1 diff -urNp linux-2.6.36.2/arch/alpha/include/asm/dma-mapping.h linux-2.6.36.2/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.36.2/arch/alpha/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
3 +++ linux-2.6.36.2/arch/alpha/include/asm/dma-mapping.h 2010-12-09 20:25:01.000000000 -0500
6 #include <linux/dma-attrs.h>
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
16 diff -urNp linux-2.6.36.2/arch/alpha/include/asm/elf.h linux-2.6.36.2/arch/alpha/include/asm/elf.h
17 --- linux-2.6.36.2/arch/alpha/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
18 +++ linux-2.6.36.2/arch/alpha/include/asm/elf.h 2010-12-09 20:25:02.000000000 -0500
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.36.2/arch/alpha/include/asm/pgtable.h linux-2.6.36.2/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.36.2/arch/alpha/include/asm/pgtable.h 2010-10-20 16:30:22.000000000 -0400
35 +++ linux-2.6.36.2/arch/alpha/include/asm/pgtable.h 2010-12-09 20:25:01.000000000 -0500
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.36.2/arch/alpha/kernel/module.c linux-2.6.36.2/arch/alpha/kernel/module.c
55 --- linux-2.6.36.2/arch/alpha/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
56 +++ linux-2.6.36.2/arch/alpha/kernel/module.c 2010-12-09 20:25:02.000000000 -0500
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
65 for (i = 0; i < n; i++) {
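Review bot: The comment above the changed `gp` assignment still says the small sections were sorted to "the end of the segment", while the new line anchors `gp` to the end of the writable core region (`me->module_core_rw + me->core_size_rw - 0x8000`). I would reword it to something like `/* The small sections were sorted to the end of the RW core region; gp sits 0x8000 below its end. */` so the dependency on section layout is explicit. Whether the layout code really places the small data sections last in the RW region is not visible here and should be confirmed. apply_relocate_add starts and ends outside the hunk.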
66 diff -urNp linux-2.6.36.2/arch/alpha/kernel/osf_sys.c linux-2.6.36.2/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.36.2/arch/alpha/kernel/osf_sys.c 2010-10-20 16:30:22.000000000 -0400
68 +++ linux-2.6.36.2/arch/alpha/kernel/osf_sys.c 2010-12-09 20:25:02.000000000 -0500
69 @@ -1165,7 +1165,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
73 - if (!vma || addr + len <= vma->vm_start)
74 + if (check_heap_stack_gap(vma, addr, len))
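Review bot: The replaced condition short-circuited on `!vma`, so `check_heap_stack_gap(vma, addr, len)` has to accept a NULL `vma` and report the range as free; the helper is defined outside this view, so that contract cannot be checked here. A short comment at this first call site, e.g. `/* vma may be NULL: nothing mapped above addr */`, would make the requirement visible. The same substitution appears in the arch/arm/mm/mmap.c and arch/frv/mm/elf-fdpic.c hunks. arch_get_unmapped_area_1 starts and ends outside the hunk.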
78 @@ -1201,6 +1201,10 @@ arch_get_unmapped_area(struct file *filp
79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
82 +#ifdef CONFIG_PAX_RANDMMAP
83 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
89 @@ -1208,8 +1212,8 @@ arch_get_unmapped_area(struct file *filp
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
95 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
97 if (addr != (unsigned long) -ENOMEM)
100 diff -urNp linux-2.6.36.2/arch/alpha/kernel/pci_iommu.c linux-2.6.36.2/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.36.2/arch/alpha/kernel/pci_iommu.c 2010-10-20 16:30:22.000000000 -0400
102 +++ linux-2.6.36.2/arch/alpha/kernel/pci_iommu.c 2010-12-09 20:25:02.000000000 -0500
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.36.2/arch/alpha/kernel/pci-noop.c linux-2.6.36.2/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.36.2/arch/alpha/kernel/pci-noop.c 2010-10-20 16:30:22.000000000 -0400
121 +++ linux-2.6.36.2/arch/alpha/kernel/pci-noop.c 2010-12-09 20:25:02.000000000 -0500
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.36.2/arch/alpha/mm/fault.c linux-2.6.36.2/arch/alpha/mm/fault.c
141 --- linux-2.6.36.2/arch/alpha/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
142 +++ linux-2.6.36.2/arch/alpha/mm/fault.c 2010-12-09 20:25:02.000000000 -0500
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
147 +#ifdef CONFIG_PAX_PAGEEXEC
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
158 +#ifdef CONFIG_PAX_EMUPLT
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
214 + do { /* PaX: unpatched PLT emulation */
217 + err = get_user(br, (unsigned int *)regs->pc);
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
250 +void pax_report_insns(void *pc, void *sp)
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
260 + printk(KERN_CONT "%08x ", c);
267 * This routine handles page faults. It determines the address,
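Review bot: In `pax_report_insns` and `pax_handle_fetch_fault` the user addresses are cast to plain `(unsigned int *)` / `(unsigned long *)` before `get_user`, whereas the ARM `pax_report_insns` in this patch uses `(__force unsigned char __user *)`; I would annotate these the same way, e.g. `get_user(c, (__force unsigned int __user *)pc+i)`, so sparse can check them. Separately, the emulation paths assign `regs->pc` and `regs->r27` from words fetched out of user memory (`regs->pc = resolver;`), gated only by the opcode pattern match, and the header comment does not say so. A sentence there stating that CONFIG_PAX_EMUPLT deliberately lets a matching trampoline on a non-executable page continue, and is therefore a compatibility relaxation of PAGEEXEC, would help later audits. Several lines of both functions are missing from this view, so the error checks between the `get_user` calls and the pattern tests could not be reviewed.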
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
270 si_code = SEGV_ACCERR;
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
282 +#ifdef CONFIG_PAX_EMUPLT
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
299 diff -urNp linux-2.6.36.2/arch/arm/include/asm/elf.h linux-2.6.36.2/arch/arm/include/asm/elf.h
300 --- linux-2.6.36.2/arch/arm/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
301 +++ linux-2.6.36.2/arch/arm/include/asm/elf.h 2010-12-09 20:24:56.000000000 -0500
302 @@ -113,7 +113,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
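Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` test `current->personality == PER_LINUX_32BIT`, an exact comparison on a field that also carries flag bits, so a task with any additional personality flag set would presumably fall into the 10-bit branch. The alpha hunk in this patch masks instead (`current->personality & ADDR_LIMIT_32BIT`); if the intent here is "32-bit address space", `((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)` would be more robust, once the intended personalities are confirmed. A one-line comment saying what the two lengths count (presumably bits of randomisation) would also help. The ia64 elf.h section later in the patch uses the same `==` form with `PER_LINUX32`.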
318 @@ -123,8 +130,4 @@ int dump_task_regs(struct task_struct *t
319 extern void elf_set_personality(const struct elf32_hdr *);
320 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
323 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
324 -#define arch_randomize_brk arch_randomize_brk
327 diff -urNp linux-2.6.36.2/arch/arm/include/asm/kmap_types.h linux-2.6.36.2/arch/arm/include/asm/kmap_types.h
328 --- linux-2.6.36.2/arch/arm/include/asm/kmap_types.h 2010-10-20 16:30:22.000000000 -0400
329 +++ linux-2.6.36.2/arch/arm/include/asm/kmap_types.h 2010-12-09 20:24:55.000000000 -0500
330 @@ -21,6 +21,7 @@ enum km_type {
338 diff -urNp linux-2.6.36.2/arch/arm/include/asm/uaccess.h linux-2.6.36.2/arch/arm/include/asm/uaccess.h
339 --- linux-2.6.36.2/arch/arm/include/asm/uaccess.h 2010-10-20 16:30:22.000000000 -0400
340 +++ linux-2.6.36.2/arch/arm/include/asm/uaccess.h 2010-12-09 20:24:55.000000000 -0500
341 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
343 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
348 if (access_ok(VERIFY_READ, from, n))
349 n = __copy_from_user(to, from, n);
350 else /* security hole - plug it */
351 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
353 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
358 if (access_ok(VERIFY_WRITE, to, n))
359 n = __copy_to_user(to, from, n);
361 diff -urNp linux-2.6.36.2/arch/arm/kernel/kgdb.c linux-2.6.36.2/arch/arm/kernel/kgdb.c
362 --- linux-2.6.36.2/arch/arm/kernel/kgdb.c 2010-11-26 18:26:23.000000000 -0500
363 +++ linux-2.6.36.2/arch/arm/kernel/kgdb.c 2010-12-09 20:24:59.000000000 -0500
364 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
365 * and we handle the normal undef case within the do_undefinstr
368 -struct kgdb_arch arch_kgdb_ops = {
369 +const struct kgdb_arch arch_kgdb_ops = {
371 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
372 #else /* ! __ARMEB__ */
373 diff -urNp linux-2.6.36.2/arch/arm/kernel/process.c linux-2.6.36.2/arch/arm/kernel/process.c
374 --- linux-2.6.36.2/arch/arm/kernel/process.c 2010-10-20 16:30:22.000000000 -0400
375 +++ linux-2.6.36.2/arch/arm/kernel/process.c 2010-12-09 20:24:59.000000000 -0500
377 #include <linux/tick.h>
378 #include <linux/utsname.h>
379 #include <linux/uaccess.h>
380 -#include <linux/random.h>
382 #include <asm/cacheflush.h>
383 #include <asm/leds.h>
384 @@ -452,9 +451,3 @@ unsigned long get_wchan(struct task_stru
385 } while (count ++ < 16);
389 -unsigned long arch_randomize_brk(struct mm_struct *mm)
391 - unsigned long range_end = mm->brk + 0x02000000;
392 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
394 diff -urNp linux-2.6.36.2/arch/arm/mach-at91/pm.c linux-2.6.36.2/arch/arm/mach-at91/pm.c
395 --- linux-2.6.36.2/arch/arm/mach-at91/pm.c 2010-10-20 16:30:22.000000000 -0400
396 +++ linux-2.6.36.2/arch/arm/mach-at91/pm.c 2010-12-09 20:24:59.000000000 -0500
397 @@ -294,7 +294,7 @@ static void at91_pm_end(void)
401 -static struct platform_suspend_ops at91_pm_ops ={
402 +static const struct platform_suspend_ops at91_pm_ops ={
403 .valid = at91_pm_valid_state,
404 .begin = at91_pm_begin,
405 .enter = at91_pm_enter,
406 diff -urNp linux-2.6.36.2/arch/arm/mach-davinci/pm.c linux-2.6.36.2/arch/arm/mach-davinci/pm.c
407 --- linux-2.6.36.2/arch/arm/mach-davinci/pm.c 2010-10-20 16:30:22.000000000 -0400
408 +++ linux-2.6.36.2/arch/arm/mach-davinci/pm.c 2010-12-09 20:24:58.000000000 -0500
409 @@ -110,7 +110,7 @@ static int davinci_pm_enter(suspend_stat
413 -static struct platform_suspend_ops davinci_pm_ops = {
414 +static const struct platform_suspend_ops davinci_pm_ops = {
415 .enter = davinci_pm_enter,
416 .valid = suspend_valid_only_mem,
418 diff -urNp linux-2.6.36.2/arch/arm/mach-imx/pm-imx27.c linux-2.6.36.2/arch/arm/mach-imx/pm-imx27.c
419 --- linux-2.6.36.2/arch/arm/mach-imx/pm-imx27.c 2010-10-20 16:30:22.000000000 -0400
420 +++ linux-2.6.36.2/arch/arm/mach-imx/pm-imx27.c 2010-12-09 20:24:58.000000000 -0500
421 @@ -32,7 +32,7 @@ static int mx27_suspend_enter(suspend_st
425 -static struct platform_suspend_ops mx27_suspend_ops = {
426 +static const struct platform_suspend_ops mx27_suspend_ops = {
427 .enter = mx27_suspend_enter,
428 .valid = suspend_valid_only_mem,
430 diff -urNp linux-2.6.36.2/arch/arm/mach-lpc32xx/pm.c linux-2.6.36.2/arch/arm/mach-lpc32xx/pm.c
431 --- linux-2.6.36.2/arch/arm/mach-lpc32xx/pm.c 2010-10-20 16:30:22.000000000 -0400
432 +++ linux-2.6.36.2/arch/arm/mach-lpc32xx/pm.c 2010-12-09 20:24:59.000000000 -0500
433 @@ -123,7 +123,7 @@ static int lpc32xx_pm_enter(suspend_stat
437 -static struct platform_suspend_ops lpc32xx_pm_ops = {
438 +static const struct platform_suspend_ops lpc32xx_pm_ops = {
439 .valid = suspend_valid_only_mem,
440 .enter = lpc32xx_pm_enter,
442 diff -urNp linux-2.6.36.2/arch/arm/mach-msm/last_radio_log.c linux-2.6.36.2/arch/arm/mach-msm/last_radio_log.c
443 --- linux-2.6.36.2/arch/arm/mach-msm/last_radio_log.c 2010-10-20 16:30:22.000000000 -0400
444 +++ linux-2.6.36.2/arch/arm/mach-msm/last_radio_log.c 2010-12-09 20:25:01.000000000 -0500
445 @@ -47,6 +47,7 @@ static ssize_t last_radio_log_read(struc
449 +/* cannot be const, see msm_init_last_radio_log */
450 static struct file_operations last_radio_log_fops = {
451 .read = last_radio_log_read
453 diff -urNp linux-2.6.36.2/arch/arm/mach-omap1/pm.c linux-2.6.36.2/arch/arm/mach-omap1/pm.c
454 --- linux-2.6.36.2/arch/arm/mach-omap1/pm.c 2010-10-20 16:30:22.000000000 -0400
455 +++ linux-2.6.36.2/arch/arm/mach-omap1/pm.c 2010-12-09 20:24:59.000000000 -0500
456 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
460 -static struct platform_suspend_ops omap_pm_ops ={
461 +static const struct platform_suspend_ops omap_pm_ops ={
462 .prepare = omap_pm_prepare,
463 .enter = omap_pm_enter,
464 .finish = omap_pm_finish,
465 diff -urNp linux-2.6.36.2/arch/arm/mach-omap2/pm24xx.c linux-2.6.36.2/arch/arm/mach-omap2/pm24xx.c
466 --- linux-2.6.36.2/arch/arm/mach-omap2/pm24xx.c 2010-10-20 16:30:22.000000000 -0400
467 +++ linux-2.6.36.2/arch/arm/mach-omap2/pm24xx.c 2010-12-09 20:24:57.000000000 -0500
468 @@ -324,7 +324,7 @@ static void omap2_pm_finish(void)
472 -static struct platform_suspend_ops omap_pm_ops = {
473 +static const struct platform_suspend_ops omap_pm_ops = {
474 .prepare = omap2_pm_prepare,
475 .enter = omap2_pm_enter,
476 .finish = omap2_pm_finish,
477 diff -urNp linux-2.6.36.2/arch/arm/mach-omap2/pm34xx.c linux-2.6.36.2/arch/arm/mach-omap2/pm34xx.c
478 --- linux-2.6.36.2/arch/arm/mach-omap2/pm34xx.c 2010-10-20 16:30:22.000000000 -0400
479 +++ linux-2.6.36.2/arch/arm/mach-omap2/pm34xx.c 2010-12-09 20:24:56.000000000 -0500
480 @@ -672,7 +672,7 @@ static void omap3_pm_end(void)
484 -static struct platform_suspend_ops omap_pm_ops = {
485 +static const struct platform_suspend_ops omap_pm_ops = {
486 .begin = omap3_pm_begin,
488 .prepare = omap3_pm_prepare,
489 diff -urNp linux-2.6.36.2/arch/arm/mach-omap2/pm44xx.c linux-2.6.36.2/arch/arm/mach-omap2/pm44xx.c
490 --- linux-2.6.36.2/arch/arm/mach-omap2/pm44xx.c 2010-10-20 16:30:22.000000000 -0400
491 +++ linux-2.6.36.2/arch/arm/mach-omap2/pm44xx.c 2010-12-09 20:24:57.000000000 -0500
492 @@ -75,7 +75,7 @@ static void omap4_pm_end(void)
496 -static struct platform_suspend_ops omap_pm_ops = {
497 +static const struct platform_suspend_ops omap_pm_ops = {
498 .begin = omap4_pm_begin,
500 .prepare = omap4_pm_prepare,
501 diff -urNp linux-2.6.36.2/arch/arm/mach-pnx4008/pm.c linux-2.6.36.2/arch/arm/mach-pnx4008/pm.c
502 --- linux-2.6.36.2/arch/arm/mach-pnx4008/pm.c 2010-10-20 16:30:22.000000000 -0400
503 +++ linux-2.6.36.2/arch/arm/mach-pnx4008/pm.c 2010-12-09 20:25:01.000000000 -0500
504 @@ -119,7 +119,7 @@ static int pnx4008_pm_valid(suspend_stat
505 (state == PM_SUSPEND_MEM);
508 -static struct platform_suspend_ops pnx4008_pm_ops = {
509 +static const struct platform_suspend_ops pnx4008_pm_ops = {
510 .enter = pnx4008_pm_enter,
511 .valid = pnx4008_pm_valid,
513 diff -urNp linux-2.6.36.2/arch/arm/mach-pxa/pm.c linux-2.6.36.2/arch/arm/mach-pxa/pm.c
514 --- linux-2.6.36.2/arch/arm/mach-pxa/pm.c 2010-10-20 16:30:22.000000000 -0400
515 +++ linux-2.6.36.2/arch/arm/mach-pxa/pm.c 2010-12-09 20:25:01.000000000 -0500
516 @@ -96,7 +96,7 @@ void pxa_pm_finish(void)
517 pxa_cpu_pm_fns->finish();
520 -static struct platform_suspend_ops pxa_pm_ops = {
521 +static const struct platform_suspend_ops pxa_pm_ops = {
522 .valid = pxa_pm_valid,
523 .enter = pxa_pm_enter,
524 .prepare = pxa_pm_prepare,
525 diff -urNp linux-2.6.36.2/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.36.2/arch/arm/mach-pxa/sharpsl_pm.c
526 --- linux-2.6.36.2/arch/arm/mach-pxa/sharpsl_pm.c 2010-10-20 16:30:22.000000000 -0400
527 +++ linux-2.6.36.2/arch/arm/mach-pxa/sharpsl_pm.c 2010-12-09 20:25:01.000000000 -0500
528 @@ -868,7 +868,7 @@ static void sharpsl_apm_get_power_status
532 -static struct platform_suspend_ops sharpsl_pm_ops = {
533 +static const struct platform_suspend_ops sharpsl_pm_ops = {
534 .prepare = pxa_pm_prepare,
535 .finish = pxa_pm_finish,
536 .enter = corgi_pxa_pm_enter,
537 diff -urNp linux-2.6.36.2/arch/arm/mach-sa1100/pm.c linux-2.6.36.2/arch/arm/mach-sa1100/pm.c
538 --- linux-2.6.36.2/arch/arm/mach-sa1100/pm.c 2010-10-20 16:30:22.000000000 -0400
539 +++ linux-2.6.36.2/arch/arm/mach-sa1100/pm.c 2010-12-09 20:25:00.000000000 -0500
540 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
541 return virt_to_phys(sp);
544 -static struct platform_suspend_ops sa11x0_pm_ops = {
545 +static const struct platform_suspend_ops sa11x0_pm_ops = {
546 .enter = sa11x0_pm_enter,
547 .valid = suspend_valid_only_mem,
549 diff -urNp linux-2.6.36.2/arch/arm/mm/fault.c linux-2.6.36.2/arch/arm/mm/fault.c
550 --- linux-2.6.36.2/arch/arm/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
551 +++ linux-2.6.36.2/arch/arm/mm/fault.c 2010-12-09 20:25:00.000000000 -0500
552 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
556 +#ifdef CONFIG_PAX_PAGEEXEC
557 + if (fsr & FSR_LNX_PF) {
558 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
559 + do_group_exit(SIGKILL);
563 tsk->thread.address = addr;
564 tsk->thread.error_code = fsr;
565 tsk->thread.trap_no = 14;
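Review bot: The added block acts on `fsr & FSR_LNX_PF` alone, without the per-task test that the avr32 and alpha handlers in this patch apply (`mm->pax_flags & MF_PAX_PAGEEXEC`). As written, a task with PAGEEXEC switched off would apparently still reach `pax_report_fault` and `do_group_exit(SIGKILL)` instead of the normal signal path that follows. If that is not intended, guard it the same way, e.g. `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`. Whether `tsk->mm` is always valid at this point needs checking, since __do_user_fault begins outside the hunk.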
566 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
568 #endif /* CONFIG_MMU */
570 +#ifdef CONFIG_PAX_PAGEEXEC
571 +void pax_report_insns(void *pc, void *sp)
575 + printk(KERN_ERR "PAX: bytes at PC: ");
576 + for (i = 0; i < 20; i++) {
578 + if (get_user(c, (__force unsigned char __user *)pc+i))
579 + printk(KERN_CONT "?? ");
581 + printk(KERN_CONT "%02x ", c);
585 + printk(KERN_ERR "PAX: bytes at SP-4: ");
586 + for (i = -1; i < 20; i++) {
588 + if (get_user(c, (__force unsigned long __user *)sp+i))
589 + printk(KERN_CONT "???????? ");
591 + printk(KERN_CONT "%08lx ", c);
598 * First Level Translation Fault Handler
600 diff -urNp linux-2.6.36.2/arch/arm/mm/mmap.c linux-2.6.36.2/arch/arm/mm/mmap.c
601 --- linux-2.6.36.2/arch/arm/mm/mmap.c 2010-10-20 16:30:22.000000000 -0400
602 +++ linux-2.6.36.2/arch/arm/mm/mmap.c 2010-12-09 20:24:59.000000000 -0500
603 @@ -64,6 +64,10 @@ arch_get_unmapped_area(struct file *filp
607 +#ifdef CONFIG_PAX_RANDMMAP
608 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
613 addr = COLOUR_ALIGN(addr, pgoff);
614 @@ -71,15 +75,14 @@ arch_get_unmapped_area(struct file *filp
615 addr = PAGE_ALIGN(addr);
617 vma = find_vma(mm, addr);
618 - if (TASK_SIZE - len >= addr &&
619 - (!vma || addr + len <= vma->vm_start))
620 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
623 if (len > mm->cached_hole_size) {
624 - start_addr = addr = mm->free_area_cache;
625 + start_addr = addr = mm->free_area_cache;
627 - start_addr = addr = TASK_UNMAPPED_BASE;
628 - mm->cached_hole_size = 0;
629 + start_addr = addr = mm->mmap_base;
630 + mm->cached_hole_size = 0;
632 /* 8 bits of randomness in 20 address space bits */
633 if (current->flags & PF_RANDOMIZE)
634 @@ -98,14 +101,14 @@ full_search:
635 * Start a new search - just in case we missed
638 - if (start_addr != TASK_UNMAPPED_BASE) {
639 - start_addr = addr = TASK_UNMAPPED_BASE;
640 + if (start_addr != mm->mmap_base) {
641 + start_addr = addr = mm->mmap_base;
642 mm->cached_hole_size = 0;
647 - if (!vma || addr + len <= vma->vm_start) {
648 + if (check_heap_stack_gap(vma, addr, len)) {
650 * Remember the place where we stopped the search:
652 diff -urNp linux-2.6.36.2/arch/arm/plat-samsung/pm.c linux-2.6.36.2/arch/arm/plat-samsung/pm.c
653 --- linux-2.6.36.2/arch/arm/plat-samsung/pm.c 2010-10-20 16:30:22.000000000 -0400
654 +++ linux-2.6.36.2/arch/arm/plat-samsung/pm.c 2010-12-09 20:24:56.000000000 -0500
655 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
656 s3c_pm_check_cleanup();
659 -static struct platform_suspend_ops s3c_pm_ops = {
660 +static const struct platform_suspend_ops s3c_pm_ops = {
661 .enter = s3c_pm_enter,
662 .prepare = s3c_pm_prepare,
663 .finish = s3c_pm_finish,
664 diff -urNp linux-2.6.36.2/arch/avr32/include/asm/elf.h linux-2.6.36.2/arch/avr32/include/asm/elf.h
665 --- linux-2.6.36.2/arch/avr32/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
666 +++ linux-2.6.36.2/arch/avr32/include/asm/elf.h 2010-12-09 20:25:10.000000000 -0500
667 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
668 the loader. We need to make sure that it is out of the way of the program
669 that it will "exec", and that there is sufficient room for the brk. */
671 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
672 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
674 +#ifdef CONFIG_PAX_ASLR
675 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
677 +#define PAX_DELTA_MMAP_LEN 15
678 +#define PAX_DELTA_STACK_LEN 15
681 /* This yields a mask that user programs can use to figure out what
682 instruction set this CPU supports. This could be done in user space,
683 diff -urNp linux-2.6.36.2/arch/avr32/include/asm/kmap_types.h linux-2.6.36.2/arch/avr32/include/asm/kmap_types.h
684 --- linux-2.6.36.2/arch/avr32/include/asm/kmap_types.h 2010-10-20 16:30:22.000000000 -0400
685 +++ linux-2.6.36.2/arch/avr32/include/asm/kmap_types.h 2010-12-09 20:25:10.000000000 -0500
686 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
696 diff -urNp linux-2.6.36.2/arch/avr32/mach-at32ap/pm.c linux-2.6.36.2/arch/avr32/mach-at32ap/pm.c
697 --- linux-2.6.36.2/arch/avr32/mach-at32ap/pm.c 2010-10-20 16:30:22.000000000 -0400
698 +++ linux-2.6.36.2/arch/avr32/mach-at32ap/pm.c 2010-12-09 20:25:10.000000000 -0500
699 @@ -176,7 +176,7 @@ out:
703 -static struct platform_suspend_ops avr32_pm_ops = {
704 +static const struct platform_suspend_ops avr32_pm_ops = {
705 .valid = avr32_pm_valid_state,
706 .enter = avr32_pm_enter,
708 diff -urNp linux-2.6.36.2/arch/avr32/mm/fault.c linux-2.6.36.2/arch/avr32/mm/fault.c
709 --- linux-2.6.36.2/arch/avr32/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
710 +++ linux-2.6.36.2/arch/avr32/mm/fault.c 2010-12-09 20:25:11.000000000 -0500
711 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
713 int exception_trace = 1;
715 +#ifdef CONFIG_PAX_PAGEEXEC
716 +void pax_report_insns(void *pc, void *sp)
720 + printk(KERN_ERR "PAX: bytes at PC: ");
721 + for (i = 0; i < 20; i++) {
723 + if (get_user(c, (unsigned char *)pc+i))
724 + printk(KERN_CONT "???????? ");
726 + printk(KERN_CONT "%02x ", c);
733 * This routine handles page faults. It determines the address and the
734 * problem, and then passes it off to one of the appropriate routines.
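Review bot: In `pax_report_insns` the failure placeholder is `"???????? "` while a successful read prints a single byte with `"%02x "`, so the columns of the dump shift whenever a byte cannot be read; the ARM version of this function uses `"?? "` for its byte loop. I would change the line to `printk(KERN_CONT "?? ");`. The cast `(unsigned char *)pc+i` also lacks the `__user` annotation that the ARM version carries (`(__force unsigned char __user *)pc+i`). The declaration of `c` and the closing lines of the function are not visible in this view.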
735 @@ -156,6 +173,16 @@ bad_area:
736 up_read(&mm->mmap_sem);
738 if (user_mode(regs)) {
740 +#ifdef CONFIG_PAX_PAGEEXEC
741 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
742 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
743 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
744 + do_group_exit(SIGKILL);
749 if (exception_trace && printk_ratelimit())
750 printk("%s%s[%d]: segfault at %08lx pc %08lx "
751 "sp %08lx ecr %lu\n",
752 diff -urNp linux-2.6.36.2/arch/blackfin/kernel/kgdb.c linux-2.6.36.2/arch/blackfin/kernel/kgdb.c
753 --- linux-2.6.36.2/arch/blackfin/kernel/kgdb.c 2010-10-20 16:30:22.000000000 -0400
754 +++ linux-2.6.36.2/arch/blackfin/kernel/kgdb.c 2010-12-09 20:24:53.000000000 -0500
755 @@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
756 return -1; /* this means that we do not want to exit from the handler */
759 -struct kgdb_arch arch_kgdb_ops = {
760 +const struct kgdb_arch arch_kgdb_ops = {
761 .gdb_bpt_instr = {0xa1},
763 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
764 diff -urNp linux-2.6.36.2/arch/blackfin/mach-common/pm.c linux-2.6.36.2/arch/blackfin/mach-common/pm.c
765 --- linux-2.6.36.2/arch/blackfin/mach-common/pm.c 2010-10-20 16:30:22.000000000 -0400
766 +++ linux-2.6.36.2/arch/blackfin/mach-common/pm.c 2010-12-09 20:24:52.000000000 -0500
767 @@ -233,7 +233,7 @@ static int bfin_pm_enter(suspend_state_t
771 -struct platform_suspend_ops bfin_pm_ops = {
772 +const struct platform_suspend_ops bfin_pm_ops = {
773 .enter = bfin_pm_enter,
774 .valid = bfin_pm_valid,
776 diff -urNp linux-2.6.36.2/arch/blackfin/mm/maccess.c linux-2.6.36.2/arch/blackfin/mm/maccess.c
777 --- linux-2.6.36.2/arch/blackfin/mm/maccess.c 2010-10-20 16:30:22.000000000 -0400
778 +++ linux-2.6.36.2/arch/blackfin/mm/maccess.c 2010-12-09 20:24:53.000000000 -0500
779 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
780 return bfin_mem_access_type(addr, size);
783 -long probe_kernel_read(void *dst, void *src, size_t size)
784 +long probe_kernel_read(void *dst, const void *src, size_t size)
786 unsigned long lsrc = (unsigned long)src;
788 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
792 -long probe_kernel_write(void *dst, void *src, size_t size)
793 +long probe_kernel_write(void *dst, const void *src, size_t size)
795 unsigned long ldst = (unsigned long)dst;
797 diff -urNp linux-2.6.36.2/arch/frv/include/asm/kmap_types.h linux-2.6.36.2/arch/frv/include/asm/kmap_types.h
798 --- linux-2.6.36.2/arch/frv/include/asm/kmap_types.h 2010-10-20 16:30:22.000000000 -0400
799 +++ linux-2.6.36.2/arch/frv/include/asm/kmap_types.h 2010-12-09 20:25:15.000000000 -0500
800 @@ -23,6 +23,7 @@ enum km_type {
808 diff -urNp linux-2.6.36.2/arch/frv/mm/elf-fdpic.c linux-2.6.36.2/arch/frv/mm/elf-fdpic.c
809 --- linux-2.6.36.2/arch/frv/mm/elf-fdpic.c 2010-10-20 16:30:22.000000000 -0400
810 +++ linux-2.6.36.2/arch/frv/mm/elf-fdpic.c 2010-12-09 20:25:15.000000000 -0500
811 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
813 addr = PAGE_ALIGN(addr);
814 vma = find_vma(current->mm, addr);
815 - if (TASK_SIZE - len >= addr &&
816 - (!vma || addr + len <= vma->vm_start))
817 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
821 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
822 for (; vma; vma = vma->vm_next) {
825 - if (addr + len <= vma->vm_start)
826 + if (check_heap_stack_gap(vma, addr, len))
830 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
831 for (; vma; vma = vma->vm_next) {
834 - if (addr + len <= vma->vm_start)
835 + if (check_heap_stack_gap(vma, addr, len))
839 diff -urNp linux-2.6.36.2/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.36.2/arch/ia64/hp/common/hwsw_iommu.c
840 --- linux-2.6.36.2/arch/ia64/hp/common/hwsw_iommu.c 2010-10-20 16:30:22.000000000 -0400
841 +++ linux-2.6.36.2/arch/ia64/hp/common/hwsw_iommu.c 2010-12-09 20:25:11.000000000 -0500
843 #include <linux/swiotlb.h>
844 #include <asm/machvec.h>
846 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
847 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
849 /* swiotlb declarations & definitions: */
850 extern int swiotlb_late_init_with_default_size (size_t size);
851 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
852 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
855 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
856 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
858 if (use_swiotlb(dev))
859 return &swiotlb_dma_ops;
860 diff -urNp linux-2.6.36.2/arch/ia64/hp/common/sba_iommu.c linux-2.6.36.2/arch/ia64/hp/common/sba_iommu.c
861 --- linux-2.6.36.2/arch/ia64/hp/common/sba_iommu.c 2010-10-20 16:30:22.000000000 -0400
862 +++ linux-2.6.36.2/arch/ia64/hp/common/sba_iommu.c 2010-12-09 20:25:11.000000000 -0500
863 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
867 -extern struct dma_map_ops swiotlb_dma_ops;
868 +extern const struct dma_map_ops swiotlb_dma_ops;
872 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
874 __setup("sbapagesize=",sba_page_override);
876 -struct dma_map_ops sba_dma_ops = {
877 +const struct dma_map_ops sba_dma_ops = {
878 .alloc_coherent = sba_alloc_coherent,
879 .free_coherent = sba_free_coherent,
880 .map_page = sba_map_page,
881 diff -urNp linux-2.6.36.2/arch/ia64/include/asm/dma-mapping.h linux-2.6.36.2/arch/ia64/include/asm/dma-mapping.h
882 --- linux-2.6.36.2/arch/ia64/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
883 +++ linux-2.6.36.2/arch/ia64/include/asm/dma-mapping.h 2010-12-09 20:25:11.000000000 -0500
886 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
888 -extern struct dma_map_ops *dma_ops;
889 +extern const struct dma_map_ops *dma_ops;
890 extern struct ia64_machine_vector ia64_mv;
891 extern void set_iommu_machvec(void);
893 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
894 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
895 dma_addr_t *daddr, gfp_t gfp)
897 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
898 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
901 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
902 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
903 static inline void dma_free_coherent(struct device *dev, size_t size,
904 void *caddr, dma_addr_t daddr)
906 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
907 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
908 debug_dma_free_coherent(dev, size, caddr, daddr);
909 ops->free_coherent(dev, size, caddr, daddr);
911 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
913 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
915 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
916 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
917 return ops->mapping_error(dev, daddr);
920 static inline int dma_supported(struct device *dev, u64 mask)
922 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
923 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
924 return ops->dma_supported(dev, mask);
927 diff -urNp linux-2.6.36.2/arch/ia64/include/asm/elf.h linux-2.6.36.2/arch/ia64/include/asm/elf.h
928 --- linux-2.6.36.2/arch/ia64/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
929 +++ linux-2.6.36.2/arch/ia64/include/asm/elf.h 2010-12-09 20:25:11.000000000 -0500
932 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
934 +#ifdef CONFIG_PAX_ASLR
935 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
937 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
938 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
941 #define PT_IA_64_UNWIND 0x70000001
943 /* IA-64 relocations: */
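Review bot: The three added macros test `current->personality == PER_LINUX32` on the raw field, so a 32-bit task whose personality word also carries flag bits would fail the comparison and be given the 64-bit base and delta values. Masking the flags first avoids that, e.g. `personality(current->personality) == PER_LINUX32`. A one-line comment above `PAX_DELTA_MMAP_LEN` saying what unit the value is in (presumably a count of random bits) would also help, since `3*PAGE_SHIFT - 13` does not explain itself.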
944 diff -urNp linux-2.6.36.2/arch/ia64/include/asm/machvec.h linux-2.6.36.2/arch/ia64/include/asm/machvec.h
945 --- linux-2.6.36.2/arch/ia64/include/asm/machvec.h 2010-10-20 16:30:22.000000000 -0400
946 +++ linux-2.6.36.2/arch/ia64/include/asm/machvec.h 2010-12-09 20:25:11.000000000 -0500
947 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
948 /* DMA-mapping interface: */
949 typedef void ia64_mv_dma_init (void);
950 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
951 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
952 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
955 * WARNING: The legacy I/O space is _architected_. Platforms are
956 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
957 # endif /* CONFIG_IA64_GENERIC */
959 extern void swiotlb_dma_init(void);
960 -extern struct dma_map_ops *dma_get_ops(struct device *);
961 +extern const struct dma_map_ops *dma_get_ops(struct device *);
964 * Define default versions so we can extend machvec for new platforms without having
965 diff -urNp linux-2.6.36.2/arch/ia64/include/asm/pgtable.h linux-2.6.36.2/arch/ia64/include/asm/pgtable.h
966 --- linux-2.6.36.2/arch/ia64/include/asm/pgtable.h 2010-10-20 16:30:22.000000000 -0400
967 +++ linux-2.6.36.2/arch/ia64/include/asm/pgtable.h 2010-12-09 20:25:11.000000000 -0500
969 * David Mosberger-Tang <davidm@hpl.hp.com>
973 +#include <linux/const.h>
974 #include <asm/mman.h>
975 #include <asm/page.h>
976 #include <asm/processor.h>
978 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
979 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
980 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
982 +#ifdef CONFIG_PAX_PAGEEXEC
983 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
984 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
985 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
987 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
988 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
989 +# define PAGE_COPY_NOEXEC PAGE_COPY
992 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
993 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
994 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
995 diff -urNp linux-2.6.36.2/arch/ia64/include/asm/uaccess.h linux-2.6.36.2/arch/ia64/include/asm/uaccess.h
996 --- linux-2.6.36.2/arch/ia64/include/asm/uaccess.h 2010-10-20 16:30:22.000000000 -0400
997 +++ linux-2.6.36.2/arch/ia64/include/asm/uaccess.h 2010-12-09 20:25:11.000000000 -0500
998 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
999 const void *__cu_from = (from); \
1000 long __cu_len = (n); \
1002 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
1003 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1004 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
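Review bot: The new length guard `__cu_len > 0 && __cu_len <= INT_MAX` is written out twice, here and in the following hunk (@@ -269,7), with no comment explaining why lengths are capped at INT_MAX or that a rejected length is returned to the caller unchanged as the "bytes not copied" count. A comment such as `/* reject negative and implausibly large lengths before touching user memory */` on one shared helper macro, for example `#define __cu_len_ok(len) ((len) > 0 && (len) <= INT_MAX)`, would keep the two sites from drifting apart. No include is visible in this hunk, so it is worth confirming that `INT_MAX` is in scope wherever this header is used. The macro bodies start and end outside the hunk.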
1007 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1008 long __cu_len = (n); \
1010 __chk_user_ptr(__cu_from); \
1011 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
1012 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1013 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1016 diff -urNp linux-2.6.36.2/arch/ia64/kernel/dma-mapping.c linux-2.6.36.2/arch/ia64/kernel/dma-mapping.c
1017 --- linux-2.6.36.2/arch/ia64/kernel/dma-mapping.c 2010-10-20 16:30:22.000000000 -0400
1018 +++ linux-2.6.36.2/arch/ia64/kernel/dma-mapping.c 2010-12-09 20:25:11.000000000 -0500
1020 /* Set this to 1 if there is a HW IOMMU in the system */
1021 int iommu_detected __read_mostly;
1023 -struct dma_map_ops *dma_ops;
1024 +const struct dma_map_ops *dma_ops;
1025 EXPORT_SYMBOL(dma_ops);
1027 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1028 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1030 fs_initcall(dma_init);
1032 -struct dma_map_ops *dma_get_ops(struct device *dev)
1033 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1037 diff -urNp linux-2.6.36.2/arch/ia64/kernel/module.c linux-2.6.36.2/arch/ia64/kernel/module.c
1038 --- linux-2.6.36.2/arch/ia64/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
1039 +++ linux-2.6.36.2/arch/ia64/kernel/module.c 2010-12-09 20:25:11.000000000 -0500
1040 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1042 module_free (struct module *mod, void *module_region)
1044 - if (mod && mod->arch.init_unw_table &&
1045 - module_region == mod->module_init) {
1046 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1047 unw_remove_unwind_table(mod->arch.init_unw_table);
1048 mod->arch.init_unw_table = NULL;
1050 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1054 +in_init_rx (const struct module *mod, uint64_t addr)
1056 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1060 +in_init_rw (const struct module *mod, uint64_t addr)
1062 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1066 in_init (const struct module *mod, uint64_t addr)
1068 - return addr - (uint64_t) mod->module_init < mod->init_size;
1069 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1073 +in_core_rx (const struct module *mod, uint64_t addr)
1075 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1079 +in_core_rw (const struct module *mod, uint64_t addr)
1081 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1085 in_core (const struct module *mod, uint64_t addr)
1087 - return addr - (uint64_t) mod->module_core < mod->core_size;
1088 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1092 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1096 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1097 + if (in_init_rx(mod, val))
1098 + val -= (uint64_t) mod->module_init_rx;
1099 + else if (in_init_rw(mod, val))
1100 + val -= (uint64_t) mod->module_init_rw;
1101 + else if (in_core_rx(mod, val))
1102 + val -= (uint64_t) mod->module_core_rx;
1103 + else if (in_core_rw(mod, val))
1104 + val -= (uint64_t) mod->module_core_rw;
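Review bot: The new `if / else if` chain in do_reloc has no final `else`, so a `val` that lies in none of the four regions is passed on unadjusted, whereas the removed line always subtracted either `module_init` or `module_core`. Failing the relocation is safer than continuing with an absolute address where a segment-relative one is expected: `else { printk(KERN_ERR "%s: segment-relative value outside module\n", mod->name); return -ENOEXEC; }`. The rest of the switch case is outside the hunk, so confirm that an early return fits the surrounding error convention.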
1108 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1109 * addresses have been selected...
1112 - if (mod->core_size > MAX_LTOFF)
1113 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1115 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1116 * at the end of the module.
1118 - gp = mod->core_size - MAX_LTOFF / 2;
1119 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1121 - gp = mod->core_size / 2;
1122 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1123 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1124 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1126 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1128 diff -urNp linux-2.6.36.2/arch/ia64/kernel/pci-dma.c linux-2.6.36.2/arch/ia64/kernel/pci-dma.c
1129 --- linux-2.6.36.2/arch/ia64/kernel/pci-dma.c 2010-10-20 16:30:22.000000000 -0400
1130 +++ linux-2.6.36.2/arch/ia64/kernel/pci-dma.c 2010-12-09 20:25:11.000000000 -0500
1131 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1132 .dma_mask = &fallback_dev.coherent_dma_mask,
1135 -extern struct dma_map_ops intel_dma_ops;
1136 +extern const struct dma_map_ops intel_dma_ops;
1138 static int __init pci_iommu_init(void)
1140 diff -urNp linux-2.6.36.2/arch/ia64/kernel/pci-swiotlb.c linux-2.6.36.2/arch/ia64/kernel/pci-swiotlb.c
1141 --- linux-2.6.36.2/arch/ia64/kernel/pci-swiotlb.c 2010-10-20 16:30:22.000000000 -0400
1142 +++ linux-2.6.36.2/arch/ia64/kernel/pci-swiotlb.c 2010-12-09 20:25:11.000000000 -0500
1143 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1144 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1147 -struct dma_map_ops swiotlb_dma_ops = {
1148 +const struct dma_map_ops swiotlb_dma_ops = {
1149 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1150 .free_coherent = swiotlb_free_coherent,
1151 .map_page = swiotlb_map_page,
1152 diff -urNp linux-2.6.36.2/arch/ia64/kernel/sys_ia64.c linux-2.6.36.2/arch/ia64/kernel/sys_ia64.c
1153 --- linux-2.6.36.2/arch/ia64/kernel/sys_ia64.c 2010-10-20 16:30:22.000000000 -0400
1154 +++ linux-2.6.36.2/arch/ia64/kernel/sys_ia64.c 2010-12-09 20:25:11.000000000 -0500
1155 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1156 if (REGION_NUMBER(addr) == RGN_HPAGE)
1160 +#ifdef CONFIG_PAX_RANDMMAP
1161 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1162 + addr = mm->free_area_cache;
1167 addr = mm->free_area_cache;
1169 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1170 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1171 /* At this point: (!vma || addr < vma->vm_end). */
1172 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1173 - if (start_addr != TASK_UNMAPPED_BASE) {
1174 + if (start_addr != mm->mmap_base) {
1175 /* Start a new search --- just in case we missed some holes. */
1176 - addr = TASK_UNMAPPED_BASE;
1177 + addr = mm->mmap_base;
1182 - if (!vma || addr + len <= vma->vm_start) {
1183 + if (check_heap_stack_gap(vma, addr, len)) {
1184 /* Remember the address where we stopped this search: */
1185 mm->free_area_cache = addr + len;
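Review bot: The call `check_heap_stack_gap(vma, addr, len)` replaces a test that began with `!vma`, and the comment just above still says `!vma || addr < vma->vm_end`, so the helper has to accept a NULL vma and treat it as "nothing mapped above"; its definition is not in this hunk. A short comment at the call site, `/* vma may be NULL: check_heap_stack_gap() treats that as no mapping above addr */`, would make that contract visible. The same replacement is made in arch/ia64/mm/hugetlbpage.c and twice in arch/mips/kernel/syscall.c. The restart branch now compares against `mm->mmap_base`, so it is worth checking that `start_addr`, which is set outside the hunk, is initialised from the same value.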
1187 diff -urNp linux-2.6.36.2/arch/ia64/kernel/vmlinux.lds.S linux-2.6.36.2/arch/ia64/kernel/vmlinux.lds.S
1188 --- linux-2.6.36.2/arch/ia64/kernel/vmlinux.lds.S 2010-10-20 16:30:22.000000000 -0400
1189 +++ linux-2.6.36.2/arch/ia64/kernel/vmlinux.lds.S 2010-12-09 20:25:11.000000000 -0500
1190 @@ -199,7 +199,7 @@ SECTIONS {
1192 . = ALIGN(PERCPU_PAGE_SIZE);
1193 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1194 - __phys_per_cpu_start = __per_cpu_load;
1195 + __phys_per_cpu_start = per_cpu_load;
1197 * ensure percpu data fits
1198 * into percpu page size
1199 diff -urNp linux-2.6.36.2/arch/ia64/mm/fault.c linux-2.6.36.2/arch/ia64/mm/fault.c
1200 --- linux-2.6.36.2/arch/ia64/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
1201 +++ linux-2.6.36.2/arch/ia64/mm/fault.c 2010-12-09 20:25:11.000000000 -0500
1202 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1203 return pte_present(pte);
1206 +#ifdef CONFIG_PAX_PAGEEXEC
1207 +void pax_report_insns(void *pc, void *sp)
1211 + printk(KERN_ERR "PAX: bytes at PC: ");
1212 + for (i = 0; i < 8; i++) {
1214 + if (get_user(c, (unsigned int *)pc+i))
1215 + printk(KERN_CONT "???????? ");
1217 + printk(KERN_CONT "%08x ", c);
1224 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
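Review bot: The `get_user()` call in the added pax_report_insns() reads through `(unsigned int *)pc+i`, a cast that drops the `__user` address-space annotation, so sparse cannot check that this is a user-space access. Writing it as `get_user(c, (unsigned int __user *)pc + i)` keeps the annotation. The function also has no comment saying that it dumps the words at the faulting PC to the kernel log and that `sp` is unused in the visible lines; one sentence above the definition would cover it. The mips copy of this function in arch/mips/mm/fault.c has the same cast.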
1226 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1227 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1228 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1230 - if ((vma->vm_flags & mask) != mask)
1231 + if ((vma->vm_flags & mask) != mask) {
1233 +#ifdef CONFIG_PAX_PAGEEXEC
1234 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1235 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1238 + up_read(&mm->mmap_sem);
1239 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1240 + do_group_exit(SIGKILL);
1249 * If for any reason at all we couldn't handle the fault, make
1250 * sure we exit gracefully rather than endlessly redo the
1251 diff -urNp linux-2.6.36.2/arch/ia64/mm/hugetlbpage.c linux-2.6.36.2/arch/ia64/mm/hugetlbpage.c
1252 --- linux-2.6.36.2/arch/ia64/mm/hugetlbpage.c 2010-10-20 16:30:22.000000000 -0400
1253 +++ linux-2.6.36.2/arch/ia64/mm/hugetlbpage.c 2010-12-09 20:25:11.000000000 -0500
1254 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1255 /* At this point: (!vmm || addr < vmm->vm_end). */
1256 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1258 - if (!vmm || (addr + len) <= vmm->vm_start)
1259 + if (check_heap_stack_gap(vmm, addr, len))
1261 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1263 diff -urNp linux-2.6.36.2/arch/ia64/mm/init.c linux-2.6.36.2/arch/ia64/mm/init.c
1264 --- linux-2.6.36.2/arch/ia64/mm/init.c 2010-10-20 16:30:22.000000000 -0400
1265 +++ linux-2.6.36.2/arch/ia64/mm/init.c 2010-12-09 20:25:11.000000000 -0500
1266 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1267 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1268 vma->vm_end = vma->vm_start + PAGE_SIZE;
1269 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1271 +#ifdef CONFIG_PAX_PAGEEXEC
1272 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1273 + vma->vm_flags &= ~VM_EXEC;
1275 +#ifdef CONFIG_PAX_MPROTECT
1276 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1277 + vma->vm_flags &= ~VM_MAYEXEC;
1283 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1284 down_write(¤t->mm->mmap_sem);
1285 if (insert_vm_struct(current->mm, vma)) {
1286 diff -urNp linux-2.6.36.2/arch/ia64/sn/pci/pci_dma.c linux-2.6.36.2/arch/ia64/sn/pci/pci_dma.c
1287 --- linux-2.6.36.2/arch/ia64/sn/pci/pci_dma.c 2010-10-20 16:30:22.000000000 -0400
1288 +++ linux-2.6.36.2/arch/ia64/sn/pci/pci_dma.c 2010-12-09 20:25:11.000000000 -0500
1289 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1293 -static struct dma_map_ops sn_dma_ops = {
1294 +static const struct dma_map_ops sn_dma_ops = {
1295 .alloc_coherent = sn_dma_alloc_coherent,
1296 .free_coherent = sn_dma_free_coherent,
1297 .map_page = sn_dma_map_page,
1298 diff -urNp linux-2.6.36.2/arch/m32r/lib/usercopy.c linux-2.6.36.2/arch/m32r/lib/usercopy.c
1299 --- linux-2.6.36.2/arch/m32r/lib/usercopy.c 2010-10-20 16:30:22.000000000 -0400
1300 +++ linux-2.6.36.2/arch/m32r/lib/usercopy.c 2010-12-09 20:25:02.000000000 -0500
1303 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1309 if (access_ok(VERIFY_WRITE, to, n))
1310 __copy_user(to,from,n);
1311 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1313 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1319 if (access_ok(VERIFY_READ, from, n))
1320 __copy_user_zeroing(to,from,n);
1321 diff -urNp linux-2.6.36.2/arch/microblaze/include/asm/device.h linux-2.6.36.2/arch/microblaze/include/asm/device.h
1322 --- linux-2.6.36.2/arch/microblaze/include/asm/device.h 2010-10-20 16:30:22.000000000 -0400
1323 +++ linux-2.6.36.2/arch/microblaze/include/asm/device.h 2010-12-09 20:25:11.000000000 -0500
1324 @@ -13,7 +13,7 @@ struct device_node;
1326 struct dev_archdata {
1327 /* DMA operations on that device */
1328 - struct dma_map_ops *dma_ops;
1329 + const struct dma_map_ops *dma_ops;
1333 diff -urNp linux-2.6.36.2/arch/microblaze/include/asm/dma-mapping.h linux-2.6.36.2/arch/microblaze/include/asm/dma-mapping.h
1334 --- linux-2.6.36.2/arch/microblaze/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
1335 +++ linux-2.6.36.2/arch/microblaze/include/asm/dma-mapping.h 2010-12-09 20:25:11.000000000 -0500
1336 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1337 return 0xfffffffful;
1340 -extern struct dma_map_ops *dma_ops;
1341 +extern const struct dma_map_ops *dma_ops;
1344 * Available generic sets of operations
1346 -extern struct dma_map_ops dma_direct_ops;
1347 +extern const struct dma_map_ops dma_direct_ops;
1349 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1350 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1352 /* We don't handle the NULL dev case for ISA for now. We could
1353 * do it via an out of line call but it is not needed for now. The
1354 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1355 return dev->archdata.dma_ops;
1358 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1359 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1361 dev->archdata.dma_ops = ops;
1364 static inline int dma_supported(struct device *dev, u64 mask)
1366 - struct dma_map_ops *ops = get_dma_ops(dev);
1367 + const struct dma_map_ops *ops = get_dma_ops(dev);
1371 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
1373 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1375 - struct dma_map_ops *ops = get_dma_ops(dev);
1376 + const struct dma_map_ops *ops = get_dma_ops(dev);
1378 if (unlikely(ops == NULL))
1380 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
1382 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1384 - struct dma_map_ops *ops = get_dma_ops(dev);
1385 + const struct dma_map_ops *ops = get_dma_ops(dev);
1386 if (ops->mapping_error)
1387 return ops->mapping_error(dev, dma_addr);
1389 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
1390 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1391 dma_addr_t *dma_handle, gfp_t flag)
1393 - struct dma_map_ops *ops = get_dma_ops(dev);
1394 + const struct dma_map_ops *ops = get_dma_ops(dev);
1398 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
1399 static inline void dma_free_coherent(struct device *dev, size_t size,
1400 void *cpu_addr, dma_addr_t dma_handle)
1402 - struct dma_map_ops *ops = get_dma_ops(dev);
1403 + const struct dma_map_ops *ops = get_dma_ops(dev);
1406 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1407 diff -urNp linux-2.6.36.2/arch/microblaze/include/asm/pci.h linux-2.6.36.2/arch/microblaze/include/asm/pci.h
1408 --- linux-2.6.36.2/arch/microblaze/include/asm/pci.h 2010-10-20 16:30:22.000000000 -0400
1409 +++ linux-2.6.36.2/arch/microblaze/include/asm/pci.h 2010-12-09 20:25:11.000000000 -0500
1410 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1414 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1415 -extern struct dma_map_ops *get_pci_dma_ops(void);
1416 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1417 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1418 #else /* CONFIG_PCI */
1419 #define set_pci_dma_ops(d)
1420 #define get_pci_dma_ops() NULL
1421 diff -urNp linux-2.6.36.2/arch/microblaze/kernel/dma.c linux-2.6.36.2/arch/microblaze/kernel/dma.c
1422 --- linux-2.6.36.2/arch/microblaze/kernel/dma.c 2010-10-20 16:30:22.000000000 -0400
1423 +++ linux-2.6.36.2/arch/microblaze/kernel/dma.c 2010-12-09 20:25:11.000000000 -0500
1424 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1425 __dma_sync_page(dma_address, 0 , size, direction);
1428 -struct dma_map_ops dma_direct_ops = {
1429 +const struct dma_map_ops dma_direct_ops = {
1430 .alloc_coherent = dma_direct_alloc_coherent,
1431 .free_coherent = dma_direct_free_coherent,
1432 .map_sg = dma_direct_map_sg,
1433 diff -urNp linux-2.6.36.2/arch/microblaze/kernel/kgdb.c linux-2.6.36.2/arch/microblaze/kernel/kgdb.c
1434 --- linux-2.6.36.2/arch/microblaze/kernel/kgdb.c 2010-10-20 16:30:22.000000000 -0400
1435 +++ linux-2.6.36.2/arch/microblaze/kernel/kgdb.c 2010-12-09 20:25:11.000000000 -0500
1436 @@ -142,6 +142,6 @@ void kgdb_arch_exit(void)
1440 -struct kgdb_arch arch_kgdb_ops = {
1441 +const struct kgdb_arch arch_kgdb_ops = {
1442 .gdb_bpt_instr = {0xba, 0x0c, 0x00, 0x18}, /* brki r16, 0x18 */
1444 diff -urNp linux-2.6.36.2/arch/microblaze/pci/pci-common.c linux-2.6.36.2/arch/microblaze/pci/pci-common.c
1445 --- linux-2.6.36.2/arch/microblaze/pci/pci-common.c 2010-10-20 16:30:22.000000000 -0400
1446 +++ linux-2.6.36.2/arch/microblaze/pci/pci-common.c 2010-12-09 20:25:11.000000000 -0500
1447 @@ -47,14 +47,14 @@ resource_size_t isa_mem_base;
1448 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1449 unsigned int pci_flags;
1451 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1452 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1454 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1455 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1457 pci_dma_ops = dma_ops;
1460 -struct dma_map_ops *get_pci_dma_ops(void)
1461 +const struct dma_map_ops *get_pci_dma_ops(void)
1465 diff -urNp linux-2.6.36.2/arch/mips/alchemy/devboards/pm.c linux-2.6.36.2/arch/mips/alchemy/devboards/pm.c
1466 --- linux-2.6.36.2/arch/mips/alchemy/devboards/pm.c 2010-10-20 16:30:22.000000000 -0400
1467 +++ linux-2.6.36.2/arch/mips/alchemy/devboards/pm.c 2010-12-09 20:25:03.000000000 -0500
1468 @@ -110,7 +110,7 @@ static void db1x_pm_end(void)
1472 -static struct platform_suspend_ops db1x_pm_ops = {
1473 +static const struct platform_suspend_ops db1x_pm_ops = {
1474 .valid = suspend_valid_only_mem,
1475 .begin = db1x_pm_begin,
1476 .enter = db1x_pm_enter,
1477 diff -urNp linux-2.6.36.2/arch/mips/include/asm/elf.h linux-2.6.36.2/arch/mips/include/asm/elf.h
1478 --- linux-2.6.36.2/arch/mips/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
1479 +++ linux-2.6.36.2/arch/mips/include/asm/elf.h 2010-12-09 20:25:03.000000000 -0500
1480 @@ -368,13 +368,16 @@ extern const char *__elf_platform;
1481 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1484 +#ifdef CONFIG_PAX_ASLR
1485 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1487 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1488 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1491 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1492 struct linux_binprm;
1493 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1497 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1498 -#define arch_randomize_brk arch_randomize_brk
1500 #endif /* _ASM_ELF_H */
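Review bot: Both arms of the conditional in `PAX_ELF_ET_DYN_BASE` are `0x00400000UL`, so the `test_thread_flag(TIF_32BIT_ADDR)` test has no effect. If a single base is intended, `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` says so directly; if the 64-bit case was meant to differ, the second value needs correcting. The identical definition is repeated in arch/mips/kernel/binfmt_elfn32.c and binfmt_elfo32.c. A comment giving the unit of the `PAX_DELTA_*_LEN` values would also help readers of `27-PAGE_SHIFT` and `36-PAGE_SHIFT`.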
1501 diff -urNp linux-2.6.36.2/arch/mips/include/asm/page.h linux-2.6.36.2/arch/mips/include/asm/page.h
1502 --- linux-2.6.36.2/arch/mips/include/asm/page.h 2010-10-20 16:30:22.000000000 -0400
1503 +++ linux-2.6.36.2/arch/mips/include/asm/page.h 2010-12-09 20:25:03.000000000 -0500
1504 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1505 #ifdef CONFIG_CPU_MIPS32
1506 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1507 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1508 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1509 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1511 typedef struct { unsigned long long pte; } pte_t;
1512 #define pte_val(x) ((x).pte)
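Review bot: The new `__pte(x)` initialises the high word with `(x) >> 32` after dropping the `(unsigned long long)` cast, and a shift by 32 is undefined behaviour in C whenever the argument has a 32-bit type. Unless every caller is known to pass a 64-bit value, keep the widening cast: `#define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })`. If the cast was removed on purpose, a comment stating that requirement on the argument belongs next to the macro.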
1513 diff -urNp linux-2.6.36.2/arch/mips/include/asm/system.h linux-2.6.36.2/arch/mips/include/asm/system.h
1514 --- linux-2.6.36.2/arch/mips/include/asm/system.h 2010-10-20 16:30:22.000000000 -0400
1515 +++ linux-2.6.36.2/arch/mips/include/asm/system.h 2010-12-09 20:25:03.000000000 -0500
1517 #include <asm/dsp.h>
1518 #include <asm/watch.h>
1519 #include <asm/war.h>
1520 +#include <asm/asm.h>
1524 @@ -234,6 +235,6 @@ extern void per_cpu_trap_init(void);
1526 #define __ARCH_WANT_UNLOCKED_CTXSW
1528 -extern unsigned long arch_align_stack(unsigned long sp);
1529 +#define arch_align_stack(x) ((x) & ALMASK)
1531 #endif /* _ASM_SYSTEM_H */
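Review bot: Turning `arch_align_stack` into the macro `((x) & ALMASK)` loses the `unsigned long` parameter and return types, and the comment explaining the ABI alignment requirement is deleted along with the function in arch/mips/kernel/process.c. A typed inline keeps the checking, `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ALMASK; }`, and the comment can move with it: `/* sp must be 8-byte aligned for the 32-bit ABI, 16-byte for the 64-bit ABI */`. The removed function also subtracted a random sub-page offset; if that randomisation now happens elsewhere in the patch, the comment should say where.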
1532 diff -urNp linux-2.6.36.2/arch/mips/jz4740/pm.c linux-2.6.36.2/arch/mips/jz4740/pm.c
1533 --- linux-2.6.36.2/arch/mips/jz4740/pm.c 2010-10-20 16:30:22.000000000 -0400
1534 +++ linux-2.6.36.2/arch/mips/jz4740/pm.c 2010-12-09 20:25:04.000000000 -0500
1535 @@ -42,7 +42,7 @@ static int jz4740_pm_enter(suspend_state
1539 -static struct platform_suspend_ops jz4740_pm_ops = {
1540 +static const struct platform_suspend_ops jz4740_pm_ops = {
1541 .valid = suspend_valid_only_mem,
1542 .enter = jz4740_pm_enter,
1544 diff -urNp linux-2.6.36.2/arch/mips/kernel/binfmt_elfn32.c linux-2.6.36.2/arch/mips/kernel/binfmt_elfn32.c
1545 --- linux-2.6.36.2/arch/mips/kernel/binfmt_elfn32.c 2010-10-20 16:30:22.000000000 -0400
1546 +++ linux-2.6.36.2/arch/mips/kernel/binfmt_elfn32.c 2010-12-09 20:25:04.000000000 -0500
1547 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1548 #undef ELF_ET_DYN_BASE
1549 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1551 +#ifdef CONFIG_PAX_ASLR
1552 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1554 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1555 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1558 #include <asm/processor.h>
1559 #include <linux/module.h>
1560 #include <linux/elfcore.h>
1561 diff -urNp linux-2.6.36.2/arch/mips/kernel/binfmt_elfo32.c linux-2.6.36.2/arch/mips/kernel/binfmt_elfo32.c
1562 --- linux-2.6.36.2/arch/mips/kernel/binfmt_elfo32.c 2010-10-20 16:30:22.000000000 -0400
1563 +++ linux-2.6.36.2/arch/mips/kernel/binfmt_elfo32.c 2010-12-09 20:25:04.000000000 -0500
1564 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1565 #undef ELF_ET_DYN_BASE
1566 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1568 +#ifdef CONFIG_PAX_ASLR
1569 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1571 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1572 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1575 #include <asm/processor.h>
1578 diff -urNp linux-2.6.36.2/arch/mips/kernel/kgdb.c linux-2.6.36.2/arch/mips/kernel/kgdb.c
1579 --- linux-2.6.36.2/arch/mips/kernel/kgdb.c 2010-10-20 16:30:22.000000000 -0400
1580 +++ linux-2.6.36.2/arch/mips/kernel/kgdb.c 2010-12-09 20:25:04.000000000 -0500
1581 @@ -351,6 +351,7 @@ int kgdb_arch_handle_exception(int vecto
1585 +/* cannot be const, see kgdb_arch_init */
1586 struct kgdb_arch arch_kgdb_ops;
1589 diff -urNp linux-2.6.36.2/arch/mips/kernel/process.c linux-2.6.36.2/arch/mips/kernel/process.c
1590 --- linux-2.6.36.2/arch/mips/kernel/process.c 2010-10-20 16:30:22.000000000 -0400
1591 +++ linux-2.6.36.2/arch/mips/kernel/process.c 2010-12-09 20:25:04.000000000 -0500
1592 @@ -474,15 +474,3 @@ unsigned long get_wchan(struct task_stru
1598 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1599 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1601 -unsigned long arch_align_stack(unsigned long sp)
1603 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1604 - sp -= get_random_int() & ~PAGE_MASK;
1606 - return sp & ALMASK;
1608 diff -urNp linux-2.6.36.2/arch/mips/kernel/syscall.c linux-2.6.36.2/arch/mips/kernel/syscall.c
1609 --- linux-2.6.36.2/arch/mips/kernel/syscall.c 2010-10-20 16:30:22.000000000 -0400
1610 +++ linux-2.6.36.2/arch/mips/kernel/syscall.c 2010-12-09 20:25:04.000000000 -0500
1611 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
1613 if (filp || (flags & MAP_SHARED))
1616 +#ifdef CONFIG_PAX_RANDMMAP
1617 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1622 addr = COLOUR_ALIGN(addr, pgoff);
1624 addr = PAGE_ALIGN(addr);
1625 vmm = find_vma(current->mm, addr);
1626 - if (task_size - len >= addr &&
1627 - (!vmm || addr + len <= vmm->vm_start))
1628 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1631 addr = current->mm->mmap_base;
1632 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
1633 /* At this point: (!vmm || addr < vmm->vm_end). */
1634 if (task_size - len < addr)
1636 - if (!vmm || addr + len <= vmm->vm_start)
1637 + if (check_heap_stack_gap(vmm, addr, len))
1641 @@ -168,19 +172,6 @@ static inline unsigned long brk_rnd(void
1645 -unsigned long arch_randomize_brk(struct mm_struct *mm)
1647 - unsigned long base = mm->brk;
1648 - unsigned long ret;
1650 - ret = PAGE_ALIGN(base + brk_rnd());
1652 - if (ret < mm->brk)
1658 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
1659 unsigned long, prot, unsigned long, flags, unsigned long,
1661 diff -urNp linux-2.6.36.2/arch/mips/loongson/common/pm.c linux-2.6.36.2/arch/mips/loongson/common/pm.c
1662 --- linux-2.6.36.2/arch/mips/loongson/common/pm.c 2010-10-20 16:30:22.000000000 -0400
1663 +++ linux-2.6.36.2/arch/mips/loongson/common/pm.c 2010-12-09 20:25:03.000000000 -0500
1664 @@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1668 -static struct platform_suspend_ops loongson_pm_ops = {
1669 +static const struct platform_suspend_ops loongson_pm_ops = {
1670 .valid = loongson_pm_valid_state,
1671 .enter = loongson_pm_enter,
1673 diff -urNp linux-2.6.36.2/arch/mips/mm/fault.c linux-2.6.36.2/arch/mips/mm/fault.c
1674 --- linux-2.6.36.2/arch/mips/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
1675 +++ linux-2.6.36.2/arch/mips/mm/fault.c 2010-12-09 20:25:04.000000000 -0500
1677 #include <asm/highmem.h> /* For VMALLOC_END */
1678 #include <linux/kdebug.h>
1680 +#ifdef CONFIG_PAX_PAGEEXEC
1681 +void pax_report_insns(void *pc, void *sp)
1685 + printk(KERN_ERR "PAX: bytes at PC: ");
1686 + for (i = 0; i < 5; i++) {
1688 + if (get_user(c, (unsigned int *)pc+i))
1689 + printk(KERN_CONT "???????? ");
1691 + printk(KERN_CONT "%08x ", c);
1698 * This routine handles page faults. It determines the address,
1699 * and the problem, and then passes it off to one of the appropriate
1700 diff -urNp linux-2.6.36.2/arch/parisc/include/asm/elf.h linux-2.6.36.2/arch/parisc/include/asm/elf.h
1701 --- linux-2.6.36.2/arch/parisc/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
1702 +++ linux-2.6.36.2/arch/parisc/include/asm/elf.h 2010-12-09 20:25:09.000000000 -0500
1703 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1705 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1707 +#ifdef CONFIG_PAX_ASLR
1708 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1710 +#define PAX_DELTA_MMAP_LEN 16
1711 +#define PAX_DELTA_STACK_LEN 16
1714 /* This yields a mask that user programs can use to figure out what
1715 instruction set this CPU supports. This could be done in user space,
1716 but it's not easy, and we've already done it here. */
1717 diff -urNp linux-2.6.36.2/arch/parisc/include/asm/pgtable.h linux-2.6.36.2/arch/parisc/include/asm/pgtable.h
1718 --- linux-2.6.36.2/arch/parisc/include/asm/pgtable.h 2010-10-20 16:30:22.000000000 -0400
1719 +++ linux-2.6.36.2/arch/parisc/include/asm/pgtable.h 2010-12-09 20:25:09.000000000 -0500
1720 @@ -207,6 +207,17 @@
1721 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1722 #define PAGE_COPY PAGE_EXECREAD
1723 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1725 +#ifdef CONFIG_PAX_PAGEEXEC
1726 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1727 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1728 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1730 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1731 +# define PAGE_COPY_NOEXEC PAGE_COPY
1732 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1735 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1736 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1737 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1738 diff -urNp linux-2.6.36.2/arch/parisc/kernel/module.c linux-2.6.36.2/arch/parisc/kernel/module.c
1739 --- linux-2.6.36.2/arch/parisc/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
1740 +++ linux-2.6.36.2/arch/parisc/kernel/module.c 2010-12-09 20:25:09.000000000 -0500
1743 /* three functions to determine where in the module core
1744 * or init pieces the location is */
1745 +static inline int in_init_rx(struct module *me, void *loc)
1747 + return (loc >= me->module_init_rx &&
1748 + loc < (me->module_init_rx + me->init_size_rx));
1751 +static inline int in_init_rw(struct module *me, void *loc)
1753 + return (loc >= me->module_init_rw &&
1754 + loc < (me->module_init_rw + me->init_size_rw));
1757 static inline int in_init(struct module *me, void *loc)
1759 - return (loc >= me->module_init &&
1760 - loc <= (me->module_init + me->init_size));
1761 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1764 +static inline int in_core_rx(struct module *me, void *loc)
1766 + return (loc >= me->module_core_rx &&
1767 + loc < (me->module_core_rx + me->core_size_rx));
1770 +static inline int in_core_rw(struct module *me, void *loc)
1772 + return (loc >= me->module_core_rw &&
1773 + loc < (me->module_core_rw + me->core_size_rw));
1776 static inline int in_core(struct module *me, void *loc)
1778 - return (loc >= me->module_core &&
1779 - loc <= (me->module_core + me->core_size));
1780 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1783 static inline int in_local(struct module *me, void *loc)
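Review bot: The comment kept above these helpers still says "three functions", but this hunk adds `in_init_rx()`, `in_init_rw()`, `in_core_rx()` and `in_core_rw()` next to `in_init()`, `in_core()` and `in_local()`. I would reword it to something like `/* helpers to determine whether a location lies in the module's init or core area; each area is split into an rx and an rw region */`. The new predicates compare with `<` against the end of the region where the removed code used `<=`, so the comment should also say that the end address is exclusive.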
1784 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1787 /* align things a bit */
1788 - me->core_size = ALIGN(me->core_size, 16);
1789 - me->arch.got_offset = me->core_size;
1790 - me->core_size += gots * sizeof(struct got_entry);
1792 - me->core_size = ALIGN(me->core_size, 16);
1793 - me->arch.fdesc_offset = me->core_size;
1794 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1795 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1796 + me->arch.got_offset = me->core_size_rw;
1797 + me->core_size_rw += gots * sizeof(struct got_entry);
1799 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1800 + me->arch.fdesc_offset = me->core_size_rw;
1801 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1803 me->arch.got_max = gots;
1804 me->arch.fdesc_max = fdescs;
1805 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1809 - got = me->module_core + me->arch.got_offset;
1810 + got = me->module_core_rw + me->arch.got_offset;
1811 for (i = 0; got[i].addr; i++)
1812 if (got[i].addr == value)
1814 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1816 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1818 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1819 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1822 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1823 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1825 /* Create new one */
1826 fdesc->addr = value;
1827 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1828 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1829 return (Elf_Addr)fdesc;
1831 #endif /* CONFIG_64BIT */
1832 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1834 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1835 end = table + sechdrs[me->arch.unwind_section].sh_size;
1836 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1837 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1839 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1840 me->arch.unwind_section, table, end, gp);
1841 diff -urNp linux-2.6.36.2/arch/parisc/kernel/sys_parisc.c linux-2.6.36.2/arch/parisc/kernel/sys_parisc.c
1842 --- linux-2.6.36.2/arch/parisc/kernel/sys_parisc.c 2010-10-20 16:30:22.000000000 -0400
1843 +++ linux-2.6.36.2/arch/parisc/kernel/sys_parisc.c 2010-12-09 20:25:09.000000000 -0500
1844 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1845 /* At this point: (!vma || addr < vma->vm_end). */
1846 if (TASK_SIZE - len < addr)
1848 - if (!vma || addr + len <= vma->vm_start)
1849 + if (check_heap_stack_gap(vma, addr, len))
1853 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1854 /* At this point: (!vma || addr < vma->vm_end). */
1855 if (TASK_SIZE - len < addr)
1857 - if (!vma || addr + len <= vma->vm_start)
1858 + if (check_heap_stack_gap(vma, addr, len))
1860 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1861 if (addr < vma->vm_end) /* handle wraparound */
1862 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1863 if (flags & MAP_FIXED)
1866 - addr = TASK_UNMAPPED_BASE;
1867 + addr = current->mm->mmap_base;
1870 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1871 diff -urNp linux-2.6.36.2/arch/parisc/kernel/traps.c linux-2.6.36.2/arch/parisc/kernel/traps.c
1872 --- linux-2.6.36.2/arch/parisc/kernel/traps.c 2010-10-20 16:30:22.000000000 -0400
1873 +++ linux-2.6.36.2/arch/parisc/kernel/traps.c 2010-12-09 20:25:09.000000000 -0500
1874 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1876 down_read(¤t->mm->mmap_sem);
1877 vma = find_vma(current->mm,regs->iaoq[0]);
1878 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1879 - && (vma->vm_flags & VM_EXEC)) {
1881 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1882 fault_address = regs->iaoq[0];
1883 fault_space = regs->iasq[0];
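Review bot: Dropping the `vma->vm_flags & VM_EXEC` test at the `find_vma()` check means every instruction-address trap that lands inside a mapping now takes this branch, executable or not, and nothing in the hunk says why. Presumably the intent is that fetches from non-executable mappings reach the page-fault path, where the PAGEEXEC handling added in arch/parisc/mm/fault.c can report them. That is an inference from the rest of the patch and should be stated in a comment, e.g. `/* no VM_EXEC test here: fetches from non-executable mappings must also reach the fault handler */`. `handle_interruption()` starts and ends outside the hunk, so the code that consumes `fault_address` was not reviewed.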
1885 diff -urNp linux-2.6.36.2/arch/parisc/mm/fault.c linux-2.6.36.2/arch/parisc/mm/fault.c
1886 --- linux-2.6.36.2/arch/parisc/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
1887 +++ linux-2.6.36.2/arch/parisc/mm/fault.c 2010-12-09 20:25:09.000000000 -0500
1889 #include <linux/sched.h>
1890 #include <linux/interrupt.h>
1891 #include <linux/module.h>
1892 +#include <linux/unistd.h>
1894 #include <asm/uaccess.h>
1895 #include <asm/traps.h>
1896 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1897 static unsigned long
1898 parisc_acctyp(unsigned long code, unsigned int inst)
1900 - if (code == 6 || code == 16)
1901 + if (code == 6 || code == 7 || code == 16)
1904 switch (inst & 0xf0000000) {
1905 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1909 +#ifdef CONFIG_PAX_PAGEEXEC
1911 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1913 + * returns 1 when task should be killed
1914 + * 2 when rt_sigreturn trampoline was detected
1915 + * 3 when unpatched PLT trampoline was detected
1917 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1920 +#ifdef CONFIG_PAX_EMUPLT
1923 + do { /* PaX: unpatched PLT emulation */
1924 + unsigned int bl, depwi;
1926 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1927 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1932 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1933 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1935 + err = get_user(ldw, (unsigned int *)addr);
1936 + err |= get_user(bv, (unsigned int *)(addr+4));
1937 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1942 + if (ldw == 0x0E801096U &&
1943 + bv == 0xEAC0C000U &&
1944 + ldw2 == 0x0E881095U)
1946 + unsigned int resolver, map;
1948 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1949 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1953 + regs->gr[20] = instruction_pointer(regs)+8;
1954 + regs->gr[21] = map;
1955 + regs->gr[22] = resolver;
1956 + regs->iaoq[0] = resolver | 3UL;
1957 + regs->iaoq[1] = regs->iaoq[0] + 4;
1964 +#ifdef CONFIG_PAX_EMUTRAMP
1966 +#ifndef CONFIG_PAX_EMUSIGRT
1967 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1971 + do { /* PaX: rt_sigreturn emulation */
1972 + unsigned int ldi1, ldi2, bel, nop;
1974 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1975 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1976 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1977 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1982 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1983 + ldi2 == 0x3414015AU &&
1984 + bel == 0xE4008200U &&
1985 + nop == 0x08000240U)
1987 + regs->gr[25] = (ldi1 & 2) >> 1;
1988 + regs->gr[20] = __NR_rt_sigreturn;
1989 + regs->gr[31] = regs->iaoq[1] + 16;
1990 + regs->sr[0] = regs->iasq[1];
1991 + regs->iaoq[0] = 0x100UL;
1992 + regs->iaoq[1] = regs->iaoq[0] + 4;
1993 + regs->iasq[0] = regs->sr[2];
1994 + regs->iasq[1] = regs->sr[2];
2003 +void pax_report_insns(void *pc, void *sp)
2007 + printk(KERN_ERR "PAX: bytes at PC: ");
2008 + for (i = 0; i < 5; i++) {
2010 + if (get_user(c, (unsigned int *)pc+i))
2011 + printk(KERN_CONT "???????? ");
2013 + printk(KERN_CONT "%08x ", c);
2019 int fixup_exception(struct pt_regs *regs)
2021 const struct exception_table_entry *fix;
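Review bot: In the PLT emulation of `pax_handle_fetch_fault()`, `addr` is declared in the `unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;` list and then cast straight to a pointer in `get_user(ldw, (unsigned int *)addr)`. On a 64-bit kernel that narrows the instruction pointer to 32 bits before it is used as an address and is an integer-to-pointer cast of a different size. Declaring it separately as `unsigned long addr = instruction_pointer(regs) - 12;` avoids both. Whether this path can run with an address above 4 GiB is not visible here. Lines of the function are missing from the hunk, so the `err` checks between the reads were not reviewed.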
2022 @@ -192,8 +303,33 @@ good_area:
2024 acc_type = parisc_acctyp(code,regs->iir);
2026 - if ((vma->vm_flags & acc_type) != acc_type)
2027 + if ((vma->vm_flags & acc_type) != acc_type) {
2029 +#ifdef CONFIG_PAX_PAGEEXEC
2030 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
2031 + (address & ~3UL) == instruction_pointer(regs))
2033 + up_read(&mm->mmap_sem);
2034 + switch (pax_handle_fetch_fault(regs)) {
2036 +#ifdef CONFIG_PAX_EMUPLT
2041 +#ifdef CONFIG_PAX_EMUTRAMP
2047 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
2048 + do_group_exit(SIGKILL);
2056 * If for any reason at all we couldn't handle the fault, make
2057 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/device.h linux-2.6.36.2/arch/powerpc/include/asm/device.h
2058 --- linux-2.6.36.2/arch/powerpc/include/asm/device.h 2010-10-20 16:30:22.000000000 -0400
2059 +++ linux-2.6.36.2/arch/powerpc/include/asm/device.h 2010-12-09 20:25:05.000000000 -0500
2060 @@ -11,7 +11,7 @@ struct device_node;
2062 struct dev_archdata {
2063 /* DMA operations on that device */
2064 - struct dma_map_ops *dma_ops;
2065 + const struct dma_map_ops *dma_ops;
2068 * When an iommu is in use, dma_data is used as a ptr to the base of the
2069 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/dma-mapping.h linux-2.6.36.2/arch/powerpc/include/asm/dma-mapping.h
2070 --- linux-2.6.36.2/arch/powerpc/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
2071 +++ linux-2.6.36.2/arch/powerpc/include/asm/dma-mapping.h 2010-12-09 20:25:05.000000000 -0500
2072 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
2074 * Available generic sets of operations
2076 +/* cannot be const */
2078 extern struct dma_map_ops dma_iommu_ops;
2080 -extern struct dma_map_ops dma_direct_ops;
2081 +extern const struct dma_map_ops dma_direct_ops;
2083 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2084 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2086 /* We don't handle the NULL dev case for ISA for now. We could
2087 * do it via an out of line call but it is not needed for now. The
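Review bot: The added `/* cannot be const */` above `dma_iommu_ops` gives no reason, so the next person constifying these tables has nothing to go on. The definition in arch/powerpc/kernel/dma-iommu.c, changed by this same patch, carries the pointer that is missing here. I would use the same wording in the header: `/* cannot be const, see arch/powerpc/platforms/cell/iommu.c */`.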
2088 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
2089 return dev->archdata.dma_ops;
2092 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2093 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2095 dev->archdata.dma_ops = ops;
2097 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
2099 static inline int dma_supported(struct device *dev, u64 mask)
2101 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2102 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2104 if (unlikely(dma_ops == NULL))
2106 @@ -129,7 +130,7 @@ static inline int dma_supported(struct d
2108 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2110 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2111 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2113 if (unlikely(dma_ops == NULL))
2115 @@ -144,7 +145,7 @@ static inline int dma_set_mask(struct de
2116 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2117 dma_addr_t *dma_handle, gfp_t flag)
2119 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2120 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2124 @@ -159,7 +160,7 @@ static inline void *dma_alloc_coherent(s
2125 static inline void dma_free_coherent(struct device *dev, size_t size,
2126 void *cpu_addr, dma_addr_t dma_handle)
2128 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2129 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2133 @@ -170,7 +171,7 @@ static inline void dma_free_coherent(str
2135 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2137 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2138 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2140 if (dma_ops->mapping_error)
2141 return dma_ops->mapping_error(dev, dma_addr);
2142 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/elf.h linux-2.6.36.2/arch/powerpc/include/asm/elf.h
2143 --- linux-2.6.36.2/arch/powerpc/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
2144 +++ linux-2.6.36.2/arch/powerpc/include/asm/elf.h 2010-12-09 20:25:05.000000000 -0500
2145 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2146 the loader. We need to make sure that it is out of the way of the program
2147 that it will "exec", and that there is sufficient room for the brk. */
2149 -extern unsigned long randomize_et_dyn(unsigned long base);
2150 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2151 +#define ELF_ET_DYN_BASE (0x20000000)
2153 +#ifdef CONFIG_PAX_ASLR
2154 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2156 +#ifdef __powerpc64__
2157 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2158 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2160 +#define PAX_DELTA_MMAP_LEN 15
2161 +#define PAX_DELTA_STACK_LEN 15
2166 * Our registers are always unsigned longs, whether we're a 32 bit
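Review bot: `ELF_ET_DYN_BASE` becomes the fixed value `(0x20000000)` unconditionally, while the replacement `PAX_ELF_ET_DYN_BASE` and the `PAX_DELTA_*` lengths exist only under `#ifdef CONFIG_PAX_ASLR`. A kernel built from this tree with that option off therefore appears to lose the `randomize_et_dyn()` base randomization with nothing in its place. The next hunk removes the `arch_randomize_brk` hook in the same way, and asm/system.h turns `arch_align_stack()` into a pure alignment macro. If that configuration is meant to be supported, the stock definition could stay under `#ifndef CONFIG_PAX_ASLR`, e.g. `#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))`; otherwise the trade-off should be stated in a comment here. The definitions of these functions are outside the visible hunks.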
2167 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2168 (0x7ff >> (PAGE_SHIFT - 12)) : \
2169 (0x3ffff >> (PAGE_SHIFT - 12)))
2171 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2172 -#define arch_randomize_brk arch_randomize_brk
2174 #endif /* __KERNEL__ */
2177 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/iommu.h linux-2.6.36.2/arch/powerpc/include/asm/iommu.h
2178 --- linux-2.6.36.2/arch/powerpc/include/asm/iommu.h 2010-10-20 16:30:22.000000000 -0400
2179 +++ linux-2.6.36.2/arch/powerpc/include/asm/iommu.h 2010-12-09 20:25:05.000000000 -0500
2180 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2181 extern void iommu_init_early_dart(void);
2182 extern void iommu_init_early_pasemi(void);
2185 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2188 extern void pci_iommu_init(void);
2189 extern void pci_direct_iommu_init(void);
2190 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/kmap_types.h linux-2.6.36.2/arch/powerpc/include/asm/kmap_types.h
2191 --- linux-2.6.36.2/arch/powerpc/include/asm/kmap_types.h 2010-10-20 16:30:22.000000000 -0400
2192 +++ linux-2.6.36.2/arch/powerpc/include/asm/kmap_types.h 2010-12-09 20:25:05.000000000 -0500
2193 @@ -27,6 +27,7 @@ enum km_type {
2201 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/page_64.h linux-2.6.36.2/arch/powerpc/include/asm/page_64.h
2202 --- linux-2.6.36.2/arch/powerpc/include/asm/page_64.h 2010-10-20 16:30:22.000000000 -0400
2203 +++ linux-2.6.36.2/arch/powerpc/include/asm/page_64.h 2010-12-09 20:25:05.000000000 -0500
2204 @@ -172,15 +172,18 @@ do { \
2205 * stack by default, so in the absense of a PT_GNU_STACK program header
2206 * we turn execute permission off.
2208 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2209 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2210 +#define VM_STACK_DEFAULT_FLAGS32 \
2211 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2212 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2214 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2215 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2217 +#ifndef CONFIG_PAX_PAGEEXEC
2218 #define VM_STACK_DEFAULT_FLAGS \
2219 (test_thread_flag(TIF_32BIT) ? \
2220 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2223 #include <asm-generic/getorder.h>
2225 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/page.h linux-2.6.36.2/arch/powerpc/include/asm/page.h
2226 --- linux-2.6.36.2/arch/powerpc/include/asm/page.h 2010-10-20 16:30:22.000000000 -0400
2227 +++ linux-2.6.36.2/arch/powerpc/include/asm/page.h 2010-12-09 20:25:05.000000000 -0500
2228 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2229 * and needs to be executable. This means the whole heap ends
2230 * up being executable.
2232 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2233 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2234 +#define VM_DATA_DEFAULT_FLAGS32 \
2235 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2236 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2238 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2239 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
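Review bot: The context comment above `VM_DATA_DEFAULT_FLAGS32` still ends with "This means the whole heap ends up being executable", which no longer describes the macro now that `VM_EXEC` is set only when `current->personality & READ_IMPLIES_EXEC`. I would add a sentence to it such as `After this change the heap is executable only for tasks with READ_IMPLIES_EXEC set.` The macro also now dereferences `current`, so every user of this header needs a definition of it in scope; `VM_STACK_DEFAULT_FLAGS32` in asm/page_64.h gets the same conditional. The start of the comment is outside the hunk.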
2240 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2241 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2244 +#define ktla_ktva(addr) (addr)
2245 +#define ktva_ktla(addr) (addr)
2247 #ifndef __ASSEMBLY__
2249 #undef STRICT_MM_TYPECHECKS
2250 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/pci.h linux-2.6.36.2/arch/powerpc/include/asm/pci.h
2251 --- linux-2.6.36.2/arch/powerpc/include/asm/pci.h 2010-10-20 16:30:22.000000000 -0400
2252 +++ linux-2.6.36.2/arch/powerpc/include/asm/pci.h 2010-12-09 20:25:05.000000000 -0500
2253 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2257 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2258 -extern struct dma_map_ops *get_pci_dma_ops(void);
2259 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2260 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2261 #else /* CONFIG_PCI */
2262 #define set_pci_dma_ops(d)
2263 #define get_pci_dma_ops() NULL
2264 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/pte-hash32.h linux-2.6.36.2/arch/powerpc/include/asm/pte-hash32.h
2265 --- linux-2.6.36.2/arch/powerpc/include/asm/pte-hash32.h 2010-10-20 16:30:22.000000000 -0400
2266 +++ linux-2.6.36.2/arch/powerpc/include/asm/pte-hash32.h 2010-12-09 20:25:05.000000000 -0500
2268 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2269 #define _PAGE_USER 0x004 /* usermode access allowed */
2270 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2271 +#define _PAGE_EXEC _PAGE_GUARDED
2272 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2273 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2274 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
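Review bot: `_PAGE_EXEC` is defined as an alias of `_PAGE_GUARDED` with no comment, although every neighbouring bit in this table is documented. With this define, code that sets or tests one flag also sets or tests the other, and a reader has to find the `DSISR_GUARDED` addition in asm/reg.h to guess the intent. A trailing comment in the style of the neighbours, e.g. `/* shares the G bit, see DSISR_GUARDED */`, would make the aliasing explicit. The code that consumes the flag is not in this hunk, so the exact semantics should be confirmed before wording it more strongly.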
2275 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/reg.h linux-2.6.36.2/arch/powerpc/include/asm/reg.h
2276 --- linux-2.6.36.2/arch/powerpc/include/asm/reg.h 2010-10-20 16:30:22.000000000 -0400
2277 +++ linux-2.6.36.2/arch/powerpc/include/asm/reg.h 2010-12-09 20:25:05.000000000 -0500
2279 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2280 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2281 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2282 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2283 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2284 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2285 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2286 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/swiotlb.h linux-2.6.36.2/arch/powerpc/include/asm/swiotlb.h
2287 --- linux-2.6.36.2/arch/powerpc/include/asm/swiotlb.h 2010-10-20 16:30:22.000000000 -0400
2288 +++ linux-2.6.36.2/arch/powerpc/include/asm/swiotlb.h 2010-12-09 20:25:05.000000000 -0500
2291 #include <linux/swiotlb.h>
2293 -extern struct dma_map_ops swiotlb_dma_ops;
2294 +extern const struct dma_map_ops swiotlb_dma_ops;
2296 static inline void dma_mark_clean(void *addr, size_t size) {}
2298 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/system.h linux-2.6.36.2/arch/powerpc/include/asm/system.h
2299 --- linux-2.6.36.2/arch/powerpc/include/asm/system.h 2010-10-20 16:30:22.000000000 -0400
2300 +++ linux-2.6.36.2/arch/powerpc/include/asm/system.h 2010-12-09 20:25:05.000000000 -0500
2301 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2302 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2305 -extern unsigned long arch_align_stack(unsigned long sp);
2306 +#define arch_align_stack(x) ((x) & ~0xfUL)
2308 /* Used in very early kernel initialization. */
2309 extern unsigned long reloc_offset(void);
2310 diff -urNp linux-2.6.36.2/arch/powerpc/include/asm/uaccess.h linux-2.6.36.2/arch/powerpc/include/asm/uaccess.h
2311 --- linux-2.6.36.2/arch/powerpc/include/asm/uaccess.h 2010-10-20 16:30:22.000000000 -0400
2312 +++ linux-2.6.36.2/arch/powerpc/include/asm/uaccess.h 2010-12-09 20:25:05.000000000 -0500
2314 #define VERIFY_READ 0
2315 #define VERIFY_WRITE 1
2317 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2320 * The fs value determines whether argument validity checking should be
2321 * performed or not. If get_fs() == USER_DS, checking is performed, with
2322 @@ -327,52 +329,6 @@ do { \
2323 extern unsigned long __copy_tofrom_user(void __user *to,
2324 const void __user *from, unsigned long size);
2326 -#ifndef __powerpc64__
2328 -static inline unsigned long copy_from_user(void *to,
2329 - const void __user *from, unsigned long n)
2331 - unsigned long over;
2333 - if (access_ok(VERIFY_READ, from, n))
2334 - return __copy_tofrom_user((__force void __user *)to, from, n);
2335 - if ((unsigned long)from < TASK_SIZE) {
2336 - over = (unsigned long)from + n - TASK_SIZE;
2337 - return __copy_tofrom_user((__force void __user *)to, from,
2343 -static inline unsigned long copy_to_user(void __user *to,
2344 - const void *from, unsigned long n)
2346 - unsigned long over;
2348 - if (access_ok(VERIFY_WRITE, to, n))
2349 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2350 - if ((unsigned long)to < TASK_SIZE) {
2351 - over = (unsigned long)to + n - TASK_SIZE;
2352 - return __copy_tofrom_user(to, (__force void __user *)from,
2358 -#else /* __powerpc64__ */
2360 -#define __copy_in_user(to, from, size) \
2361 - __copy_tofrom_user((to), (from), (size))
2363 -extern unsigned long copy_from_user(void *to, const void __user *from,
2365 -extern unsigned long copy_to_user(void __user *to, const void *from,
2367 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2370 -#endif /* __powerpc64__ */
2372 static inline unsigned long __copy_from_user_inatomic(void *to,
2373 const void __user *from, unsigned long n)
2375 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2380 + if (!__builtin_constant_p(n))
2381 + check_object_size(to, n, false);
2383 return __copy_tofrom_user((__force void __user *)to, from, n);
2386 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2391 + if (!__builtin_constant_p(n))
2392 + check_object_size(from, n, true);
2394 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2397 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2398 return __copy_to_user_inatomic(to, from, size);
2401 +#ifndef __powerpc64__
2403 +static inline unsigned long __must_check copy_from_user(void *to,
2404 + const void __user *from, unsigned long n)
2406 + unsigned long over;
2411 + if (access_ok(VERIFY_READ, from, n)) {
2412 + if (!__builtin_constant_p(n))
2413 + check_object_size(to, n, false);
2414 + return __copy_tofrom_user((__force void __user *)to, from, n);
2416 + if ((unsigned long)from < TASK_SIZE) {
2417 + over = (unsigned long)from + n - TASK_SIZE;
2418 + if (!__builtin_constant_p(n - over))
2419 + check_object_size(to, n - over, false);
2420 + return __copy_tofrom_user((__force void __user *)to, from,
2426 +static inline unsigned long __must_check copy_to_user(void __user *to,
2427 + const void *from, unsigned long n)
2429 + unsigned long over;
2434 + if (access_ok(VERIFY_WRITE, to, n)) {
2435 + if (!__builtin_constant_p(n))
2436 + check_object_size(from, n, true);
2437 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2439 + if ((unsigned long)to < TASK_SIZE) {
2440 + over = (unsigned long)to + n - TASK_SIZE;
2441 + if (!__builtin_constant_p(n))
2442 + check_object_size(from, n - over, true);
2443 + return __copy_tofrom_user(to, (__force void __user *)from,
2449 +#else /* __powerpc64__ */
2451 +#define __copy_in_user(to, from, size) \
2452 + __copy_tofrom_user((to), (from), (size))
2454 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2456 + if ((long)n < 0 || n > INT_MAX)
2459 + if (!__builtin_constant_p(n))
2460 + check_object_size(to, n, false);
2462 + if (likely(access_ok(VERIFY_READ, from, n)))
2463 + n = __copy_from_user(to, from, n);
2469 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2471 + if ((long)n < 0 || n > INT_MAX)
2474 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2475 + if (!__builtin_constant_p(n))
2476 + check_object_size(from, n, true);
2477 + n = __copy_to_user(to, from, n);
2482 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2485 +#endif /* __powerpc64__ */
2487 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2489 static inline unsigned long clear_user(void __user *addr, unsigned long size)
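Review bot: In the 32-bit `copy_to_user()` the partial-copy branch tests `__builtin_constant_p(n)` but then checks `n - over`, while the matching branch of `copy_from_user()` tests `__builtin_constant_p(n - over)`. The two should agree, so the line should read `if (!__builtin_constant_p(n - over))`. In the 64-bit variants, `copy_from_user()` calls `check_object_size()` before `access_ok()`, whereas `copy_to_user()` calls it only after `access_ok()` succeeds; using one order for both makes the hardening easier to audit. The `(long)n < 0` term is already covered by `n > INT_MAX` because `n` is `unsigned long`. Several body lines are missing from the hunk, so the return paths were not reviewed.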
2490 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/dma.c linux-2.6.36.2/arch/powerpc/kernel/dma.c
2491 --- linux-2.6.36.2/arch/powerpc/kernel/dma.c 2010-10-20 16:30:22.000000000 -0400
2492 +++ linux-2.6.36.2/arch/powerpc/kernel/dma.c 2010-12-09 20:25:06.000000000 -0500
2493 @@ -135,7 +135,7 @@ static inline void dma_direct_sync_singl
2497 -struct dma_map_ops dma_direct_ops = {
2498 +const struct dma_map_ops dma_direct_ops = {
2499 .alloc_coherent = dma_direct_alloc_coherent,
2500 .free_coherent = dma_direct_free_coherent,
2501 .map_sg = dma_direct_map_sg,
2502 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/dma-iommu.c linux-2.6.36.2/arch/powerpc/kernel/dma-iommu.c
2503 --- linux-2.6.36.2/arch/powerpc/kernel/dma-iommu.c 2010-10-20 16:30:22.000000000 -0400
2504 +++ linux-2.6.36.2/arch/powerpc/kernel/dma-iommu.c 2010-12-09 20:25:05.000000000 -0500
2505 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2508 /* We support DMA to/from any memory page via the iommu */
2509 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2510 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2512 struct iommu_table *tbl = get_iommu_table_base(dev);
2514 @@ -89,6 +89,7 @@ static int dma_iommu_dma_supported(struc
2518 +/* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
2519 struct dma_map_ops dma_iommu_ops = {
2520 .alloc_coherent = dma_iommu_alloc_coherent,
2521 .free_coherent = dma_iommu_free_coherent,
2522 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.36.2/arch/powerpc/kernel/dma-swiotlb.c
2523 --- linux-2.6.36.2/arch/powerpc/kernel/dma-swiotlb.c 2010-10-20 16:30:22.000000000 -0400
2524 +++ linux-2.6.36.2/arch/powerpc/kernel/dma-swiotlb.c 2010-12-09 20:25:05.000000000 -0500
2525 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2526 * map_page, and unmap_page on highmem, use normal dma_ops
2527 * for everything else.
2529 -struct dma_map_ops swiotlb_dma_ops = {
2530 +const struct dma_map_ops swiotlb_dma_ops = {
2531 .alloc_coherent = dma_direct_alloc_coherent,
2532 .free_coherent = dma_direct_free_coherent,
2533 .map_sg = swiotlb_map_sg_attrs,
2534 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/exceptions-64e.S linux-2.6.36.2/arch/powerpc/kernel/exceptions-64e.S
2535 --- linux-2.6.36.2/arch/powerpc/kernel/exceptions-64e.S 2010-10-20 16:30:22.000000000 -0400
2536 +++ linux-2.6.36.2/arch/powerpc/kernel/exceptions-64e.S 2010-12-09 20:25:06.000000000 -0500
2537 @@ -495,6 +495,7 @@ storage_fault_common:
2540 addi r3,r1,STACK_FRAME_OVERHEAD
2544 ld r14,PACA_EXGEN+EX_R14(r13)
2545 @@ -504,8 +505,7 @@ storage_fault_common:
2548 b .ret_from_except_lite
2552 addi r3,r1,STACK_FRAME_OVERHEAD
2555 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/exceptions-64s.S linux-2.6.36.2/arch/powerpc/kernel/exceptions-64s.S
2556 --- linux-2.6.36.2/arch/powerpc/kernel/exceptions-64s.S 2010-10-20 16:30:22.000000000 -0400
2557 +++ linux-2.6.36.2/arch/powerpc/kernel/exceptions-64s.S 2010-12-09 20:25:06.000000000 -0500
2558 @@ -841,10 +841,10 @@ handle_page_fault:
2561 addi r3,r1,STACK_FRAME_OVERHEAD
2568 addi r3,r1,STACK_FRAME_OVERHEAD
2570 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/ibmebus.c linux-2.6.36.2/arch/powerpc/kernel/ibmebus.c
2571 --- linux-2.6.36.2/arch/powerpc/kernel/ibmebus.c 2010-10-20 16:30:22.000000000 -0400
2572 +++ linux-2.6.36.2/arch/powerpc/kernel/ibmebus.c 2010-12-09 20:25:05.000000000 -0500
2573 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2577 -static struct dma_map_ops ibmebus_dma_ops = {
2578 +static const struct dma_map_ops ibmebus_dma_ops = {
2579 .alloc_coherent = ibmebus_alloc_coherent,
2580 .free_coherent = ibmebus_free_coherent,
2581 .map_sg = ibmebus_map_sg,
2582 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/kgdb.c linux-2.6.36.2/arch/powerpc/kernel/kgdb.c
2583 --- linux-2.6.36.2/arch/powerpc/kernel/kgdb.c 2010-10-20 16:30:22.000000000 -0400
2584 +++ linux-2.6.36.2/arch/powerpc/kernel/kgdb.c 2010-12-09 20:25:05.000000000 -0500
2585 @@ -360,7 +360,7 @@ int kgdb_arch_handle_exception(int vecto
2589 -struct kgdb_arch arch_kgdb_ops = {
2590 +const struct kgdb_arch arch_kgdb_ops = {
2591 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2594 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/module_32.c linux-2.6.36.2/arch/powerpc/kernel/module_32.c
2595 --- linux-2.6.36.2/arch/powerpc/kernel/module_32.c 2010-10-20 16:30:22.000000000 -0400
2596 +++ linux-2.6.36.2/arch/powerpc/kernel/module_32.c 2010-12-09 20:25:05.000000000 -0500
2597 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2598 me->arch.core_plt_section = i;
2600 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2601 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2602 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2606 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2608 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2609 /* Init, or core PLT? */
2610 - if (location >= mod->module_core
2611 - && location < mod->module_core + mod->core_size)
2612 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2613 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2614 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2616 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2617 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2618 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2620 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2624 /* Find this entry, or if that fails, the next avail. entry */
2625 while (entry->jump[0]) {
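Review bot: The four open-coded range tests on `location` pair each base with its size by hand, so one mismatched pair (for example `module_core_rx` with `core_size_rw`) would silently pick the wrong PLT section. A small static helper makes each pairing checkable at a glance, e.g. `static inline bool in_region(const void *p, const void *base, unsigned long size) { return p >= base && p < base + size; }` (the name is a suggestion). The new else branch logs `invalid R_PPC_REL24 entry found`, but the value it returns is not in this view. It is worth confirming that the caller tests for that value before using the result as a branch target.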
2626 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/module.c linux-2.6.36.2/arch/powerpc/kernel/module.c
2627 --- linux-2.6.36.2/arch/powerpc/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
2628 +++ linux-2.6.36.2/arch/powerpc/kernel/module.c 2010-12-09 20:25:06.000000000 -0500
2631 LIST_HEAD(module_bug_list);
2633 +#ifdef CONFIG_PAX_KERNEXEC
2634 void *module_alloc(unsigned long size)
2639 + return vmalloc(size);
2642 +void *module_alloc_exec(unsigned long size)
2644 +void *module_alloc(unsigned long size)
2651 return vmalloc_exec(size);
2654 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2655 vfree(module_region);
2658 +#ifdef CONFIG_PAX_KERNEXEC
2659 +void module_free_exec(struct module *mod, void *module_region)
2661 + module_free(mod, module_region);
2665 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2666 const Elf_Shdr *sechdrs,
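Review bot: `module_free_exec` is added with no comment explaining why it can forward straight to `module_free` on this architecture. A one-line comment such as `/* powerpc: the exec region needs no permission change before it is freed */` would record the assumption, which should be checked against the other architectures' versions. The allocation split in the hunk above is likewise undocumented: under CONFIG_PAX_KERNEXEC `module_alloc` returns plain `vmalloc` memory, and the `vmalloc_exec` variant is used otherwise. Parts of both function bodies are not in this view.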
2668 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/pci-common.c linux-2.6.36.2/arch/powerpc/kernel/pci-common.c
2669 --- linux-2.6.36.2/arch/powerpc/kernel/pci-common.c 2010-10-20 16:30:22.000000000 -0400
2670 +++ linux-2.6.36.2/arch/powerpc/kernel/pci-common.c 2010-12-09 20:25:05.000000000 -0500
2671 @@ -52,14 +52,14 @@ resource_size_t isa_mem_base;
2672 unsigned int ppc_pci_flags = 0;
2675 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2676 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2678 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2679 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2681 pci_dma_ops = dma_ops;
2684 -struct dma_map_ops *get_pci_dma_ops(void)
2685 +const struct dma_map_ops *get_pci_dma_ops(void)
2689 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/process.c linux-2.6.36.2/arch/powerpc/kernel/process.c
2690 --- linux-2.6.36.2/arch/powerpc/kernel/process.c 2010-10-20 16:30:22.000000000 -0400
2691 +++ linux-2.6.36.2/arch/powerpc/kernel/process.c 2010-12-09 20:25:05.000000000 -0500
2692 @@ -654,8 +654,8 @@ void show_regs(struct pt_regs * regs)
2693 * Lookup NIP late so we have the best change of getting the
2694 * above info out without failing
2696 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2697 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2698 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2699 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2701 show_stack(current, (unsigned long *) regs->gpr[1]);
2702 if (!user_mode(regs))
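Review bot: `%pA` is not defined anywhere in this view, so the printk changes in this file depend on a vsprintf extension supplied elsewhere in the patch. That covers this show_regs hunk and the two show_stack hunks below. If the extension is missing or configured out, the NIP/LR lines of an oops would lose their symbol decoding, which makes crash triage harder. A short comment at the first use, e.g. `/* %pA: symbol-printing variant provided by the PaX vsprintf change */`, would make the dependency visible. The exact semantics of `%pA` should be confirmed against its definition.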
2703 @@ -1145,10 +1145,10 @@ void show_stack(struct task_struct *tsk,
2705 ip = stack[STACK_FRAME_LR_SAVE];
2706 if (!firstframe || ip != lr) {
2707 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2708 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2709 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2710 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2713 (void *)current->ret_stack[curr_frame].ret);
2716 @@ -1168,7 +1168,7 @@ void show_stack(struct task_struct *tsk,
2717 struct pt_regs *regs = (struct pt_regs *)
2718 (sp + STACK_FRAME_OVERHEAD);
2720 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2721 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2722 regs->trap, (void *)regs->nip, (void *)lr);
2725 @@ -1244,61 +1244,6 @@ void thread_info_cache_init(void)
2727 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2729 -unsigned long arch_align_stack(unsigned long sp)
2731 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2732 - sp -= get_random_int() & ~PAGE_MASK;
2736 -static inline unsigned long brk_rnd(void)
2738 - unsigned long rnd = 0;
2740 - /* 8MB for 32bit, 1GB for 64bit */
2741 - if (is_32bit_task())
2742 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2744 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2746 - return rnd << PAGE_SHIFT;
2749 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2751 - unsigned long base = mm->brk;
2752 - unsigned long ret;
2754 -#ifdef CONFIG_PPC_STD_MMU_64
2756 - * If we are using 1TB segments and we are allowed to randomise
2757 - * the heap, we can put it above 1TB so it is backed by a 1TB
2758 - * segment. Otherwise the heap will be in the bottom 1TB
2759 - * which always uses 256MB segments and this may result in a
2760 - * performance penalty.
2762 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2763 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2766 - ret = PAGE_ALIGN(base + brk_rnd());
2768 - if (ret < mm->brk)
2774 -unsigned long randomize_et_dyn(unsigned long base)
2776 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2785 int arch_sd_sibling_asym_packing(void)
2787 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/signal_32.c linux-2.6.36.2/arch/powerpc/kernel/signal_32.c
2788 --- linux-2.6.36.2/arch/powerpc/kernel/signal_32.c 2010-10-20 16:30:22.000000000 -0400
2789 +++ linux-2.6.36.2/arch/powerpc/kernel/signal_32.c 2010-12-09 20:25:06.000000000 -0500
2790 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
2791 /* Save user registers on the stack */
2792 frame = &rt_sf->uc.uc_mcontext;
2794 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2795 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2796 if (save_user_regs(regs, frame, 0, 1))
2798 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
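Review bot: The "no vDSO" marker changes from 0 to a bare `~0UL` literal that is repeated here, in handle_rt_signal64 and in arch_setup_additional_pages. Any other reader of `context.vdso_base` that still tests for zero would treat an unmapped vDSO as present and derive a signal-return address from `~0UL`; none is visible in this view, but other users may exist. A single named constant, e.g. `#define VDSO_BASE_NONE (~0UL)` (the name is a suggestion), used in all three files would make the remaining users easy to grep for. A comment at its definition should say why 0 can no longer serve as the marker.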
2799 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/signal_64.c linux-2.6.36.2/arch/powerpc/kernel/signal_64.c
2800 --- linux-2.6.36.2/arch/powerpc/kernel/signal_64.c 2010-10-20 16:30:22.000000000 -0400
2801 +++ linux-2.6.36.2/arch/powerpc/kernel/signal_64.c 2010-12-09 20:25:06.000000000 -0500
2802 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2803 current->thread.fpscr.val = 0;
2805 /* Set up to return from userspace. */
2806 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2807 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2808 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2810 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2811 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/vdso.c linux-2.6.36.2/arch/powerpc/kernel/vdso.c
2812 --- linux-2.6.36.2/arch/powerpc/kernel/vdso.c 2010-10-20 16:30:22.000000000 -0400
2813 +++ linux-2.6.36.2/arch/powerpc/kernel/vdso.c 2010-12-09 20:25:06.000000000 -0500
2815 #include <asm/firmware.h>
2816 #include <asm/vdso.h>
2817 #include <asm/vdso_datapage.h>
2818 +#include <asm/mman.h>
2822 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2823 vdso_base = VDSO32_MBASE;
2826 - current->mm->context.vdso_base = 0;
2827 + current->mm->context.vdso_base = ~0UL;
2829 /* vDSO has a problem and was disabled, just don't "enable" it for the
2831 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2832 vdso_base = get_unmapped_area(NULL, vdso_base,
2833 (vdso_pages << PAGE_SHIFT) +
2834 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2836 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2837 if (IS_ERR_VALUE(vdso_base)) {
2840 diff -urNp linux-2.6.36.2/arch/powerpc/kernel/vio.c linux-2.6.36.2/arch/powerpc/kernel/vio.c
2841 --- linux-2.6.36.2/arch/powerpc/kernel/vio.c 2010-10-20 16:30:22.000000000 -0400
2842 +++ linux-2.6.36.2/arch/powerpc/kernel/vio.c 2010-12-09 20:25:06.000000000 -0500
2843 @@ -602,11 +602,12 @@ static void vio_dma_iommu_unmap_sg(struc
2844 vio_cmo_dealloc(viodev, alloc_size);
2847 -struct dma_map_ops vio_dma_mapping_ops = {
2848 +static const struct dma_map_ops vio_dma_mapping_ops = {
2849 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2850 .free_coherent = vio_dma_iommu_free_coherent,
2851 .map_sg = vio_dma_iommu_map_sg,
2852 .unmap_sg = vio_dma_iommu_unmap_sg,
2853 + .dma_supported = dma_iommu_dma_supported,
2854 .map_page = vio_dma_iommu_map_page,
2855 .unmap_page = vio_dma_iommu_unmap_page,
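Review bot: `.dma_supported` is now bound at build time to `dma_iommu_dma_supported`, whereas the runtime assignment removed from vio_cmo_set_dma_ops in the second hunk copied whatever `dma_iommu_ops.dma_supported` held. The two tables can therefore drift apart if the iommu table's member is ever changed. A comment on the initializer such as `/* must match dma_iommu_ops.dma_supported */` would keep the link visible. The table also becomes `static`, which is only safe if no other file references `vio_dma_mapping_ops`; that cannot be checked from this view.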
2857 @@ -860,7 +861,6 @@ static void vio_cmo_bus_remove(struct vi
2859 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2861 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2862 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2865 diff -urNp linux-2.6.36.2/arch/powerpc/lib/usercopy_64.c linux-2.6.36.2/arch/powerpc/lib/usercopy_64.c
2866 --- linux-2.6.36.2/arch/powerpc/lib/usercopy_64.c 2010-10-20 16:30:22.000000000 -0400
2867 +++ linux-2.6.36.2/arch/powerpc/lib/usercopy_64.c 2010-12-09 20:25:05.000000000 -0500
2869 #include <linux/module.h>
2870 #include <asm/uaccess.h>
2872 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2874 - if (likely(access_ok(VERIFY_READ, from, n)))
2875 - n = __copy_from_user(to, from, n);
2881 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2883 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2884 - n = __copy_to_user(to, from, n);
2888 unsigned long copy_in_user(void __user *to, const void __user *from,
2891 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2895 -EXPORT_SYMBOL(copy_from_user);
2896 -EXPORT_SYMBOL(copy_to_user);
2897 EXPORT_SYMBOL(copy_in_user);
2899 diff -urNp linux-2.6.36.2/arch/powerpc/mm/fault.c linux-2.6.36.2/arch/powerpc/mm/fault.c
2900 --- linux-2.6.36.2/arch/powerpc/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
2901 +++ linux-2.6.36.2/arch/powerpc/mm/fault.c 2010-12-09 20:25:06.000000000 -0500
2903 #include <linux/kprobes.h>
2904 #include <linux/kdebug.h>
2905 #include <linux/perf_event.h>
2906 +#include <linux/slab.h>
2907 +#include <linux/pagemap.h>
2908 +#include <linux/compiler.h>
2909 +#include <linux/unistd.h>
2911 #include <asm/firmware.h>
2912 #include <asm/page.h>
2914 #include <asm/tlbflush.h>
2915 #include <asm/siginfo.h>
2916 #include <mm/mmu_decl.h>
2917 +#include <asm/ptrace.h>
2919 #ifdef CONFIG_KPROBES
2920 static inline int notify_page_fault(struct pt_regs *regs)
2921 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2925 +#ifdef CONFIG_PAX_PAGEEXEC
2927 + * PaX: decide what to do with offenders (regs->nip = fault address)
2929 + * returns 1 when task should be killed
2931 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2936 +void pax_report_insns(void *pc, void *sp)
2940 + printk(KERN_ERR "PAX: bytes at PC: ");
2941 + for (i = 0; i < 5; i++) {
2943 + if (get_user(c, (unsigned int __user *)pc+i))
2944 + printk(KERN_CONT "???????? ");
2946 + printk(KERN_CONT "%08x ", c);
2953 * Check whether the instruction at regs->nip is a store using
2954 * an update addressing form which will update r1.
2955 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2956 * indicate errors in DSISR but can validly be set in SRR1.
2959 - error_code &= 0x48200000;
2960 + error_code &= 0x58200000;
2962 is_write = error_code & DSISR_ISSTORE;
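Review bot: The fault mask stays a raw hex literal (`0x58200000`) even though the bit being added, 0x10000000, is the one the next hunk replaces with the named `DSISR_GUARDED`. Anyone auditing which fault bits survive the mask has to decode the constant by hand. Writing it as `error_code &= 0x48200000 | DSISR_GUARDED;`, or adding a comment that names the bit, keeps this hunk consistent with the later `DSISR_PROTFAULT | DSISR_GUARDED` tests. do_page_fault's body extends beyond the hunk.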
2964 @@ -257,7 +289,7 @@ good_area:
2965 * "undefined". Of those that can be set, this is the only
2966 * one which seems bad.
2968 - if (error_code & 0x10000000)
2969 + if (error_code & DSISR_GUARDED)
2970 /* Guarded storage error. */
2972 #endif /* CONFIG_8xx */
2973 @@ -272,7 +304,7 @@ good_area:
2974 * processors use the same I/D cache coherency mechanism
2977 - if (error_code & DSISR_PROTFAULT)
2978 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2980 #endif /* CONFIG_PPC_STD_MMU */
2982 @@ -341,6 +373,23 @@ bad_area:
2983 bad_area_nosemaphore:
2984 /* User mode accesses cause a SIGSEGV */
2985 if (user_mode(regs)) {
2987 +#ifdef CONFIG_PAX_PAGEEXEC
2988 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2989 +#ifdef CONFIG_PPC_STD_MMU
2990 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2992 + if (is_exec && regs->nip == address) {
2994 + switch (pax_handle_fetch_fault(regs)) {
2997 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2998 + do_group_exit(SIGKILL);
3003 _exception(SIGSEGV, regs, code, address);
3006 diff -urNp linux-2.6.36.2/arch/powerpc/mm/mmap_64.c linux-2.6.36.2/arch/powerpc/mm/mmap_64.c
3007 --- linux-2.6.36.2/arch/powerpc/mm/mmap_64.c 2010-10-20 16:30:22.000000000 -0400
3008 +++ linux-2.6.36.2/arch/powerpc/mm/mmap_64.c 2010-12-09 20:25:06.000000000 -0500
3009 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
3011 if (mmap_is_legacy()) {
3012 mm->mmap_base = TASK_UNMAPPED_BASE;
3014 +#ifdef CONFIG_PAX_RANDMMAP
3015 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3016 + mm->mmap_base += mm->delta_mmap;
3019 mm->get_unmapped_area = arch_get_unmapped_area;
3020 mm->unmap_area = arch_unmap_area;
3022 mm->mmap_base = mmap_base();
3024 +#ifdef CONFIG_PAX_RANDMMAP
3025 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3026 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3029 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3030 mm->unmap_area = arch_unmap_area_topdown;
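Review bot: The two added adjustments carry no comment on why the legacy layout adds only `delta_mmap` while the top-down layout subtracts `delta_mmap + delta_stack`. Presumably the extra term keeps the randomised mmap base clear of the randomised stack, but that should be confirmed and written down. Suggested comment on the top-down branch: `/* keep the mmap base below the stack even at maximum stack shift */`. The same undocumented pair appears in both arch_pick_mmap_layout hunks of arch/s390/mm/mmap.c. The lines that close the `#ifdef` blocks are not in this view.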
3032 diff -urNp linux-2.6.36.2/arch/powerpc/mm/slice.c linux-2.6.36.2/arch/powerpc/mm/slice.c
3033 --- linux-2.6.36.2/arch/powerpc/mm/slice.c 2010-10-20 16:30:22.000000000 -0400
3034 +++ linux-2.6.36.2/arch/powerpc/mm/slice.c 2010-12-09 20:25:06.000000000 -0500
3035 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
3036 if ((mm->task_size - len) < addr)
3038 vma = find_vma(mm, addr);
3039 - return (!vma || (addr + len) <= vma->vm_start);
3040 + return check_heap_stack_gap(vma, addr, len);
3043 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
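Review bot: The old test handled a NULL `vma` explicitly (`!vma || ...`), while the replacement passes the result of `find_vma()` straight to `check_heap_stack_gap()`, whose definition is outside this view. The call is only equivalent if that helper treats a NULL vma as free space. The same substitution is made in the full_search and slice_find_area_topdown hunks below. A comment at the first call, e.g. `/* check_heap_stack_gap() accepts vma == NULL */`, would record the contract once it has been checked against the helper's definition.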
3044 @@ -256,7 +256,7 @@ full_search:
3045 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
3048 - if (!vma || addr + len <= vma->vm_start) {
3049 + if (check_heap_stack_gap(vma, addr, len)) {
3051 * Remember the place where we stopped the search:
3053 @@ -336,7 +336,7 @@ static unsigned long slice_find_area_top
3054 * return with success:
3056 vma = find_vma(mm, addr);
3057 - if (!vma || (addr + len) <= vma->vm_start) {
3058 + if (check_heap_stack_gap(vma, addr, len)) {
3059 /* remember the address as a hint for next time */
3061 mm->free_area_cache = addr;
3062 @@ -426,6 +426,11 @@ unsigned long slice_get_unmapped_area(un
3063 if (fixed && addr > (mm->task_size - len))
3066 +#ifdef CONFIG_PAX_RANDMMAP
3067 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3071 /* If hint, make sure it matches our alignment restrictions */
3072 if (!fixed && addr) {
3073 addr = _ALIGN_UP(addr, 1ul << pshift);
3074 diff -urNp linux-2.6.36.2/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.36.2/arch/powerpc/platforms/52xx/lite5200_pm.c
3075 --- linux-2.6.36.2/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-10-20 16:30:22.000000000 -0400
3076 +++ linux-2.6.36.2/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-12-09 20:25:07.000000000 -0500
3077 @@ -232,7 +232,7 @@ static void lite5200_pm_end(void)
3078 lite5200_pm_target_state = PM_SUSPEND_ON;
3081 -static struct platform_suspend_ops lite5200_pm_ops = {
3082 +static const struct platform_suspend_ops lite5200_pm_ops = {
3083 .valid = lite5200_pm_valid,
3084 .begin = lite5200_pm_begin,
3085 .prepare = lite5200_pm_prepare,
3086 diff -urNp linux-2.6.36.2/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.36.2/arch/powerpc/platforms/52xx/mpc52xx_pm.c
3087 --- linux-2.6.36.2/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-10-20 16:30:22.000000000 -0400
3088 +++ linux-2.6.36.2/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-12-09 20:25:07.000000000 -0500
3089 @@ -186,7 +186,7 @@ void mpc52xx_pm_finish(void)
3093 -static struct platform_suspend_ops mpc52xx_pm_ops = {
3094 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
3095 .valid = mpc52xx_pm_valid,
3096 .prepare = mpc52xx_pm_prepare,
3097 .enter = mpc52xx_pm_enter,
3098 diff -urNp linux-2.6.36.2/arch/powerpc/platforms/83xx/suspend.c linux-2.6.36.2/arch/powerpc/platforms/83xx/suspend.c
3099 --- linux-2.6.36.2/arch/powerpc/platforms/83xx/suspend.c 2010-10-20 16:30:22.000000000 -0400
3100 +++ linux-2.6.36.2/arch/powerpc/platforms/83xx/suspend.c 2010-12-09 20:25:06.000000000 -0500
3101 @@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
3105 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
3106 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
3107 .valid = mpc83xx_suspend_valid,
3108 .begin = mpc83xx_suspend_begin,
3109 .enter = mpc83xx_suspend_enter,
3110 diff -urNp linux-2.6.36.2/arch/powerpc/platforms/cell/iommu.c linux-2.6.36.2/arch/powerpc/platforms/cell/iommu.c
3111 --- linux-2.6.36.2/arch/powerpc/platforms/cell/iommu.c 2010-10-20 16:30:22.000000000 -0400
3112 +++ linux-2.6.36.2/arch/powerpc/platforms/cell/iommu.c 2010-12-09 20:25:06.000000000 -0500
3113 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3115 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3117 -struct dma_map_ops dma_iommu_fixed_ops = {
3118 +const struct dma_map_ops dma_iommu_fixed_ops = {
3119 .alloc_coherent = dma_fixed_alloc_coherent,
3120 .free_coherent = dma_fixed_free_coherent,
3121 .map_sg = dma_fixed_map_sg,
3122 diff -urNp linux-2.6.36.2/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.36.2/arch/powerpc/platforms/ps3/system-bus.c
3123 --- linux-2.6.36.2/arch/powerpc/platforms/ps3/system-bus.c 2010-10-20 16:30:22.000000000 -0400
3124 +++ linux-2.6.36.2/arch/powerpc/platforms/ps3/system-bus.c 2010-12-09 20:25:07.000000000 -0500
3125 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
3126 return mask >= DMA_BIT_MASK(32);
3129 -static struct dma_map_ops ps3_sb_dma_ops = {
3130 +static const struct dma_map_ops ps3_sb_dma_ops = {
3131 .alloc_coherent = ps3_alloc_coherent,
3132 .free_coherent = ps3_free_coherent,
3133 .map_sg = ps3_sb_map_sg,
3134 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3135 .unmap_page = ps3_unmap_page,
3138 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3139 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3140 .alloc_coherent = ps3_alloc_coherent,
3141 .free_coherent = ps3_free_coherent,
3142 .map_sg = ps3_ioc0_map_sg,
3143 diff -urNp linux-2.6.36.2/arch/powerpc/platforms/pseries/suspend.c linux-2.6.36.2/arch/powerpc/platforms/pseries/suspend.c
3144 --- linux-2.6.36.2/arch/powerpc/platforms/pseries/suspend.c 2010-10-20 16:30:22.000000000 -0400
3145 +++ linux-2.6.36.2/arch/powerpc/platforms/pseries/suspend.c 2010-12-09 20:25:07.000000000 -0500
3146 @@ -153,7 +153,7 @@ static struct sysdev_class suspend_sysde
3150 -static struct platform_suspend_ops pseries_suspend_ops = {
3151 +static const struct platform_suspend_ops pseries_suspend_ops = {
3152 .valid = suspend_valid_only_mem,
3153 .begin = pseries_suspend_begin,
3154 .prepare_late = pseries_prepare_late,
3155 diff -urNp linux-2.6.36.2/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.36.2/arch/powerpc/sysdev/fsl_pmc.c
3156 --- linux-2.6.36.2/arch/powerpc/sysdev/fsl_pmc.c 2010-10-20 16:30:22.000000000 -0400
3157 +++ linux-2.6.36.2/arch/powerpc/sysdev/fsl_pmc.c 2010-12-09 20:25:07.000000000 -0500
3158 @@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
3162 -static struct platform_suspend_ops pmc_suspend_ops = {
3163 +static const struct platform_suspend_ops pmc_suspend_ops = {
3164 .valid = pmc_suspend_valid,
3165 .enter = pmc_suspend_enter,
3167 diff -urNp linux-2.6.36.2/arch/s390/include/asm/elf.h linux-2.6.36.2/arch/s390/include/asm/elf.h
3168 --- linux-2.6.36.2/arch/s390/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
3169 +++ linux-2.6.36.2/arch/s390/include/asm/elf.h 2010-12-09 20:25:14.000000000 -0500
3170 @@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
3171 that it will "exec", and that there is sufficient room for the brk. */
3172 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3174 +#ifdef CONFIG_PAX_ASLR
3175 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3177 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3178 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3181 /* This yields a mask that user programs can use to figure out what
3182 instruction set this CPU supports. */
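Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are defined without a comment giving their unit, and the values differ widely between the 31-bit and 64-bit cases (15 and 26). Judging by the names they are probably counts of random bits, but that is an inference and should be confirmed against the code that consumes them. A comment such as `/* number of random bits applied to the mmap/stack base (31-bit : 64-bit) */` would let a reader judge the available entropy without chasing the users. The stray space before the closing parenthesis in `26 )` can be removed at the same time.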
3184 diff -urNp linux-2.6.36.2/arch/s390/include/asm/uaccess.h linux-2.6.36.2/arch/s390/include/asm/uaccess.h
3185 --- linux-2.6.36.2/arch/s390/include/asm/uaccess.h 2010-10-20 16:30:22.000000000 -0400
3186 +++ linux-2.6.36.2/arch/s390/include/asm/uaccess.h 2010-12-09 20:25:14.000000000 -0500
3187 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3188 copy_to_user(void __user *to, const void *from, unsigned long n)
3195 if (access_ok(VERIFY_WRITE, to, n))
3196 n = __copy_to_user(to, from, n);
3198 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3199 static inline unsigned long __must_check
3200 __copy_from_user(void *to, const void __user *from, unsigned long n)
3205 if (__builtin_constant_p(n) && (n <= 256))
3206 return uaccess.copy_from_user_small(n, from, to);
3208 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3209 unsigned int sz = __compiletime_object_size(to);
3216 if (unlikely(sz != -1 && sz < n)) {
3217 copy_from_user_overflow();
3219 diff -urNp linux-2.6.36.2/arch/s390/Kconfig linux-2.6.36.2/arch/s390/Kconfig
3220 --- linux-2.6.36.2/arch/s390/Kconfig 2010-10-20 16:30:22.000000000 -0400
3221 +++ linux-2.6.36.2/arch/s390/Kconfig 2010-12-09 20:25:14.000000000 -0500
3222 @@ -227,13 +227,12 @@ config AUDIT_ARCH
3224 config S390_EXEC_PROTECT
3225 bool "Data execute protection"
3228 This option allows to enable a buffer overflow protection for user
3229 - space programs and it also selects the addressing mode option above.
3230 - The kernel parameter noexec=on will enable this feature and also
3231 - switch the addressing modes, default is disabled. Enabling this (via
3232 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3233 - will reduce system performance.
3235 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
3236 + reduce system performance.
3238 comment "Code generation options"
3240 diff -urNp linux-2.6.36.2/arch/s390/kernel/module.c linux-2.6.36.2/arch/s390/kernel/module.c
3241 --- linux-2.6.36.2/arch/s390/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
3242 +++ linux-2.6.36.2/arch/s390/kernel/module.c 2010-12-09 20:25:14.000000000 -0500
3243 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3245 /* Increase core size by size of got & plt and set start
3246 offsets for got and plt. */
3247 - me->core_size = ALIGN(me->core_size, 4);
3248 - me->arch.got_offset = me->core_size;
3249 - me->core_size += me->arch.got_size;
3250 - me->arch.plt_offset = me->core_size;
3251 - me->core_size += me->arch.plt_size;
3252 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3253 + me->arch.got_offset = me->core_size_rw;
3254 + me->core_size_rw += me->arch.got_size;
3255 + me->arch.plt_offset = me->core_size_rx;
3256 + me->core_size_rx += me->arch.plt_size;
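Review bot: `plt_offset` is now taken from `me->core_size_rx` without the alignment step that the GOT still gets. The old code aligned `core_size` to 4 before laying out the GOT and then the PLT, while the new code aligns only `core_size_rw`. Unless `core_size_rx` is already aligned by layout code outside this view, the PLT stubs that apply_rela later writes through `ip[...]` could start at an unaligned offset. Suggested addition before the PLT lines: `me->core_size_rx = ALIGN(me->core_size_rx, 4);`. module_frob_arch_sections starts and ends outside the hunk.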
3260 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3261 if (info->got_initialized == 0) {
3264 - gotent = me->module_core + me->arch.got_offset +
3265 + gotent = me->module_core_rw + me->arch.got_offset +
3268 info->got_initialized = 1;
3269 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3270 else if (r_type == R_390_GOTENT ||
3271 r_type == R_390_GOTPLTENT)
3272 *(unsigned int *) loc =
3273 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3274 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3275 else if (r_type == R_390_GOT64 ||
3276 r_type == R_390_GOTPLT64)
3277 *(unsigned long *) loc = val;
3278 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3279 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3280 if (info->plt_initialized == 0) {
3282 - ip = me->module_core + me->arch.plt_offset +
3283 + ip = me->module_core_rx + me->arch.plt_offset +
3285 #ifndef CONFIG_64BIT
3286 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3287 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3288 val - loc + 0xffffUL < 0x1ffffeUL) ||
3289 (r_type == R_390_PLT32DBL &&
3290 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3291 - val = (Elf_Addr) me->module_core +
3292 + val = (Elf_Addr) me->module_core_rx +
3293 me->arch.plt_offset +
3295 val += rela->r_addend - loc;
3296 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3297 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3298 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3299 val = val + rela->r_addend -
3300 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3301 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3302 if (r_type == R_390_GOTOFF16)
3303 *(unsigned short *) loc = val;
3304 else if (r_type == R_390_GOTOFF32)
3305 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3307 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3308 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3309 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3310 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3311 rela->r_addend - loc;
3312 if (r_type == R_390_GOTPC)
3313 *(unsigned int *) loc = val;
3314 diff -urNp linux-2.6.36.2/arch/s390/kernel/setup.c linux-2.6.36.2/arch/s390/kernel/setup.c
3315 --- linux-2.6.36.2/arch/s390/kernel/setup.c 2010-10-20 16:30:22.000000000 -0400
3316 +++ linux-2.6.36.2/arch/s390/kernel/setup.c 2010-12-09 20:25:14.000000000 -0500
3317 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3319 early_param("mem", early_parse_mem);
3321 -unsigned int user_mode = HOME_SPACE_MODE;
3322 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3323 EXPORT_SYMBOL_GPL(user_mode);
3325 static int set_amode_and_uaccess(unsigned long user_amode,
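Review bot: The default for `user_mode` changes to `SECONDARY_SPACE_MODE` with no comment, and the later hunks in this file delete the `switch_amode` and `noexec` parsers. A boot command line that still passes those options will no longer influence the mode. The `user_mode=` parser that remains further down becomes the only override, which is worth stating next to the variable, e.g. `/* default: secondary space; override only via user_mode= */`. The kernel-parameters documentation should be updated in the same patch if it is not already; that file is not in this view.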
3326 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3331 - * Switch kernel/user addressing modes?
3333 -static int __init early_parse_switch_amode(char *p)
3335 - if (user_mode != SECONDARY_SPACE_MODE)
3336 - user_mode = PRIMARY_SPACE_MODE;
3339 -early_param("switch_amode", early_parse_switch_amode);
3341 static int __init early_parse_user_mode(char *p)
3343 if (p && strcmp(p, "primary") == 0)
3344 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3346 early_param("user_mode", early_parse_user_mode);
3348 -#ifdef CONFIG_S390_EXEC_PROTECT
3350 - * Enable execute protection?
3352 -static int __init early_parse_noexec(char *p)
3354 - if (!strncmp(p, "off", 3))
3356 - user_mode = SECONDARY_SPACE_MODE;
3359 -early_param("noexec", early_parse_noexec);
3360 -#endif /* CONFIG_S390_EXEC_PROTECT */
3362 static void setup_addressing_mode(void)
3364 if (user_mode == SECONDARY_SPACE_MODE) {
3365 diff -urNp linux-2.6.36.2/arch/s390/mm/maccess.c linux-2.6.36.2/arch/s390/mm/maccess.c
3366 --- linux-2.6.36.2/arch/s390/mm/maccess.c 2010-10-20 16:30:22.000000000 -0400
3367 +++ linux-2.6.36.2/arch/s390/mm/maccess.c 2010-12-09 20:25:14.000000000 -0500
3368 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3369 return rc ? rc : count;
3372 -long probe_kernel_write(void *dst, void *src, size_t size)
3373 +long probe_kernel_write(void *dst, const void *src, size_t size)
3377 diff -urNp linux-2.6.36.2/arch/s390/mm/mmap.c linux-2.6.36.2/arch/s390/mm/mmap.c
3378 --- linux-2.6.36.2/arch/s390/mm/mmap.c 2010-10-20 16:30:22.000000000 -0400
3379 +++ linux-2.6.36.2/arch/s390/mm/mmap.c 2010-12-09 20:25:14.000000000 -0500
3380 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3382 if (mmap_is_legacy()) {
3383 mm->mmap_base = TASK_UNMAPPED_BASE;
3385 +#ifdef CONFIG_PAX_RANDMMAP
3386 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3387 + mm->mmap_base += mm->delta_mmap;
3390 mm->get_unmapped_area = arch_get_unmapped_area;
3391 mm->unmap_area = arch_unmap_area;
3393 mm->mmap_base = mmap_base();
3395 +#ifdef CONFIG_PAX_RANDMMAP
3396 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3397 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3400 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3401 mm->unmap_area = arch_unmap_area_topdown;
3403 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3405 if (mmap_is_legacy()) {
3406 mm->mmap_base = TASK_UNMAPPED_BASE;
3408 +#ifdef CONFIG_PAX_RANDMMAP
3409 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3410 + mm->mmap_base += mm->delta_mmap;
3413 mm->get_unmapped_area = s390_get_unmapped_area;
3414 mm->unmap_area = arch_unmap_area;
3416 mm->mmap_base = mmap_base();
3418 +#ifdef CONFIG_PAX_RANDMMAP
3419 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3420 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3423 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3424 mm->unmap_area = arch_unmap_area_topdown;
3426 diff -urNp linux-2.6.36.2/arch/score/include/asm/system.h linux-2.6.36.2/arch/score/include/asm/system.h
3427 --- linux-2.6.36.2/arch/score/include/asm/system.h 2010-10-20 16:30:22.000000000 -0400
3428 +++ linux-2.6.36.2/arch/score/include/asm/system.h 2010-12-09 20:25:03.000000000 -0500
3429 @@ -17,7 +17,7 @@ do { \
3430 #define finish_arch_switch(prev) do {} while (0)
3432 typedef void (*vi_handler_t)(void);
3433 -extern unsigned long arch_align_stack(unsigned long sp);
3434 +#define arch_align_stack(x) (x)
3436 #define mb() barrier()
3437 #define rmb() barrier()
3438 diff -urNp linux-2.6.36.2/arch/score/kernel/process.c linux-2.6.36.2/arch/score/kernel/process.c
3439 --- linux-2.6.36.2/arch/score/kernel/process.c 2010-10-20 16:30:22.000000000 -0400
3440 +++ linux-2.6.36.2/arch/score/kernel/process.c 2010-12-09 20:25:03.000000000 -0500
3441 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3443 return task_pt_regs(task)->cp0_epc;
3446 -unsigned long arch_align_stack(unsigned long sp)
3450 diff -urNp linux-2.6.36.2/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.36.2/arch/sh/boards/mach-hp6xx/pm.c
3451 --- linux-2.6.36.2/arch/sh/boards/mach-hp6xx/pm.c 2010-10-20 16:30:22.000000000 -0400
3452 +++ linux-2.6.36.2/arch/sh/boards/mach-hp6xx/pm.c 2010-12-09 20:25:08.000000000 -0500
3453 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3457 -static struct platform_suspend_ops hp6x0_pm_ops = {
3458 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3459 .enter = hp6x0_pm_enter,
3460 .valid = suspend_valid_only_mem,
3462 diff -urNp linux-2.6.36.2/arch/sh/include/asm/dma-mapping.h linux-2.6.36.2/arch/sh/include/asm/dma-mapping.h
3463 --- linux-2.6.36.2/arch/sh/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
3464 +++ linux-2.6.36.2/arch/sh/include/asm/dma-mapping.h 2010-12-09 20:25:08.000000000 -0500
3466 #ifndef __ASM_SH_DMA_MAPPING_H
3467 #define __ASM_SH_DMA_MAPPING_H
3469 -extern struct dma_map_ops *dma_ops;
3470 +extern const struct dma_map_ops *dma_ops;
3471 extern void no_iommu_init(void);
3473 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3474 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3478 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3480 static inline int dma_supported(struct device *dev, u64 mask)
3482 - struct dma_map_ops *ops = get_dma_ops(dev);
3483 + const struct dma_map_ops *ops = get_dma_ops(dev);
3485 if (ops->dma_supported)
3486 return ops->dma_supported(dev, mask);
3487 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3489 static inline int dma_set_mask(struct device *dev, u64 mask)
3491 - struct dma_map_ops *ops = get_dma_ops(dev);
3492 + const struct dma_map_ops *ops = get_dma_ops(dev);
3494 if (!dev->dma_mask || !dma_supported(dev, mask))
3496 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
3498 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3500 - struct dma_map_ops *ops = get_dma_ops(dev);
3501 + const struct dma_map_ops *ops = get_dma_ops(dev);
3503 if (ops->mapping_error)
3504 return ops->mapping_error(dev, dma_addr);
3505 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
3506 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3507 dma_addr_t *dma_handle, gfp_t gfp)
3509 - struct dma_map_ops *ops = get_dma_ops(dev);
3510 + const struct dma_map_ops *ops = get_dma_ops(dev);
3513 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3514 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
3515 static inline void dma_free_coherent(struct device *dev, size_t size,
3516 void *vaddr, dma_addr_t dma_handle)
3518 - struct dma_map_ops *ops = get_dma_ops(dev);
3519 + const struct dma_map_ops *ops = get_dma_ops(dev);
3521 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3523 diff -urNp linux-2.6.36.2/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.36.2/arch/sh/kernel/cpu/shmobile/pm.c
3524 --- linux-2.6.36.2/arch/sh/kernel/cpu/shmobile/pm.c 2010-10-20 16:30:22.000000000 -0400
3525 +++ linux-2.6.36.2/arch/sh/kernel/cpu/shmobile/pm.c 2010-12-09 20:25:08.000000000 -0500
3526 @@ -141,7 +141,7 @@ static int sh_pm_enter(suspend_state_t s
3530 -static struct platform_suspend_ops sh_pm_ops = {
3531 +static const struct platform_suspend_ops sh_pm_ops = {
3532 .enter = sh_pm_enter,
3533 .valid = suspend_valid_only_mem,
3535 diff -urNp linux-2.6.36.2/arch/sh/kernel/dma-nommu.c linux-2.6.36.2/arch/sh/kernel/dma-nommu.c
3536 --- linux-2.6.36.2/arch/sh/kernel/dma-nommu.c 2010-10-20 16:30:22.000000000 -0400
3537 +++ linux-2.6.36.2/arch/sh/kernel/dma-nommu.c 2010-12-09 20:25:08.000000000 -0500
3538 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3542 -struct dma_map_ops nommu_dma_ops = {
3543 +const struct dma_map_ops nommu_dma_ops = {
3544 .alloc_coherent = dma_generic_alloc_coherent,
3545 .free_coherent = dma_generic_free_coherent,
3546 .map_page = nommu_map_page,
3547 diff -urNp linux-2.6.36.2/arch/sh/kernel/kgdb.c linux-2.6.36.2/arch/sh/kernel/kgdb.c
3548 --- linux-2.6.36.2/arch/sh/kernel/kgdb.c 2010-10-20 16:30:22.000000000 -0400
3549 +++ linux-2.6.36.2/arch/sh/kernel/kgdb.c 2010-12-09 20:25:08.000000000 -0500
3550 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3551 unregister_die_notifier(&kgdb_notifier);
3554 -struct kgdb_arch arch_kgdb_ops = {
3555 +const struct kgdb_arch arch_kgdb_ops = {
3556 /* Breakpoint instruction: trapa #0x3c */
3557 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3558 .gdb_bpt_instr = { 0x3c, 0xc3 },
3559 diff -urNp linux-2.6.36.2/arch/sh/mm/consistent.c linux-2.6.36.2/arch/sh/mm/consistent.c
3560 --- linux-2.6.36.2/arch/sh/mm/consistent.c 2010-10-20 16:30:22.000000000 -0400
3561 +++ linux-2.6.36.2/arch/sh/mm/consistent.c 2010-12-09 20:25:08.000000000 -0500
3564 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3566 -struct dma_map_ops *dma_ops;
3567 +const struct dma_map_ops *dma_ops;
3568 EXPORT_SYMBOL(dma_ops);
3570 static int __init dma_init(void)
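Review bot: The `const` added to `dma_ops` in this hunk qualifies the ops table being pointed at, not the pointer, so the exported `dma_ops` variable itself can still be reassigned at run time. A reader could take the change to mean the whole DMA dispatch path is now read-only, so the scope is worth stating at the definition, e.g. `/* const applies to the ops table; this pointer itself remains writable */`. The same applies to the `dma_ops` definitions in arch/sparc/kernel/iommu.c and arch/sparc/kernel/ioport.c later in this patch. Where the pointer is assigned is outside the hunk, so whether it could also be made `* const` cannot be judged from here.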
3571 diff -urNp linux-2.6.36.2/arch/sh/mm/mmap.c linux-2.6.36.2/arch/sh/mm/mmap.c
3572 --- linux-2.6.36.2/arch/sh/mm/mmap.c 2010-10-20 16:30:22.000000000 -0400
3573 +++ linux-2.6.36.2/arch/sh/mm/mmap.c 2010-12-09 20:25:08.000000000 -0500
3574 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3575 addr = PAGE_ALIGN(addr);
3577 vma = find_vma(mm, addr);
3578 - if (TASK_SIZE - len >= addr &&
3579 - (!vma || addr + len <= vma->vm_start))
3580 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3584 @@ -106,7 +105,7 @@ full_search:
3588 - if (likely(!vma || addr + len <= vma->vm_start)) {
3589 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3591 * Remember the place where we stopped the search:
3593 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3594 addr = PAGE_ALIGN(addr);
3596 vma = find_vma(mm, addr);
3597 - if (TASK_SIZE - len >= addr &&
3598 - (!vma || addr + len <= vma->vm_start))
3599 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3603 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3604 /* make sure it can fit in the remaining address space */
3605 if (likely(addr > len)) {
3606 vma = find_vma(mm, addr-len);
3607 - if (!vma || addr <= vma->vm_start) {
3608 + if (check_heap_stack_gap(vma, addr - len, len)) {
3609 /* remember the address as a hint for next time */
3610 return (mm->free_area_cache = addr-len);
3612 @@ -199,7 +197,7 @@ arch_get_unmapped_area_topdown(struct fi
3613 * return with success:
3615 vma = find_vma(mm, addr);
3616 - if (likely(!vma || addr+len <= vma->vm_start)) {
3617 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3618 /* remember the address as a hint for next time */
3619 return (mm->free_area_cache = addr);
3621 diff -urNp linux-2.6.36.2/arch/sparc/include/asm/atomic_64.h linux-2.6.36.2/arch/sparc/include/asm/atomic_64.h
3622 --- linux-2.6.36.2/arch/sparc/include/asm/atomic_64.h 2010-10-20 16:30:22.000000000 -0400
3623 +++ linux-2.6.36.2/arch/sparc/include/asm/atomic_64.h 2010-12-09 20:25:13.000000000 -0500
3625 #define ATOMIC64_INIT(i) { (i) }
3627 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3628 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3630 + return v->counter;
3632 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3633 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3635 + return v->counter;
3638 #define atomic_set(v, i) (((v)->counter) = i)
3639 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3643 #define atomic64_set(v, i) (((v)->counter) = i)
3644 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3649 extern void atomic_add(int, atomic_t *);
3650 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3651 extern void atomic64_add(long, atomic64_t *);
3652 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3653 extern void atomic_sub(int, atomic_t *);
3654 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3655 extern void atomic64_sub(long, atomic64_t *);
3656 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3658 extern int atomic_add_ret(int, atomic_t *);
3659 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3660 extern long atomic64_add_ret(long, atomic64_t *);
3661 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3662 extern int atomic_sub_ret(int, atomic_t *);
3663 extern long atomic64_sub_ret(long, atomic64_t *);
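Review bot: `atomic_read_unchecked()` and `atomic64_read_unchecked()` return `v->counter` with a plain load, while the `atomic_read()` and `atomic64_read()` macros right above them go through a `volatile` cast. Unless `counter` in `atomic_unchecked_t` is itself declared volatile (its definition is not in this hunk), the compiler may cache or hoist the unchecked read, for example in a polling loop. Mirroring the macros keeps the two families equivalent: `return *(const volatile int *)&v->counter;` and `return *(const volatile long *)&v->counter;`.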
3665 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
3666 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3668 #define atomic_inc_return(v) atomic_add_ret(1, v)
3669 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3671 + return atomic_add_ret_unchecked(1, v);
3673 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3674 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3676 + return atomic64_add_ret_unchecked(1, v);
3679 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3680 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3682 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3683 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3685 + return atomic_add_ret_unchecked(i, v);
3687 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3690 @@ -59,10 +93,26 @@ extern long atomic64_sub_ret(long, atomi
3691 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3693 #define atomic_inc(v) atomic_add(1, v)
3694 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3696 + atomic_add_unchecked(1, v);
3698 #define atomic64_inc(v) atomic64_add(1, v)
3699 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3701 + atomic64_add_unchecked(1, v);
3704 #define atomic_dec(v) atomic_sub(1, v)
3705 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3707 + atomic_sub_unchecked(1, v);
3709 #define atomic64_dec(v) atomic64_sub(1, v)
3710 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3712 + atomic64_sub_unchecked(1, v);
3715 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3716 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3717 @@ -72,17 +122,28 @@ extern long atomic64_sub_ret(long, atomi
3719 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3725 - if (unlikely(c == (u)))
3726 + if (unlikely(c == u))
3728 - old = atomic_cmpxchg((v), c, c + (a));
3730 + asm volatile("addcc %2, %0, %0\n"
3732 +#ifdef CONFIG_PAX_REFCOUNT
3737 + : "0" (c), "ir" (a)
3740 + old = atomic_cmpxchg(v, c, new);
3741 if (likely(old == c))
3749 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3750 @@ -93,17 +154,28 @@ static inline int atomic_add_unless(atom
3752 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3756 c = atomic64_read(v);
3758 - if (unlikely(c == (u)))
3759 + if (unlikely(c == u))
3761 - old = atomic64_cmpxchg((v), c, c + (a));
3763 + asm volatile("addcc %2, %0, %0\n"
3765 +#ifdef CONFIG_PAX_REFCOUNT
3770 + : "0" (c), "ir" (a)
3773 + old = atomic64_cmpxchg(v, c, new);
3774 if (likely(old == c))
3782 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3783 diff -urNp linux-2.6.36.2/arch/sparc/include/asm/dma-mapping.h linux-2.6.36.2/arch/sparc/include/asm/dma-mapping.h
3784 --- linux-2.6.36.2/arch/sparc/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
3785 +++ linux-2.6.36.2/arch/sparc/include/asm/dma-mapping.h 2010-12-09 20:25:12.000000000 -0500
3786 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
3787 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
3788 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3790 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3791 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3792 extern struct bus_type pci_bus_type;
3794 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3795 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3797 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3798 if (dev->bus == &pci_bus_type)
3799 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
3800 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3801 dma_addr_t *dma_handle, gfp_t flag)
3803 - struct dma_map_ops *ops = get_dma_ops(dev);
3804 + const struct dma_map_ops *ops = get_dma_ops(dev);
3807 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3808 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
3809 static inline void dma_free_coherent(struct device *dev, size_t size,
3810 void *cpu_addr, dma_addr_t dma_handle)
3812 - struct dma_map_ops *ops = get_dma_ops(dev);
3813 + const struct dma_map_ops *ops = get_dma_ops(dev);
3815 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3816 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3817 diff -urNp linux-2.6.36.2/arch/sparc/include/asm/elf_32.h linux-2.6.36.2/arch/sparc/include/asm/elf_32.h
3818 --- linux-2.6.36.2/arch/sparc/include/asm/elf_32.h 2010-10-20 16:30:22.000000000 -0400
3819 +++ linux-2.6.36.2/arch/sparc/include/asm/elf_32.h 2010-12-09 20:25:12.000000000 -0500
3820 @@ -114,6 +114,13 @@ typedef struct {
3822 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3824 +#ifdef CONFIG_PAX_ASLR
3825 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3827 +#define PAX_DELTA_MMAP_LEN 16
3828 +#define PAX_DELTA_STACK_LEN 16
3831 /* This yields a mask that user programs can use to figure out what
3832 instruction set this cpu supports. This can NOT be done in userspace
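Review bot: `PAX_ELF_ET_DYN_BASE`, `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are added without any comment on what the `_LEN` values measure or why 16 was chosen for sparc32. They presumably bound the randomisation applied to mmap and stack placement, so a reader auditing ASLR strength needs the unit stated at the definition. A short comment above the `#ifdef CONFIG_PAX_ASLR` block giving the unit and the address-space reasoning would do. The elf_64.h hunk that follows (14/28 and 15/29) needs the same.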
3834 diff -urNp linux-2.6.36.2/arch/sparc/include/asm/elf_64.h linux-2.6.36.2/arch/sparc/include/asm/elf_64.h
3835 --- linux-2.6.36.2/arch/sparc/include/asm/elf_64.h 2010-10-20 16:30:22.000000000 -0400
3836 +++ linux-2.6.36.2/arch/sparc/include/asm/elf_64.h 2010-12-09 20:25:13.000000000 -0500
3837 @@ -162,6 +162,12 @@ typedef struct {
3838 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3839 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3841 +#ifdef CONFIG_PAX_ASLR
3842 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3844 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3845 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3848 /* This yields a mask that user programs can use to figure out what
3849 instruction set this cpu supports. */
3850 diff -urNp linux-2.6.36.2/arch/sparc/include/asm/pgtable_32.h linux-2.6.36.2/arch/sparc/include/asm/pgtable_32.h
3851 --- linux-2.6.36.2/arch/sparc/include/asm/pgtable_32.h 2010-10-20 16:30:22.000000000 -0400
3852 +++ linux-2.6.36.2/arch/sparc/include/asm/pgtable_32.h 2010-12-09 20:25:13.000000000 -0500
3853 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3854 BTFIXUPDEF_INT(page_none)
3855 BTFIXUPDEF_INT(page_copy)
3856 BTFIXUPDEF_INT(page_readonly)
3858 +#ifdef CONFIG_PAX_PAGEEXEC
3859 +BTFIXUPDEF_INT(page_shared_noexec)
3860 +BTFIXUPDEF_INT(page_copy_noexec)
3861 +BTFIXUPDEF_INT(page_readonly_noexec)
3864 BTFIXUPDEF_INT(page_kernel)
3866 #define PMD_SHIFT SUN4C_PMD_SHIFT
3867 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3868 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3869 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3871 +#ifdef CONFIG_PAX_PAGEEXEC
3872 +extern pgprot_t PAGE_SHARED_NOEXEC;
3873 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3874 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3876 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3877 +# define PAGE_COPY_NOEXEC PAGE_COPY
3878 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3881 extern unsigned long page_kernel;
3884 diff -urNp linux-2.6.36.2/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.36.2/arch/sparc/include/asm/pgtsrmmu.h
3885 --- linux-2.6.36.2/arch/sparc/include/asm/pgtsrmmu.h 2010-10-20 16:30:22.000000000 -0400
3886 +++ linux-2.6.36.2/arch/sparc/include/asm/pgtsrmmu.h 2010-12-09 20:25:13.000000000 -0500
3887 @@ -115,6 +115,13 @@
3888 SRMMU_EXEC | SRMMU_REF)
3889 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3890 SRMMU_EXEC | SRMMU_REF)
3892 +#ifdef CONFIG_PAX_PAGEEXEC
3893 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3894 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3895 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3898 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3899 SRMMU_DIRTY | SRMMU_REF)
3901 diff -urNp linux-2.6.36.2/arch/sparc/include/asm/spinlock_64.h linux-2.6.36.2/arch/sparc/include/asm/spinlock_64.h
3902 --- linux-2.6.36.2/arch/sparc/include/asm/spinlock_64.h 2010-10-20 16:30:22.000000000 -0400
3903 +++ linux-2.6.36.2/arch/sparc/include/asm/spinlock_64.h 2010-12-09 20:25:13.000000000 -0500
3904 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3905 __asm__ __volatile__ (
3906 "1: ldsw [%2], %0\n"
3908 -"4: add %0, 1, %1\n"
3909 +"4: addcc %0, 1, %1\n"
3911 +#ifdef CONFIG_PAX_REFCOUNT
3915 " cas [%2], %0, %1\n"
3917 " bne,pn %%icc, 1b\n"
3918 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3920 : "=&r" (tmp1), "=&r" (tmp2)
3923 + : "memory", "cc");
3926 static int inline arch_read_trylock(arch_rwlock_t *lock)
3927 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3928 "1: ldsw [%2], %0\n"
3929 " brlz,a,pn %0, 2f\n"
3932 +" addcc %0, 1, %1\n"
3934 +#ifdef CONFIG_PAX_REFCOUNT
3938 " cas [%2], %0, %1\n"
3940 " bne,pn %%icc, 1b\n"
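Review bot: The `addcc` introduced in arch_read_trylock() writes the condition codes, but no `"cc"` clobber is added in this hunk, whereas the arch_read_lock() hunk above extends its clobber list to `: "memory", "cc");` for the same kind of instruction change. The clobber lists of arch_read_trylock() and of arch_read_unlock() (the next hunk, which introduces `subcc`) lie outside their hunks, so this needs checking against the full file. If they still read `: "memory");`, they should become `: "memory", "cc");` as well so the three functions are consistent.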
3941 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3943 __asm__ __volatile__(
3944 "1: lduw [%2], %0\n"
3946 +" subcc %0, 1, %1\n"
3948 +#ifdef CONFIG_PAX_REFCOUNT
3952 " cas [%2], %0, %1\n"
3954 " bne,pn %%xcc, 1b\n"
3955 diff -urNp linux-2.6.36.2/arch/sparc/include/asm/uaccess_32.h linux-2.6.36.2/arch/sparc/include/asm/uaccess_32.h
3956 --- linux-2.6.36.2/arch/sparc/include/asm/uaccess_32.h 2010-10-20 16:30:22.000000000 -0400
3957 +++ linux-2.6.36.2/arch/sparc/include/asm/uaccess_32.h 2010-12-09 20:25:13.000000000 -0500
3958 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
3960 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3962 - if (n && __access_ok((unsigned long) to, n))
3966 + if (n && __access_ok((unsigned long) to, n)) {
3967 + if (!__builtin_constant_p(n))
3968 + check_object_size(from, n, true);
3969 return __copy_user(to, (__force void __user *) from, n);
3975 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3980 + if (!__builtin_constant_p(n))
3981 + check_object_size(from, n, true);
3983 return __copy_user(to, (__force void __user *) from, n);
3986 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3988 - if (n && __access_ok((unsigned long) from, n))
3992 + if (n && __access_ok((unsigned long) from, n)) {
3993 + if (!__builtin_constant_p(n))
3994 + check_object_size(to, n, false);
3995 return __copy_user((__force void __user *) to, from, n);
4001 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
4006 return __copy_user((__force void __user *) to, from, n);
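Review bot: `__copy_from_user()` shows no `check_object_size(to, n, false)` call, while `copy_to_user()`, `__copy_to_user()` and `copy_from_user()` in this hunk all gain one before `__copy_user()`. The gutter skips a few lines just above its `return`, so the call may only be missing from this view. If it really is absent, the unchecked variant is the one copy path here whose length is not passed through the object-size check on the kernel destination. For parity add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` ahead of the `return __copy_user(...)` line.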
4009 diff -urNp linux-2.6.36.2/arch/sparc/include/asm/uaccess_64.h linux-2.6.36.2/arch/sparc/include/asm/uaccess_64.h
4010 --- linux-2.6.36.2/arch/sparc/include/asm/uaccess_64.h 2010-10-20 16:30:22.000000000 -0400
4011 +++ linux-2.6.36.2/arch/sparc/include/asm/uaccess_64.h 2010-12-09 20:25:12.000000000 -0500
4013 #include <linux/compiler.h>
4014 #include <linux/string.h>
4015 #include <linux/thread_info.h>
4016 +#include <linux/kernel.h>
4017 #include <asm/asi.h>
4018 #include <asm/system.h>
4019 #include <asm/spitfire.h>
4020 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
4021 static inline unsigned long __must_check
4022 copy_from_user(void *to, const void __user *from, unsigned long size)
4024 - unsigned long ret = ___copy_from_user(to, from, size);
4025 + unsigned long ret;
4027 + if ((long)size < 0 || size > INT_MAX)
4030 + if (!__builtin_constant_p(size))
4031 + check_object_size(to, size, false);
4033 + ret = ___copy_from_user(to, from, size);
4035 ret = copy_from_user_fixup(to, from, size);
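Review bot: In the new guard `if ((long)size < 0 || size > INT_MAX)` of copy_from_user(), the first clause is redundant on this 64-bit header: `size` is an `unsigned long`, so any value whose signed view is negative is already greater than `INT_MAX`. `if (size > INT_MAX)` says the same thing, and a one-line comment stating why transfers are capped there would help, since the limit is new behaviour for callers. The statement taken when the guard fires is not visible here; if it returns early, `to` is left unwritten, which callers that ignore the return value would not notice. The copy_to_user() hunk below has the same guard.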
4037 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
4038 static inline unsigned long __must_check
4039 copy_to_user(void __user *to, const void *from, unsigned long size)
4041 - unsigned long ret = ___copy_to_user(to, from, size);
4042 + unsigned long ret;
4044 + if ((long)size < 0 || size > INT_MAX)
4047 + if (!__builtin_constant_p(size))
4048 + check_object_size(from, size, true);
4050 + ret = ___copy_to_user(to, from, size);
4052 ret = copy_to_user_fixup(to, from, size);
4054 diff -urNp linux-2.6.36.2/arch/sparc/include/asm/uaccess.h linux-2.6.36.2/arch/sparc/include/asm/uaccess.h
4055 --- linux-2.6.36.2/arch/sparc/include/asm/uaccess.h 2010-10-20 16:30:22.000000000 -0400
4056 +++ linux-2.6.36.2/arch/sparc/include/asm/uaccess.h 2010-12-09 20:25:13.000000000 -0500
4058 #ifndef ___ASM_SPARC_UACCESS_H
4059 #define ___ASM_SPARC_UACCESS_H
4062 +#ifndef __ASSEMBLY__
4063 +#include <linux/types.h>
4064 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4068 #if defined(__sparc__) && defined(__arch64__)
4069 #include <asm/uaccess_64.h>
4071 diff -urNp linux-2.6.36.2/arch/sparc/kernel/iommu.c linux-2.6.36.2/arch/sparc/kernel/iommu.c
4072 --- linux-2.6.36.2/arch/sparc/kernel/iommu.c 2010-10-20 16:30:22.000000000 -0400
4073 +++ linux-2.6.36.2/arch/sparc/kernel/iommu.c 2010-12-09 20:25:13.000000000 -0500
4074 @@ -828,7 +828,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4075 spin_unlock_irqrestore(&iommu->lock, flags);
4078 -static struct dma_map_ops sun4u_dma_ops = {
4079 +static const struct dma_map_ops sun4u_dma_ops = {
4080 .alloc_coherent = dma_4u_alloc_coherent,
4081 .free_coherent = dma_4u_free_coherent,
4082 .map_page = dma_4u_map_page,
4083 @@ -839,7 +839,7 @@ static struct dma_map_ops sun4u_dma_ops
4084 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4087 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4088 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4089 EXPORT_SYMBOL(dma_ops);
4091 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
4092 diff -urNp linux-2.6.36.2/arch/sparc/kernel/ioport.c linux-2.6.36.2/arch/sparc/kernel/ioport.c
4093 --- linux-2.6.36.2/arch/sparc/kernel/ioport.c 2010-10-20 16:30:22.000000000 -0400
4094 +++ linux-2.6.36.2/arch/sparc/kernel/ioport.c 2010-12-09 20:25:13.000000000 -0500
4095 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
4099 -struct dma_map_ops sbus_dma_ops = {
4100 +const struct dma_map_ops sbus_dma_ops = {
4101 .alloc_coherent = sbus_alloc_coherent,
4102 .free_coherent = sbus_free_coherent,
4103 .map_page = sbus_map_page,
4104 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
4105 .sync_sg_for_device = sbus_sync_sg_for_device,
4108 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4109 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4110 EXPORT_SYMBOL(dma_ops);
4112 static int __init sparc_register_ioport(void)
4113 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
4117 -struct dma_map_ops pci32_dma_ops = {
4118 +const struct dma_map_ops pci32_dma_ops = {
4119 .alloc_coherent = pci32_alloc_coherent,
4120 .free_coherent = pci32_free_coherent,
4121 .map_page = pci32_map_page,
4122 diff -urNp linux-2.6.36.2/arch/sparc/kernel/kgdb_32.c linux-2.6.36.2/arch/sparc/kernel/kgdb_32.c
4123 --- linux-2.6.36.2/arch/sparc/kernel/kgdb_32.c 2010-10-20 16:30:22.000000000 -0400
4124 +++ linux-2.6.36.2/arch/sparc/kernel/kgdb_32.c 2010-12-09 20:25:13.000000000 -0500
4125 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4126 regs->npc = regs->pc + 4;
4129 -struct kgdb_arch arch_kgdb_ops = {
4130 +const struct kgdb_arch arch_kgdb_ops = {
4131 /* Breakpoint instruction: ta 0x7d */
4132 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4134 diff -urNp linux-2.6.36.2/arch/sparc/kernel/kgdb_64.c linux-2.6.36.2/arch/sparc/kernel/kgdb_64.c
4135 --- linux-2.6.36.2/arch/sparc/kernel/kgdb_64.c 2010-10-20 16:30:22.000000000 -0400
4136 +++ linux-2.6.36.2/arch/sparc/kernel/kgdb_64.c 2010-12-09 20:25:13.000000000 -0500
4137 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4138 regs->tnpc = regs->tpc + 4;
4141 -struct kgdb_arch arch_kgdb_ops = {
4142 +const struct kgdb_arch arch_kgdb_ops = {
4143 /* Breakpoint instruction: ta 0x72 */
4144 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4146 diff -urNp linux-2.6.36.2/arch/sparc/kernel/Makefile linux-2.6.36.2/arch/sparc/kernel/Makefile
4147 --- linux-2.6.36.2/arch/sparc/kernel/Makefile 2010-10-20 16:30:22.000000000 -0400
4148 +++ linux-2.6.36.2/arch/sparc/kernel/Makefile 2010-12-09 20:25:13.000000000 -0500
4153 -ccflags-y := -Werror
4154 +#ccflags-y := -Werror
4156 extra-y := head_$(BITS).o
4157 extra-y += init_task.o
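Review bot: Commenting out `ccflags-y := -Werror` leaves dead configuration behind and gives no reason for it. If the flag is dropped because other parts of this patch introduce warnings in arch/sparc/kernel (an inference, nothing here says so), those warnings are worth fixing instead. `-Werror` is what would turn a discarded `const` qualifier on the ops tables this patch constifies into a build failure. If the flag has to go, delete the line and record why, e.g. `# -Werror disabled: <reason>`.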
4158 diff -urNp linux-2.6.36.2/arch/sparc/kernel/pci_sun4v.c linux-2.6.36.2/arch/sparc/kernel/pci_sun4v.c
4159 --- linux-2.6.36.2/arch/sparc/kernel/pci_sun4v.c 2010-10-20 16:30:22.000000000 -0400
4160 +++ linux-2.6.36.2/arch/sparc/kernel/pci_sun4v.c 2010-12-09 20:25:13.000000000 -0500
4161 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4162 spin_unlock_irqrestore(&iommu->lock, flags);
4165 -static struct dma_map_ops sun4v_dma_ops = {
4166 +static const struct dma_map_ops sun4v_dma_ops = {
4167 .alloc_coherent = dma_4v_alloc_coherent,
4168 .free_coherent = dma_4v_free_coherent,
4169 .map_page = dma_4v_map_page,
4170 diff -urNp linux-2.6.36.2/arch/sparc/kernel/process_32.c linux-2.6.36.2/arch/sparc/kernel/process_32.c
4171 --- linux-2.6.36.2/arch/sparc/kernel/process_32.c 2010-10-20 16:30:22.000000000 -0400
4172 +++ linux-2.6.36.2/arch/sparc/kernel/process_32.c 2010-12-09 20:25:13.000000000 -0500
4173 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4174 rw->ins[4], rw->ins[5],
4177 - printk("%pS\n", (void *) rw->ins[7]);
4178 + printk("%pA\n", (void *) rw->ins[7]);
4179 rw = (struct reg_window32 *) rw->ins[6];
4181 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
4182 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4184 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4185 r->psr, r->pc, r->npc, r->y, print_tainted());
4186 - printk("PC: <%pS>\n", (void *) r->pc);
4187 + printk("PC: <%pA>\n", (void *) r->pc);
4188 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4189 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4190 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4191 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4192 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4193 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4194 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4195 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4197 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4198 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4199 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4200 rw = (struct reg_window32 *) fp;
4202 printk("[%08lx : ", pc);
4203 - printk("%pS ] ", (void *) pc);
4204 + printk("%pA ] ", (void *) pc);
4206 } while (++count < 16);
4208 diff -urNp linux-2.6.36.2/arch/sparc/kernel/process_64.c linux-2.6.36.2/arch/sparc/kernel/process_64.c
4209 --- linux-2.6.36.2/arch/sparc/kernel/process_64.c 2010-10-20 16:30:22.000000000 -0400
4210 +++ linux-2.6.36.2/arch/sparc/kernel/process_64.c 2010-12-09 20:25:13.000000000 -0500
4211 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4212 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4213 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4214 if (regs->tstate & TSTATE_PRIV)
4215 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4216 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4219 void show_regs(struct pt_regs *regs)
4221 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4222 regs->tpc, regs->tnpc, regs->y, print_tainted());
4223 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4224 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4225 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4226 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4228 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4229 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4230 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4232 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4233 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4234 show_regwindow(regs);
4235 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
4237 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
4238 ((tp && tp->task) ? tp->task->pid : -1));
4240 if (gp->tstate & TSTATE_PRIV) {
4241 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4242 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4246 diff -urNp linux-2.6.36.2/arch/sparc/kernel/sys_sparc_32.c linux-2.6.36.2/arch/sparc/kernel/sys_sparc_32.c
4247 --- linux-2.6.36.2/arch/sparc/kernel/sys_sparc_32.c 2010-10-20 16:30:22.000000000 -0400
4248 +++ linux-2.6.36.2/arch/sparc/kernel/sys_sparc_32.c 2010-12-09 20:25:13.000000000 -0500
4249 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
4250 if (ARCH_SUN4C && len > 0x20000000)
4253 - addr = TASK_UNMAPPED_BASE;
4254 + addr = current->mm->mmap_base;
4256 if (flags & MAP_SHARED)
4257 addr = COLOUR_ALIGN(addr);
4258 @@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
4260 if (TASK_SIZE - PAGE_SIZE - len < addr)
4262 - if (!vmm || addr + len <= vmm->vm_start)
4263 + if (check_heap_stack_gap(vmm, addr, len))
4266 if (flags & MAP_SHARED)
4267 diff -urNp linux-2.6.36.2/arch/sparc/kernel/sys_sparc_64.c linux-2.6.36.2/arch/sparc/kernel/sys_sparc_64.c
4268 --- linux-2.6.36.2/arch/sparc/kernel/sys_sparc_64.c 2010-10-20 16:30:22.000000000 -0400
4269 +++ linux-2.6.36.2/arch/sparc/kernel/sys_sparc_64.c 2010-12-09 20:25:13.000000000 -0500
4270 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
4271 /* We do not accept a shared mapping if it would violate
4272 * cache aliasing constraints.
4274 - if ((flags & MAP_SHARED) &&
4275 + if ((filp || (flags & MAP_SHARED)) &&
4276 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
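Review bot: The comment kept above the changed condition still says only a shared mapping is refused, but the new test `(filp || (flags & MAP_SHARED))` also applies the SHMLBA alignment check to every file-backed mapping, private ones included. That is a behaviour change visible to user space and the comment should say so, e.g. `/* We do not accept a shared or file-backed mapping if it would violate cache aliasing constraints. */`. The same edit is made in arch_get_unmapped_area_topdown() in the `@@ -215,7 +218,7 @@` hunk. The branch these lines sit in and its return statement are outside the hunk.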
4279 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
4280 if (filp || (flags & MAP_SHARED))
4283 +#ifdef CONFIG_PAX_RANDMMAP
4284 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4289 addr = COLOUR_ALIGN(addr, pgoff);
4290 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4291 addr = PAGE_ALIGN(addr);
4293 vma = find_vma(mm, addr);
4294 - if (task_size - len >= addr &&
4295 - (!vma || addr + len <= vma->vm_start))
4296 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4300 if (len > mm->cached_hole_size) {
4301 - start_addr = addr = mm->free_area_cache;
4302 + start_addr = addr = mm->free_area_cache;
4304 - start_addr = addr = TASK_UNMAPPED_BASE;
4305 + start_addr = addr = mm->mmap_base;
4306 mm->cached_hole_size = 0;
4309 @@ -174,14 +177,14 @@ full_search:
4310 vma = find_vma(mm, VA_EXCLUDE_END);
4312 if (unlikely(task_size < addr)) {
4313 - if (start_addr != TASK_UNMAPPED_BASE) {
4314 - start_addr = addr = TASK_UNMAPPED_BASE;
4315 + if (start_addr != mm->mmap_base) {
4316 + start_addr = addr = mm->mmap_base;
4317 mm->cached_hole_size = 0;
4322 - if (likely(!vma || addr + len <= vma->vm_start)) {
4323 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4325 * Remember the place where we stopped the search:
4327 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4328 /* We do not accept a shared mapping if it would violate
4329 * cache aliasing constraints.
4331 - if ((flags & MAP_SHARED) &&
4332 + if ((filp || (flags & MAP_SHARED)) &&
4333 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4336 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4337 addr = PAGE_ALIGN(addr);
4339 vma = find_vma(mm, addr);
4340 - if (task_size - len >= addr &&
4341 - (!vma || addr + len <= vma->vm_start))
4342 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4346 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4347 /* make sure it can fit in the remaining address space */
4348 if (likely(addr > len)) {
4349 vma = find_vma(mm, addr-len);
4350 - if (!vma || addr <= vma->vm_start) {
4351 + if (check_heap_stack_gap(vma, addr - len, len)) {
4352 /* remember the address as a hint for next time */
4353 return (mm->free_area_cache = addr-len);
4355 @@ -278,7 +280,7 @@ arch_get_unmapped_area_topdown(struct fi
4356 * return with success:
4358 vma = find_vma(mm, addr);
4359 - if (likely(!vma || addr+len <= vma->vm_start)) {
4360 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4361 /* remember the address as a hint for next time */
4362 return (mm->free_area_cache = addr);
4364 @@ -385,6 +387,12 @@ void arch_pick_mmap_layout(struct mm_str
4365 gap == RLIM_INFINITY ||
4366 sysctl_legacy_va_layout) {
4367 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4369 +#ifdef CONFIG_PAX_RANDMMAP
4370 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4371 + mm->mmap_base += mm->delta_mmap;
4374 mm->get_unmapped_area = arch_get_unmapped_area;
4375 mm->unmap_area = arch_unmap_area;
4377 @@ -397,6 +405,12 @@ void arch_pick_mmap_layout(struct mm_str
4378 gap = (task_size / 6 * 5);
4380 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4382 +#ifdef CONFIG_PAX_RANDMMAP
4383 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4384 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4387 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4388 mm->unmap_area = arch_unmap_area_topdown;
4390 diff -urNp linux-2.6.36.2/arch/sparc/kernel/traps_32.c linux-2.6.36.2/arch/sparc/kernel/traps_32.c
4391 --- linux-2.6.36.2/arch/sparc/kernel/traps_32.c 2010-10-20 16:30:22.000000000 -0400
4392 +++ linux-2.6.36.2/arch/sparc/kernel/traps_32.c 2010-12-09 20:25:13.000000000 -0500
4393 @@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_
4395 (((unsigned long) rw) >= PAGE_OFFSET) &&
4396 !(((unsigned long) rw) & 0x7)) {
4397 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4398 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4399 (void *) rw->ins[7]);
4400 rw = (struct reg_window32 *)rw->ins[6];
4402 diff -urNp linux-2.6.36.2/arch/sparc/kernel/traps_64.c linux-2.6.36.2/arch/sparc/kernel/traps_64.c
4403 --- linux-2.6.36.2/arch/sparc/kernel/traps_64.c 2010-10-20 16:30:22.000000000 -0400
4404 +++ linux-2.6.36.2/arch/sparc/kernel/traps_64.c 2010-12-09 20:25:13.000000000 -0500
4405 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
4407 p->trapstack[i].tstate, p->trapstack[i].tpc,
4408 p->trapstack[i].tnpc, p->trapstack[i].tt);
4409 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4410 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4414 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4417 if (regs->tstate & TSTATE_PRIV) {
4419 +#ifdef CONFIG_PAX_REFCOUNT
4421 + pax_report_refcount_overflow(regs);
4424 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4425 die_if_kernel(buffer, regs);
4427 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4428 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4433 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4434 0, lvl, SIGTRAP) == NOTIFY_STOP)
4437 +#ifdef CONFIG_PAX_REFCOUNT
4439 + pax_report_refcount_overflow(regs);
4442 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4444 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4445 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
4446 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4447 printk("%s" "ERROR(%d): ",
4448 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4449 - printk("TPC<%pS>\n", (void *) regs->tpc);
4450 + printk("TPC<%pA>\n", (void *) regs->tpc);
4451 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4452 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4453 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4454 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
4456 (type & 0x1) ? 'I' : 'D',
4458 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4459 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4460 panic("Irrecoverable Cheetah+ parity error.");
4463 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
4465 (type & 0x1) ? 'I' : 'D',
4467 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4468 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4471 struct sun4v_error_entry {
4472 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
4474 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4476 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4477 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4478 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4479 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4480 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4481 (void *) regs->u_regs[UREG_I7]);
4482 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4483 "pte[%lx] error[%lx]\n",
4484 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
4486 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4488 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4489 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4490 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4491 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4492 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4493 (void *) regs->u_regs[UREG_I7]);
4494 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4495 "pte[%lx] error[%lx]\n",
4496 @@ -2196,13 +2207,13 @@ void show_stack(struct task_struct *tsk,
4497 fp = (unsigned long)sf->fp + STACK_BIAS;
4500 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4501 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4502 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4503 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
4504 int index = tsk->curr_ret_stack;
4505 if (tsk->ret_stack && index >= graph) {
4506 pc = tsk->ret_stack[index - graph].ret;
4507 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4508 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4512 @@ -2255,7 +2266,7 @@ void die_if_kernel(char *str, struct pt_
4515 kstack_valid(tp, (unsigned long) rw)) {
4516 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4517 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4518 (void *) rw->ins[7]);
4520 rw = kernel_stack_up(rw);
4521 diff -urNp linux-2.6.36.2/arch/sparc/kernel/unaligned_64.c linux-2.6.36.2/arch/sparc/kernel/unaligned_64.c
4522 --- linux-2.6.36.2/arch/sparc/kernel/unaligned_64.c 2010-10-20 16:30:22.000000000 -0400
4523 +++ linux-2.6.36.2/arch/sparc/kernel/unaligned_64.c 2010-12-09 20:25:13.000000000 -0500
4524 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
4525 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
4527 if (__ratelimit(&ratelimit)) {
4528 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4529 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4530 regs->tpc, (void *) regs->tpc);
4533 diff -urNp linux-2.6.36.2/arch/sparc/lib/atomic_64.S linux-2.6.36.2/arch/sparc/lib/atomic_64.S
4534 --- linux-2.6.36.2/arch/sparc/lib/atomic_64.S 2010-10-20 16:30:22.000000000 -0400
4535 +++ linux-2.6.36.2/arch/sparc/lib/atomic_64.S 2010-12-09 20:25:13.000000000 -0500
4537 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4541 + addcc %g1, %o0, %g7
4543 +#ifdef CONFIG_PAX_REFCOUNT
4549 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4550 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4551 2: BACKOFF_SPIN(%o2, %o3, 1b)
4552 .size atomic_add, .-atomic_add
4554 + .globl atomic_add_unchecked
4555 + .type atomic_add_unchecked,#function
4556 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4557 + BACKOFF_SETUP(%o2)
4560 + cas [%o1], %g1, %g7
4566 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4567 + .size atomic_add_unchecked, .-atomic_add_unchecked
4570 .type atomic_sub,#function
4571 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4575 + subcc %g1, %o0, %g7
4577 +#ifdef CONFIG_PAX_REFCOUNT
4583 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4584 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4585 2: BACKOFF_SPIN(%o2, %o3, 1b)
4586 .size atomic_sub, .-atomic_sub
4588 + .globl atomic_sub_unchecked
4589 + .type atomic_sub_unchecked,#function
4590 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4591 + BACKOFF_SETUP(%o2)
4594 + cas [%o1], %g1, %g7
4600 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4601 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4603 .globl atomic_add_ret
4604 .type atomic_add_ret,#function
4605 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4609 + addcc %g1, %o0, %g7
4611 +#ifdef CONFIG_PAX_REFCOUNT
4617 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4618 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4619 2: BACKOFF_SPIN(%o2, %o3, 1b)
4620 .size atomic_add_ret, .-atomic_add_ret
4622 + .globl atomic_add_ret_unchecked
4623 + .type atomic_add_ret_unchecked,#function
4624 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4625 + BACKOFF_SETUP(%o2)
4627 + addcc %g1, %o0, %g7
4628 + cas [%o1], %g1, %g7
4635 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4636 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4638 .globl atomic_sub_ret
4639 .type atomic_sub_ret,#function
4640 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4644 + subcc %g1, %o0, %g7
4646 +#ifdef CONFIG_PAX_REFCOUNT
4652 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
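Review bot: `atomic_add_ret_unchecked` computes the sum with `addcc`, yet the next instruction shown is `cas`, which does not read the condition codes. Plain `add %g1, %o0, %g7` would make the unchecked intent explicit and show that only the checked variants depend on the overflow flag. The same applies to the `addcc`/`subcc` in atomic64_add_unchecked, atomic64_sub_unchecked and atomic64_add_ret_unchecked in the following hunks. Several lines of these routines are missing from this listing, so confirm that nothing later in the retry loop consumes the flags before changing it.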
4653 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4654 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4658 + addcc %g1, %o0, %g7
4660 +#ifdef CONFIG_PAX_REFCOUNT
4664 casx [%o1], %g1, %g7
4666 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4667 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4668 2: BACKOFF_SPIN(%o2, %o3, 1b)
4669 .size atomic64_add, .-atomic64_add
4671 + .globl atomic64_add_unchecked
4672 + .type atomic64_add_unchecked,#function
4673 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4674 + BACKOFF_SETUP(%o2)
4676 + addcc %g1, %o0, %g7
4677 + casx [%o1], %g1, %g7
4683 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4684 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4687 .type atomic64_sub,#function
4688 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4692 + subcc %g1, %o0, %g7
4694 +#ifdef CONFIG_PAX_REFCOUNT
4698 casx [%o1], %g1, %g7
4700 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4701 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4702 2: BACKOFF_SPIN(%o2, %o3, 1b)
4703 .size atomic64_sub, .-atomic64_sub
4705 + .globl atomic64_sub_unchecked
4706 + .type atomic64_sub_unchecked,#function
4707 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4708 + BACKOFF_SETUP(%o2)
4710 + subcc %g1, %o0, %g7
4711 + casx [%o1], %g1, %g7
4717 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4718 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4720 .globl atomic64_add_ret
4721 .type atomic64_add_ret,#function
4722 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4726 + addcc %g1, %o0, %g7
4728 +#ifdef CONFIG_PAX_REFCOUNT
4732 casx [%o1], %g1, %g7
4734 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4735 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4736 2: BACKOFF_SPIN(%o2, %o3, 1b)
4737 .size atomic64_add_ret, .-atomic64_add_ret
4739 + .globl atomic64_add_ret_unchecked
4740 + .type atomic64_add_ret_unchecked,#function
4741 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4742 + BACKOFF_SETUP(%o2)
4744 + addcc %g1, %o0, %g7
4745 + casx [%o1], %g1, %g7
4752 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4753 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4755 .globl atomic64_sub_ret
4756 .type atomic64_sub_ret,#function
4757 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4761 + subcc %g1, %o0, %g7
4763 +#ifdef CONFIG_PAX_REFCOUNT
4767 casx [%o1], %g1, %g7
4769 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4770 diff -urNp linux-2.6.36.2/arch/sparc/lib/ksyms.c linux-2.6.36.2/arch/sparc/lib/ksyms.c
4771 --- linux-2.6.36.2/arch/sparc/lib/ksyms.c 2010-10-20 16:30:22.000000000 -0400
4772 +++ linux-2.6.36.2/arch/sparc/lib/ksyms.c 2010-12-09 20:25:13.000000000 -0500
4773 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4775 /* Atomic counter implementation. */
4776 EXPORT_SYMBOL(atomic_add);
4777 +EXPORT_SYMBOL(atomic_add_unchecked);
4778 EXPORT_SYMBOL(atomic_add_ret);
4779 EXPORT_SYMBOL(atomic_sub);
4780 +EXPORT_SYMBOL(atomic_sub_unchecked);
4781 EXPORT_SYMBOL(atomic_sub_ret);
4782 EXPORT_SYMBOL(atomic64_add);
4783 +EXPORT_SYMBOL(atomic64_add_unchecked);
4784 EXPORT_SYMBOL(atomic64_add_ret);
4785 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4786 EXPORT_SYMBOL(atomic64_sub);
4787 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4788 EXPORT_SYMBOL(atomic64_sub_ret);
4790 /* Atomic bit operations. */
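Review bot: `atomic_add_ret_unchecked` is missing from the exports added here, although the atomic_64.S hunks above define it as a `.globl` function and its 64-bit sibling `atomic64_add_ret_unchecked` is exported. If a header wrapper reachable from modules calls it (not visible in this chunk), modular code would hit an unresolved symbol at modpost or module load. Adding `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);` would keep the export list parallel with the assembly.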
4791 diff -urNp linux-2.6.36.2/arch/sparc/Makefile linux-2.6.36.2/arch/sparc/Makefile
4792 --- linux-2.6.36.2/arch/sparc/Makefile 2010-10-20 16:30:22.000000000 -0400
4793 +++ linux-2.6.36.2/arch/sparc/Makefile 2010-12-09 20:25:13.000000000 -0500
4794 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4795 # Export what is needed by arch/sparc/boot/Makefile
4796 export VMLINUX_INIT VMLINUX_MAIN
4797 VMLINUX_INIT := $(head-y) $(init-y)
4798 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4799 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4800 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4801 VMLINUX_MAIN += $(drivers-y) $(net-y)
4803 diff -urNp linux-2.6.36.2/arch/sparc/mm/fault_32.c linux-2.6.36.2/arch/sparc/mm/fault_32.c
4804 --- linux-2.6.36.2/arch/sparc/mm/fault_32.c 2010-10-20 16:30:22.000000000 -0400
4805 +++ linux-2.6.36.2/arch/sparc/mm/fault_32.c 2010-12-09 20:25:13.000000000 -0500
4807 #include <linux/interrupt.h>
4808 #include <linux/module.h>
4809 #include <linux/kdebug.h>
4810 +#include <linux/slab.h>
4811 +#include <linux/pagemap.h>
4812 +#include <linux/compiler.h>
4814 #include <asm/system.h>
4815 #include <asm/page.h>
4816 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4817 return safe_compute_effective_address(regs, insn);
4820 +#ifdef CONFIG_PAX_PAGEEXEC
4821 +#ifdef CONFIG_PAX_DLRESOLVE
4822 +static void pax_emuplt_close(struct vm_area_struct *vma)
4824 + vma->vm_mm->call_dl_resolve = 0UL;
4827 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4829 + unsigned int *kaddr;
4831 + vmf->page = alloc_page(GFP_HIGHUSER);
4833 + return VM_FAULT_OOM;
4835 + kaddr = kmap(vmf->page);
4836 + memset(kaddr, 0, PAGE_SIZE);
4837 + kaddr[0] = 0x9DE3BFA8U; /* save */
4838 + flush_dcache_page(vmf->page);
4839 + kunmap(vmf->page);
4840 + return VM_FAULT_MAJOR;
4843 +static const struct vm_operations_struct pax_vm_ops = {
4844 + .close = pax_emuplt_close,
4845 + .fault = pax_emuplt_fault
4848 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4852 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4853 + vma->vm_mm = current->mm;
4854 + vma->vm_start = addr;
4855 + vma->vm_end = addr + PAGE_SIZE;
4856 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4857 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4858 + vma->vm_ops = &pax_vm_ops;
4860 + ret = insert_vm_struct(current->mm, vma);
4864 + ++current->mm->total_vm;
4870 + * PaX: decide what to do with offenders (regs->pc = fault address)
4872 + * returns 1 when task should be killed
4873 + * 2 when patched PLT trampoline was detected
4874 + * 3 when unpatched PLT trampoline was detected
4876 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4879 +#ifdef CONFIG_PAX_EMUPLT
4882 + do { /* PaX: patched PLT emulation #1 */
4883 + unsigned int sethi1, sethi2, jmpl;
4885 + err = get_user(sethi1, (unsigned int *)regs->pc);
4886 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4887 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4892 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4893 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4894 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4896 + unsigned int addr;
4898 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4899 + addr = regs->u_regs[UREG_G1];
4900 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4902 + regs->npc = addr+4;
4907 + { /* PaX: patched PLT emulation #2 */
4910 + err = get_user(ba, (unsigned int *)regs->pc);
4912 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4913 + unsigned int addr;
4915 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4917 + regs->npc = addr+4;
4922 + do { /* PaX: patched PLT emulation #3 */
4923 + unsigned int sethi, jmpl, nop;
4925 + err = get_user(sethi, (unsigned int *)regs->pc);
4926 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4927 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4932 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4933 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4934 + nop == 0x01000000U)
4936 + unsigned int addr;
4938 + addr = (sethi & 0x003FFFFFU) << 10;
4939 + regs->u_regs[UREG_G1] = addr;
4940 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4942 + regs->npc = addr+4;
4947 + do { /* PaX: unpatched PLT emulation step 1 */
4948 + unsigned int sethi, ba, nop;
4950 + err = get_user(sethi, (unsigned int *)regs->pc);
4951 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
4952 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4957 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4958 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4959 + nop == 0x01000000U)
4961 + unsigned int addr, save, call;
4963 + if ((ba & 0xFFC00000U) == 0x30800000U)
4964 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4966 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4968 + err = get_user(save, (unsigned int *)addr);
4969 + err |= get_user(call, (unsigned int *)(addr+4));
4970 + err |= get_user(nop, (unsigned int *)(addr+8));
4974 +#ifdef CONFIG_PAX_DLRESOLVE
4975 + if (save == 0x9DE3BFA8U &&
4976 + (call & 0xC0000000U) == 0x40000000U &&
4977 + nop == 0x01000000U)
4979 + struct vm_area_struct *vma;
4980 + unsigned long call_dl_resolve;
4982 + down_read(¤t->mm->mmap_sem);
4983 + call_dl_resolve = current->mm->call_dl_resolve;
4984 + up_read(¤t->mm->mmap_sem);
4985 + if (likely(call_dl_resolve))
4988 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4990 + down_write(¤t->mm->mmap_sem);
4991 + if (current->mm->call_dl_resolve) {
4992 + call_dl_resolve = current->mm->call_dl_resolve;
4993 + up_write(¤t->mm->mmap_sem);
4995 + kmem_cache_free(vm_area_cachep, vma);
4999 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5000 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5001 + up_write(¤t->mm->mmap_sem);
5003 + kmem_cache_free(vm_area_cachep, vma);
5007 + if (pax_insert_vma(vma, call_dl_resolve)) {
5008 + up_write(¤t->mm->mmap_sem);
5009 + kmem_cache_free(vm_area_cachep, vma);
5013 + current->mm->call_dl_resolve = call_dl_resolve;
5014 + up_write(¤t->mm->mmap_sem);
5017 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5018 + regs->pc = call_dl_resolve;
5019 + regs->npc = addr+4;
5024 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5025 + if ((save & 0xFFC00000U) == 0x05000000U &&
5026 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5027 + nop == 0x01000000U)
5029 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5030 + regs->u_regs[UREG_G2] = addr + 4;
5031 + addr = (save & 0x003FFFFFU) << 10;
5032 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5034 + regs->npc = addr+4;
5040 + do { /* PaX: unpatched PLT emulation step 2 */
5041 + unsigned int save, call, nop;
5043 + err = get_user(save, (unsigned int *)(regs->pc-4));
5044 + err |= get_user(call, (unsigned int *)regs->pc);
5045 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5049 + if (save == 0x9DE3BFA8U &&
5050 + (call & 0xC0000000U) == 0x40000000U &&
5051 + nop == 0x01000000U)
5053 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5055 + regs->u_regs[UREG_RETPC] = regs->pc;
5056 + regs->pc = dl_resolve;
5057 + regs->npc = dl_resolve+4;
5066 +void pax_report_insns(void *pc, void *sp)
5070 + printk(KERN_ERR "PAX: bytes at PC: ");
5071 + for (i = 0; i < 8; i++) {
5073 + if (get_user(c, (unsigned int *)pc+i))
5074 + printk(KERN_CONT "???????? ");
5076 + printk(KERN_CONT "%08x ", c);
5082 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
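Review bot: Every `get_user()` in pax_handle_fetch_fault and pax_report_insns casts the user address with a plain `(unsigned int *)`, e.g. `get_user(sethi1, (unsigned int *)regs->pc)`, so sparse cannot distinguish these user pointers from kernel ones. Writing the casts as `(unsigned int __user *)regs->pc`, and `(unsigned int __user *)pc+i` in pax_report_insns, keeps address-space checking meaningful in a handler whose whole job is to read instruction words from user-controlled memory. The same casts appear in the fault_64.c copy of these functions below. The `¤t->mm` tokens in this listing appear to be a rendering artefact of `&current->mm` rather than part of the patch.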
5085 @@ -282,6 +547,24 @@ good_area:
5086 if(!(vma->vm_flags & VM_WRITE))
5090 +#ifdef CONFIG_PAX_PAGEEXEC
5091 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5092 + up_read(&mm->mmap_sem);
5093 + switch (pax_handle_fetch_fault(regs)) {
5095 +#ifdef CONFIG_PAX_EMUPLT
5102 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5103 + do_group_exit(SIGKILL);
5107 /* Allow reads even for write-only mappings */
5108 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5110 diff -urNp linux-2.6.36.2/arch/sparc/mm/fault_64.c linux-2.6.36.2/arch/sparc/mm/fault_64.c
5111 --- linux-2.6.36.2/arch/sparc/mm/fault_64.c 2010-10-20 16:30:22.000000000 -0400
5112 +++ linux-2.6.36.2/arch/sparc/mm/fault_64.c 2010-12-09 20:25:13.000000000 -0500
5114 #include <linux/kprobes.h>
5115 #include <linux/kdebug.h>
5116 #include <linux/percpu.h>
5117 +#include <linux/slab.h>
5118 +#include <linux/pagemap.h>
5119 +#include <linux/compiler.h>
5121 #include <asm/page.h>
5122 #include <asm/pgtable.h>
5123 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
5124 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5126 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5127 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5128 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5129 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5131 unhandled_fault(regs->tpc, current, regs);
5132 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
5136 +#ifdef CONFIG_PAX_PAGEEXEC
5137 +#ifdef CONFIG_PAX_DLRESOLVE
5138 +static void pax_emuplt_close(struct vm_area_struct *vma)
5140 + vma->vm_mm->call_dl_resolve = 0UL;
5143 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5145 + unsigned int *kaddr;
5147 + vmf->page = alloc_page(GFP_HIGHUSER);
5149 + return VM_FAULT_OOM;
5151 + kaddr = kmap(vmf->page);
5152 + memset(kaddr, 0, PAGE_SIZE);
5153 + kaddr[0] = 0x9DE3BFA8U; /* save */
5154 + flush_dcache_page(vmf->page);
5155 + kunmap(vmf->page);
5156 + return VM_FAULT_MAJOR;
5159 +static const struct vm_operations_struct pax_vm_ops = {
5160 + .close = pax_emuplt_close,
5161 + .fault = pax_emuplt_fault
5164 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5168 + INIT_LIST_HEAD(&vma->anon_vma_chain);
5169 + vma->vm_mm = current->mm;
5170 + vma->vm_start = addr;
5171 + vma->vm_end = addr + PAGE_SIZE;
5172 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5173 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5174 + vma->vm_ops = &pax_vm_ops;
5176 + ret = insert_vm_struct(current->mm, vma);
5180 + ++current->mm->total_vm;
5186 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5188 + * returns 1 when task should be killed
5189 + * 2 when patched PLT trampoline was detected
5190 + * 3 when unpatched PLT trampoline was detected
5192 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5195 +#ifdef CONFIG_PAX_EMUPLT
5198 + do { /* PaX: patched PLT emulation #1 */
5199 + unsigned int sethi1, sethi2, jmpl;
5201 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5202 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5203 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5208 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5209 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5210 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5212 + unsigned long addr;
5214 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5215 + addr = regs->u_regs[UREG_G1];
5216 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5218 + if (test_thread_flag(TIF_32BIT))
5219 + addr &= 0xFFFFFFFFUL;
5222 + regs->tnpc = addr+4;
5227 + { /* PaX: patched PLT emulation #2 */
5230 + err = get_user(ba, (unsigned int *)regs->tpc);
5232 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5233 + unsigned long addr;
5235 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5237 + if (test_thread_flag(TIF_32BIT))
5238 + addr &= 0xFFFFFFFFUL;
5241 + regs->tnpc = addr+4;
5246 + do { /* PaX: patched PLT emulation #3 */
5247 + unsigned int sethi, jmpl, nop;
5249 + err = get_user(sethi, (unsigned int *)regs->tpc);
5250 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5251 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5256 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5257 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5258 + nop == 0x01000000U)
5260 + unsigned long addr;
5262 + addr = (sethi & 0x003FFFFFU) << 10;
5263 + regs->u_regs[UREG_G1] = addr;
5264 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5266 + if (test_thread_flag(TIF_32BIT))
5267 + addr &= 0xFFFFFFFFUL;
5270 + regs->tnpc = addr+4;
5275 + do { /* PaX: patched PLT emulation #4 */
5276 + unsigned int sethi, mov1, call, mov2;
5278 + err = get_user(sethi, (unsigned int *)regs->tpc);
5279 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5280 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5281 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5286 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5287 + mov1 == 0x8210000FU &&
5288 + (call & 0xC0000000U) == 0x40000000U &&
5289 + mov2 == 0x9E100001U)
5291 + unsigned long addr;
5293 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5294 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5296 + if (test_thread_flag(TIF_32BIT))
5297 + addr &= 0xFFFFFFFFUL;
5300 + regs->tnpc = addr+4;
5305 + do { /* PaX: patched PLT emulation #5 */
5306 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5308 + err = get_user(sethi, (unsigned int *)regs->tpc);
5309 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5310 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5311 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5312 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5313 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5314 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5315 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5320 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5321 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5322 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5323 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5324 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5325 + sllx == 0x83287020U &&
5326 + jmpl == 0x81C04005U &&
5327 + nop == 0x01000000U)
5329 + unsigned long addr;
5331 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5332 + regs->u_regs[UREG_G1] <<= 32;
5333 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5334 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5336 + regs->tnpc = addr+4;
5341 + do { /* PaX: patched PLT emulation #6 */
5342 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5344 + err = get_user(sethi, (unsigned int *)regs->tpc);
5345 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5346 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5347 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5348 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5349 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5350 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5355 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5356 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5357 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5358 + sllx == 0x83287020U &&
5359 + (or & 0xFFFFE000U) == 0x8A116000U &&
5360 + jmpl == 0x81C04005U &&
5361 + nop == 0x01000000U)
5363 + unsigned long addr;
5365 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5366 + regs->u_regs[UREG_G1] <<= 32;
5367 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5368 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5370 + regs->tnpc = addr+4;
5375 + do { /* PaX: unpatched PLT emulation step 1 */
5376 + unsigned int sethi, ba, nop;
5378 + err = get_user(sethi, (unsigned int *)regs->tpc);
5379 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5380 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5385 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5386 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5387 + nop == 0x01000000U)
5389 + unsigned long addr;
5390 + unsigned int save, call;
5391 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5393 + if ((ba & 0xFFC00000U) == 0x30800000U)
5394 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5396 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5398 + if (test_thread_flag(TIF_32BIT))
5399 + addr &= 0xFFFFFFFFUL;
5401 + err = get_user(save, (unsigned int *)addr);
5402 + err |= get_user(call, (unsigned int *)(addr+4));
5403 + err |= get_user(nop, (unsigned int *)(addr+8));
5407 +#ifdef CONFIG_PAX_DLRESOLVE
5408 + if (save == 0x9DE3BFA8U &&
5409 + (call & 0xC0000000U) == 0x40000000U &&
5410 + nop == 0x01000000U)
5412 + struct vm_area_struct *vma;
5413 + unsigned long call_dl_resolve;
5415 + down_read(¤t->mm->mmap_sem);
5416 + call_dl_resolve = current->mm->call_dl_resolve;
5417 + up_read(¤t->mm->mmap_sem);
5418 + if (likely(call_dl_resolve))
5421 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5423 + down_write(¤t->mm->mmap_sem);
5424 + if (current->mm->call_dl_resolve) {
5425 + call_dl_resolve = current->mm->call_dl_resolve;
5426 + up_write(¤t->mm->mmap_sem);
5428 + kmem_cache_free(vm_area_cachep, vma);
5432 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5433 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5434 + up_write(¤t->mm->mmap_sem);
5436 + kmem_cache_free(vm_area_cachep, vma);
5440 + if (pax_insert_vma(vma, call_dl_resolve)) {
5441 + up_write(¤t->mm->mmap_sem);
5442 + kmem_cache_free(vm_area_cachep, vma);
5446 + current->mm->call_dl_resolve = call_dl_resolve;
5447 + up_write(¤t->mm->mmap_sem);
5450 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5451 + regs->tpc = call_dl_resolve;
5452 + regs->tnpc = addr+4;
5457 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5458 + if ((save & 0xFFC00000U) == 0x05000000U &&
5459 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5460 + nop == 0x01000000U)
5462 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5463 + regs->u_regs[UREG_G2] = addr + 4;
5464 + addr = (save & 0x003FFFFFU) << 10;
5465 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5467 + if (test_thread_flag(TIF_32BIT))
5468 + addr &= 0xFFFFFFFFUL;
5471 + regs->tnpc = addr+4;
5475 + /* PaX: 64-bit PLT stub */
5476 + err = get_user(sethi1, (unsigned int *)addr);
5477 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5478 + err |= get_user(or1, (unsigned int *)(addr+8));
5479 + err |= get_user(or2, (unsigned int *)(addr+12));
5480 + err |= get_user(sllx, (unsigned int *)(addr+16));
5481 + err |= get_user(add, (unsigned int *)(addr+20));
5482 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5483 + err |= get_user(nop, (unsigned int *)(addr+28));
5487 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5488 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5489 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5490 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5491 + sllx == 0x89293020U &&
5492 + add == 0x8A010005U &&
5493 + jmpl == 0x89C14000U &&
5494 + nop == 0x01000000U)
5496 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5497 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5498 + regs->u_regs[UREG_G4] <<= 32;
5499 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5500 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5501 + regs->u_regs[UREG_G4] = addr + 24;
5502 + addr = regs->u_regs[UREG_G5];
5504 + regs->tnpc = addr+4;
5510 +#ifdef CONFIG_PAX_DLRESOLVE
5511 + do { /* PaX: unpatched PLT emulation step 2 */
5512 + unsigned int save, call, nop;
5514 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5515 + err |= get_user(call, (unsigned int *)regs->tpc);
5516 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5520 + if (save == 0x9DE3BFA8U &&
5521 + (call & 0xC0000000U) == 0x40000000U &&
5522 + nop == 0x01000000U)
5524 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5526 + if (test_thread_flag(TIF_32BIT))
5527 + dl_resolve &= 0xFFFFFFFFUL;
5529 + regs->u_regs[UREG_RETPC] = regs->tpc;
5530 + regs->tpc = dl_resolve;
5531 + regs->tnpc = dl_resolve+4;
5537 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5538 + unsigned int sethi, ba, nop;
5540 + err = get_user(sethi, (unsigned int *)regs->tpc);
5541 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5542 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5547 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5548 + (ba & 0xFFF00000U) == 0x30600000U &&
5549 + nop == 0x01000000U)
5551 + unsigned long addr;
5553 + addr = (sethi & 0x003FFFFFU) << 10;
5554 + regs->u_regs[UREG_G1] = addr;
5555 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5557 + if (test_thread_flag(TIF_32BIT))
5558 + addr &= 0xFFFFFFFFUL;
5561 + regs->tnpc = addr+4;
5571 +void pax_report_insns(void *pc, void *sp)
5575 + printk(KERN_ERR "PAX: bytes at PC: ");
5576 + for (i = 0; i < 8; i++) {
5578 + if (get_user(c, (unsigned int *)pc+i))
5579 + printk(KERN_CONT "???????? ");
5581 + printk(KERN_CONT "%08x ", c);
5587 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5589 struct mm_struct *mm = current->mm;
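Review bot: The comment on patched PLT emulation #7 says it must come after the unpatched PLT emulation but does not say why. From the masks shown, #7 accepts `(ba & 0xFFF00000U) == 0x30600000U`, which also matches the `0x30680000U` branch form that unpatched step 1 tests with the narrower mask `0xFFF80000U`. Placed earlier, #7 would therefore claim unpatched stubs before step 1 sees them. Extending the comment, e.g. `/* #7's ba mask is a superset of the unpatched step 1 pattern, so it has to be tried last */`, would protect the ordering against later reshuffling. do_sparc64_fault at the end of the hunk continues outside it.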
5590 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5594 +#ifdef CONFIG_PAX_PAGEEXEC
5595 + /* PaX: detect ITLB misses on non-exec pages */
5596 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5597 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5599 + if (address != regs->tpc)
5602 + up_read(&mm->mmap_sem);
5603 + switch (pax_handle_fetch_fault(regs)) {
5605 +#ifdef CONFIG_PAX_EMUPLT
5612 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5613 + do_group_exit(SIGKILL);
5617 /* Pure DTLB misses do not tell us whether the fault causing
5618 * load/store/atomic was a write or not, it only says that there
5619 * was no match. So in such a case we (carefully) read the
5620 diff -urNp linux-2.6.36.2/arch/sparc/mm/hugetlbpage.c linux-2.6.36.2/arch/sparc/mm/hugetlbpage.c
5621 --- linux-2.6.36.2/arch/sparc/mm/hugetlbpage.c 2010-10-20 16:30:22.000000000 -0400
5622 +++ linux-2.6.36.2/arch/sparc/mm/hugetlbpage.c 2010-12-09 20:25:13.000000000 -0500
5623 @@ -68,7 +68,7 @@ full_search:
5627 - if (likely(!vma || addr + len <= vma->vm_start)) {
5628 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5630 * Remember the place where we stopped the search:
5632 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5633 /* make sure it can fit in the remaining address space */
5634 if (likely(addr > len)) {
5635 vma = find_vma(mm, addr-len);
5636 - if (!vma || addr <= vma->vm_start) {
5637 + if (check_heap_stack_gap(vma, addr - len, len)) {
5638 /* remember the address as a hint for next time */
5639 return (mm->free_area_cache = addr-len);
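Review bot: This call passes `addr - len` as the start of the range, while the other three call sites in this file (full_search, the second top-down check and hugetlb_get_unmapped_area) pass `addr`, and nothing at the call site says which range is tested. The removed condition `!vma || addr <= vma->vm_start` made it visible that `addr` is the end of the candidate range here. A one-line comment above the call, such as `/* candidate range is [addr - len, addr) */`, would keep that readable. check_heap_stack_gap() is defined outside this hunk, so whether it accepts a NULL `vma`, as the removed `!vma` test did, has to be confirmed there.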
5641 @@ -125,7 +125,7 @@ hugetlb_get_unmapped_area_topdown(struct
5642 * return with success:
5644 vma = find_vma(mm, addr);
5645 - if (likely(!vma || addr+len <= vma->vm_start)) {
5646 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5647 /* remember the address as a hint for next time */
5648 return (mm->free_area_cache = addr);
5650 @@ -182,8 +182,7 @@ hugetlb_get_unmapped_area(struct file *f
5652 addr = ALIGN(addr, HPAGE_SIZE);
5653 vma = find_vma(mm, addr);
5654 - if (task_size - len >= addr &&
5655 - (!vma || addr + len <= vma->vm_start))
5656 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5659 if (mm->get_unmapped_area == arch_get_unmapped_area)
5660 diff -urNp linux-2.6.36.2/arch/sparc/mm/init_32.c linux-2.6.36.2/arch/sparc/mm/init_32.c
5661 --- linux-2.6.36.2/arch/sparc/mm/init_32.c 2010-10-20 16:30:22.000000000 -0400
5662 +++ linux-2.6.36.2/arch/sparc/mm/init_32.c 2010-12-09 20:25:13.000000000 -0500
5663 @@ -318,6 +318,9 @@ extern void device_scan(void);
5664 pgprot_t PAGE_SHARED __read_mostly;
5665 EXPORT_SYMBOL(PAGE_SHARED);
5667 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5668 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5670 void __init paging_init(void)
5672 switch(sparc_cpu_model) {
5673 @@ -346,17 +349,17 @@ void __init paging_init(void)
5675 /* Initialize the protection map with non-constant, MMU dependent values. */
5676 protection_map[0] = PAGE_NONE;
5677 - protection_map[1] = PAGE_READONLY;
5678 - protection_map[2] = PAGE_COPY;
5679 - protection_map[3] = PAGE_COPY;
5680 + protection_map[1] = PAGE_READONLY_NOEXEC;
5681 + protection_map[2] = PAGE_COPY_NOEXEC;
5682 + protection_map[3] = PAGE_COPY_NOEXEC;
5683 protection_map[4] = PAGE_READONLY;
5684 protection_map[5] = PAGE_READONLY;
5685 protection_map[6] = PAGE_COPY;
5686 protection_map[7] = PAGE_COPY;
5687 protection_map[8] = PAGE_NONE;
5688 - protection_map[9] = PAGE_READONLY;
5689 - protection_map[10] = PAGE_SHARED;
5690 - protection_map[11] = PAGE_SHARED;
5691 + protection_map[9] = PAGE_READONLY_NOEXEC;
5692 + protection_map[10] = PAGE_SHARED_NOEXEC;
5693 + protection_map[11] = PAGE_SHARED_NOEXEC;
5694 protection_map[12] = PAGE_READONLY;
5695 protection_map[13] = PAGE_READONLY;
5696 protection_map[14] = PAGE_SHARED;
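Review bot: `protection_map[10]` and `[11]` now read `PAGE_SHARED_NOEXEC` unconditionally, but the only visible assignment to that variable, in the srmmu.c hunk of this patch, sits under `#ifdef CONFIG_PAX_PAGEEXEC`. Unless a header outside this hunk aliases the `_NOEXEC` names to the plain ones when the option is off, those two entries would be built from a zero-initialised `pgprot_t`. Either make the srmmu.c assignment unconditional or guard the six changed entries with the same `#ifdef`. If another MMU setup routine besides ld_mmu_srmmu() assigns `PAGE_SHARED`, it needs the matching assignment too. paging_init() continues outside the hunk.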
5697 diff -urNp linux-2.6.36.2/arch/sparc/mm/Makefile linux-2.6.36.2/arch/sparc/mm/Makefile
5698 --- linux-2.6.36.2/arch/sparc/mm/Makefile 2010-10-20 16:30:22.000000000 -0400
5699 +++ linux-2.6.36.2/arch/sparc/mm/Makefile 2010-12-09 20:25:13.000000000 -0500
5704 -ccflags-y := -Werror
5705 +#ccflags-y := -Werror
5707 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5708 obj-y += fault_$(BITS).o
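Review bot: Commenting out `ccflags-y := -Werror` turns off warnings-as-errors for every object in arch/sparc/mm, not only the files this patch touches, and leaves a dead line behind. If a warning from the added fault-handling code is the reason, fixing it or relaxing the flag for that one object (for example `CFLAGS_fault_64.o += -Wno-error`) keeps the check for the rest of the directory. If the flag does stay off, delete the line instead of commenting it and record the reason in the changelog.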
5709 diff -urNp linux-2.6.36.2/arch/sparc/mm/srmmu.c linux-2.6.36.2/arch/sparc/mm/srmmu.c
5710 --- linux-2.6.36.2/arch/sparc/mm/srmmu.c 2010-10-20 16:30:22.000000000 -0400
5711 +++ linux-2.6.36.2/arch/sparc/mm/srmmu.c 2010-12-09 20:25:13.000000000 -0500
5712 @@ -2198,6 +2198,13 @@ void __init ld_mmu_srmmu(void)
5713 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5714 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5715 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5717 +#ifdef CONFIG_PAX_PAGEEXEC
5718 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5719 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5720 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5723 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5724 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5726 diff -urNp linux-2.6.36.2/arch/um/include/asm/kmap_types.h linux-2.6.36.2/arch/um/include/asm/kmap_types.h
5727 --- linux-2.6.36.2/arch/um/include/asm/kmap_types.h 2010-10-20 16:30:22.000000000 -0400
5728 +++ linux-2.6.36.2/arch/um/include/asm/kmap_types.h 2010-12-09 20:25:15.000000000 -0500
5729 @@ -23,6 +23,7 @@ enum km_type {
5737 diff -urNp linux-2.6.36.2/arch/um/include/asm/page.h linux-2.6.36.2/arch/um/include/asm/page.h
5738 --- linux-2.6.36.2/arch/um/include/asm/page.h 2010-10-20 16:30:22.000000000 -0400
5739 +++ linux-2.6.36.2/arch/um/include/asm/page.h 2010-12-09 20:25:15.000000000 -0500
5741 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5742 #define PAGE_MASK (~(PAGE_SIZE-1))
5744 +#define ktla_ktva(addr) (addr)
5745 +#define ktva_ktla(addr) (addr)
5747 #ifndef __ASSEMBLY__
5750 diff -urNp linux-2.6.36.2/arch/um/kernel/process.c linux-2.6.36.2/arch/um/kernel/process.c
5751 --- linux-2.6.36.2/arch/um/kernel/process.c 2010-10-20 16:30:22.000000000 -0400
5752 +++ linux-2.6.36.2/arch/um/kernel/process.c 2010-12-09 20:25:15.000000000 -0500
5753 @@ -404,22 +404,6 @@ int singlestepping(void * t)
5758 - * Only x86 and x86_64 have an arch_align_stack().
5759 - * All other arches have "#define arch_align_stack(x) (x)"
5760 - * in their asm/system.h
5761 - * As this is included in UML from asm-um/system-generic.h,
5762 - * we can use it to behave as the subarch does.
5764 -#ifndef arch_align_stack
5765 -unsigned long arch_align_stack(unsigned long sp)
5767 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5768 - sp -= get_random_int() % 8192;
5773 unsigned long get_wchan(struct task_struct *p)
5775 unsigned long stack_page, sp, ip;
5776 diff -urNp linux-2.6.36.2/arch/um/sys-i386/syscalls.c linux-2.6.36.2/arch/um/sys-i386/syscalls.c
5777 --- linux-2.6.36.2/arch/um/sys-i386/syscalls.c 2010-10-20 16:30:22.000000000 -0400
5778 +++ linux-2.6.36.2/arch/um/sys-i386/syscalls.c 2010-12-09 20:25:15.000000000 -0500
5780 #include "asm/uaccess.h"
5781 #include "asm/unistd.h"
5783 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5785 + unsigned long pax_task_size = TASK_SIZE;
5787 +#ifdef CONFIG_PAX_SEGMEXEC
5788 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5789 + pax_task_size = SEGMEXEC_TASK_SIZE;
5792 + if (len > pax_task_size || addr > pax_task_size - len)
5799 * The prototype on i386 is:
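Review bot: i386_mmap_check() has no comment, and the order of the two comparisons in `if (len > pax_task_size || addr > pax_task_size - len)` is what keeps `pax_task_size - len` from wrapping, so it deserves a line to stop anyone reordering it. Suggest `/* test len first so pax_task_size - len cannot underflow */` above the `if`. The `flags` parameter is not used in the visible lines; if that is intentional, a short note at the signature would say so.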
5801 diff -urNp linux-2.6.36.2/arch/x86/boot/bitops.h linux-2.6.36.2/arch/x86/boot/bitops.h
5802 --- linux-2.6.36.2/arch/x86/boot/bitops.h 2010-10-20 16:30:22.000000000 -0400
5803 +++ linux-2.6.36.2/arch/x86/boot/bitops.h 2010-12-09 20:24:54.000000000 -0500
5804 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5806 const u32 *p = (const u32 *)addr;
5808 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5809 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5813 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5815 static inline void set_bit(int nr, void *addr)
5817 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5818 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5821 #endif /* BOOT_BITOPS_H */
5822 diff -urNp linux-2.6.36.2/arch/x86/boot/boot.h linux-2.6.36.2/arch/x86/boot/boot.h
5823 --- linux-2.6.36.2/arch/x86/boot/boot.h 2010-10-20 16:30:22.000000000 -0400
5824 +++ linux-2.6.36.2/arch/x86/boot/boot.h 2010-12-09 20:24:54.000000000 -0500
5825 @@ -85,7 +85,7 @@ static inline void io_delay(void)
5826 static inline u16 ds(void)
5829 - asm("movw %%ds,%0" : "=rm" (seg));
5830 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5834 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
5835 static inline int memcmp(const void *s1, const void *s2, size_t len)
5838 - asm("repe; cmpsb; setnz %0"
5839 + asm volatile("repe; cmpsb; setnz %0"
5840 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
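Review bot: `volatile` keeps this asm from being dropped or merged, but it does not tell the compiler that `repe; cmpsb` reads the bytes at `s1` and `s2`: the operand list holds only the pointer registers and there is no `"memory"` clobber. As far as the compiler knows, stores to either buffer made just before the call are not ordered against the asm, which matters once memcmp() is inlined. Adding the clobber closes that: `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`.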
5843 diff -urNp linux-2.6.36.2/arch/x86/boot/compressed/head_32.S linux-2.6.36.2/arch/x86/boot/compressed/head_32.S
5844 --- linux-2.6.36.2/arch/x86/boot/compressed/head_32.S 2010-10-20 16:30:22.000000000 -0400
5845 +++ linux-2.6.36.2/arch/x86/boot/compressed/head_32.S 2010-12-09 20:24:54.000000000 -0500
5846 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5850 - movl $LOAD_PHYSICAL_ADDR, %ebx
5851 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5854 /* Target address to relocate to for decompression */
5855 @@ -162,7 +162,7 @@ relocated:
5856 * and where it was actually loaded.
5859 - subl $LOAD_PHYSICAL_ADDR, %ebx
5860 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5861 jz 2f /* Nothing to be done if loaded at compiled addr. */
5863 * Process relocations.
5864 @@ -170,8 +170,7 @@ relocated:
5871 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5874 diff -urNp linux-2.6.36.2/arch/x86/boot/compressed/head_64.S linux-2.6.36.2/arch/x86/boot/compressed/head_64.S
5875 --- linux-2.6.36.2/arch/x86/boot/compressed/head_64.S 2010-10-20 16:30:22.000000000 -0400
5876 +++ linux-2.6.36.2/arch/x86/boot/compressed/head_64.S 2010-12-09 20:24:54.000000000 -0500
5877 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5881 - movl $LOAD_PHYSICAL_ADDR, %ebx
5882 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5885 /* Target address to relocate to for decompression */
5886 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5890 - movq $LOAD_PHYSICAL_ADDR, %rbp
5891 + movq $____LOAD_PHYSICAL_ADDR, %rbp
5894 /* Target address to relocate to for decompression */
5895 diff -urNp linux-2.6.36.2/arch/x86/boot/compressed/misc.c linux-2.6.36.2/arch/x86/boot/compressed/misc.c
5896 --- linux-2.6.36.2/arch/x86/boot/compressed/misc.c 2010-10-20 16:30:22.000000000 -0400
5897 +++ linux-2.6.36.2/arch/x86/boot/compressed/misc.c 2010-12-09 20:24:54.000000000 -0500
5898 @@ -289,7 +289,7 @@ static void parse_elf(void *output)
5900 #ifdef CONFIG_RELOCATABLE
5902 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5903 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5905 dest = (void *)(phdr->p_paddr);
5907 @@ -342,7 +342,7 @@ asmlinkage void decompress_kernel(void *
5908 error("Destination address too large");
5910 #ifndef CONFIG_RELOCATABLE
5911 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5912 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5913 error("Wrong destination address");
5916 diff -urNp linux-2.6.36.2/arch/x86/boot/compressed/mkpiggy.c linux-2.6.36.2/arch/x86/boot/compressed/mkpiggy.c
5917 --- linux-2.6.36.2/arch/x86/boot/compressed/mkpiggy.c 2010-10-20 16:30:22.000000000 -0400
5918 +++ linux-2.6.36.2/arch/x86/boot/compressed/mkpiggy.c 2010-12-09 20:24:54.000000000 -0500
5919 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
5921 offs = (olen > ilen) ? olen - ilen : 0;
5922 offs += olen >> 12; /* Add 8 bytes for each 32K block */
5923 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
5924 + offs += 64*1024; /* Add 64K bytes slack */
5925 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
5927 printf(".section \".rodata..compressed\",\"a\",@progbits\n");
5928 diff -urNp linux-2.6.36.2/arch/x86/boot/compressed/relocs.c linux-2.6.36.2/arch/x86/boot/compressed/relocs.c
5929 --- linux-2.6.36.2/arch/x86/boot/compressed/relocs.c 2010-10-20 16:30:22.000000000 -0400
5930 +++ linux-2.6.36.2/arch/x86/boot/compressed/relocs.c 2010-12-09 20:24:54.000000000 -0500
5933 static void die(char *fmt, ...);
5935 +#include "../../../../include/generated/autoconf.h"
5937 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5938 static Elf32_Ehdr ehdr;
5939 +static Elf32_Phdr *phdr;
5940 static unsigned long reloc_count, reloc_idx;
5941 static unsigned long *relocs;
5943 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5947 +static void read_phdrs(FILE *fp)
5951 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5953 + die("Unable to allocate %d program headers\n",
5956 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5957 + die("Seek to %d failed: %s\n",
5958 + ehdr.e_phoff, strerror(errno));
5960 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5961 + die("Cannot read ELF program headers: %s\n",
5964 + for(i = 0; i < ehdr.e_phnum; i++) {
5965 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5966 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5967 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5968 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5969 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5970 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5971 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5972 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5977 static void read_shdrs(FILE *fp)
5983 secs = calloc(ehdr.e_shnum, sizeof(struct section));
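Review bot: read_phdrs() reads `ehdr.e_phnum` entries of `sizeof(*phdr)` bytes without checking that the file's `e_phentsize` matches, so a header with a different entry size would be parsed at the wrong stride. read_ehdr() is outside this hunk and may already validate it; if not, add `if (ehdr.e_phentsize != sizeof(Elf32_Phdr)) die("Bad program header entry\n");` before the calloc. Separately, `ehdr.e_phoff` is an unsigned 32-bit field printed with `%d` in the seek error; `%u` matches the type.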
5984 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5986 static void read_strtabs(FILE *fp)
5990 for (i = 0; i < ehdr.e_shnum; i++) {
5991 struct section *sec = &secs[i];
5992 if (sec->shdr.sh_type != SHT_STRTAB) {
5993 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5995 static void read_symtabs(FILE *fp)
5999 for (i = 0; i < ehdr.e_shnum; i++) {
6000 struct section *sec = &secs[i];
6001 if (sec->shdr.sh_type != SHT_SYMTAB) {
6002 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
6004 static void read_relocs(FILE *fp)
6010 for (i = 0; i < ehdr.e_shnum; i++) {
6011 struct section *sec = &secs[i];
6012 if (sec->shdr.sh_type != SHT_REL) {
6013 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
6014 die("Cannot read symbol table: %s\n",
6018 + for (j = 0; j < ehdr.e_phnum; j++) {
6019 + if (phdr[j].p_type != PT_LOAD )
6021 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6023 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6026 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6027 Elf32_Rel *rel = &sec->reltab[j];
6028 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6029 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6030 rel->r_info = elf32_to_cpu(rel->r_info);
6033 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
6035 static void print_absolute_symbols(void)
6039 printf("Absolute symbols\n");
6040 printf(" Num: Value Size Type Bind Visibility Name\n");
6041 for (i = 0; i < ehdr.e_shnum; i++) {
6042 struct section *sec = &secs[i];
6044 Elf32_Sym *sh_symtab;
6048 if (sec->shdr.sh_type != SHT_SYMTAB) {
6050 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
6052 static void print_absolute_relocs(void)
6054 - int i, printed = 0;
6055 + unsigned int i, printed = 0;
6057 for (i = 0; i < ehdr.e_shnum; i++) {
6058 struct section *sec = &secs[i];
6059 struct section *sec_applies, *sec_symtab;
6061 Elf32_Sym *sh_symtab;
6064 if (sec->shdr.sh_type != SHT_REL) {
6067 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
6069 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6073 /* Walk through the relocations */
6074 for (i = 0; i < ehdr.e_shnum; i++) {
6076 Elf32_Sym *sh_symtab;
6077 struct section *sec_applies, *sec_symtab;
6080 struct section *sec = &secs[i];
6082 if (sec->shdr.sh_type != SHT_REL) {
6083 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
6084 !is_rel_reloc(sym_name(sym_strtab, sym))) {
6087 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6088 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6091 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6092 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6093 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6095 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6097 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6099 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6106 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
6108 static void emit_relocs(int as_text)
6112 /* Count how many relocations I have and allocate space for them. */
6114 walk_relocs(count_reloc);
6115 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
6116 fname, strerror(errno));
6123 diff -urNp linux-2.6.36.2/arch/x86/boot/cpucheck.c linux-2.6.36.2/arch/x86/boot/cpucheck.c
6124 --- linux-2.6.36.2/arch/x86/boot/cpucheck.c 2010-10-20 16:30:22.000000000 -0400
6125 +++ linux-2.6.36.2/arch/x86/boot/cpucheck.c 2010-12-09 20:24:54.000000000 -0500
6126 @@ -74,7 +74,7 @@ static int has_fpu(void)
6127 u16 fcw = -1, fsw = -1;
6130 - asm("movl %%cr0,%0" : "=r" (cr0));
6131 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6132 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6133 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6134 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6135 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6140 + asm volatile("pushfl ; "
6144 @@ -115,7 +115,7 @@ static void get_flags(void)
6145 set_bit(X86_FEATURE_FPU, cpu.flags);
6147 if (has_eflag(X86_EFLAGS_ID)) {
6149 + asm volatile("cpuid"
6150 : "=a" (max_intel_level),
6151 "=b" (cpu_vendor[0]),
6152 "=d" (cpu_vendor[1]),
6153 @@ -124,7 +124,7 @@ static void get_flags(void)
6155 if (max_intel_level >= 0x00000001 &&
6156 max_intel_level <= 0x0000ffff) {
6158 + asm volatile("cpuid"
6160 "=c" (cpu.flags[4]),
6162 @@ -136,7 +136,7 @@ static void get_flags(void)
6163 cpu.model += ((tfms >> 16) & 0xf) << 4;
6167 + asm volatile("cpuid"
6168 : "=a" (max_amd_level)
6170 : "ebx", "ecx", "edx");
6171 @@ -144,7 +144,7 @@ static void get_flags(void)
6172 if (max_amd_level >= 0x80000001 &&
6173 max_amd_level <= 0x8000ffff) {
6174 u32 eax = 0x80000001;
6176 + asm volatile("cpuid"
6178 "=c" (cpu.flags[6]),
6180 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6181 u32 ecx = MSR_K7_HWCR;
6184 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6185 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6187 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6188 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6190 get_flags(); /* Make sure it really did something */
6191 err = check_flags();
6192 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6193 u32 ecx = MSR_VIA_FCR;
6196 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6197 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6198 eax |= (1<<1)|(1<<7);
6199 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6200 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6202 set_bit(X86_FEATURE_CX8, cpu.flags);
6203 err = check_flags();
6204 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6208 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6209 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6211 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6212 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6213 + asm volatile("cpuid"
6214 : "+a" (level), "=d" (cpu.flags[0])
6216 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6217 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6219 err = check_flags();
6221 diff -urNp linux-2.6.36.2/arch/x86/boot/header.S linux-2.6.36.2/arch/x86/boot/header.S
6222 --- linux-2.6.36.2/arch/x86/boot/header.S 2010-10-20 16:30:22.000000000 -0400
6223 +++ linux-2.6.36.2/arch/x86/boot/header.S 2010-12-09 20:24:54.000000000 -0500
6224 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6225 # single linked list of
6228 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6229 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6231 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6232 #define VO_INIT_SIZE (VO__end - VO__text)
6233 diff -urNp linux-2.6.36.2/arch/x86/boot/memory.c linux-2.6.36.2/arch/x86/boot/memory.c
6234 --- linux-2.6.36.2/arch/x86/boot/memory.c 2010-10-20 16:30:22.000000000 -0400
6235 +++ linux-2.6.36.2/arch/x86/boot/memory.c 2010-12-09 20:24:54.000000000 -0500
6238 static int detect_memory_e820(void)
6241 + unsigned int count = 0;
6242 struct biosregs ireg, oreg;
6243 struct e820entry *desc = boot_params.e820_map;
6244 static struct e820entry buf; /* static so it is zeroed */
6245 diff -urNp linux-2.6.36.2/arch/x86/boot/video.c linux-2.6.36.2/arch/x86/boot/video.c
6246 --- linux-2.6.36.2/arch/x86/boot/video.c 2010-10-20 16:30:22.000000000 -0400
6247 +++ linux-2.6.36.2/arch/x86/boot/video.c 2010-12-09 20:24:54.000000000 -0500
6248 @@ -96,7 +96,7 @@ static void store_mode_params(void)
6249 static unsigned int get_entry(void)
6253 + unsigned int i, len = 0;
6257 diff -urNp linux-2.6.36.2/arch/x86/boot/video-vesa.c linux-2.6.36.2/arch/x86/boot/video-vesa.c
6258 --- linux-2.6.36.2/arch/x86/boot/video-vesa.c 2010-10-20 16:30:22.000000000 -0400
6259 +++ linux-2.6.36.2/arch/x86/boot/video-vesa.c 2010-12-09 20:24:54.000000000 -0500
6260 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6262 boot_params.screen_info.vesapm_seg = oreg.es;
6263 boot_params.screen_info.vesapm_off = oreg.di;
6264 + boot_params.screen_info.vesapm_size = oreg.cx;
6268 diff -urNp linux-2.6.36.2/arch/x86/ia32/ia32_aout.c linux-2.6.36.2/arch/x86/ia32/ia32_aout.c
6269 --- linux-2.6.36.2/arch/x86/ia32/ia32_aout.c 2010-10-20 16:30:22.000000000 -0400
6270 +++ linux-2.6.36.2/arch/x86/ia32/ia32_aout.c 2010-12-09 20:24:55.000000000 -0500
6271 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
6272 unsigned long dump_start, dump_size;
6275 + memset(&dump, 0, sizeof(dump));
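Review bot: The added `memset(&dump, 0, sizeof(dump));` has no comment saying why the whole structure is cleared, and the reason is easy to lose in a later cleanup. The declaration of `dump` is outside this hunk, but in a core-dump path the likely purpose is to keep padding and never-assigned fields from carrying kernel stack contents into the core file. Suggest `/* zero padding and unset fields: dump is written out to the core file */` above the call.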
6280 diff -urNp linux-2.6.36.2/arch/x86/ia32/ia32entry.S linux-2.6.36.2/arch/x86/ia32/ia32entry.S
6281 --- linux-2.6.36.2/arch/x86/ia32/ia32entry.S 2010-10-20 16:30:22.000000000 -0400
6282 +++ linux-2.6.36.2/arch/x86/ia32/ia32entry.S 2010-12-09 20:24:55.000000000 -0500
6284 #include <asm/thread_info.h>
6285 #include <asm/segment.h>
6286 #include <asm/irqflags.h>
6287 +#include <asm/pgtable.h>
6288 #include <linux/linkage.h>
6290 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6291 @@ -120,6 +121,11 @@ ENTRY(ia32_sysenter_target)
6293 movq PER_CPU_VAR(kernel_stack), %rsp
6294 addq $(KERNEL_STACK_OFFSET),%rsp
6296 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6297 + call pax_enter_kernel_user
6301 * No need to follow this irqs on/off section: the syscall
6302 * disabled irqs, here we enable it straight after entry:
6303 @@ -150,6 +156,12 @@ ENTRY(ia32_sysenter_target)
6305 /* no need to do an access_ok check here because rbp has been
6306 32bit zero extended */
6308 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6309 + mov $PAX_USER_SHADOW_BASE,%r10
6314 .section __ex_table,"a"
6315 .quad 1b,ia32_badarg
6316 @@ -172,6 +184,11 @@ sysenter_dispatch:
6317 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6319 sysexit_from_sys_call:
6321 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6322 + call pax_exit_kernel_user
6325 andl $~TS_COMPAT,TI_status(%r10)
6326 /* clear IF, that popfq doesn't enable interrupts early */
6327 andl $~0x200,EFLAGS-R11(%rsp)
6328 @@ -290,6 +307,11 @@ ENTRY(ia32_cstar_target)
6331 movq PER_CPU_VAR(kernel_stack),%rsp
6333 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6334 + call pax_enter_kernel_user
6338 * No need to follow this irqs on/off section: the syscall
6339 * disabled irqs and here we enable it straight after entry:
6340 @@ -311,6 +333,12 @@ ENTRY(ia32_cstar_target)
6341 /* no need to do an access_ok check here because r8 has been
6342 32bit zero extended */
6343 /* hardware stack frame is complete now */
6345 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6346 + mov $PAX_USER_SHADOW_BASE,%r10
6351 .section __ex_table,"a"
6352 .quad 1b,ia32_badarg
6353 @@ -333,6 +361,11 @@ cstar_dispatch:
6354 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6356 sysretl_from_sys_call:
6358 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6359 + call pax_exit_kernel_user
6362 andl $~TS_COMPAT,TI_status(%r10)
6363 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6364 movl RIP-ARGOFFSET(%rsp),%ecx
6365 @@ -415,6 +448,11 @@ ENTRY(ia32_syscall)
6366 CFI_REL_OFFSET rip,RIP-RIP
6367 PARAVIRT_ADJUST_EXCEPTION_FRAME
6370 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6371 + call pax_enter_kernel_user
6375 * No need to follow this irqs on/off section: the syscall
6376 * disabled irqs and here we enable it straight after entry:
6377 diff -urNp linux-2.6.36.2/arch/x86/ia32/ia32_signal.c linux-2.6.36.2/arch/x86/ia32/ia32_signal.c
6378 --- linux-2.6.36.2/arch/x86/ia32/ia32_signal.c 2010-10-20 16:30:22.000000000 -0400
6379 +++ linux-2.6.36.2/arch/x86/ia32/ia32_signal.c 2010-12-09 20:24:55.000000000 -0500
6380 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6382 /* Align the stack pointer according to the i386 ABI,
6383 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6384 - sp = ((sp + 4) & -16ul) - 4;
6385 + sp = ((sp - 12) & -16ul) - 4;
6386 return (void __user *) sp;
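Review bot: The comment above the changed line still explains only the alignment rule, `((sp + 4) & 15) == 0`, which the old expression already met, so it gives no reason for `sp = ((sp - 12) & -16ul) - 4;`. The visible effect of the new form is that the result is always at least 16 bytes below the incoming `sp`, where the old one could return `sp` unchanged. Extend the comment to say so, e.g. `* ... and always move at least 16 bytes below the incoming sp`, together with the reason the gap is wanted. get_sigframe() starts outside the hunk.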
6389 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
6390 * These are actually not used anymore, but left because some
6391 * gdb versions depend on them as a marker.
6393 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6394 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6395 } put_user_catch(err);
6398 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6400 __NR_ia32_rt_sigreturn,
6406 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6407 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
6409 if (ka->sa.sa_flags & SA_RESTORER)
6410 restorer = ka->sa.sa_restorer;
6411 + else if (current->mm->context.vdso)
6412 + /* Return stub is in 32bit vsyscall page */
6413 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6415 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6417 + restorer = &frame->retcode;
6418 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
6421 * Not actually used anymore, but left because some gdb
6424 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6425 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6426 } put_user_catch(err);
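Review bot: With the new `else` branch `restorer = &frame->retcode;`, the retained comment "Not actually used anymore, but left because some gdb ..." no longer holds: when there is no SA_RESTORER and `current->mm->context.vdso` is zero, the handler returns through that on-stack code. Update the comment to something like `/* return stub when there is no restorer and no vDSO; also a marker for gdb */`. That fallback runs from the user stack, so it depends on the stack being executable or on the kernel emulating the stub; a sentence saying which is expected would help the next reader. ia32_setup_rt_frame() starts and ends outside the hunk.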
6429 diff -urNp linux-2.6.36.2/arch/x86/include/asm/alternative.h linux-2.6.36.2/arch/x86/include/asm/alternative.h
6430 --- linux-2.6.36.2/arch/x86/include/asm/alternative.h 2010-10-20 16:30:22.000000000 -0400
6431 +++ linux-2.6.36.2/arch/x86/include/asm/alternative.h 2010-12-09 20:24:53.000000000 -0500
6432 @@ -92,7 +92,7 @@ static inline int alternatives_text_rese
6433 ".section .discard,\"aw\",@progbits\n" \
6434 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6436 - ".section .altinstr_replacement, \"ax\"\n" \
6437 + ".section .altinstr_replacement, \"a\"\n" \
6438 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6441 diff -urNp linux-2.6.36.2/arch/x86/include/asm/apm.h linux-2.6.36.2/arch/x86/include/asm/apm.h
6442 --- linux-2.6.36.2/arch/x86/include/asm/apm.h 2010-10-20 16:30:22.000000000 -0400
6443 +++ linux-2.6.36.2/arch/x86/include/asm/apm.h 2010-12-09 20:24:53.000000000 -0500
6444 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6445 __asm__ __volatile__(APM_DO_ZERO_SEGS
6448 - "lcall *%%cs:apm_bios_entry\n\t"
6449 + "lcall *%%ss:apm_bios_entry\n\t"
6453 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6454 __asm__ __volatile__(APM_DO_ZERO_SEGS
6457 - "lcall *%%cs:apm_bios_entry\n\t"
6458 + "lcall *%%ss:apm_bios_entry\n\t"
6462 diff -urNp linux-2.6.36.2/arch/x86/include/asm/asm.h linux-2.6.36.2/arch/x86/include/asm/asm.h
6463 --- linux-2.6.36.2/arch/x86/include/asm/asm.h 2010-10-20 16:30:22.000000000 -0400
6464 +++ linux-2.6.36.2/arch/x86/include/asm/asm.h 2010-12-09 20:24:53.000000000 -0500
6466 #define _ASM_SI __ASM_REG(si)
6467 #define _ASM_DI __ASM_REG(di)
6469 +#ifdef CONFIG_X86_32
6470 +#define _ASM_INTO "into"
6472 +#define _ASM_INTO "int $4"
6475 /* Exception table entry */
6477 # define _ASM_EXTABLE(from,to) \
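Review bot: The two expansions of `_ASM_INTO` do not behave alike, and the macro has no comment saying so: `into` traps only when the overflow flag is set, while `int $4` traps unconditionally. Every 64-bit user therefore has to branch around it when OF is clear, which a reader of this header cannot tell from the name. Suggest a comment above the `#ifdef`, e.g. `/* 64-bit mode has no INTO; callers must skip "int $4" with jno when OF is clear */`.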
6478 diff -urNp linux-2.6.36.2/arch/x86/include/asm/atomic64_32.h linux-2.6.36.2/arch/x86/include/asm/atomic64_32.h
6479 --- linux-2.6.36.2/arch/x86/include/asm/atomic64_32.h 2010-10-20 16:30:22.000000000 -0400
6480 +++ linux-2.6.36.2/arch/x86/include/asm/atomic64_32.h 2010-12-09 20:24:53.000000000 -0500
6481 @@ -12,6 +12,14 @@ typedef struct {
6482 u64 __aligned(8) counter;
6485 +#ifdef CONFIG_PAX_REFCOUNT
6487 + u64 __aligned(8) counter;
6488 +} atomic64_unchecked_t;
6490 +typedef atomic64_t atomic64_unchecked_t;
6493 #define ATOMIC64_INIT(val) { (val) }
6495 #ifdef CONFIG_X86_CMPXCHG64
6496 diff -urNp linux-2.6.36.2/arch/x86/include/asm/atomic64_64.h linux-2.6.36.2/arch/x86/include/asm/atomic64_64.h
6497 --- linux-2.6.36.2/arch/x86/include/asm/atomic64_64.h 2010-10-20 16:30:22.000000000 -0400
6498 +++ linux-2.6.36.2/arch/x86/include/asm/atomic64_64.h 2010-12-09 20:24:53.000000000 -0500
6501 static inline long atomic64_read(const atomic64_t *v)
6503 - return (*(volatile long *)&(v)->counter);
6504 + return (*(volatile const long *)&(v)->counter);
6508 + * atomic64_read_unchecked - read atomic64 variable
6509 + * @v: pointer of type atomic64_unchecked_t
6511 + * Atomically reads the value of @v.
6512 + * Doesn't imply a read memory barrier.
6514 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6516 + return (*(volatile const long *)&(v)->counter);
6520 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6524 + * atomic64_set_unchecked - set atomic64 variable
6525 + * @v: pointer to type atomic64_unchecked_t
6526 + * @i: required value
6528 + * Atomically sets the value of @v to @i.
6530 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6536 * atomic64_add - add integer to atomic64 variable
6537 * @i: integer value to add
6538 * @v: pointer to type atomic64_t
6539 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6541 static inline void atomic64_add(long i, atomic64_t *v)
6543 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6545 +#ifdef CONFIG_PAX_REFCOUNT
6547 + LOCK_PREFIX "subq %1,%0\n"
6549 + _ASM_EXTABLE(0b, 0b)
6552 + : "=m" (v->counter)
6553 + : "er" (i), "m" (v->counter));
6557 + * atomic64_add_unchecked - add integer to atomic64 variable
6558 + * @i: integer value to add
6559 + * @v: pointer to type atomic64_unchecked_t
6561 + * Atomically adds @i to @v.
6563 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6565 asm volatile(LOCK_PREFIX "addq %1,%0"
6567 : "er" (i), "m" (v->counter));
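Review bot: Under CONFIG_PAX_REFCOUNT the overflow is undone by a second locked instruction (`LOCK_PREFIX "subq %1,%0\n"` after the `addq`), so the add and its rollback are two separate atomic operations and another CPU can read the wrapped counter in between. The lines between the two instructions are not visible here, so this is read from the visible pair only. If that window is accepted, state it in the kerneldoc of atomic64_add(), e.g. `* On overflow the add is reverted by a separate locked op; observers may briefly see the wrapped value.` The same pattern appears in the atomic64_sub, atomic64_inc and atomic64_dec hunks below.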
6568 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
6570 static inline void atomic64_sub(long i, atomic64_t *v)
6572 - asm volatile(LOCK_PREFIX "subq %1,%0"
6573 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6575 +#ifdef CONFIG_PAX_REFCOUNT
6577 + LOCK_PREFIX "addq %1,%0\n"
6579 + _ASM_EXTABLE(0b, 0b)
6582 + : "=m" (v->counter)
6583 + : "er" (i), "m" (v->counter));
6587 + * atomic64_sub_unchecked - subtract the atomic64 variable
6588 + * @i: integer value to subtract
6589 + * @v: pointer to type atomic64_unchecked_t
6591 + * Atomically subtracts @i from @v.
6593 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6595 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6597 : "er" (i), "m" (v->counter));
6599 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
6603 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6604 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6606 +#ifdef CONFIG_PAX_REFCOUNT
6608 + LOCK_PREFIX "addq %2,%0\n"
6610 + _ASM_EXTABLE(0b, 0b)
6614 : "=m" (v->counter), "=qm" (c)
6615 : "er" (i), "m" (v->counter) : "memory");
6617 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
6619 static inline void atomic64_inc(atomic64_t *v)
6621 + asm volatile(LOCK_PREFIX "incq %0\n"
6623 +#ifdef CONFIG_PAX_REFCOUNT
6625 + LOCK_PREFIX "decq %0\n"
6627 + _ASM_EXTABLE(0b, 0b)
6630 + : "=m" (v->counter)
6631 + : "m" (v->counter));
6635 + * atomic64_inc_unchecked - increment atomic64 variable
6636 + * @v: pointer to type atomic64_unchecked_t
6638 + * Atomically increments @v by 1.
6640 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6642 asm volatile(LOCK_PREFIX "incq %0"
6644 : "m" (v->counter));
6645 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
6647 static inline void atomic64_dec(atomic64_t *v)
6649 - asm volatile(LOCK_PREFIX "decq %0"
6650 + asm volatile(LOCK_PREFIX "decq %0\n"
6652 +#ifdef CONFIG_PAX_REFCOUNT
6654 + LOCK_PREFIX "incq %0\n"
6656 + _ASM_EXTABLE(0b, 0b)
6659 + : "=m" (v->counter)
6660 + : "m" (v->counter));
6664 + * atomic64_dec_unchecked - decrement atomic64 variable
6665 + * @v: pointer to type atomic64_t
6667 + * Atomically decrements @v by 1.
6669 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6671 + asm volatile(LOCK_PREFIX "decq %0\n"
6673 : "m" (v->counter));
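Review bot: The kernel-doc added for atomic64_dec_unchecked says `@v: pointer to type atomic64_t`, but the function takes `atomic64_unchecked_t *`; it should read `@v: pointer to type atomic64_unchecked_t`. The same copy-paste slip is in the atomic.h hunks for atomic_sub_unchecked and atomic_dec_unchecked, which both say `pointer of type atomic_t`. The two types differ precisely in whether overflow is trapped, so the doc needs to name the right one for a reader choosing between the variants.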
6675 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
6679 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6680 + asm volatile(LOCK_PREFIX "decq %0\n"
6682 +#ifdef CONFIG_PAX_REFCOUNT
6684 + LOCK_PREFIX "incq %0\n"
6686 + _ASM_EXTABLE(0b, 0b)
6690 : "=m" (v->counter), "=qm" (c)
6691 : "m" (v->counter) : "memory");
6693 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
6697 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6698 + asm volatile(LOCK_PREFIX "incq %0\n"
6700 +#ifdef CONFIG_PAX_REFCOUNT
6702 + LOCK_PREFIX "decq %0\n"
6704 + _ASM_EXTABLE(0b, 0b)
6708 : "=m" (v->counter), "=qm" (c)
6709 : "m" (v->counter) : "memory");
6711 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
6715 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6716 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6718 +#ifdef CONFIG_PAX_REFCOUNT
6720 + LOCK_PREFIX "subq %2,%0\n"
6722 + _ASM_EXTABLE(0b, 0b)
6726 : "=m" (v->counter), "=qm" (c)
6727 : "er" (i), "m" (v->counter) : "memory");
6729 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
6730 static inline long atomic64_add_return(long i, atomic64_t *v)
6733 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6734 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6736 +#ifdef CONFIG_PAX_REFCOUNT
6740 + _ASM_EXTABLE(0b, 0b)
6743 + : "+r" (i), "+m" (v->counter)
6749 + * atomic64_add_return_unchecked - add and return
6750 + * @i: integer value to add
6751 + * @v: pointer to type atomic64_unchecked_t
6753 + * Atomically adds @i to @v and returns @i + @v
6755 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6758 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6759 : "+r" (i), "+m" (v->counter)
6762 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
6765 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6766 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6768 + return atomic64_add_return_unchecked(1, v);
6770 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6772 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6773 @@ -206,17 +380,30 @@ static inline long atomic64_xchg(atomic6
6775 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6779 c = atomic64_read(v);
6781 - if (unlikely(c == (u)))
6782 + if (unlikely(c == u))
6784 - old = atomic64_cmpxchg((v), c, c + (a));
6786 + asm volatile("add %2,%0\n"
6788 +#ifdef CONFIG_PAX_REFCOUNT
6792 + _ASM_EXTABLE(0b, 0b)
6796 + : "0" (c), "ir" (a));
6798 + old = atomic64_cmpxchg(v, c, new);
6799 if (likely(old == c))
6807 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
6808 diff -urNp linux-2.6.36.2/arch/x86/include/asm/atomic.h linux-2.6.36.2/arch/x86/include/asm/atomic.h
6809 --- linux-2.6.36.2/arch/x86/include/asm/atomic.h 2010-10-20 16:30:22.000000000 -0400
6810 +++ linux-2.6.36.2/arch/x86/include/asm/atomic.h 2010-12-09 20:24:53.000000000 -0500
6813 static inline int atomic_read(const atomic_t *v)
6815 - return (*(volatile int *)&(v)->counter);
6816 + return (*(volatile const int *)&(v)->counter);
6820 + * atomic_read_unchecked - read atomic variable
6821 + * @v: pointer of type atomic_unchecked_t
6823 + * Atomically reads the value of @v.
6825 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6827 + return (*(volatile const int *)&(v)->counter);
6831 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6835 + * atomic_set_unchecked - set atomic variable
6836 + * @v: pointer of type atomic_unchecked_t
6837 + * @i: required value
6839 + * Atomically sets the value of @v to @i.
6841 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6847 * atomic_add - add integer to atomic variable
6848 * @i: integer value to add
6849 * @v: pointer of type atomic_t
6850 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6852 static inline void atomic_add(int i, atomic_t *v)
6854 - asm volatile(LOCK_PREFIX "addl %1,%0"
6855 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6857 +#ifdef CONFIG_PAX_REFCOUNT
6859 + LOCK_PREFIX "subl %1,%0\n"
6860 + _ASM_INTO "\n0:\n"
6861 + _ASM_EXTABLE(0b, 0b)
6864 + : "+m" (v->counter)
6869 + * atomic_add_unchecked - add integer to atomic variable
6870 + * @i: integer value to add
6871 + * @v: pointer of type atomic_unchecked_t
6873 + * Atomically adds @i to @v.
6875 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6877 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6881 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6883 static inline void atomic_sub(int i, atomic_t *v)
6885 - asm volatile(LOCK_PREFIX "subl %1,%0"
6886 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6888 +#ifdef CONFIG_PAX_REFCOUNT
6890 + LOCK_PREFIX "addl %1,%0\n"
6891 + _ASM_INTO "\n0:\n"
6892 + _ASM_EXTABLE(0b, 0b)
6895 + : "+m" (v->counter)
6900 + * atomic_sub_unchecked - subtract integer from atomic variable
6901 + * @i: integer value to subtract
6902 + * @v: pointer of type atomic_t
6904 + * Atomically subtracts @i from @v.
6906 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6908 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6912 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6916 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6917 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
6919 +#ifdef CONFIG_PAX_REFCOUNT
6921 + LOCK_PREFIX "addl %2,%0\n"
6922 + _ASM_INTO "\n0:\n"
6923 + _ASM_EXTABLE(0b, 0b)
6927 : "+m" (v->counter), "=qm" (c)
6928 : "ir" (i) : "memory");
6930 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6932 static inline void atomic_inc(atomic_t *v)
6934 - asm volatile(LOCK_PREFIX "incl %0"
6935 + asm volatile(LOCK_PREFIX "incl %0\n"
6937 +#ifdef CONFIG_PAX_REFCOUNT
6939 + LOCK_PREFIX "decl %0\n"
6940 + _ASM_INTO "\n0:\n"
6941 + _ASM_EXTABLE(0b, 0b)
6944 + : "+m" (v->counter));
6948 + * atomic_inc_unchecked - increment atomic variable
6949 + * @v: pointer of type atomic_unchecked_t
6951 + * Atomically increments @v by 1.
6953 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6955 + asm volatile(LOCK_PREFIX "incl %0\n"
6956 : "+m" (v->counter));
6959 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6961 static inline void atomic_dec(atomic_t *v)
6963 - asm volatile(LOCK_PREFIX "decl %0"
6964 + asm volatile(LOCK_PREFIX "decl %0\n"
6966 +#ifdef CONFIG_PAX_REFCOUNT
6968 + LOCK_PREFIX "incl %0\n"
6969 + _ASM_INTO "\n0:\n"
6970 + _ASM_EXTABLE(0b, 0b)
6973 + : "+m" (v->counter));
6977 + * atomic_dec_unchecked - decrement atomic variable
6978 + * @v: pointer of type atomic_t
6980 + * Atomically decrements @v by 1.
6982 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6984 + asm volatile(LOCK_PREFIX "decl %0\n"
6985 : "+m" (v->counter));
6988 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6992 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
6993 + asm volatile(LOCK_PREFIX "decl %0\n"
6995 +#ifdef CONFIG_PAX_REFCOUNT
6997 + LOCK_PREFIX "incl %0\n"
6998 + _ASM_INTO "\n0:\n"
6999 + _ASM_EXTABLE(0b, 0b)
7003 : "+m" (v->counter), "=qm" (c)
7006 @@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
7010 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7011 + asm volatile(LOCK_PREFIX "incl %0\n"
7013 +#ifdef CONFIG_PAX_REFCOUNT
7015 + LOCK_PREFIX "decl %0\n"
7016 + _ASM_INTO "\n0:\n"
7017 + _ASM_EXTABLE(0b, 0b)
7021 : "+m" (v->counter), "=qm" (c)
7024 @@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
7028 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7029 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7031 +#ifdef CONFIG_PAX_REFCOUNT
7033 + LOCK_PREFIX "subl %2,%0\n"
7034 + _ASM_INTO "\n0:\n"
7035 + _ASM_EXTABLE(0b, 0b)
7039 : "+m" (v->counter), "=qm" (c)
7040 : "ir" (i) : "memory");
7042 @@ -180,6 +323,46 @@ static inline int atomic_add_return(int
7044 /* Modern 486+ processor */
7046 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7048 +#ifdef CONFIG_PAX_REFCOUNT
7051 + _ASM_INTO "\n0:\n"
7052 + _ASM_EXTABLE(0b, 0b)
7055 + : "+r" (i), "+m" (v->counter)
7060 +no_xadd: /* Legacy 386 processor */
7061 + local_irq_save(flags);
7062 + __i = atomic_read(v);
7063 + atomic_set(v, i + __i);
7064 + local_irq_restore(flags);
7070 + * atomic_add_return_unchecked - add integer and return
7071 + * @v: pointer of type atomic_unchecked_t
7072 + * @i: integer value to add
7074 + * Atomically adds @i to @v and returns @i + @v
7076 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7080 + unsigned long flags;
7081 + if (unlikely(boot_cpu_data.x86 <= 3))
7084 + /* Modern 486+ processor */
7086 asm volatile(LOCK_PREFIX "xaddl %0, %1"
7087 : "+r" (i), "+m" (v->counter)
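Review bot: The legacy 386 fallback re-added under `no_xadd:` in atomic_add_return stores `atomic_set(v, i + __i)` with no overflow handling, so with CONFIG_PAX_REFCOUNT the checked variant appears to be unprotected on that path while the xadd path carries the exception-table entry. If that is intentional, a comment should say so, e.g. `/* 386 fallback: no overflow detection on this path */`; otherwise the sum should be checked before the store. atomic_add_return starts outside this hunk and several hunk lines are not shown here, so this rests on the visible lines only.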
7089 @@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
7092 #define atomic_inc_return(v) (atomic_add_return(1, v))
7093 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7095 + return atomic_add_return_unchecked(1, v);
7097 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7099 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
7100 @@ -231,17 +418,30 @@ static inline int atomic_xchg(atomic_t *
7102 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7108 - if (unlikely(c == (u)))
7109 + if (unlikely(c == u))
7111 - old = atomic_cmpxchg((v), c, c + (a));
7113 + asm volatile("addl %2,%0\n"
7115 +#ifdef CONFIG_PAX_REFCOUNT
7118 + _ASM_INTO "\n0:\n"
7119 + _ASM_EXTABLE(0b, 0b)
7123 + : "0" (c), "ir" (a));
7125 + old = atomic_cmpxchg(v, c, new);
7126 if (likely(old == c))
7134 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7135 diff -urNp linux-2.6.36.2/arch/x86/include/asm/bitops.h linux-2.6.36.2/arch/x86/include/asm/bitops.h
7136 --- linux-2.6.36.2/arch/x86/include/asm/bitops.h 2010-10-20 16:30:22.000000000 -0400
7137 +++ linux-2.6.36.2/arch/x86/include/asm/bitops.h 2010-12-09 20:24:53.000000000 -0500
7139 * a mask operation on a byte.
7141 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
7142 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
7143 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
7144 #define CONST_MASK(nr) (1 << ((nr) & 7))
7147 diff -urNp linux-2.6.36.2/arch/x86/include/asm/boot.h linux-2.6.36.2/arch/x86/include/asm/boot.h
7148 --- linux-2.6.36.2/arch/x86/include/asm/boot.h 2010-10-20 16:30:22.000000000 -0400
7149 +++ linux-2.6.36.2/arch/x86/include/asm/boot.h 2010-12-09 20:24:53.000000000 -0500
7151 #include <asm/pgtable_types.h>
7153 /* Physical address where kernel should be loaded. */
7154 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7155 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7156 + (CONFIG_PHYSICAL_ALIGN - 1)) \
7157 & ~(CONFIG_PHYSICAL_ALIGN - 1))
7159 +#ifndef __ASSEMBLY__
7160 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
7161 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
7164 /* Minimum kernel alignment, as a power of two */
7165 #ifdef CONFIG_X86_64
7166 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
7167 diff -urNp linux-2.6.36.2/arch/x86/include/asm/cacheflush.h linux-2.6.36.2/arch/x86/include/asm/cacheflush.h
7168 --- linux-2.6.36.2/arch/x86/include/asm/cacheflush.h 2010-10-20 16:30:22.000000000 -0400
7169 +++ linux-2.6.36.2/arch/x86/include/asm/cacheflush.h 2010-12-09 20:24:53.000000000 -0500
7170 @@ -66,7 +66,7 @@ static inline unsigned long get_page_mem
7171 unsigned long pg_flags = pg->flags & _PGMT_MASK;
7173 if (pg_flags == _PGMT_DEFAULT)
7176 else if (pg_flags == _PGMT_WC)
7177 return _PAGE_CACHE_WC;
7178 else if (pg_flags == _PGMT_UC_MINUS)
7179 diff -urNp linux-2.6.36.2/arch/x86/include/asm/cache.h linux-2.6.36.2/arch/x86/include/asm/cache.h
7180 --- linux-2.6.36.2/arch/x86/include/asm/cache.h 2010-10-20 16:30:22.000000000 -0400
7181 +++ linux-2.6.36.2/arch/x86/include/asm/cache.h 2010-12-09 20:24:53.000000000 -0500
7183 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7185 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7186 +#define __read_only __attribute__((__section__(".data..read_only")))
7188 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
7189 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
7190 diff -urNp linux-2.6.36.2/arch/x86/include/asm/checksum_32.h linux-2.6.36.2/arch/x86/include/asm/checksum_32.h
7191 --- linux-2.6.36.2/arch/x86/include/asm/checksum_32.h 2010-10-20 16:30:22.000000000 -0400
7192 +++ linux-2.6.36.2/arch/x86/include/asm/checksum_32.h 2010-12-09 20:24:53.000000000 -0500
7193 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7194 int len, __wsum sum,
7195 int *src_err_ptr, int *dst_err_ptr);
7197 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7198 + int len, __wsum sum,
7199 + int *src_err_ptr, int *dst_err_ptr);
7201 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7202 + int len, __wsum sum,
7203 + int *src_err_ptr, int *dst_err_ptr);
7206 * Note: when you get a NULL pointer exception here this means someone
7207 * passed in an incorrect kernel address to one of these functions.
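Review bot: The two new prototypes csum_partial_copy_generic_to_user and csum_partial_copy_generic_from_user are undocumented and take the same argument list as csum_partial_copy_generic, so nothing at the declaration says which pointer is the userspace one. A short comment above them, e.g. `/* _from_user: src is a user pointer; _to_user: dst is a user pointer */`, would make the contract checkable at call sites; judging by the two callers changed later in this file, that is the intended split. Neither prototype carries a `__user` annotation, so sparse cannot enforce the distinction either.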
7208 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7212 - return csum_partial_copy_generic((__force void *)src, dst,
7213 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
7214 len, sum, err_ptr, NULL);
7217 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7220 if (access_ok(VERIFY_WRITE, dst, len))
7221 - return csum_partial_copy_generic(src, (__force void *)dst,
7222 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7223 len, sum, NULL, err_ptr);
7226 diff -urNp linux-2.6.36.2/arch/x86/include/asm/cpufeature.h linux-2.6.36.2/arch/x86/include/asm/cpufeature.h
7227 --- linux-2.6.36.2/arch/x86/include/asm/cpufeature.h 2010-11-26 18:26:23.000000000 -0500
7228 +++ linux-2.6.36.2/arch/x86/include/asm/cpufeature.h 2010-12-09 20:24:53.000000000 -0500
7229 @@ -338,7 +338,7 @@ static __always_inline __pure bool __sta
7230 ".section .discard,\"aw\",@progbits\n"
7231 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
7233 - ".section .altinstr_replacement,\"ax\"\n"
7234 + ".section .altinstr_replacement,\"a\"\n"
7238 diff -urNp linux-2.6.36.2/arch/x86/include/asm/desc.h linux-2.6.36.2/arch/x86/include/asm/desc.h
7239 --- linux-2.6.36.2/arch/x86/include/asm/desc.h 2010-10-20 16:30:22.000000000 -0400
7240 +++ linux-2.6.36.2/arch/x86/include/asm/desc.h 2010-12-09 20:24:53.000000000 -0500
7242 #include <asm/desc_defs.h>
7243 #include <asm/ldt.h>
7244 #include <asm/mmu.h>
7245 +#include <asm/pgtable.h>
7246 #include <linux/smp.h>
7248 static inline void fill_ldt(struct desc_struct *desc,
7249 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
7250 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
7251 desc->type = (info->read_exec_only ^ 1) << 1;
7252 desc->type |= info->contents << 2;
7253 + desc->type |= info->seg_not_present ^ 1;
7256 desc->p = info->seg_not_present ^ 1;
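Review bot: The added `desc->type |= info->seg_not_present ^ 1;` has no comment, and it is not obvious why the type field is touched when `desc->p` already records presence. Bit 0 of the type field of a code or data descriptor is the Accessed bit, so the line pre-sets it for present segments; presumably this is so the CPU never has to write that bit back into a descriptor table that is mapped read-only. I would add `/* pre-set Accessed so the CPU does not write to the descriptor table */` above the line. fill_ldt starts and ends outside this hunk.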
7257 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
7260 extern struct desc_ptr idt_descr;
7261 -extern gate_desc idt_table[];
7264 - struct desc_struct gdt[GDT_ENTRIES];
7265 -} __attribute__((aligned(PAGE_SIZE)));
7266 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7267 +extern gate_desc idt_table[256];
7269 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7270 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7272 - return per_cpu(gdt_page, cpu).gdt;
7273 + return cpu_gdt_table[cpu];
7276 #ifdef CONFIG_X86_64
7277 @@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
7278 static inline void native_write_idt_entry(gate_desc *idt, int entry,
7279 const gate_desc *gate)
7281 + pax_open_kernel();
7282 memcpy(&idt[entry], gate, sizeof(*gate));
7283 + pax_close_kernel();
7286 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
7289 + pax_open_kernel();
7290 memcpy(&ldt[entry], desc, 8);
7291 + pax_close_kernel();
7294 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
7295 const void *desc, int type)
7301 size = sizeof(tss_desc);
7302 @@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
7303 size = sizeof(struct desc_struct);
7307 + pax_open_kernel();
7308 memcpy(&gdt[entry], desc, size);
7309 + pax_close_kernel();
7312 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7313 @@ -211,7 +217,9 @@ static inline void native_set_ldt(const
7315 static inline void native_load_tr_desc(void)
7317 + pax_open_kernel();
7318 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7319 + pax_close_kernel();
7322 static inline void native_load_gdt(const struct desc_ptr *dtr)
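Review bot: The pax_open_kernel()/pax_close_kernel() pair around `ltr` in native_load_tr_desc needs a comment, because unlike the memcpy() writers in the earlier hunks nothing here looks like a store. `ltr` marks the referenced TSS descriptor busy, which is a write into the GDT, and that is presumably why the write window is opened. Suggested: `/* ltr sets the busy bit in the GDT's TSS descriptor */`. Keeping the window to this single instruction, as the hunk does, is the right size.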
7323 @@ -246,8 +254,10 @@ static inline void native_load_tls(struc
7325 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7327 + pax_open_kernel();
7328 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7329 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7330 + pax_close_kernel();
7333 #define _LDT_empty(info) \
7334 @@ -309,7 +319,7 @@ static inline void set_desc_limit(struct
7335 desc->limit = (limit >> 16) & 0xf;
7338 -static inline void _set_gate(int gate, unsigned type, void *addr,
7339 +static inline void _set_gate(int gate, unsigned type, const void *addr,
7340 unsigned dpl, unsigned ist, unsigned seg)
7343 @@ -327,7 +337,7 @@ static inline void _set_gate(int gate, u
7344 * Pentium F0 0F bugfix can have resulted in the mapped
7345 * IDT being write-protected.
7347 -static inline void set_intr_gate(unsigned int n, void *addr)
7348 +static inline void set_intr_gate(unsigned int n, const void *addr)
7350 BUG_ON((unsigned)n > 0xFF);
7351 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7352 @@ -356,19 +366,19 @@ static inline void alloc_intr_gate(unsig
7354 * This routine sets up an interrupt gate at directory privilege level 3.
7356 -static inline void set_system_intr_gate(unsigned int n, void *addr)
7357 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
7359 BUG_ON((unsigned)n > 0xFF);
7360 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7363 -static inline void set_system_trap_gate(unsigned int n, void *addr)
7364 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7366 BUG_ON((unsigned)n > 0xFF);
7367 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7370 -static inline void set_trap_gate(unsigned int n, void *addr)
7371 +static inline void set_trap_gate(unsigned int n, const void *addr)
7373 BUG_ON((unsigned)n > 0xFF);
7374 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7375 @@ -377,19 +387,31 @@ static inline void set_trap_gate(unsigne
7376 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7378 BUG_ON((unsigned)n > 0xFF);
7379 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7380 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7383 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7384 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7386 BUG_ON((unsigned)n > 0xFF);
7387 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7390 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7391 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7393 BUG_ON((unsigned)n > 0xFF);
7394 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7397 +#ifdef CONFIG_X86_32
7398 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7400 + struct desc_struct d;
7402 + if (likely(limit))
7403 + limit = (limit - 1UL) >> PAGE_SHIFT;
7404 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
7405 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7409 #endif /* _ASM_X86_DESC_H */
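Review bot: set_user_cs passes the bare constants `0xFB` and `0xC` to pack_descriptor with no comment, and the `limit == 0` case is left undocumented. 0xFB decodes as a present, DPL 3, readable, accessed code segment and 0xC as 4 KiB granularity with a 32-bit default size, so a comment such as `/* present, DPL3, code r/x, accessed; G=1, D=1 */` would save the reader a trip to the manual. With page granularity a limit field of 0 still spans one page, so the comment should also state what a zero `limit` argument is meant to produce. The opening and closing lines of the function are not shown in this view.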
7410 diff -urNp linux-2.6.36.2/arch/x86/include/asm/device.h linux-2.6.36.2/arch/x86/include/asm/device.h
7411 --- linux-2.6.36.2/arch/x86/include/asm/device.h 2010-10-20 16:30:22.000000000 -0400
7412 +++ linux-2.6.36.2/arch/x86/include/asm/device.h 2010-12-09 20:24:53.000000000 -0500
7413 @@ -6,7 +6,7 @@ struct dev_archdata {
7416 #ifdef CONFIG_X86_64
7417 -struct dma_map_ops *dma_ops;
7418 + const struct dma_map_ops *dma_ops;
7420 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7421 void *iommu; /* hook for IOMMU specific extension */
7422 diff -urNp linux-2.6.36.2/arch/x86/include/asm/dma-mapping.h linux-2.6.36.2/arch/x86/include/asm/dma-mapping.h
7423 --- linux-2.6.36.2/arch/x86/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
7424 +++ linux-2.6.36.2/arch/x86/include/asm/dma-mapping.h 2010-12-09 20:24:53.000000000 -0500
7425 @@ -26,9 +26,9 @@ extern int iommu_merge;
7426 extern struct device x86_dma_fallback_dev;
7427 extern int panic_on_overflow;
7429 -extern struct dma_map_ops *dma_ops;
7430 +extern const struct dma_map_ops *dma_ops;
7432 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7433 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7435 #ifdef CONFIG_X86_32
7437 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7438 /* Make sure we keep the same behaviour */
7439 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7441 - struct dma_map_ops *ops = get_dma_ops(dev);
7442 + const struct dma_map_ops *ops = get_dma_ops(dev);
7443 if (ops->mapping_error)
7444 return ops->mapping_error(dev, dma_addr);
7446 @@ -115,7 +115,7 @@ static inline void *
7447 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7450 - struct dma_map_ops *ops = get_dma_ops(dev);
7451 + const struct dma_map_ops *ops = get_dma_ops(dev);
7454 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7455 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
7456 static inline void dma_free_coherent(struct device *dev, size_t size,
7457 void *vaddr, dma_addr_t bus)
7459 - struct dma_map_ops *ops = get_dma_ops(dev);
7460 + const struct dma_map_ops *ops = get_dma_ops(dev);
7462 WARN_ON(irqs_disabled()); /* for portability */
7464 diff -urNp linux-2.6.36.2/arch/x86/include/asm/e820.h linux-2.6.36.2/arch/x86/include/asm/e820.h
7465 --- linux-2.6.36.2/arch/x86/include/asm/e820.h 2010-10-20 16:30:22.000000000 -0400
7466 +++ linux-2.6.36.2/arch/x86/include/asm/e820.h 2010-12-09 20:24:53.000000000 -0500
7467 @@ -69,7 +69,7 @@ struct e820map {
7468 #define ISA_START_ADDRESS 0xa0000
7469 #define ISA_END_ADDRESS 0x100000
7471 -#define BIOS_BEGIN 0x000a0000
7472 +#define BIOS_BEGIN 0x000c0000
7473 #define BIOS_END 0x00100000
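Review bot: BIOS_BEGIN moves from 0x000a0000 to 0x000c0000 with no comment, while ISA_START_ADDRESS two lines above stays at 0xa0000, so the two ranges no longer start together. The users of BIOS_BEGIN are outside this hunk; whatever they do with the BIOS range will now skip 0xa0000-0xbffff, which is presumably the point. A one-line comment such as `/* starts after the legacy VGA window at 0xa0000-0xbffff */` would record the intent.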
7476 diff -urNp linux-2.6.36.2/arch/x86/include/asm/elf.h linux-2.6.36.2/arch/x86/include/asm/elf.h
7477 --- linux-2.6.36.2/arch/x86/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
7478 +++ linux-2.6.36.2/arch/x86/include/asm/elf.h 2010-12-09 20:24:53.000000000 -0500
7479 @@ -237,7 +237,25 @@ extern int force_personality32;
7480 the loader. We need to make sure that it is out of the way of the program
7481 that it will "exec", and that there is sufficient room for the brk. */
7483 +#ifdef CONFIG_PAX_SEGMEXEC
7484 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7486 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7489 +#ifdef CONFIG_PAX_ASLR
7490 +#ifdef CONFIG_X86_32
7491 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7493 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7494 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7496 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7498 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7499 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7503 /* This yields a mask that user programs can use to figure out what
7504 instruction set this CPU supports. This could be done in user space,
7505 @@ -291,8 +309,7 @@ do { \
7506 #define ARCH_DLINFO \
7509 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7510 - (unsigned long)current->mm->context.vdso); \
7511 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7514 #define AT_SYSINFO 32
7515 @@ -303,7 +320,7 @@ do { \
7517 #endif /* !CONFIG_X86_32 */
7519 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7520 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7522 #define VDSO_ENTRY \
7523 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7524 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7525 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7526 #define compat_arch_setup_additional_pages syscall32_setup_pages
7528 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7529 -#define arch_randomize_brk arch_randomize_brk
7531 #endif /* _ASM_X86_ELF_H */
7532 diff -urNp linux-2.6.36.2/arch/x86/include/asm/futex.h linux-2.6.36.2/arch/x86/include/asm/futex.h
7533 --- linux-2.6.36.2/arch/x86/include/asm/futex.h 2010-10-20 16:30:22.000000000 -0400
7534 +++ linux-2.6.36.2/arch/x86/include/asm/futex.h 2010-12-09 20:24:53.000000000 -0500
7536 #include <asm/processor.h>
7537 #include <asm/system.h>
7539 +#ifdef CONFIG_X86_32
7540 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7542 + "movw\t%w6, %%ds\n" \
7543 + "1:\t" insn "\n" \
7544 + "2:\tpushl\t%%ss\n" \
7545 + "\tpopl\t%%ds\n" \
7546 + "\t.section .fixup,\"ax\"\n" \
7547 + "3:\tmov\t%3, %1\n" \
7550 + _ASM_EXTABLE(1b, 3b) \
7551 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7552 + : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
7554 +#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7555 + asm volatile("movw\t%w7, %%es\n" \
7556 + "1:\tmovl\t%%es:%2, %0\n" \
7557 + "\tmovl\t%0, %3\n" \
7559 + "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
7561 + "3:\tpushl\t%%ss\n" \
7562 + "\tpopl\t%%es\n" \
7563 + "\t.section .fixup,\"ax\"\n" \
7564 + "4:\tmov\t%5, %1\n" \
7567 + _ASM_EXTABLE(1b, 4b) \
7568 + _ASM_EXTABLE(2b, 4b) \
7569 + : "=&a" (oldval), "=&r" (ret), \
7570 + "+m" (*uaddr), "=&r" (tem) \
7571 + : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
7573 +#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7574 + typecheck(u32 *, uaddr); \
7575 asm volatile("1:\t" insn "\n" \
7576 "2:\t.section .fixup,\"ax\"\n" \
7577 "3:\tmov\t%3, %1\n" \
7580 _ASM_EXTABLE(1b, 3b) \
7581 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7582 + : "=r" (oldval), "=r" (ret), \
7583 + "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))\
7584 : "i" (-EFAULT), "0" (oparg), "1" (0))
7586 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7587 + typecheck(u32 *, uaddr); \
7588 asm volatile("1:\tmovl %2, %0\n" \
7589 "\tmovl\t%0, %3\n" \
7592 _ASM_EXTABLE(1b, 4b) \
7593 _ASM_EXTABLE(2b, 4b) \
7594 : "=&a" (oldval), "=&r" (ret), \
7595 - "+m" (*uaddr), "=&r" (tem) \
7596 + "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4)),\
7598 : "r" (oparg), "i" (-EFAULT), "1" (0))
7601 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7602 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7604 int op = (encoded_op >> 28) & 7;
7605 int cmp = (encoded_op >> 24) & 15;
7606 @@ -61,11 +100,20 @@ static inline int futex_atomic_op_inuser
7610 +#ifdef CONFIG_X86_32
7611 + __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
7613 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7617 +#ifdef CONFIG_X86_32
7618 + __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
7621 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7626 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
7627 @@ -109,7 +157,7 @@ static inline int futex_atomic_op_inuser
7631 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7632 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7636 @@ -119,17 +167,31 @@ static inline int futex_atomic_cmpxchg_i
7640 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7641 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7644 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7645 - "2:\t.section .fixup, \"ax\"\n"
7647 +#ifdef CONFIG_X86_32
7648 + "\tmovw %w5, %%ds\n"
7649 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %%ds:%1\n"
7650 + "2:\tpushl %%ss\n"
7653 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7656 + "\t.section .fixup, \"ax\"\n"
7660 _ASM_EXTABLE(1b, 3b)
7661 +#ifdef CONFIG_X86_32
7662 : "=a" (oldval), "+m" (*uaddr)
7663 + : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
7665 + : "=a" (oldval), "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))
7666 : "i" (-EFAULT), "r" (newval), "0" (oldval)
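Review bot: The 64-bit operand `*(uaddr + PAX_USER_SHADOW_BASE / 4)` hard-codes the element size of `uaddr`, so it is correct only while the parameter stays `u32 __user *`. Writing it as `*(uaddr + PAX_USER_SHADOW_BASE / sizeof(*uaddr))` states the dependency; the `__futex_atomic_op1`/`__futex_atomic_op2` macros earlier in this file have the same expression and guard it with `typecheck(u32 *, uaddr)` instead. On the 32-bit path the sequence loads `__USER_DS` into %ds before the access, and the lines that restore it are not all visible here, so it is worth confirming that the fault fixup also passes through the restore. futex_atomic_cmpxchg_inatomic starts outside this hunk.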
7671 diff -urNp linux-2.6.36.2/arch/x86/include/asm/i387.h linux-2.6.36.2/arch/x86/include/asm/i387.h
7672 --- linux-2.6.36.2/arch/x86/include/asm/i387.h 2010-10-20 16:30:22.000000000 -0400
7673 +++ linux-2.6.36.2/arch/x86/include/asm/i387.h 2010-12-09 20:24:53.000000000 -0500
7674 @@ -90,6 +90,11 @@ static inline int fxrstor_checking(struc
7678 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7679 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7680 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7683 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
7685 ".section .fixup,\"ax\"\n"
7686 @@ -140,6 +145,11 @@ static inline int fxsave_user(struct i38
7690 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7691 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7692 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7696 * Clear the bytes not touched by the fxsave and reserved
7698 @@ -242,13 +252,8 @@ static inline int fxrstor_checking(struc
7701 /* We need a safe address that is cheap to find and that is already
7702 - in L1 during context switch. The best choices are unfortunately
7703 - different for UP and SMP */
7705 -#define safe_address (__per_cpu_offset[0])
7707 -#define safe_address (kstat_cpu(0).cpustat.user)
7709 + in L1 during context switch. */
7710 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7713 * These must be called with preempt disabled
7714 diff -urNp linux-2.6.36.2/arch/x86/include/asm/io.h linux-2.6.36.2/arch/x86/include/asm/io.h
7715 --- linux-2.6.36.2/arch/x86/include/asm/io.h 2010-11-26 18:26:23.000000000 -0500
7716 +++ linux-2.6.36.2/arch/x86/include/asm/io.h 2010-12-09 20:24:53.000000000 -0500
7717 @@ -214,6 +214,17 @@ extern void set_iounmap_nonlazy(void);
7719 #include <linux/vmalloc.h>
7721 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7722 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7724 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7727 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7729 + return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7733 * Convert a virtual cached pointer to an uncached pointer
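Review bot: The limit in both new range checks is computed as `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)` on a plain int, so the shift is undefined once the count reaches 31 and the comparison against an unsigned long frame number stops meaning what it says on CPUs that report wide physical addresses. The constant should be widened in valid_phys_addr_range and valid_mmap_phys_addr_range, `(1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT))`. Separately, `addr + count + PAGE_SIZE - 1` can wrap for a large count and then pass the check; since this guards physical-memory access, rejecting the wrap first (`if (addr + count < addr) return 0;`) is worth adding. The braces of both functions are not visible in this listing.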
7735 diff -urNp linux-2.6.36.2/arch/x86/include/asm/iommu.h linux-2.6.36.2/arch/x86/include/asm/iommu.h
7736 --- linux-2.6.36.2/arch/x86/include/asm/iommu.h 2010-10-20 16:30:22.000000000 -0400
7737 +++ linux-2.6.36.2/arch/x86/include/asm/iommu.h 2010-12-09 20:24:53.000000000 -0500
7739 #ifndef _ASM_X86_IOMMU_H
7740 #define _ASM_X86_IOMMU_H
7742 -extern struct dma_map_ops nommu_dma_ops;
7743 +extern const struct dma_map_ops nommu_dma_ops;
7744 extern int force_iommu, no_iommu;
7745 extern int iommu_detected;
7746 extern int iommu_pass_through;
7747 diff -urNp linux-2.6.36.2/arch/x86/include/asm/irqflags.h linux-2.6.36.2/arch/x86/include/asm/irqflags.h
7748 --- linux-2.6.36.2/arch/x86/include/asm/irqflags.h 2010-10-20 16:30:22.000000000 -0400
7749 +++ linux-2.6.36.2/arch/x86/include/asm/irqflags.h 2010-12-09 20:24:53.000000000 -0500
7750 @@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
7754 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
7755 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7756 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
7757 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7760 #define INTERRUPT_RETURN iret
7761 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
7762 diff -urNp linux-2.6.36.2/arch/x86/include/asm/kvm_host.h linux-2.6.36.2/arch/x86/include/asm/kvm_host.h
7763 --- linux-2.6.36.2/arch/x86/include/asm/kvm_host.h 2010-10-20 16:30:22.000000000 -0400
7764 +++ linux-2.6.36.2/arch/x86/include/asm/kvm_host.h 2010-12-09 20:24:53.000000000 -0500
7765 @@ -525,7 +525,7 @@ struct kvm_x86_ops {
7766 const struct trace_print_flags *exit_reasons_str;
7769 -extern struct kvm_x86_ops *kvm_x86_ops;
7770 +extern const struct kvm_x86_ops *kvm_x86_ops;
7772 int kvm_mmu_module_init(void);
7773 void kvm_mmu_module_exit(void);
7774 diff -urNp linux-2.6.36.2/arch/x86/include/asm/local.h linux-2.6.36.2/arch/x86/include/asm/local.h
7775 --- linux-2.6.36.2/arch/x86/include/asm/local.h 2010-10-20 16:30:22.000000000 -0400
7776 +++ linux-2.6.36.2/arch/x86/include/asm/local.h 2010-12-09 20:24:53.000000000 -0500
7777 @@ -18,26 +18,90 @@ typedef struct {
7779 static inline void local_inc(local_t *l)
7781 - asm volatile(_ASM_INC "%0"
7782 + asm volatile(_ASM_INC "%0\n"
7784 +#ifdef CONFIG_PAX_REFCOUNT
7785 +#ifdef CONFIG_X86_32
7791 + ".pushsection .fixup,\"ax\"\n"
7796 + _ASM_EXTABLE(0b, 1b)
7799 : "+m" (l->a.counter));
7802 static inline void local_dec(local_t *l)
7804 - asm volatile(_ASM_DEC "%0"
7805 + asm volatile(_ASM_DEC "%0\n"
7807 +#ifdef CONFIG_PAX_REFCOUNT
7808 +#ifdef CONFIG_X86_32
7814 + ".pushsection .fixup,\"ax\"\n"
7819 + _ASM_EXTABLE(0b, 1b)
7822 : "+m" (l->a.counter));
7825 static inline void local_add(long i, local_t *l)
7827 - asm volatile(_ASM_ADD "%1,%0"
7828 + asm volatile(_ASM_ADD "%1,%0\n"
7830 +#ifdef CONFIG_PAX_REFCOUNT
7831 +#ifdef CONFIG_X86_32
7837 + ".pushsection .fixup,\"ax\"\n"
7839 + _ASM_SUB "%1,%0\n"
7842 + _ASM_EXTABLE(0b, 1b)
7845 : "+m" (l->a.counter)
7849 static inline void local_sub(long i, local_t *l)
7851 - asm volatile(_ASM_SUB "%1,%0"
7852 + asm volatile(_ASM_SUB "%1,%0\n"
7854 +#ifdef CONFIG_PAX_REFCOUNT
7855 +#ifdef CONFIG_X86_32
7861 + ".pushsection .fixup,\"ax\"\n"
7863 + _ASM_ADD "%1,%0\n"
7866 + _ASM_EXTABLE(0b, 1b)
7869 : "+m" (l->a.counter)
7872 @@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
7876 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7877 + asm volatile(_ASM_SUB "%2,%0\n"
7879 +#ifdef CONFIG_PAX_REFCOUNT
7880 +#ifdef CONFIG_X86_32
7886 + ".pushsection .fixup,\"ax\"\n"
7888 + _ASM_ADD "%2,%0\n"
7891 + _ASM_EXTABLE(0b, 1b)
7895 : "+m" (l->a.counter), "=qm" (c)
7896 : "ir" (i) : "memory");
7898 @@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
7902 - asm volatile(_ASM_DEC "%0; sete %1"
7903 + asm volatile(_ASM_DEC "%0\n"
7905 +#ifdef CONFIG_PAX_REFCOUNT
7906 +#ifdef CONFIG_X86_32
7912 + ".pushsection .fixup,\"ax\"\n"
7917 + _ASM_EXTABLE(0b, 1b)
7921 : "+m" (l->a.counter), "=qm" (c)
7924 @@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
7928 - asm volatile(_ASM_INC "%0; sete %1"
7929 + asm volatile(_ASM_INC "%0\n"
7931 +#ifdef CONFIG_PAX_REFCOUNT
7932 +#ifdef CONFIG_X86_32
7938 + ".pushsection .fixup,\"ax\"\n"
7943 + _ASM_EXTABLE(0b, 1b)
7947 : "+m" (l->a.counter), "=qm" (c)
7950 @@ -110,7 +225,24 @@ static inline int local_add_negative(lon
7954 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7955 + asm volatile(_ASM_ADD "%2,%0\n"
7957 +#ifdef CONFIG_PAX_REFCOUNT
7958 +#ifdef CONFIG_X86_32
7964 + ".pushsection .fixup,\"ax\"\n"
7966 + _ASM_SUB "%2,%0\n"
7969 + _ASM_EXTABLE(0b, 1b)
7973 : "+m" (l->a.counter), "=qm" (c)
7974 : "ir" (i) : "memory");
7976 @@ -133,7 +265,23 @@ static inline long local_add_return(long
7978 /* Modern 486+ processor */
7980 - asm volatile(_ASM_XADD "%0, %1;"
7981 + asm volatile(_ASM_XADD "%0, %1\n"
7983 +#ifdef CONFIG_PAX_REFCOUNT
7984 +#ifdef CONFIG_X86_32
7990 + ".pushsection .fixup,\"ax\"\n"
7992 + _ASM_MOV "%0,%1\n"
7995 + _ASM_EXTABLE(0b, 1b)
7998 : "+r" (i), "+m" (l->a.counter)
8001 diff -urNp linux-2.6.36.2/arch/x86/include/asm/mc146818rtc.h linux-2.6.36.2/arch/x86/include/asm/mc146818rtc.h
8002 --- linux-2.6.36.2/arch/x86/include/asm/mc146818rtc.h 2010-10-20 16:30:22.000000000 -0400
8003 +++ linux-2.6.36.2/arch/x86/include/asm/mc146818rtc.h 2010-12-09 20:24:53.000000000 -0500
8004 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
8006 #define lock_cmos_prefix(reg) do {} while (0)
8007 #define lock_cmos_suffix(reg) do {} while (0)
8008 -#define lock_cmos(reg)
8009 -#define unlock_cmos()
8010 +#define lock_cmos(reg) do {} while (0)
8011 +#define unlock_cmos() do {} while (0)
8012 #define do_i_have_lock_cmos() 0
8013 #define current_lock_cmos_reg() 0
8015 diff -urNp linux-2.6.36.2/arch/x86/include/asm/microcode.h linux-2.6.36.2/arch/x86/include/asm/microcode.h
8016 --- linux-2.6.36.2/arch/x86/include/asm/microcode.h 2010-10-20 16:30:22.000000000 -0400
8017 +++ linux-2.6.36.2/arch/x86/include/asm/microcode.h 2010-12-09 20:24:53.000000000 -0500
8018 @@ -12,13 +12,13 @@ struct device;
8019 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
8021 struct microcode_ops {
8022 - enum ucode_state (*request_microcode_user) (int cpu,
8023 + enum ucode_state (* const request_microcode_user) (int cpu,
8024 const void __user *buf, size_t size);
8026 - enum ucode_state (*request_microcode_fw) (int cpu,
8027 + enum ucode_state (* const request_microcode_fw) (int cpu,
8028 struct device *device);
8030 - void (*microcode_fini_cpu) (int cpu);
8031 + void (* const microcode_fini_cpu) (int cpu);
8034 * The generic 'microcode_core' part guarantees that
8035 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
8036 extern struct ucode_cpu_info ucode_cpu_info[];
8038 #ifdef CONFIG_MICROCODE_INTEL
8039 -extern struct microcode_ops * __init init_intel_microcode(void);
8040 +extern const struct microcode_ops * __init init_intel_microcode(void);
8042 -static inline struct microcode_ops * __init init_intel_microcode(void)
8043 +static inline const struct microcode_ops * __init init_intel_microcode(void)
8047 #endif /* CONFIG_MICROCODE_INTEL */
8049 #ifdef CONFIG_MICROCODE_AMD
8050 -extern struct microcode_ops * __init init_amd_microcode(void);
8051 +extern const struct microcode_ops * __init init_amd_microcode(void);
8053 -static inline struct microcode_ops * __init init_amd_microcode(void)
8054 +static inline const struct microcode_ops * __init init_amd_microcode(void)
8058 diff -urNp linux-2.6.36.2/arch/x86/include/asm/mman.h linux-2.6.36.2/arch/x86/include/asm/mman.h
8059 --- linux-2.6.36.2/arch/x86/include/asm/mman.h 2010-10-20 16:30:22.000000000 -0400
8060 +++ linux-2.6.36.2/arch/x86/include/asm/mman.h 2010-12-09 20:24:53.000000000 -0500
8063 #include <asm-generic/mman.h>
8066 +#ifndef __ASSEMBLY__
8067 +#ifdef CONFIG_X86_32
8068 +#define arch_mmap_check i386_mmap_check
8069 +int i386_mmap_check(unsigned long addr, unsigned long len,
8070 + unsigned long flags);
8075 #endif /* _ASM_X86_MMAN_H */
8076 diff -urNp linux-2.6.36.2/arch/x86/include/asm/mmu_context.h linux-2.6.36.2/arch/x86/include/asm/mmu_context.h
8077 --- linux-2.6.36.2/arch/x86/include/asm/mmu_context.h 2010-10-20 16:30:22.000000000 -0400
8078 +++ linux-2.6.36.2/arch/x86/include/asm/mmu_context.h 2010-12-09 20:24:53.000000000 -0500
8079 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
8081 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
8084 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8088 + pax_open_kernel();
8089 + pgd = get_cpu_pgd(smp_processor_id());
8090 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
8091 + if (paravirt_enabled())
8092 + set_pgd(pgd+i, native_make_pgd(0));
8094 + pgd[i] = native_make_pgd(0);
8095 + pax_close_kernel();
8099 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
8100 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
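Review bot: The loop added to enter_lazy_tlb clears pgd slots USER_PGD_PTRS through 2 * USER_PGD_PTRS - 1 of the current CPU's pgd inside a pax_open_kernel()/pax_close_kernel() window, and nothing says what those slots hold or why they are dropped on the lazy path. A comment above the loop would help, for example `/* lazy TLB: clear the shadow userland pgd entries of this CPU */`, if that is what the second USER_PGD_PTRS range is. The `for` body is an unbraced if/else (the `else` line and the declarations of `pgd` and `i` are not visible in this listing), so braces around it would also make the nesting explicit.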
8101 @@ -34,27 +49,70 @@ static inline void switch_mm(struct mm_s
8102 struct task_struct *tsk)
8104 unsigned cpu = smp_processor_id();
8105 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
8106 + int tlbstate = TLBSTATE_OK;
8109 if (likely(prev != next)) {
8110 /* stop flush ipis for the previous mm */
8111 cpumask_clear_cpu(cpu, mm_cpumask(prev));
8113 +#ifdef CONFIG_X86_32
8114 + tlbstate = percpu_read(cpu_tlbstate.state);
8116 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8117 percpu_write(cpu_tlbstate.active_mm, next);
8119 cpumask_set_cpu(cpu, mm_cpumask(next));
8121 /* Re-load page tables */
8122 +#ifdef CONFIG_PAX_PER_CPU_PGD
8123 + pax_open_kernel();
8124 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8125 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8126 + pax_close_kernel();
8127 + load_cr3(get_cpu_pgd(cpu));
8129 load_cr3(next->pgd);
8133 * load the LDT, if the LDT is different:
8135 if (unlikely(prev->context.ldt != next->context.ldt))
8136 load_LDT_nolock(&next->context);
8139 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8140 + if (!(__supported_pte_mask & _PAGE_NX)) {
8141 + smp_mb__before_clear_bit();
8142 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
8143 + smp_mb__after_clear_bit();
8144 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8148 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8149 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
8150 + prev->context.user_cs_limit != next->context.user_cs_limit))
8151 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8153 + else if (unlikely(tlbstate != TLBSTATE_OK))
8154 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8161 +#ifdef CONFIG_PAX_PER_CPU_PGD
8162 + pax_open_kernel();
8163 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8164 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8165 + pax_close_kernel();
8166 + load_cr3(get_cpu_pgd(cpu));
8170 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8171 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
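Review bot: The five-line CONFIG_PAX_PER_CPU_PGD sequence (open kernel, __clone_user_pgds, __shadow_user_pgds, close kernel, load_cr3) is written out twice in switch_mm, once on the `prev != next` path and once on the path before the `BUG_ON`. The two copies have to stay identical for the per-CPU pgd to be consistent, so a single static inline helper called from both places is safer than duplicated text. The helper name below is only a suggestion. switch_mm starts before this hunk and continues in the next one.
```c
/* proposed helper: refresh this CPU's private pgd from next->pgd and load it */
static inline void pax_load_cpu_pgd(unsigned cpu, struct mm_struct *next)
{
	pgd_t *pgd = get_cpu_pgd(cpu);

	pax_open_kernel();
	__clone_user_pgds(pgd, next->pgd, USER_PGD_PTRS);
	__shadow_user_pgds(pgd + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
	pax_close_kernel();
	load_cr3(pgd);
}

/* … unchanged: cpumask and cpu_tlbstate updates … */
	pax_load_cpu_pgd(cpu, next);
```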
8173 @@ -63,11 +121,28 @@ static inline void switch_mm(struct mm_s
8174 * tlb flush IPI delivery. We must reload CR3
8175 * to make sure to use no freed page tables.
8178 +#ifndef CONFIG_PAX_PER_CPU_PGD
8179 load_cr3(next->pgd);
8182 load_LDT_nolock(&next->context);
8184 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
8185 + if (!(__supported_pte_mask & _PAGE_NX))
8186 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8189 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8190 +#ifdef CONFIG_PAX_PAGEEXEC
8191 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
8193 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8202 #define activate_mm(prev, next) \
8203 diff -urNp linux-2.6.36.2/arch/x86/include/asm/mmu.h linux-2.6.36.2/arch/x86/include/asm/mmu.h
8204 --- linux-2.6.36.2/arch/x86/include/asm/mmu.h 2010-10-20 16:30:22.000000000 -0400
8205 +++ linux-2.6.36.2/arch/x86/include/asm/mmu.h 2010-12-09 20:24:53.000000000 -0500
8207 * we put the segment information here.
8211 + struct desc_struct *ldt;
8215 + unsigned long vdso;
8217 +#ifdef CONFIG_X86_32
8218 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
8219 + unsigned long user_cs_base;
8220 + unsigned long user_cs_limit;
8222 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8223 + cpumask_t cpu_user_cs_mask;
8232 diff -urNp linux-2.6.36.2/arch/x86/include/asm/module.h linux-2.6.36.2/arch/x86/include/asm/module.h
8233 --- linux-2.6.36.2/arch/x86/include/asm/module.h 2010-10-20 16:30:22.000000000 -0400
8234 +++ linux-2.6.36.2/arch/x86/include/asm/module.h 2010-12-09 20:24:53.000000000 -0500
8236 #error unknown processor family
8239 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8240 +#define MODULE_PAX_UDEREF "UDEREF "
8242 +#define MODULE_PAX_UDEREF ""
8245 #ifdef CONFIG_X86_32
8246 # ifdef CONFIG_4KSTACKS
8247 # define MODULE_STACKSIZE "4KSTACKS "
8249 # define MODULE_STACKSIZE ""
8251 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
8252 +# ifdef CONFIG_PAX_KERNEXEC
8253 +# define MODULE_PAX_KERNEXEC "KERNEXEC "
8255 +# define MODULE_PAX_KERNEXEC ""
8257 +# ifdef CONFIG_GRKERNSEC
8258 +# define MODULE_GRSEC "GRSECURITY "
8260 +# define MODULE_GRSEC ""
8262 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
8264 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
8267 #endif /* _ASM_X86_MODULE_H */
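Review bot: On the non-X86_32 branch MODULE_ARCH_VERMAGIC is defined as MODULE_PAX_UDEREF alone, so the KERNEXEC and GRSECURITY tags never reach the vermagic string of a 64-bit build. A module compiled without those options would then still match a kernel compiled with them, which is the mismatch the tags exist to catch. Moving the MODULE_PAX_KERNEXEC and MODULE_GRSEC definitions out of the `CONFIG_X86_32` block and using `# define MODULE_ARCH_VERMAGIC MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF` on the other branch would close that. The `#else`/`#endif` lines are not visible in this listing, so the nesting is read from the `# ` indentation.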
8268 diff -urNp linux-2.6.36.2/arch/x86/include/asm/page_32_types.h linux-2.6.36.2/arch/x86/include/asm/page_32_types.h
8269 --- linux-2.6.36.2/arch/x86/include/asm/page_32_types.h 2010-10-20 16:30:22.000000000 -0400
8270 +++ linux-2.6.36.2/arch/x86/include/asm/page_32_types.h 2010-12-09 20:24:53.000000000 -0500
8273 #define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
8275 +#ifdef CONFIG_PAX_PAGEEXEC
8276 +#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
8279 #ifdef CONFIG_4KSTACKS
8280 #define THREAD_ORDER 0
8282 diff -urNp linux-2.6.36.2/arch/x86/include/asm/page_64_types.h linux-2.6.36.2/arch/x86/include/asm/page_64_types.h
8283 --- linux-2.6.36.2/arch/x86/include/asm/page_64_types.h 2010-10-20 16:30:22.000000000 -0400
8284 +++ linux-2.6.36.2/arch/x86/include/asm/page_64_types.h 2010-12-09 20:24:53.000000000 -0500
8285 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
8287 /* duplicated to the one in bootmem.h */
8288 extern unsigned long max_pfn;
8289 -extern unsigned long phys_base;
8290 +extern const unsigned long phys_base;
8292 extern unsigned long __phys_addr(unsigned long);
8293 #define __phys_reloc_hide(x) (x)
8294 diff -urNp linux-2.6.36.2/arch/x86/include/asm/paravirt.h linux-2.6.36.2/arch/x86/include/asm/paravirt.h
8295 --- linux-2.6.36.2/arch/x86/include/asm/paravirt.h 2010-10-20 16:30:22.000000000 -0400
8296 +++ linux-2.6.36.2/arch/x86/include/asm/paravirt.h 2010-12-09 20:24:53.000000000 -0500
8297 @@ -720,6 +720,21 @@ static inline void __set_fixmap(unsigned
8298 pv_mmu_ops.set_fixmap(idx, phys, flags);
8301 +#ifdef CONFIG_PAX_KERNEXEC
8302 +static inline unsigned long pax_open_kernel(void)
8304 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
8307 +static inline unsigned long pax_close_kernel(void)
8309 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
8312 +static inline unsigned long pax_open_kernel(void) { return 0; }
8313 +static inline unsigned long pax_close_kernel(void) { return 0; }
8316 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8318 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
8319 @@ -936,7 +951,7 @@ extern void default_banner(void);
8321 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
8322 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8323 -#define PARA_INDIRECT(addr) *%cs:addr
8324 +#define PARA_INDIRECT(addr) *%ss:addr
8327 #define INTERRUPT_RETURN \
8328 @@ -1013,6 +1028,21 @@ extern void default_banner(void);
8329 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
8331 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8333 +#define GET_CR0_INTO_RDI \
8334 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8337 +#define SET_RDI_INTO_CR0 \
8338 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8340 +#define GET_CR3_INTO_RDI \
8341 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8344 +#define SET_RDI_INTO_CR3 \
8345 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8347 #endif /* CONFIG_X86_32 */
8349 #endif /* __ASSEMBLY__ */
8350 diff -urNp linux-2.6.36.2/arch/x86/include/asm/paravirt_types.h linux-2.6.36.2/arch/x86/include/asm/paravirt_types.h
8351 --- linux-2.6.36.2/arch/x86/include/asm/paravirt_types.h 2010-10-20 16:30:22.000000000 -0400
8352 +++ linux-2.6.36.2/arch/x86/include/asm/paravirt_types.h 2010-12-09 20:24:53.000000000 -0500
8353 @@ -312,6 +312,12 @@ struct pv_mmu_ops {
8354 an mfn. We can tell which is which from the index. */
8355 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8356 phys_addr_t phys, pgprot_t flags);
8358 +#ifdef CONFIG_PAX_KERNEXEC
8359 + unsigned long (*pax_open_kernel)(void);
8360 + unsigned long (*pax_close_kernel)(void);
8365 struct arch_spinlock;
8366 diff -urNp linux-2.6.36.2/arch/x86/include/asm/pci_x86.h linux-2.6.36.2/arch/x86/include/asm/pci_x86.h
8367 --- linux-2.6.36.2/arch/x86/include/asm/pci_x86.h 2010-10-20 16:30:22.000000000 -0400
8368 +++ linux-2.6.36.2/arch/x86/include/asm/pci_x86.h 2010-12-09 20:24:53.000000000 -0500
8369 @@ -92,16 +92,16 @@ extern int (*pcibios_enable_irq)(struct
8370 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
8372 struct pci_raw_ops {
8373 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8374 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8375 int reg, int len, u32 *val);
8376 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8377 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8378 int reg, int len, u32 val);
8381 -extern struct pci_raw_ops *raw_pci_ops;
8382 -extern struct pci_raw_ops *raw_pci_ext_ops;
8383 +extern const struct pci_raw_ops *raw_pci_ops;
8384 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8386 -extern struct pci_raw_ops pci_direct_conf1;
8387 +extern const struct pci_raw_ops pci_direct_conf1;
8388 extern bool port_cf9_safe;
8390 /* arch_initcall level */
8391 diff -urNp linux-2.6.36.2/arch/x86/include/asm/pgalloc.h linux-2.6.36.2/arch/x86/include/asm/pgalloc.h
8392 --- linux-2.6.36.2/arch/x86/include/asm/pgalloc.h 2010-10-20 16:30:22.000000000 -0400
8393 +++ linux-2.6.36.2/arch/x86/include/asm/pgalloc.h 2010-12-09 20:24:53.000000000 -0500
8394 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8395 pmd_t *pmd, pte_t *pte)
8397 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8398 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8401 +static inline void pmd_populate_user(struct mm_struct *mm,
8402 + pmd_t *pmd, pte_t *pte)
8404 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8405 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8408 diff -urNp linux-2.6.36.2/arch/x86/include/asm/pgtable-2level.h linux-2.6.36.2/arch/x86/include/asm/pgtable-2level.h
8409 --- linux-2.6.36.2/arch/x86/include/asm/pgtable-2level.h 2010-10-20 16:30:22.000000000 -0400
8410 +++ linux-2.6.36.2/arch/x86/include/asm/pgtable-2level.h 2010-12-09 20:24:53.000000000 -0500
8411 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8413 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8415 + pax_open_kernel();
8417 + pax_close_kernel();
8420 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8421 diff -urNp linux-2.6.36.2/arch/x86/include/asm/pgtable_32.h linux-2.6.36.2/arch/x86/include/asm/pgtable_32.h
8422 --- linux-2.6.36.2/arch/x86/include/asm/pgtable_32.h 2010-10-20 16:30:22.000000000 -0400
8423 +++ linux-2.6.36.2/arch/x86/include/asm/pgtable_32.h 2010-12-09 20:24:53.000000000 -0500
8426 struct vm_area_struct;
8428 -extern pgd_t swapper_pg_dir[1024];
8429 -extern pgd_t trampoline_pg_dir[1024];
8431 static inline void pgtable_cache_init(void) { }
8432 static inline void check_pgt_cache(void) { }
8433 void paging_init(void);
8434 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8435 # include <asm/pgtable-2level.h>
8438 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8439 +extern pgd_t trampoline_pg_dir[PTRS_PER_PGD];
8440 +#ifdef CONFIG_X86_PAE
8441 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8444 #if defined(CONFIG_HIGHPTE)
8446 (in_nmi() ? KM_NMI_PTE : \
8447 @@ -72,7 +75,9 @@ extern void set_pmd_pfn(unsigned long, u
8448 /* Clear a kernel PTE and flush it from the TLB */
8449 #define kpte_clear_flush(ptep, vaddr) \
8451 + pax_open_kernel(); \
8452 pte_clear(&init_mm, (vaddr), (ptep)); \
8453 + pax_close_kernel(); \
8454 __flush_tlb_one((vaddr)); \
8457 @@ -84,6 +89,9 @@ do { \
8459 #endif /* !__ASSEMBLY__ */
8461 +#define HAVE_ARCH_UNMAPPED_AREA
8462 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8465 * kern_addr_valid() is (1) for FLATMEM and (0) for
8466 * SPARSEMEM and DISCONTIGMEM
8467 diff -urNp linux-2.6.36.2/arch/x86/include/asm/pgtable_32_types.h linux-2.6.36.2/arch/x86/include/asm/pgtable_32_types.h
8468 --- linux-2.6.36.2/arch/x86/include/asm/pgtable_32_types.h 2010-10-20 16:30:22.000000000 -0400
8469 +++ linux-2.6.36.2/arch/x86/include/asm/pgtable_32_types.h 2010-12-09 20:24:53.000000000 -0500
8472 #ifdef CONFIG_X86_PAE
8473 # include <asm/pgtable-3level_types.h>
8474 -# define PMD_SIZE (1UL << PMD_SHIFT)
8475 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8476 # define PMD_MASK (~(PMD_SIZE - 1))
8478 # include <asm/pgtable-2level_types.h>
8479 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8480 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8483 +#ifdef CONFIG_PAX_KERNEXEC
8484 +#ifndef __ASSEMBLY__
8485 +extern unsigned char MODULES_EXEC_VADDR[];
8486 +extern unsigned char MODULES_EXEC_END[];
8488 +#include <asm/boot.h>
8489 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8490 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8492 +#define ktla_ktva(addr) (addr)
8493 +#define ktva_ktla(addr) (addr)
8496 #define MODULES_VADDR VMALLOC_START
8497 #define MODULES_END VMALLOC_END
8498 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
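Review bot: The KERNEXEC variants of ktla_ktva and ktva_ktla use their argument unparenthesised, so an argument containing a lower-precedence operator (a conditional expression, a shift, a comparison) is combined with the offsets in the wrong order. They should read `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The identity versions further down already expand to `(addr)` and need no change.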
8499 diff -urNp linux-2.6.36.2/arch/x86/include/asm/pgtable-3level.h linux-2.6.36.2/arch/x86/include/asm/pgtable-3level.h
8500 --- linux-2.6.36.2/arch/x86/include/asm/pgtable-3level.h 2010-10-20 16:30:22.000000000 -0400
8501 +++ linux-2.6.36.2/arch/x86/include/asm/pgtable-3level.h 2010-12-09 20:24:53.000000000 -0500
8502 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8504 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8506 + pax_open_kernel();
8507 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8508 + pax_close_kernel();
8511 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8513 + pax_open_kernel();
8514 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8515 + pax_close_kernel();
8519 diff -urNp linux-2.6.36.2/arch/x86/include/asm/pgtable_64.h linux-2.6.36.2/arch/x86/include/asm/pgtable_64.h
8520 --- linux-2.6.36.2/arch/x86/include/asm/pgtable_64.h 2010-10-20 16:30:22.000000000 -0400
8521 +++ linux-2.6.36.2/arch/x86/include/asm/pgtable_64.h 2010-12-09 20:24:53.000000000 -0500
8524 extern pud_t level3_kernel_pgt[512];
8525 extern pud_t level3_ident_pgt[512];
8526 +extern pud_t level3_vmalloc_pgt[512];
8527 +extern pud_t level3_vmemmap_pgt[512];
8528 +extern pud_t level2_vmemmap_pgt[512];
8529 extern pmd_t level2_kernel_pgt[512];
8530 extern pmd_t level2_fixmap_pgt[512];
8531 -extern pmd_t level2_ident_pgt[512];
8532 -extern pgd_t init_level4_pgt[];
8533 +extern pmd_t level2_ident_pgt[512*2];
8534 +extern pgd_t init_level4_pgt[512];
8536 #define swapper_pg_dir init_level4_pgt
8538 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
8540 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8542 + pax_open_kernel();
8544 + pax_close_kernel();
8547 static inline void native_pmd_clear(pmd_t *pmd)
8548 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
8550 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8552 + pax_open_kernel();
8554 + pax_close_kernel();
8557 static inline void native_pgd_clear(pgd_t *pgd)
8558 diff -urNp linux-2.6.36.2/arch/x86/include/asm/pgtable_64_types.h linux-2.6.36.2/arch/x86/include/asm/pgtable_64_types.h
8559 --- linux-2.6.36.2/arch/x86/include/asm/pgtable_64_types.h 2010-10-20 16:30:22.000000000 -0400
8560 +++ linux-2.6.36.2/arch/x86/include/asm/pgtable_64_types.h 2010-12-09 20:24:53.000000000 -0500
8561 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8562 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8563 #define MODULES_END _AC(0xffffffffff000000, UL)
8564 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8565 +#define MODULES_EXEC_VADDR MODULES_VADDR
8566 +#define MODULES_EXEC_END MODULES_END
8568 +#define ktla_ktva(addr) (addr)
8569 +#define ktva_ktla(addr) (addr)
8571 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8572 diff -urNp linux-2.6.36.2/arch/x86/include/asm/pgtable.h linux-2.6.36.2/arch/x86/include/asm/pgtable.h
8573 --- linux-2.6.36.2/arch/x86/include/asm/pgtable.h 2010-10-20 16:30:22.000000000 -0400
8574 +++ linux-2.6.36.2/arch/x86/include/asm/pgtable.h 2010-12-09 20:24:53.000000000 -0500
8575 @@ -76,12 +76,51 @@ extern struct list_head pgd_list;
8577 #define arch_end_context_switch(prev) do {} while(0)
8579 +#define pax_open_kernel() native_pax_open_kernel()
8580 +#define pax_close_kernel() native_pax_close_kernel()
8581 #endif /* CONFIG_PARAVIRT */
8583 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8584 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8586 +#ifdef CONFIG_PAX_KERNEXEC
8587 +static inline unsigned long native_pax_open_kernel(void)
8589 + unsigned long cr0;
8591 + preempt_disable();
8593 + cr0 = read_cr0() ^ X86_CR0_WP;
8594 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8596 + return cr0 ^ X86_CR0_WP;
8599 +static inline unsigned long native_pax_close_kernel(void)
8601 + unsigned long cr0;
8603 + cr0 = read_cr0() ^ X86_CR0_WP;
8604 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8607 + preempt_enable_no_resched();
8608 + return cr0 ^ X86_CR0_WP;
8611 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8612 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8616 * The following only work if pte_present() is true.
8617 * Undefined behaviour if not..
8619 +static inline int pte_user(pte_t pte)
8621 + return pte_val(pte) & _PAGE_USER;
8624 static inline int pte_dirty(pte_t pte)
8626 return pte_flags(pte) & _PAGE_DIRTY;
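Review bot: native_pax_open_kernel() and native_pax_close_kernel() have no comment stating their contract, although the two BUG_ON lines make it strict: open traps if CR0.WP is already clear and close traps if it is already set, so the pair cannot be nested or called out of order. Preemption is disabled in open and re-enabled in close, which means nothing between the two calls may sleep. A header comment such as `/* Opens a window in which CR0.WP is clear; must be closed by pax_close_kernel() on the same CPU, never nested, no sleeping in between */` would put that in front of every caller. Some lines of both bodies, including the CR0 write itself, are missing from this listing, so whether interrupts can run inside the window cannot be told from here and should be stated in the comment as well.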
8627 @@ -169,9 +208,29 @@ static inline pte_t pte_wrprotect(pte_t
8628 return pte_clear_flags(pte, _PAGE_RW);
8631 +static inline pte_t pte_mkread(pte_t pte)
8633 + return __pte(pte_val(pte) | _PAGE_USER);
8636 static inline pte_t pte_mkexec(pte_t pte)
8638 - return pte_clear_flags(pte, _PAGE_NX);
8639 +#ifdef CONFIG_X86_PAE
8640 + if (__supported_pte_mask & _PAGE_NX)
8641 + return pte_clear_flags(pte, _PAGE_NX);
8644 + return pte_set_flags(pte, _PAGE_USER);
8647 +static inline pte_t pte_exprotect(pte_t pte)
8649 +#ifdef CONFIG_X86_PAE
8650 + if (__supported_pte_mask & _PAGE_NX)
8651 + return pte_set_flags(pte, _PAGE_NX);
8654 + return pte_clear_flags(pte, _PAGE_USER);
8657 static inline pte_t pte_mkdirty(pte_t pte)
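Review bot: When the NX path is not taken, pte_mkexec sets _PAGE_USER and pte_exprotect clears it, so these helpers change who may access the page, not only whether it is executable, and nothing in the hunk says so. A comment on the fall-through return would make that visible, for example `/* no usable NX bit: _PAGE_USER stands in for "executable" */`, if that is the intended emulation. The new pte_mkread builds its result with `__pte(pte_val(pte) | _PAGE_USER)` while its neighbours use `pte_set_flags(pte, _PAGE_USER)`; using the same helper there would keep the three consistent. The `#endif` lines of both functions are not visible in this listing.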
8658 @@ -304,6 +363,15 @@ pte_t *populate_extra_pte(unsigned long
8661 #ifndef __ASSEMBLY__
8663 +#ifdef CONFIG_PAX_PER_CPU_PGD
8664 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8665 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8667 + return cpu_pgd[cpu];
8671 #include <linux/mm_types.h>
8673 static inline int pte_none(pte_t pte)
8674 @@ -474,7 +542,7 @@ static inline pud_t *pud_offset(pgd_t *p
8676 static inline int pgd_bad(pgd_t pgd)
8678 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8679 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8682 static inline int pgd_none(pgd_t pgd)
8683 @@ -497,7 +565,12 @@ static inline int pgd_none(pgd_t pgd)
8684 * pgd_offset() returns a (pgd_t *)
8685 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8687 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8688 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8690 +#ifdef CONFIG_PAX_PER_CPU_PGD
8691 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8695 * a shortcut which implies the use of the kernel's pgd, instead
8697 @@ -508,6 +581,20 @@ static inline int pgd_none(pgd_t pgd)
8698 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8699 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8701 +#ifdef CONFIG_X86_32
8702 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8704 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8705 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8707 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8708 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8710 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8715 #ifndef __ASSEMBLY__
8717 extern int direct_gbpages;
8718 @@ -613,11 +700,23 @@ static inline void ptep_set_wrprotect(st
8719 * dst and src can be on the same page, but the range must not overlap,
8720 * and must not cross a page boundary.
8722 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8723 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8725 - memcpy(dst, src, count * sizeof(pgd_t));
8726 + pax_open_kernel();
8729 + pax_close_kernel();
8732 +#ifdef CONFIG_PAX_PER_CPU_PGD
8733 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8736 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8737 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8739 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8742 #include <asm-generic/pgtable.h>
8743 #endif /* __ASSEMBLY__ */
8744 diff -urNp linux-2.6.36.2/arch/x86/include/asm/pgtable_types.h linux-2.6.36.2/arch/x86/include/asm/pgtable_types.h
8745 --- linux-2.6.36.2/arch/x86/include/asm/pgtable_types.h 2010-10-20 16:30:22.000000000 -0400
8746 +++ linux-2.6.36.2/arch/x86/include/asm/pgtable_types.h 2010-12-09 20:24:53.000000000 -0500
8748 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8749 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8750 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8751 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8752 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8753 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8754 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8755 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8756 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8757 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8758 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8759 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8761 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8763 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8764 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8765 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8766 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8767 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8768 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8769 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8772 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8773 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8775 +#elif defined(CONFIG_KMEMCHECK)
8776 #define _PAGE_NX (_AT(pteval_t, 0))
8778 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8781 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
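Review bot: The new non-PAE fallback `#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)` puts `_PAGE_NX` on bit 11 without saying what the bit means there; the only description of that bit in this header is `/* hidden by kmemcheck */`. The added lines need a comment stating that this is a software-defined marker rather than the hardware NX bit (bit 63 is used only in the `CONFIG_X86_64 || CONFIG_X86_PAE` branch), and that the `CONFIG_KMEMCHECK` branch keeps `_PAGE_NX` at 0 because kmemcheck already owns bit 11. Something like `/* non-PAE: software NX marker, shares bit 11 with kmemcheck's HIDDEN, hence the KMEMCHECK exclusion */` would do. Because `__PAGE_KERNEL` ORs `_PAGE_NX` in, it is also worth confirming that every consumer of these protections tolerates a non-zero software bit on CPUs without hardware NX.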
8783 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8786 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8787 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8789 #define __PAGE_KERNEL_EXEC \
8790 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8791 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8793 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8794 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8795 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8796 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8797 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8798 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8799 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8800 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8801 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8802 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8804 * bits are combined, this will alow user to access the high address mapped
8805 * VDSO in the presence of CONFIG_COMPAT_VDSO
8807 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8808 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8809 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8810 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8811 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
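Review bot: The comment kept above these defines still explains that the attribute bits are combined so that user space can reach the high-mapped VDSO under CONFIG_COMPAT_VDSO, but the new `PDE_IDENT_ATTR 0x063` drops USER, so the comment no longer describes the value. Reword it to say that the identity mappings are now kernel-only, and state what happens to CONFIG_COMPAT_VDSO; whether it is disabled elsewhere in the patch is not visible from this hunk. If the option can still be selected, the mapping that the old `0x067` existed for would lose its USER bit at the PDE level.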
8814 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8816 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8820 +#if PAGETABLE_LEVELS == 3
8821 +#include <asm-generic/pgtable-nopud.h>
8824 +#if PAGETABLE_LEVELS == 2
8825 +#include <asm-generic/pgtable-nopmd.h>
8828 +#ifndef __ASSEMBLY__
8829 #if PAGETABLE_LEVELS > 3
8830 typedef struct { pudval_t pud; } pud_t;
8832 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
8836 -#include <asm-generic/pgtable-nopud.h>
8838 static inline pudval_t native_pud_val(pud_t pud)
8840 return native_pgd_val(pud.pgd);
8841 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
8845 -#include <asm-generic/pgtable-nopmd.h>
8847 static inline pmdval_t native_pmd_val(pmd_t pmd)
8849 return native_pgd_val(pmd.pud.pgd);
8850 @@ -278,7 +287,6 @@ typedef struct page *pgtable_t;
8852 extern pteval_t __supported_pte_mask;
8853 extern void set_nx(void);
8854 -extern int nx_enabled;
8856 #define pgprot_writecombine pgprot_writecombine
8857 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8858 diff -urNp linux-2.6.36.2/arch/x86/include/asm/processor.h linux-2.6.36.2/arch/x86/include/asm/processor.h
8859 --- linux-2.6.36.2/arch/x86/include/asm/processor.h 2010-10-20 16:30:22.000000000 -0400
8860 +++ linux-2.6.36.2/arch/x86/include/asm/processor.h 2010-12-09 20:24:53.000000000 -0500
8861 @@ -269,7 +269,7 @@ struct tss_struct {
8863 } ____cacheline_aligned;
8865 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8866 +extern struct tss_struct init_tss[NR_CPUS];
8869 * Save the original ist values for checking stack pointers during debugging
8870 @@ -885,8 +885,15 @@ static inline void spin_lock_prefetch(co
8872 #define TASK_SIZE PAGE_OFFSET
8873 #define TASK_SIZE_MAX TASK_SIZE
8875 +#ifdef CONFIG_PAX_SEGMEXEC
8876 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8877 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8879 #define STACK_TOP TASK_SIZE
8880 -#define STACK_TOP_MAX STACK_TOP
8883 +#define STACK_TOP_MAX TASK_SIZE
8885 #define INIT_THREAD { \
8886 .sp0 = sizeof(init_stack) + (long)&init_stack, \
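Review bot: Under CONFIG_PAX_SEGMEXEC, `STACK_TOP` now expands to a test of `current->mm->pax_flags`, which dereferences `current->mm` without a check, whereas the other definition stays the constant `TASK_SIZE`. Any evaluation from a context with no user mm (a kernel thread, for instance) would be a NULL dereference; whether such a caller exists is not visible here, so the precondition should be written next to the macro, e.g. `/* only valid when current->mm != NULL */`. The expression would also read better with spaces around `?` and `:`.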
8887 @@ -903,7 +910,7 @@ static inline void spin_lock_prefetch(co
8889 #define INIT_TSS { \
8891 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
8892 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8893 .ss0 = __KERNEL_DS, \
8894 .ss1 = __KERNEL_CS, \
8895 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
8896 @@ -914,11 +921,7 @@ static inline void spin_lock_prefetch(co
8897 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8899 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8900 -#define KSTK_TOP(info) \
8902 - unsigned long *__ptr = (unsigned long *)(info); \
8903 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8905 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
8908 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
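Review bot: `KSTK_TOP(info)` now expands to `((info)->task.thread.sp0)`, which applies `.` to `task`. The structure behind `info` is not defined in this hunk, but if `task` is a pointer member, as in mainline's `struct thread_info`, this only compiles as `((info)->task->thread.sp0)`. Since `task_pt_regs` stops using `KSTK_TOP` in the next hunk, the macro may have no remaining expansion site and the error would go unnoticed; either fix the member access or remove the macro. The argument also changes meaning, from a stack page address to a structure pointer, which deserves a one-line comment.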
8909 @@ -933,7 +936,7 @@ extern unsigned long thread_saved_pc(str
8910 #define task_pt_regs(task) \
8912 struct pt_regs *__regs__; \
8913 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8914 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
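Review bot: The retained comment "The below -8 is to reserve 8 bytes on top of the ring0 stack" no longer matches the code, because the new `task_pt_regs` takes `(task)->thread.sp0` as is and subtracts nothing. The reservation therefore has to be baked into `sp0` wherever it is set. In the visible hunks only `INIT_TSS` gains `- 8`; the `.sp0` line of `INIT_THREAD`, shown as unchanged context in the `@@ -885,8 +885,15 @@` hunk, does not, so the two initial values differ by 8 and that should be confirmed as intended. Reword the comment to say that `thread.sp0` already includes the 8-byte reservation. The rest of the `task_pt_regs` body lies outside the lines shown.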
8918 @@ -943,13 +946,13 @@ extern unsigned long thread_saved_pc(str
8920 * User space process size. 47bits minus one guard page.
8922 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8923 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8925 /* This decides where the kernel will search for a free chunk of vm
8926 * space during mmap's.
8928 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8929 - 0xc0000000 : 0xFFFFe000)
8930 + 0xc0000000 : 0xFFFFf000)
8932 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8933 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
8934 @@ -986,6 +989,10 @@ extern void start_thread(struct pt_regs
8936 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8938 +#ifdef CONFIG_PAX_SEGMEXEC
8939 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8942 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8944 /* Get/set a process' ability to use the timestamp counter instruction */
8945 diff -urNp linux-2.6.36.2/arch/x86/include/asm/ptrace.h linux-2.6.36.2/arch/x86/include/asm/ptrace.h
8946 --- linux-2.6.36.2/arch/x86/include/asm/ptrace.h 2010-10-20 16:30:22.000000000 -0400
8947 +++ linux-2.6.36.2/arch/x86/include/asm/ptrace.h 2010-12-09 20:24:53.000000000 -0500
8948 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8952 - * user_mode_vm(regs) determines whether a register set came from user mode.
8953 + * user_mode(regs) determines whether a register set came from user mode.
8954 * This is true if V8086 mode was enabled OR if the register set was from
8955 * protected mode with RPL-3 CS value. This tricky test checks that with
8956 * one comparison. Many places in the kernel can bypass this full check
8957 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8958 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8961 -static inline int user_mode(struct pt_regs *regs)
8962 +static inline int user_mode_novm(struct pt_regs *regs)
8964 #ifdef CONFIG_X86_32
8965 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8967 - return !!(regs->cs & 3);
8968 + return !!(regs->cs & SEGMENT_RPL_MASK);
8972 -static inline int user_mode_vm(struct pt_regs *regs)
8973 +static inline int user_mode(struct pt_regs *regs)
8975 #ifdef CONFIG_X86_32
8976 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8979 - return user_mode(regs);
8980 + return user_mode_novm(regs);
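Review bot: Swapping the meaning of an existing helper name needs to be called out in the comment block above these functions: after this hunk `user_mode()` is the V8086-aware test and `user_mode_novm()` the cheaper RPL-only one, the opposite of the names being replaced. The direction is the safe one for unconverted callers of `user_mode()`, but anyone reading the code against mainline documentation will be misled, and `user_mode_novm()` carries no statement of its precondition on the function itself. Add `/* caller must already have excluded V8086 mode */` directly above `user_mode_novm`. Parts of both bodies fall on lines not shown here.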
8984 diff -urNp linux-2.6.36.2/arch/x86/include/asm/reboot.h linux-2.6.36.2/arch/x86/include/asm/reboot.h
8985 --- linux-2.6.36.2/arch/x86/include/asm/reboot.h 2010-10-20 16:30:22.000000000 -0400
8986 +++ linux-2.6.36.2/arch/x86/include/asm/reboot.h 2010-12-09 20:24:53.000000000 -0500
8987 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8989 void native_machine_crash_shutdown(struct pt_regs *regs);
8990 void native_machine_shutdown(void);
8991 -void machine_real_restart(const unsigned char *code, int length);
8992 +void machine_real_restart(const unsigned char *code, unsigned int length);
8994 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8995 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
8996 diff -urNp linux-2.6.36.2/arch/x86/include/asm/rwsem.h linux-2.6.36.2/arch/x86/include/asm/rwsem.h
8997 --- linux-2.6.36.2/arch/x86/include/asm/rwsem.h 2010-10-20 16:30:22.000000000 -0400
8998 +++ linux-2.6.36.2/arch/x86/include/asm/rwsem.h 2010-12-09 20:24:53.000000000 -0500
8999 @@ -118,10 +118,26 @@ static inline void __down_read(struct rw
9001 asm volatile("# beginning down_read\n\t"
9002 LOCK_PREFIX _ASM_INC "(%1)\n\t"
9004 +#ifdef CONFIG_PAX_REFCOUNT
9005 +#ifdef CONFIG_X86_32
9011 + ".pushsection .fixup,\"ax\"\n"
9013 + LOCK_PREFIX _ASM_DEC "(%1)\n"
9016 + _ASM_EXTABLE(0b, 1b)
9019 /* adds 0x00000001 */
9022 " call call_rwsem_down_read_failed\n"
9025 "# ending down_read\n\t"
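Review bot: The `#ifdef CONFIG_PAX_REFCOUNT` / `#ifdef CONFIG_X86_32` block with its `.pushsection .fixup,\"ax\"` and `_ASM_EXTABLE(0b, 1b)` entry is pasted into every locking primitive in this file (the eight hunks from `__down_read` to `rwsem_atomic_update`) and again into the four rwlock functions in spinlock.h; only the undo instruction differs (`_ASM_DEC`, `_ASM_SUB`, `addl`, `decl`, `subl`). A single macro parameterised on the undo instruction would keep the numeric labels `0b`/`1b` and the fixup layout in one place. Whatever form it takes, the block needs a comment saying what condition triggers the fixup and that the fixup reverses the locked operation, because that cannot be recovered from the asm strings alone. Several lines of the block are not visible here, so this is based on the repeated skeleton only.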
9028 @@ -136,13 +152,29 @@ static inline int __down_read_trylock(st
9029 rwsem_count_t result, tmp;
9030 asm volatile("# beginning __down_read_trylock\n\t"
9038 +#ifdef CONFIG_PAX_REFCOUNT
9039 +#ifdef CONFIG_X86_32
9045 + ".pushsection .fixup,\"ax\"\n"
9050 + _ASM_EXTABLE(0b, 1b)
9054 LOCK_PREFIX " cmpxchg %2,%0\n\t"
9059 "# ending __down_read_trylock\n\t"
9060 : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
9061 : "i" (RWSEM_ACTIVE_READ_BIAS)
9062 @@ -158,12 +190,28 @@ static inline void __down_write_nested(s
9064 asm volatile("# beginning down_write\n\t"
9065 LOCK_PREFIX " xadd %1,(%2)\n\t"
9067 +#ifdef CONFIG_PAX_REFCOUNT
9068 +#ifdef CONFIG_X86_32
9074 + ".pushsection .fixup,\"ax\"\n"
9079 + _ASM_EXTABLE(0b, 1b)
9082 /* adds 0xffff0001, returns the old value */
9084 /* was the count 0 before? */
9087 " call call_rwsem_down_write_failed\n"
9090 "# ending down_write"
9091 : "+m" (sem->count), "=d" (tmp)
9092 : "a" (sem), "1" (RWSEM_ACTIVE_WRITE_BIAS)
9093 @@ -196,10 +244,26 @@ static inline void __up_read(struct rw_s
9095 asm volatile("# beginning __up_read\n\t"
9096 LOCK_PREFIX " xadd %1,(%2)\n\t"
9098 +#ifdef CONFIG_PAX_REFCOUNT
9099 +#ifdef CONFIG_X86_32
9105 + ".pushsection .fixup,\"ax\"\n"
9110 + _ASM_EXTABLE(0b, 1b)
9113 /* subtracts 1, returns the old value */
9116 " call call_rwsem_wake\n" /* expects old value in %edx */
9119 "# ending __up_read\n"
9120 : "+m" (sem->count), "=d" (tmp)
9121 : "a" (sem), "1" (-RWSEM_ACTIVE_READ_BIAS)
9122 @@ -214,10 +278,26 @@ static inline void __up_write(struct rw_
9124 asm volatile("# beginning __up_write\n\t"
9125 LOCK_PREFIX " xadd %1,(%2)\n\t"
9127 +#ifdef CONFIG_PAX_REFCOUNT
9128 +#ifdef CONFIG_X86_32
9134 + ".pushsection .fixup,\"ax\"\n"
9139 + _ASM_EXTABLE(0b, 1b)
9142 /* subtracts 0xffff0001, returns the old value */
9145 " call call_rwsem_wake\n" /* expects old value in %edx */
9148 "# ending __up_write\n"
9149 : "+m" (sem->count), "=d" (tmp)
9150 : "a" (sem), "1" (-RWSEM_ACTIVE_WRITE_BIAS)
9151 @@ -231,13 +311,29 @@ static inline void __downgrade_write(str
9153 asm volatile("# beginning __downgrade_write\n\t"
9154 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
9156 +#ifdef CONFIG_PAX_REFCOUNT
9157 +#ifdef CONFIG_X86_32
9163 + ".pushsection .fixup,\"ax\"\n"
9165 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
9168 + _ASM_EXTABLE(0b, 1b)
9172 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
9173 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
9177 " call call_rwsem_downgrade_wake\n"
9180 "# ending __downgrade_write\n"
9182 : "a" (sem), "er" (-RWSEM_WAITING_BIAS)
9183 @@ -250,7 +346,23 @@ static inline void __downgrade_write(str
9184 static inline void rwsem_atomic_add(rwsem_count_t delta,
9185 struct rw_semaphore *sem)
9187 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
9188 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
9190 +#ifdef CONFIG_PAX_REFCOUNT
9191 +#ifdef CONFIG_X86_32
9197 + ".pushsection .fixup,\"ax\"\n"
9199 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
9202 + _ASM_EXTABLE(0b, 1b)
9208 @@ -263,7 +375,23 @@ static inline rwsem_count_t rwsem_atomic
9210 rwsem_count_t tmp = delta;
9212 - asm volatile(LOCK_PREFIX "xadd %0,%1"
9213 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
9215 +#ifdef CONFIG_PAX_REFCOUNT
9216 +#ifdef CONFIG_X86_32
9222 + ".pushsection .fixup,\"ax\"\n"
9227 + _ASM_EXTABLE(0b, 1b)
9230 : "+r" (tmp), "+m" (sem->count)
9233 diff -urNp linux-2.6.36.2/arch/x86/include/asm/segment.h linux-2.6.36.2/arch/x86/include/asm/segment.h
9234 --- linux-2.6.36.2/arch/x86/include/asm/segment.h 2010-10-20 16:30:22.000000000 -0400
9235 +++ linux-2.6.36.2/arch/x86/include/asm/segment.h 2010-12-09 20:24:53.000000000 -0500
9237 * 26 - ESPFIX small SS
9238 * 27 - per-cpu [ offset to per-cpu data area ]
9239 * 28 - stack_canary-20 [ for stack protector ]
9242 + * 29 - PCI BIOS CS
9243 + * 30 - PCI BIOS DS
9244 * 31 - TSS for double fault handler
9246 #define GDT_ENTRY_TLS_MIN 6
9249 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
9251 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9253 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
9255 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
9257 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
9258 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
9260 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
9261 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
9263 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
9265 @@ -102,6 +104,12 @@
9266 #define __KERNEL_STACK_CANARY 0
9269 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
9270 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9272 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
9273 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9275 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9281 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9282 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9283 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
9288 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9289 #define __USER32_DS __USER_DS
9291 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9293 #define GDT_ENTRY_TSS 8 /* needs two entries */
9294 #define GDT_ENTRY_LDT 10 /* needs two entries */
9295 #define GDT_ENTRY_TLS_MIN 12
9299 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
9300 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
9301 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
9302 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
9303 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
9304 diff -urNp linux-2.6.36.2/arch/x86/include/asm/smp.h linux-2.6.36.2/arch/x86/include/asm/smp.h
9305 --- linux-2.6.36.2/arch/x86/include/asm/smp.h 2010-11-26 18:26:23.000000000 -0500
9306 +++ linux-2.6.36.2/arch/x86/include/asm/smp.h 2010-12-09 20:24:53.000000000 -0500
9307 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
9308 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
9309 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
9310 DECLARE_PER_CPU(u16, cpu_llc_id);
9311 -DECLARE_PER_CPU(int, cpu_number);
9312 +DECLARE_PER_CPU(unsigned int, cpu_number);
9314 static inline struct cpumask *cpu_sibling_mask(int cpu)
9316 diff -urNp linux-2.6.36.2/arch/x86/include/asm/spinlock.h linux-2.6.36.2/arch/x86/include/asm/spinlock.h
9317 --- linux-2.6.36.2/arch/x86/include/asm/spinlock.h 2010-10-20 16:30:22.000000000 -0400
9318 +++ linux-2.6.36.2/arch/x86/include/asm/spinlock.h 2010-12-09 20:24:53.000000000 -0500
9319 @@ -249,18 +249,50 @@ static inline int arch_write_can_lock(ar
9320 static inline void arch_read_lock(arch_rwlock_t *rw)
9322 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9324 - "call __read_lock_failed\n\t"
9326 +#ifdef CONFIG_PAX_REFCOUNT
9327 +#ifdef CONFIG_X86_32
9333 + ".pushsection .fixup,\"ax\"\n"
9335 + LOCK_PREFIX " addl $1,(%0)\n"
9338 + _ASM_EXTABLE(0b, 1b)
9342 + "call __read_lock_failed\n\t"
9344 ::LOCK_PTR_REG (rw) : "memory");
9347 static inline void arch_write_lock(arch_rwlock_t *rw)
9349 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9351 - "call __write_lock_failed\n\t"
9353 +#ifdef CONFIG_PAX_REFCOUNT
9354 +#ifdef CONFIG_X86_32
9360 + ".pushsection .fixup,\"ax\"\n"
9362 + LOCK_PREFIX " addl %1,(%0)\n"
9365 + _ASM_EXTABLE(0b, 1b)
9369 + "call __write_lock_failed\n\t"
9371 ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
9374 @@ -286,12 +318,45 @@ static inline int arch_write_trylock(arc
9376 static inline void arch_read_unlock(arch_rwlock_t *rw)
9378 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9379 + asm volatile(LOCK_PREFIX "incl %0\n"
9381 +#ifdef CONFIG_PAX_REFCOUNT
9382 +#ifdef CONFIG_X86_32
9388 + ".pushsection .fixup,\"ax\"\n"
9390 + LOCK_PREFIX "decl %0\n"
9393 + _ASM_EXTABLE(0b, 1b)
9396 + :"+m" (rw->lock) : : "memory");
9399 static inline void arch_write_unlock(arch_rwlock_t *rw)
9401 - asm volatile(LOCK_PREFIX "addl %1, %0"
9402 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
9404 +#ifdef CONFIG_PAX_REFCOUNT
9405 +#ifdef CONFIG_X86_32
9411 + ".pushsection .fixup,\"ax\"\n"
9413 + LOCK_PREFIX "subl %1,%0\n"
9416 + _ASM_EXTABLE(0b, 1b)
9419 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9422 diff -urNp linux-2.6.36.2/arch/x86/include/asm/system.h linux-2.6.36.2/arch/x86/include/asm/system.h
9423 --- linux-2.6.36.2/arch/x86/include/asm/system.h 2010-10-20 16:30:22.000000000 -0400
9424 +++ linux-2.6.36.2/arch/x86/include/asm/system.h 2010-12-09 20:24:53.000000000 -0500
9425 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9427 unsigned long __limit;
9428 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9429 - return __limit + 1;
9433 static inline void native_clts(void)
9434 @@ -342,7 +342,7 @@ void enable_hlt(void);
9436 void cpu_idle_wait(void);
9438 -extern unsigned long arch_align_stack(unsigned long sp);
9439 +#define arch_align_stack(x) ((x) & ~0xfUL)
9440 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9442 void default_idle(void);
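Review bot: `arch_align_stack` changes from an out-of-line function to the pure alignment macro `((x) & ~0xfUL)`, so anything else the function did is silently dropped from this path. The replaced implementation is not shown in this hunk; if it applied the per-exec stack offset randomisation, as mainline's version does, that protection now depends entirely on the patch's own stack randomisation option being enabled. Add a comment above the macro stating where stack randomisation is performed instead and what a kernel built without that option gets.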
9443 diff -urNp linux-2.6.36.2/arch/x86/include/asm/uaccess_32.h linux-2.6.36.2/arch/x86/include/asm/uaccess_32.h
9444 --- linux-2.6.36.2/arch/x86/include/asm/uaccess_32.h 2010-10-20 16:30:22.000000000 -0400
9445 +++ linux-2.6.36.2/arch/x86/include/asm/uaccess_32.h 2010-12-09 20:24:53.000000000 -0500
9446 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9447 static __always_inline unsigned long __must_check
9448 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9453 if (__builtin_constant_p(n)) {
9456 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9460 + if (!__builtin_constant_p(n))
9461 + check_object_size(from, n, true);
9462 return __copy_to_user_ll(to, from, n);
9465 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9466 static __always_inline unsigned long
9467 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9472 /* Avoid zeroing the tail if the copy fails..
9473 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9474 * but as the zeroing behaviour is only significant when n is not
9475 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9476 __copy_from_user(void *to, const void __user *from, unsigned long n)
9483 if (__builtin_constant_p(n)) {
9486 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9490 + if (!__builtin_constant_p(n))
9491 + check_object_size(to, n, false);
9492 return __copy_from_user_ll(to, from, n);
9495 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9496 const void __user *from, unsigned long n)
9503 if (__builtin_constant_p(n)) {
9506 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9507 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9510 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9515 -unsigned long __must_check copy_to_user(void __user *to,
9516 - const void *from, unsigned long n);
9517 -unsigned long __must_check _copy_from_user(void *to,
9518 - const void __user *from,
9520 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9523 +extern void copy_to_user_overflow(void)
9524 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9525 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9527 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9531 extern void copy_from_user_overflow(void)
9532 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9533 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9537 -static inline unsigned long __must_check copy_from_user(void *to,
9538 - const void __user *from,
9541 + * copy_to_user: - Copy a block of data into user space.
9542 + * @to: Destination address, in user space.
9543 + * @from: Source address, in kernel space.
9544 + * @n: Number of bytes to copy.
9546 + * Context: User context only. This function may sleep.
9548 + * Copy data from kernel space to user space.
9550 + * Returns number of bytes that could not be copied.
9551 + * On success, this will be zero.
9553 +static inline unsigned long __must_check
9554 +copy_to_user(void __user *to, const void *from, unsigned long n)
9556 + int sz = __compiletime_object_size(from);
9558 + if (unlikely(sz != -1 && sz < n))
9559 + copy_to_user_overflow();
9560 + else if (access_ok(VERIFY_WRITE, to, n))
9561 + n = __copy_to_user(to, from, n);
9566 + * copy_from_user: - Copy a block of data from user space.
9567 + * @to: Destination address, in kernel space.
9568 + * @from: Source address, in user space.
9569 + * @n: Number of bytes to copy.
9571 + * Context: User context only. This function may sleep.
9573 + * Copy data from user space to kernel space.
9575 + * Returns number of bytes that could not be copied.
9576 + * On success, this will be zero.
9578 + * If some data could not be copied, this function will pad the copied
9579 + * data to the requested size using zero bytes.
9581 +static inline unsigned long __must_check
9582 +copy_from_user(void *to, const void __user *from, unsigned long n)
9584 int sz = __compiletime_object_size(to);
9586 - if (likely(sz == -1 || sz >= n))
9587 - n = _copy_from_user(to, from, n);
9589 + if (unlikely(sz != -1 && sz < n))
9590 copy_from_user_overflow();
9592 + else if (access_ok(VERIFY_READ, from, n))
9593 + n = __copy_from_user(to, from, n);
9594 + else if ((long)n > 0) {
9595 + if (!__builtin_constant_p(n))
9596 + check_object_size(to, n, false);
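Review bot: The kernel-doc added for `copy_from_user` promises that the destination is padded with zero bytes when data could not be copied, but the branch taken when the compile-time size check fails (`sz != -1 && sz < n`) only calls `copy_from_user_overflow()` and leaves `to` untouched. The zero-fill path is reachable only through `else if ((long)n > 0)`, that is, after `access_ok` fails. Add a sentence to the comment such as "If the destination is provably too small, nothing is written to @to", so callers do not assume an initialised buffer on that path. The end of the function body is not visible in this hunk.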
9602 diff -urNp linux-2.6.36.2/arch/x86/include/asm/uaccess_64.h linux-2.6.36.2/arch/x86/include/asm/uaccess_64.h
9603 --- linux-2.6.36.2/arch/x86/include/asm/uaccess_64.h 2010-10-20 16:30:22.000000000 -0400
9604 +++ linux-2.6.36.2/arch/x86/include/asm/uaccess_64.h 2010-12-09 20:24:53.000000000 -0500
9606 #include <asm/alternative.h>
9607 #include <asm/cpufeature.h>
9608 #include <asm/page.h>
9609 +#include <asm/pgtable.h>
9611 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
9614 * Copy To/From Userspace
9615 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
9619 -__must_check unsigned long
9620 -_copy_to_user(void __user *to, const void *from, unsigned len);
9621 -__must_check unsigned long
9622 -_copy_from_user(void *to, const void __user *from, unsigned len);
9623 +static __always_inline __must_check unsigned long
9624 +__copy_to_user(void __user *to, const void *from, unsigned len);
9625 +static __always_inline __must_check unsigned long
9626 +__copy_from_user(void *to, const void __user *from, unsigned len);
9627 __must_check unsigned long
9628 copy_in_user(void __user *to, const void __user *from, unsigned len);
9630 static inline unsigned long __must_check copy_from_user(void *to,
9631 const void __user *from,
9635 - int sz = __compiletime_object_size(to);
9638 - if (likely(sz == -1 || sz >= n))
9639 - n = _copy_from_user(to, from, n);
9640 -#ifdef CONFIG_DEBUG_VM
9642 - WARN(1, "Buffer overflow detected!\n");
9645 + if (access_ok(VERIFY_READ, from, n))
9646 + n = __copy_from_user(to, from, n);
9647 + else if ((int)n > 0) {
9648 + if (!__builtin_constant_p(n))
9649 + check_object_size(to, n, false);
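Review bot: The zero-fill branch is guarded by `(int)n > 0` here, while the same branch of `copy_from_user` in uaccess_32.h uses `(long)n > 0`. The declaration of `n` is not among the lines shown; if it is `unsigned long`, as in the 32-bit version, the `int` cast looks only at the low 32 bits, so the decision to clear the destination after a failed `access_ok` can differ from what the full length says. Use `else if ((long)n > 0) {` unless the truncation is intended, and say so in a comment if it is. This hunk also removes the `__compiletime_object_size(to)` test from `copy_from_user`; its replacement appears in `__copy_from_user` in the next hunk.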
9655 @@ -65,110 +68,157 @@ int copy_to_user(void __user *dst, const
9659 - return _copy_to_user(dst, src, size);
9660 + if (access_ok(VERIFY_WRITE, dst, size))
9661 + size = __copy_to_user(dst, src, size);
9665 static __always_inline __must_check
9666 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9667 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9670 + int sz = __compiletime_object_size(dst);
9674 - if (!__builtin_constant_p(size))
9675 - return copy_user_generic(dst, (__force void *)src, size);
9677 + if ((int)size < 0)
9680 + if (unlikely(sz != -1 && sz < size)) {
9681 +#ifdef CONFIG_DEBUG_VM
9682 + WARN(1, "Buffer overflow detected!\n");
9687 + if (!__builtin_constant_p(size)) {
9688 + check_object_size(dst, size, false);
9689 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9690 + src += PAX_USER_SHADOW_BASE;
9691 + return copy_user_generic(dst, (__force const void *)src, size);
9694 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9695 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
9696 ret, "b", "b", "=q", 1);
9698 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
9699 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
9700 ret, "w", "w", "=r", 2);
9702 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
9703 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
9704 ret, "l", "k", "=r", 4);
9706 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
9707 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9708 ret, "q", "", "=r", 8);
9711 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9712 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9713 ret, "q", "", "=r", 10);
9716 __get_user_asm(*(u16 *)(8 + (char *)dst),
9717 - (u16 __user *)(8 + (char __user *)src),
9718 + (const u16 __user *)(8 + (const char __user *)src),
9719 ret, "w", "w", "=r", 2);
9722 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9723 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9724 ret, "q", "", "=r", 16);
9727 __get_user_asm(*(u64 *)(8 + (char *)dst),
9728 - (u64 __user *)(8 + (char __user *)src),
9729 + (const u64 __user *)(8 + (const char __user *)src),
9730 ret, "q", "", "=r", 8);
9733 - return copy_user_generic(dst, (__force void *)src, size);
9734 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9735 + src += PAX_USER_SHADOW_BASE;
9736 + return copy_user_generic(dst, (__force const void *)src, size);
9740 static __always_inline __must_check
9741 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9742 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9745 + int sz = __compiletime_object_size(src);
9749 - if (!__builtin_constant_p(size))
9751 + if ((int)size < 0)
9754 + if (unlikely(sz != -1 && sz < size)) {
9755 +#ifdef CONFIG_DEBUG_VM
9756 + WARN(1, "Buffer overflow detected!\n");
9761 + if (!__builtin_constant_p(size)) {
9762 + check_object_size(src, size, true);
9763 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9764 + dst += PAX_USER_SHADOW_BASE;
9765 return copy_user_generic((__force void *)dst, src, size);
9768 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9769 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
9770 ret, "b", "b", "iq", 1);
9772 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
9773 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
9774 ret, "w", "w", "ir", 2);
9776 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
9777 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
9778 ret, "l", "k", "ir", 4);
9780 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
9781 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9782 ret, "q", "", "er", 8);
9785 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9786 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9787 ret, "q", "", "er", 10);
9791 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
9792 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
9793 ret, "w", "w", "ir", 2);
9796 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9797 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9798 ret, "q", "", "er", 16);
9802 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
9803 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
9804 ret, "q", "", "er", 8);
9807 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9808 + dst += PAX_USER_SHADOW_BASE;
9809 return copy_user_generic((__force void *)dst, src, size);
9813 static __always_inline __must_check
9814 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9815 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9821 - if (!__builtin_constant_p(size))
9823 + if ((int)size < 0)
9826 + if (!__builtin_constant_p(size)) {
9827 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9828 + src += PAX_USER_SHADOW_BASE;
9829 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9830 + dst += PAX_USER_SHADOW_BASE;
9831 return copy_user_generic((__force void *)dst,
9832 - (__force void *)src, size);
9833 + (__force const void *)src, size);
9838 - __get_user_asm(tmp, (u8 __user *)src,
9839 + __get_user_asm(tmp, (const u8 __user *)src,
9840 ret, "b", "b", "=q", 1);
9842 __put_user_asm(tmp, (u8 __user *)dst,
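Review bot: The two-line rebase `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is pasted into every exit path of `__copy_from_user`, `__copy_to_user` and `__copy_in_user` in this hunk, and again in the later `__copy_in_user` and inatomic hunks, which makes a missed path easy to introduce. A single `static __always_inline` helper that takes the user pointer and returns the rebased one would keep the rule in one place. It should carry a comment stating that a pointer at or above `PAX_USER_SHADOW_BASE` is passed through unchanged, so these double-underscore helpers still rely on the caller's `access_ok` for range checking. Separately, `sz` is `int` while `size` is `unsigned` in `sz != -1 && sz < size`; the comparison is done unsigned, which is correct only as long as `__compiletime_object_size` never yields a negative value other than -1.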
9843 @@ -177,7 +227,7 @@ int __copy_in_user(void __user *dst, con
9847 - __get_user_asm(tmp, (u16 __user *)src,
9848 + __get_user_asm(tmp, (const u16 __user *)src,
9849 ret, "w", "w", "=r", 2);
9851 __put_user_asm(tmp, (u16 __user *)dst,
9852 @@ -187,7 +237,7 @@ int __copy_in_user(void __user *dst, con
9856 - __get_user_asm(tmp, (u32 __user *)src,
9857 + __get_user_asm(tmp, (const u32 __user *)src,
9858 ret, "l", "k", "=r", 4);
9860 __put_user_asm(tmp, (u32 __user *)dst,
9861 @@ -196,7 +246,7 @@ int __copy_in_user(void __user *dst, con
9865 - __get_user_asm(tmp, (u64 __user *)src,
9866 + __get_user_asm(tmp, (const u64 __user *)src,
9867 ret, "q", "", "=r", 8);
9869 __put_user_asm(tmp, (u64 __user *)dst,
9870 @@ -204,8 +254,12 @@ int __copy_in_user(void __user *dst, con
9874 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9875 + src += PAX_USER_SHADOW_BASE;
9876 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9877 + dst += PAX_USER_SHADOW_BASE;
9878 return copy_user_generic((__force void *)dst,
9879 - (__force void *)src, size);
9880 + (__force const void *)src, size);
9884 @@ -222,33 +276,45 @@ __must_check unsigned long __clear_user(
9885 static __must_check __always_inline int
9886 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9888 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9889 + src += PAX_USER_SHADOW_BASE;
9890 return copy_user_generic(dst, (__force const void *)src, size);
9893 -static __must_check __always_inline int
9894 +static __must_check __always_inline unsigned long
9895 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9897 + if ((int)size < 0)
9900 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9901 + dst += PAX_USER_SHADOW_BASE;
9902 return copy_user_generic((__force void *)dst, src, size);
9905 -extern long __copy_user_nocache(void *dst, const void __user *src,
9906 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9907 unsigned size, int zerorest);
9910 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9911 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9915 + if ((int)size < 0)
9918 return __copy_user_nocache(dst, src, size, 1);
9922 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9923 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9926 + if ((int)size < 0)
9929 return __copy_user_nocache(dst, src, size, 0);
9933 +extern unsigned long
9934 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9936 #endif /* _ASM_X86_UACCESS_64_H */
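Review bot: `__copy_from_user_inatomic` is left out of two changes its siblings get in this hunk: it keeps the `int` return type while `__copy_to_user_inatomic` moves to `unsigned long`, and it gains the `PAX_USER_SHADOW_BASE` rebase but not the `if ((int)size < 0)` guard added to `__copy_to_user_inatomic` and to both nocache variants. If the asymmetry is deliberate it needs a comment; otherwise give it the same guard and return type. Conversely, `__copy_from_user_nocache` and `__copy_from_user_inatomic_nocache` pass `src` to `__copy_user_nocache` with no rebase in the lines shown, so confirm that `__copy_user_nocache` applies the shadow offset itself.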
9937 diff -urNp linux-2.6.36.2/arch/x86/include/asm/uaccess.h linux-2.6.36.2/arch/x86/include/asm/uaccess.h
9938 --- linux-2.6.36.2/arch/x86/include/asm/uaccess.h 2010-10-20 16:30:22.000000000 -0400
9939 +++ linux-2.6.36.2/arch/x86/include/asm/uaccess.h 2010-12-09 20:24:53.000000000 -0500
9941 #include <linux/thread_info.h>
9942 #include <linux/prefetch.h>
9943 #include <linux/string.h>
9944 +#include <linux/sched.h>
9945 #include <asm/asm.h>
9946 #include <asm/page.h>
9948 #define VERIFY_READ 0
9949 #define VERIFY_WRITE 1
9951 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9954 * The fs value determines whether argument validity checking should be
9955 * performed or not. If get_fs() == USER_DS, checking is performed, with
9958 #define get_ds() (KERNEL_DS)
9959 #define get_fs() (current_thread_info()->addr_limit)
9960 +#ifdef CONFIG_X86_32
9961 +void __set_fs(mm_segment_t x, int cpu);
9962 +void set_fs(mm_segment_t x);
9964 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9967 #define segment_eq(a, b) ((a).seg == (b).seg)
9970 * checks that the pointer is in the user space range - after calling
9971 * this function, memory access functions may still return -EFAULT.
9973 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9974 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9975 +#define access_ok(type, addr, size) \
9977 + long __size = size; \
9978 + unsigned long __addr = (unsigned long)addr; \
9979 + unsigned long __addr_ao = __addr & PAGE_MASK; \
9980 + unsigned long __end_ao = __addr + __size - 1; \
9981 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9982 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9983 + while(__addr_ao <= __end_ao) { \
9985 + __addr_ao += PAGE_SIZE; \
9986 + if (__size > PAGE_SIZE) \
9988 + if (__get_user(__c_ao, (char __user *)__addr)) \
9990 + if (type != VERIFY_WRITE) { \
9991 + __addr = __addr_ao; \
9994 + if (__put_user(__c_ao, (char __user *)__addr)) \
9996 + __addr = __addr_ao; \
10003 * The exception table consists of pairs of addresses: the first is the
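Review bot: The new `access_ok` uses its arguments unparenthesized, so `(unsigned long)addr` at gutter line 9978 casts only the first operand when a caller passes an expression. For `access_ok(VERIFY_WRITE, p + i, n)` with a non-`char` pointer `p`, `__addr` becomes `(unsigned long)p + i` rather than the address of `p + i`, and both `__range_not_ok(__addr, __size)` and the per-page loop then check the wrong range. Write `long __size = (size);`, `unsigned long __addr = (unsigned long)(addr);` and `(type) != VERIFY_WRITE`. The macro also now reads a byte per page through `__get_user` and, apparently only for `VERIFY_WRITE`, writes it back through `__put_user`, so it can fault pages in. The comment above it should say so, since callers have treated `access_ok` as a pure range check.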
10004 @@ -183,13 +217,21 @@ extern int __get_user_bad(void);
10005 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
10006 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
10009 +#ifdef CONFIG_X86_32
10010 +#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
10011 +#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
10013 +#define _ASM_LOAD_USER_DS(ds)
10014 +#define _ASM_LOAD_KERNEL_DS
10017 #ifdef CONFIG_X86_32
10018 #define __put_user_asm_u64(x, addr, err, errret) \
10019 - asm volatile("1: movl %%eax,0(%2)\n" \
10020 - "2: movl %%edx,4(%2)\n" \
10021 + asm volatile(_ASM_LOAD_USER_DS(5) \
10022 + "1: movl %%eax,%%ds:0(%2)\n" \
10023 + "2: movl %%edx,%%ds:4(%2)\n" \
10025 + _ASM_LOAD_KERNEL_DS \
10026 ".section .fixup,\"ax\"\n" \
10027 "4: movl %3,%0\n" \
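Review bot: `_ASM_LOAD_USER_DS(5)` ties the segment load to a positional operand number that has to be kept in step by hand with where `"r"(__USER_DS)` sits in each constraint list. The same pattern recurs with `(5)` in `__get_user_asm` and `__put_user_asm` and with `(2)` in the `_ex` variants further down, so adding or removing one operand in any of them would silently load `%ds` from the wrong register. A named operand avoids that: `[uds] "r" (__USER_DS)` in the constraint list and `"movw %w[uds],%%ds\n"` in the macro, which then needs no argument. The asm statement of `__put_user_asm_u64` continues past this hunk.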
10029 @@ -197,15 +239,18 @@ extern int __get_user_bad(void);
10030 _ASM_EXTABLE(1b, 4b) \
10031 _ASM_EXTABLE(2b, 4b) \
10033 - : "A" (x), "r" (addr), "i" (errret), "0" (err))
10034 + : "A" (x), "r" (addr), "i" (errret), "0" (err), \
10037 #define __put_user_asm_ex_u64(x, addr) \
10038 - asm volatile("1: movl %%eax,0(%1)\n" \
10039 - "2: movl %%edx,4(%1)\n" \
10040 + asm volatile(_ASM_LOAD_USER_DS(2) \
10041 + "1: movl %%eax,%%ds:0(%1)\n" \
10042 + "2: movl %%edx,%%ds:4(%1)\n" \
10044 + _ASM_LOAD_KERNEL_DS \
10045 _ASM_EXTABLE(1b, 2b - 1b) \
10046 _ASM_EXTABLE(2b, 3b - 2b) \
10047 - : : "A" (x), "r" (addr))
10048 + : : "A" (x), "r" (addr), "r"(__USER_DS))
10050 #define __put_user_x8(x, ptr, __ret_pu) \
10051 asm volatile("call __put_user_8" : "=a" (__ret_pu) \
10052 @@ -374,16 +419,18 @@ do { \
10055 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
10056 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
10057 + asm volatile(_ASM_LOAD_USER_DS(5) \
10058 + "1: mov"itype" %%ds:%2,%"rtype"1\n" \
10060 + _ASM_LOAD_KERNEL_DS \
10061 ".section .fixup,\"ax\"\n" \
10063 " xor"itype" %"rtype"1,%"rtype"1\n" \
10066 _ASM_EXTABLE(1b, 3b) \
10067 - : "=r" (err), ltype(x) \
10068 - : "m" (__m(addr)), "i" (errret), "0" (err))
10069 + : "=r" (err), ltype (x) \
10070 + : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
10072 #define __get_user_size_ex(x, ptr, size) \
10074 @@ -407,10 +454,12 @@ do { \
10077 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
10078 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
10079 + asm volatile(_ASM_LOAD_USER_DS(2) \
10080 + "1: mov"itype" %%ds:%1,%"rtype"0\n" \
10082 + _ASM_LOAD_KERNEL_DS \
10083 _ASM_EXTABLE(1b, 2b - 1b) \
10084 - : ltype(x) : "m" (__m(addr)))
10085 + : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
10087 #define __put_user_nocheck(x, ptr, size) \
10089 @@ -424,13 +473,24 @@ do { \
10091 unsigned long __gu_val; \
10092 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
10093 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
10094 + (x) = (__typeof__(*(ptr)))__gu_val; \
10098 /* FIXME: this hack is definitely wrong -AK */
10099 struct __large_struct { unsigned long buf[100]; };
10100 -#define __m(x) (*(struct __large_struct __user *)(x))
10101 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10102 +#define ____m(x) \
10104 + unsigned long ____x = (unsigned long)(x); \
10105 + if (____x < PAX_USER_SHADOW_BASE) \
10106 + ____x += PAX_USER_SHADOW_BASE; \
10107 + (void __user *)____x; \
10110 +#define ____m(x) (x)
10112 +#define __m(x) (*(struct __large_struct __user *)____m(x))
10115 * Tell gcc we read from memory instead of writing: this is because
10116 @@ -438,21 +498,26 @@ struct __large_struct { unsigned long bu
10119 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
10120 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
10121 + asm volatile(_ASM_LOAD_USER_DS(5) \
10122 + "1: mov"itype" %"rtype"1,%%ds:%2\n" \
10124 + _ASM_LOAD_KERNEL_DS \
10125 ".section .fixup,\"ax\"\n" \
10129 _ASM_EXTABLE(1b, 3b) \
10131 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
10132 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
10135 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
10136 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
10137 + asm volatile(_ASM_LOAD_USER_DS(2) \
10138 + "1: mov"itype" %"rtype"0,%%ds:%1\n" \
10140 + _ASM_LOAD_KERNEL_DS \
10141 _ASM_EXTABLE(1b, 2b - 1b) \
10142 - : : ltype(x), "m" (__m(addr)))
10143 + : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
10146 * uaccess_try and catch
10147 @@ -530,7 +595,7 @@ struct __large_struct { unsigned long bu
10148 #define get_user_ex(x, ptr) do { \
10149 unsigned long __gue_val; \
10150 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
10151 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
10152 + (x) = (__typeof__(*(ptr)))__gue_val; \
10155 #ifdef CONFIG_X86_WP_WORKS_OK
10156 @@ -567,6 +632,7 @@ extern struct movsl_mask {
10158 #define ARCH_HAS_NOCACHE_UACCESS 1
10160 +#define ARCH_HAS_SORT_EXTABLE
10161 #ifdef CONFIG_X86_32
10162 # include "uaccess_32.h"
10164 diff -urNp linux-2.6.36.2/arch/x86/include/asm/vgtod.h linux-2.6.36.2/arch/x86/include/asm/vgtod.h
10165 --- linux-2.6.36.2/arch/x86/include/asm/vgtod.h 2010-10-20 16:30:22.000000000 -0400
10166 +++ linux-2.6.36.2/arch/x86/include/asm/vgtod.h 2010-12-09 20:24:53.000000000 -0500
10167 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
10168 int sysctl_enabled;
10169 struct timezone sys_tz;
10170 struct { /* extract of a clocksource struct */
10172 cycle_t (*vread)(void);
10173 cycle_t cycle_last;
10175 diff -urNp linux-2.6.36.2/arch/x86/include/asm/vmi.h linux-2.6.36.2/arch/x86/include/asm/vmi.h
10176 --- linux-2.6.36.2/arch/x86/include/asm/vmi.h 2010-10-20 16:30:22.000000000 -0400
10177 +++ linux-2.6.36.2/arch/x86/include/asm/vmi.h 2010-12-09 20:24:53.000000000 -0500
10178 @@ -191,6 +191,7 @@ struct vrom_header {
10179 u8 reserved[96]; /* Reserved for headers */
10180 char vmi_init[8]; /* VMI_Init jump point */
10181 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
10182 + char rom_data[8048]; /* rest of the option ROM */
10183 } __attribute__((packed));
10185 struct pnp_header {
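Review bot: `char rom_data[8048]` adds an unexplained magic size to a packed structure that overlays firmware data. The value presumably pads `struct vrom_header` out to the full option-ROM image, but only the last few fields are visible in this hunk, so that cannot be confirmed from here. Derive the length from a named total-size constant minus the header fields, or keep the literal and add a compile-time check on `sizeof(struct vrom_header)` next to it, so that a later field change cannot shift the bound unnoticed.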
10186 diff -urNp linux-2.6.36.2/arch/x86/include/asm/vsyscall.h linux-2.6.36.2/arch/x86/include/asm/vsyscall.h
10187 --- linux-2.6.36.2/arch/x86/include/asm/vsyscall.h 2010-10-20 16:30:22.000000000 -0400
10188 +++ linux-2.6.36.2/arch/x86/include/asm/vsyscall.h 2010-12-09 20:24:53.000000000 -0500
10189 @@ -15,9 +15,10 @@ enum vsyscall_num {
10192 #include <linux/seqlock.h>
10193 +#include <linux/getcpu.h>
10194 +#include <linux/time.h>
10196 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
10197 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
10199 /* Definitions for CONFIG_GENERIC_TIME definitions */
10200 #define __section_vsyscall_gtod_data __attribute__ \
10201 @@ -31,7 +32,6 @@ enum vsyscall_num {
10202 #define VGETCPU_LSL 2
10204 extern int __vgetcpu_mode;
10205 -extern volatile unsigned long __jiffies;
10207 /* kernel space (writeable) */
10208 extern int vgetcpu_mode;
10209 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
10211 extern void map_vsyscall(void);
10213 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
10214 +extern time_t vtime(time_t *t);
10215 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
10216 #endif /* __KERNEL__ */
10218 #endif /* _ASM_X86_VSYSCALL_H */
10219 diff -urNp linux-2.6.36.2/arch/x86/include/asm/xsave.h linux-2.6.36.2/arch/x86/include/asm/xsave.h
10220 --- linux-2.6.36.2/arch/x86/include/asm/xsave.h 2010-10-20 16:30:22.000000000 -0400
10221 +++ linux-2.6.36.2/arch/x86/include/asm/xsave.h 2010-12-09 20:24:53.000000000 -0500
10222 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
10226 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10227 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
10228 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
10232 * Clear the xsave header first, so that reserved fields are
10233 * initialized to zero.
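Review bot: The shadow-base rebase is open-coded here as `if ((unsigned long)buf < PAX_USER_SHADOW_BASE) buf = ...`, and again in `xrestore_user` in the next hunk, in `____m()` in uaccess.h and in the `__copy_*_inatomic` helpers in uaccess_64.h, each with slightly different casts. One `static inline` helper that takes and returns `void __user *` would keep the comparison and the addition in a single place and stop the copies drifting apart. A comment should also state what happens to a pointer already at or above `PAX_USER_SHADOW_BASE`: it is passed through unchanged, so the rebase is not a range check and relies on validation done elsewhere, which this hunk does not show. The body of `xsave_user` continues outside the hunk.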
10234 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
10236 u32 hmask = mask >> 32;
10238 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10239 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
10240 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
10243 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
10245 ".section .fixup,\"ax\"\n"
10246 diff -urNp linux-2.6.36.2/arch/x86/Kconfig linux-2.6.36.2/arch/x86/Kconfig
10247 --- linux-2.6.36.2/arch/x86/Kconfig 2010-10-20 16:30:22.000000000 -0400
10248 +++ linux-2.6.36.2/arch/x86/Kconfig 2010-12-09 20:24:54.000000000 -0500
10249 @@ -1036,7 +1036,7 @@ choice
10253 - depends on !X86_NUMAQ
10254 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10256 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
10257 However, the address space of 32-bit x86 processors is only 4
10258 @@ -1073,7 +1073,7 @@ config NOHIGHMEM
10262 - depends on !X86_NUMAQ
10263 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10265 Select this if you have a 32-bit processor and between 1 and 4
10266 gigabytes of physical RAM.
10267 @@ -1127,7 +1127,7 @@ config PAGE_OFFSET
10269 default 0xB0000000 if VMSPLIT_3G_OPT
10270 default 0x80000000 if VMSPLIT_2G
10271 - default 0x78000000 if VMSPLIT_2G_OPT
10272 + default 0x70000000 if VMSPLIT_2G_OPT
10273 default 0x40000000 if VMSPLIT_1G
10276 @@ -1459,7 +1459,7 @@ config ARCH_USES_PG_UNCACHED
10279 bool "EFI runtime service support"
10281 + depends on ACPI && !PAX_KERNEXEC
10283 This enables the kernel to use EFI runtime services that are
10284 available (such as the EFI variable services).
10285 @@ -1546,6 +1546,7 @@ config KEXEC_JUMP
10286 config PHYSICAL_START
10287 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
10288 default "0x1000000"
10289 + range 0x400000 0x40000000
10291 This gives the physical address where the kernel is loaded.
10293 @@ -1609,6 +1610,7 @@ config X86_NEED_RELOCS
10294 config PHYSICAL_ALIGN
10295 hex "Alignment value to which kernel should be aligned" if X86_32
10296 default "0x1000000"
10297 + range 0x400000 0x1000000 if PAX_KERNEXEC
10298 range 0x2000 0x1000000
10300 This value puts the alignment restrictions on physical address
10301 @@ -1640,9 +1642,10 @@ config HOTPLUG_CPU
10302 Say N if you want to disable CPU hotplug.
10307 prompt "Compat VDSO support"
10308 depends on X86_32 || IA32_EMULATION
10309 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
10311 Map the 32-bit VDSO to the predictable old-style address too.
10313 diff -urNp linux-2.6.36.2/arch/x86/Kconfig.cpu linux-2.6.36.2/arch/x86/Kconfig.cpu
10314 --- linux-2.6.36.2/arch/x86/Kconfig.cpu 2010-10-20 16:30:22.000000000 -0400
10315 +++ linux-2.6.36.2/arch/x86/Kconfig.cpu 2010-12-09 20:24:54.000000000 -0500
10316 @@ -336,7 +336,7 @@ config X86_PPRO_FENCE
10318 config X86_F00F_BUG
10320 - depends on M586MMX || M586TSC || M586 || M486 || M386
10321 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
10323 config X86_INVD_BUG
10325 @@ -360,7 +360,7 @@ config X86_POPAD_OK
10327 config X86_ALIGNMENT_16
10329 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10330 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10332 config X86_INTEL_USERCOPY
10334 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
10338 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10339 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10341 config X86_MINIMUM_CPU_FAMILY
10343 diff -urNp linux-2.6.36.2/arch/x86/Kconfig.debug linux-2.6.36.2/arch/x86/Kconfig.debug
10344 --- linux-2.6.36.2/arch/x86/Kconfig.debug 2010-10-20 16:30:22.000000000 -0400
10345 +++ linux-2.6.36.2/arch/x86/Kconfig.debug 2010-12-09 20:24:54.000000000 -0500
10346 @@ -97,7 +97,7 @@ config X86_PTDUMP
10347 config DEBUG_RODATA
10348 bool "Write protect kernel read-only data structures"
10350 - depends on DEBUG_KERNEL
10351 + depends on DEBUG_KERNEL && BROKEN
10353 Mark the kernel read-only data as write-protected in the pagetables,
10354 in order to catch accidental (and incorrect) writes to such const
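Review bot: `depends on DEBUG_KERNEL && BROKEN` makes `DEBUG_RODATA` unselectable in every configuration, including kernels built from this tree with the PaX options switched off, which then lose write protection of read-only data. If the intent is that the option conflicts with or is superseded by `PAX_KERNEXEC` (the reason is not visible here), `depends on DEBUG_KERNEL && !PAX_KERNEXEC` expresses that and keeps the protection available otherwise. Either way the help text should say why the option is disabled.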
10355 diff -urNp linux-2.6.36.2/arch/x86/kernel/acpi/boot.c linux-2.6.36.2/arch/x86/kernel/acpi/boot.c
10356 --- linux-2.6.36.2/arch/x86/kernel/acpi/boot.c 2010-10-20 16:30:22.000000000 -0400
10357 +++ linux-2.6.36.2/arch/x86/kernel/acpi/boot.c 2010-12-09 20:24:54.000000000 -0500
10358 @@ -1472,7 +1472,7 @@ static struct dmi_system_id __initdata a
10359 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
10363 + { NULL, NULL, {{0, {0}}}, NULL}
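Review bot: The table terminator is spelled `{ NULL, NULL, {{0, {0}}}, NULL}` here, while the equivalent terminators added in apm_32.c and acpi-cpufreq.c use `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}`. Both are positional and depend on the field order of `struct dmi_system_id`. Pick one form for the whole patch, preferably the `DMI_MATCH(DMI_NONE, ...)` one, since it names the slot it fills.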
10367 diff -urNp linux-2.6.36.2/arch/x86/kernel/acpi/sleep.c linux-2.6.36.2/arch/x86/kernel/acpi/sleep.c
10368 --- linux-2.6.36.2/arch/x86/kernel/acpi/sleep.c 2010-10-20 16:30:22.000000000 -0400
10369 +++ linux-2.6.36.2/arch/x86/kernel/acpi/sleep.c 2010-12-09 20:24:54.000000000 -0500
10370 @@ -11,11 +11,12 @@
10371 #include <linux/cpumask.h>
10372 #include <asm/segment.h>
10373 #include <asm/desc.h>
10374 +#include <asm/e820.h>
10376 #include "realmode/wakeup.h"
10379 -unsigned long acpi_wakeup_address;
10380 +unsigned long acpi_wakeup_address = 0x2000;
10381 unsigned long acpi_realmode_flags;
10383 /* address in low memory of the wakeup routine. */
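Review bot: `acpi_wakeup_address = 0x2000` hard-codes a low-memory physical address with no comment and no visible reservation. The hunk also adds `#include <asm/e820.h>`, so the page is presumably reserved somewhere else in the patch, but nothing here ties the constant to that reservation. A named constant shared by both sites, with a comment saying why the wakeup code must sit at a fixed address, would keep the two from drifting apart.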
10384 @@ -96,8 +97,12 @@ int acpi_save_state_mem(void)
10385 header->trampoline_segment = setup_trampoline() >> 4;
10387 stack_start.sp = temp_stack + sizeof(temp_stack);
10389 + pax_open_kernel();
10390 early_gdt_descr.address =
10391 (unsigned long)get_cpu_gdt_table(smp_processor_id());
10392 + pax_close_kernel();
10394 initial_gs = per_cpu_offset(smp_processor_id());
10396 initial_code = (unsigned long)wakeup_long64;
10397 diff -urNp linux-2.6.36.2/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.36.2/arch/x86/kernel/acpi/wakeup_32.S
10398 --- linux-2.6.36.2/arch/x86/kernel/acpi/wakeup_32.S 2010-10-20 16:30:22.000000000 -0400
10399 +++ linux-2.6.36.2/arch/x86/kernel/acpi/wakeup_32.S 2010-12-09 20:24:54.000000000 -0500
10400 @@ -30,13 +30,11 @@ wakeup_pmode_return:
10401 # and restore the stack ... but you need gdt for this to work
10402 movl saved_context_esp, %esp
10404 - movl %cs:saved_magic, %eax
10405 - cmpl $0x12345678, %eax
10406 + cmpl $0x12345678, saved_magic
10409 # jump to place where we left off
10410 - movl saved_eip, %eax
10416 diff -urNp linux-2.6.36.2/arch/x86/kernel/alternative.c linux-2.6.36.2/arch/x86/kernel/alternative.c
10417 --- linux-2.6.36.2/arch/x86/kernel/alternative.c 2010-10-20 16:30:22.000000000 -0400
10418 +++ linux-2.6.36.2/arch/x86/kernel/alternative.c 2010-12-09 20:24:55.000000000 -0500
10419 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
10420 if (!*poff || ptr < text || ptr >= text_end)
10422 /* turn DS segment override prefix into lock prefix */
10423 - if (*ptr == 0x3e)
10424 + if (*ktla_ktva(ptr) == 0x3e)
10425 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10427 mutex_unlock(&text_mutex);
10428 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
10429 if (!*poff || ptr < text || ptr >= text_end)
10431 /* turn lock prefix into DS segment override prefix */
10432 - if (*ptr == 0xf0)
10433 + if (*ktla_ktva(ptr) == 0xf0)
10434 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10436 mutex_unlock(&text_mutex);
10437 @@ -437,7 +437,7 @@ void __init_or_module apply_paravirt(str
10439 BUG_ON(p->len > MAX_PATCH_LEN);
10440 /* prep the buffer with the original instructions */
10441 - memcpy(insnbuf, p->instr, p->len);
10442 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10443 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10444 (unsigned long)p->instr, p->len);
10446 @@ -505,7 +505,7 @@ void __init alternative_instructions(voi
10448 free_init_pages("SMP alternatives",
10449 (unsigned long)__smp_locks,
10450 - (unsigned long)__smp_locks_end);
10451 + PAGE_ALIGN((unsigned long)__smp_locks_end));
10455 @@ -522,13 +522,17 @@ void __init alternative_instructions(voi
10456 * instructions. And on the local CPU you need to be protected again NMI or MCE
10457 * handlers seeing an inconsistent instruction while you patch.
10459 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
10460 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
10463 unsigned long flags;
10464 local_irq_save(flags);
10465 - memcpy(addr, opcode, len);
10467 + pax_open_kernel();
10468 + memcpy(ktla_ktva(addr), opcode, len);
10470 + pax_close_kernel();
10472 local_irq_restore(flags);
10473 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10474 that causes hangs on some VIA CPUs. */
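Review bot: The `pax_open_kernel()` / `pax_close_kernel()` window around the `memcpy` is covered only by `local_irq_save`, which does not hold off NMI or machine-check handlers, and the comment block above the function already warns about exactly those. Whatever protection `pax_open_kernel()` lifts (presumably kernel write protection; its definition is not on this page) is also lifted for any such handler that runs inside the window. With the annotation changed from `__init_or_module` to `__kprobes`, this is now a runtime path rather than a boot-time one, so a comment is needed. Add something like `/* protection is lifted until pax_close_kernel(): keep this window to the copy itself */` and update the header comment to say the function is no longer init-only.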
10475 @@ -550,36 +554,22 @@ static void *__init_or_module text_poke_
10477 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10479 - unsigned long flags;
10481 + unsigned char *vaddr = ktla_ktva(addr);
10482 struct page *pages[2];
10486 if (!core_kernel_text((unsigned long)addr)) {
10487 - pages[0] = vmalloc_to_page(addr);
10488 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10489 + pages[0] = vmalloc_to_page(vaddr);
10490 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10492 - pages[0] = virt_to_page(addr);
10493 + pages[0] = virt_to_page(vaddr);
10494 WARN_ON(!PageReserved(pages[0]));
10495 - pages[1] = virt_to_page(addr + PAGE_SIZE);
10496 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10499 - local_irq_save(flags);
10500 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10502 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10503 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10504 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10505 - clear_fixmap(FIX_TEXT_POKE0);
10507 - clear_fixmap(FIX_TEXT_POKE1);
10508 - local_flush_tlb();
10510 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
10511 - that causes hangs on some VIA CPUs. */
10512 + text_poke_early(addr, opcode, len);
10513 for (i = 0; i < len; i++)
10514 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10515 - local_irq_restore(flags);
10516 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
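Review bot: `pages[0]` and `pages[1]` are still looked up through `vmalloc_to_page`/`virt_to_page`, but the `set_fixmap` calls that consumed them are removed, because the write now goes straight through `text_poke_early(addr, opcode, len)`. Unless a line missing from this listing still checks them, the lookups are dead code apart from the `WARN_ON(!PageReserved(pages[0]))`. The `pages[1]` lookup also touches `vaddr + PAGE_SIZE` even when the patch does not cross a page. Drop the array and keep only the sanity check that is still wanted. The loop index `i` is compared against a `size_t len`, so declare it as `size_t` as well.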
10520 diff -urNp linux-2.6.36.2/arch/x86/kernel/amd_iommu.c linux-2.6.36.2/arch/x86/kernel/amd_iommu.c
10521 --- linux-2.6.36.2/arch/x86/kernel/amd_iommu.c 2010-10-20 16:30:22.000000000 -0400
10522 +++ linux-2.6.36.2/arch/x86/kernel/amd_iommu.c 2010-12-09 20:24:54.000000000 -0500
10523 @@ -2286,7 +2286,7 @@ static void prealloc_protection_domains(
10527 -static struct dma_map_ops amd_iommu_dma_ops = {
10528 +static const struct dma_map_ops amd_iommu_dma_ops = {
10529 .alloc_coherent = alloc_coherent,
10530 .free_coherent = free_coherent,
10531 .map_page = map_page,
10532 diff -urNp linux-2.6.36.2/arch/x86/kernel/apic/io_apic.c linux-2.6.36.2/arch/x86/kernel/apic/io_apic.c
10533 --- linux-2.6.36.2/arch/x86/kernel/apic/io_apic.c 2010-11-26 18:26:23.000000000 -0500
10534 +++ linux-2.6.36.2/arch/x86/kernel/apic/io_apic.c 2010-12-09 20:24:55.000000000 -0500
10535 @@ -696,7 +696,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10536 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10538 if (!ioapic_entries)
10542 for (apic = 0; apic < nr_ioapics; apic++) {
10543 ioapic_entries[apic] =
10544 @@ -713,7 +713,7 @@ nomem:
10545 kfree(ioapic_entries[apic]);
10546 kfree(ioapic_entries);
10553 @@ -1123,7 +1123,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10555 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10557 -void lock_vector_lock(void)
10558 +void lock_vector_lock(void) __acquires(vector_lock)
10560 /* Used to the online set of cpus does not change
10561 * during assign_irq_vector.
10562 @@ -1131,7 +1131,7 @@ void lock_vector_lock(void)
10563 raw_spin_lock(&vector_lock);
10566 -void unlock_vector_lock(void)
10567 +void unlock_vector_lock(void) __releases(vector_lock)
10569 raw_spin_unlock(&vector_lock);
10571 diff -urNp linux-2.6.36.2/arch/x86/kernel/apm_32.c linux-2.6.36.2/arch/x86/kernel/apm_32.c
10572 --- linux-2.6.36.2/arch/x86/kernel/apm_32.c 2010-10-20 16:30:22.000000000 -0400
10573 +++ linux-2.6.36.2/arch/x86/kernel/apm_32.c 2010-12-09 20:24:55.000000000 -0500
10574 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10575 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10576 * even though they are called in protected mode.
10578 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10579 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10580 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10582 static const char driver_version[] = "1.16ac"; /* no spaces */
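Review bot: The descriptor flags change from `0x4092` to `0x4093` silently; the only difference is the lowest type bit, which for an x86 data-segment descriptor is the accessed bit. It is presumably pre-set so that the CPU never has to write that bit back into a GDT this patch keeps write-protected, which the `pax_open_kernel()` pairs around the `gdt[0x40 / 8]` stores in the later hunks suggest, but nothing in the code says so. Add a comment above the initializer, e.g. `/* accessed bit pre-set: the GDT is read-only, so the CPU must not need to update it */`.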
10583 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10585 gdt = get_cpu_gdt_table(cpu);
10586 save_desc_40 = gdt[0x40 / 8];
10588 + pax_open_kernel();
10589 gdt[0x40 / 8] = bad_bios_desc;
10590 + pax_close_kernel();
10592 apm_irq_save(flags);
10594 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10596 APM_DO_RESTORE_SEGS;
10597 apm_irq_restore(flags);
10599 + pax_open_kernel();
10600 gdt[0x40 / 8] = save_desc_40;
10601 + pax_close_kernel();
10605 return call->eax & 0xff;
10606 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
10608 gdt = get_cpu_gdt_table(cpu);
10609 save_desc_40 = gdt[0x40 / 8];
10611 + pax_open_kernel();
10612 gdt[0x40 / 8] = bad_bios_desc;
10613 + pax_close_kernel();
10615 apm_irq_save(flags);
10617 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
10619 APM_DO_RESTORE_SEGS;
10620 apm_irq_restore(flags);
10622 + pax_open_kernel();
10623 gdt[0x40 / 8] = save_desc_40;
10624 + pax_close_kernel();
10629 @@ -975,7 +989,7 @@ recalc:
10631 static void apm_power_off(void)
10633 - unsigned char po_bios_call[] = {
10634 + const unsigned char po_bios_call[] = {
10635 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10636 0x8e, 0xd0, /* movw ax,ss */
10637 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
10638 @@ -1931,7 +1945,10 @@ static const struct file_operations apm_
10639 static struct miscdevice apm_device = {
10650 @@ -2252,7 +2269,7 @@ static struct dmi_system_id __initdata a
10651 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10655 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10659 @@ -2355,12 +2372,15 @@ static int __init apm_init(void)
10660 * code to that CPU.
10662 gdt = get_cpu_gdt_table(0);
10664 + pax_open_kernel();
10665 set_desc_base(&gdt[APM_CS >> 3],
10666 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10667 set_desc_base(&gdt[APM_CS_16 >> 3],
10668 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10669 set_desc_base(&gdt[APM_DS >> 3],
10670 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10671 + pax_close_kernel();
10673 proc_create("apm", 0, NULL, &apm_file_ops);
10675 diff -urNp linux-2.6.36.2/arch/x86/kernel/asm-offsets_32.c linux-2.6.36.2/arch/x86/kernel/asm-offsets_32.c
10676 --- linux-2.6.36.2/arch/x86/kernel/asm-offsets_32.c 2010-10-20 16:30:22.000000000 -0400
10677 +++ linux-2.6.36.2/arch/x86/kernel/asm-offsets_32.c 2010-12-09 20:24:55.000000000 -0500
10678 @@ -115,6 +115,11 @@ void foo(void)
10679 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10680 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10681 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10683 +#ifdef CONFIG_PAX_KERNEXEC
10684 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10690 diff -urNp linux-2.6.36.2/arch/x86/kernel/asm-offsets_64.c linux-2.6.36.2/arch/x86/kernel/asm-offsets_64.c
10691 --- linux-2.6.36.2/arch/x86/kernel/asm-offsets_64.c 2010-10-20 16:30:22.000000000 -0400
10692 +++ linux-2.6.36.2/arch/x86/kernel/asm-offsets_64.c 2010-12-09 20:24:55.000000000 -0500
10693 @@ -63,6 +63,18 @@ int main(void)
10694 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10695 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10696 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10698 +#ifdef CONFIG_PAX_KERNEXEC
10699 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10700 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10703 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10704 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10705 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10706 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10712 @@ -115,6 +127,7 @@ int main(void)
10716 + DEFINE(TSS_size, sizeof(struct tss_struct));
10717 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10719 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10720 diff -urNp linux-2.6.36.2/arch/x86/kernel/cpu/common.c linux-2.6.36.2/arch/x86/kernel/cpu/common.c
10721 --- linux-2.6.36.2/arch/x86/kernel/cpu/common.c 2010-10-20 16:30:22.000000000 -0400
10722 +++ linux-2.6.36.2/arch/x86/kernel/cpu/common.c 2010-12-09 20:24:55.000000000 -0500
10723 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10725 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10727 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10728 -#ifdef CONFIG_X86_64
10730 - * We need valid kernel segments for data and code in long mode too
10731 - * IRET will check the segment types kkeil 2000/10/28
10732 - * Also sysret mandates a special GDT layout
10734 - * TLS descriptors are currently at a different place compared to i386.
10735 - * Hopefully nobody expects them at a fixed place (Wine?)
10737 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10738 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10739 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10740 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10741 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10742 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10744 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10745 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10746 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10747 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10749 - * Segments used for calling PnP BIOS have byte granularity.
10750 - * They code segments and data segments have fixed 64k limits,
10751 - * the transfer segment sizes are set at run time.
10753 - /* 32-bit code */
10754 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10755 - /* 16-bit code */
10756 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10757 - /* 16-bit data */
10758 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10759 - /* 16-bit data */
10760 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10761 - /* 16-bit data */
10762 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10764 - * The APM segments have byte granularity and their bases
10765 - * are set at run time. All have 64k limits.
10767 - /* 32-bit code */
10768 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10769 - /* 16-bit code */
10770 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10772 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10774 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10775 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10776 - GDT_STACK_CANARY_INIT
10779 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10781 static int __init x86_xsave_setup(char *s)
10783 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10784 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
10786 struct desc_ptr gdt_descr;
10788 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10789 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10790 gdt_descr.size = GDT_SIZE - 1;
10791 load_gdt(&gdt_descr);
10792 /* Reload the per-cpu base */
10793 @@ -820,6 +766,10 @@ static void __cpuinit identify_cpu(struc
10794 /* Filter out anything that depends on CPUID levels we don't have */
10795 filter_cpuid_features(c, true);
10797 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10798 + setup_clear_cpu_cap(X86_FEATURE_SEP);
10801 /* If the model name is still unset, do table lookup. */
10802 if (!c->x86_model_id[0]) {
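Review bot: `setup_clear_cpu_cap(X86_FEATURE_SEP)` turns a CPU feature off for the whole system under three PaX options without a word on why. The effect is user-visible, because 32-bit system-call entry can no longer use SYSENTER, so the next maintainer needs a comment naming which property of those options SYSENTER breaks. The call also sits in `identify_cpu`, which looks like the per-CPU identification path, although `setup_clear_cpu_cap` appears to be a one-time boot-wide setting; if so it belongs in the early setup code. The body of `identify_cpu` extends beyond this hunk.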
10804 @@ -1135,7 +1085,7 @@ void __cpuinit cpu_init(void)
10807 cpu = stack_smp_processor_id();
10808 - t = &per_cpu(init_tss, cpu);
10809 + t = init_tss + cpu;
10810 oist = &per_cpu(orig_ist, cpu);
10813 @@ -1161,7 +1111,7 @@ void __cpuinit cpu_init(void)
10814 switch_to_new_gdt(cpu);
10815 loadsegment(fs, 0);
10817 - load_idt((const struct desc_ptr *)&idt_descr);
10818 + load_idt(&idt_descr);
10820 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10822 @@ -1170,7 +1120,6 @@ void __cpuinit cpu_init(void)
10823 wrmsrl(MSR_KERNEL_GS_BASE, 0);
10826 - x86_configure_nx();
10830 @@ -1224,7 +1173,7 @@ void __cpuinit cpu_init(void)
10832 int cpu = smp_processor_id();
10833 struct task_struct *curr = current;
10834 - struct tss_struct *t = &per_cpu(init_tss, cpu);
10835 + struct tss_struct *t = init_tss + cpu;
10836 struct thread_struct *thread = &curr->thread;
10838 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
10839 diff -urNp linux-2.6.36.2/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.36.2/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
10840 --- linux-2.6.36.2/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-12-09 20:53:45.000000000 -0500
10841 +++ linux-2.6.36.2/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-12-09 20:54:31.000000000 -0500
10842 @@ -481,7 +481,7 @@ static const struct dmi_system_id sw_any
10843 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
10847 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
10850 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
10851 diff -urNp linux-2.6.36.2/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.36.2/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
10852 --- linux-2.6.36.2/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-10-20 16:30:22.000000000 -0400
10853 +++ linux-2.6.36.2/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-12-09 20:24:55.000000000 -0500
10854 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
10855 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
10856 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
10859 + { NULL, NULL, 0, NULL}
10863 diff -urNp linux-2.6.36.2/arch/x86/kernel/cpu/intel.c linux-2.6.36.2/arch/x86/kernel/cpu/intel.c
10864 --- linux-2.6.36.2/arch/x86/kernel/cpu/intel.c 2010-10-20 16:30:22.000000000 -0400
10865 +++ linux-2.6.36.2/arch/x86/kernel/cpu/intel.c 2010-12-09 20:24:55.000000000 -0500
10866 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
10867 * Update the IDT descriptor and reload the IDT so that
10868 * it uses the read-only mapped virtual address.
10870 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10871 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10872 load_idt(&idt_descr);
10875 diff -urNp linux-2.6.36.2/arch/x86/kernel/cpu/Makefile linux-2.6.36.2/arch/x86/kernel/cpu/Makefile
10876 --- linux-2.6.36.2/arch/x86/kernel/cpu/Makefile 2010-10-20 16:30:22.000000000 -0400
10877 +++ linux-2.6.36.2/arch/x86/kernel/cpu/Makefile 2010-12-09 20:24:55.000000000 -0500
10878 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10879 CFLAGS_REMOVE_perf_event.o = -pg
10882 -# Make sure load_percpu_segment has no stackprotector
10883 -nostackp := $(call cc-option, -fno-stack-protector)
10884 -CFLAGS_common.o := $(nostackp)
10886 obj-y := intel_cacheinfo.o scattered.o topology.o
10887 obj-y += proc.o capflags.o powerflags.o common.o
10888 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
10889 diff -urNp linux-2.6.36.2/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.36.2/arch/x86/kernel/cpu/mcheck/mce.c
10890 --- linux-2.6.36.2/arch/x86/kernel/cpu/mcheck/mce.c 2010-10-20 16:30:22.000000000 -0400
10891 +++ linux-2.6.36.2/arch/x86/kernel/cpu/mcheck/mce.c 2010-12-09 20:24:55.000000000 -0500
10892 @@ -219,7 +219,7 @@ static void print_mce(struct mce *m)
10893 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
10896 - if (m->cs == __KERNEL_CS)
10897 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
10898 print_symbol("{%s}", m->ip);
10901 @@ -1460,14 +1460,14 @@ void __cpuinit mcheck_cpu_init(struct cp
10904 static DEFINE_SPINLOCK(mce_state_lock);
10905 -static int open_count; /* #times opened */
10906 +static atomic_t open_count; /* #times opened */
10907 static int open_exclu; /* already open exclusive? */
10909 static int mce_open(struct inode *inode, struct file *file)
10911 spin_lock(&mce_state_lock);
10913 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
10914 + if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
10915 spin_unlock(&mce_state_lock);
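Review bot: The change of `open_count` to `atomic_t` carries no explanation, and every access visible in these hunks already runs with `mce_state_lock` held. That covers the `atomic_read()` in `mce_open()`, the `atomic_inc()` in the next hunk and the `atomic_dec()` in `mce_release()`. If the type change serves a purpose other than concurrency, record it at the declaration, e.g. `/* #times opened; atomic_t for <reason>, still serialised by mce_state_lock */`. Without that, a reader may assume lock-free access is safe, which the plain `int open_exclu` beside it does not support. The bodies of `mce_open()` and `mce_release()` extend beyond the hunks.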
10918 @@ -1475,7 +1475,7 @@ static int mce_open(struct inode *inode,
10920 if (file->f_flags & O_EXCL)
10923 + atomic_inc(&open_count);
10925 spin_unlock(&mce_state_lock);
10927 @@ -1486,7 +1486,7 @@ static int mce_release(struct inode *ino
10929 spin_lock(&mce_state_lock);
10932 + atomic_dec(&open_count);
10935 spin_unlock(&mce_state_lock);
10936 @@ -1672,6 +1672,7 @@ static struct miscdevice mce_log_device
10940 + {NULL, NULL}, NULL, NULL
10944 diff -urNp linux-2.6.36.2/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.36.2/arch/x86/kernel/cpu/mtrr/generic.c
10945 --- linux-2.6.36.2/arch/x86/kernel/cpu/mtrr/generic.c 2010-10-20 16:30:22.000000000 -0400
10946 +++ linux-2.6.36.2/arch/x86/kernel/cpu/mtrr/generic.c 2010-12-09 20:24:55.000000000 -0500
10947 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
10948 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
10949 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
10950 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
10955 static unsigned long smp_changes_mask;
10956 diff -urNp linux-2.6.36.2/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.36.2/arch/x86/kernel/cpu/mtrr/main.c
10957 --- linux-2.6.36.2/arch/x86/kernel/cpu/mtrr/main.c 2010-10-20 16:30:22.000000000 -0400
10958 +++ linux-2.6.36.2/arch/x86/kernel/cpu/mtrr/main.c 2010-12-09 20:24:55.000000000 -0500
10959 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
10960 u64 size_or_mask, size_and_mask;
10961 static bool mtrr_aps_delayed_init;
10963 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
10964 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
10966 const struct mtrr_ops *mtrr_if;
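Review bot: `__read_only` on `mtrr_ops[]` needs a note about which code is still allowed to write the table. The array itself is not `const` (only the pointed-to ops are), so any registration code that stores into `mtrr_ops[...]` still compiles; whether such a store happens before read-only data is write-protected is not visible in this hunk. A later store would have to be bracketed with `pax_open_kernel()` / `pax_close_kernel()`, as done in the ftrace.c hunk. The same question applies to `ftrace_nop[]` in ftrace.c, which is also marked `__read_only` while remaining a non-const array. A comment such as `/* written only during early boot, before read-only data is protected */` at each declaration would record the assumption.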
10968 diff -urNp linux-2.6.36.2/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.36.2/arch/x86/kernel/cpu/mtrr/mtrr.h
10969 --- linux-2.6.36.2/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-10-20 16:30:22.000000000 -0400
10970 +++ linux-2.6.36.2/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-12-09 20:24:55.000000000 -0500
10971 @@ -12,19 +12,19 @@
10972 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
10976 - u32 use_intel_if;
10977 - void (*set)(unsigned int reg, unsigned long base,
10978 + const u32 vendor;
10979 + const u32 use_intel_if;
10980 + void (* const set)(unsigned int reg, unsigned long base,
10981 unsigned long size, mtrr_type type);
10982 - void (*set_all)(void);
10983 + void (* const set_all)(void);
10985 - void (*get)(unsigned int reg, unsigned long *base,
10986 + void (* const get)(unsigned int reg, unsigned long *base,
10987 unsigned long *size, mtrr_type *type);
10988 - int (*get_free_region)(unsigned long base, unsigned long size,
10989 + int (* const get_free_region)(unsigned long base, unsigned long size,
10991 - int (*validate_add_page)(unsigned long base, unsigned long size,
10992 + int (* const validate_add_page)(unsigned long base, unsigned long size,
10993 unsigned int type);
10994 - int (*have_wrcomb)(void);
10995 + int (* const have_wrcomb)(void);
10998 extern int generic_get_free_region(unsigned long base, unsigned long size,
10999 diff -urNp linux-2.6.36.2/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.36.2/arch/x86/kernel/cpu/perfctr-watchdog.c
11000 --- linux-2.6.36.2/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-10-20 16:30:22.000000000 -0400
11001 +++ linux-2.6.36.2/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-12-09 20:24:55.000000000 -0500
11002 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
11004 /* Interface defining a CPU specific perfctr watchdog */
11006 - int (*reserve)(void);
11007 - void (*unreserve)(void);
11008 - int (*setup)(unsigned nmi_hz);
11009 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
11010 - void (*stop)(void);
11011 + int (* const reserve)(void);
11012 + void (* const unreserve)(void);
11013 + int (* const setup)(unsigned nmi_hz);
11014 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
11015 + void (* const stop)(void);
11019 @@ -634,6 +634,7 @@ static const struct wd_ops p4_wd_ops = {
11020 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
11021 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
11023 +/* cannot be const, see probe_nmi_watchdog */
11024 static struct wd_ops intel_arch_wd_ops;
11026 static int setup_intel_arch_watchdog(unsigned nmi_hz)
11027 @@ -686,6 +687,7 @@ static int setup_intel_arch_watchdog(uns
11031 +/* cannot be const */
11032 static struct wd_ops intel_arch_wd_ops __read_mostly = {
11033 .reserve = single_msr_reserve,
11034 .unreserve = single_msr_unreserve,
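Review bot: The comment `/* cannot be const */` on the definition of `intel_arch_wd_ops` does not say why, unlike the forward declaration, which points to `probe_nmi_watchdog`. Because the object stays in writable `__read_mostly` data, the `* const` qualifiers added to the `wd_ops` function pointers only stop assignments at compile time. The pointers themselves remain in memory that can be written at run time. Make the comment state which members change and when, e.g. `/* not const: see probe_nmi_watchdog; function pointers therefore stay in writable memory */`. The initializer continues outside the hunk.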
11035 diff -urNp linux-2.6.36.2/arch/x86/kernel/cpu/perf_event.c linux-2.6.36.2/arch/x86/kernel/cpu/perf_event.c
11036 --- linux-2.6.36.2/arch/x86/kernel/cpu/perf_event.c 2010-10-20 16:30:22.000000000 -0400
11037 +++ linux-2.6.36.2/arch/x86/kernel/cpu/perf_event.c 2010-12-09 20:24:55.000000000 -0500
11038 @@ -1732,7 +1732,7 @@ perf_callchain_user(struct pt_regs *regs
11041 callchain_store(entry, frame.return_address);
11042 - fp = frame.next_frame;
11043 + fp = (__force const void __user *)frame.next_frame;
11047 diff -urNp linux-2.6.36.2/arch/x86/kernel/crash.c linux-2.6.36.2/arch/x86/kernel/crash.c
11048 --- linux-2.6.36.2/arch/x86/kernel/crash.c 2010-10-20 16:30:22.000000000 -0400
11049 +++ linux-2.6.36.2/arch/x86/kernel/crash.c 2010-12-09 20:24:54.000000000 -0500
11050 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
11053 #ifdef CONFIG_X86_32
11054 - if (!user_mode_vm(regs)) {
11055 + if (!user_mode(regs)) {
11056 crash_fixup_ss_esp(&fixed_regs, regs);
11057 regs = &fixed_regs;
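Review bot: `user_mode()` replaces `user_mode_vm()` in `kdump_nmi_callback()`, but nothing in the hunk shows that `user_mode()` now accounts for `EFLAGS.VM`. In the unpatched 2.6.36 headers, 32-bit `user_mode()` compares only the RPL bits of `regs->cs`, so a vm86 frame whose CS value has a low RPL would be treated as a kernel frame and passed to `crash_fixup_ss_esp()`. The change is correct only if the patch redefines `user_mode()` elsewhere to include the VM check; that definition is outside this chunk and should be confirmed. The same substitution is made in `show_registers()` (dumpstack_32.c) and in `__die()` and `die()` (dumpstack.c). A comment at the first use, such as `/* user_mode() includes the vm86 check in this tree */`, would document the dependency.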
11059 diff -urNp linux-2.6.36.2/arch/x86/kernel/doublefault_32.c linux-2.6.36.2/arch/x86/kernel/doublefault_32.c
11060 --- linux-2.6.36.2/arch/x86/kernel/doublefault_32.c 2010-10-20 16:30:22.000000000 -0400
11061 +++ linux-2.6.36.2/arch/x86/kernel/doublefault_32.c 2010-12-09 20:24:55.000000000 -0500
11064 #define DOUBLEFAULT_STACKSIZE (1024)
11065 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
11066 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
11067 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
11069 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
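Review bot: The `-2` added to `STACK_START` is an unexplained magic number. `doublefault_stack` is an `unsigned long` array, so the initial stack pointer now sits two `unsigned long` slots below the end of the array, and nothing says what those slots are reserved for. Add a comment above the macro, e.g. `/* leave two longs free at the top of the stack for <purpose> */`, and consider giving the constant a name.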
11071 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
11072 unsigned long gdt, tss;
11074 store_gdt(&gdt_desc);
11075 - gdt = gdt_desc.address;
11076 + gdt = (unsigned long)gdt_desc.address;
11078 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
11080 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
11081 /* 0x2 bit is always set */
11082 .flags = X86_EFLAGS_SF | 0x2,
11085 + .es = __KERNEL_DS,
11089 + .ds = __KERNEL_DS,
11090 .fs = __KERNEL_PERCPU,
11092 .__cr3 = __pa_nodebug(swapper_pg_dir),
11093 diff -urNp linux-2.6.36.2/arch/x86/kernel/dumpstack_32.c linux-2.6.36.2/arch/x86/kernel/dumpstack_32.c
11094 --- linux-2.6.36.2/arch/x86/kernel/dumpstack_32.c 2010-10-20 16:30:22.000000000 -0400
11095 +++ linux-2.6.36.2/arch/x86/kernel/dumpstack_32.c 2010-12-09 20:24:55.000000000 -0500
11096 @@ -105,11 +105,12 @@ void show_registers(struct pt_regs *regs
11097 * When in-kernel, we also print out the stack and code at the
11098 * time of the fault..
11100 - if (!user_mode_vm(regs)) {
11101 + if (!user_mode(regs)) {
11102 unsigned int code_prologue = code_bytes * 43 / 64;
11103 unsigned int code_len = code_bytes;
11106 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
11108 printk(KERN_EMERG "Stack:\n");
11109 show_stack_log_lvl(NULL, regs, ®s->sp,
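Review bot: `cs_base` is read from the GDT at index `(0xffff & regs->cs) >> 3` with no check that the index is inside the table or that the selector refers to the GDT rather than an LDT. `show_registers()` runs on the oops path, where `regs` may describe a corrupted frame, and a 16-bit selector can yield an index up to 8191, so the lookup can read well past the per-CPU GDT. Guard it, for instance `unsigned int idx = (regs->cs & 0xffff) >> 3;` followed by `cs_base = idx < GDT_ENTRIES ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[idx]) : 0;`. The function body continues outside the hunk.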
11110 @@ -117,10 +118,10 @@ void show_registers(struct pt_regs *regs
11112 printk(KERN_EMERG "Code: ");
11114 - ip = (u8 *)regs->ip - code_prologue;
11115 + ip = (u8 *)regs->ip - code_prologue + cs_base;
11116 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
11117 /* try starting at IP */
11118 - ip = (u8 *)regs->ip;
11119 + ip = (u8 *)regs->ip + cs_base;
11120 code_len = code_len - code_prologue + 1;
11122 for (i = 0; i < code_len; i++, ip++) {
11123 @@ -129,7 +130,7 @@ void show_registers(struct pt_regs *regs
11124 printk(" Bad EIP value.");
11127 - if (ip == (u8 *)regs->ip)
11128 + if (ip == (u8 *)regs->ip + cs_base)
11129 printk("<%02x> ", c);
11131 printk("%02x ", c);
11132 @@ -142,6 +143,7 @@ int is_valid_bugaddr(unsigned long ip)
11134 unsigned short ud2;
11136 + ip = ktla_ktva(ip);
11137 if (ip < PAGE_OFFSET)
11139 if (probe_kernel_address((unsigned short *)ip, ud2))
11140 diff -urNp linux-2.6.36.2/arch/x86/kernel/dumpstack.c linux-2.6.36.2/arch/x86/kernel/dumpstack.c
11141 --- linux-2.6.36.2/arch/x86/kernel/dumpstack.c 2010-10-20 16:30:22.000000000 -0400
11142 +++ linux-2.6.36.2/arch/x86/kernel/dumpstack.c 2010-12-09 20:24:54.000000000 -0500
11143 @@ -27,7 +27,7 @@ static int die_counter;
11145 void printk_address(unsigned long address, int reliable)
11147 - printk(" [<%p>] %s%pS\n", (void *) address,
11148 + printk(" [<%p>] %s%pA\n", (void *) address,
11149 reliable ? "" : "? ", (void *) address);
11152 @@ -206,7 +206,7 @@ void dump_stack(void)
11155 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
11156 - current->pid, current->comm, current->xid, print_tainted(),
11157 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
11158 init_utsname()->release,
11159 (int)strcspn(init_utsname()->version, " "),
11160 init_utsname()->version);
11161 @@ -262,7 +262,7 @@ void __kprobes oops_end(unsigned long fl
11162 panic("Fatal exception in interrupt");
11164 panic("Fatal exception");
11166 + do_group_exit(signr);
11169 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
11170 @@ -289,7 +289,7 @@ int __kprobes __die(const char *str, str
11172 show_registers(regs);
11173 #ifdef CONFIG_X86_32
11174 - if (user_mode_vm(regs)) {
11175 + if (user_mode(regs)) {
11177 ss = regs->ss & 0xffff;
11179 @@ -317,7 +317,7 @@ void die(const char *str, struct pt_regs
11180 unsigned long flags = oops_begin();
11183 - if (!user_mode_vm(regs))
11184 + if (!user_mode(regs))
11185 report_bug(regs->ip, regs);
11187 if (__die(str, regs, err))
11188 diff -urNp linux-2.6.36.2/arch/x86/kernel/efi_32.c linux-2.6.36.2/arch/x86/kernel/efi_32.c
11189 --- linux-2.6.36.2/arch/x86/kernel/efi_32.c 2010-10-20 16:30:22.000000000 -0400
11190 +++ linux-2.6.36.2/arch/x86/kernel/efi_32.c 2010-12-09 20:24:55.000000000 -0500
11191 @@ -38,70 +38,38 @@
11194 static unsigned long efi_rt_eflags;
11195 -static pgd_t efi_bak_pg_dir_pointer[2];
11196 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
11198 -void efi_call_phys_prelog(void)
11199 +void __init efi_call_phys_prelog(void)
11201 - unsigned long cr4;
11202 - unsigned long temp;
11203 struct desc_ptr gdt_descr;
11205 local_irq_save(efi_rt_eflags);
11208 - * If I don't have PAE, I should just duplicate two entries in page
11209 - * directory. If I have PAE, I just need to duplicate one entry in
11210 - * page directory.
11212 - cr4 = read_cr4_safe();
11214 - if (cr4 & X86_CR4_PAE) {
11215 - efi_bak_pg_dir_pointer[0].pgd =
11216 - swapper_pg_dir[pgd_index(0)].pgd;
11217 - swapper_pg_dir[0].pgd =
11218 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
11220 - efi_bak_pg_dir_pointer[0].pgd =
11221 - swapper_pg_dir[pgd_index(0)].pgd;
11222 - efi_bak_pg_dir_pointer[1].pgd =
11223 - swapper_pg_dir[pgd_index(0x400000)].pgd;
11224 - swapper_pg_dir[pgd_index(0)].pgd =
11225 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
11226 - temp = PAGE_OFFSET + 0x400000;
11227 - swapper_pg_dir[pgd_index(0x400000)].pgd =
11228 - swapper_pg_dir[pgd_index(temp)].pgd;
11230 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
11231 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
11232 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
11235 * After the lock is released, the original page table is restored.
11239 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
11240 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
11241 gdt_descr.size = GDT_SIZE - 1;
11242 load_gdt(&gdt_descr);
11245 -void efi_call_phys_epilog(void)
11246 +void __init efi_call_phys_epilog(void)
11248 - unsigned long cr4;
11249 struct desc_ptr gdt_descr;
11251 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
11252 + gdt_descr.address = get_cpu_gdt_table(0);
11253 gdt_descr.size = GDT_SIZE - 1;
11254 load_gdt(&gdt_descr);
11256 - cr4 = read_cr4_safe();
11258 - if (cr4 & X86_CR4_PAE) {
11259 - swapper_pg_dir[pgd_index(0)].pgd =
11260 - efi_bak_pg_dir_pointer[0].pgd;
11262 - swapper_pg_dir[pgd_index(0)].pgd =
11263 - efi_bak_pg_dir_pointer[0].pgd;
11264 - swapper_pg_dir[pgd_index(0x400000)].pgd =
11265 - efi_bak_pg_dir_pointer[1].pgd;
11267 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
11270 * After the lock is released, the original page table is restored.
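Review bot: Marking `efi_call_phys_prelog()` and `efi_call_phys_epilog()` as `__init` and `efi_bak_pg_dir_pointer` as `__initdata` means they are discarded when init memory is freed, and the hunk does not show that every caller is itself `__init`. If an EFI physical-mode call could be made after boot, it would run freed text and restore page-directory entries from freed data. Confirm the callers, which are outside this chunk, and state the constraint above `efi_call_phys_prelog()`, e.g. `/* boot-time only: callers must be __init */`. The removed PAE/non-PAE explanation also has no replacement. One line saying that the low `min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)` entries are temporarily overwritten with the kernel mappings would keep the intent readable.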
11271 diff -urNp linux-2.6.36.2/arch/x86/kernel/efi_stub_32.S linux-2.6.36.2/arch/x86/kernel/efi_stub_32.S
11272 --- linux-2.6.36.2/arch/x86/kernel/efi_stub_32.S 2010-10-20 16:30:22.000000000 -0400
11273 +++ linux-2.6.36.2/arch/x86/kernel/efi_stub_32.S 2010-12-09 20:24:54.000000000 -0500
11277 #include <linux/linkage.h>
11278 +#include <linux/init.h>
11279 #include <asm/page_types.h>
11283 * service functions will comply with gcc calling convention, too.
11288 ENTRY(efi_call_phys)
11290 * 0. The function can only be called in Linux kernel. So CS has been
11291 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
11292 * The mapping of lower virtual memory has been created in prelog and
11296 - subl $__PAGE_OFFSET, %edx
11298 + jmp 1f-__PAGE_OFFSET
11302 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
11303 * parameter 2, ..., param n. To make things easy, we save the return
11304 * address of efi_call_phys in a global variable.
11307 - movl %edx, saved_return_addr
11308 - /* get the function pointer into ECX*/
11310 - movl %ecx, efi_rt_function_ptr
11312 - subl $__PAGE_OFFSET, %edx
11314 + popl (saved_return_addr)
11315 + popl (efi_rt_function_ptr)
11318 * 3. Clear PG bit in %CR0.
11319 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
11321 * 5. Call the physical function.
11324 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
11328 * 6. After EFI runtime service returns, control will return to
11329 * following instruction. We'd better readjust stack pointer first.
11330 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
11332 orl $0x80000000, %edx
11338 * 8. Now restore the virtual mode from flat mode by
11339 * adding EIP with PAGE_OFFSET.
11343 + jmp 1f+__PAGE_OFFSET
11347 * 9. Balance the stack. And because EAX contain the return value,
11348 * we'd better not clobber it.
11350 - leal efi_rt_function_ptr, %edx
11351 - movl (%edx), %ecx
11353 + pushl (efi_rt_function_ptr)
11356 - * 10. Push the saved return address onto the stack and return.
11357 + * 10. Return to the saved return address.
11359 - leal saved_return_addr, %edx
11360 - movl (%edx), %ecx
11363 + jmpl *(saved_return_addr)
11364 ENDPROC(efi_call_phys)
11371 efi_rt_function_ptr:
11372 diff -urNp linux-2.6.36.2/arch/x86/kernel/entry_32.S linux-2.6.36.2/arch/x86/kernel/entry_32.S
11373 --- linux-2.6.36.2/arch/x86/kernel/entry_32.S 2010-10-20 16:30:22.000000000 -0400
11374 +++ linux-2.6.36.2/arch/x86/kernel/entry_32.S 2010-12-09 20:24:54.000000000 -0500
11375 @@ -192,7 +192,67 @@
11377 #endif /* CONFIG_X86_32_LAZY_GS */
11380 +.macro PAX_EXIT_KERNEL
11381 +#ifdef CONFIG_PAX_KERNEXEC
11382 +#ifdef CONFIG_PARAVIRT
11383 + push %eax; push %ecx;
11386 + cmp $__KERNEXEC_KERNEL_CS, %esi
11388 +#ifdef CONFIG_PARAVIRT
11389 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11395 + ljmp $__KERNEL_CS, $1f
11397 +#ifdef CONFIG_PARAVIRT
11399 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11404 +#ifdef CONFIG_PARAVIRT
11405 + pop %ecx; pop %eax
11410 +.macro PAX_ENTER_KERNEL
11411 +#ifdef CONFIG_PAX_KERNEXEC
11412 +#ifdef CONFIG_PARAVIRT
11413 + push %eax; push %ecx;
11414 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11422 + cmp $__KERNEL_CS, %esi
11424 + ljmp $__KERNEL_CS, $3f
11425 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
11427 +#ifdef CONFIG_PARAVIRT
11429 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11434 +#ifdef CONFIG_PARAVIRT
11435 + pop %ecx; pop %eax
11440 +.macro __SAVE_ALL _DS
11444 @@ -225,7 +285,7 @@
11446 CFI_ADJUST_CFA_OFFSET 4
11447 CFI_REL_OFFSET ebx, 0
11448 - movl $(__USER_DS), %edx
11452 movl $(__KERNEL_PERCPU), %edx
11453 @@ -233,6 +293,15 @@
11458 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11459 + __SAVE_ALL __KERNEL_DS
11462 + __SAVE_ALL __USER_DS
11466 .macro RESTORE_INT_REGS
11468 CFI_ADJUST_CFA_OFFSET -4
11469 @@ -357,7 +426,15 @@ check_userspace:
11470 movb PT_CS(%esp), %al
11471 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11472 cmpl $USER_RPL, %eax
11474 +#ifdef CONFIG_PAX_KERNEXEC
11475 + jae resume_userspace
11478 + jmp resume_kernel
11480 jb resume_kernel # not returning to v8086 or userspace
11483 ENTRY(resume_userspace)
11485 @@ -423,10 +500,9 @@ sysenter_past_esp:
11486 /*CFI_REL_OFFSET cs, 0*/
11488 * Push current_thread_info()->sysenter_return to the stack.
11489 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11490 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
11492 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
11493 + GET_THREAD_INFO(%ebp)
11494 + pushl TI_sysenter_return(%ebp)
11495 CFI_ADJUST_CFA_OFFSET 4
11496 CFI_REL_OFFSET eip, 0
11498 @@ -439,9 +515,19 @@ sysenter_past_esp:
11499 * Load the potential sixth argument from user stack.
11500 * Careful about security.
11502 + movl PT_OLDESP(%esp),%ebp
11504 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11505 + mov PT_OLDSS(%esp),%ds
11506 +1: movl %ds:(%ebp),%ebp
11510 cmpl $__PAGE_OFFSET-3,%ebp
11512 1: movl (%ebp),%ebp
11515 movl %ebp,PT_EBP(%esp)
11516 .section __ex_table,"a"
11518 @@ -464,12 +550,23 @@ sysenter_do_call:
11519 testl $_TIF_ALLWORK_MASK, %ecx
11523 +#ifdef CONFIG_PAX_RANDKSTACK
11525 + CFI_ADJUST_CFA_OFFSET 4
11526 + call pax_randomize_kstack
11528 + CFI_ADJUST_CFA_OFFSET -4
11531 /* if something modifies registers it must also disable sysexit */
11532 movl PT_EIP(%esp), %edx
11533 movl PT_OLDESP(%esp), %ecx
11536 1: mov PT_FS(%esp), %fs
11537 +2: mov PT_DS(%esp), %ds
11538 +3: mov PT_ES(%esp), %es
11540 ENABLE_INTERRUPTS_SYSEXIT
11542 @@ -513,11 +610,17 @@ sysexit_audit:
11545 .pushsection .fixup,"ax"
11546 -2: movl $0,PT_FS(%esp)
11547 +4: movl $0,PT_FS(%esp)
11549 +5: movl $0,PT_DS(%esp)
11551 +6: movl $0,PT_ES(%esp)
11553 .section __ex_table,"a"
11561 ENDPROC(ia32_sysenter_target)
11562 @@ -551,6 +654,10 @@ syscall_exit:
11563 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11564 jne syscall_exit_work
11566 +#ifdef CONFIG_PAX_RANDKSTACK
11567 + call pax_randomize_kstack
11572 restore_all_notrace:
11573 @@ -611,14 +718,21 @@ ldt_ss:
11574 * compensating for the offset by changing to the ESPFIX segment with
11575 * a base address that matches for the difference.
11577 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
11578 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
11579 mov %esp, %edx /* load kernel esp */
11580 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11581 mov %dx, %ax /* eax: new kernel esp */
11582 sub %eax, %edx /* offset (low word is 0) */
11584 + movl PER_CPU_VAR(cpu_number), %ebx
11585 + shll $PAGE_SHIFT_asm, %ebx
11586 + addl $cpu_gdt_table, %ebx
11588 + movl $cpu_gdt_table, %ebx
11591 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
11592 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
11593 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
11594 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
11596 CFI_ADJUST_CFA_OFFSET 4
11597 push %eax /* new kernel esp */
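Review bot: `GDT_ESPFIX_SS` now expands to an operand relative to `%ebx`, which hides a register dependency inside a macro that used to be self-contained. Every use is correct only after `%ebx` has been loaded with this CPU's `cpu_gdt_table` base, and that load clobbers `%ebx`; neither fact is stated at the `#define`. Add a comment there, e.g. `/* requires %ebx = base of this CPU's GDT; clobbers %ebx */`. It is also worth noting that `shll $PAGE_SHIFT_asm, %ebx` assumes one page per CPU in `cpu_gdt_table`. The same load-then-use pattern is repeated in the stack-fixup hunk at `@@ -791,8 +903,15 @@`.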
11598 @@ -655,25 +769,19 @@ work_resched:
11600 work_notifysig: # deal with pending signals and
11601 # notify-resume requests
11604 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11606 - jne work_notifysig_v86 # returning to kernel-space or
11607 + jz 1f # returning to kernel-space or
11610 - call do_notify_resume
11611 - jmp resume_userspace_sig
11614 -work_notifysig_v86:
11615 pushl %ecx # save ti_flags for do_notify_resume
11616 CFI_ADJUST_CFA_OFFSET 4
11617 call save_v86_state # %eax contains pt_regs pointer
11619 CFI_ADJUST_CFA_OFFSET -4
11626 call do_notify_resume
11627 @@ -708,6 +816,10 @@ END(syscall_exit_work)
11629 RING0_INT_FRAME # can't unwind into user space anyway
11631 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11635 GET_THREAD_INFO(%ebp)
11636 movl $-EFAULT,PT_EAX(%esp)
11637 jmp resume_userspace
11638 @@ -791,8 +903,15 @@ ptregs_clone:
11639 * normal stack and adjusts ESP with the matching offset.
11641 /* fixup the stack */
11642 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
11643 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
11645 + movl PER_CPU_VAR(cpu_number), %ebx
11646 + shll $PAGE_SHIFT_asm, %ebx
11647 + addl $cpu_gdt_table, %ebx
11649 + movl $cpu_gdt_table, %ebx
11651 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
11652 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
11654 addl %esp, %eax /* the adjusted stack pointer */
11656 @@ -1275,7 +1394,6 @@ return_to_handler:
11660 -.section .rodata,"a"
11661 #include "syscall_table_32.S"
11663 syscall_table_size=(.-sys_call_table)
11664 @@ -1332,9 +1450,12 @@ error_code:
11665 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11668 - movl $(__USER_DS), %ecx
11669 + movl $(__KERNEL_DS), %ecx
11676 movl %esp,%eax # pt_regs pointer
11678 @@ -1428,6 +1549,9 @@ nmi_stack_correct:
11679 xorl %edx,%edx # zero error code
11680 movl %esp,%eax # pt_regs pointer
11685 jmp restore_all_notrace
11688 @@ -1468,6 +1592,9 @@ nmi_espfix_stack:
11689 FIXUP_ESPFIX_STACK # %eax == %esp
11690 xorl %edx,%edx # zero error code
11696 lss 12+4(%esp), %esp # back to espfix stack
11697 CFI_ADJUST_CFA_OFFSET -24
11698 diff -urNp linux-2.6.36.2/arch/x86/kernel/entry_64.S linux-2.6.36.2/arch/x86/kernel/entry_64.S
11699 --- linux-2.6.36.2/arch/x86/kernel/entry_64.S 2010-10-20 16:30:22.000000000 -0400
11700 +++ linux-2.6.36.2/arch/x86/kernel/entry_64.S 2010-12-09 20:24:54.000000000 -0500
11702 #include <asm/paravirt.h>
11703 #include <asm/ftrace.h>
11704 #include <asm/percpu.h>
11705 +#include <asm/pgtable.h>
11707 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11708 #include <linux/elf-em.h>
11709 @@ -174,6 +175,189 @@ ENTRY(native_usergs_sysret64)
11710 ENDPROC(native_usergs_sysret64)
11711 #endif /* CONFIG_PARAVIRT */
11713 + .macro ljmpq sel, off
11714 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11715 + .byte 0x48; ljmp *1234f(%rip)
11716 + .pushsection .rodata
11718 + 1234: .quad \off; .word \sel
11727 +ENTRY(pax_enter_kernel)
11729 +#ifdef CONFIG_PAX_KERNEXEC
11732 +#ifdef CONFIG_PARAVIRT
11733 + PV_SAVE_REGS(CLBR_RDI)
11740 + cmp $__KERNEL_CS,%edi
11742 + ljmpq __KERNEL_CS,3f
11743 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
11744 +2: SET_RDI_INTO_CR0
11747 +#ifdef CONFIG_PARAVIRT
11748 + PV_RESTORE_REGS(CLBR_RDI)
11755 +ENDPROC(pax_enter_kernel)
11757 +ENTRY(pax_exit_kernel)
11759 +#ifdef CONFIG_PAX_KERNEXEC
11762 +#ifdef CONFIG_PARAVIRT
11763 + PV_SAVE_REGS(CLBR_RDI)
11767 + cmp $__KERNEXEC_KERNEL_CS,%edi
11771 + ljmpq __KERNEL_CS,1f
11772 +1: SET_RDI_INTO_CR0
11775 +#ifdef CONFIG_PARAVIRT
11776 + PV_RESTORE_REGS(CLBR_RDI);
11783 +ENDPROC(pax_exit_kernel)
11785 +ENTRY(pax_enter_kernel_user)
11787 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11791 +#ifdef CONFIG_PARAVIRT
11792 + PV_SAVE_REGS(CLBR_RDI)
11797 + add $__START_KERNEL_map,%rbx
11798 + sub phys_base(%rip),%rbx
11800 +#ifdef CONFIG_PARAVIRT
11802 + cmpl $0, pv_info+PARAVIRT_enabled
11805 + .rept USER_PGD_PTRS
11806 + mov i*8(%rbx),%rsi
11808 + lea i*8(%rbx),%rdi
11809 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11817 + .rept USER_PGD_PTRS
11818 + movb $0,i*8(%rbx)
11822 +#ifdef CONFIG_PARAVIRT
11827 +#ifdef CONFIG_PAX_KERNEXEC
11833 +#ifdef CONFIG_PARAVIRT
11834 + PV_RESTORE_REGS(CLBR_RDI)
11842 +ENDPROC(pax_enter_kernel_user)
11844 +ENTRY(pax_exit_kernel_user)
11846 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11849 +#ifdef CONFIG_PARAVIRT
11851 + PV_SAVE_REGS(CLBR_RDI)
11854 +#ifdef CONFIG_PAX_KERNEXEC
11861 + add $__START_KERNEL_map,%rdi
11862 + sub phys_base(%rip),%rdi
11864 +#ifdef CONFIG_PARAVIRT
11865 + cmpl $0, pv_info+PARAVIRT_enabled
11869 + .rept USER_PGD_PTRS
11870 + mov i*8(%rbx),%rsi
11872 + lea i*8(%rbx),%rdi
11873 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11881 + .rept USER_PGD_PTRS
11882 + movb $0x67,i*8(%rdi)
11886 +#ifdef CONFIG_PARAVIRT
11887 +2: PV_RESTORE_REGS(CLBR_RDI)
11895 +ENDPROC(pax_exit_kernel_user)
11897 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
11898 #ifdef CONFIG_TRACE_IRQFLAGS
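Review bot: The byte stores `movb $0,i*8(%rbx)` in `pax_enter_kernel_user` and `movb $0x67,i*8(%rdi)` in `pax_exit_kernel_user` use bare constants for page-table flag bits. `0x67` matches `_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED | _PAGE_DIRTY` on x86, and writing only the low byte of each of the `USER_PGD_PTRS` entries relies on all of those flags living in bits 0-7. Spell that out with a named constant or a comment such as `/* low byte of each user PGD entry: 0 = not present, 0x67 = P|RW|US|A|D */`, so a later change to the flag layout is caught in review. Several lines of these routines are missing from the page, so the surrounding register setup could not be checked.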
11899 @@ -317,7 +501,7 @@ ENTRY(save_args)
11900 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
11901 movq_cfi rbp, 8 /* push %rbp */
11902 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
11903 - testl $3, CS(%rdi)
11904 + testb $3, CS(%rdi)
11908 @@ -409,7 +593,7 @@ ENTRY(ret_from_fork)
11912 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11913 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11914 je int_ret_from_sys_call
11916 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
11917 @@ -468,6 +652,11 @@ ENTRY(system_call_after_swapgs)
11919 movq %rsp,PER_CPU_VAR(old_rsp)
11920 movq PER_CPU_VAR(kernel_stack),%rsp
11922 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11923 + call pax_enter_kernel_user
11927 * No need to follow this irqs off/on section - it's straight
11929 @@ -502,6 +691,11 @@ sysret_check:
11934 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11935 + call pax_exit_kernel_user
11939 * sysretq will re-enable interrupts:
11941 @@ -613,7 +807,7 @@ tracesys:
11942 GLOBAL(int_ret_from_sys_call)
11943 DISABLE_INTERRUPTS(CLBR_NONE)
11945 - testl $3,CS-ARGOFFSET(%rsp)
11946 + testb $3,CS-ARGOFFSET(%rsp)
11947 je retint_restore_args
11948 movl $_TIF_ALLWORK_MASK,%edi
11949 /* edi: mask to check */
11950 @@ -800,6 +994,16 @@ END(interrupt)
11951 CFI_ADJUST_CFA_OFFSET 10*8
11954 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11955 + testb $3, CS(%rdi)
11957 + call pax_enter_kernel
11959 +1: call pax_enter_kernel_user
11962 + call pax_enter_kernel
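Review bot: The `testb $3, CS(...)` / `call pax_enter_kernel` / `1: call pax_enter_kernel_user` sequence added here is pasted again in the hunks at `@@ -1040,6`, `@@ -1057,6`, `@@ -1075,8`, `@@ -1093,6`, `@@ -1112,6` and `@@ -1502,6`. The copies differ only in the base register of the `CS` operand (`%rdi` here, `%rsp` elsewhere). Each copy is a chance for one entry path to drift from the others, which matters for code that selects the protection state the kernel runs in. Wrap the sequence in one assembler macro that takes the frame register, e.g. `.macro PAX_ENTER_FROM_FRAME reg`, and invoke it from each entry stub.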
11967 @@ -826,7 +1030,7 @@ ret_from_intr:
11968 CFI_ADJUST_CFA_OFFSET -8
11970 GET_THREAD_INFO(%rcx)
11971 - testl $3,CS-ARGOFFSET(%rsp)
11972 + testb $3,CS-ARGOFFSET(%rsp)
11975 /* Interrupt came from user space */
11976 @@ -848,12 +1052,18 @@ retint_swapgs: /* return to user-space
11977 * The iretq could re-enable interrupts:
11979 DISABLE_INTERRUPTS(CLBR_ANY)
11981 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11982 + call pax_exit_kernel_user
11989 retint_restore_args: /* return to kernel space */
11990 DISABLE_INTERRUPTS(CLBR_ANY)
11991 + call pax_exit_kernel
11993 * The iretq could re-enable interrupts:
11995 @@ -1040,6 +1250,16 @@ ENTRY(\sym)
11996 CFI_ADJUST_CFA_OFFSET 15*8
11999 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12000 + testb $3, CS(%rsp)
12002 + call pax_enter_kernel
12004 +1: call pax_enter_kernel_user
12007 + call pax_enter_kernel
12009 movq %rsp,%rdi /* pt_regs pointer */
12010 xorl %esi,%esi /* no error code */
12012 @@ -1057,6 +1277,16 @@ ENTRY(\sym)
12016 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12017 + testb $3, CS(%rsp)
12019 + call pax_enter_kernel
12021 +1: call pax_enter_kernel_user
12024 + call pax_enter_kernel
12026 movq %rsp,%rdi /* pt_regs pointer */
12027 xorl %esi,%esi /* no error code */
12029 @@ -1065,7 +1295,7 @@ ENTRY(\sym)
12033 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
12034 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
12035 .macro paranoidzeroentry_ist sym do_sym ist
12038 @@ -1075,8 +1305,24 @@ ENTRY(\sym)
12042 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12043 + testb $3, CS(%rsp)
12045 + call pax_enter_kernel
12047 +1: call pax_enter_kernel_user
12050 + call pax_enter_kernel
12052 movq %rsp,%rdi /* pt_regs pointer */
12053 xorl %esi,%esi /* no error code */
12055 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
12056 + lea init_tss(%r12), %r12
12058 + lea init_tss(%rip), %r12
12060 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
12062 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
12063 @@ -1093,6 +1339,16 @@ ENTRY(\sym)
12064 CFI_ADJUST_CFA_OFFSET 15*8
12067 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12068 + testb $3, CS(%rsp)
12070 + call pax_enter_kernel
12072 +1: call pax_enter_kernel_user
12075 + call pax_enter_kernel
12077 movq %rsp,%rdi /* pt_regs pointer */
12078 movq ORIG_RAX(%rsp),%rsi /* get error code */
12079 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
12080 @@ -1112,6 +1368,16 @@ ENTRY(\sym)
12084 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12085 + testb $3, CS(%rsp)
12087 + call pax_enter_kernel
12089 +1: call pax_enter_kernel_user
12092 + call pax_enter_kernel
12094 movq %rsp,%rdi /* pt_regs pointer */
12095 movq ORIG_RAX(%rsp),%rsi /* get error code */
12096 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
12097 @@ -1373,14 +1639,27 @@ ENTRY(paranoid_exit)
12099 testl %ebx,%ebx /* swapgs needed? */
12100 jnz paranoid_restore
12101 - testl $3,CS(%rsp)
12102 + testb $3,CS(%rsp)
12103 jnz paranoid_userspace
12104 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12105 + call pax_exit_kernel
12106 + TRACE_IRQS_IRETQ 0
12107 + SWAPGS_UNSAFE_STACK
12112 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12113 + call pax_exit_kernel_user
12115 + call pax_exit_kernel
12118 SWAPGS_UNSAFE_STACK
12122 + call pax_exit_kernel
12126 @@ -1438,7 +1717,7 @@ ENTRY(error_entry)
12127 movq_cfi r14, R14+8
12128 movq_cfi r15, R15+8
12130 - testl $3,CS+8(%rsp)
12131 + testb $3,CS+8(%rsp)
12132 je error_kernelspace
12135 @@ -1502,6 +1781,16 @@ ENTRY(nmi)
12136 CFI_ADJUST_CFA_OFFSET 15*8
12139 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12140 + testb $3, CS(%rsp)
12142 + call pax_enter_kernel
12144 +1: call pax_enter_kernel_user
12147 + call pax_enter_kernel
12149 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
12152 @@ -1512,11 +1801,12 @@ ENTRY(nmi)
12153 DISABLE_INTERRUPTS(CLBR_NONE)
12154 testl %ebx,%ebx /* swapgs needed? */
12156 - testl $3,CS(%rsp)
12157 + testb $3,CS(%rsp)
12160 SWAPGS_UNSAFE_STACK
12162 + call pax_exit_kernel
12166 diff -urNp linux-2.6.36.2/arch/x86/kernel/ftrace.c linux-2.6.36.2/arch/x86/kernel/ftrace.c
12167 --- linux-2.6.36.2/arch/x86/kernel/ftrace.c 2010-10-20 16:30:22.000000000 -0400
12168 +++ linux-2.6.36.2/arch/x86/kernel/ftrace.c 2010-12-09 20:24:55.000000000 -0500
12169 @@ -174,7 +174,9 @@ void ftrace_nmi_enter(void)
12171 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
12173 + pax_open_kernel();
12175 + pax_close_kernel();
12176 atomic_inc(&nmi_update_count);
12178 /* Must have previous changes seen before executions */
12179 @@ -260,7 +262,7 @@ do_ftrace_mod_code(unsigned long ip, voi
12183 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
12184 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
12186 static unsigned char *ftrace_nop_replace(void)
12188 @@ -273,6 +275,8 @@ ftrace_modify_code(unsigned long ip, uns
12190 unsigned char replaced[MCOUNT_INSN_SIZE];
12192 + ip = ktla_ktva(ip);
12195 * Note: Due to modules and __init, code can
12196 * disappear and change, we need to protect against faulting
12197 @@ -329,7 +333,7 @@ int ftrace_update_ftrace_func(ftrace_fun
12198 unsigned char old[MCOUNT_INSN_SIZE], *new;
12201 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
12202 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
12203 new = ftrace_call_replace(ip, (unsigned long)func);
12204 ret = ftrace_modify_code(ip, old, new);
12206 @@ -382,15 +386,15 @@ int __init ftrace_dyn_arch_init(void *da
12209 pr_info("converting mcount calls to 0f 1f 44 00 00\n");
12210 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
12211 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
12214 pr_info("converting mcount calls to 66 66 66 66 90\n");
12215 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
12216 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
12219 pr_info("converting mcount calls to jmp . + 5\n");
12220 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
12221 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
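Review bot: The three `memcpy(ftrace_nop, ...)` calls write into an array that an earlier hunk of this file marks `__read_only`, and no `pax_open_kernel()`/`pax_close_kernel()` pair brackets them, unlike the bracketed call in ftrace_nmi_enter. This presumably works because ftrace_dyn_arch_init is `__init` and runs before read-only data is write-protected, but that ordering is not stated anywhere visible. A comment such as `/* ftrace_nop is __read_only: written once here during init, before the section is protected */` would record the assumption. Separately, `ktla_ktva()` takes a bare symbol here but a value cast to `unsigned long` and back to `void *` in ftrace_update_ftrace_func; one form throughout would read better. The function body continues outside the hunk.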
12225 @@ -411,6 +415,8 @@ static int ftrace_mod_jmp(unsigned long
12227 unsigned char code[MCOUNT_INSN_SIZE];
12229 + ip = ktla_ktva(ip);
12231 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
12234 diff -urNp linux-2.6.36.2/arch/x86/kernel/head32.c linux-2.6.36.2/arch/x86/kernel/head32.c
12235 --- linux-2.6.36.2/arch/x86/kernel/head32.c 2010-10-20 16:30:22.000000000 -0400
12236 +++ linux-2.6.36.2/arch/x86/kernel/head32.c 2010-12-09 20:24:54.000000000 -0500
12238 #include <asm/apic.h>
12239 #include <asm/io_apic.h>
12240 #include <asm/bios_ebda.h>
12241 +#include <asm/boot.h>
12243 static void __init i386_default_early_setup(void)
12245 @@ -40,7 +41,7 @@ void __init i386_start_kernel(void)
12249 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
12250 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
12252 #ifdef CONFIG_BLK_DEV_INITRD
12253 /* Reserve INITRD */
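Review bot: The reservation now starts at the constant `LOAD_PHYSICAL_ADDR` instead of `__pa_symbol(&_text)`, while the end is still computed from a symbol, and the reason for the asymmetry is not given. If `_text` no longer marks the lowest physical byte of the image under this patch (the head_32.S changes hint that something is placed ahead of it), say so in a comment, e.g. `/* image starts at LOAD_PHYSICAL_ADDR; _text may sit above it */`. It is also worth confirming the behaviour for a relocatable kernel, where the runtime load address can differ from the configured constant. i386_start_kernel continues outside the hunk.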
12254 diff -urNp linux-2.6.36.2/arch/x86/kernel/head_32.S linux-2.6.36.2/arch/x86/kernel/head_32.S
12255 --- linux-2.6.36.2/arch/x86/kernel/head_32.S 2010-10-20 16:30:22.000000000 -0400
12256 +++ linux-2.6.36.2/arch/x86/kernel/head_32.S 2010-12-09 20:24:55.000000000 -0500
12258 /* Physical address */
12259 #define pa(X) ((X) - __PAGE_OFFSET)
12261 +#ifdef CONFIG_PAX_KERNEXEC
12264 +#define ta(X) ((X) - __PAGE_OFFSET)
12268 * References to members of the new_cpu_data structure.
12271 * and small than max_low_pfn, otherwise will waste some page table entries
12274 -#if PTRS_PER_PMD > 1
12275 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
12277 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
12279 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
12281 /* Enough space to fit pagetables for the low memory linear map */
12282 MAPPING_BEYOND_END = \
12283 @@ -75,6 +77,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
12284 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12287 + * Real beginning of normal "text" segment
12293 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
12294 * %esi points to the real-mode code as a 32-bit pointer.
12295 * CS and DS must be 4 GB flat segments, but we don't depend on
12296 @@ -82,6 +90,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12301 +#ifdef CONFIG_PAX_KERNEXEC
12303 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
12304 +.fill PAGE_SIZE-5,1,0xcc
12308 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
12309 us to not reload segments */
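Review bot: `.fill PAGE_SIZE-5,1,0xcc` hard-codes 5, presumably the encoded length of an instruction emitted just before it (that line is not visible in this listing). If that instruction's encoding ever changes size, the padding silently stops ending on a page boundary. Deriving the count from labels, or following the fill with an assembler check on the current offset, would turn the assumption into a build failure; at minimum add a comment such as `/* 5 = size of the preceding jmp */` if that is what the number stands for.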
12310 @@ -99,6 +114,55 @@ ENTRY(startup_32)
12315 + movl $pa(cpu_gdt_table),%edi
12316 + movl $__per_cpu_load,%eax
12317 + movw %ax,__KERNEL_PERCPU + 2(%edi)
12319 + movb %al,__KERNEL_PERCPU + 4(%edi)
12320 + movb %ah,__KERNEL_PERCPU + 7(%edi)
12321 + movl $__per_cpu_end - 1,%eax
12322 + subl $__per_cpu_start,%eax
12323 + movw %ax,__KERNEL_PERCPU + 0(%edi)
12326 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12327 + movl $NR_CPUS,%ecx
12328 + movl $pa(cpu_gdt_table),%edi
12330 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
12331 + addl $PAGE_SIZE_asm,%edi
12335 +#ifdef CONFIG_PAX_KERNEXEC
12336 + movl $pa(boot_gdt),%edi
12337 + movl $__LOAD_PHYSICAL_ADDR,%eax
12338 + movw %ax,__BOOT_CS + 2(%edi)
12340 + movb %al,__BOOT_CS + 4(%edi)
12341 + movb %ah,__BOOT_CS + 7(%edi)
12344 + ljmp $(__BOOT_CS),$1f
12347 + movl $NR_CPUS,%ecx
12348 + movl $pa(cpu_gdt_table),%edi
12349 + addl $__PAGE_OFFSET,%eax
12351 + movw %ax,__KERNEL_CS + 2(%edi)
12352 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
12354 + movb %al,__KERNEL_CS + 4(%edi)
12355 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
12356 + movb %ah,__KERNEL_CS + 7(%edi)
12357 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
12359 + addl $PAGE_SIZE_asm,%edi
12364 * Clear BSS first so that there are no surprises...
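Review bot: The immediate in `movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)` packs a whole descriptor high dword into one undocumented number. Going by the descriptor layout, `0x00c09700` sets G and D/B, present, DPL 0 and data type 7 (writable, expand-down, accessed), and the shifted term supplies limit bits 19:16 from `__PAGE_OFFSET-1`. A two-line comment spelling that out, and stating that the segment is presumably meant to exclude offsets below `__PAGE_OFFSET`, would let a reader verify it without a manual. The same hunk patches descriptor bytes at offsets +2, +4 and +7 in three places; a short note that these are base 15:0, 23:16 and 31:24 would help as well.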
12366 @@ -148,9 +212,7 @@ ENTRY(startup_32)
12367 cmpl $num_subarch_entries, %eax
12370 - movl pa(subarch_entries)(,%eax,4), %eax
12371 - subl $__PAGE_OFFSET, %eax
12373 + jmp *pa(subarch_entries)(,%eax,4)
12377 @@ -162,10 +224,10 @@ WEAK(xen_entry)
12381 - .long default_entry /* normal x86/PC */
12382 - .long lguest_entry /* lguest hypervisor */
12383 - .long xen_entry /* Xen hypervisor */
12384 - .long default_entry /* Moorestown MID */
12385 + .long ta(default_entry) /* normal x86/PC */
12386 + .long ta(lguest_entry) /* lguest hypervisor */
12387 + .long ta(xen_entry) /* Xen hypervisor */
12388 + .long ta(default_entry) /* Moorestown MID */
12389 num_subarch_entries = (. - subarch_entries) / 4
12391 #endif /* CONFIG_PARAVIRT */
12392 @@ -226,8 +288,11 @@ default_entry:
12393 movl %eax, pa(max_pfn_mapped)
12395 /* Do early initialization of the fixmap area */
12396 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
12397 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
12398 +#ifdef CONFIG_COMPAT_VDSO
12399 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
12401 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
12403 #else /* Not PAE */
12405 page_pde_offset = (__PAGE_OFFSET >> 20);
12406 @@ -257,8 +322,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12407 movl %eax, pa(max_pfn_mapped)
12409 /* Do early initialization of the fixmap area */
12410 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
12411 - movl %eax,pa(swapper_pg_dir+0xffc)
12412 +#ifdef CONFIG_COMPAT_VDSO
12413 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
12415 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
12420 @@ -305,6 +373,7 @@ ENTRY(startup_32_smp)
12424 +#ifdef CONFIG_X86_PAE
12425 testb $X86_CR4_PAE, %al # check if PAE is enabled
12428 @@ -329,6 +398,9 @@ ENTRY(startup_32_smp)
12429 /* Make changes effective */
12432 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
12438 @@ -354,9 +426,7 @@ ENTRY(startup_32_smp)
12442 - jz 1f /* Initial CPU cleans BSS */
12445 + jnz checkCPUtype /* Initial CPU cleans BSS */
12446 #endif /* CONFIG_SMP */
12449 @@ -434,7 +504,7 @@ is386: movl $2,%ecx # set MP
12450 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
12451 movl %eax,%ss # after changing gdt.
12453 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
12454 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
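Review bot: The replacement for the `__USER_DS` load is a commented-out instruction, `# movl $(__KERNEL_DS),%eax`, which reads like leftover debugging rather than a decision. If the intent is that %eax still holds `__KERNEL_DS` from the `movl` two lines up and no reload is needed, say that instead: `# %eax still holds __KERNEL_DS from the %ss load above; DS/ES use the kernel segment`. The stores to %ds/%es are outside the visible lines, so this assumes nothing in between clobbers %eax.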
12458 @@ -448,8 +518,11 @@ is386: movl $2,%ecx # set MP
12462 - movl $gdt_page,%eax
12463 + movl $cpu_gdt_table,%eax
12464 movl $stack_canary,%ecx
12466 + addl $__per_cpu_load,%ecx
12468 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
12470 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
12471 @@ -467,10 +540,6 @@ is386: movl $2,%ecx # set MP
12475 - cmpb $0,%cl # the first CPU calls start_kernel
12477 - movl (stack_start), %esp
12479 #endif /* CONFIG_SMP */
12480 jmp *(initial_code)
12482 @@ -556,22 +625,22 @@ early_page_fault:
12487 #ifdef CONFIG_PRINTK
12488 + cmpl $1,%ss:early_recursion_flag
12490 + incl %ss:early_recursion_flag
12493 movl $(__KERNEL_DS),%eax
12496 - cmpl $2,early_recursion_flag
12498 - incl early_recursion_flag
12501 pushl %edx /* trapno */
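Review bot: The recursion check moved to the top of the handler also changes its limit, from `cmpl $2` to `cmpl $1`, while the matching change in ignore_int (next hunk) keeps `cmpl $2`. Nothing visible explains why the two handlers now tolerate different depths. If this is deliberate, a comment on the new line would settle it, along the lines of `/* a second early fault halts instead of re-entering printk */`; if not, both should use the same value. The `%ss:` override makes sense given the check now runs before %ds is reloaded, and deserves a short comment too.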
12510 @@ -579,8 +648,11 @@ hlt_loop:
12511 /* This is the default interrupt "handler" :-) */
12515 #ifdef CONFIG_PRINTK
12516 + cmpl $2,%ss:early_recursion_flag
12518 + incl %ss:early_recursion_flag
12523 @@ -589,9 +661,6 @@ ignore_int:
12524 movl $(__KERNEL_DS),%eax
12527 - cmpl $2,early_recursion_flag
12529 - incl early_recursion_flag
12533 @@ -620,31 +689,47 @@ ENTRY(initial_page_table)
12537 -__PAGE_ALIGNED_BSS
12538 - .align PAGE_SIZE_asm
12539 #ifdef CONFIG_X86_PAE
12540 +.section .swapper_pg_pmd,"a",@progbits
12542 .fill 1024*KPMDS,4,0
12544 +.section .swapper_pg_dir,"a",@progbits
12545 ENTRY(swapper_pg_dir)
12548 +.section .swapper_pg_fixmap,"a",@progbits
12551 #ifdef CONFIG_X86_TRAMPOLINE
12552 +.section .trampoline_pg_dir,"a",@progbits
12553 ENTRY(trampoline_pg_dir)
12554 +#ifdef CONFIG_X86_PAE
12561 +.section .empty_zero_page,"a",@progbits
12562 ENTRY(empty_zero_page)
12566 + * The IDT has to be page-aligned to simplify the Pentium
12567 + * F0 0F bug workaround.. We have a special link segment
12570 +.section .idt,"a",@progbits
12575 * This starts the data section.
12577 #ifdef CONFIG_X86_PAE
12578 -__PAGE_ALIGNED_DATA
12579 - /* Page-aligned for the benefit of paravirt? */
12580 - .align PAGE_SIZE_asm
12581 +.section .swapper_pg_dir,"a",@progbits
12583 ENTRY(swapper_pg_dir)
12584 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
12586 @@ -663,15 +748,24 @@ ENTRY(swapper_pg_dir)
12587 # error "Kernel PMDs should be 1, 2 or 3"
12589 .align PAGE_SIZE_asm /* needs to be page-sized too */
12591 +#ifdef CONFIG_PAX_PER_CPU_PGD
12602 - .long init_thread_union+THREAD_SIZE
12603 + .long init_thread_union+THREAD_SIZE-8
12608 +.section .rodata,"a",@progbits
12609 early_recursion_flag:
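Review bot: `early_recursion_flag` is now emitted right after `.section .rodata,"a",@progbits`, yet the handlers changed earlier in this file still do `incl %ss:early_recursion_flag`. That only works while the section is writable; if either handler can run after read-only data is protected, the increment itself would fault inside the fault handler. Please confirm both users are reachable only during early boot and note it next to the label, e.g. `/* in .rodata: written only before rodata is write-protected */`. Some lines around the section directive are missing from this listing, so the placement is read from what is shown.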
12612 @@ -707,7 +801,7 @@ fault_msg:
12613 .word 0 # 32 bit align gdt_desc.address
12616 - .long boot_gdt - __PAGE_OFFSET
12617 + .long pa(boot_gdt)
12619 .word 0 # 32-bit align idt_desc.address
12621 @@ -718,7 +812,7 @@ idt_descr:
12622 .word 0 # 32 bit align gdt_desc.address
12623 ENTRY(early_gdt_descr)
12624 .word GDT_ENTRIES*8-1
12625 - .long gdt_page /* Overwritten for secondary CPUs */
12626 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
12629 * The boot_gdt must mirror the equivalent in setup.S and is
12630 @@ -727,5 +821,65 @@ ENTRY(early_gdt_descr)
12631 .align L1_CACHE_BYTES
12633 .fill GDT_ENTRY_BOOT_CS,8,0
12634 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12635 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12636 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12637 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12639 + .align PAGE_SIZE_asm
12640 +ENTRY(cpu_gdt_table)
12642 + .quad 0x0000000000000000 /* NULL descriptor */
12643 + .quad 0x0000000000000000 /* 0x0b reserved */
12644 + .quad 0x0000000000000000 /* 0x13 reserved */
12645 + .quad 0x0000000000000000 /* 0x1b reserved */
12647 +#ifdef CONFIG_PAX_KERNEXEC
12648 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12650 + .quad 0x0000000000000000 /* 0x20 unused */
12653 + .quad 0x0000000000000000 /* 0x28 unused */
12654 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12655 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12656 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12657 + .quad 0x0000000000000000 /* 0x4b reserved */
12658 + .quad 0x0000000000000000 /* 0x53 reserved */
12659 + .quad 0x0000000000000000 /* 0x5b reserved */
12661 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12662 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12663 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12664 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12666 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12667 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12670 + * Segments used for calling PnP BIOS have byte granularity.
12671 + * The code segments and data segments have fixed 64k limits,
12672 + * the transfer segment sizes are set at run time.
12674 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
12675 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
12676 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
12677 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
12678 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
12681 + * The APM segments have byte granularity and their bases
12682 + * are set at run time. All have 64k limits.
12684 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12685 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12686 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
12688 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12689 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
12690 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
12691 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12692 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12693 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12695 + /* Be sure this is zeroed to avoid false validations in Xen */
12696 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
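Review bot: The boot_gdt descriptors change from `0x00cf9a000000ffff`/`0x00cf92000000ffff` to `0x00cf9b000000ffff`/`0x00cf93000000ffff`, and every populated entry in the new cpu_gdt_table likewise has the low type bit set, but the comments still describe them only as code or data segments. That bit is the accessed flag; pre-setting it means the CPU has no reason to write the descriptor back when the segment is loaded, which matters if the table is meant to sit in read-only memory. A one-line comment above each table, `/* accessed bit pre-set so segment loads never write to the GDT */`, would keep a later editor from tidying the values back. The STACK_CANARY entry (`0x0040910000000018`) follows the same rule.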
12698 diff -urNp linux-2.6.36.2/arch/x86/kernel/head_64.S linux-2.6.36.2/arch/x86/kernel/head_64.S
12699 --- linux-2.6.36.2/arch/x86/kernel/head_64.S 2010-10-20 16:30:22.000000000 -0400
12700 +++ linux-2.6.36.2/arch/x86/kernel/head_64.S 2010-12-09 20:24:55.000000000 -0500
12702 #include <asm/cache.h>
12703 #include <asm/processor-flags.h>
12704 #include <asm/percpu.h>
12705 +#include <asm/cpufeature.h>
12707 #ifdef CONFIG_PARAVIRT
12708 #include <asm/asm-offsets.h>
12709 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12710 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12711 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12712 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12713 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12714 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12715 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12716 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12720 @@ -85,35 +90,22 @@ startup_64:
12722 addq %rbp, init_level4_pgt + 0(%rip)
12723 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12724 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12725 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12726 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12728 addq %rbp, level3_ident_pgt + 0(%rip)
12729 +#ifndef CONFIG_XEN
12730 + addq %rbp, level3_ident_pgt + 8(%rip)
12733 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12734 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12735 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12737 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12738 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12739 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12741 - /* Add an Identity mapping if I am above 1G */
12742 - leaq _text(%rip), %rdi
12743 - andq $PMD_PAGE_MASK, %rdi
12746 - shrq $PUD_SHIFT, %rax
12747 - andq $(PTRS_PER_PUD - 1), %rax
12748 - jz ident_complete
12750 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12751 - leaq level3_ident_pgt(%rip), %rbx
12752 - movq %rdx, 0(%rbx, %rax, 8)
12755 - shrq $PMD_SHIFT, %rax
12756 - andq $(PTRS_PER_PMD - 1), %rax
12757 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12758 - leaq level2_spare_pgt(%rip), %rbx
12759 - movq %rdx, 0(%rbx, %rax, 8)
12761 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12762 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12765 * Fixup the kernel text+data virtual addresses. Note that
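Review bot: This hunk deletes the block that built an identity mapping at run time when the kernel is loaded above 1G and replaces it with fixups for a static table (`addq %rbp, level3_ident_pgt + 8(%rip)`); a later hunk sizes that table at `2*PTRS_PER_PMD` entries, i.e. the first 2G. A load address above that range would then presumably have no identity mapping during early boot, unless a bound is enforced somewhere not shown. Either state the limit where the table is defined, e.g. `/* identity map covers 0-2G only; kernel must be loaded below 2G */`, or add a check early in startup_64 that stops on a higher address. The bare index in `level2_fixmap_pgt + (507*8)` would also benefit from a name or comment.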
12766 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12767 * after the boot processor executes this code.
12770 - /* Enable PAE mode and PGE */
12771 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12772 + /* Enable PAE mode and PSE/PGE */
12773 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
12776 /* Setup early boot stage 4 level pagetables. */
12777 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
12778 movl $MSR_EFER, %ecx
12780 btsl $_EFER_SCE, %eax /* Enable System Call */
12781 - btl $20,%edi /* No Execute supported? */
12782 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
12784 btsl $_EFER_NX, %eax
12785 + leaq init_level4_pgt(%rip), %rdi
12786 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
12787 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
12788 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
12789 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
12790 1: wrmsr /* Make changes effective */
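Review bot: The four `btsq $_PAGE_BIT_NX, ...` lines sit in secondary_startup_64, so they run on every CPU bring-up, not only on the boot CPU, and each one writes to shared data (`init_level4_pgt`, `__supported_pte_mask`). A later hunk in this file places the page tables after `.section .rodata`, so if that memory is write-protected by the time a CPU is started late, the store would be attempted against read-only data; whether it can fault depends on CR0.WP at that point, which is not visible here. Please confirm and document the guarantee, e.g. `/* idempotent; runs before CR0.WP is set on this CPU */` if that is what holds. Also note that `leaq init_level4_pgt(%rip), %rdi` discards the CPUID feature word tested on the line above.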
12793 @@ -270,7 +267,7 @@ ENTRY(secondary_startup_64)
12797 - .section ".init.text","ax"
12799 #ifdef CONFIG_EARLY_PRINTK
12800 .globl early_idt_handlers
12801 early_idt_handlers:
12802 @@ -315,18 +312,23 @@ ENTRY(early_idt_handler)
12803 #endif /* EARLY_PRINTK */
12808 #ifdef CONFIG_EARLY_PRINTK
12810 early_recursion_flag:
12814 + .section .rodata,"a",@progbits
12816 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
12819 -#endif /* CONFIG_EARLY_PRINTK */
12821 +#endif /* CONFIG_EARLY_PRINTK */
12823 + .section .rodata,"a",@progbits
12824 #define NEXT_PAGE(name) \
12825 .balign PAGE_SIZE; \
12827 @@ -339,7 +341,6 @@ ENTRY(name)
12833 * This default setting generates an ident mapping at address 0x100000
12834 * and a mapping for the kernel that precisely maps virtual address
12835 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
12836 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12837 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
12838 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12839 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
12840 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
12841 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
12842 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12843 .org init_level4_pgt + L4_START_KERNEL*8, 0
12844 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
12845 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
12847 +#ifdef CONFIG_PAX_PER_CPU_PGD
12848 +NEXT_PAGE(cpu_pgd)
12854 NEXT_PAGE(level3_ident_pgt)
12855 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12859 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
12863 +NEXT_PAGE(level3_vmalloc_pgt)
12866 +NEXT_PAGE(level3_vmemmap_pgt)
12867 + .fill L3_VMEMMAP_START,8,0
12868 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12870 NEXT_PAGE(level3_kernel_pgt)
12871 .fill L3_START_KERNEL,8,0
12872 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
12873 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
12874 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12876 +NEXT_PAGE(level2_vmemmap_pgt)
12879 NEXT_PAGE(level2_fixmap_pgt)
12881 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12882 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
12885 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
12886 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
12889 -NEXT_PAGE(level1_fixmap_pgt)
12890 +NEXT_PAGE(level1_vsyscall_pgt)
12893 -NEXT_PAGE(level2_ident_pgt)
12894 - /* Since I easily can, map the first 1G.
12895 + /* Since I easily can, map the first 2G.
12896 * Don't set NX because code runs from these pages.
12898 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
12899 +NEXT_PAGE(level2_ident_pgt)
12900 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
12902 NEXT_PAGE(level2_kernel_pgt)
12904 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
12905 * If you want to increase this then increase MODULES_VADDR
12908 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
12909 - KERNEL_IMAGE_SIZE/PMD_SIZE)
12911 -NEXT_PAGE(level2_spare_pgt)
12913 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
12920 +ENTRY(cpu_gdt_table)
12922 + .quad 0x0000000000000000 /* NULL descriptor */
12923 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
12924 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
12925 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
12926 + .quad 0x00cffb000000ffff /* __USER32_CS */
12927 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
12928 + .quad 0x00affb000000ffff /* __USER_CS */
12930 +#ifdef CONFIG_PAX_KERNEXEC
12931 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
12933 + .quad 0x0 /* unused */
12936 + .quad 0,0 /* TSS */
12937 + .quad 0,0 /* LDT */
12938 + .quad 0,0,0 /* three TLS descriptors */
12939 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
12940 + /* asm/segment.h:GDT_ENTRIES must match this */
12942 + /* zero the remaining page */
12943 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
12947 .globl early_gdt_descr
12949 .word GDT_ENTRIES*8-1
12950 early_gdt_descr_base:
12951 - .quad INIT_PER_CPU_VAR(gdt_page)
12952 + .quad cpu_gdt_table
12955 /* This must match the first entry in level2_kernel_pgt */
12956 .quad 0x0000000000000000
12958 #include "../../x86/xen/xen-head.S"
12960 - .section .bss, "aw", @nobits
12962 + .section .rodata,"a",@progbits
12963 .align L1_CACHE_BYTES
12965 - .skip IDT_ENTRIES * 16
12970 diff -urNp linux-2.6.36.2/arch/x86/kernel/i386_ksyms_32.c linux-2.6.36.2/arch/x86/kernel/i386_ksyms_32.c
12971 --- linux-2.6.36.2/arch/x86/kernel/i386_ksyms_32.c 2010-10-20 16:30:22.000000000 -0400
12972 +++ linux-2.6.36.2/arch/x86/kernel/i386_ksyms_32.c 2010-12-09 20:24:54.000000000 -0500
12973 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
12974 EXPORT_SYMBOL(cmpxchg8b_emu);
12977 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
12979 /* Networking helper routines. */
12980 EXPORT_SYMBOL(csum_partial_copy_generic);
12981 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
12982 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
12984 EXPORT_SYMBOL(__get_user_1);
12985 EXPORT_SYMBOL(__get_user_2);
12986 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
12988 EXPORT_SYMBOL(csum_partial);
12989 EXPORT_SYMBOL(empty_zero_page);
12991 +#ifdef CONFIG_PAX_KERNEXEC
12992 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
12994 diff -urNp linux-2.6.36.2/arch/x86/kernel/init_task.c linux-2.6.36.2/arch/x86/kernel/init_task.c
12995 --- linux-2.6.36.2/arch/x86/kernel/init_task.c 2010-10-20 16:30:22.000000000 -0400
12996 +++ linux-2.6.36.2/arch/x86/kernel/init_task.c 2010-12-09 20:24:55.000000000 -0500
12997 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
12998 * section. Since TSS's are completely CPU-local, we want them
12999 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
13001 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
13003 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
13004 +EXPORT_SYMBOL(init_tss);
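Review bot: `____cacheline_internodealigned_in_smp` on `init_tss[NR_CPUS]` aligns the start of the array, not each element, while the retained comment above still promises TSSs "on exact cacheline boundaries". Per-element alignment then depends on `struct tss_struct` itself carrying an alignment attribute, which is not visible in this hunk. Worth confirming, and updating the comment to describe a static array rather than a per-CPU section. The array is also sized by `NR_CPUS` rather than by the CPUs present, so its footprint grows with the configured maximum.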
13005 diff -urNp linux-2.6.36.2/arch/x86/kernel/ioport.c linux-2.6.36.2/arch/x86/kernel/ioport.c
13006 --- linux-2.6.36.2/arch/x86/kernel/ioport.c 2010-10-20 16:30:22.000000000 -0400
13007 +++ linux-2.6.36.2/arch/x86/kernel/ioport.c 2010-12-09 20:24:55.000000000 -0500
13009 #include <linux/sched.h>
13010 #include <linux/kernel.h>
13011 #include <linux/capability.h>
13012 +#include <linux/security.h>
13013 #include <linux/errno.h>
13014 #include <linux/types.h>
13015 #include <linux/ioport.h>
13016 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
13018 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
13020 +#ifdef CONFIG_GRKERNSEC_IO
13021 + if (turn_on && grsec_disable_privio) {
13022 + gr_handle_ioperm();
13026 if (turn_on && !capable(CAP_SYS_RAWIO))
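Review bot: The new `grsec_disable_privio` test is placed ahead of `capable(CAP_SYS_RAWIO)`, so `gr_handle_ioperm()` runs for any caller that passes `turn_on`, privileged or not. If that helper logs (its body is not shown), the log volume is controlled by unprivileged callers, so it should be rate-limited or the ordering justified in a comment, e.g. `/* checked before capable() so denied attempts are recorded for all callers */`. The return statement of the new block is not visible in this listing; returning the same errno as the capability failure would be the least surprising choice. The sys_iopl hunk below adds the same pattern.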
13029 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
13030 * because the ->io_bitmap_max value must match the bitmap
13033 - tss = &per_cpu(init_tss, get_cpu());
13034 + tss = init_tss + get_cpu();
13036 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
13038 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
13040 /* Trying to gain more privileges? */
13042 +#ifdef CONFIG_GRKERNSEC_IO
13043 + if (grsec_disable_privio) {
13044 + gr_handle_iopl();
13048 if (!capable(CAP_SYS_RAWIO))
13051 diff -urNp linux-2.6.36.2/arch/x86/kernel/irq_32.c linux-2.6.36.2/arch/x86/kernel/irq_32.c
13052 --- linux-2.6.36.2/arch/x86/kernel/irq_32.c 2010-10-20 16:30:22.000000000 -0400
13053 +++ linux-2.6.36.2/arch/x86/kernel/irq_32.c 2010-12-09 21:11:07.000000000 -0500
13054 @@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
13057 /* build the stack frame on the IRQ stack */
13058 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
13059 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
13060 irqctx->tinfo.task = curctx->tinfo.task;
13061 irqctx->tinfo.previous_esp = current_stack_pointer;
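Review bot: The `- 8` in `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);` is an unexplained constant, and the same adjustment appears in do_softirq further down and as `init_thread_union+THREAD_SIZE-8` in head_32.S. Three copies of a bare number that decides where the stack top sits will drift if one is changed. A shared named constant (placeholder name: `STACK_TOP_RESERVE`) with a comment saying what the reserved bytes are for would document the intent once. execute_on_irq_stack continues outside the hunk.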
13063 @@ -106,6 +106,10 @@ execute_on_irq_stack(int overflow, struc
13064 (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
13065 (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
13067 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13068 + __set_fs(irqctx->tinfo.addr_limit, smp_processor_id());
13071 if (unlikely(overflow))
13072 call_on_stack(print_stack_overflow, isp);
13074 @@ -116,6 +120,11 @@ execute_on_irq_stack(int overflow, struc
13075 : "0" (irq), "1" (desc), "2" (isp),
13076 "D" (desc->handle_irq)
13077 : "memory", "cc", "ecx");
13079 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13080 + __set_fs(curctx->tinfo.addr_limit, smp_processor_id());
13086 @@ -175,9 +184,18 @@ asmlinkage void do_softirq(void)
13087 irqctx->tinfo.previous_esp = current_stack_pointer;
13089 /* build the stack frame on the softirq stack */
13090 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
13091 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
13093 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13094 + __set_fs(irqctx->tinfo.addr_limit, smp_processor_id());
13097 call_on_stack(__do_softirq, isp);
13099 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13100 + __set_fs(curctx->tinfo.addr_limit, smp_processor_id());
13104 * Shouldnt happen, we returned above if in_interrupt():
13106 diff -urNp linux-2.6.36.2/arch/x86/kernel/kgdb.c linux-2.6.36.2/arch/x86/kernel/kgdb.c
13107 --- linux-2.6.36.2/arch/x86/kernel/kgdb.c 2010-10-20 16:30:22.000000000 -0400
13108 +++ linux-2.6.36.2/arch/x86/kernel/kgdb.c 2010-12-09 20:24:54.000000000 -0500
13109 @@ -123,11 +123,11 @@ char *dbg_get_reg(int regno, void *mem,
13111 #ifdef CONFIG_X86_32
13113 - if (!user_mode_vm(regs))
13114 + if (!user_mode(regs))
13115 *(unsigned long *)mem = __KERNEL_DS;
13118 - if (!user_mode_vm(regs))
13119 + if (!user_mode(regs))
13120 *(unsigned long *)mem = kernel_stack_pointer(regs);
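Review bot: Both checks switch from `user_mode_vm(regs)` to `user_mode(regs)`, and on 32-bit the stock `user_mode()` looks only at the CS privilege bits and ignores the VM86 flag. Unless this patch redefines `user_mode()` elsewhere to cover VM86 (not visible here), a vm86 frame whose CS value has its low two bits clear would be classified as kernel mode, and dbg_get_reg would report `__KERNEL_DS` and the kernel stack pointer for it. If the redefinition exists, a comment at the first use, `/* user_mode() includes the VM86 check in this tree */`, would save the next reader the search. The same substitution is made in kprobe_exceptions_notify in kprobes.c.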
13123 @@ -715,7 +715,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
13127 -struct kgdb_arch arch_kgdb_ops = {
13128 +const struct kgdb_arch arch_kgdb_ops = {
13129 /* Breakpoint instruction: */
13130 .gdb_bpt_instr = { 0xcc },
13131 .flags = KGDB_HW_BREAKPOINT,
13132 diff -urNp linux-2.6.36.2/arch/x86/kernel/kprobes.c linux-2.6.36.2/arch/x86/kernel/kprobes.c
13133 --- linux-2.6.36.2/arch/x86/kernel/kprobes.c 2010-10-20 16:30:22.000000000 -0400
13134 +++ linux-2.6.36.2/arch/x86/kernel/kprobes.c 2010-12-09 20:24:55.000000000 -0500
13135 @@ -114,9 +114,12 @@ static void __kprobes __synthesize_relat
13137 } __attribute__((packed)) *insn;
13139 - insn = (struct __arch_relative_insn *)from;
13140 + insn = (struct __arch_relative_insn *)(ktla_ktva(from));
13142 + pax_open_kernel();
13143 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
13145 + pax_close_kernel();
13148 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
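Review bot: In `__synthesize_relative_insn` the store goes through the translated pointer `ktla_ktva(from)` while `insn->raddr` is still computed from the untranslated `from`, and the difference is easy to mistake for an oversight. It looks intentional, since the displacement has to be relative to the address the instruction executes at rather than the alias used for writing, but nothing says so. Suggest `/* write via the translated alias; raddr stays relative to the execution address */` above the assignment. One line inside the `pax_open_kernel()` window is missing from this listing, so this covers only the visible store.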
13149 @@ -317,7 +320,9 @@ static int __kprobes __copy_instruction(
13152 insn_get_length(&insn);
13153 + pax_open_kernel();
13154 memcpy(dest, insn.kaddr, insn.length);
13155 + pax_close_kernel();
13157 #ifdef CONFIG_X86_64
13158 if (insn_rip_relative(&insn)) {
13159 @@ -341,7 +346,9 @@ static int __kprobes __copy_instruction(
13161 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
13162 disp = (u8 *) dest + insn_offset_displacement(&insn);
13163 + pax_open_kernel();
13164 *(s32 *) disp = (s32) newdisp;
13165 + pax_close_kernel();
13168 return insn.length;
13169 @@ -355,12 +362,12 @@ static void __kprobes arch_copy_kprobe(s
13171 __copy_instruction(p->ainsn.insn, p->addr, 0);
13173 - if (can_boost(p->addr))
13174 + if (can_boost(ktla_ktva(p->addr)))
13175 p->ainsn.boostable = 0;
13177 p->ainsn.boostable = -1;
13179 - p->opcode = *p->addr;
13180 + p->opcode = *(ktla_ktva(p->addr));
13183 int __kprobes arch_prepare_kprobe(struct kprobe *p)
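Review bot: `can_boost()` and the opcode read now take `ktla_ktva(p->addr)`, but the `__copy_instruction(p->ainsn.insn, p->addr, 0)` call on the context line above still passes the untranslated address. If `__copy_instruction` translates internally (its start is outside the visible hunks), the three uses are consistent and a comment should say which helpers expect which address form; if it does not, the copy reads through a different alias than the opcode check. The cast style also differs from kprobe_handler, which writes `*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr)`.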
13184 @@ -477,7 +484,7 @@ static void __kprobes setup_singlestep(s
13185 * nor set current_kprobe, because it doesn't use single
13188 - regs->ip = (unsigned long)p->ainsn.insn;
13189 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
13190 preempt_enable_no_resched();
13193 @@ -496,7 +503,7 @@ static void __kprobes setup_singlestep(s
13194 if (p->opcode == BREAKPOINT_INSTRUCTION)
13195 regs->ip = (unsigned long)p->addr;
13197 - regs->ip = (unsigned long)p->ainsn.insn;
13198 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
13202 @@ -575,7 +582,7 @@ static int __kprobes kprobe_handler(stru
13203 setup_singlestep(p, regs, kcb, 0);
13206 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
13207 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
13209 * The breakpoint instruction was removed right
13210 * after we hit it. Another cpu has removed
13211 @@ -820,7 +827,7 @@ static void __kprobes resume_execution(s
13212 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
13214 unsigned long *tos = stack_addr(regs);
13215 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
13216 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
13217 unsigned long orig_ip = (unsigned long)p->addr;
13218 kprobe_opcode_t *insn = p->ainsn.insn;
13220 @@ -1002,7 +1009,7 @@ int __kprobes kprobe_exceptions_notify(s
13221 struct die_args *args = data;
13222 int ret = NOTIFY_DONE;
13224 - if (args->regs && user_mode_vm(args->regs))
13225 + if (args->regs && user_mode(args->regs))
13229 diff -urNp linux-2.6.36.2/arch/x86/kernel/ldt.c linux-2.6.36.2/arch/x86/kernel/ldt.c
13230 --- linux-2.6.36.2/arch/x86/kernel/ldt.c 2010-10-20 16:30:22.000000000 -0400
13231 +++ linux-2.6.36.2/arch/x86/kernel/ldt.c 2010-12-09 20:24:54.000000000 -0500
13232 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
13237 + load_LDT_nolock(pc);
13238 if (!cpumask_equal(mm_cpumask(current->mm),
13239 cpumask_of(smp_processor_id())))
13240 smp_call_function(flush_ldt, current->mm, 1);
13244 + load_LDT_nolock(pc);
13248 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
13251 for (i = 0; i < old->size; i++)
13252 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
13253 + write_ldt_entry(new->ldt, i, old->ldt + i);
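Review bot: The source index changes from `old->ldt + i * LDT_ENTRY_SIZE` to `old->ldt + i`, which is only correct if `ldt` is now a pointer to an element of exactly `LDT_ENTRY_SIZE` bytes; that type change is not visible in this hunk. If the field were still a byte or `void *` pointer, every entry after the first would be copied from the wrong offset. A compile-time guard next to the loop, `BUILD_BUG_ON(sizeof(*old->ldt) != LDT_ENTRY_SIZE);`, would pin the assumption. `copy_ldt` starts and ends outside the hunk.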
13257 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
13258 retval = copy_ldt(&mm->context, &old_mm->context);
13259 mutex_unlock(&old_mm->context.lock);
13262 + if (tsk == current) {
13263 + mm->context.vdso = 0;
13265 +#ifdef CONFIG_X86_32
13266 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
13267 + mm->context.user_cs_base = 0UL;
13268 + mm->context.user_cs_limit = ~0UL;
13270 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
13271 + cpus_clear(mm->context.cpu_user_cs_mask);
13282 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
13286 +#ifdef CONFIG_PAX_SEGMEXEC
13287 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
13293 fill_ldt(&ldt, &ldt_info);
13296 diff -urNp linux-2.6.36.2/arch/x86/kernel/machine_kexec_32.c linux-2.6.36.2/arch/x86/kernel/machine_kexec_32.c
13297 --- linux-2.6.36.2/arch/x86/kernel/machine_kexec_32.c 2010-10-20 16:30:22.000000000 -0400
13298 +++ linux-2.6.36.2/arch/x86/kernel/machine_kexec_32.c 2010-12-09 20:24:54.000000000 -0500
13300 #include <asm/cacheflush.h>
13301 #include <asm/debugreg.h>
13303 -static void set_idt(void *newidt, __u16 limit)
13304 +static void set_idt(struct desc_struct *newidt, __u16 limit)
13306 struct desc_ptr curidt;
13308 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
13312 -static void set_gdt(void *newgdt, __u16 limit)
13313 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
13315 struct desc_ptr curgdt;
13317 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
13320 control_page = page_address(image->control_code_page);
13321 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
13322 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
13324 relocate_kernel_ptr = control_page;
13325 page_list[PA_CONTROL_PAGE] = __pa(control_page);
13326 diff -urNp linux-2.6.36.2/arch/x86/kernel/microcode_amd.c linux-2.6.36.2/arch/x86/kernel/microcode_amd.c
13327 --- linux-2.6.36.2/arch/x86/kernel/microcode_amd.c 2010-10-20 16:30:22.000000000 -0400
13328 +++ linux-2.6.36.2/arch/x86/kernel/microcode_amd.c 2010-12-09 20:24:54.000000000 -0500
13329 @@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
13333 -static struct microcode_ops microcode_amd_ops = {
13334 +static const struct microcode_ops microcode_amd_ops = {
13335 .request_microcode_user = request_microcode_user,
13336 .request_microcode_fw = request_microcode_fw,
13337 .collect_cpu_info = collect_cpu_info_amd,
13338 @@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
13339 .microcode_fini_cpu = microcode_fini_cpu_amd,
13342 -struct microcode_ops * __init init_amd_microcode(void)
13343 +const struct microcode_ops * __init init_amd_microcode(void)
13345 return µcode_amd_ops;
13347 diff -urNp linux-2.6.36.2/arch/x86/kernel/microcode_core.c linux-2.6.36.2/arch/x86/kernel/microcode_core.c
13348 --- linux-2.6.36.2/arch/x86/kernel/microcode_core.c 2010-10-20 16:30:22.000000000 -0400
13349 +++ linux-2.6.36.2/arch/x86/kernel/microcode_core.c 2010-12-09 20:24:55.000000000 -0500
13350 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
13352 #define MICROCODE_VERSION "2.00"
13354 -static struct microcode_ops *microcode_ops;
13355 +static const struct microcode_ops *microcode_ops;
13359 diff -urNp linux-2.6.36.2/arch/x86/kernel/microcode_intel.c linux-2.6.36.2/arch/x86/kernel/microcode_intel.c
13360 --- linux-2.6.36.2/arch/x86/kernel/microcode_intel.c 2010-10-20 16:30:22.000000000 -0400
13361 +++ linux-2.6.36.2/arch/x86/kernel/microcode_intel.c 2010-12-09 20:24:55.000000000 -0500
13362 @@ -446,13 +446,13 @@ static enum ucode_state request_microcod
13364 static int get_ucode_user(void *to, const void *from, size_t n)
13366 - return copy_from_user(to, from, n);
13367 + return copy_from_user(to, (__force const void __user *)from, n);
13370 static enum ucode_state
13371 request_microcode_user(int cpu, const void __user *buf, size_t size)
13373 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
13374 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
13377 static void microcode_fini_cpu(int cpu)
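Review bot: The two `__force` casts let a user pointer travel through `generic_load_microcode()` as a plain `void *` and be turned back into `__user` inside `get_ucode_user()`, so sparse can no longer tell whether `from` really is a user address. That is safe only while `get_ucode_user` is the sole callback paired with `request_microcode_user`. I would add a comment above `get_ucode_user`: `/* 'from' is always the user buffer handed in by request_microcode_user(); never route a kernel pointer through this callback */`.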
13378 @@ -463,7 +463,7 @@ static void microcode_fini_cpu(int cpu)
13382 -static struct microcode_ops microcode_intel_ops = {
13383 +static const struct microcode_ops microcode_intel_ops = {
13384 .request_microcode_user = request_microcode_user,
13385 .request_microcode_fw = request_microcode_fw,
13386 .collect_cpu_info = collect_cpu_info,
13387 @@ -471,7 +471,7 @@ static struct microcode_ops microcode_in
13388 .microcode_fini_cpu = microcode_fini_cpu,
13391 -struct microcode_ops * __init init_intel_microcode(void)
13392 +const struct microcode_ops * __init init_intel_microcode(void)
13394 return µcode_intel_ops;
13396 diff -urNp linux-2.6.36.2/arch/x86/kernel/module.c linux-2.6.36.2/arch/x86/kernel/module.c
13397 --- linux-2.6.36.2/arch/x86/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
13398 +++ linux-2.6.36.2/arch/x86/kernel/module.c 2010-12-09 20:24:55.000000000 -0500
13400 #define DEBUGP(fmt...)
13403 -void *module_alloc(unsigned long size)
13404 +static void *__module_alloc(unsigned long size, pgprot_t prot)
13406 struct vm_struct *area;
13408 @@ -49,8 +49,18 @@ void *module_alloc(unsigned long size)
13412 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
13413 - PAGE_KERNEL_EXEC);
13414 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
13417 +void *module_alloc(unsigned long size)
13420 +#ifdef CONFIG_PAX_KERNEXEC
13421 + return __module_alloc(size, PAGE_KERNEL);
13423 + return __module_alloc(size, PAGE_KERNEL_EXEC);
13428 /* Free memory returned from module_alloc */
13429 @@ -59,6 +69,40 @@ void module_free(struct module *mod, voi
13430 vfree(module_region);
13433 +#ifdef CONFIG_PAX_KERNEXEC
13434 +#ifdef CONFIG_X86_32
13435 +void *module_alloc_exec(unsigned long size)
13437 + struct vm_struct *area;
13442 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
13443 + return area ? area->addr : NULL;
13445 +EXPORT_SYMBOL(module_alloc_exec);
13447 +void module_free_exec(struct module *mod, void *module_region)
13449 + vunmap(module_region);
13451 +EXPORT_SYMBOL(module_free_exec);
13453 +void module_free_exec(struct module *mod, void *module_region)
13455 + module_free(mod, module_region);
13457 +EXPORT_SYMBOL(module_free_exec);
13459 +void *module_alloc_exec(unsigned long size)
13461 + return __module_alloc(size, PAGE_KERNEL_RX);
13463 +EXPORT_SYMBOL(module_alloc_exec);
13467 /* We don't need anything special. */
13468 int module_frob_arch_sections(Elf_Ehdr *hdr,
13470 @@ -78,14 +122,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13472 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
13474 - uint32_t *location;
13475 + uint32_t *plocation, location;
13477 DEBUGP("Applying relocate section %u to %u\n", relsec,
13478 sechdrs[relsec].sh_info);
13479 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
13480 /* This is where to make the change */
13481 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
13482 - + rel[i].r_offset;
13483 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
13484 + location = (uint32_t)plocation;
13485 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
13486 + plocation = ktla_ktva((void *)plocation);
13487 /* This is the symbol it is referring to. Note that all
13488 undefined symbols have been resolved. */
13489 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
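Review bot: After this change `location` is an integer holding the untranslated section address while `plocation` is the pointer actually written through, and for `SHF_EXECINSTR` sections the two differ once `ktla_ktva()` has been applied. Nothing in the code says so, and the names invite a later cleanup to turn the PC-relative case in the next hunk back into `(uint32_t)plocation`, which would compute the displacement from the write alias. Suggest a comment on the declaration: `/* location: untranslated address used in PC-relative math; plocation: alias the store goes through */`. The loop body continues in the following hunk.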
13490 @@ -94,11 +140,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13491 switch (ELF32_R_TYPE(rel[i].r_info)) {
13493 /* We add the value into the location given */
13494 - *location += sym->st_value;
13495 + pax_open_kernel();
13496 + *plocation += sym->st_value;
13497 + pax_close_kernel();
13500 /* Add the value, subtract its postition */
13501 - *location += sym->st_value - (uint32_t)location;
13502 + pax_open_kernel();
13503 + *plocation += sym->st_value - location;
13504 + pax_close_kernel();
13507 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
13508 @@ -154,21 +204,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
13509 case R_X86_64_NONE:
13512 + pax_open_kernel();
13514 + pax_close_kernel();
13517 + pax_open_kernel();
13519 + pax_close_kernel();
13520 if (val != *(u32 *)loc)
13524 + pax_open_kernel();
13526 + pax_close_kernel();
13527 if ((s64)val != *(s32 *)loc)
13530 case R_X86_64_PC32:
13532 + pax_open_kernel();
13534 + pax_close_kernel();
13537 if ((s64)val != *(s32 *)loc)
13539 diff -urNp linux-2.6.36.2/arch/x86/kernel/paravirt.c linux-2.6.36.2/arch/x86/kernel/paravirt.c
13540 --- linux-2.6.36.2/arch/x86/kernel/paravirt.c 2010-10-20 16:30:22.000000000 -0400
13541 +++ linux-2.6.36.2/arch/x86/kernel/paravirt.c 2010-12-09 20:24:54.000000000 -0500
13542 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
13543 * corresponding structure. */
13544 static void *get_call_destination(u8 type)
13546 - struct paravirt_patch_template tmpl = {
13547 + const struct paravirt_patch_template tmpl = {
13548 .pv_init_ops = pv_init_ops,
13549 .pv_time_ops = pv_time_ops,
13550 .pv_cpu_ops = pv_cpu_ops,
13551 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
13552 if (opfunc == NULL)
13553 /* If there's no function, patch it with a ud2a (BUG) */
13554 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
13555 - else if (opfunc == _paravirt_nop)
13556 + else if (opfunc == (void *)_paravirt_nop)
13557 /* If the operation is a nop, then nop the callsite */
13558 ret = paravirt_patch_nop();
13560 /* identity functions just return their single argument */
13561 - else if (opfunc == _paravirt_ident_32)
13562 + else if (opfunc == (void *)_paravirt_ident_32)
13563 ret = paravirt_patch_ident_32(insnbuf, len);
13564 - else if (opfunc == _paravirt_ident_64)
13565 + else if (opfunc == (void *)_paravirt_ident_64)
13566 ret = paravirt_patch_ident_64(insnbuf, len);
13568 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
13569 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
13570 if (insn_len > len || start == NULL)
13573 - memcpy(insnbuf, start, insn_len);
13574 + memcpy(insnbuf, ktla_ktva(start), insn_len);
13578 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
13582 -struct pv_info pv_info = {
13583 +struct pv_info pv_info __read_only = {
13584 .name = "bare hardware",
13585 .paravirt_enabled = 0,
13587 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13590 -struct pv_init_ops pv_init_ops = {
13591 +struct pv_init_ops pv_init_ops __read_only = {
13592 .patch = native_patch,
13595 -struct pv_time_ops pv_time_ops = {
13596 +struct pv_time_ops pv_time_ops __read_only = {
13597 .sched_clock = native_sched_clock,
13600 -struct pv_irq_ops pv_irq_ops = {
13601 +struct pv_irq_ops pv_irq_ops __read_only = {
13602 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13603 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13604 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
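Review bot: Marking `pv_info`, `pv_init_ops`, `pv_time_ops` and `pv_irq_ops` as `__read_only` means any store to them after the protection takes effect has to be bracketed, and none of the writers are visible here. The same applies to `pv_cpu_ops`, `pv_apic_ops` and `pv_mmu_ops` in the following hunks, and to `pv_lock_ops` in paravirt-spinlocks.c. These tables are normally filled in by guest-setup code, so I would document the rule where they are defined: `/* __read_only: late writers must wrap the store in pax_open_kernel()/pax_close_kernel() */`. It is worth confirming that every in-tree writer either runs before the mapping becomes read-only or already uses that pair.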
13605 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13609 -struct pv_cpu_ops pv_cpu_ops = {
13610 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13611 .cpuid = native_cpuid,
13612 .get_debugreg = native_get_debugreg,
13613 .set_debugreg = native_set_debugreg,
13614 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13615 .end_context_switch = paravirt_nop,
13618 -struct pv_apic_ops pv_apic_ops = {
13619 +struct pv_apic_ops pv_apic_ops __read_only = {
13620 #ifdef CONFIG_X86_LOCAL_APIC
13621 .startup_ipi_hook = paravirt_nop,
13623 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13624 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13627 -struct pv_mmu_ops pv_mmu_ops = {
13628 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13630 .read_cr2 = native_read_cr2,
13631 .write_cr2 = native_write_cr2,
13632 @@ -463,6 +463,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13635 .set_fixmap = native_set_fixmap,
13637 +#ifdef CONFIG_PAX_KERNEXEC
13638 + .pax_open_kernel = native_pax_open_kernel,
13639 + .pax_close_kernel = native_pax_close_kernel,
13644 EXPORT_SYMBOL_GPL(pv_time_ops);
13645 diff -urNp linux-2.6.36.2/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.36.2/arch/x86/kernel/paravirt-spinlocks.c
13646 --- linux-2.6.36.2/arch/x86/kernel/paravirt-spinlocks.c 2010-10-20 16:30:22.000000000 -0400
13647 +++ linux-2.6.36.2/arch/x86/kernel/paravirt-spinlocks.c 2010-12-09 20:24:54.000000000 -0500
13648 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
13649 arch_spin_lock(lock);
13652 -struct pv_lock_ops pv_lock_ops = {
13653 +struct pv_lock_ops pv_lock_ops __read_only = {
13655 .spin_is_locked = __ticket_spin_is_locked,
13656 .spin_is_contended = __ticket_spin_is_contended,
13657 diff -urNp linux-2.6.36.2/arch/x86/kernel/pci-calgary_64.c linux-2.6.36.2/arch/x86/kernel/pci-calgary_64.c
13658 --- linux-2.6.36.2/arch/x86/kernel/pci-calgary_64.c 2010-10-20 16:30:22.000000000 -0400
13659 +++ linux-2.6.36.2/arch/x86/kernel/pci-calgary_64.c 2010-12-09 20:24:55.000000000 -0500
13660 @@ -475,7 +475,7 @@ static void calgary_free_coherent(struct
13661 free_pages((unsigned long)vaddr, get_order(size));
13664 -static struct dma_map_ops calgary_dma_ops = {
13665 +static const struct dma_map_ops calgary_dma_ops = {
13666 .alloc_coherent = calgary_alloc_coherent,
13667 .free_coherent = calgary_free_coherent,
13668 .map_sg = calgary_map_sg,
13669 diff -urNp linux-2.6.36.2/arch/x86/kernel/pci-dma.c linux-2.6.36.2/arch/x86/kernel/pci-dma.c
13670 --- linux-2.6.36.2/arch/x86/kernel/pci-dma.c 2010-10-20 16:30:22.000000000 -0400
13671 +++ linux-2.6.36.2/arch/x86/kernel/pci-dma.c 2010-12-09 20:24:54.000000000 -0500
13674 static int forbid_dac __read_mostly;
13676 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
13677 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
13678 EXPORT_SYMBOL(dma_ops);
13680 static int iommu_sac_force __read_mostly;
13681 @@ -251,7 +251,7 @@ early_param("iommu", iommu_setup);
13683 int dma_supported(struct device *dev, u64 mask)
13685 - struct dma_map_ops *ops = get_dma_ops(dev);
13686 + const struct dma_map_ops *ops = get_dma_ops(dev);
13689 if (mask > 0xffffffff && forbid_dac > 0) {
13690 diff -urNp linux-2.6.36.2/arch/x86/kernel/pci-gart_64.c linux-2.6.36.2/arch/x86/kernel/pci-gart_64.c
13691 --- linux-2.6.36.2/arch/x86/kernel/pci-gart_64.c 2010-10-20 16:30:22.000000000 -0400
13692 +++ linux-2.6.36.2/arch/x86/kernel/pci-gart_64.c 2010-12-09 20:24:54.000000000 -0500
13693 @@ -699,7 +699,7 @@ static __init int init_k8_gatt(struct ag
13697 -static struct dma_map_ops gart_dma_ops = {
13698 +static const struct dma_map_ops gart_dma_ops = {
13699 .map_sg = gart_map_sg,
13700 .unmap_sg = gart_unmap_sg,
13701 .map_page = gart_map_page,
13702 diff -urNp linux-2.6.36.2/arch/x86/kernel/pci-nommu.c linux-2.6.36.2/arch/x86/kernel/pci-nommu.c
13703 --- linux-2.6.36.2/arch/x86/kernel/pci-nommu.c 2010-10-20 16:30:22.000000000 -0400
13704 +++ linux-2.6.36.2/arch/x86/kernel/pci-nommu.c 2010-12-09 20:24:55.000000000 -0500
13705 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
13706 flush_write_buffers();
13709 -struct dma_map_ops nommu_dma_ops = {
13710 +const struct dma_map_ops nommu_dma_ops = {
13711 .alloc_coherent = dma_generic_alloc_coherent,
13712 .free_coherent = nommu_free_coherent,
13713 .map_sg = nommu_map_sg,
13714 diff -urNp linux-2.6.36.2/arch/x86/kernel/pci-swiotlb.c linux-2.6.36.2/arch/x86/kernel/pci-swiotlb.c
13715 --- linux-2.6.36.2/arch/x86/kernel/pci-swiotlb.c 2010-10-20 16:30:22.000000000 -0400
13716 +++ linux-2.6.36.2/arch/x86/kernel/pci-swiotlb.c 2010-12-09 20:24:54.000000000 -0500
13717 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
13718 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
13721 -static struct dma_map_ops swiotlb_dma_ops = {
13722 +static const struct dma_map_ops swiotlb_dma_ops = {
13723 .mapping_error = swiotlb_dma_mapping_error,
13724 .alloc_coherent = x86_swiotlb_alloc_coherent,
13725 .free_coherent = swiotlb_free_coherent,
13726 diff -urNp linux-2.6.36.2/arch/x86/kernel/process_32.c linux-2.6.36.2/arch/x86/kernel/process_32.c
13727 --- linux-2.6.36.2/arch/x86/kernel/process_32.c 2010-10-20 16:30:22.000000000 -0400
13728 +++ linux-2.6.36.2/arch/x86/kernel/process_32.c 2010-12-09 20:24:54.000000000 -0500
13729 @@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __as
13730 unsigned long thread_saved_pc(struct task_struct *tsk)
13732 return ((unsigned long *)tsk->thread.sp)[3];
13733 +//XXX return tsk->thread.eip;
13737 @@ -130,7 +131,7 @@ void __show_regs(struct pt_regs *regs, i
13739 unsigned short ss, gs;
13741 - if (user_mode_vm(regs)) {
13742 + if (user_mode(regs)) {
13744 ss = regs->ss & 0xffff;
13745 gs = get_user_gs(regs);
13746 @@ -200,7 +201,7 @@ int copy_thread(unsigned long clone_flag
13747 struct task_struct *tsk;
13750 - childregs = task_pt_regs(p);
13751 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
13752 *childregs = *regs;
13754 childregs->sp = sp;
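Review bot: `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` open-codes the position of the saved registers, and the same unexplained `8` reappears in the `get_wchan` hunk of process_64.c as `stack+THREAD_SIZE-8-sizeof(u64)`. If the reserved gap at the top of the kernel stack ever changes, these sites have to be found by hand, and a mismatch would make `copy_thread` and the stack walkers disagree about where the frame lives. A named constant with a one-line comment on what the gap is for would tie them together, e.g. `#define KSTACK_TOP_GAP 8` (the name is only a suggestion). `copy_thread` starts and ends outside the hunk.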
13755 @@ -234,6 +235,7 @@ int copy_thread(unsigned long clone_flag
13756 * Set a new TLS for the child thread?
13758 if (clone_flags & CLONE_SETTLS)
13759 +//XXX needs set_fs()?
13760 err = do_set_thread_area(p, -1,
13761 (struct user_desc __user *)childregs->si, 0);
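Review bot: The added `//XXX needs set_fs()?` leaves an open question in the code about whether `do_set_thread_area()` may read `childregs->si` as a `__user` pointer under the address limit in force on this path. It also sits between the `if` and its statement, where it is easy to misread. Either resolve it before merging or turn it into a proper comment above the `if`, e.g. `/* TODO: confirm addr_limit permits the __user access in do_set_thread_area() here */`. The `//XXX return tsk->thread.eip;` line added to `thread_saved_pc` in the first hunk of this file is the same kind of leftover and should be dropped or explained.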
13763 @@ -297,7 +299,7 @@ __switch_to(struct task_struct *prev_p,
13764 struct thread_struct *prev = &prev_p->thread,
13765 *next = &next_p->thread;
13766 int cpu = smp_processor_id();
13767 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13768 + struct tss_struct *tss = init_tss + cpu;
13771 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
13772 @@ -332,6 +334,11 @@ __switch_to(struct task_struct *prev_p,
13774 lazy_save_gs(prev->gs);
13776 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13777 + if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
13778 + __set_fs(task_thread_info(next_p)->addr_limit, cpu);
13782 * Load the per-thread Thread-Local Storage descriptor.
13784 @@ -408,3 +415,27 @@ unsigned long get_wchan(struct task_stru
13788 +#ifdef CONFIG_PAX_RANDKSTACK
13789 +asmlinkage void pax_randomize_kstack(void)
13791 + struct thread_struct *thread = ¤t->thread;
13792 + unsigned long time;
13794 + if (!randomize_va_space)
13799 + /* P4 seems to return a 0 LSB, ignore it */
13800 +#ifdef CONFIG_MPENTIUM4
13808 + thread->sp0 ^= time;
13809 + load_sp0(init_tss + smp_processor_id(), thread);
13812 diff -urNp linux-2.6.36.2/arch/x86/kernel/process_64.c linux-2.6.36.2/arch/x86/kernel/process_64.c
13813 --- linux-2.6.36.2/arch/x86/kernel/process_64.c 2010-10-20 16:30:22.000000000 -0400
13814 +++ linux-2.6.36.2/arch/x86/kernel/process_64.c 2010-12-09 20:24:54.000000000 -0500
13815 @@ -89,7 +89,7 @@ static void __exit_idle(void)
13816 void exit_idle(void)
13818 /* idle loop has pid 0 */
13819 - if (current->pid)
13820 + if (task_pid_nr(current))
13824 @@ -380,7 +380,7 @@ __switch_to(struct task_struct *prev_p,
13825 struct thread_struct *prev = &prev_p->thread;
13826 struct thread_struct *next = &next_p->thread;
13827 int cpu = smp_processor_id();
13828 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13829 + struct tss_struct *tss = init_tss + cpu;
13830 unsigned fsindex, gsindex;
13833 @@ -533,12 +533,11 @@ unsigned long get_wchan(struct task_stru
13834 if (!p || p == current || p->state == TASK_RUNNING)
13836 stack = (unsigned long)task_stack_page(p);
13837 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
13838 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
13840 fp = *(u64 *)(p->thread.sp);
13842 - if (fp < (unsigned long)stack ||
13843 - fp >= (unsigned long)stack+THREAD_SIZE)
13844 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
13846 ip = *(u64 *)(fp+8);
13847 if (!in_sched_functions(ip))
13848 diff -urNp linux-2.6.36.2/arch/x86/kernel/process.c linux-2.6.36.2/arch/x86/kernel/process.c
13849 --- linux-2.6.36.2/arch/x86/kernel/process.c 2010-10-20 16:30:22.000000000 -0400
13850 +++ linux-2.6.36.2/arch/x86/kernel/process.c 2010-12-09 20:24:55.000000000 -0500
13851 @@ -74,7 +74,7 @@ void exit_thread(void)
13852 unsigned long *bp = t->io_bitmap_ptr;
13855 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
13856 + struct tss_struct *tss = init_tss + get_cpu();
13858 t->io_bitmap_ptr = NULL;
13859 clear_thread_flag(TIF_IO_BITMAP);
13860 @@ -118,6 +118,9 @@ void flush_thread(void)
13862 struct task_struct *tsk = current;
13864 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
13865 + loadsegment(gs, 0);
13867 flush_ptrace_hw_breakpoint(tsk);
13868 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
13870 @@ -280,8 +283,8 @@ int kernel_thread(int (*fn)(void *), voi
13871 regs.di = (unsigned long) arg;
13873 #ifdef CONFIG_X86_32
13874 - regs.ds = __USER_DS;
13875 - regs.es = __USER_DS;
13876 + regs.ds = __KERNEL_DS;
13877 + regs.es = __KERNEL_DS;
13878 regs.fs = __KERNEL_PERCPU;
13879 regs.gs = __KERNEL_STACK_CANARY;
13881 @@ -658,17 +661,3 @@ static int __init idle_setup(char *str)
13884 early_param("idle", idle_setup);
13886 -unsigned long arch_align_stack(unsigned long sp)
13888 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
13889 - sp -= get_random_int() % 8192;
13890 - return sp & ~0xf;
13893 -unsigned long arch_randomize_brk(struct mm_struct *mm)
13895 - unsigned long range_end = mm->brk + 0x02000000;
13896 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
13899 diff -urNp linux-2.6.36.2/arch/x86/kernel/ptrace.c linux-2.6.36.2/arch/x86/kernel/ptrace.c
13900 --- linux-2.6.36.2/arch/x86/kernel/ptrace.c 2010-10-20 16:30:22.000000000 -0400
13901 +++ linux-2.6.36.2/arch/x86/kernel/ptrace.c 2010-12-09 20:24:54.000000000 -0500
13902 @@ -804,7 +804,7 @@ static const struct user_regset_view use
13903 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
13906 - unsigned long __user *datap = (unsigned long __user *)data;
13907 + unsigned long __user *datap = (__force unsigned long __user *)data;
13910 /* read the word at location addr in the USER area. */
13911 @@ -891,14 +891,14 @@ long arch_ptrace(struct task_struct *chi
13914 ret = do_get_thread_area(child, addr,
13915 - (struct user_desc __user *) data);
13916 + (__force struct user_desc __user *) data);
13919 case PTRACE_SET_THREAD_AREA:
13922 ret = do_set_thread_area(child, addr,
13923 - (struct user_desc __user *) data, 0);
13924 + (__force struct user_desc __user *) data, 0);
13928 @@ -1315,7 +1315,7 @@ static void fill_sigtrap_info(struct tas
13929 memset(info, 0, sizeof(*info));
13930 info->si_signo = SIGTRAP;
13931 info->si_code = si_code;
13932 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
13933 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
13936 void user_single_step_siginfo(struct task_struct *tsk,
13937 diff -urNp linux-2.6.36.2/arch/x86/kernel/reboot.c linux-2.6.36.2/arch/x86/kernel/reboot.c
13938 --- linux-2.6.36.2/arch/x86/kernel/reboot.c 2010-11-26 18:26:24.000000000 -0500
13939 +++ linux-2.6.36.2/arch/x86/kernel/reboot.c 2010-12-09 20:24:55.000000000 -0500
13940 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
13941 EXPORT_SYMBOL(pm_power_off);
13943 static const struct desc_ptr no_idt = {};
13944 -static int reboot_mode;
13945 +static unsigned short reboot_mode;
13946 enum reboot_type reboot_type = BOOT_KBD;
13949 @@ -284,7 +284,7 @@ static struct dmi_system_id __initdata r
13950 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
13954 + { NULL, NULL, {{0, {0}}}, NULL}
13957 static int __init reboot_init(void)
13958 @@ -300,12 +300,12 @@ core_initcall(reboot_init);
13959 controller to pulse the CPU reset line, which is more thorough, but
13960 doesn't work with at least one type of 486 motherboard. It is easy
13961 to stop this code working; hence the copious comments. */
13962 -static const unsigned long long
13963 -real_mode_gdt_entries [3] =
13964 +static struct desc_struct
13965 +real_mode_gdt_entries [3] __read_only =
13967 - 0x0000000000000000ULL, /* Null descriptor */
13968 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
13969 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
13970 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
13971 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
13972 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
13975 static const struct desc_ptr
13976 @@ -354,7 +354,7 @@ static const unsigned char jump_to_bios
13977 * specified by the code and length parameters.
13978 * We assume that length will aways be less that 100!
13980 -void machine_real_restart(const unsigned char *code, int length)
13981 +void machine_real_restart(const unsigned char *code, unsigned int length)
13983 local_irq_disable();
13985 @@ -374,8 +374,8 @@ void machine_real_restart(const unsigned
13986 /* Remap the kernel at virtual address zero, as well as offset zero
13987 from the kernel segment. This assumes the kernel segment starts at
13988 virtual address PAGE_OFFSET. */
13989 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13990 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
13991 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13992 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
13995 * Use `swapper_pg_dir' as our page directory.
13996 @@ -387,16 +387,15 @@ void machine_real_restart(const unsigned
13997 boot)". This seems like a fairly standard thing that gets set by
13998 REBOOT.COM programs, and the previous reset routine did this
14000 - *((unsigned short *)0x472) = reboot_mode;
14001 + *(unsigned short *)(__va(0x472)) = reboot_mode;
14003 /* For the switch to real mode, copy some code to low memory. It has
14004 to be in the first 64k because it is running in 16-bit mode, and it
14005 has to have the same physical and virtual address, because it turns
14006 off paging. Copy it near the end of the first page, out of the way
14007 of BIOS variables. */
14008 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
14009 - real_mode_switch, sizeof (real_mode_switch));
14010 - memcpy((void *)(0x1000 - 100), code, length);
14011 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
14012 + memcpy(__va(0x1000 - 100), code, length);
14014 /* Set up the IDT for real mode. */
14015 load_idt(&real_mode_idt);
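Review bot: `memcpy(__va(0x1000 - 100), code, length)` still trusts the caller for `length`. The signature change to `unsigned int` in the earlier hunk rules out negative values, but nothing enforces the "less than 100" assumption stated in the function comment, so a longer blob would be copied past the end of the first page. A one-line guard before the copy would make the contract real, for example `if (length > 100) length = 100;`, or `BUG_ON(length > 100);` if truncation is not acceptable at this point. `machine_real_restart` starts and ends outside the hunk.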
14016 diff -urNp linux-2.6.36.2/arch/x86/kernel/setup.c linux-2.6.36.2/arch/x86/kernel/setup.c
14017 --- linux-2.6.36.2/arch/x86/kernel/setup.c 2010-10-20 16:30:22.000000000 -0400
14018 +++ linux-2.6.36.2/arch/x86/kernel/setup.c 2010-12-09 20:24:54.000000000 -0500
14019 @@ -705,7 +705,7 @@ static void __init trim_bios_range(void)
14020 * area (640->1Mb) as ram even though it is not.
14023 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
14024 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
14025 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
14028 @@ -797,14 +797,14 @@ void __init setup_arch(char **cmdline_p)
14030 if (!boot_params.hdr.root_flags)
14031 root_mountflags &= ~MS_RDONLY;
14032 - init_mm.start_code = (unsigned long) _text;
14033 - init_mm.end_code = (unsigned long) _etext;
14034 + init_mm.start_code = ktla_ktva((unsigned long) _text);
14035 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
14036 init_mm.end_data = (unsigned long) _edata;
14037 init_mm.brk = _brk_end;
14039 - code_resource.start = virt_to_phys(_text);
14040 - code_resource.end = virt_to_phys(_etext)-1;
14041 - data_resource.start = virt_to_phys(_etext);
14042 + code_resource.start = virt_to_phys(ktla_ktva(_text));
14043 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
14044 + data_resource.start = virt_to_phys(_sdata);
14045 data_resource.end = virt_to_phys(_edata)-1;
14046 bss_resource.start = virt_to_phys(&__bss_start);
14047 bss_resource.end = virt_to_phys(&__bss_stop)-1;
14048 diff -urNp linux-2.6.36.2/arch/x86/kernel/setup_percpu.c linux-2.6.36.2/arch/x86/kernel/setup_percpu.c
14049 --- linux-2.6.36.2/arch/x86/kernel/setup_percpu.c 2010-10-20 16:30:22.000000000 -0400
14050 +++ linux-2.6.36.2/arch/x86/kernel/setup_percpu.c 2010-12-09 20:24:55.000000000 -0500
14051 @@ -21,19 +21,17 @@
14052 #include <asm/cpu.h>
14053 #include <asm/stackprotector.h>
14055 -DEFINE_PER_CPU(int, cpu_number);
14057 +DEFINE_PER_CPU(unsigned int, cpu_number);
14058 EXPORT_PER_CPU_SYMBOL(cpu_number);
14061 -#ifdef CONFIG_X86_64
14062 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
14064 -#define BOOT_PERCPU_OFFSET 0
14067 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
14068 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
14070 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
14071 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
14072 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
14074 EXPORT_SYMBOL(__per_cpu_offset);
14075 @@ -161,10 +159,10 @@ static inline void setup_percpu_segment(
14077 #ifdef CONFIG_X86_32
14078 struct desc_struct gdt;
14079 + unsigned long base = per_cpu_offset(cpu);
14081 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
14082 - 0x2 | DESCTYPE_S, 0x8);
14084 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
14085 + 0x83 | DESCTYPE_S, 0xC);
14086 write_gdt_entry(get_cpu_gdt_table(cpu),
14087 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
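Review bot: The new `pack_descriptor()` arguments `0x83 | DESCTYPE_S` and `0xC` and the limit `(VMALLOC_END - base - 1) >> PAGE_SHIFT` are unexplained, and the subtraction wraps if `base` is ever at or above `VMALLOC_END`. Since this replaces the flat `0xFFFFF` limit with one that ends at `VMALLOC_END`, a comment should say so, e.g. `/* bound the per-cpu segment to [base, VMALLOC_END) so per-cpu accesses cannot reach beyond it */`, and name the type and flag bits being set. If `base < VMALLOC_END` is guaranteed by the allocator, state that next to the expression. `setup_percpu_segment` starts and ends outside the hunk.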
14089 @@ -213,6 +211,11 @@ void __init setup_per_cpu_areas(void)
14090 /* alrighty, percpu areas up and running */
14091 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
14092 for_each_possible_cpu(cpu) {
14093 +#ifdef CONFIG_CC_STACKPROTECTOR
14094 +#ifdef CONFIG_x86_32
14095 + unsigned long canary = per_cpu(stack_canary, cpu);
14098 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
14099 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
14100 per_cpu(cpu_number, cpu) = cpu;
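Review bot: `#ifdef CONFIG_x86_32` is spelled with a lowercase `x`; the symbol used elsewhere in this patch, including the `setup_percpu_segment` hunk just above, is `CONFIG_X86_32`, so this guard is never true and the `canary` save is compiled out. The restore in the next hunk (`if (cpu == boot_cpu_id)` followed by `per_cpu(stack_canary, cpu) = canary;`) sits behind the same misspelled guard, so the boot CPU's stack canary is not carried across the per-cpu area switch as the code appears to intend. Both guards should read `#ifdef CONFIG_X86_32`. `setup_per_cpu_areas` starts and ends outside the hunk.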
14101 @@ -249,6 +252,12 @@ void __init setup_per_cpu_areas(void)
14102 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
14105 +#ifdef CONFIG_CC_STACKPROTECTOR
14106 +#ifdef CONFIG_x86_32
14107 + if (cpu == boot_cpu_id)
14108 + per_cpu(stack_canary, cpu) = canary;
14112 * Up to this point, the boot CPU has been using .init.data
14113 * area. Reload any changed state for the boot CPU.
14114 diff -urNp linux-2.6.36.2/arch/x86/kernel/signal.c linux-2.6.36.2/arch/x86/kernel/signal.c
14115 --- linux-2.6.36.2/arch/x86/kernel/signal.c 2010-10-20 16:30:22.000000000 -0400
14116 +++ linux-2.6.36.2/arch/x86/kernel/signal.c 2010-12-09 20:24:55.000000000 -0500
14117 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
14118 * Align the stack pointer according to the i386 ABI,
14119 * i.e. so that on function entry ((sp + 4) & 15) == 0.
14121 - sp = ((sp + 4) & -16ul) - 4;
14122 + sp = ((sp - 12) & -16ul) - 4;
14123 #else /* !CONFIG_X86_32 */
14124 sp = round_down(sp, 16) - 8;
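Review bot: `((sp - 12) & -16ul) - 4` satisfies the same `((sp + 4) & 15) == 0` invariant as the old expression but always lands 16 bytes lower, and the comment above still describes only the alignment. Without the reason recorded, a later cleanup is likely to revert it as a no-op. Suggest extending the comment, e.g. `/* ... and leave an extra 16 bytes below the incoming sp (TODO: state why) */`. `align_sigframe` starts and ends outside the hunk.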
14126 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
14127 * Return an always-bogus address instead so we will die with SIGSEGV.
14129 if (onsigstack && !likely(on_sig_stack(sp)))
14130 - return (void __user *)-1L;
14131 + return (__force void __user *)-1L;
14133 /* save i387 state */
14134 if (used_math() && save_i387_xstate(*fpstate) < 0)
14135 - return (void __user *)-1L;
14136 + return (__force void __user *)-1L;
14138 return (void __user *)sp;
14140 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
14143 if (current->mm->context.vdso)
14144 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
14145 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
14147 - restorer = &frame->retcode;
14148 + restorer = (void __user *)&frame->retcode;
14149 if (ka->sa.sa_flags & SA_RESTORER)
14150 restorer = ka->sa.sa_restorer;
14152 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
14153 * reasons and because gdb uses it as a signature to notice
14154 * signal handler stack frames.
14156 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
14157 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
14161 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
14162 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
14164 /* Set up to return from userspace. */
14165 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
14166 + if (current->mm->context.vdso)
14167 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
14169 + restorer = (void __user *)&frame->retcode;
14170 if (ka->sa.sa_flags & SA_RESTORER)
14171 restorer = ka->sa.sa_restorer;
14172 put_user_ex(restorer, &frame->pretcode);
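Review bot: With no vdso mapped, `restorer` now falls back to `&frame->retcode`, which is code stored in the signal frame on the user stack, yet the comment further down in this function still describes that stub as kept because gdb uses it as a signature. On a task whose stack is not executable, returning through it would presumably fault unless the handler was installed with `SA_RESTORER`. A comment at the fallback, e.g. `/* no vdso: return through the on-stack stub, needs an executable stack */`, would make the dependency visible. The `else` that belongs between the two assignments is not shown in this listing, and __setup_rt_frame begins and ends outside the hunk.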
14173 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
14174 * reasons and because gdb uses it as a signature to notice
14175 * signal handler stack frames.
14177 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
14178 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
14179 } put_user_catch(err);
14182 @@ -780,7 +783,7 @@ static void do_signal(struct pt_regs *re
14183 * X86_32: vm86 regs switched out by assembly code before reaching
14184 * here, so testing against kernel CS suffices.
14186 - if (!user_mode(regs))
14187 + if (!user_mode_novm(regs))
14190 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
14191 diff -urNp linux-2.6.36.2/arch/x86/kernel/smpboot.c linux-2.6.36.2/arch/x86/kernel/smpboot.c
14192 --- linux-2.6.36.2/arch/x86/kernel/smpboot.c 2010-10-20 16:30:22.000000000 -0400
14193 +++ linux-2.6.36.2/arch/x86/kernel/smpboot.c 2010-12-09 20:24:55.000000000 -0500
14194 @@ -782,7 +782,11 @@ do_rest:
14195 (unsigned long)task_stack_page(c_idle.idle) -
14196 KERNEL_STACK_OFFSET + THREAD_SIZE;
14199 + pax_open_kernel();
14200 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
14201 + pax_close_kernel();
14203 initial_code = (unsigned long)start_secondary;
14204 stack_start.sp = (void *) c_idle.idle->thread.sp;
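Review bot: Nothing in the hunk says why the single store to `early_gdt_descr.address` needs a `pax_open_kernel()` / `pax_close_kernel()` pair. Presumably `early_gdt_descr` lives in memory that is write-protected in this configuration; if so, a comment such as `/* early_gdt_descr is read-only here; open the write window for this store only */` keeps a later edit from adding unrelated writes inside the window. The surrounding do_rest code begins and ends outside the hunk.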
14206 @@ -922,6 +926,12 @@ int __cpuinit native_cpu_up(unsigned int
14208 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
14210 +#ifdef CONFIG_PAX_PER_CPU_PGD
14211 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
14212 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
14213 + KERNEL_PGD_PTRS);
14216 err = do_boot_cpu(apicid, cpu);
14219 diff -urNp linux-2.6.36.2/arch/x86/kernel/step.c linux-2.6.36.2/arch/x86/kernel/step.c
14220 --- linux-2.6.36.2/arch/x86/kernel/step.c 2010-10-20 16:30:22.000000000 -0400
14221 +++ linux-2.6.36.2/arch/x86/kernel/step.c 2010-12-09 20:24:54.000000000 -0500
14222 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
14223 struct desc_struct *desc;
14224 unsigned long base;
14229 mutex_lock(&child->mm->context.lock);
14230 - if (unlikely((seg >> 3) >= child->mm->context.size))
14231 + if (unlikely(seg >= child->mm->context.size))
14232 addr = -1L; /* bogus selector, access would fault */
14234 desc = child->mm->context.ldt + seg;
14235 @@ -53,6 +53,9 @@ static int is_setting_trap_flag(struct t
14236 unsigned char opcode[15];
14237 unsigned long addr = convert_ip_to_linear(child, regs);
14239 + if (addr == -EINVAL)
14242 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
14243 for (i = 0; i < copied; i++) {
14244 switch (opcode[i]) {
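Review bot: The new guard `if (addr == -EINVAL)` does not match the sentinel that convert_ip_to_linear assigns in the previous hunk, `addr = -1L; /* bogus selector, access would fault */`, so a bogus LDT selector still reaches `access_process_vm()` with that address. Unless another path of convert_ip_to_linear outside the visible lines returns `-EINVAL`, the test should compare against the value actually produced, e.g. `if (addr == -1L)`, or both functions should share one named constant. The statement under the `if` is not shown in this listing, and is_setting_trap_flag continues past the hunk.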
14245 @@ -74,7 +77,7 @@ static int is_setting_trap_flag(struct t
14247 #ifdef CONFIG_X86_64
14248 case 0x40 ... 0x4f:
14249 - if (regs->cs != __USER_CS)
14250 + if ((regs->cs & 0xffff) != __USER_CS)
14251 /* 32-bit mode: register increment */
14253 /* 64-bit mode: REX prefix */
14254 diff -urNp linux-2.6.36.2/arch/x86/kernel/syscall_table_32.S linux-2.6.36.2/arch/x86/kernel/syscall_table_32.S
14255 --- linux-2.6.36.2/arch/x86/kernel/syscall_table_32.S 2010-10-20 16:30:22.000000000 -0400
14256 +++ linux-2.6.36.2/arch/x86/kernel/syscall_table_32.S 2010-12-09 20:24:54.000000000 -0500
14258 +.section .rodata,"a",@progbits
14259 ENTRY(sys_call_table)
14260 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
14262 diff -urNp linux-2.6.36.2/arch/x86/kernel/sys_i386_32.c linux-2.6.36.2/arch/x86/kernel/sys_i386_32.c
14263 --- linux-2.6.36.2/arch/x86/kernel/sys_i386_32.c 2010-10-20 16:30:22.000000000 -0400
14264 +++ linux-2.6.36.2/arch/x86/kernel/sys_i386_32.c 2010-12-09 20:24:55.000000000 -0500
14265 @@ -24,6 +24,228 @@
14267 #include <asm/syscalls.h>
14269 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
14271 + unsigned long pax_task_size = TASK_SIZE;
14273 +#ifdef CONFIG_PAX_SEGMEXEC
14274 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
14275 + pax_task_size = SEGMEXEC_TASK_SIZE;
14278 + if (len > pax_task_size || addr > pax_task_size - len)
14285 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
14286 + unsigned long len, unsigned long pgoff, unsigned long flags)
14288 + struct mm_struct *mm = current->mm;
14289 + struct vm_area_struct *vma;
14290 + unsigned long start_addr, pax_task_size = TASK_SIZE;
14292 +#ifdef CONFIG_PAX_SEGMEXEC
14293 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14294 + pax_task_size = SEGMEXEC_TASK_SIZE;
14297 + pax_task_size -= PAGE_SIZE;
14299 + if (len > pax_task_size)
14302 + if (flags & MAP_FIXED)
14305 +#ifdef CONFIG_PAX_RANDMMAP
14306 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14310 + addr = PAGE_ALIGN(addr);
14311 + if (pax_task_size - len >= addr) {
14312 + vma = find_vma(mm, addr);
14313 + if (check_heap_stack_gap(vma, addr, len))
14317 + if (len > mm->cached_hole_size) {
14318 + start_addr = addr = mm->free_area_cache;
14320 + start_addr = addr = mm->mmap_base;
14321 + mm->cached_hole_size = 0;
14324 +#ifdef CONFIG_PAX_PAGEEXEC
14325 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
14326 + start_addr = 0x00110000UL;
14328 +#ifdef CONFIG_PAX_RANDMMAP
14329 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14330 + start_addr += mm->delta_mmap & 0x03FFF000UL;
14333 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
14334 + start_addr = addr = mm->mmap_base;
14336 + addr = start_addr;
14341 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
14342 + /* At this point: (!vma || addr < vma->vm_end). */
14343 + if (pax_task_size - len < addr) {
14345 + * Start a new search - just in case we missed
14348 + if (start_addr != mm->mmap_base) {
14349 + start_addr = addr = mm->mmap_base;
14350 + mm->cached_hole_size = 0;
14351 + goto full_search;
14355 + if (check_heap_stack_gap(vma, addr, len))
14357 + if (addr + mm->cached_hole_size < vma->vm_start)
14358 + mm->cached_hole_size = vma->vm_start - addr;
14359 + addr = vma->vm_end;
14360 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
14361 + start_addr = addr = mm->mmap_base;
14362 + mm->cached_hole_size = 0;
14363 + goto full_search;
14368 + * Remember the place where we stopped the search:
14370 + mm->free_area_cache = addr + len;
14375 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
14376 + const unsigned long len, const unsigned long pgoff,
14377 + const unsigned long flags)
14379 + struct vm_area_struct *vma;
14380 + struct mm_struct *mm = current->mm;
14381 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
14383 +#ifdef CONFIG_PAX_SEGMEXEC
14384 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14385 + pax_task_size = SEGMEXEC_TASK_SIZE;
14388 + pax_task_size -= PAGE_SIZE;
14390 + /* requested length too big for entire address space */
14391 + if (len > pax_task_size)
14394 + if (flags & MAP_FIXED)
14397 +#ifdef CONFIG_PAX_PAGEEXEC
14398 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
14402 +#ifdef CONFIG_PAX_RANDMMAP
14403 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14406 + /* requesting a specific address */
14408 + addr = PAGE_ALIGN(addr);
14409 + if (pax_task_size - len >= addr) {
14410 + vma = find_vma(mm, addr);
14411 + if (check_heap_stack_gap(vma, addr, len))
14416 + /* check if free_area_cache is useful for us */
14417 + if (len <= mm->cached_hole_size) {
14418 + mm->cached_hole_size = 0;
14419 + mm->free_area_cache = mm->mmap_base;
14422 + /* either no address requested or can't fit in requested address hole */
14423 + addr = mm->free_area_cache;
14425 + /* make sure it can fit in the remaining address space */
14426 + if (addr > len) {
14427 + vma = find_vma(mm, addr-len);
14428 + if (check_heap_stack_gap(vma, addr - len, len))
14429 + /* remember the address as a hint for next time */
14430 + return (mm->free_area_cache = addr-len);
14433 + if (mm->mmap_base < len)
14436 + addr = mm->mmap_base-len;
14440 + * Lookup failure means no vma is above this address,
14441 + * else if new region fits below vma->vm_start,
14442 + * return with success:
14444 + vma = find_vma(mm, addr);
14445 + if (check_heap_stack_gap(vma, addr, len))
14446 + /* remember the address as a hint for next time */
14447 + return (mm->free_area_cache = addr);
14449 + /* remember the largest hole we saw so far */
14450 + if (addr + mm->cached_hole_size < vma->vm_start)
14451 + mm->cached_hole_size = vma->vm_start - addr;
14453 + /* try just below the current vma->vm_start */
14454 + addr = vma->vm_start-len;
14455 + } while (len < vma->vm_start);
14459 + * A failed mmap() very likely causes application failure,
14460 + * so fall back to the bottom-up function here. This scenario
14461 + * can happen with large stack limits and large mmap()
14465 +#ifdef CONFIG_PAX_SEGMEXEC
14466 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14467 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
14471 + mm->mmap_base = TASK_UNMAPPED_BASE;
14473 +#ifdef CONFIG_PAX_RANDMMAP
14474 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14475 + mm->mmap_base += mm->delta_mmap;
14478 + mm->free_area_cache = mm->mmap_base;
14479 + mm->cached_hole_size = ~0UL;
14480 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14482 + * Restore the topdown base:
14484 + mm->mmap_base = base;
14485 + mm->free_area_cache = base;
14486 + mm->cached_hole_size = ~0UL;
14492 * Do a system call from kernel instead of calling sys_execve so we
14493 * end up with proper pt_regs.
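Review bot: In both search loops `vma->vm_start` is dereferenced immediately after `check_heap_stack_gap(vma, addr, len)` returns false, so the code is only safe if that helper returns true for `vma == NULL`; the helper is not defined in this hunk. The stock test it replaces in sys_x86_64.c, `!vma || addr + len <= vma->vm_start`, made the NULL case explicit. Either state the contract at the call sites, e.g. `/* check_heap_stack_gap() accepts a NULL vma as "fits" */`, or keep the explicit form `if (!vma || check_heap_stack_gap(vma, addr, len))`. The same reliance appears to apply to the converted loops in arch/x86/kernel/sys_x86_64.c, and the constants `0x00110000UL` and `0x03FFF000UL` in the PAGEEXEC branch would also benefit from a comment saying what they bound.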
14494 diff -urNp linux-2.6.36.2/arch/x86/kernel/sys_x86_64.c linux-2.6.36.2/arch/x86/kernel/sys_x86_64.c
14495 --- linux-2.6.36.2/arch/x86/kernel/sys_x86_64.c 2010-10-20 16:30:22.000000000 -0400
14496 +++ linux-2.6.36.2/arch/x86/kernel/sys_x86_64.c 2010-12-09 20:24:54.000000000 -0500
14497 @@ -32,8 +32,8 @@ out:
14501 -static void find_start_end(unsigned long flags, unsigned long *begin,
14502 - unsigned long *end)
14503 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
14504 + unsigned long *begin, unsigned long *end)
14506 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
14507 unsigned long new_begin;
14508 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
14509 *begin = new_begin;
14512 - *begin = TASK_UNMAPPED_BASE;
14513 + *begin = mm->mmap_base;
14517 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
14518 if (flags & MAP_FIXED)
14521 - find_start_end(flags, &begin, &end);
14522 + find_start_end(mm, flags, &begin, &end);
14527 +#ifdef CONFIG_PAX_RANDMMAP
14528 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14532 addr = PAGE_ALIGN(addr);
14533 vma = find_vma(mm, addr);
14534 - if (end - len >= addr &&
14535 - (!vma || addr + len <= vma->vm_start))
14536 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
14539 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
14540 @@ -106,7 +109,7 @@ full_search:
14544 - if (!vma || addr + len <= vma->vm_start) {
14545 + if (check_heap_stack_gap(vma, addr, len)) {
14547 * Remember the place where we stopped the search:
14549 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
14551 struct vm_area_struct *vma;
14552 struct mm_struct *mm = current->mm;
14553 - unsigned long addr = addr0;
14554 + unsigned long base = mm->mmap_base, addr = addr0;
14556 /* requested length too big for entire address space */
14557 if (len > TASK_SIZE)
14558 @@ -141,12 +144,15 @@ arch_get_unmapped_area_topdown(struct fi
14559 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
14562 +#ifdef CONFIG_PAX_RANDMMAP
14563 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14566 /* requesting a specific address */
14568 addr = PAGE_ALIGN(addr);
14569 vma = find_vma(mm, addr);
14570 - if (TASK_SIZE - len >= addr &&
14571 - (!vma || addr + len <= vma->vm_start))
14572 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
14576 @@ -162,7 +168,7 @@ arch_get_unmapped_area_topdown(struct fi
14577 /* make sure it can fit in the remaining address space */
14579 vma = find_vma(mm, addr-len);
14580 - if (!vma || addr <= vma->vm_start)
14581 + if (check_heap_stack_gap(vma, addr - len, len))
14582 /* remember the address as a hint for next time */
14583 return mm->free_area_cache = addr-len;
14585 @@ -179,7 +185,7 @@ arch_get_unmapped_area_topdown(struct fi
14586 * return with success:
14588 vma = find_vma(mm, addr);
14589 - if (!vma || addr+len <= vma->vm_start)
14590 + if (check_heap_stack_gap(vma, addr, len))
14591 /* remember the address as a hint for next time */
14592 return mm->free_area_cache = addr;
14594 @@ -198,13 +204,21 @@ bottomup:
14595 * can happen with large stack limits and large mmap()
14598 + mm->mmap_base = TASK_UNMAPPED_BASE;
14600 +#ifdef CONFIG_PAX_RANDMMAP
14601 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14602 + mm->mmap_base += mm->delta_mmap;
14605 + mm->free_area_cache = mm->mmap_base;
14606 mm->cached_hole_size = ~0UL;
14607 - mm->free_area_cache = TASK_UNMAPPED_BASE;
14608 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14610 * Restore the topdown base:
14612 - mm->free_area_cache = mm->mmap_base;
14613 + mm->mmap_base = base;
14614 + mm->free_area_cache = base;
14615 mm->cached_hole_size = ~0UL;
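Review bot: `mm->mmap_base` is overwritten with the bottom-up base for the duration of the `arch_get_unmapped_area()` call and only restored from the local `base` afterwards, which is needed because find_start_end now starts from `mm->mmap_base`. Any other reader of `mm->mmap_base` during that window would see the temporary value, so this presumably relies on the caller holding the mm's mmap semaphore for writing; nothing visible here says so. A comment above the assignment, e.g. `/* caller holds mmap_sem for writing: mmap_base is swapped only for the fallback search */`, would document it once the author confirms the locking. The fallback in arch/x86/kernel/sys_i386_32.c uses the same swap.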
14618 diff -urNp linux-2.6.36.2/arch/x86/kernel/time.c linux-2.6.36.2/arch/x86/kernel/time.c
14619 --- linux-2.6.36.2/arch/x86/kernel/time.c 2010-10-20 16:30:22.000000000 -0400
14620 +++ linux-2.6.36.2/arch/x86/kernel/time.c 2010-12-09 20:24:54.000000000 -0500
14621 @@ -26,17 +26,13 @@
14625 -#ifdef CONFIG_X86_64
14626 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
14629 unsigned long profile_pc(struct pt_regs *regs)
14631 unsigned long pc = instruction_pointer(regs);
14633 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
14634 + if (!user_mode(regs) && in_lock_functions(pc)) {
14635 #ifdef CONFIG_FRAME_POINTER
14636 - return *(unsigned long *)(regs->bp + sizeof(long));
14637 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
14639 unsigned long *sp =
14640 (unsigned long *)kernel_stack_pointer(regs);
14641 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
14642 * or above a saved flags. Eflags has bits 22-31 zero,
14643 * kernel addresses don't.
14646 +#ifdef CONFIG_PAX_KERNEXEC
14647 + return ktla_ktva(sp[0]);
14659 diff -urNp linux-2.6.36.2/arch/x86/kernel/tls.c linux-2.6.36.2/arch/x86/kernel/tls.c
14660 --- linux-2.6.36.2/arch/x86/kernel/tls.c 2010-10-20 16:30:22.000000000 -0400
14661 +++ linux-2.6.36.2/arch/x86/kernel/tls.c 2010-12-09 20:24:55.000000000 -0500
14662 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
14663 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
14666 +#ifdef CONFIG_PAX_SEGMEXEC
14667 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
14671 set_tls_desc(p, idx, &info, 1);
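Review bot: `p->mm->pax_flags` is read without checking `p->mm`, whereas the PAGEEXEC block added to do_general_protection in traps.c tests `tsk->mm &&` before touching `pax_flags`. Whether do_set_thread_area can be reached for a task without an mm is not visible from this hunk, so either add the same guard, `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))`, or note in a comment why `p->mm` cannot be NULL here. The statement under the `if` is not shown in this listing.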
14674 diff -urNp linux-2.6.36.2/arch/x86/kernel/trampoline_32.S linux-2.6.36.2/arch/x86/kernel/trampoline_32.S
14675 --- linux-2.6.36.2/arch/x86/kernel/trampoline_32.S 2010-10-20 16:30:22.000000000 -0400
14676 +++ linux-2.6.36.2/arch/x86/kernel/trampoline_32.S 2010-12-09 20:24:54.000000000 -0500
14678 #include <asm/segment.h>
14679 #include <asm/page_types.h>
14681 +#ifdef CONFIG_PAX_KERNEXEC
14684 +#define ta(X) ((X) - __PAGE_OFFSET)
14687 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
14690 @@ -60,7 +66,7 @@ r_base = .
14691 inc %ax # protected mode (PE) bit
14692 lmsw %ax # into protected mode
14693 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
14694 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
14695 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
14697 # These need to be in the same 64K segment as the above;
14698 # hence we don't use the boot_gdt_descr defined in head.S
14699 diff -urNp linux-2.6.36.2/arch/x86/kernel/trampoline_64.S linux-2.6.36.2/arch/x86/kernel/trampoline_64.S
14700 --- linux-2.6.36.2/arch/x86/kernel/trampoline_64.S 2010-10-20 16:30:22.000000000 -0400
14701 +++ linux-2.6.36.2/arch/x86/kernel/trampoline_64.S 2010-12-09 20:24:54.000000000 -0500
14702 @@ -91,7 +91,7 @@ startup_32:
14703 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
14706 - movl $X86_CR4_PAE, %eax
14707 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
14708 movl %eax, %cr4 # Enable PAE mode
14710 # Setup trampoline 4 level pagetables
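Review bot: The trailing comment on the `movl %eax, %cr4` line still reads `# Enable PAE mode`, but the value loaded into `%cr4` now also sets the PSE and PGE bits. Update it to something like `# Enable PSE, PAE and PGE`, and say why the trampoline needs the two extra bits this early, since the hunk gives no reason.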
14711 @@ -138,7 +138,7 @@ tidt:
14712 # so the kernel can live anywhere
14715 - .short tgdt_end - tgdt # gdt limit
14716 + .short tgdt_end - tgdt - 1 # gdt limit
14717 .long tgdt - r_base
14719 .quad 0x00cf9b000000ffff # __KERNEL32_CS
14720 diff -urNp linux-2.6.36.2/arch/x86/kernel/traps.c linux-2.6.36.2/arch/x86/kernel/traps.c
14721 --- linux-2.6.36.2/arch/x86/kernel/traps.c 2010-11-26 18:26:24.000000000 -0500
14722 +++ linux-2.6.36.2/arch/x86/kernel/traps.c 2010-12-09 20:24:54.000000000 -0500
14723 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
14725 /* Do we ignore FPU interrupts ? */
14726 char ignore_fpu_irq;
14729 - * The IDT has to be page-aligned to simplify the Pentium
14730 - * F0 0F bug workaround.
14732 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
14735 DECLARE_BITMAP(used_vectors, NR_VECTORS);
14736 @@ -110,13 +104,13 @@ static inline void preempt_conditional_c
14739 static void __kprobes
14740 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
14741 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
14742 long error_code, siginfo_t *info)
14744 struct task_struct *tsk = current;
14746 #ifdef CONFIG_X86_32
14747 - if (regs->flags & X86_VM_MASK) {
14748 + if (v8086_mode(regs)) {
14750 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
14751 * On nmi (interrupt 2), do_trap should not be called.
14752 @@ -127,7 +121,7 @@ do_trap(int trapnr, int signr, char *str
14756 - if (!user_mode(regs))
14757 + if (!user_mode_novm(regs))
14760 #ifdef CONFIG_X86_32
14761 @@ -150,7 +144,7 @@ trap_signal:
14762 printk_ratelimit()) {
14764 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
14765 - tsk->comm, tsk->pid, str,
14766 + tsk->comm, task_pid_nr(tsk), str,
14767 regs->ip, regs->sp, error_code);
14768 print_vma_addr(" in ", regs->ip);
14770 @@ -167,8 +161,20 @@ kernel_trap:
14771 if (!fixup_exception(regs)) {
14772 tsk->thread.error_code = error_code;
14773 tsk->thread.trap_no = trapnr;
14775 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14776 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
14777 + str = "PAX: suspicious stack segment fault";
14780 die(str, regs, error_code);
14783 +#ifdef CONFIG_PAX_REFCOUNT
14785 + pax_report_refcount_overflow(regs);
14790 #ifdef CONFIG_X86_32
14791 @@ -257,14 +263,30 @@ do_general_protection(struct pt_regs *re
14792 conditional_sti(regs);
14794 #ifdef CONFIG_X86_32
14795 - if (regs->flags & X86_VM_MASK)
14796 + if (v8086_mode(regs))
14801 - if (!user_mode(regs))
14802 + if (!user_mode_novm(regs))
14805 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14806 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
14807 + struct mm_struct *mm = tsk->mm;
14808 + unsigned long limit;
14810 + down_write(&mm->mmap_sem);
14811 + limit = mm->context.user_cs_limit;
14812 + if (limit < TASK_SIZE) {
14813 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
14814 + up_write(&mm->mmap_sem);
14817 + up_write(&mm->mmap_sem);
14821 tsk->thread.error_code = error_code;
14822 tsk->thread.trap_no = 13;
14824 @@ -297,6 +319,13 @@ gp_in_kernel:
14825 if (notify_die(DIE_GPF, "general protection fault", regs,
14826 error_code, 13, SIGSEGV) == NOTIFY_STOP)
14829 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14830 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
14831 + die("PAX: suspicious general protection fault", regs, error_code);
14835 die("general protection fault", regs, error_code);
14838 @@ -572,7 +601,7 @@ dotraplinkage void __kprobes do_debug(st
14839 /* It's safe to allow irq's after DR6 has been saved */
14840 preempt_conditional_sti(regs);
14842 - if (regs->flags & X86_VM_MASK) {
14843 + if (v8086_mode(regs)) {
14844 handle_vm86_trap((struct kernel_vm86_regs *) regs,
14846 preempt_conditional_cli(regs);
14847 @@ -586,7 +615,7 @@ dotraplinkage void __kprobes do_debug(st
14848 * We already checked v86 mode above, so we can check for kernel mode
14849 * by just checking the CPL of CS.
14851 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
14852 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
14853 tsk->thread.debugreg6 &= ~DR_STEP;
14854 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
14855 regs->flags &= ~X86_EFLAGS_TF;
14856 @@ -615,7 +644,7 @@ void math_error(struct pt_regs *regs, in
14858 conditional_sti(regs);
14860 - if (!user_mode_vm(regs))
14861 + if (!user_mode(regs))
14863 if (!fixup_exception(regs)) {
14864 task->thread.error_code = error_code;
14865 diff -urNp linux-2.6.36.2/arch/x86/kernel/tsc.c linux-2.6.36.2/arch/x86/kernel/tsc.c
14866 --- linux-2.6.36.2/arch/x86/kernel/tsc.c 2010-10-20 16:30:22.000000000 -0400
14867 +++ linux-2.6.36.2/arch/x86/kernel/tsc.c 2010-12-09 20:24:55.000000000 -0500
14868 @@ -832,7 +832,7 @@ static struct dmi_system_id __initdata b
14869 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
14873 + { NULL, NULL, {{0, {0}}}, NULL}
14876 static void __init check_system_tsc_reliable(void)
14877 diff -urNp linux-2.6.36.2/arch/x86/kernel/vm86_32.c linux-2.6.36.2/arch/x86/kernel/vm86_32.c
14878 --- linux-2.6.36.2/arch/x86/kernel/vm86_32.c 2010-11-26 18:26:24.000000000 -0500
14879 +++ linux-2.6.36.2/arch/x86/kernel/vm86_32.c 2010-12-09 20:24:54.000000000 -0500
14881 #include <linux/ptrace.h>
14882 #include <linux/audit.h>
14883 #include <linux/stddef.h>
14884 +#include <linux/grsecurity.h>
14886 #include <asm/uaccess.h>
14887 #include <asm/io.h>
14888 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
14892 - tss = &per_cpu(init_tss, get_cpu());
14893 + tss = init_tss + get_cpu();
14894 current->thread.sp0 = current->thread.saved_sp0;
14895 current->thread.sysenter_cs = __KERNEL_CS;
14896 load_sp0(tss, ¤t->thread);
14897 @@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
14898 struct task_struct *tsk;
14899 int tmp, ret = -EPERM;
14901 +#ifdef CONFIG_GRKERNSEC_VM86
14902 + if (!capable(CAP_SYS_RAWIO)) {
14903 + gr_handle_vm86();
14909 if (tsk->thread.saved_sp0)
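Review bot: The `CONFIG_GRKERNSEC_VM86` guard added here, beginning `if (!capable(CAP_SYS_RAWIO)) {` and calling `gr_handle_vm86();`, is repeated in sys_vm86 in the next hunk. Two hand-copied copies of a privilege check tend to drift; a small `static` helper called from both entry points would keep them identical. A short comment saying that vm86 mode is restricted to `CAP_SYS_RAWIO` holders when the option is enabled would also help, because the rest of the block is not shown in this listing and the error path cannot be read from here. sys_vm86old begins and ends outside the hunk.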
14911 @@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
14913 struct vm86plus_struct __user *v86;
14915 +#ifdef CONFIG_GRKERNSEC_VM86
14916 + if (!capable(CAP_SYS_RAWIO)) {
14917 + gr_handle_vm86();
14925 case VM86_REQUEST_IRQ:
14926 @@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
14927 tsk->thread.saved_fs = info->regs32->fs;
14928 tsk->thread.saved_gs = get_user_gs(info->regs32);
14930 - tss = &per_cpu(init_tss, get_cpu());
14931 + tss = init_tss + get_cpu();
14932 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
14934 tsk->thread.sysenter_cs = 0;
14935 @@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
14936 goto cannot_handle;
14937 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
14938 goto cannot_handle;
14939 - intr_ptr = (unsigned long __user *) (i << 2);
14940 + intr_ptr = (__force unsigned long __user *) (i << 2);
14941 if (get_user(segoffs, intr_ptr))
14942 goto cannot_handle;
14943 if ((segoffs >> 16) == BIOSSEG)
14944 diff -urNp linux-2.6.36.2/arch/x86/kernel/vmi_32.c linux-2.6.36.2/arch/x86/kernel/vmi_32.c
14945 --- linux-2.6.36.2/arch/x86/kernel/vmi_32.c 2010-10-20 16:30:22.000000000 -0400
14946 +++ linux-2.6.36.2/arch/x86/kernel/vmi_32.c 2010-12-09 20:24:55.000000000 -0500
14947 @@ -46,12 +46,17 @@ typedef u32 __attribute__((regparm(1)))
14948 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
14950 #define call_vrom_func(rom,func) \
14951 - (((VROMFUNC *)(rom->func))())
14952 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
14954 #define call_vrom_long_func(rom,func,arg) \
14955 - (((VROMLONGFUNC *)(rom->func)) (arg))
14957 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
14958 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
14959 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
14963 -static struct vrom_header *vmi_rom;
14964 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
14965 static int disable_pge;
14966 static int disable_pse;
14967 static int disable_sep;
14968 @@ -78,10 +83,10 @@ static struct {
14969 void (*set_initial_ap_state)(int, int);
14970 void (*halt)(void);
14971 void (*set_lazy_mode)(int mode);
14973 +} vmi_ops __read_only;
14975 /* Cached VMI operations */
14976 -struct vmi_timer_ops vmi_timer_ops;
14977 +struct vmi_timer_ops vmi_timer_ops __read_only;
14980 * VMI patching routines.
14981 @@ -96,7 +101,7 @@ struct vmi_timer_ops vmi_timer_ops;
14982 static inline void patch_offset(void *insnbuf,
14983 unsigned long ip, unsigned long dest)
14985 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
14986 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
14989 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
14990 @@ -104,6 +109,7 @@ static unsigned patch_internal(int call,
14993 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
14995 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
14996 switch(rel->type) {
14997 case VMI_RELOCATION_CALL_REL:
14998 @@ -382,13 +388,13 @@ static void vmi_set_pud(pud_t *pudp, pud
15000 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
15002 - const pte_t pte = { .pte = 0 };
15003 + const pte_t pte = __pte(0ULL);
15004 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
15007 static void vmi_pmd_clear(pmd_t *pmd)
15009 - const pte_t pte = { .pte = 0 };
15010 + const pte_t pte = __pte(0ULL);
15011 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
15014 @@ -416,8 +422,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
15015 ap.ss = __KERNEL_DS;
15016 ap.esp = (unsigned long) start_esp;
15018 - ap.ds = __USER_DS;
15019 - ap.es = __USER_DS;
15020 + ap.ds = __KERNEL_DS;
15021 + ap.es = __KERNEL_DS;
15022 ap.fs = __KERNEL_PERCPU;
15023 ap.gs = __KERNEL_STACK_CANARY;
15025 @@ -464,6 +470,18 @@ static void vmi_leave_lazy_mmu(void)
15026 paravirt_leave_lazy_mmu();
15029 +#ifdef CONFIG_PAX_KERNEXEC
15030 +static unsigned long vmi_pax_open_kernel(void)
15035 +static unsigned long vmi_pax_close_kernel(void)
15041 static inline int __init check_vmi_rom(struct vrom_header *rom)
15043 struct pci_header *pci;
15044 @@ -476,6 +494,10 @@ static inline int __init check_vmi_rom(s
15046 if (rom->vrom_signature != VMI_SIGNATURE)
15048 + if (rom->rom_length * 512 > sizeof(*rom)) {
15049 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
15052 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
15053 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
15054 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
15055 @@ -540,7 +562,7 @@ static inline int __init probe_vmi_rom(v
15056 struct vrom_header *romstart;
15057 romstart = (struct vrom_header *)isa_bus_to_virt(base);
15058 if (check_vmi_rom(romstart)) {
15059 - vmi_rom = romstart;
15060 + vmi_rom = *romstart;
15064 @@ -816,6 +838,11 @@ static inline int __init activate_vmi(vo
15066 para_fill(pv_irq_ops.safe_halt, Halt);
15068 +#ifdef CONFIG_PAX_KERNEXEC
15069 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
15070 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
15074 * Alternative instruction rewriting doesn't happen soon enough
15075 * to convert VMI_IRET to a call instead of a jump; so we have
15076 @@ -833,16 +860,16 @@ static inline int __init activate_vmi(vo
15078 void __init vmi_init(void)
15081 + if (!vmi_rom.rom_signature)
15084 - check_vmi_rom(vmi_rom);
15085 + check_vmi_rom(&vmi_rom);
15087 /* In case probing for or validating the ROM failed, basil */
15089 + if (!vmi_rom.rom_signature)
15092 - reserve_top_address(-vmi_rom->virtual_top);
15093 + reserve_top_address(-vmi_rom.virtual_top);
15095 #ifdef CONFIG_X86_IO_APIC
15096 /* This is virtual hardware; timer routing is wired correctly */
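Review bot: The return value of `check_vmi_rom(&vmi_rom)` is discarded, so a ROM copy that fails validation still has a non-zero `rom_signature` and passes the following `if (!vmi_rom.rom_signature)` test, although the comment above that test says it covers a failed validation. The presence check also looks at `rom_signature`, while check_vmi_rom validates `vrom_signature`. Consider clearing the sentinel on failure, e.g. `if (!check_vmi_rom(&vmi_rom)) vmi_rom.rom_signature = 0;`, assuming check_vmi_rom returns non-zero for a valid ROM as its use in probe_vmi_rom suggests. Several lines of this hunk are missing from the listing, so the exact branch structure should be confirmed.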
15097 @@ -854,7 +881,7 @@ void __init vmi_activate(void)
15099 unsigned long flags;
15102 + if (!vmi_rom.rom_signature)
15105 local_irq_save(flags);
15106 diff -urNp linux-2.6.36.2/arch/x86/kernel/vmlinux.lds.S linux-2.6.36.2/arch/x86/kernel/vmlinux.lds.S
15107 --- linux-2.6.36.2/arch/x86/kernel/vmlinux.lds.S 2010-10-20 16:30:22.000000000 -0400
15108 +++ linux-2.6.36.2/arch/x86/kernel/vmlinux.lds.S 2010-12-09 20:24:55.000000000 -0500
15110 #include <asm/page_types.h>
15111 #include <asm/cache.h>
15112 #include <asm/boot.h>
15113 +#include <asm/segment.h>
15115 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15116 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
15118 +#define __KERNEL_TEXT_OFFSET 0
15121 #undef i386 /* in case the preprocessor is a 32bit one */
15123 @@ -34,13 +41,13 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
15124 #ifdef CONFIG_X86_32
15126 ENTRY(phys_startup_32)
15127 -jiffies = jiffies_64;
15129 OUTPUT_ARCH(i386:x86-64)
15130 ENTRY(phys_startup_64)
15131 -jiffies_64 = jiffies;
15134 +jiffies = jiffies_64;
15136 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
15138 * On 64-bit, align RODATA to 2MB so that even with CONFIG_DEBUG_RODATA
15139 @@ -69,31 +76,46 @@ jiffies_64 = jiffies;
15142 text PT_LOAD FLAGS(5); /* R_E */
15143 - data PT_LOAD FLAGS(7); /* RWE */
15144 +#ifdef CONFIG_X86_32
15145 + module PT_LOAD FLAGS(5); /* R_E */
15148 + rodata PT_LOAD FLAGS(5); /* R_E */
15150 + rodata PT_LOAD FLAGS(4); /* R__ */
15152 + data PT_LOAD FLAGS(6); /* RW_ */
15153 #ifdef CONFIG_X86_64
15154 user PT_LOAD FLAGS(5); /* R_E */
15156 + init.begin PT_LOAD FLAGS(6); /* RW_ */
15158 percpu PT_LOAD FLAGS(6); /* RW_ */
15160 + text.init PT_LOAD FLAGS(5); /* R_E */
15161 + text.exit PT_LOAD FLAGS(5); /* R_E */
15162 init PT_LOAD FLAGS(7); /* RWE */
15164 note PT_NOTE FLAGS(0); /* ___ */
15169 #ifdef CONFIG_X86_32
15170 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
15171 - phys_startup_32 = startup_32 - LOAD_OFFSET;
15172 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
15174 - . = __START_KERNEL;
15175 - phys_startup_64 = startup_64 - LOAD_OFFSET;
15176 + . = __START_KERNEL;
15179 /* Text and read-only data */
15180 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
15182 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
15183 /* bootstrapping code */
15184 +#ifdef CONFIG_X86_32
15185 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
15187 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
15189 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
15192 #ifdef CONFIG_X86_32
15193 . = ALIGN(PAGE_SIZE);
15194 @@ -108,13 +130,52 @@ SECTIONS
15198 - /* End of text section */
15202 - NOTES :text :note
15203 + . += __KERNEL_TEXT_OFFSET;
15205 +#ifdef CONFIG_X86_32
15206 + . = ALIGN(PAGE_SIZE);
15207 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
15211 + . = ALIGN(PAGE_SIZE);
15212 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
15214 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
15215 + MODULES_EXEC_VADDR = .;
15217 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
15218 + . = ALIGN(HPAGE_SIZE);
15219 + MODULES_EXEC_END = . - 1;
15225 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
15226 + /* End of text section */
15227 + _etext = . - __KERNEL_TEXT_OFFSET;
15230 +#ifdef CONFIG_X86_32
15231 + . = ALIGN(PAGE_SIZE);
15232 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
15234 + . = ALIGN(PAGE_SIZE);
15235 + *(.empty_zero_page)
15236 + *(.swapper_pg_fixmap)
15237 + *(.swapper_pg_pmd)
15238 + *(.swapper_pg_dir)
15239 + *(.trampoline_pg_dir)
15243 + . = ALIGN(PAGE_SIZE);
15244 + NOTES :rodata :note
15246 - EXCEPTION_TABLE(16) :text = 0x9090
15247 + EXCEPTION_TABLE(16) :rodata
15249 X64_ALIGN_DEBUG_RODATA_BEGIN
15251 @@ -122,16 +183,20 @@ SECTIONS
15254 .data : AT(ADDR(.data) - LOAD_OFFSET) {
15256 +#ifdef CONFIG_PAX_KERNEXEC
15257 + . = ALIGN(HPAGE_SIZE);
15259 + . = ALIGN(PAGE_SIZE);
15262 /* Start of data section */
15266 INIT_TASK_DATA(THREAD_SIZE)
15268 -#ifdef CONFIG_X86_32
15269 - /* 32 bit has nosave before _edata */
15273 PAGE_ALIGNED_DATA(PAGE_SIZE)
15275 @@ -194,12 +259,6 @@ SECTIONS
15277 vgetcpu_mode = VVIRT(.vgetcpu_mode);
15279 - . = ALIGN(L1_CACHE_BYTES);
15280 - .jiffies : AT(VLOAD(.jiffies)) {
15283 - jiffies = VVIRT(.jiffies);
15285 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
15288 @@ -215,12 +274,19 @@ SECTIONS
15289 #endif /* CONFIG_X86_64 */
15291 /* Init code and data - will be freed after init */
15292 - . = ALIGN(PAGE_SIZE);
15293 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
15296 +#ifdef CONFIG_PAX_KERNEXEC
15297 + . = ALIGN(HPAGE_SIZE);
15299 + . = ALIGN(PAGE_SIZE);
15302 __init_begin = .; /* paired with __init_end */
15306 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
15309 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
15310 * output PHDR, so the next output section - .init.text - should
15311 @@ -229,12 +295,27 @@ SECTIONS
15312 PERCPU_VADDR(0, :percpu)
15315 - INIT_TEXT_SECTION(PAGE_SIZE)
15316 -#ifdef CONFIG_X86_64
15319 + . = ALIGN(PAGE_SIZE);
15321 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
15322 + VMLINUX_SYMBOL(_sinittext) = .;
15324 + VMLINUX_SYMBOL(_einittext) = .;
15325 + . = ALIGN(PAGE_SIZE);
15329 + * .exit.text is discard at runtime, not link time, to deal with
15330 + * references from .altinstructions and .eh_frame
15332 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
15336 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
15338 - INIT_DATA_SECTION(16)
15339 + . = ALIGN(PAGE_SIZE);
15340 + INIT_DATA_SECTION(16) :init
15342 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
15343 __x86_cpu_dev_start = .;
15344 @@ -260,19 +341,11 @@ SECTIONS
15345 *(.altinstr_replacement)
15349 - * .exit.text is discard at runtime, not link time, to deal with
15350 - * references from .altinstructions and .eh_frame
15352 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
15356 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
15360 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
15361 +#ifndef CONFIG_SMP
15365 @@ -291,16 +364,10 @@ SECTIONS
15366 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
15369 - . = ALIGN(PAGE_SIZE);
15370 __smp_locks_end = .;
15371 + . = ALIGN(PAGE_SIZE);
15374 -#ifdef CONFIG_X86_64
15375 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
15381 . = ALIGN(PAGE_SIZE);
15382 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
15383 @@ -316,6 +383,7 @@ SECTIONS
15385 . += 64 * 1024; /* 64k alignment slop space */
15386 *(.brk_reservation) /* areas brk users have reserved */
15387 + . = ALIGN(HPAGE_SIZE);
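Review bot: The added `. = ALIGN(HPAGE_SIZE);` after `*(.brk_reservation)` is unconditional, while the other huge-page alignments this patch adds to the script (before the start of `.data` and in `.init.begin`) sit under `#ifdef CONFIG_PAX_KERNEXEC` with a `PAGE_SIZE` alternative. If the padding is only needed for KERNEXEC, the same guard would avoid growing the image in other configurations. If it is needed everywhere, a one-line comment giving the reason would remove the apparent inconsistency. The enclosing output section starts and ends outside the hunk.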
15391 @@ -342,13 +410,12 @@ SECTIONS
15392 * for the boot processor.
15394 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
15395 -INIT_PER_CPU(gdt_page);
15396 INIT_PER_CPU(irq_stack_union);
15399 * Build-time check on the image size:
15401 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
15402 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
15403 "kernel image bigger than KERNEL_IMAGE_SIZE");
15406 diff -urNp linux-2.6.36.2/arch/x86/kernel/vsyscall_64.c linux-2.6.36.2/arch/x86/kernel/vsyscall_64.c
15407 --- linux-2.6.36.2/arch/x86/kernel/vsyscall_64.c 2010-10-20 16:30:22.000000000 -0400
15408 +++ linux-2.6.36.2/arch/x86/kernel/vsyscall_64.c 2010-12-09 20:24:54.000000000 -0500
15409 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
15411 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
15412 /* copy vsyscall data */
15413 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
15414 vsyscall_gtod_data.clock.vread = clock->vread;
15415 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
15416 vsyscall_gtod_data.clock.mask = clock->mask;
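Review bot: The bound `sizeof vsyscall_gtod_data.clock.name` in the added `strlcpy` is correct only if `name` is a character array inside `vsyscall_gtod_data.clock`. That declaration is outside this hunk, and with a pointer member the copy would be capped at the pointer size. strlcpy also truncates silently and takes the length of all of `clock->name`, and it does so inside the `write_seqlock_irqsave` section. A comment on the line, for example `/* clock.name is a fixed char array; truncation is acceptable */`, would record both assumptions. update_vsyscall() continues outside the hunk.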
15417 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
15418 We do this here because otherwise user space would do it on
15419 its own in a likely inferior way (no access to jiffies).
15420 If you don't like it pass NULL. */
15421 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
15422 + if (tcache && tcache->blob[0] == (j = jiffies)) {
15423 p = tcache->blob[1];
15424 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
15425 /* Load per CPU data from RDTSCP */
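Review bot: The read of `jiffies` in `tcache->blob[0] == (j = jiffies)` needs a comment saying where that symbol resolves, because this patch also removes the `.jiffies` vsyscall section and the `jiffies = VVIRT(.jiffies)` alias from vmlinux.lds.S. The comment above the test says this caching exists so user space does not have to do it, which suggests the code is reached through the vsyscall page. Whether the plain `jiffies` symbol is readable in that context cannot be told from this hunk. Something like `/* jiffies is aliased to jiffies_64 in vmlinux.lds.S */` would settle it, if that is indeed what makes it work. vgetcpu() starts and ends outside the hunk.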
15426 diff -urNp linux-2.6.36.2/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.36.2/arch/x86/kernel/x8664_ksyms_64.c
15427 --- linux-2.6.36.2/arch/x86/kernel/x8664_ksyms_64.c 2010-10-20 16:30:22.000000000 -0400
15428 +++ linux-2.6.36.2/arch/x86/kernel/x8664_ksyms_64.c 2010-12-09 20:24:54.000000000 -0500
15429 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
15430 EXPORT_SYMBOL(copy_user_generic_string);
15431 EXPORT_SYMBOL(copy_user_generic_unrolled);
15432 EXPORT_SYMBOL(__copy_user_nocache);
15433 -EXPORT_SYMBOL(_copy_from_user);
15434 -EXPORT_SYMBOL(_copy_to_user);
15436 EXPORT_SYMBOL(copy_page);
15437 EXPORT_SYMBOL(clear_page);
15438 diff -urNp linux-2.6.36.2/arch/x86/kernel/xsave.c linux-2.6.36.2/arch/x86/kernel/xsave.c
15439 --- linux-2.6.36.2/arch/x86/kernel/xsave.c 2010-10-20 16:30:22.000000000 -0400
15440 +++ linux-2.6.36.2/arch/x86/kernel/xsave.c 2010-12-09 20:24:54.000000000 -0500
15441 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
15442 fx_sw_user->xstate_size > fx_sw_user->extended_size)
15445 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
15446 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
15447 fx_sw_user->extended_size -
15448 FP_XSTATE_MAGIC2_SIZE));
15450 @@ -267,7 +267,7 @@ fx_only:
15451 * the other extended state.
15453 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
15454 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
15455 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
15459 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
15461 err = restore_user_xstate(buf);
15463 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
15464 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
15466 if (unlikely(err)) {
15468 diff -urNp linux-2.6.36.2/arch/x86/kvm/emulate.c linux-2.6.36.2/arch/x86/kvm/emulate.c
15469 --- linux-2.6.36.2/arch/x86/kvm/emulate.c 2010-10-20 16:30:22.000000000 -0400
15470 +++ linux-2.6.36.2/arch/x86/kvm/emulate.c 2010-12-09 20:24:55.000000000 -0500
15472 #define Src2CL (1<<29)
15473 #define Src2ImmByte (2<<29)
15474 #define Src2One (3<<29)
15475 -#define Src2Mask (7<<29)
15476 +#define Src2Mask (7U<<29)
15479 Group1_80, Group1_81, Group1_82, Group1_83,
15480 @@ -446,6 +446,7 @@ static u32 group2_table[] = {
15482 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
15484 + unsigned long _tmp; \
15485 __asm__ __volatile__ ( \
15486 _PRE_EFLAGS("0", "4", "2") \
15487 _op _suffix " %"_x"3,%1; " \
15488 @@ -459,8 +460,6 @@ static u32 group2_table[] = {
15489 /* Raw emulation: instruction has two explicit operands. */
15490 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
15492 - unsigned long _tmp; \
15494 switch ((_dst).bytes) { \
15496 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
15497 @@ -476,7 +475,6 @@ static u32 group2_table[] = {
15499 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
15501 - unsigned long _tmp; \
15502 switch ((_dst).bytes) { \
15504 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
15505 diff -urNp linux-2.6.36.2/arch/x86/kvm/lapic.c linux-2.6.36.2/arch/x86/kvm/lapic.c
15506 --- linux-2.6.36.2/arch/x86/kvm/lapic.c 2010-10-20 16:30:22.000000000 -0400
15507 +++ linux-2.6.36.2/arch/x86/kvm/lapic.c 2010-12-09 20:24:55.000000000 -0500
15509 #define APIC_BUS_CYCLE_NS 1
15511 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
15512 -#define apic_debug(fmt, arg...)
15513 +#define apic_debug(fmt, arg...) do {} while (0)
15515 #define APIC_LVT_NUM 6
15516 /* 14 is the version for Xeon and Pentium 8.4.8*/
15517 diff -urNp linux-2.6.36.2/arch/x86/kvm/svm.c linux-2.6.36.2/arch/x86/kvm/svm.c
15518 --- linux-2.6.36.2/arch/x86/kvm/svm.c 2010-12-09 20:53:46.000000000 -0500
15519 +++ linux-2.6.36.2/arch/x86/kvm/svm.c 2010-12-09 20:54:31.000000000 -0500
15520 @@ -2921,7 +2921,11 @@ static void reload_tss(struct kvm_vcpu *
15521 int cpu = raw_smp_processor_id();
15523 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
15525 + pax_open_kernel();
15526 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
15527 + pax_close_kernel();
15532 @@ -3476,7 +3480,7 @@ static void svm_fpu_deactivate(struct kv
15533 update_cr0_intercept(svm);
15536 -static struct kvm_x86_ops svm_x86_ops = {
15537 +static const struct kvm_x86_ops svm_x86_ops = {
15538 .cpu_has_kvm_support = has_svm,
15539 .disabled_by_bios = is_disabled,
15540 .hardware_setup = svm_hardware_setup,
15541 diff -urNp linux-2.6.36.2/arch/x86/kvm/vmx.c linux-2.6.36.2/arch/x86/kvm/vmx.c
15542 --- linux-2.6.36.2/arch/x86/kvm/vmx.c 2010-12-09 20:53:46.000000000 -0500
15543 +++ linux-2.6.36.2/arch/x86/kvm/vmx.c 2010-12-09 20:54:31.000000000 -0500
15544 @@ -711,7 +711,11 @@ static void reload_tss(void)
15546 native_store_gdt(&gdt);
15547 descs = (void *)gdt.address;
15549 + pax_open_kernel();
15550 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
15551 + pax_close_kernel();
15556 @@ -1615,8 +1619,11 @@ static __init int hardware_setup(void)
15557 if (!cpu_has_vmx_flexpriority())
15558 flexpriority_enabled = 0;
15560 - if (!cpu_has_vmx_tpr_shadow())
15561 - kvm_x86_ops->update_cr8_intercept = NULL;
15562 + if (!cpu_has_vmx_tpr_shadow()) {
15563 + pax_open_kernel();
15564 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
15565 + pax_close_kernel();
15568 if (enable_ept && !cpu_has_vmx_ept_2m_page())
15569 kvm_disable_largepages();
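Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a cast to a member of a table that this patch declares `static const` (`vmx_x86_ops`) and reaches through a `const struct kvm_x86_ops *`. Modifying an object defined `const` is undefined behaviour in C, the compiler may assume the member never changes, and the store also puns a function pointer through `void **`. Keeping the table immutable avoids all of this: leave the callback set and have it return early when `!cpu_has_vmx_tpr_shadow()`. If the store has to stay, it should carry a comment that it depends on `pax_open_kernel()` (presumably lifting the write protection) and that callers test the pointer for NULL. hardware_setup() continues outside the hunk.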
15570 @@ -2601,7 +2608,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
15571 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
15573 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
15574 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
15575 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
15576 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
15577 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
15578 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
15579 @@ -3984,6 +3991,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
15580 "jmp .Lkvm_vmx_return \n\t"
15581 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
15582 ".Lkvm_vmx_return: "
15584 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15585 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
15586 + ".Lkvm_vmx_return2: "
15589 /* Save guest registers, load host registers, keep flags */
15590 "xchg %0, (%%"R"sp) \n\t"
15591 "mov %%"R"ax, %c[rax](%0) \n\t"
15592 @@ -4030,8 +4043,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
15593 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
15595 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
15597 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15598 + ,[cs]"i"(__KERNEL_CS)
15602 - , R"bx", R"di", R"si"
15603 + , R"ax", R"bx", R"di", R"si"
15604 #ifdef CONFIG_X86_64
15605 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
15607 @@ -4045,7 +4063,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
15608 if (vmx->rmode.irq.pending)
15609 fixup_rmode_irq(vmx);
15611 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15612 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
15615 vmx_complete_interrupts(vmx);
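Review bot: The segment reload after VM exit changes selector from `__USER_DS` to `__KERNEL_DS` and gains `mov %0, %%ss`, with no comment explaining either change. Loading `%ss` is unusual enough in C-level code that the next reader will want to know what state the exit leaves in the descriptor caches and why the kernel selector is now the right one. A short comment above the `asm` stating that reason would be enough. vmx_vcpu_run() starts and ends outside the hunk.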
15616 @@ -4279,7 +4297,7 @@ static void vmx_set_supported_cpuid(u32
15620 -static struct kvm_x86_ops vmx_x86_ops = {
15621 +static const struct kvm_x86_ops vmx_x86_ops = {
15622 .cpu_has_kvm_support = cpu_has_kvm_support,
15623 .disabled_by_bios = vmx_disabled_by_bios,
15624 .hardware_setup = hardware_setup,
15625 diff -urNp linux-2.6.36.2/arch/x86/kvm/x86.c linux-2.6.36.2/arch/x86/kvm/x86.c
15626 --- linux-2.6.36.2/arch/x86/kvm/x86.c 2010-12-09 20:53:46.000000000 -0500
15627 +++ linux-2.6.36.2/arch/x86/kvm/x86.c 2010-12-09 20:54:31.000000000 -0500
15628 @@ -90,7 +90,7 @@ static void update_cr8_intercept(struct
15629 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15630 struct kvm_cpuid_entry2 __user *entries);
15632 -struct kvm_x86_ops *kvm_x86_ops;
15633 +const struct kvm_x86_ops *kvm_x86_ops;
15634 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15636 int ignore_msrs = 0;
15637 @@ -116,38 +116,38 @@ static struct kvm_shared_msrs_global __r
15638 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
15640 struct kvm_stats_debugfs_item debugfs_entries[] = {
15641 - { "pf_fixed", VCPU_STAT(pf_fixed) },
15642 - { "pf_guest", VCPU_STAT(pf_guest) },
15643 - { "tlb_flush", VCPU_STAT(tlb_flush) },
15644 - { "invlpg", VCPU_STAT(invlpg) },
15645 - { "exits", VCPU_STAT(exits) },
15646 - { "io_exits", VCPU_STAT(io_exits) },
15647 - { "mmio_exits", VCPU_STAT(mmio_exits) },
15648 - { "signal_exits", VCPU_STAT(signal_exits) },
15649 - { "irq_window", VCPU_STAT(irq_window_exits) },
15650 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
15651 - { "halt_exits", VCPU_STAT(halt_exits) },
15652 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
15653 - { "hypercalls", VCPU_STAT(hypercalls) },
15654 - { "request_irq", VCPU_STAT(request_irq_exits) },
15655 - { "irq_exits", VCPU_STAT(irq_exits) },
15656 - { "host_state_reload", VCPU_STAT(host_state_reload) },
15657 - { "efer_reload", VCPU_STAT(efer_reload) },
15658 - { "fpu_reload", VCPU_STAT(fpu_reload) },
15659 - { "insn_emulation", VCPU_STAT(insn_emulation) },
15660 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
15661 - { "irq_injections", VCPU_STAT(irq_injections) },
15662 - { "nmi_injections", VCPU_STAT(nmi_injections) },
15663 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
15664 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
15665 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
15666 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
15667 - { "mmu_flooded", VM_STAT(mmu_flooded) },
15668 - { "mmu_recycled", VM_STAT(mmu_recycled) },
15669 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
15670 - { "mmu_unsync", VM_STAT(mmu_unsync) },
15671 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
15672 - { "largepages", VM_STAT(lpages) },
15673 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
15674 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
15675 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
15676 + { "invlpg", VCPU_STAT(invlpg), NULL },
15677 + { "exits", VCPU_STAT(exits), NULL },
15678 + { "io_exits", VCPU_STAT(io_exits), NULL },
15679 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
15680 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
15681 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
15682 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
15683 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
15684 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
15685 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
15686 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
15687 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
15688 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
15689 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
15690 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
15691 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
15692 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
15693 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
15694 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
15695 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
15696 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
15697 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
15698 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
15699 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
15700 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
15701 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
15702 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
15703 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
15704 + { "largepages", VM_STAT(lpages), NULL },
15708 @@ -1740,6 +1740,8 @@ long kvm_arch_dev_ioctl(struct file *fil
15709 if (n < msr_list.nmsrs)
15712 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
15714 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
15715 num_msrs_to_save * sizeof(u32)))
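Review bot: The new `num_msrs_to_save > ARRAY_SIZE(msrs_to_save)` test stops the following `copy_to_user` from reading past `msrs_to_save` into adjacent kernel memory. A count larger than the array is an internal inconsistency rather than a caller error, though, and it is rejected without leaving a trace. The statement taken on failure is missing from this listing; it presumably jumps to the common exit with whatever error `r` already holds. Writing the condition as `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))` would make such a state visible in the log. kvm_arch_dev_ioctl() starts and ends outside the hunk.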
15717 @@ -2197,7 +2199,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
15718 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
15719 struct kvm_interrupt *irq)
15721 - if (irq->irq < 0 || irq->irq >= 256)
15722 + if (irq->irq >= 256)
15724 if (irqchip_in_kernel(vcpu->kvm))
15726 @@ -4220,10 +4222,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
15728 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
15730 -int kvm_arch_init(void *opaque)
15731 +int kvm_arch_init(const void *opaque)
15734 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
15735 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
15738 printk(KERN_ERR "kvm: already loaded the other module\n");
15739 diff -urNp linux-2.6.36.2/arch/x86/lib/atomic64_cx8_32.S linux-2.6.36.2/arch/x86/lib/atomic64_cx8_32.S
15740 --- linux-2.6.36.2/arch/x86/lib/atomic64_cx8_32.S 2010-10-20 16:30:22.000000000 -0400
15741 +++ linux-2.6.36.2/arch/x86/lib/atomic64_cx8_32.S 2010-12-09 20:24:54.000000000 -0500
15742 @@ -86,13 +86,23 @@ ENTRY(atomic64_\func\()_return_cx8)
15744 \ins\()l %esi, %ebx
15745 \insc\()l %edi, %ecx
15747 +#ifdef CONFIG_PAX_REFCOUNT
15750 + _ASM_EXTABLE(2b, 3f)
15761 +#ifdef CONFIG_PAX_REFCOUNT
15768 @@ -116,13 +126,24 @@ ENTRY(atomic64_\func\()_return_cx8)
15773 +#ifdef CONFIG_PAX_REFCOUNT
15776 + _ASM_EXTABLE(2b, 3f)
15787 +#ifdef CONFIG_PAX_REFCOUNT
15794 @@ -176,6 +197,13 @@ ENTRY(atomic64_add_unless_cx8)
15799 +#ifdef CONFIG_PAX_REFCOUNT
15802 + _ASM_EXTABLE(1234b, 1234b)
15808 @@ -208,6 +236,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
15813 +#ifdef CONFIG_PAX_REFCOUNT
15816 + _ASM_EXTABLE(1234b, 1234b)
15822 diff -urNp linux-2.6.36.2/arch/x86/lib/checksum_32.S linux-2.6.36.2/arch/x86/lib/checksum_32.S
15823 --- linux-2.6.36.2/arch/x86/lib/checksum_32.S 2010-10-20 16:30:22.000000000 -0400
15824 +++ linux-2.6.36.2/arch/x86/lib/checksum_32.S 2010-12-09 20:24:54.000000000 -0500
15826 #include <linux/linkage.h>
15827 #include <asm/dwarf2.h>
15828 #include <asm/errno.h>
15830 +#include <asm/segment.h>
15833 * computes a partial checksum, e.g. for TCP/UDP fragments
15835 @@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
15840 -ENTRY(csum_partial_copy_generic)
15842 +ENTRY(csum_partial_copy_generic_to_user)
15844 + pushl $(__USER_DS)
15845 + CFI_ADJUST_CFA_OFFSET 4
15847 + CFI_ADJUST_CFA_OFFSET -4
15848 + jmp csum_partial_copy_generic
15850 +ENTRY(csum_partial_copy_generic_from_user)
15851 + pushl $(__USER_DS)
15852 + CFI_ADJUST_CFA_OFFSET 4
15854 + CFI_ADJUST_CFA_OFFSET -4
15856 +ENTRY(csum_partial_copy_generic)
15858 CFI_ADJUST_CFA_OFFSET 4
15860 @@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
15862 SRC(1: movw (%esi), %bx )
15864 -DST( movw %bx, (%edi) )
15865 +DST( movw %bx, %es:(%edi) )
15869 @@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
15870 SRC(1: movl (%esi), %ebx )
15871 SRC( movl 4(%esi), %edx )
15873 -DST( movl %ebx, (%edi) )
15874 +DST( movl %ebx, %es:(%edi) )
15876 -DST( movl %edx, 4(%edi) )
15877 +DST( movl %edx, %es:4(%edi) )
15879 SRC( movl 8(%esi), %ebx )
15880 SRC( movl 12(%esi), %edx )
15882 -DST( movl %ebx, 8(%edi) )
15883 +DST( movl %ebx, %es:8(%edi) )
15885 -DST( movl %edx, 12(%edi) )
15886 +DST( movl %edx, %es:12(%edi) )
15888 SRC( movl 16(%esi), %ebx )
15889 SRC( movl 20(%esi), %edx )
15891 -DST( movl %ebx, 16(%edi) )
15892 +DST( movl %ebx, %es:16(%edi) )
15894 -DST( movl %edx, 20(%edi) )
15895 +DST( movl %edx, %es:20(%edi) )
15897 SRC( movl 24(%esi), %ebx )
15898 SRC( movl 28(%esi), %edx )
15900 -DST( movl %ebx, 24(%edi) )
15901 +DST( movl %ebx, %es:24(%edi) )
15903 -DST( movl %edx, 28(%edi) )
15904 +DST( movl %edx, %es:28(%edi) )
15908 @@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
15909 shrl $2, %edx # This clears CF
15910 SRC(3: movl (%esi), %ebx )
15912 -DST( movl %ebx, (%edi) )
15913 +DST( movl %ebx, %es:(%edi) )
15917 @@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
15919 SRC( movw (%esi), %cx )
15921 -DST( movw %cx, (%edi) )
15922 +DST( movw %cx, %es:(%edi) )
15926 SRC(5: movb (%esi), %cl )
15927 -DST( movb %cl, (%edi) )
15928 +DST( movb %cl, %es:(%edi) )
15932 @@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
15935 movl ARGBASE+20(%esp), %ebx # src_err_ptr
15936 - movl $-EFAULT, (%ebx)
15937 + movl $-EFAULT, %ss:(%ebx)
15939 # zero the complete destination - computing the rest
15941 @@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
15944 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15945 - movl $-EFAULT,(%ebx)
15946 + movl $-EFAULT,%ss:(%ebx)
15952 + CFI_ADJUST_CFA_OFFSET 4
15954 + CFI_ADJUST_CFA_OFFSET -4
15956 + CFI_ADJUST_CFA_OFFSET 4
15958 + CFI_ADJUST_CFA_OFFSET -4
15960 CFI_ADJUST_CFA_OFFSET -4
15962 @@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
15963 CFI_ADJUST_CFA_OFFSET -4
15966 -ENDPROC(csum_partial_copy_generic)
15967 +ENDPROC(csum_partial_copy_generic_to_user)
15971 /* Version for PentiumII/PPro */
15973 #define ROUND1(x) \
15975 SRC(movl x(%esi), %ebx ) ; \
15976 addl %ebx, %eax ; \
15977 - DST(movl %ebx, x(%edi) ) ;
15978 + DST(movl %ebx, %es:x(%edi)) ;
15982 SRC(movl x(%esi), %ebx ) ; \
15983 adcl %ebx, %eax ; \
15984 - DST(movl %ebx, x(%edi) ) ;
15985 + DST(movl %ebx, %es:x(%edi)) ;
15989 -ENTRY(csum_partial_copy_generic)
15991 +ENTRY(csum_partial_copy_generic_to_user)
15993 + pushl $(__USER_DS)
15994 + CFI_ADJUST_CFA_OFFSET 4
15996 + CFI_ADJUST_CFA_OFFSET -4
15997 + jmp csum_partial_copy_generic
15999 +ENTRY(csum_partial_copy_generic_from_user)
16000 + pushl $(__USER_DS)
16001 + CFI_ADJUST_CFA_OFFSET 4
16003 + CFI_ADJUST_CFA_OFFSET -4
16005 +ENTRY(csum_partial_copy_generic)
16007 CFI_ADJUST_CFA_OFFSET 4
16008 CFI_REL_OFFSET ebx, 0
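Review bot: The only ENDPROC in this hunk is renamed to `csum_partial_copy_generic_to_user`, while `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic` are opened with ENTRY and have no matching ENDPROC in view. The last hunk of this file shows the same rename for the PentiumII/PPro variant. If that is the whole change, the `_to_user` symbol spans all three entry points and the other two get no end annotation of their own. Short lines are missing from this listing, so check against the full patch. If confirmed, add `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` next to the existing one.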
16009 @@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
16013 - lea 3f(%ebx,%ebx), %ebx
16014 + lea 3f(%ebx,%ebx,2), %ebx
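Review bot: The scale change in `lea 3f(%ebx,%ebx,2), %ebx` has no comment, yet it computes an address into the unrolled ROUND sequence. It presumably tracks the byte length of each ROUND now that the DST store carries an `%es:` override. If that factor and the encoded instruction size ever disagree, the computed jump lands in the middle of an instruction. A comment beside the `lea` stating the assumed bytes per ROUND, and that it must be updated together with the ROUND1/ROUND macros, would make the dependency explicit. The surrounding instructions are outside the hunk.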
16018 @@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
16020 SRC( movw (%esi), %dx )
16022 -DST( movw %dx, (%edi) )
16023 +DST( movw %dx, %es:(%edi) )
16028 SRC( movb (%esi), %dl )
16029 -DST( movb %dl, (%edi) )
16030 +DST( movb %dl, %es:(%edi) )
16034 .section .fixup, "ax"
16035 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
16036 - movl $-EFAULT, (%ebx)
16037 + movl $-EFAULT, %ss:(%ebx)
16038 # zero the complete destination (computing the rest is too much work)
16039 movl ARGBASE+8(%esp),%edi # dst
16040 movl ARGBASE+12(%esp),%ecx # len
16041 @@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
16044 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
16045 - movl $-EFAULT, (%ebx)
16046 + movl $-EFAULT, %ss:(%ebx)
16051 + CFI_ADJUST_CFA_OFFSET 4
16053 + CFI_ADJUST_CFA_OFFSET -4
16055 + CFI_ADJUST_CFA_OFFSET 4
16057 + CFI_ADJUST_CFA_OFFSET -4
16059 CFI_ADJUST_CFA_OFFSET -4
16061 @@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
16065 -ENDPROC(csum_partial_copy_generic)
16066 +ENDPROC(csum_partial_copy_generic_to_user)
16070 diff -urNp linux-2.6.36.2/arch/x86/lib/clear_page_64.S linux-2.6.36.2/arch/x86/lib/clear_page_64.S
16071 --- linux-2.6.36.2/arch/x86/lib/clear_page_64.S 2010-10-20 16:30:22.000000000 -0400
16072 +++ linux-2.6.36.2/arch/x86/lib/clear_page_64.S 2010-12-09 20:24:54.000000000 -0500
16073 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
16075 #include <asm/cpufeature.h>
16077 - .section .altinstr_replacement,"ax"
16078 + .section .altinstr_replacement,"a"
16079 1: .byte 0xeb /* jmp <disp8> */
16080 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
16082 diff -urNp linux-2.6.36.2/arch/x86/lib/copy_page_64.S linux-2.6.36.2/arch/x86/lib/copy_page_64.S
16083 --- linux-2.6.36.2/arch/x86/lib/copy_page_64.S 2010-10-20 16:30:22.000000000 -0400
16084 +++ linux-2.6.36.2/arch/x86/lib/copy_page_64.S 2010-12-09 20:24:54.000000000 -0500
16085 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
16087 #include <asm/cpufeature.h>
16089 - .section .altinstr_replacement,"ax"
16090 + .section .altinstr_replacement,"a"
16091 1: .byte 0xeb /* jmp <disp8> */
16092 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
16094 diff -urNp linux-2.6.36.2/arch/x86/lib/copy_user_64.S linux-2.6.36.2/arch/x86/lib/copy_user_64.S
16095 --- linux-2.6.36.2/arch/x86/lib/copy_user_64.S 2010-10-20 16:30:22.000000000 -0400
16096 +++ linux-2.6.36.2/arch/x86/lib/copy_user_64.S 2010-12-09 20:24:54.000000000 -0500
16097 @@ -15,13 +15,14 @@
16098 #include <asm/asm-offsets.h>
16099 #include <asm/thread_info.h>
16100 #include <asm/cpufeature.h>
16101 +#include <asm/pgtable.h>
16103 .macro ALTERNATIVE_JUMP feature,orig,alt
16105 .byte 0xe9 /* 32bit jump */
16106 .long \orig-1f /* by default jump to orig */
16108 - .section .altinstr_replacement,"ax"
16109 + .section .altinstr_replacement,"a"
16110 2: .byte 0xe9 /* near jump with 32bit immediate */
16111 .long \alt-1b /* offset */ /* or alternatively to alt */
16113 @@ -64,37 +65,13 @@
16117 -/* Standard copy_to_user with segment limit checking */
16118 -ENTRY(_copy_to_user)
16120 - GET_THREAD_INFO(%rax)
16124 - cmpq TI_addr_limit(%rax),%rcx
16126 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
16128 -ENDPROC(_copy_to_user)
16130 -/* Standard copy_from_user with segment limit checking */
16131 -ENTRY(_copy_from_user)
16133 - GET_THREAD_INFO(%rax)
16137 - cmpq TI_addr_limit(%rax),%rcx
16138 - jae bad_from_user
16139 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
16141 -ENDPROC(_copy_from_user)
16143 .section .fixup,"ax"
16144 /* must zero dest */
16145 ENTRY(bad_from_user)
16153 diff -urNp linux-2.6.36.2/arch/x86/lib/copy_user_nocache_64.S linux-2.6.36.2/arch/x86/lib/copy_user_nocache_64.S
16154 --- linux-2.6.36.2/arch/x86/lib/copy_user_nocache_64.S 2010-10-20 16:30:22.000000000 -0400
16155 +++ linux-2.6.36.2/arch/x86/lib/copy_user_nocache_64.S 2010-12-09 20:24:54.000000000 -0500
16157 #include <asm/current.h>
16158 #include <asm/asm-offsets.h>
16159 #include <asm/thread_info.h>
16160 +#include <asm/pgtable.h>
16162 .macro ALIGN_DESTINATION
16163 #ifdef FIX_ALIGNMENT
16166 ENTRY(__copy_user_nocache)
16169 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16170 + mov $PAX_USER_SHADOW_BASE,%rcx
16178 jb 20f /* less then 8 bytes, go to byte copy loop */
16180 diff -urNp linux-2.6.36.2/arch/x86/lib/csum-wrappers_64.c linux-2.6.36.2/arch/x86/lib/csum-wrappers_64.c
16181 --- linux-2.6.36.2/arch/x86/lib/csum-wrappers_64.c 2010-10-20 16:30:22.000000000 -0400
16182 +++ linux-2.6.36.2/arch/x86/lib/csum-wrappers_64.c 2010-12-09 20:24:54.000000000 -0500
16183 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
16187 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
16188 + src += PAX_USER_SHADOW_BASE;
16189 isum = csum_partial_copy_generic((__force const void *)src,
16190 dst, len, isum, errp, NULL);
16191 if (unlikely(*errp))
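Review bot: The added `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is not under `#ifdef CONFIG_PAX_MEMORY_UDEREF`, unlike the same adjustment this patch adds in getuser.S and copy_user_nocache_64.S. The hunk header counts exactly two added lines, so no guard was lost in the listing. Unless `PAX_USER_SHADOW_BASE` is defined harmlessly for every configuration, which cannot be seen here, this either fails to build or rebases user pointers with the feature off. The next hunk does the same to `dst` in csum_partial_copy_to_user. Wrapping both pairs in `#ifdef CONFIG_PAX_MEMORY_UDEREF` / `#endif` would match the rest of the patch.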
16192 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
16196 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
16197 + dst += PAX_USER_SHADOW_BASE;
16198 return csum_partial_copy_generic(src, (void __force *)dst,
16199 len, isum, NULL, errp);
16201 diff -urNp linux-2.6.36.2/arch/x86/lib/getuser.S linux-2.6.36.2/arch/x86/lib/getuser.S
16202 --- linux-2.6.36.2/arch/x86/lib/getuser.S 2010-10-20 16:30:22.000000000 -0400
16203 +++ linux-2.6.36.2/arch/x86/lib/getuser.S 2010-12-09 20:24:54.000000000 -0500
16204 @@ -33,14 +33,38 @@
16205 #include <asm/asm-offsets.h>
16206 #include <asm/thread_info.h>
16207 #include <asm/asm.h>
16208 +#include <asm/segment.h>
16209 +#include <asm/pgtable.h>
16212 ENTRY(__get_user_1)
16215 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16216 + pushl $(__USER_DS)
16219 GET_THREAD_INFO(%_ASM_DX)
16220 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16223 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16224 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16225 + cmp %_ASM_DX,%_ASM_AX
16227 + add %_ASM_DX,%_ASM_AX
16233 1: movzb (%_ASM_AX),%edx
16235 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
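Review bot: The UDEREF sequence added here (`mov $PAX_USER_SHADOW_BASE,%_ASM_DX`, `cmp %_ASM_DX,%_ASM_AX`, `add %_ASM_DX,%_ASM_AX`, plus the 32-bit `pushl $(__USER_DS)` prologue) is repeated almost verbatim in the hunks for `__get_user_2`, `__get_user_4` and `__get_user_8`. Four hand-copied versions of an address-rebasing check are easy to let drift apart, and a drift here weakens the user/kernel pointer separation for one access size only. A single assembler macro defined once at the top of the file and invoked in each entry point would keep them identical. Several short lines of these hunks are missing from this listing, so the exact branch between `cmp` and `add` could not be reviewed.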
16243 @@ -49,11 +73,33 @@ ENDPROC(__get_user_1)
16244 ENTRY(__get_user_2)
16248 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16249 + pushl $(__USER_DS)
16253 GET_THREAD_INFO(%_ASM_DX)
16254 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16257 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16258 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16259 + cmp %_ASM_DX,%_ASM_AX
16261 + add %_ASM_DX,%_ASM_AX
16267 2: movzwl -1(%_ASM_AX),%edx
16269 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16277 @@ -62,11 +108,33 @@ ENDPROC(__get_user_2)
16278 ENTRY(__get_user_4)
16282 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16283 + pushl $(__USER_DS)
16287 GET_THREAD_INFO(%_ASM_DX)
16288 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16291 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16292 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16293 + cmp %_ASM_DX,%_ASM_AX
16295 + add %_ASM_DX,%_ASM_AX
16301 3: mov -3(%_ASM_AX),%edx
16303 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16311 @@ -80,6 +148,15 @@ ENTRY(__get_user_8)
16312 GET_THREAD_INFO(%_ASM_DX)
16313 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16316 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16317 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16318 + cmp %_ASM_DX,%_ASM_AX
16320 + add %_ASM_DX,%_ASM_AX
16324 4: movq -7(%_ASM_AX),%_ASM_DX
16327 @@ -89,6 +166,12 @@ ENDPROC(__get_user_8)
16332 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16338 mov $(-EFAULT),%_ASM_AX
16340 diff -urNp linux-2.6.36.2/arch/x86/lib/insn.c linux-2.6.36.2/arch/x86/lib/insn.c
16341 --- linux-2.6.36.2/arch/x86/lib/insn.c 2010-10-20 16:30:22.000000000 -0400
16342 +++ linux-2.6.36.2/arch/x86/lib/insn.c 2010-12-09 20:24:54.000000000 -0500
16344 #include <linux/string.h>
16345 #include <asm/inat.h>
16346 #include <asm/insn.h>
16347 +#include <asm/pgtable_types.h>
16349 #define get_next(t, insn) \
16350 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
16352 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
16354 memset(insn, 0, sizeof(*insn));
16355 - insn->kaddr = kaddr;
16356 - insn->next_byte = kaddr;
16357 + insn->kaddr = ktla_ktva(kaddr);
16358 + insn->next_byte = ktla_ktva(kaddr);
16359 insn->x86_64 = x86_64 ? 1 : 0;
16360 insn->opnd_bytes = 4;
16362 diff -urNp linux-2.6.36.2/arch/x86/lib/mmx_32.c linux-2.6.36.2/arch/x86/lib/mmx_32.c
16363 --- linux-2.6.36.2/arch/x86/lib/mmx_32.c 2010-10-20 16:30:22.000000000 -0400
16364 +++ linux-2.6.36.2/arch/x86/lib/mmx_32.c 2010-12-09 20:24:54.000000000 -0500
16365 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
16369 + unsigned long cr0;
16371 if (unlikely(in_interrupt()))
16372 return __memcpy(to, from, len);
16373 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
16374 kernel_fpu_begin();
16376 __asm__ __volatile__ (
16377 - "1: prefetch (%0)\n" /* This set is 28 bytes */
16378 - " prefetch 64(%0)\n"
16379 - " prefetch 128(%0)\n"
16380 - " prefetch 192(%0)\n"
16381 - " prefetch 256(%0)\n"
16382 + "1: prefetch (%1)\n" /* This set is 28 bytes */
16383 + " prefetch 64(%1)\n"
16384 + " prefetch 128(%1)\n"
16385 + " prefetch 192(%1)\n"
16386 + " prefetch 256(%1)\n"
16388 ".section .fixup, \"ax\"\n"
16389 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16392 +#ifdef CONFIG_PAX_KERNEXEC
16393 + " movl %%cr0, %0\n"
16394 + " movl %0, %%eax\n"
16395 + " andl $0xFFFEFFFF, %%eax\n"
16396 + " movl %%eax, %%cr0\n"
16399 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16401 +#ifdef CONFIG_PAX_KERNEXEC
16402 + " movl %0, %%cr0\n"
16407 _ASM_EXTABLE(1b, 3b)
16409 + : "=&r" (cr0) : "r" (from) : "ax");
16411 for ( ; i > 5; i--) {
16412 __asm__ __volatile__ (
16413 - "1: prefetch 320(%0)\n"
16414 - "2: movq (%0), %%mm0\n"
16415 - " movq 8(%0), %%mm1\n"
16416 - " movq 16(%0), %%mm2\n"
16417 - " movq 24(%0), %%mm3\n"
16418 - " movq %%mm0, (%1)\n"
16419 - " movq %%mm1, 8(%1)\n"
16420 - " movq %%mm2, 16(%1)\n"
16421 - " movq %%mm3, 24(%1)\n"
16422 - " movq 32(%0), %%mm0\n"
16423 - " movq 40(%0), %%mm1\n"
16424 - " movq 48(%0), %%mm2\n"
16425 - " movq 56(%0), %%mm3\n"
16426 - " movq %%mm0, 32(%1)\n"
16427 - " movq %%mm1, 40(%1)\n"
16428 - " movq %%mm2, 48(%1)\n"
16429 - " movq %%mm3, 56(%1)\n"
16430 + "1: prefetch 320(%1)\n"
16431 + "2: movq (%1), %%mm0\n"
16432 + " movq 8(%1), %%mm1\n"
16433 + " movq 16(%1), %%mm2\n"
16434 + " movq 24(%1), %%mm3\n"
16435 + " movq %%mm0, (%2)\n"
16436 + " movq %%mm1, 8(%2)\n"
16437 + " movq %%mm2, 16(%2)\n"
16438 + " movq %%mm3, 24(%2)\n"
16439 + " movq 32(%1), %%mm0\n"
16440 + " movq 40(%1), %%mm1\n"
16441 + " movq 48(%1), %%mm2\n"
16442 + " movq 56(%1), %%mm3\n"
16443 + " movq %%mm0, 32(%2)\n"
16444 + " movq %%mm1, 40(%2)\n"
16445 + " movq %%mm2, 48(%2)\n"
16446 + " movq %%mm3, 56(%2)\n"
16447 ".section .fixup, \"ax\"\n"
16448 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16451 +#ifdef CONFIG_PAX_KERNEXEC
16452 + " movl %%cr0, %0\n"
16453 + " movl %0, %%eax\n"
16454 + " andl $0xFFFEFFFF, %%eax\n"
16455 + " movl %%eax, %%cr0\n"
16458 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16460 +#ifdef CONFIG_PAX_KERNEXEC
16461 + " movl %0, %%cr0\n"
16466 _ASM_EXTABLE(1b, 3b)
16467 - : : "r" (from), "r" (to) : "memory");
16468 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
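Review bot: The KERNEXEC fixup path clears a CR0 bit with the bare mask `0xFFFEFFFF` so that the `movw` can patch the instruction at label 1, then writes the saved value back. The constant should be documented as clearing CR0.WP (bit 16), e.g. `/* ~X86_CR0_WP: permit the write to read-only kernel text */`. The same open-coded save/clear/patch/restore sequence appears twice in this hunk and four more times in the two `fast_copy_page` hunks below, so one shared string macro would keep the write-protect window identical and auditable at all six sites. Nothing visible here masks interrupts while WP is off, so the comment should also state what bounds that window. Some lines of the asm are missing from this listing.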
16472 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
16473 static void fast_copy_page(void *to, void *from)
16476 + unsigned long cr0;
16478 kernel_fpu_begin();
16480 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
16481 * but that is for later. -AV
16483 __asm__ __volatile__(
16484 - "1: prefetch (%0)\n"
16485 - " prefetch 64(%0)\n"
16486 - " prefetch 128(%0)\n"
16487 - " prefetch 192(%0)\n"
16488 - " prefetch 256(%0)\n"
16489 + "1: prefetch (%1)\n"
16490 + " prefetch 64(%1)\n"
16491 + " prefetch 128(%1)\n"
16492 + " prefetch 192(%1)\n"
16493 + " prefetch 256(%1)\n"
16495 ".section .fixup, \"ax\"\n"
16496 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16499 +#ifdef CONFIG_PAX_KERNEXEC
16500 + " movl %%cr0, %0\n"
16501 + " movl %0, %%eax\n"
16502 + " andl $0xFFFEFFFF, %%eax\n"
16503 + " movl %%eax, %%cr0\n"
16506 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16508 +#ifdef CONFIG_PAX_KERNEXEC
16509 + " movl %0, %%cr0\n"
16514 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16515 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16517 for (i = 0; i < (4096-320)/64; i++) {
16518 __asm__ __volatile__ (
16519 - "1: prefetch 320(%0)\n"
16520 - "2: movq (%0), %%mm0\n"
16521 - " movntq %%mm0, (%1)\n"
16522 - " movq 8(%0), %%mm1\n"
16523 - " movntq %%mm1, 8(%1)\n"
16524 - " movq 16(%0), %%mm2\n"
16525 - " movntq %%mm2, 16(%1)\n"
16526 - " movq 24(%0), %%mm3\n"
16527 - " movntq %%mm3, 24(%1)\n"
16528 - " movq 32(%0), %%mm4\n"
16529 - " movntq %%mm4, 32(%1)\n"
16530 - " movq 40(%0), %%mm5\n"
16531 - " movntq %%mm5, 40(%1)\n"
16532 - " movq 48(%0), %%mm6\n"
16533 - " movntq %%mm6, 48(%1)\n"
16534 - " movq 56(%0), %%mm7\n"
16535 - " movntq %%mm7, 56(%1)\n"
16536 + "1: prefetch 320(%1)\n"
16537 + "2: movq (%1), %%mm0\n"
16538 + " movntq %%mm0, (%2)\n"
16539 + " movq 8(%1), %%mm1\n"
16540 + " movntq %%mm1, 8(%2)\n"
16541 + " movq 16(%1), %%mm2\n"
16542 + " movntq %%mm2, 16(%2)\n"
16543 + " movq 24(%1), %%mm3\n"
16544 + " movntq %%mm3, 24(%2)\n"
16545 + " movq 32(%1), %%mm4\n"
16546 + " movntq %%mm4, 32(%2)\n"
16547 + " movq 40(%1), %%mm5\n"
16548 + " movntq %%mm5, 40(%2)\n"
16549 + " movq 48(%1), %%mm6\n"
16550 + " movntq %%mm6, 48(%2)\n"
16551 + " movq 56(%1), %%mm7\n"
16552 + " movntq %%mm7, 56(%2)\n"
16553 ".section .fixup, \"ax\"\n"
16554 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16557 +#ifdef CONFIG_PAX_KERNEXEC
16558 + " movl %%cr0, %0\n"
16559 + " movl %0, %%eax\n"
16560 + " andl $0xFFFEFFFF, %%eax\n"
16561 + " movl %%eax, %%cr0\n"
16564 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16566 +#ifdef CONFIG_PAX_KERNEXEC
16567 + " movl %0, %%cr0\n"
16572 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
16573 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16577 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
16578 static void fast_copy_page(void *to, void *from)
16581 + unsigned long cr0;
16583 kernel_fpu_begin();
16585 __asm__ __volatile__ (
16586 - "1: prefetch (%0)\n"
16587 - " prefetch 64(%0)\n"
16588 - " prefetch 128(%0)\n"
16589 - " prefetch 192(%0)\n"
16590 - " prefetch 256(%0)\n"
16591 + "1: prefetch (%1)\n"
16592 + " prefetch 64(%1)\n"
16593 + " prefetch 128(%1)\n"
16594 + " prefetch 192(%1)\n"
16595 + " prefetch 256(%1)\n"
16597 ".section .fixup, \"ax\"\n"
16598 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16601 +#ifdef CONFIG_PAX_KERNEXEC
16602 + " movl %%cr0, %0\n"
16603 + " movl %0, %%eax\n"
16604 + " andl $0xFFFEFFFF, %%eax\n"
16605 + " movl %%eax, %%cr0\n"
16608 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16610 +#ifdef CONFIG_PAX_KERNEXEC
16611 + " movl %0, %%cr0\n"
16616 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16617 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16619 for (i = 0; i < 4096/64; i++) {
16620 __asm__ __volatile__ (
16621 - "1: prefetch 320(%0)\n"
16622 - "2: movq (%0), %%mm0\n"
16623 - " movq 8(%0), %%mm1\n"
16624 - " movq 16(%0), %%mm2\n"
16625 - " movq 24(%0), %%mm3\n"
16626 - " movq %%mm0, (%1)\n"
16627 - " movq %%mm1, 8(%1)\n"
16628 - " movq %%mm2, 16(%1)\n"
16629 - " movq %%mm3, 24(%1)\n"
16630 - " movq 32(%0), %%mm0\n"
16631 - " movq 40(%0), %%mm1\n"
16632 - " movq 48(%0), %%mm2\n"
16633 - " movq 56(%0), %%mm3\n"
16634 - " movq %%mm0, 32(%1)\n"
16635 - " movq %%mm1, 40(%1)\n"
16636 - " movq %%mm2, 48(%1)\n"
16637 - " movq %%mm3, 56(%1)\n"
16638 + "1: prefetch 320(%1)\n"
16639 + "2: movq (%1), %%mm0\n"
16640 + " movq 8(%1), %%mm1\n"
16641 + " movq 16(%1), %%mm2\n"
16642 + " movq 24(%1), %%mm3\n"
16643 + " movq %%mm0, (%2)\n"
16644 + " movq %%mm1, 8(%2)\n"
16645 + " movq %%mm2, 16(%2)\n"
16646 + " movq %%mm3, 24(%2)\n"
16647 + " movq 32(%1), %%mm0\n"
16648 + " movq 40(%1), %%mm1\n"
16649 + " movq 48(%1), %%mm2\n"
16650 + " movq 56(%1), %%mm3\n"
16651 + " movq %%mm0, 32(%2)\n"
16652 + " movq %%mm1, 40(%2)\n"
16653 + " movq %%mm2, 48(%2)\n"
16654 + " movq %%mm3, 56(%2)\n"
16655 ".section .fixup, \"ax\"\n"
16656 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16659 +#ifdef CONFIG_PAX_KERNEXEC
16660 + " movl %%cr0, %0\n"
16661 + " movl %0, %%eax\n"
16662 + " andl $0xFFFEFFFF, %%eax\n"
16663 + " movl %%eax, %%cr0\n"
16666 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16668 +#ifdef CONFIG_PAX_KERNEXEC
16669 + " movl %0, %%cr0\n"
16674 _ASM_EXTABLE(1b, 3b)
16675 - : : "r" (from), "r" (to) : "memory");
16676 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16680 diff -urNp linux-2.6.36.2/arch/x86/lib/putuser.S linux-2.6.36.2/arch/x86/lib/putuser.S
16681 --- linux-2.6.36.2/arch/x86/lib/putuser.S 2010-10-20 16:30:22.000000000 -0400
16682 +++ linux-2.6.36.2/arch/x86/lib/putuser.S 2010-12-09 20:24:54.000000000 -0500
16684 #include <asm/thread_info.h>
16685 #include <asm/errno.h>
16686 #include <asm/asm.h>
16688 +#include <asm/segment.h>
16689 +#include <asm/pgtable.h>
16693 @@ -29,59 +30,162 @@
16694 * as they get called from within inline assembly.
16697 -#define ENTER CFI_STARTPROC ; \
16698 - GET_THREAD_INFO(%_ASM_BX)
16699 +#define ENTER CFI_STARTPROC
16700 #define EXIT ret ; \
16703 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16704 +#define _DEST %_ASM_CX,%_ASM_BX
16706 +#define _DEST %_ASM_CX
16710 ENTRY(__put_user_1)
16713 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16714 + pushl $(__USER_DS)
16717 + GET_THREAD_INFO(%_ASM_BX)
16718 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
16720 -1: movb %al,(%_ASM_CX)
16722 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16723 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16724 + cmp %_ASM_BX,%_ASM_CX
16732 +1: movb %al,(_DEST)
16734 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16741 ENDPROC(__put_user_1)
16743 ENTRY(__put_user_2)
16746 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16747 + pushl $(__USER_DS)
16750 + GET_THREAD_INFO(%_ASM_BX)
16751 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16753 cmp %_ASM_BX,%_ASM_CX
16755 -2: movw %ax,(%_ASM_CX)
16757 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16758 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16759 + cmp %_ASM_BX,%_ASM_CX
16767 +2: movw %ax,(_DEST)
16769 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16776 ENDPROC(__put_user_2)
16778 ENTRY(__put_user_4)
16781 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16782 + pushl $(__USER_DS)
16785 + GET_THREAD_INFO(%_ASM_BX)
16786 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16788 cmp %_ASM_BX,%_ASM_CX
16790 -3: movl %eax,(%_ASM_CX)
16792 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16793 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16794 + cmp %_ASM_BX,%_ASM_CX
16802 +3: movl %eax,(_DEST)
16804 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16811 ENDPROC(__put_user_4)
16813 ENTRY(__put_user_8)
16816 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16817 + pushl $(__USER_DS)
16820 + GET_THREAD_INFO(%_ASM_BX)
16821 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16823 cmp %_ASM_BX,%_ASM_CX
16825 -4: mov %_ASM_AX,(%_ASM_CX)
16827 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16828 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16829 + cmp %_ASM_BX,%_ASM_CX
16837 +4: mov %_ASM_AX,(_DEST)
16838 #ifdef CONFIG_X86_32
16839 -5: movl %edx,4(%_ASM_CX)
16840 +5: movl %edx,4(_DEST)
16843 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16850 ENDPROC(__put_user_8)
16855 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
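Review bot: `_DEST` expands to `%_ASM_CX,%_ASM_BX` under 64-bit UDEREF, which turns every store at labels 1–4 into a base-plus-index access whose target depends on %_ASM_BX holding exactly the intended offset. The lines that set %_ASM_BX between the `cmp` against `PAX_USER_SHADOW_BASE` and each store are not visible in this listing, so this cannot be checked here. A comment on the macro, e.g. `/* %_ASM_BX is the index register: presumably the shadow base or 0, set just before the store */`, would state the invariant once it is confirmed. `GET_THREAD_INFO` has also moved out of `ENTER` into each entry point, after the `pushl $(__USER_DS)`; a short note on `ENTER` explaining that ordering would help the next reader.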
16863 diff -urNp linux-2.6.36.2/arch/x86/lib/usercopy_32.c linux-2.6.36.2/arch/x86/lib/usercopy_32.c
16864 --- linux-2.6.36.2/arch/x86/lib/usercopy_32.c 2010-10-20 16:30:22.000000000 -0400
16865 +++ linux-2.6.36.2/arch/x86/lib/usercopy_32.c 2010-12-09 20:24:54.000000000 -0500
16866 @@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
16867 * Copy a null terminated string from userspace.
16870 -#define __do_strncpy_from_user(dst, src, count, res) \
16872 - int __d0, __d1, __d2; \
16874 - __asm__ __volatile__( \
16875 - " testl %1,%1\n" \
16879 - " testb %%al,%%al\n" \
16883 - "1: subl %1,%0\n" \
16885 - ".section .fixup,\"ax\"\n" \
16886 - "3: movl %5,%0\n" \
16889 - _ASM_EXTABLE(0b,3b) \
16890 - : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
16892 - : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
16895 +static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
16897 + int __d0, __d1, __d2;
16898 + long res = -EFAULT;
16901 + __asm__ __volatile__(
16902 + " movw %w10,%%ds\n"
16907 + " testb %%al,%%al\n"
16911 + "1: subl %1,%0\n"
16915 + ".section .fixup,\"ax\"\n"
16916 + "3: movl %5,%0\n"
16919 + _ASM_EXTABLE(0b,3b)
16920 + : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
16922 + : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
16929 * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
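Review bot: The segment selector is referenced positionally as `%w10`, so the asm depends on the selector input staying the eleventh operand. That input is presumably the `"r"(__USER_DS)` seen in the later hunks, which use `%w6` and `%w8` for the same purpose; its line is missing here. A named operand, `[seg] "r"(__USER_DS)` referenced as `%w[seg]`, would survive any edit to the constraint lists. Separately, `long res = -EFAULT;` looks like a dead initialiser, because `res` is the write-only output `"=&d"(res)` and the fault value comes from the `"i"(-EFAULT)` operand in the fixup. Several lines of the function, including whatever restores %ds, are missing from this listing and should be checked in the full patch.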
16930 @@ -85,9 +92,7 @@ do { \
16932 __strncpy_from_user(char *dst, const char __user *src, long count)
16935 - __do_strncpy_from_user(dst, src, count, res);
16937 + return __do_strncpy_from_user(dst, src, count);
16939 EXPORT_SYMBOL(__strncpy_from_user);
16941 @@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char
16943 long res = -EFAULT;
16944 if (access_ok(VERIFY_READ, src, 1))
16945 - __do_strncpy_from_user(dst, src, count, res);
16946 + res = __do_strncpy_from_user(dst, src, count);
16949 EXPORT_SYMBOL(strncpy_from_user);
16950 @@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
16954 -#define __do_clear_user(addr,size) \
16958 - __asm__ __volatile__( \
16959 - "0: rep; stosl\n" \
16960 - " movl %2,%0\n" \
16961 - "1: rep; stosb\n" \
16963 - ".section .fixup,\"ax\"\n" \
16964 - "3: lea 0(%2,%0,4),%0\n" \
16967 - _ASM_EXTABLE(0b,3b) \
16968 - _ASM_EXTABLE(1b,2b) \
16969 - : "=&c"(size), "=&D" (__d0) \
16970 - : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
16972 +static unsigned long __do_clear_user(void __user *addr, unsigned long size)
16977 + __asm__ __volatile__(
16978 + " movw %w6,%%es\n"
16979 + "0: rep; stosl\n"
16981 + "1: rep; stosb\n"
16985 + ".section .fixup,\"ax\"\n"
16986 + "3: lea 0(%2,%0,4),%0\n"
16989 + _ASM_EXTABLE(0b,3b)
16990 + _ASM_EXTABLE(1b,2b)
16991 + : "=&c"(size), "=&D" (__d0)
16992 + : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
16998 * clear_user: - Zero a block of memory in user space.
16999 @@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
17002 if (access_ok(VERIFY_WRITE, to, n))
17003 - __do_clear_user(to, n);
17004 + n = __do_clear_user(to, n);
17007 EXPORT_SYMBOL(clear_user);
17008 @@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
17010 __clear_user(void __user *to, unsigned long n)
17012 - __do_clear_user(to, n);
17014 + return __do_clear_user(to, n);
17016 EXPORT_SYMBOL(__clear_user);
17018 @@ -200,14 +210,17 @@ long strnlen_user(const char __user *s,
17021 __asm__ __volatile__(
17022 + " movw %w8,%%es\n"
17025 - " andl %0,%%ecx\n"
17026 + " movl %0,%%ecx\n"
17027 "0: repne; scasb\n"
17034 ".section .fixup,\"ax\"\n"
17035 "2: xorl %%eax,%%eax\n"
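Review bot: Replacing `andl %0,%%ecx` with `movl %0,%%ecx` means the scan count no longer depends on the value preloaded into %ecx, which per the constraint list in the next hunk is still `"3" (mask)`. If `mask` encodes the result of the address-range check (its definition is outside the hunk), `repne; scasb` now runs over the full `n` bytes even when that check failed, leaving the %es selector load as the only thing rejecting the access. That is safe only if the selector loaded into %es is limited to userland in every configuration this code is built for. Either keep the `andl` or add a comment such as `/* range is enforced by the %es limit; mask only filters the result */` so the dependency is explicit.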
17037 @@ -219,7 +232,7 @@ long strnlen_user(const char __user *s,
17040 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
17041 - :"0" (n), "1" (s), "2" (0), "3" (mask)
17042 + :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
17046 @@ -227,10 +240,121 @@ EXPORT_SYMBOL(strnlen_user);
17048 #ifdef CONFIG_X86_INTEL_USERCOPY
17049 static unsigned long
17050 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
17051 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
17054 + __asm__ __volatile__(
17055 + " movw %w6, %%es\n"
17056 + " .align 2,0x90\n"
17057 + "1: movl 32(%4), %%eax\n"
17058 + " cmpl $67, %0\n"
17060 + "2: movl 64(%4), %%eax\n"
17061 + " .align 2,0x90\n"
17062 + "3: movl 0(%4), %%eax\n"
17063 + "4: movl 4(%4), %%edx\n"
17064 + "5: movl %%eax, %%es:0(%3)\n"
17065 + "6: movl %%edx, %%es:4(%3)\n"
17066 + "7: movl 8(%4), %%eax\n"
17067 + "8: movl 12(%4),%%edx\n"
17068 + "9: movl %%eax, %%es:8(%3)\n"
17069 + "10: movl %%edx, %%es:12(%3)\n"
17070 + "11: movl 16(%4), %%eax\n"
17071 + "12: movl 20(%4), %%edx\n"
17072 + "13: movl %%eax, %%es:16(%3)\n"
17073 + "14: movl %%edx, %%es:20(%3)\n"
17074 + "15: movl 24(%4), %%eax\n"
17075 + "16: movl 28(%4), %%edx\n"
17076 + "17: movl %%eax, %%es:24(%3)\n"
17077 + "18: movl %%edx, %%es:28(%3)\n"
17078 + "19: movl 32(%4), %%eax\n"
17079 + "20: movl 36(%4), %%edx\n"
17080 + "21: movl %%eax, %%es:32(%3)\n"
17081 + "22: movl %%edx, %%es:36(%3)\n"
17082 + "23: movl 40(%4), %%eax\n"
17083 + "24: movl 44(%4), %%edx\n"
17084 + "25: movl %%eax, %%es:40(%3)\n"
17085 + "26: movl %%edx, %%es:44(%3)\n"
17086 + "27: movl 48(%4), %%eax\n"
17087 + "28: movl 52(%4), %%edx\n"
17088 + "29: movl %%eax, %%es:48(%3)\n"
17089 + "30: movl %%edx, %%es:52(%3)\n"
17090 + "31: movl 56(%4), %%eax\n"
17091 + "32: movl 60(%4), %%edx\n"
17092 + "33: movl %%eax, %%es:56(%3)\n"
17093 + "34: movl %%edx, %%es:60(%3)\n"
17094 + " addl $-64, %0\n"
17095 + " addl $64, %4\n"
17096 + " addl $64, %3\n"
17097 + " cmpl $63, %0\n"
17099 + "35: movl %0, %%eax\n"
17101 + " andl $3, %%eax\n"
17103 + "99: rep; movsl\n"
17104 + "36: movl %%eax, %0\n"
17105 + "37: rep; movsb\n"
17109 + ".section .fixup,\"ax\"\n"
17110 + "101: lea 0(%%eax,%0,4),%0\n"
17113 + ".section __ex_table,\"a\"\n"
17115 + " .long 1b,100b\n"
17116 + " .long 2b,100b\n"
17117 + " .long 3b,100b\n"
17118 + " .long 4b,100b\n"
17119 + " .long 5b,100b\n"
17120 + " .long 6b,100b\n"
17121 + " .long 7b,100b\n"
17122 + " .long 8b,100b\n"
17123 + " .long 9b,100b\n"
17124 + " .long 10b,100b\n"
17125 + " .long 11b,100b\n"
17126 + " .long 12b,100b\n"
17127 + " .long 13b,100b\n"
17128 + " .long 14b,100b\n"
17129 + " .long 15b,100b\n"
17130 + " .long 16b,100b\n"
17131 + " .long 17b,100b\n"
17132 + " .long 18b,100b\n"
17133 + " .long 19b,100b\n"
17134 + " .long 20b,100b\n"
17135 + " .long 21b,100b\n"
17136 + " .long 22b,100b\n"
17137 + " .long 23b,100b\n"
17138 + " .long 24b,100b\n"
17139 + " .long 25b,100b\n"
17140 + " .long 26b,100b\n"
17141 + " .long 27b,100b\n"
17142 + " .long 28b,100b\n"
17143 + " .long 29b,100b\n"
17144 + " .long 30b,100b\n"
17145 + " .long 31b,100b\n"
17146 + " .long 32b,100b\n"
17147 + " .long 33b,100b\n"
17148 + " .long 34b,100b\n"
17149 + " .long 35b,100b\n"
17150 + " .long 36b,100b\n"
17151 + " .long 37b,100b\n"
17152 + " .long 99b,101b\n"
17154 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
17155 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
17156 + : "eax", "edx", "memory");
17160 +static unsigned long
17161 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
17164 __asm__ __volatile__(
17165 + " movw %w6, %%ds\n"
17167 "1: movl 32(%4), %%eax\n"
17169 @@ -239,36 +363,36 @@ __copy_user_intel(void __user *to, const
17171 "3: movl 0(%4), %%eax\n"
17172 "4: movl 4(%4), %%edx\n"
17173 - "5: movl %%eax, 0(%3)\n"
17174 - "6: movl %%edx, 4(%3)\n"
17175 + "5: movl %%eax, %%es:0(%3)\n"
17176 + "6: movl %%edx, %%es:4(%3)\n"
17177 "7: movl 8(%4), %%eax\n"
17178 "8: movl 12(%4),%%edx\n"
17179 - "9: movl %%eax, 8(%3)\n"
17180 - "10: movl %%edx, 12(%3)\n"
17181 + "9: movl %%eax, %%es:8(%3)\n"
17182 + "10: movl %%edx, %%es:12(%3)\n"
17183 "11: movl 16(%4), %%eax\n"
17184 "12: movl 20(%4), %%edx\n"
17185 - "13: movl %%eax, 16(%3)\n"
17186 - "14: movl %%edx, 20(%3)\n"
17187 + "13: movl %%eax, %%es:16(%3)\n"
17188 + "14: movl %%edx, %%es:20(%3)\n"
17189 "15: movl 24(%4), %%eax\n"
17190 "16: movl 28(%4), %%edx\n"
17191 - "17: movl %%eax, 24(%3)\n"
17192 - "18: movl %%edx, 28(%3)\n"
17193 + "17: movl %%eax, %%es:24(%3)\n"
17194 + "18: movl %%edx, %%es:28(%3)\n"
17195 "19: movl 32(%4), %%eax\n"
17196 "20: movl 36(%4), %%edx\n"
17197 - "21: movl %%eax, 32(%3)\n"
17198 - "22: movl %%edx, 36(%3)\n"
17199 + "21: movl %%eax, %%es:32(%3)\n"
17200 + "22: movl %%edx, %%es:36(%3)\n"
17201 "23: movl 40(%4), %%eax\n"
17202 "24: movl 44(%4), %%edx\n"
17203 - "25: movl %%eax, 40(%3)\n"
17204 - "26: movl %%edx, 44(%3)\n"
17205 + "25: movl %%eax, %%es:40(%3)\n"
17206 + "26: movl %%edx, %%es:44(%3)\n"
17207 "27: movl 48(%4), %%eax\n"
17208 "28: movl 52(%4), %%edx\n"
17209 - "29: movl %%eax, 48(%3)\n"
17210 - "30: movl %%edx, 52(%3)\n"
17211 + "29: movl %%eax, %%es:48(%3)\n"
17212 + "30: movl %%edx, %%es:52(%3)\n"
17213 "31: movl 56(%4), %%eax\n"
17214 "32: movl 60(%4), %%edx\n"
17215 - "33: movl %%eax, 56(%3)\n"
17216 - "34: movl %%edx, 60(%3)\n"
17217 + "33: movl %%eax, %%es:56(%3)\n"
17218 + "34: movl %%edx, %%es:60(%3)\n"
17222 @@ -282,6 +406,8 @@ __copy_user_intel(void __user *to, const
17223 "36: movl %%eax, %0\n"
17228 ".section .fixup,\"ax\"\n"
17229 "101: lea 0(%%eax,%0,4),%0\n"
17231 @@ -328,7 +454,7 @@ __copy_user_intel(void __user *to, const
17232 " .long 99b,101b\n"
17234 : "=&c"(size), "=&D" (d0), "=&S" (d1)
17235 - : "1"(to), "2"(from), "0"(size)
17236 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
17237 : "eax", "edx", "memory");
17240 @@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
17243 __asm__ __volatile__(
17244 + " movw %w6, %%ds\n"
17246 "0: movl 32(%4), %%eax\n"
17248 @@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
17250 "2: movl 0(%4), %%eax\n"
17251 "21: movl 4(%4), %%edx\n"
17252 - " movl %%eax, 0(%3)\n"
17253 - " movl %%edx, 4(%3)\n"
17254 + " movl %%eax, %%es:0(%3)\n"
17255 + " movl %%edx, %%es:4(%3)\n"
17256 "3: movl 8(%4), %%eax\n"
17257 "31: movl 12(%4),%%edx\n"
17258 - " movl %%eax, 8(%3)\n"
17259 - " movl %%edx, 12(%3)\n"
17260 + " movl %%eax, %%es:8(%3)\n"
17261 + " movl %%edx, %%es:12(%3)\n"
17262 "4: movl 16(%4), %%eax\n"
17263 "41: movl 20(%4), %%edx\n"
17264 - " movl %%eax, 16(%3)\n"
17265 - " movl %%edx, 20(%3)\n"
17266 + " movl %%eax, %%es:16(%3)\n"
17267 + " movl %%edx, %%es:20(%3)\n"
17268 "10: movl 24(%4), %%eax\n"
17269 "51: movl 28(%4), %%edx\n"
17270 - " movl %%eax, 24(%3)\n"
17271 - " movl %%edx, 28(%3)\n"
17272 + " movl %%eax, %%es:24(%3)\n"
17273 + " movl %%edx, %%es:28(%3)\n"
17274 "11: movl 32(%4), %%eax\n"
17275 "61: movl 36(%4), %%edx\n"
17276 - " movl %%eax, 32(%3)\n"
17277 - " movl %%edx, 36(%3)\n"
17278 + " movl %%eax, %%es:32(%3)\n"
17279 + " movl %%edx, %%es:36(%3)\n"
17280 "12: movl 40(%4), %%eax\n"
17281 "71: movl 44(%4), %%edx\n"
17282 - " movl %%eax, 40(%3)\n"
17283 - " movl %%edx, 44(%3)\n"
17284 + " movl %%eax, %%es:40(%3)\n"
17285 + " movl %%edx, %%es:44(%3)\n"
17286 "13: movl 48(%4), %%eax\n"
17287 "81: movl 52(%4), %%edx\n"
17288 - " movl %%eax, 48(%3)\n"
17289 - " movl %%edx, 52(%3)\n"
17290 + " movl %%eax, %%es:48(%3)\n"
17291 + " movl %%edx, %%es:52(%3)\n"
17292 "14: movl 56(%4), %%eax\n"
17293 "91: movl 60(%4), %%edx\n"
17294 - " movl %%eax, 56(%3)\n"
17295 - " movl %%edx, 60(%3)\n"
17296 + " movl %%eax, %%es:56(%3)\n"
17297 + " movl %%edx, %%es:60(%3)\n"
17301 @@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
17307 ".section .fixup,\"ax\"\n"
17308 "9: lea 0(%%eax,%0,4),%0\n"
17310 @@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
17313 : "=&c"(size), "=&D" (d0), "=&S" (d1)
17314 - : "1"(to), "2"(from), "0"(size)
17315 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
17316 : "eax", "edx", "memory");
17319 @@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
17322 __asm__ __volatile__(
17323 + " movw %w6, %%ds\n"
17325 "0: movl 32(%4), %%eax\n"
17327 @@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
17329 "2: movl 0(%4), %%eax\n"
17330 "21: movl 4(%4), %%edx\n"
17331 - " movnti %%eax, 0(%3)\n"
17332 - " movnti %%edx, 4(%3)\n"
17333 + " movnti %%eax, %%es:0(%3)\n"
17334 + " movnti %%edx, %%es:4(%3)\n"
17335 "3: movl 8(%4), %%eax\n"
17336 "31: movl 12(%4),%%edx\n"
17337 - " movnti %%eax, 8(%3)\n"
17338 - " movnti %%edx, 12(%3)\n"
17339 + " movnti %%eax, %%es:8(%3)\n"
17340 + " movnti %%edx, %%es:12(%3)\n"
17341 "4: movl 16(%4), %%eax\n"
17342 "41: movl 20(%4), %%edx\n"
17343 - " movnti %%eax, 16(%3)\n"
17344 - " movnti %%edx, 20(%3)\n"
17345 + " movnti %%eax, %%es:16(%3)\n"
17346 + " movnti %%edx, %%es:20(%3)\n"
17347 "10: movl 24(%4), %%eax\n"
17348 "51: movl 28(%4), %%edx\n"
17349 - " movnti %%eax, 24(%3)\n"
17350 - " movnti %%edx, 28(%3)\n"
17351 + " movnti %%eax, %%es:24(%3)\n"
17352 + " movnti %%edx, %%es:28(%3)\n"
17353 "11: movl 32(%4), %%eax\n"
17354 "61: movl 36(%4), %%edx\n"
17355 - " movnti %%eax, 32(%3)\n"
17356 - " movnti %%edx, 36(%3)\n"
17357 + " movnti %%eax, %%es:32(%3)\n"
17358 + " movnti %%edx, %%es:36(%3)\n"
17359 "12: movl 40(%4), %%eax\n"
17360 "71: movl 44(%4), %%edx\n"
17361 - " movnti %%eax, 40(%3)\n"
17362 - " movnti %%edx, 44(%3)\n"
17363 + " movnti %%eax, %%es:40(%3)\n"
17364 + " movnti %%edx, %%es:44(%3)\n"
17365 "13: movl 48(%4), %%eax\n"
17366 "81: movl 52(%4), %%edx\n"
17367 - " movnti %%eax, 48(%3)\n"
17368 - " movnti %%edx, 52(%3)\n"
17369 + " movnti %%eax, %%es:48(%3)\n"
17370 + " movnti %%edx, %%es:52(%3)\n"
17371 "14: movl 56(%4), %%eax\n"
17372 "91: movl 60(%4), %%edx\n"
17373 - " movnti %%eax, 56(%3)\n"
17374 - " movnti %%edx, 60(%3)\n"
17375 + " movnti %%eax, %%es:56(%3)\n"
17376 + " movnti %%edx, %%es:60(%3)\n"
17380 @@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
17386 ".section .fixup,\"ax\"\n"
17387 "9: lea 0(%%eax,%0,4),%0\n"
17389 @@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
17392 : "=&c"(size), "=&D" (d0), "=&S" (d1)
17393 - : "1"(to), "2"(from), "0"(size)
17394 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
17395 : "eax", "edx", "memory");
17398 @@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
17401 __asm__ __volatile__(
17402 + " movw %w6, %%ds\n"
17404 "0: movl 32(%4), %%eax\n"
17406 @@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
17408 "2: movl 0(%4), %%eax\n"
17409 "21: movl 4(%4), %%edx\n"
17410 - " movnti %%eax, 0(%3)\n"
17411 - " movnti %%edx, 4(%3)\n"
17412 + " movnti %%eax, %%es:0(%3)\n"
17413 + " movnti %%edx, %%es:4(%3)\n"
17414 "3: movl 8(%4), %%eax\n"
17415 "31: movl 12(%4),%%edx\n"
17416 - " movnti %%eax, 8(%3)\n"
17417 - " movnti %%edx, 12(%3)\n"
17418 + " movnti %%eax, %%es:8(%3)\n"
17419 + " movnti %%edx, %%es:12(%3)\n"
17420 "4: movl 16(%4), %%eax\n"
17421 "41: movl 20(%4), %%edx\n"
17422 - " movnti %%eax, 16(%3)\n"
17423 - " movnti %%edx, 20(%3)\n"
17424 + " movnti %%eax, %%es:16(%3)\n"
17425 + " movnti %%edx, %%es:20(%3)\n"
17426 "10: movl 24(%4), %%eax\n"
17427 "51: movl 28(%4), %%edx\n"
17428 - " movnti %%eax, 24(%3)\n"
17429 - " movnti %%edx, 28(%3)\n"
17430 + " movnti %%eax, %%es:24(%3)\n"
17431 + " movnti %%edx, %%es:28(%3)\n"
17432 "11: movl 32(%4), %%eax\n"
17433 "61: movl 36(%4), %%edx\n"
17434 - " movnti %%eax, 32(%3)\n"
17435 - " movnti %%edx, 36(%3)\n"
17436 + " movnti %%eax, %%es:32(%3)\n"
17437 + " movnti %%edx, %%es:36(%3)\n"
17438 "12: movl 40(%4), %%eax\n"
17439 "71: movl 44(%4), %%edx\n"
17440 - " movnti %%eax, 40(%3)\n"
17441 - " movnti %%edx, 44(%3)\n"
17442 + " movnti %%eax, %%es:40(%3)\n"
17443 + " movnti %%edx, %%es:44(%3)\n"
17444 "13: movl 48(%4), %%eax\n"
17445 "81: movl 52(%4), %%edx\n"
17446 - " movnti %%eax, 48(%3)\n"
17447 - " movnti %%edx, 52(%3)\n"
17448 + " movnti %%eax, %%es:48(%3)\n"
17449 + " movnti %%edx, %%es:52(%3)\n"
17450 "14: movl 56(%4), %%eax\n"
17451 "91: movl 60(%4), %%edx\n"
17452 - " movnti %%eax, 56(%3)\n"
17453 - " movnti %%edx, 60(%3)\n"
17454 + " movnti %%eax, %%es:56(%3)\n"
17455 + " movnti %%edx, %%es:60(%3)\n"
17459 @@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
17465 ".section .fixup,\"ax\"\n"
17466 "9: lea 0(%%eax,%0,4),%0\n"
17468 @@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
17471 : "=&c"(size), "=&D" (d0), "=&S" (d1)
17472 - : "1"(to), "2"(from), "0"(size)
17473 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
17474 : "eax", "edx", "memory");
17477 @@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
17479 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
17480 unsigned long size);
17481 -unsigned long __copy_user_intel(void __user *to, const void *from,
17482 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
17483 + unsigned long size);
17484 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
17485 unsigned long size);
17486 unsigned long __copy_user_zeroing_intel_nocache(void *to,
17487 const void __user *from, unsigned long size);
17488 #endif /* CONFIG_X86_INTEL_USERCOPY */
17490 /* Generic arbitrary sized copy. */
17491 -#define __copy_user(to, from, size) \
17493 - int __d0, __d1, __d2; \
17494 - __asm__ __volatile__( \
17497 - " movl %1,%0\n" \
17499 - " andl $7,%0\n" \
17500 - " subl %0,%3\n" \
17501 - "4: rep; movsb\n" \
17502 - " movl %3,%0\n" \
17503 - " shrl $2,%0\n" \
17504 - " andl $3,%3\n" \
17505 - " .align 2,0x90\n" \
17506 - "0: rep; movsl\n" \
17507 - " movl %3,%0\n" \
17508 - "1: rep; movsb\n" \
17510 - ".section .fixup,\"ax\"\n" \
17511 - "5: addl %3,%0\n" \
17513 - "3: lea 0(%3,%0,4),%0\n" \
17516 - ".section __ex_table,\"a\"\n" \
17518 - " .long 4b,5b\n" \
17519 - " .long 0b,3b\n" \
17520 - " .long 1b,2b\n" \
17522 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
17523 - : "3"(size), "0"(size), "1"(to), "2"(from) \
17527 -#define __copy_user_zeroing(to, from, size) \
17529 - int __d0, __d1, __d2; \
17530 - __asm__ __volatile__( \
17533 - " movl %1,%0\n" \
17535 - " andl $7,%0\n" \
17536 - " subl %0,%3\n" \
17537 - "4: rep; movsb\n" \
17538 - " movl %3,%0\n" \
17539 - " shrl $2,%0\n" \
17540 - " andl $3,%3\n" \
17541 - " .align 2,0x90\n" \
17542 - "0: rep; movsl\n" \
17543 - " movl %3,%0\n" \
17544 - "1: rep; movsb\n" \
17546 - ".section .fixup,\"ax\"\n" \
17547 - "5: addl %3,%0\n" \
17549 - "3: lea 0(%3,%0,4),%0\n" \
17550 - "6: pushl %0\n" \
17551 - " pushl %%eax\n" \
17552 - " xorl %%eax,%%eax\n" \
17553 - " rep; stosb\n" \
17554 - " popl %%eax\n" \
17558 - ".section __ex_table,\"a\"\n" \
17560 - " .long 4b,5b\n" \
17561 - " .long 0b,3b\n" \
17562 - " .long 1b,6b\n" \
17564 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
17565 - : "3"(size), "0"(size), "1"(to), "2"(from) \
17568 +static unsigned long
17569 +__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
17571 + int __d0, __d1, __d2;
17573 + __asm__ __volatile__(
17574 + " movw %w8,%%es\n"
17581 + "4: rep; movsb\n"
17585 + " .align 2,0x90\n"
17586 + "0: rep; movsl\n"
17588 + "1: rep; movsb\n"
17592 + ".section .fixup,\"ax\"\n"
17593 + "5: addl %3,%0\n"
17595 + "3: lea 0(%3,%0,4),%0\n"
17598 + ".section __ex_table,\"a\"\n"
17604 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17605 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17610 +static unsigned long
17611 +__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
17613 + int __d0, __d1, __d2;
17615 + __asm__ __volatile__(
17616 + " movw %w8,%%ds\n"
17623 + "4: rep; movsb\n"
17627 + " .align 2,0x90\n"
17628 + "0: rep; movsl\n"
17630 + "1: rep; movsb\n"
17634 + ".section .fixup,\"ax\"\n"
17635 + "5: addl %3,%0\n"
17637 + "3: lea 0(%3,%0,4),%0\n"
17640 + ".section __ex_table,\"a\"\n"
17646 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17647 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17652 +static unsigned long
17653 +__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
17655 + int __d0, __d1, __d2;
17657 + __asm__ __volatile__(
17658 + " movw %w8,%%ds\n"
17665 + "4: rep; movsb\n"
17669 + " .align 2,0x90\n"
17670 + "0: rep; movsl\n"
17672 + "1: rep; movsb\n"
17676 + ".section .fixup,\"ax\"\n"
17677 + "5: addl %3,%0\n"
17679 + "3: lea 0(%3,%0,4),%0\n"
17682 + " xorl %%eax,%%eax\n"
17688 + ".section __ex_table,\"a\"\n"
17694 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17695 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17700 unsigned long __copy_to_user_ll(void __user *to, const void *from,
17702 @@ -775,9 +966,9 @@ survive:
17705 if (movsl_is_ok(to, from, n))
17706 - __copy_user(to, from, n);
17707 + n = __generic_copy_to_user(to, from, n);
17709 - n = __copy_user_intel(to, from, n);
17710 + n = __generic_copy_to_user_intel(to, from, n);
17713 EXPORT_SYMBOL(__copy_to_user_ll);
17714 @@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
17717 if (movsl_is_ok(to, from, n))
17718 - __copy_user_zeroing(to, from, n);
17719 + n = __copy_user_zeroing(to, from, n);
17721 n = __copy_user_zeroing_intel(to, from, n);
17723 @@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
17726 if (movsl_is_ok(to, from, n))
17727 - __copy_user(to, from, n);
17728 + n = __generic_copy_from_user(to, from, n);
17730 - n = __copy_user_intel((void __user *)to,
17731 - (const void *)from, n);
17732 + n = __generic_copy_from_user_intel(to, from, n);
17735 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
17736 @@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
17737 if (n > 64 && cpu_has_xmm2)
17738 n = __copy_user_zeroing_intel_nocache(to, from, n);
17740 - __copy_user_zeroing(to, from, n);
17741 + n = __copy_user_zeroing(to, from, n);
17743 - __copy_user_zeroing(to, from, n);
17744 + n = __copy_user_zeroing(to, from, n);
17748 @@ -827,65 +1017,53 @@ unsigned long __copy_from_user_ll_nocach
17749 if (n > 64 && cpu_has_xmm2)
17750 n = __copy_user_intel_nocache(to, from, n);
17752 - __copy_user(to, from, n);
17753 + n = __generic_copy_from_user(to, from, n);
17755 - __copy_user(to, from, n);
17756 + n = __generic_copy_from_user(to, from, n);
17760 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
17763 - * copy_to_user: - Copy a block of data into user space.
17764 - * @to: Destination address, in user space.
17765 - * @from: Source address, in kernel space.
17766 - * @n: Number of bytes to copy.
17768 - * Context: User context only. This function may sleep.
17770 - * Copy data from kernel space to user space.
17772 - * Returns number of bytes that could not be copied.
17773 - * On success, this will be zero.
17776 -copy_to_user(void __user *to, const void *from, unsigned long n)
17777 +void copy_from_user_overflow(void)
17779 - if (access_ok(VERIFY_WRITE, to, n))
17780 - n = __copy_to_user(to, from, n);
17782 + WARN(1, "Buffer overflow detected!\n");
17784 -EXPORT_SYMBOL(copy_to_user);
17785 +EXPORT_SYMBOL(copy_from_user_overflow);
17788 - * copy_from_user: - Copy a block of data from user space.
17789 - * @to: Destination address, in kernel space.
17790 - * @from: Source address, in user space.
17791 - * @n: Number of bytes to copy.
17793 - * Context: User context only. This function may sleep.
17795 - * Copy data from user space to kernel space.
17797 - * Returns number of bytes that could not be copied.
17798 - * On success, this will be zero.
17800 - * If some data could not be copied, this function will pad the copied
17801 - * data to the requested size using zero bytes.
17804 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17805 +void copy_to_user_overflow(void)
17807 - if (access_ok(VERIFY_READ, from, n))
17808 - n = __copy_from_user(to, from, n);
17810 - memset(to, 0, n);
17812 + WARN(1, "Buffer overflow detected!\n");
17814 -EXPORT_SYMBOL(_copy_from_user);
17815 +EXPORT_SYMBOL(copy_to_user_overflow);
17817 -void copy_from_user_overflow(void)
17818 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17819 +void __set_fs(mm_segment_t x, int cpu)
17821 - WARN(1, "Buffer overflow detected!\n");
17822 + unsigned long limit = x.seg;
17823 + struct desc_struct d;
17825 + current_thread_info()->addr_limit = x;
17826 + if (unlikely(paravirt_enabled()))
17829 + if (likely(limit))
17830 + limit = (limit - 1UL) >> PAGE_SHIFT;
17831 + pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
17832 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
17834 -EXPORT_SYMBOL(copy_from_user_overflow);
17836 +void set_fs(mm_segment_t x)
17838 + __set_fs(x, get_cpu());
17841 +EXPORT_SYMBOL(copy_from_user);
17843 +void set_fs(mm_segment_t x)
17845 + current_thread_info()->addr_limit = x;
17849 +EXPORT_SYMBOL(set_fs);
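Review bot: `EXPORT_SYMBOL(copy_from_user);` appears to sit inside the `CONFIG_PAX_MEMORY_UDEREF` branch, directly after `set_fs()`, although this hunk removes `_copy_from_user()` and defines no `copy_from_user` in this file. Unless a non-inline definition exists elsewhere (not visible here), the export has nothing to bind to, and in any case the set of exported symbols should not differ between UDEREF and non-UDEREF builds. It reads like a leftover from moving the functions around; I would drop the line and keep only `EXPORT_SYMBOL(set_fs);`. As a smaller point, `copy_from_user_overflow()` and `copy_to_user_overflow()` print the identical `"Buffer overflow detected!\n"`, so naming the copy direction in each message would make the warning easier to triage.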
17850 diff -urNp linux-2.6.36.2/arch/x86/lib/usercopy_64.c linux-2.6.36.2/arch/x86/lib/usercopy_64.c
17851 --- linux-2.6.36.2/arch/x86/lib/usercopy_64.c 2010-10-20 16:30:22.000000000 -0400
17852 +++ linux-2.6.36.2/arch/x86/lib/usercopy_64.c 2010-12-09 20:24:54.000000000 -0500
17853 @@ -42,6 +42,8 @@ long
17854 __strncpy_from_user(char *dst, const char __user *src, long count)
17857 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17858 + src += PAX_USER_SHADOW_BASE;
17859 __do_strncpy_from_user(dst, src, count, res);
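Review bot: The relocation `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is added with no comment and no `#ifdef`, and the same pattern is repeated in the `__clear_user()` hunk and twice in `copy_in_user()` below. A pointer that is already at or above `PAX_USER_SHADOW_BASE` passes through unchanged, so in the two `__`-prefixed helpers the result is only as safe as the caller's earlier range check. That assumption deserves to be written down, e.g. `/* caller has validated src; user pointers below the base are redirected to the shadow mapping */` (wording to be confirmed against the UDEREF design). Folding the test into one small static inline that takes and returns the pointer would keep the four sites from drifting apart. Behaviour in builds without UDEREF depends on how `PAX_USER_SHADOW_BASE` is defined, which this hunk does not show.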
17862 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17866 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17867 + addr += PAX_USER_SHADOW_BASE;
17868 /* no memory constraint because it doesn't change any memory gcc knows
17871 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17873 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17875 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17876 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17877 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17878 + to += PAX_USER_SHADOW_BASE;
17879 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17880 + from += PAX_USER_SHADOW_BASE;
17881 return copy_user_generic((__force void *)to, (__force void *)from, len);
17887 EXPORT_SYMBOL(copy_in_user);
17889 diff -urNp linux-2.6.36.2/arch/x86/Makefile linux-2.6.36.2/arch/x86/Makefile
17890 --- linux-2.6.36.2/arch/x86/Makefile 2010-10-20 16:30:22.000000000 -0400
17891 +++ linux-2.6.36.2/arch/x86/Makefile 2010-12-09 20:24:55.000000000 -0500
17892 @@ -191,3 +191,12 @@ define archhelp
17893 echo ' FDARGS="..." arguments for the booted kernel'
17894 echo ' FDINITRD=file initrd for the booted kernel'
17899 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17900 +*** Please upgrade your binutils to 2.18 or newer
17904 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
17905 diff -urNp linux-2.6.36.2/arch/x86/mm/extable.c linux-2.6.36.2/arch/x86/mm/extable.c
17906 --- linux-2.6.36.2/arch/x86/mm/extable.c 2010-10-20 16:30:22.000000000 -0400
17907 +++ linux-2.6.36.2/arch/x86/mm/extable.c 2010-12-09 20:24:55.000000000 -0500
17909 #include <linux/module.h>
17910 #include <linux/spinlock.h>
17911 +#include <linux/sort.h>
17912 #include <asm/uaccess.h>
17913 +#include <asm/pgtable.h>
17916 + * The exception table needs to be sorted so that the binary
17917 + * search that we use to find entries in it works properly.
17918 + * This is used both for the kernel exception table and for
17919 + * the exception tables of modules that get loaded.
17921 +static int cmp_ex(const void *a, const void *b)
17923 + const struct exception_table_entry *x = a, *y = b;
17925 + /* avoid overflow */
17926 + if (x->insn > y->insn)
17928 + if (x->insn < y->insn)
17933 +static void swap_ex(void *a, void *b, int size)
17935 + struct exception_table_entry t, *x = a, *y = b;
17939 + pax_open_kernel();
17942 + pax_close_kernel();
17945 +void sort_extable(struct exception_table_entry *start,
17946 + struct exception_table_entry *finish)
17948 + sort(start, finish - start, sizeof(struct exception_table_entry),
17949 + cmp_ex, swap_ex);
17952 +#ifdef CONFIG_MODULES
17954 + * If the exception table is sorted, any referring to the module init
17955 + * will be at the beginning or the end.
17957 +void trim_init_extable(struct module *m)
17959 + /*trim the beginning*/
17960 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17962 + m->num_exentries--;
17965 + while (m->num_exentries &&
17966 + within_module_init(m->extable[m->num_exentries-1].insn, m))
17967 + m->num_exentries--;
17969 +#endif /* CONFIG_MODULES */
17971 int fixup_exception(struct pt_regs *regs)
17973 const struct exception_table_entry *fixup;
17975 #ifdef CONFIG_PNPBIOS
17976 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17977 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17978 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17979 extern u32 pnp_bios_is_utter_crap;
17980 pnp_bios_is_utter_crap = 1;
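Review bot: `swap_ex()` opens a kernel write window with `pax_open_kernel()` / `pax_close_kernel()` but carries no comment saying why, or how narrow the window is meant to stay. Presumably the exception table lives in memory that this patch keeps read-only, so the sort needs write access for each swap. A line such as `/* extable may be read-only: lift write protection only around the swap */` would tell the next reader not to add unrelated work between the two calls. The swap statements themselves are not visible in this rendering, so this is a documentation point only.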
17981 diff -urNp linux-2.6.36.2/arch/x86/mm/fault.c linux-2.6.36.2/arch/x86/mm/fault.c
17982 --- linux-2.6.36.2/arch/x86/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
17983 +++ linux-2.6.36.2/arch/x86/mm/fault.c 2010-12-09 20:24:55.000000000 -0500
17984 @@ -11,10 +11,18 @@
17985 #include <linux/kprobes.h> /* __kprobes, ... */
17986 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
17987 #include <linux/perf_event.h> /* perf_sw_event */
17988 +#include <linux/unistd.h>
17989 +#include <linux/compiler.h>
17991 #include <asm/traps.h> /* dotraplinkage, ... */
17992 #include <asm/pgalloc.h> /* pgd_*(), ... */
17993 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17994 +#include <asm/vsyscall.h>
17995 +#include <asm/tlbflush.h>
17997 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17998 +#include <asm/stacktrace.h>
18002 * Page fault error code bits:
18003 @@ -52,7 +60,7 @@ static inline int __kprobes notify_page_
18006 /* kprobe_running() needs smp_processor_id() */
18007 - if (kprobes_built_in() && !user_mode_vm(regs)) {
18008 + if (kprobes_built_in() && !user_mode(regs)) {
18010 if (kprobe_running() && kprobe_fault_handler(regs, 14))
18012 @@ -173,6 +181,30 @@ force_sig_info_fault(int si_signo, int s
18013 force_sig_info(si_signo, &info, tsk);
18016 +#ifdef CONFIG_PAX_EMUTRAMP
18017 +static int pax_handle_fetch_fault(struct pt_regs *regs);
18020 +#ifdef CONFIG_PAX_PAGEEXEC
18021 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
18027 + pgd = pgd_offset(mm, address);
18028 + if (!pgd_present(*pgd))
18030 + pud = pud_offset(pgd, address);
18031 + if (!pud_present(*pud))
18033 + pmd = pmd_offset(pud, address);
18034 + if (!pmd_present(*pmd))
18040 DEFINE_SPINLOCK(pgd_lock);
18041 LIST_HEAD(pgd_list);
18043 @@ -225,11 +257,24 @@ void vmalloc_sync_all(void)
18044 address += PMD_SIZE) {
18046 unsigned long flags;
18048 +#ifdef CONFIG_PAX_PER_CPU_PGD
18049 + unsigned long cpu;
18054 spin_lock_irqsave(&pgd_lock, flags);
18056 +#ifdef CONFIG_PAX_PER_CPU_PGD
18057 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18058 + pgd_t *pgd = get_cpu_pgd(cpu);
18060 list_for_each_entry(page, &pgd_list, lru) {
18061 - if (!vmalloc_sync_one(page_address(page), address))
18062 + pgd_t *pgd = page_address(page);
18065 + if (!vmalloc_sync_one(pgd, address))
18068 spin_unlock_irqrestore(&pgd_lock, flags);
18069 @@ -259,6 +304,11 @@ static noinline __kprobes int vmalloc_fa
18070 * an interrupt in the middle of a task switch..
18072 pgd_paddr = read_cr3();
18074 +#ifdef CONFIG_PAX_PER_CPU_PGD
18075 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
18078 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
18081 @@ -333,15 +383,27 @@ void vmalloc_sync_all(void)
18083 const pgd_t *pgd_ref = pgd_offset_k(address);
18084 unsigned long flags;
18086 +#ifdef CONFIG_PAX_PER_CPU_PGD
18087 + unsigned long cpu;
18092 if (pgd_none(*pgd_ref))
18095 spin_lock_irqsave(&pgd_lock, flags);
18097 +#ifdef CONFIG_PAX_PER_CPU_PGD
18098 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18099 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
18101 list_for_each_entry(page, &pgd_list, lru) {
18103 pgd = (pgd_t *)page_address(page) + pgd_index(address);
18106 if (pgd_none(*pgd))
18107 set_pgd(pgd, *pgd_ref);
18109 @@ -374,7 +436,14 @@ static noinline __kprobes int vmalloc_fa
18110 * happen within a race in page table update. In the later
18114 +#ifdef CONFIG_PAX_PER_CPU_PGD
18115 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
18116 + pgd = pgd_offset_cpu(smp_processor_id(), address);
18118 pgd = pgd_offset(current->active_mm, address);
18121 pgd_ref = pgd_offset_k(address);
18122 if (pgd_none(*pgd_ref))
18124 @@ -536,7 +605,7 @@ static int is_errata93(struct pt_regs *r
18125 static int is_errata100(struct pt_regs *regs, unsigned long address)
18127 #ifdef CONFIG_X86_64
18128 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
18129 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
18133 @@ -563,7 +632,7 @@ static int is_f00f_bug(struct pt_regs *r
18136 static const char nx_warning[] = KERN_CRIT
18137 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
18138 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
18141 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
18142 @@ -572,15 +641,26 @@ show_fault_oops(struct pt_regs *regs, un
18143 if (!oops_may_print())
18146 - if (error_code & PF_INSTR) {
18147 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
18148 unsigned int level;
18150 pte_t *pte = lookup_address(address, &level);
18152 if (pte && pte_present(*pte) && !pte_exec(*pte))
18153 - printk(nx_warning, current_uid());
18154 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
18157 +#ifdef CONFIG_PAX_KERNEXEC
18158 + if (init_mm.start_code <= address && address < init_mm.end_code) {
18159 + if (current->signal->curr_ip)
18160 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
18161 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
18163 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
18164 + current->comm, task_pid_nr(current), current_uid(), current_euid());
18168 printk(KERN_ALERT "BUG: unable to handle kernel ");
18169 if (address < PAGE_SIZE)
18170 printk(KERN_CONT "NULL pointer dereference");
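Review bot: Both new KERNEXEC messages and the extended `nx_warning` print `current->comm` with a bare `%s`, and a task can choose its own comm, so that field is untrusted text in the kernel log. A name containing control characters or a newline could make one event read as several records or imitate another message, and these are the lines someone triaging an alert will rely on. I would copy comm into a local buffer and replace non-printable bytes before the `printk()`. Until then, add `/* comm is task-controlled: do not parse these lines by field position */` above the calls. `show_fault_oops()` continues outside this hunk.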
18171 @@ -705,6 +785,68 @@ __bad_area_nosemaphore(struct pt_regs *r
18172 unsigned long address, int si_code)
18174 struct task_struct *tsk = current;
18175 + struct mm_struct *mm = tsk->mm;
18177 +#ifdef CONFIG_X86_64
18178 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
18179 + if (regs->ip == (unsigned long)vgettimeofday) {
18180 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
18182 + } else if (regs->ip == (unsigned long)vtime) {
18183 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
18185 + } else if (regs->ip == (unsigned long)vgetcpu) {
18186 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
18192 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18193 + if (mm && (error_code & PF_USER)) {
18194 + unsigned long ip = regs->ip;
18196 + if (v8086_mode(regs))
18197 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
18200 + * It's possible to have interrupts off here:
18202 + local_irq_enable();
18204 +#ifdef CONFIG_PAX_PAGEEXEC
18205 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
18206 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
18208 +#ifdef CONFIG_PAX_EMUTRAMP
18209 + switch (pax_handle_fetch_fault(regs)) {
18215 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
18216 + do_group_exit(SIGKILL);
18220 +#ifdef CONFIG_PAX_SEGMEXEC
18221 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
18223 +#ifdef CONFIG_PAX_EMUTRAMP
18224 + switch (pax_handle_fetch_fault(regs)) {
18230 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
18231 + do_group_exit(SIGKILL);
18238 /* User mode accesses just cause a SIGSEGV */
18239 if (error_code & PF_USER) {
18240 @@ -851,6 +993,106 @@ static int spurious_fault_check(unsigned
18244 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18245 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
18250 + unsigned char pte_mask;
18252 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
18253 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
18256 + /* PaX: it's our fault, let's handle it if we can */
18258 + /* PaX: take a look at read faults before acquiring any locks */
18259 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
18260 + /* instruction fetch attempt from a protected page in user mode */
18261 + up_read(&mm->mmap_sem);
18263 +#ifdef CONFIG_PAX_EMUTRAMP
18264 + switch (pax_handle_fetch_fault(regs)) {
18270 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
18271 + do_group_exit(SIGKILL);
18274 + pmd = pax_get_pmd(mm, address);
18275 + if (unlikely(!pmd))
18278 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
18279 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
18280 + pte_unmap_unlock(pte, ptl);
18284 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
18285 + /* write attempt to a protected page in user mode */
18286 + pte_unmap_unlock(pte, ptl);
18291 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
18293 + if (likely(address > get_limit(regs->cs)))
18296 + set_pte(pte, pte_mkread(*pte));
18297 + __flush_tlb_one(address);
18298 + pte_unmap_unlock(pte, ptl);
18299 + up_read(&mm->mmap_sem);
18303 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
18306 + * PaX: fill DTLB with user rights and retry
18308 + __asm__ __volatile__ (
18309 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18310 + "movw %w4,%%es\n"
18313 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
18315 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
18316 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
18317 + * page fault when examined during a TLB load attempt. this is true not only
18318 + * for PTEs holding a non-present entry but also present entries that will
18319 + * raise a page fault (such as those set up by PaX, or the copy-on-write
18320 + * mechanism). in effect it means that we do *not* need to flush the TLBs
18321 + * for our target pages since their PTEs are simply not in the TLBs at all.
18323 + * the best thing in omitting it is that we gain around 15-20% speed in the
18324 + * fast path of the page fault handler and can get rid of tracing since we
18325 + * can no longer flush unintended entries.
18329 + "testb $0,%%es:(%0)\n"
18331 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18336 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
18337 + : "memory", "cc");
18338 + pte_unmap_unlock(pte, ptl);
18339 + up_read(&mm->mmap_sem);
18345 * Handle a spurious fault caused by a stale TLB entry.
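Review bot: `pte_mask` is built with `(error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1)`, which yields the dirty bit only while `PF_WRITE` is bit 1 of the error code, and the result is stored in an `unsigned char`; neither assumption is stated or enforced. A compile-time check next to the assignment, `BUILD_BUG_ON((PF_WRITE << (_PAGE_BIT_DIRTY-1)) != _PAGE_DIRTY);`, would keep a later renumbering from silently producing a wrong PTE mask in this fast path. A one-line comment, `/* PF_WRITE (bit 1) shifted up to _PAGE_DIRTY */`, would explain the shift. The mask is applied to a live PTE from inline assembly, so a wrong bit here would not be caught by the compiler.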
18347 @@ -917,6 +1159,9 @@ int show_unhandled_signals = 1;
18349 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
18351 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
18355 /* write, present and write, not present: */
18356 if (unlikely(!(vma->vm_flags & VM_WRITE)))
18357 @@ -950,17 +1195,31 @@ do_page_fault(struct pt_regs *regs, unsi
18359 struct vm_area_struct *vma;
18360 struct task_struct *tsk;
18361 - unsigned long address;
18362 struct mm_struct *mm;
18366 + /* Get the faulting address: */
18367 + unsigned long address = read_cr2();
18369 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18370 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
18371 + if (!search_exception_tables(regs->ip)) {
18372 + bad_area_nosemaphore(regs, error_code, address);
18375 + if (address < PAX_USER_SHADOW_BASE) {
18376 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
18377 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
18378 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
18380 + address -= PAX_USER_SHADOW_BASE;
18387 - /* Get the faulting address: */
18388 - address = read_cr2();
18391 * Detect and handle instructions that would cause a page fault for
18392 * both a tracked kernel page and a userspace page.
18393 @@ -1020,7 +1279,7 @@ do_page_fault(struct pt_regs *regs, unsi
18394 * User-mode registers count as a user access even for any
18395 * potential system fault or CPU buglet:
18397 - if (user_mode_vm(regs)) {
18398 + if (user_mode(regs)) {
18399 local_irq_enable();
18400 error_code |= PF_USER;
18402 @@ -1074,6 +1333,11 @@ do_page_fault(struct pt_regs *regs, unsi
18406 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18407 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
18411 vma = find_vma(mm, address);
18412 if (unlikely(!vma)) {
18413 bad_area(regs, error_code, address);
18414 @@ -1085,18 +1349,24 @@ do_page_fault(struct pt_regs *regs, unsi
18415 bad_area(regs, error_code, address);
18418 - if (error_code & PF_USER) {
18420 - * Accessing the stack below %sp is always a bug.
18421 - * The large cushion allows instructions like enter
18422 - * and pusha to work. ("enter $65535, $31" pushes
18423 - * 32 pointers and then decrements %sp by 65535.)
18425 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
18426 - bad_area(regs, error_code, address);
18430 + * Accessing the stack below %sp is always a bug.
18431 + * The large cushion allows instructions like enter
18432 + * and pusha to work. ("enter $65535, $31" pushes
18433 + * 32 pointers and then decrements %sp by 65535.)
18435 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
18436 + bad_area(regs, error_code, address);
18440 +#ifdef CONFIG_PAX_SEGMEXEC
18441 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
18442 + bad_area(regs, error_code, address);
18447 if (unlikely(expand_stack(vma, address))) {
18448 bad_area(regs, error_code, address);
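Review bot: The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` only makes sense through unsigned wraparound, and nothing in the hunk says which case it is meant to reject. Please add a comment stating the intent, e.g. `/* refuse to grow a stack vma across the SEGMEXEC_TASK_SIZE boundary (relies on unsigned wrap) */`, after confirming that this is the intended reading. The hunk also drops the `error_code & PF_USER` guard and compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`, so the cushion check now appears to run for kernel-mode faults too; the retained comment should say so. `do_page_fault()` starts and ends outside this hunk.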
18450 @@ -1140,3 +1410,199 @@ good_area:
18452 up_read(&mm->mmap_sem);
18455 +#ifdef CONFIG_PAX_EMUTRAMP
18456 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
18460 + do { /* PaX: gcc trampoline emulation #1 */
18461 + unsigned char mov1, mov2;
18462 + unsigned short jmp;
18463 + unsigned int addr1, addr2;
18465 +#ifdef CONFIG_X86_64
18466 + if ((regs->ip + 11) >> 32)
18470 + err = get_user(mov1, (unsigned char __user *)regs->ip);
18471 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
18472 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
18473 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
18474 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
18479 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
18480 + regs->cx = addr1;
18481 + regs->ax = addr2;
18482 + regs->ip = addr2;
18487 + do { /* PaX: gcc trampoline emulation #2 */
18488 + unsigned char mov, jmp;
18489 + unsigned int addr1, addr2;
18491 +#ifdef CONFIG_X86_64
18492 + if ((regs->ip + 9) >> 32)
18496 + err = get_user(mov, (unsigned char __user *)regs->ip);
18497 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
18498 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
18499 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
18504 + if (mov == 0xB9 && jmp == 0xE9) {
18505 + regs->cx = addr1;
18506 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
18511 + return 1; /* PaX in action */
18514 +#ifdef CONFIG_X86_64
18515 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
18519 + do { /* PaX: gcc trampoline emulation #1 */
18520 + unsigned short mov1, mov2, jmp1;
18521 + unsigned char jmp2;
18522 + unsigned int addr1;
18523 + unsigned long addr2;
18525 + err = get_user(mov1, (unsigned short __user *)regs->ip);
18526 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
18527 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
18528 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
18529 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
18530 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
18535 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
18536 + regs->r11 = addr1;
18537 + regs->r10 = addr2;
18538 + regs->ip = addr1;
18543 + do { /* PaX: gcc trampoline emulation #2 */
18544 + unsigned short mov1, mov2, jmp1;
18545 + unsigned char jmp2;
18546 + unsigned long addr1, addr2;
18548 + err = get_user(mov1, (unsigned short __user *)regs->ip);
18549 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
18550 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
18551 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
18552 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
18553 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
18558 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
18559 + regs->r11 = addr1;
18560 + regs->r10 = addr2;
18561 + regs->ip = addr1;
18566 + return 1; /* PaX in action */
18571 + * PaX: decide what to do with offenders (regs->ip = fault address)
18573 + * returns 1 when task should be killed
18574 + * 2 when gcc trampoline was detected
18576 +static int pax_handle_fetch_fault(struct pt_regs *regs)
18578 + if (v8086_mode(regs))
18581 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
18584 +#ifdef CONFIG_X86_32
18585 + return pax_handle_fetch_fault_32(regs);
18587 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
18588 + return pax_handle_fetch_fault_32(regs);
18590 + return pax_handle_fetch_fault_64(regs);
18595 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18596 +void pax_report_insns(void *pc, void *sp)
18600 + printk(KERN_ERR "PAX: bytes at PC: ");
18601 + for (i = 0; i < 20; i++) {
18603 + if (get_user(c, (__force unsigned char __user *)pc+i))
18604 + printk(KERN_CONT "?? ");
18606 + printk(KERN_CONT "%02x ", c);
18610 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
18611 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
18613 + if (get_user(c, (__force unsigned long __user *)sp+i))
18614 +#ifdef CONFIG_X86_32
18615 + printk(KERN_CONT "???????? ");
18617 + printk(KERN_CONT "???????????????? ");
18620 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
18627 + * probe_kernel_write(): safely attempt to write to a location
18628 + * @dst: address to write to
18629 + * @src: pointer to the data that shall be written
18630 + * @size: size of the data chunk
18632 + * Safely write to address @dst from the buffer at @src. If a kernel fault
18633 + * happens, handle that and return -EFAULT.
18635 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
18638 + mm_segment_t old_fs = get_fs();
18640 + set_fs(KERNEL_DS);
18641 + pagefault_disable();
18642 + pax_open_kernel();
18643 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
18644 + pax_close_kernel();
18645 + pagefault_enable();
18648 + return ret ? -EFAULT : 0;
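Review bot: The kernel-doc for `probe_kernel_write()` promises only a safe write that returns -EFAULT on a fault, but the body wraps the copy in `pax_open_kernel()` / `pax_close_kernel()`, so it can presumably also modify memory that the rest of the patch keeps read-only. Every caller then holds a write primitive that bypasses that protection, and the header should say so: ` * Note: write protection is lifted for the duration of the copy; @dst must come from a trusted in-kernel source.` The restore of `old_fs` is not visible in this rendering, so confirm that `set_fs(old_fs)` runs on every path before the return. Elsewhere in the hunk, the 1/2 return codes of `pax_handle_fetch_fault()` are documented only in a comment; named constants would make the `switch` statements in the callers self-explanatory.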
18650 diff -urNp linux-2.6.36.2/arch/x86/mm/gup.c linux-2.6.36.2/arch/x86/mm/gup.c
18651 --- linux-2.6.36.2/arch/x86/mm/gup.c 2010-10-20 16:30:22.000000000 -0400
18652 +++ linux-2.6.36.2/arch/x86/mm/gup.c 2010-12-09 20:24:55.000000000 -0500
18653 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
18655 len = (unsigned long) nr_pages << PAGE_SHIFT;
18657 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18658 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18659 (void __user *)start, len)))
18662 diff -urNp linux-2.6.36.2/arch/x86/mm/highmem_32.c linux-2.6.36.2/arch/x86/mm/highmem_32.c
18663 --- linux-2.6.36.2/arch/x86/mm/highmem_32.c 2010-10-20 16:30:22.000000000 -0400
18664 +++ linux-2.6.36.2/arch/x86/mm/highmem_32.c 2010-12-09 20:24:55.000000000 -0500
18665 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
18666 idx = type + KM_TYPE_NR*smp_processor_id();
18667 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18668 BUG_ON(!pte_none(*(kmap_pte-idx)));
18670 + pax_open_kernel();
18671 set_pte(kmap_pte-idx, mk_pte(page, prot));
18672 + pax_close_kernel();
18674 return (void *)vaddr;
18676 diff -urNp linux-2.6.36.2/arch/x86/mm/hugetlbpage.c linux-2.6.36.2/arch/x86/mm/hugetlbpage.c
18677 --- linux-2.6.36.2/arch/x86/mm/hugetlbpage.c 2010-10-20 16:30:22.000000000 -0400
18678 +++ linux-2.6.36.2/arch/x86/mm/hugetlbpage.c 2010-12-09 20:24:55.000000000 -0500
18679 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
18680 struct hstate *h = hstate_file(file);
18681 struct mm_struct *mm = current->mm;
18682 struct vm_area_struct *vma;
18683 - unsigned long start_addr;
18684 + unsigned long start_addr, pax_task_size = TASK_SIZE;
18686 +#ifdef CONFIG_PAX_SEGMEXEC
18687 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18688 + pax_task_size = SEGMEXEC_TASK_SIZE;
18691 + pax_task_size -= PAGE_SIZE;
18693 if (len > mm->cached_hole_size) {
18694 - start_addr = mm->free_area_cache;
18695 + start_addr = mm->free_area_cache;
18697 - start_addr = TASK_UNMAPPED_BASE;
18698 - mm->cached_hole_size = 0;
18699 + start_addr = mm->mmap_base;
18700 + mm->cached_hole_size = 0;
18704 @@ -280,26 +287,27 @@ full_search:
18706 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
18707 /* At this point: (!vma || addr < vma->vm_end). */
18708 - if (TASK_SIZE - len < addr) {
18709 + if (pax_task_size - len < addr) {
18711 * Start a new search - just in case we missed
18714 - if (start_addr != TASK_UNMAPPED_BASE) {
18715 - start_addr = TASK_UNMAPPED_BASE;
18716 + if (start_addr != mm->mmap_base) {
18717 + start_addr = mm->mmap_base;
18718 mm->cached_hole_size = 0;
18723 - if (!vma || addr + len <= vma->vm_start) {
18724 - mm->free_area_cache = addr + len;
18727 + if (check_heap_stack_gap(vma, addr, len))
18729 if (addr + mm->cached_hole_size < vma->vm_start)
18730 mm->cached_hole_size = vma->vm_start - addr;
18731 addr = ALIGN(vma->vm_end, huge_page_size(h));
18734 + mm->free_area_cache = addr + len;
18738 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
18739 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
18741 struct hstate *h = hstate_file(file);
18742 struct mm_struct *mm = current->mm;
18743 - struct vm_area_struct *vma, *prev_vma;
18744 - unsigned long base = mm->mmap_base, addr = addr0;
18745 + struct vm_area_struct *vma;
18746 + unsigned long base = mm->mmap_base, addr;
18747 unsigned long largest_hole = mm->cached_hole_size;
18748 - int first_time = 1;
18750 /* don't allow allocations above current base */
18751 if (mm->free_area_cache > base)
18752 @@ -321,7 +328,7 @@ static unsigned long hugetlb_get_unmappe
18754 mm->free_area_cache = base;
18758 /* make sure it can fit in the remaining address space */
18759 if (mm->free_area_cache < len)
18761 @@ -329,33 +336,27 @@ try_again:
18762 /* either no address requested or cant fit in requested address hole */
18763 addr = (mm->free_area_cache - len) & huge_page_mask(h);
18765 + vma = find_vma(mm, addr);
18767 * Lookup failure means no vma is above this address,
18768 * i.e. return with success:
18770 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
18774 * new region fits between prev_vma->vm_end and
18775 * vma->vm_start, use it:
18777 - if (addr + len <= vma->vm_start &&
18778 - (!prev_vma || (addr >= prev_vma->vm_end))) {
18779 + if (check_heap_stack_gap(vma, addr, len)) {
18780 /* remember the address as a hint for next time */
18781 - mm->cached_hole_size = largest_hole;
18782 - return (mm->free_area_cache = addr);
18784 - /* pull free_area_cache down to the first hole */
18785 - if (mm->free_area_cache == vma->vm_end) {
18786 - mm->free_area_cache = vma->vm_start;
18787 - mm->cached_hole_size = largest_hole;
18789 + mm->cached_hole_size = largest_hole;
18790 + return (mm->free_area_cache = addr);
18792 + /* pull free_area_cache down to the first hole */
18793 + if (mm->free_area_cache == vma->vm_end) {
18794 + mm->free_area_cache = vma->vm_start;
18795 + mm->cached_hole_size = largest_hole;
18798 /* remember the largest hole we saw so far */
18799 if (addr + largest_hole < vma->vm_start)
18800 - largest_hole = vma->vm_start - addr;
18801 + largest_hole = vma->vm_start - addr;
18803 /* try just below the current vma->vm_start */
18804 addr = (vma->vm_start - len) & huge_page_mask(h);
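Review bot: After this hunk the two retained comments no longer describe the code beneath them. "Lookup failure means no vma is above this address" now sits above no test at all, and "new region fits between prev_vma->vm_end and vma->vm_start" names `prev_vma`, which the patch removes from the function. Since both cases are now folded into `check_heap_stack_gap(vma, addr, len)`, replace them with one comment such as `/* accept addr if no vma lies above it or the gap below vma->vm_start is large enough */`. That wording assumes the helper treats a NULL vma as success, as its use in the bottom-up search suggests. The function starts and ends outside this hunk.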
18805 @@ -363,22 +364,26 @@ try_again:
18809 - * if hint left us with no space for the requested
18810 - * mapping then try again:
18812 - if (first_time) {
18813 - mm->free_area_cache = base;
18814 - largest_hole = 0;
18819 * A failed mmap() very likely causes application failure,
18820 * so fall back to the bottom-up function here. This scenario
18821 * can happen with large stack limits and large mmap()
18824 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18826 +#ifdef CONFIG_PAX_SEGMEXEC
18827 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18828 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18832 + mm->mmap_base = TASK_UNMAPPED_BASE;
18834 +#ifdef CONFIG_PAX_RANDMMAP
18835 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18836 + mm->mmap_base += mm->delta_mmap;
18839 + mm->free_area_cache = mm->mmap_base;
18840 mm->cached_hole_size = ~0UL;
18841 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18842 len, pgoff, flags);
18843 @@ -386,6 +391,7 @@ fail:
18845 * Restore the topdown base:
18847 + mm->mmap_base = base;
18848 mm->free_area_cache = base;
18849 mm->cached_hole_size = ~0UL;
18851 @@ -399,10 +405,19 @@ hugetlb_get_unmapped_area(struct file *f
18852 struct hstate *h = hstate_file(file);
18853 struct mm_struct *mm = current->mm;
18854 struct vm_area_struct *vma;
18855 + unsigned long pax_task_size = TASK_SIZE;
18857 if (len & ~huge_page_mask(h))
18859 - if (len > TASK_SIZE)
18861 +#ifdef CONFIG_PAX_SEGMEXEC
18862 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18863 + pax_task_size = SEGMEXEC_TASK_SIZE;
18866 + pax_task_size -= PAGE_SIZE;
18868 + if (len > pax_task_size)
18871 if (flags & MAP_FIXED) {
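Review bot: The added `pax_task_size -= PAGE_SIZE;` shrinks the usable address limit by one page with no comment saying why, and the reduced value feeds both the `len > pax_task_size` check here and the hinted-address check in the next hunk. A one-line comment above it, for example `/* keep the topmost page below the task size limit unmapped */`, would record the intent; the wording should be confirmed against the actual reason, which these lines do not show. Some short lines of this hunk (the `#endif`, the return statements) are not visible on the page, and the function body continues outside the hunk.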
18872 @@ -414,8 +429,7 @@ hugetlb_get_unmapped_area(struct file *f
18874 addr = ALIGN(addr, huge_page_size(h));
18875 vma = find_vma(mm, addr);
18876 - if (TASK_SIZE - len >= addr &&
18877 - (!vma || addr + len <= vma->vm_start))
18878 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18881 if (mm->get_unmapped_area == arch_get_unmapped_area)
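Review bot: The old condition accepted a NULL `vma` explicitly (`!vma || addr + len <= vma->vm_start`), while the replacement passes `vma` straight into `check_heap_stack_gap(vma, addr, len)`, so the case where nothing is mapped above `addr` now depends entirely on that helper treating NULL as "fits". The helper is defined outside this file's diff, so this cannot be confirmed from here; if it dereferenced `vma` unconditionally, a hinted address above the last mapping would fault in the kernel. A comment at the call such as `/* check_heap_stack_gap() accepts vma == NULL */`, or keeping `!vma ||` in front of the call, would make the contract explicit.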
18882 diff -urNp linux-2.6.36.2/arch/x86/mm/init_32.c linux-2.6.36.2/arch/x86/mm/init_32.c
18883 --- linux-2.6.36.2/arch/x86/mm/init_32.c 2010-10-20 16:30:22.000000000 -0400
18884 +++ linux-2.6.36.2/arch/x86/mm/init_32.c 2010-12-09 20:24:55.000000000 -0500
18885 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
18889 - * Creates a middle page table and puts a pointer to it in the
18890 - * given global directory entry. This only returns the gd entry
18891 - * in non-PAE compilation mode, since the middle layer is folded.
18893 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18896 - pmd_t *pmd_table;
18898 -#ifdef CONFIG_X86_PAE
18899 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18900 - if (after_bootmem)
18901 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18903 - pmd_table = (pmd_t *)alloc_low_page();
18904 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18905 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18906 - pud = pud_offset(pgd, 0);
18907 - BUG_ON(pmd_table != pmd_offset(pud, 0));
18909 - return pmd_table;
18912 - pud = pud_offset(pgd, 0);
18913 - pmd_table = pmd_offset(pud, 0);
18915 - return pmd_table;
18919 * Create a page table and place a pointer to it in a middle page
18922 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
18923 page_table = (pte_t *)alloc_low_page();
18925 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18926 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18927 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18929 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18931 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18934 return pte_offset_kernel(pmd, 0);
18937 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18940 + pmd_t *pmd_table;
18942 + pud = pud_offset(pgd, 0);
18943 + pmd_table = pmd_offset(pud, 0);
18945 + return pmd_table;
18948 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18950 int pgd_idx = pgd_index(vaddr);
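Review bot: The re-added `one_md_table_init()` only walks `pud_offset()`/`pmd_offset()` and, unlike the PAE version removed earlier in this file, no longer allocates a PMD page when the PGD entry is not present. It therefore depends on every kernel PGD entry being populated before it runs, which nothing in this hunk states or checks; the later hunks in page_table_range_init() and kernel_physical_mapping_init() make the same assumption with their direct `pmd_offset()` calls. A comment on the function, e.g. `/* PGD entries are assumed to be populated already; nothing is allocated here */`, would document the precondition. Where the entries are set up is outside this hunk and should be confirmed.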
18951 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
18952 int pgd_idx, pmd_idx;
18953 unsigned long vaddr;
18959 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
18960 pgd = pgd_base + pgd_idx;
18962 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18963 - pmd = one_md_table_init(pgd);
18964 - pmd = pmd + pmd_index(vaddr);
18965 + pud = pud_offset(pgd, vaddr);
18966 + pmd = pmd_offset(pud, vaddr);
18968 +#ifdef CONFIG_X86_PAE
18969 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18972 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18973 pmd++, pmd_idx++) {
18974 pte = page_table_kmap_check(one_page_table_init(pmd),
18975 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
18979 -static inline int is_kernel_text(unsigned long addr)
18980 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18982 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
18985 + if ((start > ktla_ktva((unsigned long)_etext) ||
18986 + end <= ktla_ktva((unsigned long)_stext)) &&
18987 + (start > ktla_ktva((unsigned long)_einittext) ||
18988 + end <= ktla_ktva((unsigned long)_sinittext)) &&
18990 +#ifdef CONFIG_ACPI_SLEEP
18991 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18994 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
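Review bot: The range test in the new `is_kernel_text(start, end)` mixes boundary conventions: `end <= ktla_ktva((unsigned long)_stext)` treats `end` as exclusive, matching callers that pass `address + PMD_SIZE` and `address + PAGE_SIZE`, but `start > ktla_ktva((unsigned long)_etext)` treats `_etext` as still inside the text. If `_etext` marks the first byte after the text, a range that begins exactly there is still classified as kernel text and ends up with an executable protection; `start >= ktla_ktva((unsigned long)_etext)` would be the half-open form, and the same question applies to the `_einittext` term. If the inclusive comparison is deliberate, a comment should say so, and the literals `0x4000`, `0xc0000` and `0xfffff` deserve a word on which regions they describe. The return statements of the function are not visible on the page.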
19000 @@ -244,9 +244,10 @@ kernel_physical_mapping_init(unsigned lo
19001 unsigned long last_map_addr = end;
19002 unsigned long start_pfn, end_pfn;
19003 pgd_t *pgd_base = swapper_pg_dir;
19004 - int pgd_idx, pmd_idx, pte_ofs;
19005 + unsigned int pgd_idx, pmd_idx, pte_ofs;
19011 unsigned pages_2m, pages_4k;
19012 @@ -279,8 +280,13 @@ repeat:
19014 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
19015 pgd = pgd_base + pgd_idx;
19016 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
19017 - pmd = one_md_table_init(pgd);
19018 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
19019 + pud = pud_offset(pgd, 0);
19020 + pmd = pmd_offset(pud, 0);
19022 +#ifdef CONFIG_X86_PAE
19023 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
19026 if (pfn >= end_pfn)
19028 @@ -292,14 +298,13 @@ repeat:
19030 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
19031 pmd++, pmd_idx++) {
19032 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
19033 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
19036 * Map with big pages if possible, otherwise
19037 * create normal page tables:
19040 - unsigned int addr2;
19041 pgprot_t prot = PAGE_KERNEL_LARGE;
19043 * first pass will use the same initial
19044 @@ -309,11 +314,7 @@ repeat:
19045 __pgprot(PTE_IDENT_ATTR |
19048 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
19049 - PAGE_OFFSET + PAGE_SIZE-1;
19051 - if (is_kernel_text(addr) ||
19052 - is_kernel_text(addr2))
19053 + if (is_kernel_text(address, address + PMD_SIZE))
19054 prot = PAGE_KERNEL_LARGE_EXEC;
19057 @@ -330,7 +331,7 @@ repeat:
19058 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
19060 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
19061 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
19062 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
19063 pgprot_t prot = PAGE_KERNEL;
19065 * first pass will use the same initial
19066 @@ -338,7 +339,7 @@ repeat:
19068 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
19070 - if (is_kernel_text(addr))
19071 + if (is_kernel_text(address, address + PAGE_SIZE))
19072 prot = PAGE_KERNEL_EXEC;
19075 @@ -491,7 +492,7 @@ void __init native_pagetable_setup_start
19077 pud = pud_offset(pgd, va);
19078 pmd = pmd_offset(pud, va);
19079 - if (!pmd_present(*pmd))
19080 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
19083 pte = pte_offset_kernel(pmd, va);
19084 @@ -543,9 +544,7 @@ void __init early_ioremap_page_table_ran
19086 static void __init pagetable_init(void)
19088 - pgd_t *pgd_base = swapper_pg_dir;
19090 - permanent_kmaps_init(pgd_base);
19091 + permanent_kmaps_init(swapper_pg_dir);
19094 #ifdef CONFIG_ACPI_SLEEP
19095 @@ -553,12 +552,12 @@ static void __init pagetable_init(void)
19096 * ACPI suspend needs this for resume, because things like the intel-agp
19097 * driver might have split up a kernel 4MB mapping.
19099 -char swsusp_pg_dir[PAGE_SIZE]
19100 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
19101 __attribute__ ((aligned(PAGE_SIZE)));
19103 static inline void save_pg_dir(void)
19105 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
19106 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
19108 #else /* !CONFIG_ACPI_SLEEP */
19109 static inline void save_pg_dir(void)
19110 @@ -590,7 +589,7 @@ void zap_low_mappings(bool early)
19114 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
19115 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
19116 EXPORT_SYMBOL_GPL(__supported_pte_mask);
19118 /* user-defined highmem size */
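Review bot: Placing `__supported_pte_mask` in `__read_only` leaves no indication at the definition of how the mask can still be changed after boot-time feature detection. It starts with `_PAGE_NX` cleared here (and, after this patch, in arch/x86/mm/init_64.c as well), and many added lines compute `_PAGE_NX & __supported_pte_mask`, so NX is applied only if some code sets the bit later. A comment such as `/* updated only before read-only data is enforced, or under pax_open_kernel() */` would state the rule; which of the two holds is decided outside this hunk and needs confirming.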
19119 @@ -781,7 +780,7 @@ void __init setup_bootmem_allocator(void
19120 * Initialize the boot-time allocator (with low memory only):
19122 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
19123 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
19124 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
19126 if (bootmap == -1L)
19127 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
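Review bot: The new lower bound `0x100000` for `find_e820_area()` is a bare literal, and the same value is assigned to `start` in find_early_table_space() in arch/x86/mm/init.c later in this patch. It is the 1 MiB boundary, which `ISA_END_ADDRESS` (used in the devmem_is_allowed() hunk) also denotes, so using that constant where its header is available, or adding a comment like `/* never place the bootmem map in the first 1 MiB */`, would make the intent searchable. The enclosing function continues outside the hunk.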
19128 @@ -871,6 +870,12 @@ void __init mem_init(void)
19132 +#ifdef CONFIG_PAX_PER_CPU_PGD
19133 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
19134 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
19135 + KERNEL_PGD_PTRS);
19138 #ifdef CONFIG_FLATMEM
19141 @@ -888,7 +893,7 @@ void __init mem_init(void)
19142 set_highmem_pages_init();
19144 codesize = (unsigned long) &_etext - (unsigned long) &_text;
19145 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
19146 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
19147 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
19149 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
19150 @@ -929,10 +934,10 @@ void __init mem_init(void)
19151 ((unsigned long)&__init_end -
19152 (unsigned long)&__init_begin) >> 10,
19154 - (unsigned long)&_etext, (unsigned long)&_edata,
19155 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
19156 + (unsigned long)&_sdata, (unsigned long)&_edata,
19157 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
19159 - (unsigned long)&_text, (unsigned long)&_etext,
19160 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
19161 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
19164 @@ -1013,6 +1018,7 @@ void set_kernel_text_rw(void)
19165 if (!kernel_set_to_readonly)
19168 + start = ktla_ktva(start);
19169 pr_debug("Set kernel text: %lx - %lx for read write\n",
19170 start, start+size);
19172 @@ -1027,6 +1033,7 @@ void set_kernel_text_ro(void)
19173 if (!kernel_set_to_readonly)
19176 + start = ktla_ktva(start);
19177 pr_debug("Set kernel text: %lx - %lx for read only\n",
19178 start, start+size);
19180 @@ -1038,6 +1045,7 @@ void mark_rodata_ro(void)
19181 unsigned long start = PFN_ALIGN(_text);
19182 unsigned long size = PFN_ALIGN(_etext) - start;
19184 + start = ktla_ktva(start);
19185 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
19186 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
19188 diff -urNp linux-2.6.36.2/arch/x86/mm/init_64.c linux-2.6.36.2/arch/x86/mm/init_64.c
19189 --- linux-2.6.36.2/arch/x86/mm/init_64.c 2010-10-20 16:30:22.000000000 -0400
19190 +++ linux-2.6.36.2/arch/x86/mm/init_64.c 2010-12-09 20:24:55.000000000 -0500
19192 #include <asm/numa.h>
19193 #include <asm/cacheflush.h>
19194 #include <asm/init.h>
19195 -#include <linux/bootmem.h>
19197 static unsigned long dma_reserve __initdata;
19199 @@ -74,7 +73,7 @@ early_param("gbpages", parse_direct_gbpa
19200 * around without checking the pgd every time.
19203 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
19204 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
19205 EXPORT_SYMBOL_GPL(__supported_pte_mask);
19207 int force_personality32;
19208 @@ -165,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
19209 pmd = fill_pmd(pud, vaddr);
19210 pte = fill_pte(pmd, vaddr);
19212 + pax_open_kernel();
19213 set_pte(pte, new_pte);
19214 + pax_close_kernel();
19217 * It's enough to flush this one mapping.
19218 @@ -224,14 +225,12 @@ static void __init __init_extra_mapping(
19219 pgd = pgd_offset_k((unsigned long)__va(phys));
19220 if (pgd_none(*pgd)) {
19221 pud = (pud_t *) spp_getpage();
19222 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
19224 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
19226 pud = pud_offset(pgd, (unsigned long)__va(phys));
19227 if (pud_none(*pud)) {
19228 pmd = (pmd_t *) spp_getpage();
19229 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
19231 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
19233 pmd = pmd_offset(pud, phys);
19234 BUG_ON(!pmd_none(*pmd));
19235 @@ -680,6 +679,12 @@ void __init mem_init(void)
19239 +#ifdef CONFIG_PAX_PER_CPU_PGD
19240 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
19241 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
19242 + KERNEL_PGD_PTRS);
19245 /* clear_bss() already clear the empty_zero_page */
19248 @@ -886,8 +891,8 @@ int kern_addr_valid(unsigned long addr)
19249 static struct vm_area_struct gate_vma = {
19250 .vm_start = VSYSCALL_START,
19251 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
19252 - .vm_page_prot = PAGE_READONLY_EXEC,
19253 - .vm_flags = VM_READ | VM_EXEC
19254 + .vm_page_prot = PAGE_READONLY,
19255 + .vm_flags = VM_READ
19258 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
19259 @@ -921,7 +926,7 @@ int in_gate_area_no_task(unsigned long a
19261 const char *arch_vma_name(struct vm_area_struct *vma)
19263 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
19264 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
19266 if (vma == &gate_vma)
19267 return "[vsyscall]";
19268 diff -urNp linux-2.6.36.2/arch/x86/mm/init.c linux-2.6.36.2/arch/x86/mm/init.c
19269 --- linux-2.6.36.2/arch/x86/mm/init.c 2010-10-20 16:30:22.000000000 -0400
19270 +++ linux-2.6.36.2/arch/x86/mm/init.c 2010-12-09 20:24:55.000000000 -0500
19271 @@ -70,11 +70,7 @@ static void __init find_early_table_spac
19272 * cause a hotspot and fill up ZONE_DMA. The page tables
19273 * need roughly 0.5KB per GB.
19275 -#ifdef CONFIG_X86_32
19280 + start = 0x100000;
19281 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
19282 tables, PAGE_SIZE);
19283 if (e820_table_start == -1UL)
19284 @@ -321,7 +317,13 @@ unsigned long __init_refok init_memory_m
19286 int devmem_is_allowed(unsigned long pagenr)
19288 - if (pagenr <= 256)
19291 +#ifdef CONFIG_VM86
19292 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
19295 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
19297 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
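Review bot: The /dev/mem page policy now differs by configuration, and nothing in the hunk documents that: pages below `ISA_START_ADDRESS` are matched only under `CONFIG_VM86`, while the ISA range is matched unconditionally. A comment in the function along the lines of `/* low memory is exposed only for vm86 users; the ISA range is always accessible */` would help, and any existing comment above `devmem_is_allowed()` (outside this hunk) should be checked against the new rule. The `return` lines that follow each test are not visible on the page, so the allow/deny result of each branch is inferred.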
19299 @@ -380,6 +382,86 @@ void free_init_pages(char *what, unsigne
19301 void free_initmem(void)
19304 +#ifdef CONFIG_PAX_KERNEXEC
19305 +#ifdef CONFIG_X86_32
19306 + /* PaX: limit KERNEL_CS to actual size */
19307 + unsigned long addr, limit;
19308 + struct desc_struct d;
19311 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
19312 + limit = (limit - 1UL) >> PAGE_SHIFT;
19314 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
19315 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19316 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
19317 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
19320 + /* PaX: make KERNEL_CS read-only */
19321 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
19322 + if (!paravirt_enabled())
19323 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
19325 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
19326 + pgd = pgd_offset_k(addr);
19327 + pud = pud_offset(pgd, addr);
19328 + pmd = pmd_offset(pud, addr);
19329 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
19332 +#ifdef CONFIG_X86_PAE
19333 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
19335 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
19336 + pgd = pgd_offset_k(addr);
19337 + pud = pud_offset(pgd, addr);
19338 + pmd = pmd_offset(pud, addr);
19339 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
19344 +#ifdef CONFIG_MODULES
19345 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
19352 + unsigned long addr, end;
19354 + /* PaX: make kernel code/rodata read-only, rest non-executable */
19355 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
19356 + pgd = pgd_offset_k(addr);
19357 + pud = pud_offset(pgd, addr);
19358 + pmd = pmd_offset(pud, addr);
19359 + if (!pmd_present(*pmd))
19361 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
19362 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
19364 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
19367 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
19368 + end = addr + KERNEL_IMAGE_SIZE;
19369 + for (; addr < end; addr += PMD_SIZE) {
19370 + pgd = pgd_offset_k(addr);
19371 + pud = pud_offset(pgd, addr);
19372 + pmd = pmd_offset(pud, addr);
19373 + if (!pmd_present(*pmd))
19375 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
19376 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
19383 free_init_pages("unused kernel memory",
19384 (unsigned long)(&__init_begin),
19385 (unsigned long)(&__init_end));
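Review bot: The PMD-granular loops advance `addr` by `PMD_SIZE` from a start that is not rounded down (`ktla_ktva((unsigned long)&_text)`, `(unsigned long)&__init_begin`), so they visit every PMD overlapping the range only when the start is PMD-aligned; with an unaligned start the last PMD before `_sdata` or `__init_end` can be skipped and keep `_PAGE_RW` or stay executable. If the alignment is guaranteed by the kernel layout under this option, it should be stated or asserted next to the loop, e.g. `BUG_ON(addr & ~PMD_MASK);` before the first iteration. The `0x9B` and `0xC` arguments to `pack_descriptor()` also need a comment naming the access byte and flags they encode. Several short lines of this hunk (`#else`, `#endif`, braces) are missing from the page, so which configuration each loop belongs to should be confirmed against the full patch.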
19386 diff -urNp linux-2.6.36.2/arch/x86/mm/iomap_32.c linux-2.6.36.2/arch/x86/mm/iomap_32.c
19387 --- linux-2.6.36.2/arch/x86/mm/iomap_32.c 2010-10-20 16:30:22.000000000 -0400
19388 +++ linux-2.6.36.2/arch/x86/mm/iomap_32.c 2010-12-09 20:24:55.000000000 -0500
19389 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
19390 debug_kmap_atomic(type);
19391 idx = type + KM_TYPE_NR * smp_processor_id();
19392 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
19394 + pax_open_kernel();
19395 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
19396 + pax_close_kernel();
19398 arch_flush_lazy_mmu_mode();
19400 return (void *)vaddr;
19401 diff -urNp linux-2.6.36.2/arch/x86/mm/ioremap.c linux-2.6.36.2/arch/x86/mm/ioremap.c
19402 --- linux-2.6.36.2/arch/x86/mm/ioremap.c 2010-10-20 16:30:22.000000000 -0400
19403 +++ linux-2.6.36.2/arch/x86/mm/ioremap.c 2010-12-09 20:24:55.000000000 -0500
19404 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
19405 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
19406 int is_ram = page_is_ram(pfn);
19408 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
19409 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
19411 WARN_ON_ONCE(is_ram);
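Review bot: The added `pfn >= 0x100` term changes which RAM pages the loop rejects, and the literal is not explained: at or above that frame number a RAM page now matches whether or not it is `PageReserved`. With 4 KiB pages `0x100` is the 1 MiB boundary; writing it as `(ISA_END_ADDRESS >> PAGE_SHIFT)`, the form the devmem_is_allowed() hunk in this patch uses, or adding `/* above 1 MiB, never remap RAM, reserved or not */` would make the rule readable. Callers that relied on remapping reserved RAM above that boundary would be affected, which cannot be assessed from this hunk. The statement executed when the condition holds is not visible on the page.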
19413 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
19414 early_param("early_ioremap_debug", early_ioremap_debug_setup);
19416 static __initdata int after_paging_init;
19417 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
19418 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
19420 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
19422 @@ -376,8 +376,7 @@ void __init early_ioremap_init(void)
19423 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
19425 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
19426 - memset(bm_pte, 0, sizeof(bm_pte));
19427 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
19428 + pmd_populate_user(&init_mm, pmd, bm_pte);
19431 * The boot-ioremap range spans multiple pmds, for which
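Review bot: `pmd_populate_user()` is an unexpected choice for the PMD that backs the boot-time ioremap slots, since the call it replaces was `pmd_populate_kernel()` and no comment explains why a user-variant populate is needed for this table. Its definition is outside this hunk, so whether it sets the user bit on the entry should be confirmed and the reason recorded in a comment at the call. The dropped `memset(bm_pte, 0, sizeof(bm_pte))` is consistent with `bm_pte` becoming `__read_only` in the previous hunk, but it means the table relies on static zero-initialisation and on every later write to it happening while that data is still writable; a comment at the `bm_pte` definition should say so.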
19432 diff -urNp linux-2.6.36.2/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.36.2/arch/x86/mm/kmemcheck/kmemcheck.c
19433 --- linux-2.6.36.2/arch/x86/mm/kmemcheck/kmemcheck.c 2010-10-20 16:30:22.000000000 -0400
19434 +++ linux-2.6.36.2/arch/x86/mm/kmemcheck/kmemcheck.c 2010-12-09 20:24:55.000000000 -0500
19435 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
19436 * memory (e.g. tracked pages)? For now, we need this to avoid
19437 * invoking kmemcheck for PnP BIOS calls.
19439 - if (regs->flags & X86_VM_MASK)
19440 + if (v8086_mode(regs))
19442 - if (regs->cs != __KERNEL_CS)
19443 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
19446 pte = kmemcheck_pte_lookup(address);
19447 diff -urNp linux-2.6.36.2/arch/x86/mm/mmap.c linux-2.6.36.2/arch/x86/mm/mmap.c
19448 --- linux-2.6.36.2/arch/x86/mm/mmap.c 2010-10-20 16:30:22.000000000 -0400
19449 +++ linux-2.6.36.2/arch/x86/mm/mmap.c 2010-12-09 20:24:55.000000000 -0500
19450 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
19451 * Leave an at least ~128 MB hole with possible stack randomization.
19453 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
19454 -#define MAX_GAP (TASK_SIZE/6*5)
19455 +#define MAX_GAP (pax_task_size/6*5)
19458 * True on X86_32 or when emulating IA32 on X86_64
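Review bot: `MAX_GAP` now expands to an expression over `pax_task_size`, which is not a global but a local declared in `mmap_base()` in the next hunk, so the macro only compiles where a variable of that name happens to be in scope. Passing the size explicitly removes the hidden capture: `#define MAX_GAP(size) ((size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))` at the use. `MIN_GAP` just above has no such dependency, so the two macros would then read consistently.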
19459 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
19460 return rnd << PAGE_SHIFT;
19463 -static unsigned long mmap_base(void)
19464 +static unsigned long mmap_base(struct mm_struct *mm)
19466 unsigned long gap = rlimit(RLIMIT_STACK);
19467 + unsigned long pax_task_size = TASK_SIZE;
19469 +#ifdef CONFIG_PAX_SEGMEXEC
19470 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
19471 + pax_task_size = SEGMEXEC_TASK_SIZE;
19476 else if (gap > MAX_GAP)
19479 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
19480 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
19484 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
19485 * does, but not when emulating X86_32
19487 -static unsigned long mmap_legacy_base(void)
19488 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
19490 - if (mmap_is_ia32())
19491 + if (mmap_is_ia32()) {
19493 +#ifdef CONFIG_PAX_SEGMEXEC
19494 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
19495 + return SEGMEXEC_TASK_UNMAPPED_BASE;
19499 return TASK_UNMAPPED_BASE;
19502 return TASK_UNMAPPED_BASE + mmap_rnd();
19505 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
19506 void arch_pick_mmap_layout(struct mm_struct *mm)
19508 if (mmap_is_legacy()) {
19509 - mm->mmap_base = mmap_legacy_base();
19510 + mm->mmap_base = mmap_legacy_base(mm);
19512 +#ifdef CONFIG_PAX_RANDMMAP
19513 + if (mm->pax_flags & MF_PAX_RANDMMAP)
19514 + mm->mmap_base += mm->delta_mmap;
19517 mm->get_unmapped_area = arch_get_unmapped_area;
19518 mm->unmap_area = arch_unmap_area;
19520 - mm->mmap_base = mmap_base();
19521 + mm->mmap_base = mmap_base(mm);
19523 +#ifdef CONFIG_PAX_RANDMMAP
19524 + if (mm->pax_flags & MF_PAX_RANDMMAP)
19525 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
19528 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
19529 mm->unmap_area = arch_unmap_area_topdown;
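Review bot: In the top-down branch, `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` lowers the base after `mmap_base()` has already clamped the stack gap, and nothing bounds the result from below. The sizes of `delta_mmap` and `delta_stack` are set outside this hunk, so it should be confirmed that the subtraction cannot wrap or push the base under the lowest address the layout allows when the stack rlimit is at `MAX_GAP`. If the bound holds by construction, a comment stating the maximum of the two deltas relative to `pax_task_size/6` would document it.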
19531 diff -urNp linux-2.6.36.2/arch/x86/mm/numa_32.c linux-2.6.36.2/arch/x86/mm/numa_32.c
19532 --- linux-2.6.36.2/arch/x86/mm/numa_32.c 2010-10-20 16:30:22.000000000 -0400
19533 +++ linux-2.6.36.2/arch/x86/mm/numa_32.c 2010-12-09 20:24:55.000000000 -0500
19534 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
19538 -extern unsigned long find_max_low_pfn(void);
19539 extern unsigned long highend_pfn, highstart_pfn;
19541 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
19542 diff -urNp linux-2.6.36.2/arch/x86/mm/pageattr.c linux-2.6.36.2/arch/x86/mm/pageattr.c
19543 --- linux-2.6.36.2/arch/x86/mm/pageattr.c 2010-10-20 16:30:22.000000000 -0400
19544 +++ linux-2.6.36.2/arch/x86/mm/pageattr.c 2010-12-09 20:24:55.000000000 -0500
19545 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
19546 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
19548 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
19549 - pgprot_val(forbidden) |= _PAGE_NX;
19550 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19553 * The kernel text needs to be executable for obvious reasons
19554 * Does not cover __inittext since that is gone later on. On
19555 * 64bit we do not enforce !NX on the low mapping
19557 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
19558 - pgprot_val(forbidden) |= _PAGE_NX;
19559 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
19560 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19562 +#ifdef CONFIG_DEBUG_RODATA
19564 * The .rodata section needs to be read-only. Using the pfn
19565 * catches all aliases.
19566 @@ -278,6 +279,7 @@ static inline pgprot_t static_protection
19567 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
19568 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
19569 pgprot_val(forbidden) |= _PAGE_RW;
19572 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
19574 @@ -316,6 +318,13 @@ static inline pgprot_t static_protection
19578 +#ifdef CONFIG_PAX_KERNEXEC
19579 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
19580 + pgprot_val(forbidden) |= _PAGE_RW;
19581 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19585 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
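Review bot: In the `CONFIG_PAX_KERNEXEC` block, `within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))` compares a page frame number with physical byte addresses, whereas the `.rodata` test just above shifts both bounds with `>> PAGE_SHIFT`. As written the range lies far above the frames that actually hold the kernel image, so aliases of the kernel text would not get `_PAGE_RW` forbidden by this check. The bounds should be `__pa((unsigned long)&_text) >> PAGE_SHIFT` and `__pa((unsigned long)&_sdata) >> PAGE_SHIFT`. The function starts and ends outside this hunk.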
19588 @@ -368,23 +377,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
19589 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
19591 /* change init_mm */
19592 + pax_open_kernel();
19593 set_pte_atomic(kpte, pte);
19595 #ifdef CONFIG_X86_32
19596 if (!SHARED_KERNEL_PMD) {
19598 +#ifdef CONFIG_PAX_PER_CPU_PGD
19599 + unsigned long cpu;
19604 +#ifdef CONFIG_PAX_PER_CPU_PGD
19605 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19606 + pgd_t *pgd = get_cpu_pgd(cpu);
19608 list_for_each_entry(page, &pgd_list, lru) {
19610 + pgd_t *pgd = (pgd_t *)page_address(page);
19616 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
19617 + pgd += pgd_index(address);
19618 pud = pud_offset(pgd, address);
19619 pmd = pmd_offset(pud, address);
19620 set_pte_atomic((pte_t *)pmd, pte);
19624 + pax_close_kernel();
19628 diff -urNp linux-2.6.36.2/arch/x86/mm/pageattr-test.c linux-2.6.36.2/arch/x86/mm/pageattr-test.c
19629 --- linux-2.6.36.2/arch/x86/mm/pageattr-test.c 2010-10-20 16:30:22.000000000 -0400
19630 +++ linux-2.6.36.2/arch/x86/mm/pageattr-test.c 2010-12-09 20:24:55.000000000 -0500
19631 @@ -36,7 +36,7 @@ enum {
19633 static int pte_testbit(pte_t pte)
19635 - return pte_flags(pte) & _PAGE_UNUSED1;
19636 + return pte_flags(pte) & _PAGE_CPA_TEST;
19639 struct split_state {
19640 diff -urNp linux-2.6.36.2/arch/x86/mm/pat.c linux-2.6.36.2/arch/x86/mm/pat.c
19641 --- linux-2.6.36.2/arch/x86/mm/pat.c 2010-10-20 16:30:22.000000000 -0400
19642 +++ linux-2.6.36.2/arch/x86/mm/pat.c 2010-12-09 20:24:55.000000000 -0500
19643 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
19646 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
19647 - current->comm, current->pid, start, end);
19648 + current->comm, task_pid_nr(current), start, end);
19652 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
19653 while (cursor < to) {
19654 if (!devmem_is_allowed(pfn)) {
19656 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
19657 - current->comm, from, to);
19658 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
19659 + current->comm, from, to, cursor);
19662 cursor += PAGE_SIZE;
19663 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
19665 "%s:%d ioremap_change_attr failed %s "
19667 - current->comm, current->pid,
19668 + current->comm, task_pid_nr(current),
19670 base, (unsigned long long)(base + size));
19672 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
19673 if (want_flags != flags) {
19674 printk(KERN_WARNING
19675 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
19676 - current->comm, current->pid,
19677 + current->comm, task_pid_nr(current),
19678 cattr_name(want_flags),
19679 (unsigned long long)paddr,
19680 (unsigned long long)(paddr + size),
19681 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
19682 free_memtype(paddr, paddr + size);
19683 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
19684 " for %Lx-%Lx, got %s\n",
19685 - current->comm, current->pid,
19686 + current->comm, task_pid_nr(current),
19687 cattr_name(want_flags),
19688 (unsigned long long)paddr,
19689 (unsigned long long)(paddr + size),
19690 diff -urNp linux-2.6.36.2/arch/x86/mm/pgtable_32.c linux-2.6.36.2/arch/x86/mm/pgtable_32.c
19691 --- linux-2.6.36.2/arch/x86/mm/pgtable_32.c 2010-10-20 16:30:22.000000000 -0400
19692 +++ linux-2.6.36.2/arch/x86/mm/pgtable_32.c 2010-12-09 20:24:55.000000000 -0500
19693 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
19696 pte = pte_offset_kernel(pmd, vaddr);
19698 + pax_open_kernel();
19699 if (pte_val(pteval))
19700 set_pte_at(&init_mm, vaddr, pte, pteval);
19702 pte_clear(&init_mm, vaddr, pte);
19703 + pax_close_kernel();
19706 * It's enough to flush this one mapping.
19707 diff -urNp linux-2.6.36.2/arch/x86/mm/pgtable.c linux-2.6.36.2/arch/x86/mm/pgtable.c
19708 --- linux-2.6.36.2/arch/x86/mm/pgtable.c 2010-10-20 16:30:22.000000000 -0400
19709 +++ linux-2.6.36.2/arch/x86/mm/pgtable.c 2010-12-09 20:24:55.000000000 -0500
19710 @@ -84,8 +84,58 @@ static inline void pgd_list_del(pgd_t *p
19711 list_del(&page->lru);
19714 -#define UNSHARED_PTRS_PER_PGD \
19715 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19716 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19717 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
19719 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19722 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
19726 +#ifdef CONFIG_PAX_PER_CPU_PGD
19727 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19731 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19732 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
19740 +#ifdef CONFIG_PAX_PER_CPU_PGD
19741 +static inline void pgd_ctor(pgd_t *pgd) {}
19742 +static inline void pgd_dtor(pgd_t *pgd) {}
19743 +#ifdef CONFIG_X86_64
19744 +#define pxd_t pud_t
19745 +#define pyd_t pgd_t
19746 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
19747 +#define pxd_free(mm, pud) pud_free((mm), (pud))
19748 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
19749 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
19750 +#define PYD_SIZE PGDIR_SIZE
19752 +#define pxd_t pmd_t
19753 +#define pyd_t pud_t
19754 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19755 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
19756 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
19757 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19758 +#define PYD_SIZE PUD_SIZE
19761 +#define pxd_t pmd_t
19762 +#define pyd_t pud_t
19763 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19764 +#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
19765 +#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
19766 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19767 +#define PYD_SIZE PUD_SIZE
19769 static void pgd_ctor(pgd_t *pgd)
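Review bot: The level-neutral names `pxd_t` and `pyd_t` are introduced with `#define`, so the alias never appears in compiler diagnostics or debug info; `typedef pud_t pxd_t;` and `typedef pgd_t pyd_t;` (with the `pmd_t`/`pud_t` pair in the other branches) would express the same thing as real types. The second and third macro groups are identical apart from parameter names (`pxd_free(mm, pud)` versus `pxd_free(mm, pmd)`), so one shared group would keep them from drifting apart. The `#if`/`#else` lines separating the groups are not visible on the page.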
19771 @@ -120,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
19773 spin_unlock_irqrestore(&pgd_lock, flags);
19778 * List of all pgd's needed for non-PAE so it can invalidate entries
19779 @@ -132,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
19783 -#ifdef CONFIG_X86_PAE
19784 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19786 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19787 * updating the top-level pagetable entries to guarantee the
19788 @@ -144,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
19789 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19790 * and initialize the kernel pmds here.
19792 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
19793 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19795 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19797 @@ -163,36 +214,38 @@ void pud_populate(struct mm_struct *mm,
19798 if (mm == current->active_mm)
19799 write_cr3(read_cr3());
19801 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19802 +#define PREALLOCATED_PXDS USER_PGD_PTRS
19803 #else /* !CONFIG_X86_PAE */
19805 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19806 -#define PREALLOCATED_PMDS 0
19807 +#define PREALLOCATED_PXDS 0
19809 #endif /* CONFIG_X86_PAE */
19811 -static void free_pmds(pmd_t *pmds[])
19812 +static void free_pxds(pxd_t *pxds[])
19816 - for(i = 0; i < PREALLOCATED_PMDS; i++)
19818 - free_page((unsigned long)pmds[i]);
19819 + for(i = 0; i < PREALLOCATED_PXDS; i++)
19821 + free_page((unsigned long)pxds[i]);
19824 -static int preallocate_pmds(pmd_t *pmds[])
19825 +static int preallocate_pxds(pxd_t *pxds[])
19828 bool failed = false;
19830 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19831 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19833 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19834 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
19847 @@ -205,51 +258,56 @@ static int preallocate_pmds(pmd_t *pmds[
19848 * preallocate which never got a corresponding vma will need to be
19851 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19852 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19856 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19857 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19858 pgd_t pgd = pgdp[i];
19860 if (pgd_val(pgd) != 0) {
19861 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19862 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19864 - pgdp[i] = native_make_pgd(0);
19865 + set_pgd(pgdp + i, native_make_pgd(0));
19867 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19868 - pmd_free(mm, pmd);
19869 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19870 + pxd_free(mm, pxd);
19875 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19876 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19880 unsigned long addr;
19883 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19884 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19887 - pud = pud_offset(pgd, 0);
19888 +#ifdef CONFIG_X86_64
19889 + pyd = pyd_offset(mm, 0L);
19891 + pyd = pyd_offset(pgd, 0L);
19894 - for (addr = i = 0; i < PREALLOCATED_PMDS;
19895 - i++, pud++, addr += PUD_SIZE) {
19896 - pmd_t *pmd = pmds[i];
19897 + for (addr = i = 0; i < PREALLOCATED_PXDS;
19898 + i++, pyd++, addr += PYD_SIZE) {
19899 + pxd_t *pxd = pxds[i];
19901 if (i >= KERNEL_PGD_BOUNDARY)
19902 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19903 - sizeof(pmd_t) * PTRS_PER_PMD);
19904 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19905 + sizeof(pxd_t) * PTRS_PER_PMD);
19907 - pud_populate(mm, pud, pmd);
19908 + pyd_populate(mm, pyd, pxd);
19912 pgd_t *pgd_alloc(struct mm_struct *mm)
19915 - pmd_t *pmds[PREALLOCATED_PMDS];
19916 + pxd_t *pxds[PREALLOCATED_PXDS];
19918 unsigned long flags;
19920 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
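Review bot: `pxd_t *pxds[PREALLOCATED_PXDS];` in pgd_alloc() is a kernel-stack array, and with the new `CONFIG_X86_64 && CONFIG_PAX_PER_CPU_PGD` branch its size becomes `USER_PGD_PTRS` rather than the few entries PAE needs. The value of `USER_PGD_PTRS` is not visible here, but if it covers the user half of the PGD this is a few hundred pointers in one frame, so please confirm the stack usage or allocate the array dynamically. Separately, pgd_prepopulate_pxd() still copies `sizeof(pxd_t) * PTRS_PER_PMD` although the element type is now generic; a `PTRS_PER_PXD` define next to `PYD_SIZE` would keep the count tied to the type. pgd_alloc() continues outside this hunk.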
19921 @@ -259,11 +317,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19925 - if (preallocate_pmds(pmds) != 0)
19926 + if (preallocate_pxds(pxds) != 0)
19929 if (paravirt_pgd_alloc(mm) != 0)
19930 - goto out_free_pmds;
19931 + goto out_free_pxds;
19934 * Make sure that pre-populating the pmds is atomic with
19935 @@ -273,14 +331,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19936 spin_lock_irqsave(&pgd_lock, flags);
19939 - pgd_prepopulate_pmd(mm, pgd, pmds);
19940 + pgd_prepopulate_pxd(mm, pgd, pxds);
19942 spin_unlock_irqrestore(&pgd_lock, flags);
19951 free_page((unsigned long)pgd);
19953 @@ -289,7 +347,7 @@ out:
19955 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19957 - pgd_mop_up_pmds(mm, pgd);
19958 + pgd_mop_up_pxds(mm, pgd);
19960 paravirt_pgd_free(mm, pgd);
19961 free_page((unsigned long)pgd);
19962 diff -urNp linux-2.6.36.2/arch/x86/mm/setup_nx.c linux-2.6.36.2/arch/x86/mm/setup_nx.c
19963 --- linux-2.6.36.2/arch/x86/mm/setup_nx.c 2010-10-20 16:30:22.000000000 -0400
19964 +++ linux-2.6.36.2/arch/x86/mm/setup_nx.c 2010-12-09 20:24:55.000000000 -0500
19966 #include <asm/pgtable.h>
19967 #include <asm/proto.h>
19969 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19970 static int disable_nx __cpuinitdata;
19972 +#ifndef CONFIG_PAX_PAGEEXEC
19976 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19979 early_param("noexec", noexec_setup);
19984 void __cpuinit x86_configure_nx(void)
19986 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19987 if (cpu_has_nx && !disable_nx)
19988 __supported_pte_mask |= _PAGE_NX;
19991 __supported_pte_mask &= ~_PAGE_NX;
19994 diff -urNp linux-2.6.36.2/arch/x86/mm/tlb.c linux-2.6.36.2/arch/x86/mm/tlb.c
19995 --- linux-2.6.36.2/arch/x86/mm/tlb.c 2010-10-20 16:30:22.000000000 -0400
19996 +++ linux-2.6.36.2/arch/x86/mm/tlb.c 2010-12-09 20:24:55.000000000 -0500
19998 #include <asm/uv/uv.h>
20000 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
20001 - = { &init_mm, 0, };
20002 + = { &init_mm, 0 };
20005 * Smarter SMP flushing macros.
20006 @@ -62,7 +62,11 @@ void leave_mm(int cpu)
20008 cpumask_clear_cpu(cpu,
20009 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
20011 +#ifndef CONFIG_PAX_PER_CPU_PGD
20012 load_cr3(swapper_pg_dir);
20016 EXPORT_SYMBOL_GPL(leave_mm);
20018 diff -urNp linux-2.6.36.2/arch/x86/oprofile/backtrace.c linux-2.6.36.2/arch/x86/oprofile/backtrace.c
20019 --- linux-2.6.36.2/arch/x86/oprofile/backtrace.c 2010-10-20 16:30:22.000000000 -0400
20020 +++ linux-2.6.36.2/arch/x86/oprofile/backtrace.c 2010-12-09 20:24:54.000000000 -0500
20021 @@ -58,7 +58,7 @@ static struct frame_head *dump_user_back
20022 struct frame_head bufhead[2];
20024 /* Also check accessibility of one struct frame_head beyond */
20025 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
20026 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
20028 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
20030 @@ -78,7 +78,7 @@ x86_backtrace(struct pt_regs * const reg
20032 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
20034 - if (!user_mode_vm(regs)) {
20035 + if (!user_mode(regs)) {
20036 unsigned long stack = kernel_stack_pointer(regs);
20038 dump_trace(NULL, regs, (unsigned long *)stack, 0,
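Review bot: `if (!user_mode(regs))` replaces `user_mode_vm(regs)`, and in the stock 32-bit headers `user_mode()` does not account for vm86 mode. A vm86 sample could therefore be treated as a kernel frame and passed to `dump_trace()`, unless this patch redefines `user_mode()` elsewhere, which is not visible in this hunk. A one-line comment such as `/* user_mode() covers vm86 in this tree */` would make that dependency explicit. The previous hunk in this file switches to `__access_ok()` without saying why the plain `access_ok()` is unsuitable in this path, and a short comment there would help as well. x86_backtrace() continues outside the hunk.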
20039 diff -urNp linux-2.6.36.2/arch/x86/oprofile/op_model_p4.c linux-2.6.36.2/arch/x86/oprofile/op_model_p4.c
20040 --- linux-2.6.36.2/arch/x86/oprofile/op_model_p4.c 2010-10-20 16:30:22.000000000 -0400
20041 +++ linux-2.6.36.2/arch/x86/oprofile/op_model_p4.c 2010-12-09 20:24:54.000000000 -0500
20042 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
20046 -static int inline addr_increment(void)
20047 +static inline int addr_increment(void)
20050 return smp_num_siblings == 2 ? 2 : 1;
20051 diff -urNp linux-2.6.36.2/arch/x86/pci/common.c linux-2.6.36.2/arch/x86/pci/common.c
20052 --- linux-2.6.36.2/arch/x86/pci/common.c 2010-10-20 16:30:22.000000000 -0400
20053 +++ linux-2.6.36.2/arch/x86/pci/common.c 2010-12-09 20:24:54.000000000 -0500
20054 @@ -32,8 +32,8 @@ int noioapicreroute = 1;
20055 int pcibios_last_bus = -1;
20056 unsigned long pirq_table_addr;
20057 struct pci_bus *pci_root_bus;
20058 -struct pci_raw_ops *raw_pci_ops;
20059 -struct pci_raw_ops *raw_pci_ext_ops;
20060 +const struct pci_raw_ops *raw_pci_ops;
20061 +const struct pci_raw_ops *raw_pci_ext_ops;
20063 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
20064 int reg, int len, u32 *val)
20065 @@ -382,7 +382,7 @@ static const struct dmi_system_id __devi
20066 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
20070 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
20073 void __init dmi_check_pciprobe(void)
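Review bot: The new table terminator `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}` is a positional initializer, so it silently depends on the field order and count of `struct dmi_system_id`. If the aim is to avoid missing-initializer warnings, a designated form such as `{ .ident = NULL }` would stay correct if the struct is ever reordered or extended. The same terminator is added to two tables in arch/x86/pci/fixup.c and one in arch/x86/pci/irq.c, so the same applies there.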
20074 diff -urNp linux-2.6.36.2/arch/x86/pci/direct.c linux-2.6.36.2/arch/x86/pci/direct.c
20075 --- linux-2.6.36.2/arch/x86/pci/direct.c 2010-10-20 16:30:22.000000000 -0400
20076 +++ linux-2.6.36.2/arch/x86/pci/direct.c 2010-12-09 20:24:54.000000000 -0500
20077 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
20079 #undef PCI_CONF1_ADDRESS
20081 -struct pci_raw_ops pci_direct_conf1 = {
20082 +const struct pci_raw_ops pci_direct_conf1 = {
20083 .read = pci_conf1_read,
20084 .write = pci_conf1_write,
20086 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
20088 #undef PCI_CONF2_ADDRESS
20090 -struct pci_raw_ops pci_direct_conf2 = {
20091 +const struct pci_raw_ops pci_direct_conf2 = {
20092 .read = pci_conf2_read,
20093 .write = pci_conf2_write,
20095 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
20096 * This should be close to trivial, but it isn't, because there are buggy
20097 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
20099 -static int __init pci_sanity_check(struct pci_raw_ops *o)
20100 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
20104 diff -urNp linux-2.6.36.2/arch/x86/pci/fixup.c linux-2.6.36.2/arch/x86/pci/fixup.c
20105 --- linux-2.6.36.2/arch/x86/pci/fixup.c 2010-10-20 16:30:22.000000000 -0400
20106 +++ linux-2.6.36.2/arch/x86/pci/fixup.c 2010-12-09 20:24:54.000000000 -0500
20107 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
20108 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
20112 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
20116 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
20117 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
20121 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
20124 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
20125 diff -urNp linux-2.6.36.2/arch/x86/pci/irq.c linux-2.6.36.2/arch/x86/pci/irq.c
20126 --- linux-2.6.36.2/arch/x86/pci/irq.c 2010-10-20 16:30:22.000000000 -0400
20127 +++ linux-2.6.36.2/arch/x86/pci/irq.c 2010-12-09 20:24:54.000000000 -0500
20128 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
20129 static struct pci_device_id __initdata pirq_440gx[] = {
20130 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
20131 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
20133 + { PCI_DEVICE(0, 0) }
20136 /* 440GX has a proprietary PIRQ router -- don't use it */
20137 @@ -1113,7 +1113,7 @@ static struct dmi_system_id __initdata p
20138 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
20142 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
20145 void __init pcibios_irq_init(void)
20146 diff -urNp linux-2.6.36.2/arch/x86/pci/mmconfig_32.c linux-2.6.36.2/arch/x86/pci/mmconfig_32.c
20147 --- linux-2.6.36.2/arch/x86/pci/mmconfig_32.c 2010-10-20 16:30:22.000000000 -0400
20148 +++ linux-2.6.36.2/arch/x86/pci/mmconfig_32.c 2010-12-09 20:24:54.000000000 -0500
20149 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
20153 -static struct pci_raw_ops pci_mmcfg = {
20154 +static const struct pci_raw_ops pci_mmcfg = {
20155 .read = pci_mmcfg_read,
20156 .write = pci_mmcfg_write,
20158 diff -urNp linux-2.6.36.2/arch/x86/pci/mmconfig_64.c linux-2.6.36.2/arch/x86/pci/mmconfig_64.c
20159 --- linux-2.6.36.2/arch/x86/pci/mmconfig_64.c 2010-10-20 16:30:22.000000000 -0400
20160 +++ linux-2.6.36.2/arch/x86/pci/mmconfig_64.c 2010-12-09 20:24:54.000000000 -0500
20161 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
20165 -static struct pci_raw_ops pci_mmcfg = {
20166 +static const struct pci_raw_ops pci_mmcfg = {
20167 .read = pci_mmcfg_read,
20168 .write = pci_mmcfg_write,
20170 diff -urNp linux-2.6.36.2/arch/x86/pci/numaq_32.c linux-2.6.36.2/arch/x86/pci/numaq_32.c
20171 --- linux-2.6.36.2/arch/x86/pci/numaq_32.c 2010-10-20 16:30:22.000000000 -0400
20172 +++ linux-2.6.36.2/arch/x86/pci/numaq_32.c 2010-12-09 20:24:54.000000000 -0500
20173 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
20175 #undef PCI_CONF1_MQ_ADDRESS
20177 -static struct pci_raw_ops pci_direct_conf1_mq = {
20178 +static const struct pci_raw_ops pci_direct_conf1_mq = {
20179 .read = pci_conf1_mq_read,
20180 .write = pci_conf1_mq_write
20182 diff -urNp linux-2.6.36.2/arch/x86/pci/olpc.c linux-2.6.36.2/arch/x86/pci/olpc.c
20183 --- linux-2.6.36.2/arch/x86/pci/olpc.c 2010-10-20 16:30:22.000000000 -0400
20184 +++ linux-2.6.36.2/arch/x86/pci/olpc.c 2010-12-09 20:24:54.000000000 -0500
20185 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
20189 -static struct pci_raw_ops pci_olpc_conf = {
20190 +static const struct pci_raw_ops pci_olpc_conf = {
20191 .read = pci_olpc_read,
20192 .write = pci_olpc_write,
20194 diff -urNp linux-2.6.36.2/arch/x86/pci/pcbios.c linux-2.6.36.2/arch/x86/pci/pcbios.c
20195 --- linux-2.6.36.2/arch/x86/pci/pcbios.c 2010-10-20 16:30:22.000000000 -0400
20196 +++ linux-2.6.36.2/arch/x86/pci/pcbios.c 2010-12-09 20:24:54.000000000 -0500
20197 @@ -57,50 +57,93 @@ union bios32 {
20199 unsigned long address;
20200 unsigned short segment;
20201 -} bios32_indirect = { 0, __KERNEL_CS };
20202 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
20205 * Returns the entry point for the given service, NULL on error
20208 -static unsigned long bios32_service(unsigned long service)
20209 +static unsigned long __devinit bios32_service(unsigned long service)
20211 unsigned char return_code; /* %al */
20212 unsigned long address; /* %ebx */
20213 unsigned long length; /* %ecx */
20214 unsigned long entry; /* %edx */
20215 unsigned long flags;
20216 + struct desc_struct d, *gdt;
20218 local_irq_save(flags);
20219 - __asm__("lcall *(%%edi); cld"
20221 + gdt = get_cpu_gdt_table(smp_processor_id());
20223 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
20224 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
20225 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
20226 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
20228 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
20229 : "=a" (return_code),
20235 - "D" (&bios32_indirect));
20236 + "D" (&bios32_indirect),
20237 + "r"(__PCIBIOS_DS)
20240 + pax_open_kernel();
20241 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
20242 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
20243 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
20244 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
20245 + pax_close_kernel();
20247 local_irq_restore(flags);
20249 switch (return_code) {
20251 - return address + entry;
20252 - case 0x80: /* Not present */
20253 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
20255 - default: /* Shouldn't happen */
20256 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
20257 - service, return_code);
20260 + unsigned char flags;
20262 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
20263 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
20264 + printk(KERN_WARNING "bios32_service: not valid\n");
20267 + address = address + PAGE_OFFSET;
20268 + length += 16UL; /* some BIOSs underreport this... */
20270 + if (length >= 64*1024*1024) {
20271 + length >>= PAGE_SHIFT;
20275 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
20276 + gdt = get_cpu_gdt_table(cpu);
20277 + pack_descriptor(&d, address, length, 0x9b, flags);
20278 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
20279 + pack_descriptor(&d, address, length, 0x93, flags);
20280 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
20284 + case 0x80: /* Not present */
20285 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
20287 + default: /* Shouldn't happen */
20288 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
20289 + service, return_code);
20295 unsigned long address;
20296 unsigned short segment;
20297 -} pci_indirect = { 0, __KERNEL_CS };
20298 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
20300 -static int pci_bios_present;
20301 +static int pci_bios_present __read_only;
20303 static int __devinit check_pcibios(void)
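Review bot: In the new `case 0` block of bios32_service() the test `length >= 64*1024*1024` can never be true, because the check just above rejects any `length` greater than `0x100000 - address` and only 16 is added afterwards, so the page-granular path is dead code. The `length += 16UL` also happens after that validation, so the limit written into every CPU's `GDT_ENTRY_PCIBIOS_CS` and `GDT_ENTRY_PCIBIOS_DS` descriptors can reach 16 bytes past the range that was checked. Clamping it before `address` is rebased, e.g. `length = min(length + 16UL, 0x100000UL - address);`, would keep the segment inside the validated window. The inner `unsigned char flags;` also shadows the function's `unsigned long flags` used with `local_irq_save()`, and renaming it (`unsigned char desc_flags;`) would avoid confusion.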
20305 @@ -109,11 +152,13 @@ static int __devinit check_pcibios(void)
20306 unsigned long flags, pcibios_entry;
20308 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
20309 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
20310 + pci_indirect.address = pcibios_entry;
20312 local_irq_save(flags);
20314 - "lcall *(%%edi); cld\n\t"
20315 + __asm__("movw %w6, %%ds\n\t"
20316 + "lcall *%%ss:(%%edi); cld\n\t"
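Review bot: `pci_indirect.address = pcibios_entry;` stores to an object that this patch marks `__read_only`, and unlike the GDT clears in bios32_service() the store is not bracketed by `pax_open_kernel()`/`pax_close_kernel()`. That is safe only if check_pcibios() always runs before read-only data is write-protected, and since the function is `__devinit` that ordering is an assumption worth recording. I would add a comment such as `/* runs before __read_only data is sealed */` above the assignment, or wrap the store the same way the GDT updates are wrapped. The function body continues outside this hunk.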
20322 @@ -122,7 +167,8 @@ static int __devinit check_pcibios(void)
20325 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
20326 - "D" (&pci_indirect)
20327 + "D" (&pci_indirect),
20328 + "r" (__PCIBIOS_DS)
20330 local_irq_restore(flags);
20332 @@ -166,7 +212,10 @@ static int pci_bios_read(unsigned int se
20336 - __asm__("lcall *(%%esi); cld\n\t"
20337 + __asm__("movw %w6, %%ds\n\t"
20338 + "lcall *%%ss:(%%esi); cld\n\t"
20344 @@ -175,7 +224,8 @@ static int pci_bios_read(unsigned int se
20345 : "1" (PCIBIOS_READ_CONFIG_BYTE),
20348 - "S" (&pci_indirect));
20349 + "S" (&pci_indirect),
20350 + "r" (__PCIBIOS_DS));
20352 * Zero-extend the result beyond 8 bits, do not trust the
20353 * BIOS having done it:
20354 @@ -183,7 +233,10 @@ static int pci_bios_read(unsigned int se
20358 - __asm__("lcall *(%%esi); cld\n\t"
20359 + __asm__("movw %w6, %%ds\n\t"
20360 + "lcall *%%ss:(%%esi); cld\n\t"
20366 @@ -192,7 +245,8 @@ static int pci_bios_read(unsigned int se
20367 : "1" (PCIBIOS_READ_CONFIG_WORD),
20370 - "S" (&pci_indirect));
20371 + "S" (&pci_indirect),
20372 + "r" (__PCIBIOS_DS));
20374 * Zero-extend the result beyond 16 bits, do not trust the
20375 * BIOS having done it:
20376 @@ -200,7 +254,10 @@ static int pci_bios_read(unsigned int se
20380 - __asm__("lcall *(%%esi); cld\n\t"
20381 + __asm__("movw %w6, %%ds\n\t"
20382 + "lcall *%%ss:(%%esi); cld\n\t"
20388 @@ -209,7 +266,8 @@ static int pci_bios_read(unsigned int se
20389 : "1" (PCIBIOS_READ_CONFIG_DWORD),
20392 - "S" (&pci_indirect));
20393 + "S" (&pci_indirect),
20394 + "r" (__PCIBIOS_DS));
20398 @@ -232,7 +290,10 @@ static int pci_bios_write(unsigned int s
20402 - __asm__("lcall *(%%esi); cld\n\t"
20403 + __asm__("movw %w6, %%ds\n\t"
20404 + "lcall *%%ss:(%%esi); cld\n\t"
20410 @@ -241,10 +302,14 @@ static int pci_bios_write(unsigned int s
20414 - "S" (&pci_indirect));
20415 + "S" (&pci_indirect),
20416 + "r" (__PCIBIOS_DS));
20419 - __asm__("lcall *(%%esi); cld\n\t"
20420 + __asm__("movw %w6, %%ds\n\t"
20421 + "lcall *%%ss:(%%esi); cld\n\t"
20427 @@ -253,10 +318,14 @@ static int pci_bios_write(unsigned int s
20431 - "S" (&pci_indirect));
20432 + "S" (&pci_indirect),
20433 + "r" (__PCIBIOS_DS));
20436 - __asm__("lcall *(%%esi); cld\n\t"
20437 + __asm__("movw %w6, %%ds\n\t"
20438 + "lcall *%%ss:(%%esi); cld\n\t"
20444 @@ -265,7 +334,8 @@ static int pci_bios_write(unsigned int s
20448 - "S" (&pci_indirect));
20449 + "S" (&pci_indirect),
20450 + "r" (__PCIBIOS_DS));
20454 @@ -279,7 +349,7 @@ static int pci_bios_write(unsigned int s
20455 * Function table for BIOS32 access
20458 -static struct pci_raw_ops pci_bios_access = {
20459 +static const struct pci_raw_ops pci_bios_access = {
20460 .read = pci_bios_read,
20461 .write = pci_bios_write
20463 @@ -288,7 +358,7 @@ static struct pci_raw_ops pci_bios_acces
20464 * Try to find PCI BIOS.
20467 -static struct pci_raw_ops * __devinit pci_find_bios(void)
20468 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
20470 union bios32 *check;
20472 @@ -369,10 +439,13 @@ struct irq_routing_table * pcibios_get_i
20474 DBG("PCI: Fetching IRQ routing table... ");
20475 __asm__("push %%es\n\t"
20476 + "movw %w8, %%ds\n\t"
20479 - "lcall *(%%esi); cld\n\t"
20480 + "lcall *%%ss:(%%esi); cld\n\t"
20487 @@ -383,7 +456,8 @@ struct irq_routing_table * pcibios_get_i
20490 "S" (&pci_indirect),
20493 + "r" (__PCIBIOS_DS)
20495 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
20497 @@ -407,7 +481,10 @@ int pcibios_set_irq_routing(struct pci_d
20501 - __asm__("lcall *(%%esi); cld\n\t"
20502 + __asm__("movw %w5, %%ds\n\t"
20503 + "lcall *%%ss:(%%esi); cld\n\t"
20509 @@ -415,7 +492,8 @@ int pcibios_set_irq_routing(struct pci_d
20510 : "0" (PCIBIOS_SET_PCI_HW_INT),
20511 "b" ((dev->bus->number << 8) | dev->devfn),
20512 "c" ((irq << 8) | (pin + 10)),
20513 - "S" (&pci_indirect));
20514 + "S" (&pci_indirect),
20515 + "r" (__PCIBIOS_DS));
20516 return !(ret & 0xff00);
20518 EXPORT_SYMBOL(pcibios_set_irq_routing);
20519 diff -urNp linux-2.6.36.2/arch/x86/power/cpu.c linux-2.6.36.2/arch/x86/power/cpu.c
20520 --- linux-2.6.36.2/arch/x86/power/cpu.c 2010-10-20 16:30:22.000000000 -0400
20521 +++ linux-2.6.36.2/arch/x86/power/cpu.c 2010-12-09 20:24:53.000000000 -0500
20522 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
20523 static void fix_processor_context(void)
20525 int cpu = smp_processor_id();
20526 - struct tss_struct *t = &per_cpu(init_tss, cpu);
20527 + struct tss_struct *t = init_tss + cpu;
20529 set_tss_desc(cpu, t); /*
20530 * This just modifies memory; should not be
20531 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
20534 #ifdef CONFIG_X86_64
20535 + pax_open_kernel();
20536 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
20537 + pax_close_kernel();
20539 syscall_init(); /* This sets MSR_*STAR and related */
20541 diff -urNp linux-2.6.36.2/arch/x86/vdso/Makefile linux-2.6.36.2/arch/x86/vdso/Makefile
20542 --- linux-2.6.36.2/arch/x86/vdso/Makefile 2010-10-20 16:30:22.000000000 -0400
20543 +++ linux-2.6.36.2/arch/x86/vdso/Makefile 2010-12-09 20:24:55.000000000 -0500
20544 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
20545 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
20546 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
20548 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
20549 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
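Review bot: `--no-undefined` is added to `VDSO_LDFLAGS` as a bare option, but the link command above goes through the compiler driver (it passes `-Wl,-T,...`), and the other linker option on this line is wrapped as `-Wl$(comma)--hash-style=sysv`. Whether the driver forwards a bare `--no-undefined` to the linker depends on the toolchain, so the undefined-symbol check may not be applied consistently. Spelling it `-Wl,--no-undefined` would make the intent explicit and match how the other linker flags are passed.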
20553 diff -urNp linux-2.6.36.2/arch/x86/vdso/vclock_gettime.c linux-2.6.36.2/arch/x86/vdso/vclock_gettime.c
20554 --- linux-2.6.36.2/arch/x86/vdso/vclock_gettime.c 2010-10-20 16:30:22.000000000 -0400
20555 +++ linux-2.6.36.2/arch/x86/vdso/vclock_gettime.c 2010-12-09 20:24:55.000000000 -0500
20556 @@ -22,24 +22,48 @@
20557 #include <asm/hpet.h>
20558 #include <asm/unistd.h>
20559 #include <asm/io.h>
20560 +#include <asm/fixmap.h>
20561 #include "vextern.h"
20563 #define gtod vdso_vsyscall_gtod_data
20565 +notrace noinline long __vdso_fallback_time(long *t)
20568 + asm volatile("syscall"
20570 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
20574 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
20577 asm("syscall" : "=a" (ret) :
20578 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
20579 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
20583 +notrace static inline cycle_t __vdso_vread_hpet(void)
20585 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
20588 +notrace static inline cycle_t __vdso_vread_tsc(void)
20590 + cycle_t ret = (cycle_t)vget_cycles();
20592 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
20595 notrace static inline long vgetns(void)
20598 - cycles_t (*vread)(void);
20599 - vread = gtod->clock.vread;
20600 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
20601 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
20602 + v = __vdso_vread_tsc();
20604 + v = __vdso_vread_hpet();
20605 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
20606 return (v * gtod->clock.mult) >> gtod->clock.shift;
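Review bot: The clocksource is identified by comparing `gtod->clock.name` one character at a time, and that expression is written out in vgetns() here and again in the conditions added to __vdso_clock_gettime() and __vdso_gettimeofday() in the later hunks. The copies are easy to get out of sync, and vgetns() tests only for "tsc" and falls through to the HPET reader for any other name, so it relies on the callers having filtered first. Two small predicates would keep the checks identical and readable. A comment stating why the `vread` function pointer is no longer called from the vDSO would also help the next reader.

```c
notrace static inline int vdso_clock_is_tsc(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 't' && name[1] == 's' && name[2] == 'c' && !name[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 'h' && name[1] == 'p' && name[2] == 'e' &&
	       name[3] == 't' && !name[4];
}

notrace static inline long vgetns(void)
	/* … unchanged: declaration of v … */
	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
	/* … unchanged: mask, mult and shift … */
```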
20609 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
20611 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
20613 - if (likely(gtod->sysctl_enabled))
20614 + if (likely(gtod->sysctl_enabled &&
20615 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20616 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20618 case CLOCK_REALTIME:
20619 if (likely(gtod->clock.vread))
20620 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
20621 int clock_gettime(clockid_t, struct timespec *)
20622 __attribute__((weak, alias("__vdso_clock_gettime")));
20624 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20625 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
20628 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
20629 + asm("syscall" : "=a" (ret) :
20630 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
20634 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20636 + if (likely(gtod->sysctl_enabled &&
20637 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20638 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20640 if (likely(tv != NULL)) {
20641 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
20642 offsetof(struct timespec, tv_nsec) ||
20643 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
20647 - asm("syscall" : "=a" (ret) :
20648 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
20650 + return __vdso_fallback_gettimeofday(tv, tz);
20652 int gettimeofday(struct timeval *, struct timezone *)
20653 __attribute__((weak, alias("__vdso_gettimeofday")));
20654 diff -urNp linux-2.6.36.2/arch/x86/vdso/vdso32-setup.c linux-2.6.36.2/arch/x86/vdso/vdso32-setup.c
20655 --- linux-2.6.36.2/arch/x86/vdso/vdso32-setup.c 2010-10-20 16:30:22.000000000 -0400
20656 +++ linux-2.6.36.2/arch/x86/vdso/vdso32-setup.c 2010-12-09 20:24:55.000000000 -0500
20658 #include <asm/tlbflush.h>
20659 #include <asm/vdso.h>
20660 #include <asm/proto.h>
20661 +#include <asm/mman.h>
20665 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
20666 void enable_sep_cpu(void)
20668 int cpu = get_cpu();
20669 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
20670 + struct tss_struct *tss = init_tss + cpu;
20672 if (!boot_cpu_has(X86_FEATURE_SEP)) {
20674 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20675 gate_vma.vm_start = FIXADDR_USER_START;
20676 gate_vma.vm_end = FIXADDR_USER_END;
20677 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20678 - gate_vma.vm_page_prot = __P101;
20679 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20681 * Make sure the vDSO gets into every core dump.
20682 * Dumping its contents makes post-mortem fully interpretable later
20683 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20685 addr = VDSO_HIGH_BASE;
20687 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20688 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20689 if (IS_ERR_VALUE(addr)) {
20695 - current->mm->context.vdso = (void *)addr;
20696 + current->mm->context.vdso = addr;
20698 if (compat_uses_vma || !compat) {
20700 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20703 current_thread_info()->sysenter_return =
20704 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20705 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20709 - current->mm->context.vdso = NULL;
20710 + current->mm->context.vdso = 0;
20712 up_write(&mm->mmap_sem);
20714 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20716 const char *arch_vma_name(struct vm_area_struct *vma)
20718 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20719 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20722 +#ifdef CONFIG_PAX_SEGMEXEC
20723 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20730 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20731 struct mm_struct *mm = tsk->mm;
20733 /* Check to see if this task was created in compat vdso mode */
20734 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20735 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20739 diff -urNp linux-2.6.36.2/arch/x86/vdso/vdso.lds.S linux-2.6.36.2/arch/x86/vdso/vdso.lds.S
20740 --- linux-2.6.36.2/arch/x86/vdso/vdso.lds.S 2010-10-20 16:30:22.000000000 -0400
20741 +++ linux-2.6.36.2/arch/x86/vdso/vdso.lds.S 2010-12-09 20:24:55.000000000 -0500
20742 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20743 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20744 #include "vextern.h"
20747 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20748 +VEXTERN(fallback_gettimeofday)
20749 +VEXTERN(fallback_time)
20752 diff -urNp linux-2.6.36.2/arch/x86/vdso/vextern.h linux-2.6.36.2/arch/x86/vdso/vextern.h
20753 --- linux-2.6.36.2/arch/x86/vdso/vextern.h 2010-10-20 16:30:22.000000000 -0400
20754 +++ linux-2.6.36.2/arch/x86/vdso/vextern.h 2010-12-09 20:24:55.000000000 -0500
20756 put into vextern.h and be referenced as a pointer with vdso prefix.
20757 The main kernel later fills in the values. */
20760 VEXTERN(vgetcpu_mode)
20761 VEXTERN(vsyscall_gtod_data)
20762 diff -urNp linux-2.6.36.2/arch/x86/vdso/vma.c linux-2.6.36.2/arch/x86/vdso/vma.c
20763 --- linux-2.6.36.2/arch/x86/vdso/vma.c 2010-10-20 16:30:22.000000000 -0400
20764 +++ linux-2.6.36.2/arch/x86/vdso/vma.c 2010-12-09 20:24:55.000000000 -0500
20765 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20769 - if (memcmp(vbase, "\177ELF", 4)) {
20770 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
20771 printk("VDSO: I'm broken; not ELF\n");
20774 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
20778 - current->mm->context.vdso = (void *)addr;
20779 + current->mm->context.vdso = addr;
20781 ret = install_special_mapping(mm, addr, vdso_size,
20783 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
20787 - current->mm->context.vdso = NULL;
20788 + current->mm->context.vdso = 0;
20792 @@ -134,10 +134,3 @@ up_fail:
20793 up_write(&mm->mmap_sem);
20797 -static __init int vdso_setup(char *s)
20799 - vdso_enabled = simple_strtoul(s, NULL, 0);
20802 -__setup("vdso=", vdso_setup);
20803 diff -urNp linux-2.6.36.2/arch/x86/xen/enlighten.c linux-2.6.36.2/arch/x86/xen/enlighten.c
20804 --- linux-2.6.36.2/arch/x86/xen/enlighten.c 2010-12-09 20:53:46.000000000 -0500
20805 +++ linux-2.6.36.2/arch/x86/xen/enlighten.c 2010-12-09 20:54:31.000000000 -0500
20806 @@ -79,8 +79,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
20808 struct shared_info xen_dummy_shared_info;
20810 -void *xen_initial_gdt;
20812 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
20813 __read_mostly int xen_have_vector_callback;
20814 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
20815 @@ -573,7 +571,7 @@ static void xen_write_idt_entry(gate_des
20819 - start = __get_cpu_var(idt_desc).address;
20820 + start = (unsigned long)__get_cpu_var(idt_desc).address;
20821 end = start + __get_cpu_var(idt_desc).size + 1;
20824 @@ -1126,7 +1124,17 @@ asmlinkage void __init xen_start_kernel(
20825 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
20827 /* Work out if we support NX */
20828 - x86_configure_nx();
20829 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20830 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
20831 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
20834 + __supported_pte_mask |= _PAGE_NX;
20835 + rdmsr(MSR_EFER, l, h);
20837 + wrmsr(MSR_EFER, l, h);
20841 xen_setup_features();
20843 @@ -1157,13 +1165,6 @@ asmlinkage void __init xen_start_kernel(
20845 machine_ops = xen_machine_ops;
20848 - * The only reliable way to retain the initial address of the
20849 - * percpu gdt_page is to remember it here, so we can go and
20850 - * mark it RW later, when the initial percpu area is freed.
20852 - xen_initial_gdt = &per_cpu(gdt_page, 0);
20856 pgd = (pgd_t *)xen_start_info->pt_base;
20857 diff -urNp linux-2.6.36.2/arch/x86/xen/mmu.c linux-2.6.36.2/arch/x86/xen/mmu.c
20858 --- linux-2.6.36.2/arch/x86/xen/mmu.c 2010-10-20 16:30:22.000000000 -0400
20859 +++ linux-2.6.36.2/arch/x86/xen/mmu.c 2010-12-09 20:24:54.000000000 -0500
20860 @@ -1773,6 +1773,8 @@ __init pgd_t *xen_setup_kernel_pagetable
20861 convert_pfn_mfn(init_level4_pgt);
20862 convert_pfn_mfn(level3_ident_pgt);
20863 convert_pfn_mfn(level3_kernel_pgt);
20864 + convert_pfn_mfn(level3_vmalloc_pgt);
20865 + convert_pfn_mfn(level3_vmemmap_pgt);
20867 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
20868 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
20869 @@ -1791,7 +1793,10 @@ __init pgd_t *xen_setup_kernel_pagetable
20870 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
20871 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
20872 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
20873 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
20874 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
20875 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
20876 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
20877 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
20878 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
20880 diff -urNp linux-2.6.36.2/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.36.2/arch/x86/xen/pci-swiotlb-xen.c
20881 --- linux-2.6.36.2/arch/x86/xen/pci-swiotlb-xen.c 2010-10-20 16:30:22.000000000 -0400
20882 +++ linux-2.6.36.2/arch/x86/xen/pci-swiotlb-xen.c 2010-12-09 20:24:54.000000000 -0500
20885 int xen_swiotlb __read_mostly;
20887 -static struct dma_map_ops xen_swiotlb_dma_ops = {
20888 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
20889 .mapping_error = xen_swiotlb_dma_mapping_error,
20890 .alloc_coherent = xen_swiotlb_alloc_coherent,
20891 .free_coherent = xen_swiotlb_free_coherent,
20892 diff -urNp linux-2.6.36.2/arch/x86/xen/smp.c linux-2.6.36.2/arch/x86/xen/smp.c
20893 --- linux-2.6.36.2/arch/x86/xen/smp.c 2010-11-26 18:26:24.000000000 -0500
20894 +++ linux-2.6.36.2/arch/x86/xen/smp.c 2010-12-09 20:24:54.000000000 -0500
20895 @@ -169,11 +169,6 @@ static void __init xen_smp_prepare_boot_
20897 BUG_ON(smp_processor_id() != 0);
20898 native_smp_prepare_boot_cpu();
20900 - /* We've switched to the "real" per-cpu gdt, so make sure the
20901 - old memory can be recycled */
20902 - make_lowmem_page_readwrite(xen_initial_gdt);
20904 xen_setup_vcpu_info_placement();
20907 @@ -233,8 +228,8 @@ cpu_initialize_context(unsigned int cpu,
20908 gdt = get_cpu_gdt_table(cpu);
20910 ctxt->flags = VGCF_IN_KERNEL;
20911 - ctxt->user_regs.ds = __USER_DS;
20912 - ctxt->user_regs.es = __USER_DS;
20913 + ctxt->user_regs.ds = __KERNEL_DS;
20914 + ctxt->user_regs.es = __KERNEL_DS;
20915 ctxt->user_regs.ss = __KERNEL_DS;
20916 #ifdef CONFIG_X86_32
20917 ctxt->user_regs.fs = __KERNEL_PERCPU;
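Review bot: The switch of the initial `ds`/`es` selectors from `__USER_DS` to `__KERNEL_DS` has no comment, so a reader comparing this with the unpatched code cannot tell it is deliberate. Presumably it follows from how this patch set treats the user data segment (the kernel-parameters text in the same patch mentions an expand-down segment used by UDEREF on X86-32), but the hunk does not say so. A one-line comment above the assignments, for example `/* new vCPU starts in kernel mode: load kernel data segments, not the user ones */`, would record the intent. `cpu_initialize_context` begins and ends outside the hunk.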
20918 diff -urNp linux-2.6.36.2/arch/x86/xen/xen-head.S linux-2.6.36.2/arch/x86/xen/xen-head.S
20919 --- linux-2.6.36.2/arch/x86/xen/xen-head.S 2010-10-20 16:30:22.000000000 -0400
20920 +++ linux-2.6.36.2/arch/x86/xen/xen-head.S 2010-12-09 20:24:54.000000000 -0500
20921 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
20922 #ifdef CONFIG_X86_32
20923 mov %esi,xen_start_info
20924 mov $init_thread_union+THREAD_SIZE,%esp
20926 + movl $cpu_gdt_table,%edi
20927 + movl $__per_cpu_load,%eax
20928 + movw %ax,__KERNEL_PERCPU + 2(%edi)
20930 + movb %al,__KERNEL_PERCPU + 4(%edi)
20931 + movb %ah,__KERNEL_PERCPU + 7(%edi)
20932 + movl $__per_cpu_end - 1,%eax
20933 + subl $__per_cpu_start,%eax
20934 + movw %ax,__KERNEL_PERCPU + 0(%edi)
20937 mov %rsi,xen_start_info
20938 mov $init_thread_union+THREAD_SIZE,%rsp
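Review bot: Only the low 16 bits of the per-cpu segment limit are stored (`movw %ax,__KERNEL_PERCPU + 0(%edi)`), so limit bits 16-19 in descriptor byte 6 keep whatever `cpu_gdt_table` was built with. If that descriptor is byte-granular and the static per-cpu area can exceed 64 KiB, the limit would be silently truncated and valid per-cpu accesses would fault; this should be confirmed against the GDT definition, which is not in the hunk. The block also has no comment, and something like `/* patch base (bytes 2-4, 7) and limit (bytes 0-1) of the __KERNEL_PERCPU descriptor */` would make the byte offsets readable. The listing omits some lines of this hunk, so the step between the two base stores is not shown here.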
20939 diff -urNp linux-2.6.36.2/arch/x86/xen/xen-ops.h linux-2.6.36.2/arch/x86/xen/xen-ops.h
20940 --- linux-2.6.36.2/arch/x86/xen/xen-ops.h 2010-10-20 16:30:22.000000000 -0400
20941 +++ linux-2.6.36.2/arch/x86/xen/xen-ops.h 2010-12-09 20:24:54.000000000 -0500
20943 extern const char xen_hypervisor_callback[];
20944 extern const char xen_failsafe_callback[];
20946 -extern void *xen_initial_gdt;
20949 void xen_copy_trap_info(struct trap_info *traps);
20951 diff -urNp linux-2.6.36.2/block/blk-iopoll.c linux-2.6.36.2/block/blk-iopoll.c
20952 --- linux-2.6.36.2/block/blk-iopoll.c 2010-10-20 16:30:22.000000000 -0400
20953 +++ linux-2.6.36.2/block/blk-iopoll.c 2010-12-09 20:24:09.000000000 -0500
20954 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
20956 EXPORT_SYMBOL(blk_iopoll_complete);
20958 -static void blk_iopoll_softirq(struct softirq_action *h)
20959 +static void blk_iopoll_softirq(void)
20961 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
20962 int rearm = 0, budget = blk_iopoll_budget;
20963 diff -urNp linux-2.6.36.2/block/blk-map.c linux-2.6.36.2/block/blk-map.c
20964 --- linux-2.6.36.2/block/blk-map.c 2010-12-09 20:53:46.000000000 -0500
20965 +++ linux-2.6.36.2/block/blk-map.c 2010-12-09 20:54:31.000000000 -0500
20966 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
20967 * direct dma. else, set up kernel bounce buffers
20969 uaddr = (unsigned long) ubuf;
20970 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
20971 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
20972 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
20974 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
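Review bot: The `(__force void *)` cast on `ubuf` removes the `__user` annotation at the call site, so the static address-space checker can no longer flag a dereference inside `blk_rq_aligned()`. The helper's body is not in this hunk; if it only tests the address value, passing the integer `uaddr` computed on the line above would avoid the cast, which requires the helper to accept an `unsigned long`. Failing that, a comment next to the cast such as `/* address is only tested for alignment, never dereferenced */` would document why forcing is safe. `__blk_rq_map_user` starts and ends outside the hunk.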
20975 @@ -201,6 +201,9 @@ int blk_rq_map_user_iov(struct request_q
20976 for (i = 0; i < iov_count; i++) {
20977 unsigned long uaddr = (unsigned long)iov[i].iov_base;
20979 + if (!iov[i].iov_len)
20982 if (uaddr & queue_dma_alignment(q)) {
20985 @@ -299,7 +302,7 @@ int blk_rq_map_kern(struct request_queue
20989 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
20990 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
20992 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
20994 diff -urNp linux-2.6.36.2/block/blk-softirq.c linux-2.6.36.2/block/blk-softirq.c
20995 --- linux-2.6.36.2/block/blk-softirq.c 2010-10-20 16:30:22.000000000 -0400
20996 +++ linux-2.6.36.2/block/blk-softirq.c 2010-12-09 20:24:09.000000000 -0500
20997 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
20998 * Softirq action handler - move entries to local list and loop over them
20999 * while passing them to the queue registered handler.
21001 -static void blk_done_softirq(struct softirq_action *h)
21002 +static void blk_done_softirq(void)
21004 struct list_head *cpu_list, local_list;
21006 diff -urNp linux-2.6.36.2/crypto/lrw.c linux-2.6.36.2/crypto/lrw.c
21007 --- linux-2.6.36.2/crypto/lrw.c 2010-10-20 16:30:22.000000000 -0400
21008 +++ linux-2.6.36.2/crypto/lrw.c 2010-12-09 20:24:08.000000000 -0500
21009 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
21010 struct priv *ctx = crypto_tfm_ctx(parent);
21011 struct crypto_cipher *child = ctx->child;
21013 - be128 tmp = { 0 };
21014 + be128 tmp = { 0, 0 };
21015 int bsize = crypto_cipher_blocksize(child);
21017 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
21018 diff -urNp linux-2.6.36.2/Documentation/dontdiff linux-2.6.36.2/Documentation/dontdiff
21019 --- linux-2.6.36.2/Documentation/dontdiff 2010-10-20 16:30:22.000000000 -0400
21020 +++ linux-2.6.36.2/Documentation/dontdiff 2010-12-09 20:24:49.000000000 -0500
21040 @@ -49,11 +52,16 @@
21057 @@ -62,6 +70,7 @@ aic7*reg_print.c*
21065 @@ -76,7 +85,10 @@ btfixupprep
21076 @@ -100,19 +112,23 @@ fore200e_mkfirm
21091 initramfs_data.cpio
21092 +initramfs_data.cpio.bz2
21093 initramfs_data.cpio.gz
21101 @@ -136,10 +152,13 @@ mkboot
21115 @@ -151,7 +170,9 @@ parse.h
21125 @@ -160,15 +181,18 @@ qconf
21144 @@ -189,14 +213,20 @@ version.h*
21165 diff -urNp linux-2.6.36.2/Documentation/filesystems/sysfs.txt linux-2.6.36.2/Documentation/filesystems/sysfs.txt
21166 --- linux-2.6.36.2/Documentation/filesystems/sysfs.txt 2010-10-20 16:30:22.000000000 -0400
21167 +++ linux-2.6.36.2/Documentation/filesystems/sysfs.txt 2010-12-09 20:24:50.000000000 -0500
21168 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
21169 show and store methods of the attribute owners.
21172 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
21173 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
21174 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
21175 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
21178 [ Subsystems should have already defined a struct kobj_type as a
21179 diff -urNp linux-2.6.36.2/Documentation/kernel-parameters.txt linux-2.6.36.2/Documentation/kernel-parameters.txt
21180 --- linux-2.6.36.2/Documentation/kernel-parameters.txt 2010-10-20 16:30:22.000000000 -0400
21181 +++ linux-2.6.36.2/Documentation/kernel-parameters.txt 2010-12-09 20:24:50.000000000 -0500
21182 @@ -1835,6 +1835,12 @@ and is between 256 and 4096 characters.
21183 the specified number of seconds. This is to be used if
21184 your oopses keep scrolling off the screen.
21186 + pax_nouderef [X86-32] disables UDEREF. Most likely needed under certain
21187 + virtualization environments that don't cope well with the
21188 + expand down segment used by UDEREF on X86-32.
21190 + pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
21195 diff -urNp linux-2.6.36.2/drivers/acpi/battery.c linux-2.6.36.2/drivers/acpi/battery.c
21196 --- linux-2.6.36.2/drivers/acpi/battery.c 2010-12-09 20:53:46.000000000 -0500
21197 +++ linux-2.6.36.2/drivers/acpi/battery.c 2010-12-09 20:54:34.000000000 -0500
21198 @@ -845,7 +845,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
21201 static struct battery_file {
21202 - struct file_operations ops;
21203 + const struct file_operations ops;
21206 } acpi_battery_file[] = {
21207 diff -urNp linux-2.6.36.2/drivers/acpi/blacklist.c linux-2.6.36.2/drivers/acpi/blacklist.c
21208 --- linux-2.6.36.2/drivers/acpi/blacklist.c 2010-10-20 16:30:22.000000000 -0400
21209 +++ linux-2.6.36.2/drivers/acpi/blacklist.c 2010-12-09 20:24:13.000000000 -0500
21210 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
21211 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
21212 "Incorrect _ADR", 1},
21215 + {"", "", 0, NULL, all_versions, NULL, 0}
21218 #if CONFIG_ACPI_BLACKLIST_YEAR
21219 diff -urNp linux-2.6.36.2/drivers/acpi/dock.c linux-2.6.36.2/drivers/acpi/dock.c
21220 --- linux-2.6.36.2/drivers/acpi/dock.c 2010-10-20 16:30:22.000000000 -0400
21221 +++ linux-2.6.36.2/drivers/acpi/dock.c 2010-12-09 20:24:13.000000000 -0500
21222 @@ -77,7 +77,7 @@ struct dock_dependent_device {
21223 struct list_head list;
21224 struct list_head hotplug_list;
21225 acpi_handle handle;
21226 - struct acpi_dock_ops *ops;
21227 + const struct acpi_dock_ops *ops;
21231 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
21232 * the dock driver after _DCK is executed.
21235 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
21236 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
21239 struct dock_dependent_device *dd;
21240 diff -urNp linux-2.6.36.2/drivers/acpi/osl.c linux-2.6.36.2/drivers/acpi/osl.c
21241 --- linux-2.6.36.2/drivers/acpi/osl.c 2010-10-20 16:30:22.000000000 -0400
21242 +++ linux-2.6.36.2/drivers/acpi/osl.c 2010-12-09 20:24:13.000000000 -0500
21243 @@ -497,6 +497,8 @@ acpi_os_read_memory(acpi_physical_addres
21244 void __iomem *virt_addr;
21246 virt_addr = ioremap(phys_addr, width);
21248 + return AE_NO_MEMORY;
21252 @@ -525,6 +527,8 @@ acpi_os_write_memory(acpi_physical_addre
21253 void __iomem *virt_addr;
21255 virt_addr = ioremap(phys_addr, width);
21257 + return AE_NO_MEMORY;
21261 diff -urNp linux-2.6.36.2/drivers/acpi/power_meter.c linux-2.6.36.2/drivers/acpi/power_meter.c
21262 --- linux-2.6.36.2/drivers/acpi/power_meter.c 2010-10-20 16:30:22.000000000 -0400
21263 +++ linux-2.6.36.2/drivers/acpi/power_meter.c 2010-12-09 20:24:13.000000000 -0500
21264 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
21271 mutex_lock(&resource->lock);
21272 resource->trip[attr->index - 7] = temp;
21273 diff -urNp linux-2.6.36.2/drivers/acpi/proc.c linux-2.6.36.2/drivers/acpi/proc.c
21274 --- linux-2.6.36.2/drivers/acpi/proc.c 2010-10-20 16:30:22.000000000 -0400
21275 +++ linux-2.6.36.2/drivers/acpi/proc.c 2010-12-09 20:24:13.000000000 -0500
21276 @@ -338,20 +338,15 @@ acpi_system_write_wakeup_device(struct f
21277 size_t count, loff_t * ppos)
21279 struct list_head *node, *next;
21281 - char str[5] = "";
21282 - unsigned int len = count;
21283 + char strbuf[5] = {0};
21284 struct acpi_device *found_dev = NULL;
21293 - if (copy_from_user(strbuf, buffer, len))
21294 + if (copy_from_user(strbuf, buffer, count))
21296 - strbuf[len] = '\0';
21297 - sscanf(strbuf, "%s", str);
21298 + strbuf[count] = '\0';
21300 mutex_lock(&acpi_device_lock);
21301 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
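Review bot: Removing the `sscanf(strbuf, "%s", str)` step means the comparison in the following hunk, `strncmp(dev->pnp.bus_id, strbuf, 4)`, now sees the raw bytes written by user space, trailing newline included. A device whose `bus_id` is shorter than four characters would then stop matching when its name is written with `echo`, since the newline is compared against the terminating NUL; whether such ids exist should be checked. Cutting the buffer at the first whitespace after the copy, for example `strbuf[strcspn(strbuf, " \t\n")] = '\0';`, would keep the old parsing without the second buffer. The clamp that keeps `count` within `strbuf[5]` ahead of `copy_from_user()` and `strbuf[count] = '\0'` is not among the lines shown in this listing and should be confirmed to remain. `acpi_system_write_wakeup_device` begins and ends outside the hunk.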
21302 @@ -360,7 +355,7 @@ acpi_system_write_wakeup_device(struct f
21303 if (!dev->wakeup.flags.valid)
21306 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
21307 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
21308 dev->wakeup.state.enabled =
21309 dev->wakeup.state.enabled ? 0 : 1;
21311 diff -urNp linux-2.6.36.2/drivers/acpi/processor_driver.c linux-2.6.36.2/drivers/acpi/processor_driver.c
21312 --- linux-2.6.36.2/drivers/acpi/processor_driver.c 2010-10-20 16:30:22.000000000 -0400
21313 +++ linux-2.6.36.2/drivers/acpi/processor_driver.c 2010-12-09 20:24:13.000000000 -0500
21314 @@ -507,7 +507,7 @@ static int __cpuinit acpi_processor_add(
21318 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
21319 + BUG_ON(pr->id >= nr_cpu_ids);
21323 diff -urNp linux-2.6.36.2/drivers/acpi/processor_idle.c linux-2.6.36.2/drivers/acpi/processor_idle.c
21324 --- linux-2.6.36.2/drivers/acpi/processor_idle.c 2010-10-20 16:30:22.000000000 -0400
21325 +++ linux-2.6.36.2/drivers/acpi/processor_idle.c 2010-12-09 20:24:13.000000000 -0500
21326 @@ -115,7 +115,7 @@ static struct dmi_system_id __cpuinitdat
21327 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
21328 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
21331 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
21335 diff -urNp linux-2.6.36.2/drivers/acpi/sleep.c linux-2.6.36.2/drivers/acpi/sleep.c
21336 --- linux-2.6.36.2/drivers/acpi/sleep.c 2010-10-20 16:30:22.000000000 -0400
21337 +++ linux-2.6.36.2/drivers/acpi/sleep.c 2010-12-09 20:24:13.000000000 -0500
21338 @@ -319,7 +319,7 @@ static int acpi_suspend_state_valid(susp
21342 -static struct platform_suspend_ops acpi_suspend_ops = {
21343 +static const struct platform_suspend_ops acpi_suspend_ops = {
21344 .valid = acpi_suspend_state_valid,
21345 .begin = acpi_suspend_begin,
21346 .prepare_late = acpi_pm_prepare,
21347 @@ -347,7 +347,7 @@ static int acpi_suspend_begin_old(suspen
21348 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
21351 -static struct platform_suspend_ops acpi_suspend_ops_old = {
21352 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
21353 .valid = acpi_suspend_state_valid,
21354 .begin = acpi_suspend_begin_old,
21355 .prepare_late = acpi_pm_pre_suspend,
21356 @@ -490,7 +490,7 @@ static void acpi_pm_thaw(void)
21357 acpi_enable_all_runtime_gpes();
21360 -static struct platform_hibernation_ops acpi_hibernation_ops = {
21361 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
21362 .begin = acpi_hibernation_begin,
21363 .end = acpi_pm_end,
21364 .pre_snapshot = acpi_pm_prepare,
21365 @@ -533,7 +533,7 @@ static int acpi_hibernation_begin_old(vo
21366 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
21369 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
21370 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
21371 .begin = acpi_hibernation_begin_old,
21372 .end = acpi_pm_end,
21373 .pre_snapshot = acpi_pm_pre_suspend,
21374 diff -urNp linux-2.6.36.2/drivers/acpi/video.c linux-2.6.36.2/drivers/acpi/video.c
21375 --- linux-2.6.36.2/drivers/acpi/video.c 2010-10-20 16:30:22.000000000 -0400
21376 +++ linux-2.6.36.2/drivers/acpi/video.c 2010-12-09 20:24:13.000000000 -0500
21377 @@ -367,7 +367,7 @@ static int acpi_video_set_brightness(str
21378 vd->brightness->levels[request_level]);
21381 -static struct backlight_ops acpi_backlight_ops = {
21382 +static const struct backlight_ops acpi_backlight_ops = {
21383 .get_brightness = acpi_video_get_brightness,
21384 .update_status = acpi_video_set_brightness,
21386 diff -urNp linux-2.6.36.2/drivers/ata/ahci.c linux-2.6.36.2/drivers/ata/ahci.c
21387 --- linux-2.6.36.2/drivers/ata/ahci.c 2010-10-20 16:30:22.000000000 -0400
21388 +++ linux-2.6.36.2/drivers/ata/ahci.c 2010-12-09 20:24:14.000000000 -0500
21389 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
21393 -static struct ata_port_operations ahci_vt8251_ops = {
21394 +static const struct ata_port_operations ahci_vt8251_ops = {
21395 .inherits = &ahci_ops,
21396 .hardreset = ahci_vt8251_hardreset,
21399 -static struct ata_port_operations ahci_p5wdh_ops = {
21400 +static const struct ata_port_operations ahci_p5wdh_ops = {
21401 .inherits = &ahci_ops,
21402 .hardreset = ahci_p5wdh_hardreset,
21405 -static struct ata_port_operations ahci_sb600_ops = {
21406 +static const struct ata_port_operations ahci_sb600_ops = {
21407 .inherits = &ahci_ops,
21408 .softreset = ahci_sb600_softreset,
21409 .pmp_softreset = ahci_sb600_softreset,
21410 @@ -388,7 +388,7 @@ static const struct pci_device_id ahci_p
21411 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
21412 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
21414 - { } /* terminate list */
21415 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
21419 diff -urNp linux-2.6.36.2/drivers/ata/ahci.h linux-2.6.36.2/drivers/ata/ahci.h
21420 --- linux-2.6.36.2/drivers/ata/ahci.h 2010-11-26 18:26:24.000000000 -0500
21421 +++ linux-2.6.36.2/drivers/ata/ahci.h 2010-12-09 20:24:14.000000000 -0500
21422 @@ -310,7 +310,7 @@ extern struct device_attribute *ahci_sde
21423 .shost_attrs = ahci_shost_attrs, \
21424 .sdev_attrs = ahci_sdev_attrs
21426 -extern struct ata_port_operations ahci_ops;
21427 +extern const struct ata_port_operations ahci_ops;
21429 void ahci_save_initial_config(struct device *dev,
21430 struct ahci_host_priv *hpriv,
21431 diff -urNp linux-2.6.36.2/drivers/ata/ata_generic.c linux-2.6.36.2/drivers/ata/ata_generic.c
21432 --- linux-2.6.36.2/drivers/ata/ata_generic.c 2010-10-20 16:30:22.000000000 -0400
21433 +++ linux-2.6.36.2/drivers/ata/ata_generic.c 2010-12-09 20:24:14.000000000 -0500
21434 @@ -100,7 +100,7 @@ static struct scsi_host_template generic
21435 ATA_BMDMA_SHT(DRV_NAME),
21438 -static struct ata_port_operations generic_port_ops = {
21439 +static const struct ata_port_operations generic_port_ops = {
21440 .inherits = &ata_bmdma_port_ops,
21441 .cable_detect = ata_cable_unknown,
21442 .set_mode = generic_set_mode,
21443 diff -urNp linux-2.6.36.2/drivers/ata/ata_piix.c linux-2.6.36.2/drivers/ata/ata_piix.c
21444 --- linux-2.6.36.2/drivers/ata/ata_piix.c 2010-10-20 16:30:22.000000000 -0400
21445 +++ linux-2.6.36.2/drivers/ata/ata_piix.c 2010-12-09 20:24:14.000000000 -0500
21446 @@ -306,7 +306,7 @@ static const struct pci_device_id piix_p
21447 { 0x8086, 0x1d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
21448 /* SATA Controller IDE (PBG) */
21449 { 0x8086, 0x1d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
21450 - { } /* terminate list */
21451 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
21454 static struct pci_driver piix_pci_driver = {
21455 @@ -324,12 +324,12 @@ static struct scsi_host_template piix_sh
21456 ATA_BMDMA_SHT(DRV_NAME),
21459 -static struct ata_port_operations piix_sata_ops = {
21460 +static const struct ata_port_operations piix_sata_ops = {
21461 .inherits = &ata_bmdma32_port_ops,
21462 .sff_irq_check = piix_irq_check,
21465 -static struct ata_port_operations piix_pata_ops = {
21466 +static const struct ata_port_operations piix_pata_ops = {
21467 .inherits = &piix_sata_ops,
21468 .cable_detect = ata_cable_40wire,
21469 .set_piomode = piix_set_piomode,
21470 @@ -337,18 +337,18 @@ static struct ata_port_operations piix_p
21471 .prereset = piix_pata_prereset,
21474 -static struct ata_port_operations piix_vmw_ops = {
21475 +static const struct ata_port_operations piix_vmw_ops = {
21476 .inherits = &piix_pata_ops,
21477 .bmdma_status = piix_vmw_bmdma_status,
21480 -static struct ata_port_operations ich_pata_ops = {
21481 +static const struct ata_port_operations ich_pata_ops = {
21482 .inherits = &piix_pata_ops,
21483 .cable_detect = ich_pata_cable_detect,
21484 .set_dmamode = ich_set_dmamode,
21487 -static struct ata_port_operations piix_sidpr_sata_ops = {
21488 +static const struct ata_port_operations piix_sidpr_sata_ops = {
21489 .inherits = &piix_sata_ops,
21490 .hardreset = sata_std_hardreset,
21491 .scr_read = piix_sidpr_scr_read,
21492 @@ -624,7 +624,7 @@ static const struct ich_laptop ich_lapto
21493 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
21494 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
21501 @@ -1116,7 +1116,7 @@ static int piix_broken_suspend(void)
21505 - { } /* terminate list */
21506 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
21508 static const char *oemstrs[] = {
21510 diff -urNp linux-2.6.36.2/drivers/ata/libahci.c linux-2.6.36.2/drivers/ata/libahci.c
21511 --- linux-2.6.36.2/drivers/ata/libahci.c 2010-11-26 18:26:24.000000000 -0500
21512 +++ linux-2.6.36.2/drivers/ata/libahci.c 2010-12-09 20:24:14.000000000 -0500
21513 @@ -141,7 +141,7 @@ struct device_attribute *ahci_sdev_attrs
21515 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
21517 -struct ata_port_operations ahci_ops = {
21518 +const struct ata_port_operations ahci_ops = {
21519 .inherits = &sata_pmp_port_ops,
21521 .qc_defer = ahci_pmp_qc_defer,
21522 diff -urNp linux-2.6.36.2/drivers/ata/libata-acpi.c linux-2.6.36.2/drivers/ata/libata-acpi.c
21523 --- linux-2.6.36.2/drivers/ata/libata-acpi.c 2010-10-20 16:30:22.000000000 -0400
21524 +++ linux-2.6.36.2/drivers/ata/libata-acpi.c 2010-12-09 20:24:14.000000000 -0500
21525 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
21526 ata_acpi_uevent(dev->link->ap, dev, event);
21529 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
21530 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
21531 .handler = ata_acpi_dev_notify_dock,
21532 .uevent = ata_acpi_dev_uevent,
21535 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
21536 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
21537 .handler = ata_acpi_ap_notify_dock,
21538 .uevent = ata_acpi_ap_uevent,
21540 diff -urNp linux-2.6.36.2/drivers/ata/libata-core.c linux-2.6.36.2/drivers/ata/libata-core.c
21541 --- linux-2.6.36.2/drivers/ata/libata-core.c 2010-10-20 16:30:22.000000000 -0400
21542 +++ linux-2.6.36.2/drivers/ata/libata-core.c 2010-12-09 20:24:14.000000000 -0500
21543 @@ -899,7 +899,7 @@ static const struct ata_xfer_ent {
21544 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
21545 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
21546 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
21552 @@ -3071,7 +3071,7 @@ static const struct ata_timing ata_timin
21553 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
21554 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
21557 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
21560 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
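Review bot: The new terminator `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }` has nine initialisers while the rows above it, such as the `XFER_UDMA_6` entry, have ten, so the last member is still implicitly zeroed. If the purpose of spelling the terminator out is to initialise every member explicitly, as the other table terminators in this patch do, it should read `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0 }`. The table definition starts outside the hunk, so the member count is inferred from the visible rows.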
21561 @@ -4260,7 +4260,7 @@ static const struct ata_blacklist_entry
21562 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
21566 + { NULL, NULL, 0 }
21570 @@ -4865,7 +4865,7 @@ void ata_qc_free(struct ata_queued_cmd *
21571 struct ata_port *ap;
21574 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21575 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
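Review bot: Replacing `WARN_ON_ONCE(qc == NULL)` with `BUG_ON(qc == NULL)` here and in the next hunk (`__ata_qc_complete`) turns a condition the retained comment calls possible into a kernel halt, and the comment does not explain that choice. In `__ata_qc_complete` the visible code dereferences `qc` shortly after the check (`qc->dev->link`), so stopping before a NULL dereference is defensible, but on a storage completion path it can take the whole machine down. If callers can tolerate it, warning and returning early with `if (WARN_ON_ONCE(qc == NULL)) return;` would keep the system up. Otherwise the comment should be updated to something like `/* ata_qc_from_tag may return NULL; stop here rather than dereference it */`. Both function bodies continue outside their hunks.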
21579 @@ -4881,7 +4881,7 @@ void __ata_qc_complete(struct ata_queued
21580 struct ata_port *ap;
21581 struct ata_link *link;
21583 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21584 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21585 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
21587 link = qc->dev->link;
21588 @@ -5866,7 +5866,7 @@ static void ata_host_stop(struct device
21592 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
21593 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
21595 static DEFINE_SPINLOCK(lock);
21596 const struct ata_port_operations *cur;
21597 @@ -5878,6 +5878,7 @@ static void ata_finalize_port_ops(struct
21601 + pax_open_kernel();
21603 for (cur = ops->inherits; cur; cur = cur->inherits) {
21604 void **inherit = (void **)cur;
21605 @@ -5891,8 +5892,9 @@ static void ata_finalize_port_ops(struct
21609 - ops->inherits = NULL;
21610 + ((struct ata_port_operations *)ops)->inherits = NULL;
21612 + pax_close_kernel();
21613 spin_unlock(&lock);
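Review bot: `ata_finalize_port_ops()` now takes a `const` pointer yet still writes through it by casting the qualifier away (`((struct ata_port_operations *)ops)->inherits = NULL;`), and nothing explains why that is permitted. The writes are bracketed by the `pax_open_kernel()` added in the previous hunk and the `pax_close_kernel()` added here, which presumably lift write protection on the read-only tables for the duration. Any return path inside that window, which cannot be checked from these hunks, must call `pax_close_kernel()` as well. I would add above `pax_open_kernel()` a comment such as `/* ops tables are read-only once constified; this is the one place that patches them, inside the open/close window */`. The function begins outside this hunk.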
21616 @@ -5989,7 +5991,7 @@ int ata_host_start(struct ata_host *host
21618 /* KILLME - the only user left is ipr */
21619 void ata_host_init(struct ata_host *host, struct device *dev,
21620 - unsigned long flags, struct ata_port_operations *ops)
21621 + unsigned long flags, const struct ata_port_operations *ops)
21623 spin_lock_init(&host->lock);
21625 @@ -6630,7 +6632,7 @@ static void ata_dummy_error_handler(stru
21629 -struct ata_port_operations ata_dummy_port_ops = {
21630 +const struct ata_port_operations ata_dummy_port_ops = {
21631 .qc_prep = ata_noop_qc_prep,
21632 .qc_issue = ata_dummy_qc_issue,
21633 .error_handler = ata_dummy_error_handler,
21634 diff -urNp linux-2.6.36.2/drivers/ata/libata-eh.c linux-2.6.36.2/drivers/ata/libata-eh.c
21635 --- linux-2.6.36.2/drivers/ata/libata-eh.c 2010-10-20 16:30:22.000000000 -0400
21636 +++ linux-2.6.36.2/drivers/ata/libata-eh.c 2010-12-09 20:24:14.000000000 -0500
21637 @@ -3685,7 +3685,7 @@ void ata_do_eh(struct ata_port *ap, ata_
21639 void ata_std_error_handler(struct ata_port *ap)
21641 - struct ata_port_operations *ops = ap->ops;
21642 + const struct ata_port_operations *ops = ap->ops;
21643 ata_reset_fn_t hardreset = ops->hardreset;
21645 /* ignore built-in hardreset if SCR access is not available */
21646 diff -urNp linux-2.6.36.2/drivers/ata/libata-pmp.c linux-2.6.36.2/drivers/ata/libata-pmp.c
21647 --- linux-2.6.36.2/drivers/ata/libata-pmp.c 2010-10-20 16:30:22.000000000 -0400
21648 +++ linux-2.6.36.2/drivers/ata/libata-pmp.c 2010-12-09 20:24:14.000000000 -0500
21649 @@ -868,7 +868,7 @@ static int sata_pmp_handle_link_fail(str
21651 static int sata_pmp_eh_recover(struct ata_port *ap)
21653 - struct ata_port_operations *ops = ap->ops;
21654 + const struct ata_port_operations *ops = ap->ops;
21655 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
21656 struct ata_link *pmp_link = &ap->link;
21657 struct ata_device *pmp_dev = pmp_link->device;
21658 diff -urNp linux-2.6.36.2/drivers/ata/pata_acpi.c linux-2.6.36.2/drivers/ata/pata_acpi.c
21659 --- linux-2.6.36.2/drivers/ata/pata_acpi.c 2010-10-20 16:30:22.000000000 -0400
21660 +++ linux-2.6.36.2/drivers/ata/pata_acpi.c 2010-12-09 20:24:14.000000000 -0500
21661 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
21662 ATA_BMDMA_SHT(DRV_NAME),
21665 -static struct ata_port_operations pacpi_ops = {
21666 +static const struct ata_port_operations pacpi_ops = {
21667 .inherits = &ata_bmdma_port_ops,
21668 .qc_issue = pacpi_qc_issue,
21669 .cable_detect = pacpi_cable_detect,
21670 diff -urNp linux-2.6.36.2/drivers/ata/pata_ali.c linux-2.6.36.2/drivers/ata/pata_ali.c
21671 --- linux-2.6.36.2/drivers/ata/pata_ali.c 2010-10-20 16:30:22.000000000 -0400
21672 +++ linux-2.6.36.2/drivers/ata/pata_ali.c 2010-12-09 20:24:14.000000000 -0500
21673 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
21674 * Port operations for PIO only ALi
21677 -static struct ata_port_operations ali_early_port_ops = {
21678 +static const struct ata_port_operations ali_early_port_ops = {
21679 .inherits = &ata_sff_port_ops,
21680 .cable_detect = ata_cable_40wire,
21681 .set_piomode = ali_set_piomode,
21682 @@ -380,7 +380,7 @@ static const struct ata_port_operations
21683 * Port operations for DMA capable ALi without cable
21686 -static struct ata_port_operations ali_20_port_ops = {
21687 +static const struct ata_port_operations ali_20_port_ops = {
21688 .inherits = &ali_dma_base_ops,
21689 .cable_detect = ata_cable_40wire,
21690 .mode_filter = ali_20_filter,
21691 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
21693 * Port operations for DMA capable ALi with cable detect
21695 -static struct ata_port_operations ali_c2_port_ops = {
21696 +static const struct ata_port_operations ali_c2_port_ops = {
21697 .inherits = &ali_dma_base_ops,
21698 .check_atapi_dma = ali_check_atapi_dma,
21699 .cable_detect = ali_c2_cable_detect,
21700 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
21702 * Port operations for DMA capable ALi with cable detect
21704 -static struct ata_port_operations ali_c4_port_ops = {
21705 +static const struct ata_port_operations ali_c4_port_ops = {
21706 .inherits = &ali_dma_base_ops,
21707 .check_atapi_dma = ali_check_atapi_dma,
21708 .cable_detect = ali_c2_cable_detect,
21709 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
21711 * Port operations for DMA capable ALi with cable detect and LBA48
21713 -static struct ata_port_operations ali_c5_port_ops = {
21714 +static const struct ata_port_operations ali_c5_port_ops = {
21715 .inherits = &ali_dma_base_ops,
21716 .check_atapi_dma = ali_check_atapi_dma,
21717 .dev_config = ali_warn_atapi_dma,
21718 diff -urNp linux-2.6.36.2/drivers/ata/pata_amd.c linux-2.6.36.2/drivers/ata/pata_amd.c
21719 --- linux-2.6.36.2/drivers/ata/pata_amd.c 2010-10-20 16:30:22.000000000 -0400
21720 +++ linux-2.6.36.2/drivers/ata/pata_amd.c 2010-12-09 20:24:14.000000000 -0500
21721 @@ -397,28 +397,28 @@ static const struct ata_port_operations
21722 .prereset = amd_pre_reset,
21725 -static struct ata_port_operations amd33_port_ops = {
21726 +static const struct ata_port_operations amd33_port_ops = {
21727 .inherits = &amd_base_port_ops,
21728 .cable_detect = ata_cable_40wire,
21729 .set_piomode = amd33_set_piomode,
21730 .set_dmamode = amd33_set_dmamode,
21733 -static struct ata_port_operations amd66_port_ops = {
21734 +static const struct ata_port_operations amd66_port_ops = {
21735 .inherits = &amd_base_port_ops,
21736 .cable_detect = ata_cable_unknown,
21737 .set_piomode = amd66_set_piomode,
21738 .set_dmamode = amd66_set_dmamode,
21741 -static struct ata_port_operations amd100_port_ops = {
21742 +static const struct ata_port_operations amd100_port_ops = {
21743 .inherits = &amd_base_port_ops,
21744 .cable_detect = ata_cable_unknown,
21745 .set_piomode = amd100_set_piomode,
21746 .set_dmamode = amd100_set_dmamode,
21749 -static struct ata_port_operations amd133_port_ops = {
21750 +static const struct ata_port_operations amd133_port_ops = {
21751 .inherits = &amd_base_port_ops,
21752 .cable_detect = amd_cable_detect,
21753 .set_piomode = amd133_set_piomode,
21754 @@ -433,13 +433,13 @@ static const struct ata_port_operations
21755 .host_stop = nv_host_stop,
21758 -static struct ata_port_operations nv100_port_ops = {
21759 +static const struct ata_port_operations nv100_port_ops = {
21760 .inherits = &nv_base_port_ops,
21761 .set_piomode = nv100_set_piomode,
21762 .set_dmamode = nv100_set_dmamode,
21765 -static struct ata_port_operations nv133_port_ops = {
21766 +static const struct ata_port_operations nv133_port_ops = {
21767 .inherits = &nv_base_port_ops,
21768 .set_piomode = nv133_set_piomode,
21769 .set_dmamode = nv133_set_dmamode,
21770 diff -urNp linux-2.6.36.2/drivers/ata/pata_artop.c linux-2.6.36.2/drivers/ata/pata_artop.c
21771 --- linux-2.6.36.2/drivers/ata/pata_artop.c 2010-10-20 16:30:22.000000000 -0400
21772 +++ linux-2.6.36.2/drivers/ata/pata_artop.c 2010-12-09 20:24:14.000000000 -0500
21773 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
21774 ATA_BMDMA_SHT(DRV_NAME),
21777 -static struct ata_port_operations artop6210_ops = {
21778 +static const struct ata_port_operations artop6210_ops = {
21779 .inherits = &ata_bmdma_port_ops,
21780 .cable_detect = ata_cable_40wire,
21781 .set_piomode = artop6210_set_piomode,
21782 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
21783 .qc_defer = artop6210_qc_defer,
21786 -static struct ata_port_operations artop6260_ops = {
21787 +static const struct ata_port_operations artop6260_ops = {
21788 .inherits = &ata_bmdma_port_ops,
21789 .cable_detect = artop6260_cable_detect,
21790 .set_piomode = artop6260_set_piomode,
21791 diff -urNp linux-2.6.36.2/drivers/ata/pata_at32.c linux-2.6.36.2/drivers/ata/pata_at32.c
21792 --- linux-2.6.36.2/drivers/ata/pata_at32.c 2010-10-20 16:30:22.000000000 -0400
21793 +++ linux-2.6.36.2/drivers/ata/pata_at32.c 2010-12-09 20:24:14.000000000 -0500
21794 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
21795 ATA_PIO_SHT(DRV_NAME),
21798 -static struct ata_port_operations at32_port_ops = {
21799 +static const struct ata_port_operations at32_port_ops = {
21800 .inherits = &ata_sff_port_ops,
21801 .cable_detect = ata_cable_40wire,
21802 .set_piomode = pata_at32_set_piomode,
21803 diff -urNp linux-2.6.36.2/drivers/ata/pata_at91.c linux-2.6.36.2/drivers/ata/pata_at91.c
21804 --- linux-2.6.36.2/drivers/ata/pata_at91.c 2010-10-20 16:30:22.000000000 -0400
21805 +++ linux-2.6.36.2/drivers/ata/pata_at91.c 2010-12-09 20:24:14.000000000 -0500
21806 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
21807 ATA_PIO_SHT(DRV_NAME),
21810 -static struct ata_port_operations pata_at91_port_ops = {
21811 +static const struct ata_port_operations pata_at91_port_ops = {
21812 .inherits = &ata_sff_port_ops,
21814 .sff_data_xfer = pata_at91_data_xfer_noirq,
21815 diff -urNp linux-2.6.36.2/drivers/ata/pata_atiixp.c linux-2.6.36.2/drivers/ata/pata_atiixp.c
21816 --- linux-2.6.36.2/drivers/ata/pata_atiixp.c 2010-10-20 16:30:22.000000000 -0400
21817 +++ linux-2.6.36.2/drivers/ata/pata_atiixp.c 2010-12-09 20:24:14.000000000 -0500
21818 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
21819 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21822 -static struct ata_port_operations atiixp_port_ops = {
21823 +static const struct ata_port_operations atiixp_port_ops = {
21824 .inherits = &ata_bmdma_port_ops,
21826 .qc_prep = ata_bmdma_dumb_qc_prep,
21827 diff -urNp linux-2.6.36.2/drivers/ata/pata_atp867x.c linux-2.6.36.2/drivers/ata/pata_atp867x.c
21828 --- linux-2.6.36.2/drivers/ata/pata_atp867x.c 2010-10-20 16:30:22.000000000 -0400
21829 +++ linux-2.6.36.2/drivers/ata/pata_atp867x.c 2010-12-09 20:24:14.000000000 -0500
21830 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
21831 ATA_BMDMA_SHT(DRV_NAME),
21834 -static struct ata_port_operations atp867x_ops = {
21835 +static const struct ata_port_operations atp867x_ops = {
21836 .inherits = &ata_bmdma_port_ops,
21837 .cable_detect = atp867x_cable_detect,
21838 .set_piomode = atp867x_set_piomode,
21839 diff -urNp linux-2.6.36.2/drivers/ata/pata_bf54x.c linux-2.6.36.2/drivers/ata/pata_bf54x.c
21840 --- linux-2.6.36.2/drivers/ata/pata_bf54x.c 2010-10-20 16:30:22.000000000 -0400
21841 +++ linux-2.6.36.2/drivers/ata/pata_bf54x.c 2010-12-09 20:24:14.000000000 -0500
21842 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
21843 .dma_boundary = ATA_DMA_BOUNDARY,
21846 -static struct ata_port_operations bfin_pata_ops = {
21847 +static const struct ata_port_operations bfin_pata_ops = {
21848 .inherits = &ata_bmdma_port_ops,
21850 .set_piomode = bfin_set_piomode,
21851 diff -urNp linux-2.6.36.2/drivers/ata/pata_cmd640.c linux-2.6.36.2/drivers/ata/pata_cmd640.c
21852 --- linux-2.6.36.2/drivers/ata/pata_cmd640.c 2010-10-20 16:30:22.000000000 -0400
21853 +++ linux-2.6.36.2/drivers/ata/pata_cmd640.c 2010-12-09 20:24:14.000000000 -0500
21854 @@ -165,7 +165,7 @@ static struct scsi_host_template cmd640_
21855 ATA_PIO_SHT(DRV_NAME),
21858 -static struct ata_port_operations cmd640_port_ops = {
21859 +static const struct ata_port_operations cmd640_port_ops = {
21860 .inherits = &ata_sff_port_ops,
21861 /* In theory xfer_noirq is not needed once we kill the prefetcher */
21862 .sff_data_xfer = ata_sff_data_xfer_noirq,
21863 diff -urNp linux-2.6.36.2/drivers/ata/pata_cmd64x.c linux-2.6.36.2/drivers/ata/pata_cmd64x.c
21864 --- linux-2.6.36.2/drivers/ata/pata_cmd64x.c 2010-10-20 16:30:22.000000000 -0400
21865 +++ linux-2.6.36.2/drivers/ata/pata_cmd64x.c 2010-12-09 20:24:14.000000000 -0500
21866 @@ -268,18 +268,18 @@ static const struct ata_port_operations
21867 .set_dmamode = cmd64x_set_dmamode,
21870 -static struct ata_port_operations cmd64x_port_ops = {
21871 +static const struct ata_port_operations cmd64x_port_ops = {
21872 .inherits = &cmd64x_base_ops,
21873 .cable_detect = ata_cable_40wire,
21876 -static struct ata_port_operations cmd646r1_port_ops = {
21877 +static const struct ata_port_operations cmd646r1_port_ops = {
21878 .inherits = &cmd64x_base_ops,
21879 .bmdma_stop = cmd646r1_bmdma_stop,
21880 .cable_detect = ata_cable_40wire,
21883 -static struct ata_port_operations cmd648_port_ops = {
21884 +static const struct ata_port_operations cmd648_port_ops = {
21885 .inherits = &cmd64x_base_ops,
21886 .bmdma_stop = cmd648_bmdma_stop,
21887 .cable_detect = cmd648_cable_detect,
21888 diff -urNp linux-2.6.36.2/drivers/ata/pata_cs5520.c linux-2.6.36.2/drivers/ata/pata_cs5520.c
21889 --- linux-2.6.36.2/drivers/ata/pata_cs5520.c 2010-10-20 16:30:22.000000000 -0400
21890 +++ linux-2.6.36.2/drivers/ata/pata_cs5520.c 2010-12-09 20:24:14.000000000 -0500
21891 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
21892 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21895 -static struct ata_port_operations cs5520_port_ops = {
21896 +static const struct ata_port_operations cs5520_port_ops = {
21897 .inherits = &ata_bmdma_port_ops,
21898 .qc_prep = ata_bmdma_dumb_qc_prep,
21899 .cable_detect = ata_cable_40wire,
21900 diff -urNp linux-2.6.36.2/drivers/ata/pata_cs5530.c linux-2.6.36.2/drivers/ata/pata_cs5530.c
21901 --- linux-2.6.36.2/drivers/ata/pata_cs5530.c 2010-10-20 16:30:22.000000000 -0400
21902 +++ linux-2.6.36.2/drivers/ata/pata_cs5530.c 2010-12-09 20:24:14.000000000 -0500
21903 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
21904 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21907 -static struct ata_port_operations cs5530_port_ops = {
21908 +static const struct ata_port_operations cs5530_port_ops = {
21909 .inherits = &ata_bmdma_port_ops,
21911 .qc_prep = ata_bmdma_dumb_qc_prep,
21912 diff -urNp linux-2.6.36.2/drivers/ata/pata_cs5535.c linux-2.6.36.2/drivers/ata/pata_cs5535.c
21913 --- linux-2.6.36.2/drivers/ata/pata_cs5535.c 2010-10-20 16:30:22.000000000 -0400
21914 +++ linux-2.6.36.2/drivers/ata/pata_cs5535.c 2010-12-09 20:24:14.000000000 -0500
21915 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
21916 ATA_BMDMA_SHT(DRV_NAME),
21919 -static struct ata_port_operations cs5535_port_ops = {
21920 +static const struct ata_port_operations cs5535_port_ops = {
21921 .inherits = &ata_bmdma_port_ops,
21922 .cable_detect = cs5535_cable_detect,
21923 .set_piomode = cs5535_set_piomode,
21924 diff -urNp linux-2.6.36.2/drivers/ata/pata_cs5536.c linux-2.6.36.2/drivers/ata/pata_cs5536.c
21925 --- linux-2.6.36.2/drivers/ata/pata_cs5536.c 2010-10-20 16:30:22.000000000 -0400
21926 +++ linux-2.6.36.2/drivers/ata/pata_cs5536.c 2010-12-09 20:24:14.000000000 -0500
21927 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
21928 ATA_BMDMA_SHT(DRV_NAME),
21931 -static struct ata_port_operations cs5536_port_ops = {
21932 +static const struct ata_port_operations cs5536_port_ops = {
21933 .inherits = &ata_bmdma32_port_ops,
21934 .cable_detect = cs5536_cable_detect,
21935 .set_piomode = cs5536_set_piomode,
21936 diff -urNp linux-2.6.36.2/drivers/ata/pata_cypress.c linux-2.6.36.2/drivers/ata/pata_cypress.c
21937 --- linux-2.6.36.2/drivers/ata/pata_cypress.c 2010-10-20 16:30:22.000000000 -0400
21938 +++ linux-2.6.36.2/drivers/ata/pata_cypress.c 2010-12-09 20:24:14.000000000 -0500
21939 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
21940 ATA_BMDMA_SHT(DRV_NAME),
21943 -static struct ata_port_operations cy82c693_port_ops = {
21944 +static const struct ata_port_operations cy82c693_port_ops = {
21945 .inherits = &ata_bmdma_port_ops,
21946 .cable_detect = ata_cable_40wire,
21947 .set_piomode = cy82c693_set_piomode,
21948 diff -urNp linux-2.6.36.2/drivers/ata/pata_efar.c linux-2.6.36.2/drivers/ata/pata_efar.c
21949 --- linux-2.6.36.2/drivers/ata/pata_efar.c 2010-10-20 16:30:22.000000000 -0400
21950 +++ linux-2.6.36.2/drivers/ata/pata_efar.c 2010-12-09 20:24:14.000000000 -0500
21951 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
21952 ATA_BMDMA_SHT(DRV_NAME),
21955 -static struct ata_port_operations efar_ops = {
21956 +static const struct ata_port_operations efar_ops = {
21957 .inherits = &ata_bmdma_port_ops,
21958 .cable_detect = efar_cable_detect,
21959 .set_piomode = efar_set_piomode,
21960 diff -urNp linux-2.6.36.2/drivers/ata/pata_hpt366.c linux-2.6.36.2/drivers/ata/pata_hpt366.c
21961 --- linux-2.6.36.2/drivers/ata/pata_hpt366.c 2010-10-20 16:30:22.000000000 -0400
21962 +++ linux-2.6.36.2/drivers/ata/pata_hpt366.c 2010-12-09 20:24:14.000000000 -0500
21963 @@ -269,7 +269,7 @@ static struct scsi_host_template hpt36x_
21964 * Configuration for HPT366/68
21967 -static struct ata_port_operations hpt366_port_ops = {
21968 +static const struct ata_port_operations hpt366_port_ops = {
21969 .inherits = &ata_bmdma_port_ops,
21970 .cable_detect = hpt36x_cable_detect,
21971 .mode_filter = hpt366_filter,
21972 diff -urNp linux-2.6.36.2/drivers/ata/pata_hpt37x.c linux-2.6.36.2/drivers/ata/pata_hpt37x.c
21973 --- linux-2.6.36.2/drivers/ata/pata_hpt37x.c 2010-10-20 16:30:22.000000000 -0400
21974 +++ linux-2.6.36.2/drivers/ata/pata_hpt37x.c 2010-12-09 20:24:14.000000000 -0500
21975 @@ -564,7 +564,7 @@ static struct scsi_host_template hpt37x_
21976 * Configuration for HPT370
21979 -static struct ata_port_operations hpt370_port_ops = {
21980 +static const struct ata_port_operations hpt370_port_ops = {
21981 .inherits = &ata_bmdma_port_ops,
21983 .bmdma_stop = hpt370_bmdma_stop,
21984 @@ -580,7 +580,7 @@ static struct ata_port_operations hpt370
21985 * Configuration for HPT370A. Close to 370 but less filters
21988 -static struct ata_port_operations hpt370a_port_ops = {
21989 +static const struct ata_port_operations hpt370a_port_ops = {
21990 .inherits = &hpt370_port_ops,
21991 .mode_filter = hpt370a_filter,
21993 @@ -590,7 +590,7 @@ static struct ata_port_operations hpt370
21994 * and DMA mode setting functionality.
21997 -static struct ata_port_operations hpt372_port_ops = {
21998 +static const struct ata_port_operations hpt372_port_ops = {
21999 .inherits = &ata_bmdma_port_ops,
22001 .bmdma_stop = hpt37x_bmdma_stop,
22002 @@ -606,7 +606,7 @@ static struct ata_port_operations hpt372
22003 * but we have a different cable detection procedure for function 1.
22006 -static struct ata_port_operations hpt374_fn1_port_ops = {
22007 +static const struct ata_port_operations hpt374_fn1_port_ops = {
22008 .inherits = &hpt372_port_ops,
22009 .cable_detect = hpt374_fn1_cable_detect,
22010 .prereset = hpt37x_pre_reset,
22011 diff -urNp linux-2.6.36.2/drivers/ata/pata_hpt3x2n.c linux-2.6.36.2/drivers/ata/pata_hpt3x2n.c
22012 --- linux-2.6.36.2/drivers/ata/pata_hpt3x2n.c 2010-10-20 16:30:22.000000000 -0400
22013 +++ linux-2.6.36.2/drivers/ata/pata_hpt3x2n.c 2010-12-09 20:24:14.000000000 -0500
22014 @@ -331,7 +331,7 @@ static struct scsi_host_template hpt3x2n
22015 * Configuration for HPT3x2n.
22018 -static struct ata_port_operations hpt3x2n_port_ops = {
22019 +static const struct ata_port_operations hpt3x2n_port_ops = {
22020 .inherits = &ata_bmdma_port_ops,
22022 .bmdma_stop = hpt3x2n_bmdma_stop,
22023 diff -urNp linux-2.6.36.2/drivers/ata/pata_hpt3x3.c linux-2.6.36.2/drivers/ata/pata_hpt3x3.c
22024 --- linux-2.6.36.2/drivers/ata/pata_hpt3x3.c 2010-10-20 16:30:22.000000000 -0400
22025 +++ linux-2.6.36.2/drivers/ata/pata_hpt3x3.c 2010-12-09 20:24:14.000000000 -0500
22026 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
22027 ATA_BMDMA_SHT(DRV_NAME),
22030 -static struct ata_port_operations hpt3x3_port_ops = {
22031 +static const struct ata_port_operations hpt3x3_port_ops = {
22032 .inherits = &ata_bmdma_port_ops,
22033 .cable_detect = ata_cable_40wire,
22034 .set_piomode = hpt3x3_set_piomode,
22035 diff -urNp linux-2.6.36.2/drivers/ata/pata_icside.c linux-2.6.36.2/drivers/ata/pata_icside.c
22036 --- linux-2.6.36.2/drivers/ata/pata_icside.c 2010-10-20 16:30:22.000000000 -0400
22037 +++ linux-2.6.36.2/drivers/ata/pata_icside.c 2010-12-09 20:24:14.000000000 -0500
22038 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
22042 -static struct ata_port_operations pata_icside_port_ops = {
22043 +static const struct ata_port_operations pata_icside_port_ops = {
22044 .inherits = &ata_bmdma_port_ops,
22045 /* no need to build any PRD tables for DMA */
22046 .qc_prep = ata_noop_qc_prep,
22047 diff -urNp linux-2.6.36.2/drivers/ata/pata_isapnp.c linux-2.6.36.2/drivers/ata/pata_isapnp.c
22048 --- linux-2.6.36.2/drivers/ata/pata_isapnp.c 2010-10-20 16:30:22.000000000 -0400
22049 +++ linux-2.6.36.2/drivers/ata/pata_isapnp.c 2010-12-09 20:24:14.000000000 -0500
22050 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
22051 ATA_PIO_SHT(DRV_NAME),
22054 -static struct ata_port_operations isapnp_port_ops = {
22055 +static const struct ata_port_operations isapnp_port_ops = {
22056 .inherits = &ata_sff_port_ops,
22057 .cable_detect = ata_cable_40wire,
22060 -static struct ata_port_operations isapnp_noalt_port_ops = {
22061 +static const struct ata_port_operations isapnp_noalt_port_ops = {
22062 .inherits = &ata_sff_port_ops,
22063 .cable_detect = ata_cable_40wire,
22064 /* No altstatus so we don't want to use the lost interrupt poll */
22065 diff -urNp linux-2.6.36.2/drivers/ata/pata_it8213.c linux-2.6.36.2/drivers/ata/pata_it8213.c
22066 --- linux-2.6.36.2/drivers/ata/pata_it8213.c 2010-10-20 16:30:22.000000000 -0400
22067 +++ linux-2.6.36.2/drivers/ata/pata_it8213.c 2010-12-09 20:24:14.000000000 -0500
22068 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
22072 -static struct ata_port_operations it8213_ops = {
22073 +static const struct ata_port_operations it8213_ops = {
22074 .inherits = &ata_bmdma_port_ops,
22075 .cable_detect = it8213_cable_detect,
22076 .set_piomode = it8213_set_piomode,
22077 diff -urNp linux-2.6.36.2/drivers/ata/pata_it821x.c linux-2.6.36.2/drivers/ata/pata_it821x.c
22078 --- linux-2.6.36.2/drivers/ata/pata_it821x.c 2010-10-20 16:30:22.000000000 -0400
22079 +++ linux-2.6.36.2/drivers/ata/pata_it821x.c 2010-12-09 20:24:14.000000000 -0500
22080 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
22081 ATA_BMDMA_SHT(DRV_NAME),
22084 -static struct ata_port_operations it821x_smart_port_ops = {
22085 +static const struct ata_port_operations it821x_smart_port_ops = {
22086 .inherits = &ata_bmdma_port_ops,
22088 .check_atapi_dma= it821x_check_atapi_dma,
22089 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
22090 .port_start = it821x_port_start,
22093 -static struct ata_port_operations it821x_passthru_port_ops = {
22094 +static const struct ata_port_operations it821x_passthru_port_ops = {
22095 .inherits = &ata_bmdma_port_ops,
22097 .check_atapi_dma= it821x_check_atapi_dma,
22098 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
22099 .port_start = it821x_port_start,
22102 -static struct ata_port_operations it821x_rdc_port_ops = {
22103 +static const struct ata_port_operations it821x_rdc_port_ops = {
22104 .inherits = &ata_bmdma_port_ops,
22106 .check_atapi_dma= it821x_check_atapi_dma,
22107 diff -urNp linux-2.6.36.2/drivers/ata/pata_ixp4xx_cf.c linux-2.6.36.2/drivers/ata/pata_ixp4xx_cf.c
22108 --- linux-2.6.36.2/drivers/ata/pata_ixp4xx_cf.c 2010-10-20 16:30:22.000000000 -0400
22109 +++ linux-2.6.36.2/drivers/ata/pata_ixp4xx_cf.c 2010-12-09 20:24:14.000000000 -0500
22110 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
22111 ATA_PIO_SHT(DRV_NAME),
22114 -static struct ata_port_operations ixp4xx_port_ops = {
22115 +static const struct ata_port_operations ixp4xx_port_ops = {
22116 .inherits = &ata_sff_port_ops,
22117 .sff_data_xfer = ixp4xx_mmio_data_xfer,
22118 .cable_detect = ata_cable_40wire,
22119 diff -urNp linux-2.6.36.2/drivers/ata/pata_jmicron.c linux-2.6.36.2/drivers/ata/pata_jmicron.c
22120 --- linux-2.6.36.2/drivers/ata/pata_jmicron.c 2010-10-20 16:30:22.000000000 -0400
22121 +++ linux-2.6.36.2/drivers/ata/pata_jmicron.c 2010-12-09 20:24:14.000000000 -0500
22122 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
22123 ATA_BMDMA_SHT(DRV_NAME),
22126 -static struct ata_port_operations jmicron_ops = {
22127 +static const struct ata_port_operations jmicron_ops = {
22128 .inherits = &ata_bmdma_port_ops,
22129 .prereset = jmicron_pre_reset,
22131 diff -urNp linux-2.6.36.2/drivers/ata/pata_legacy.c linux-2.6.36.2/drivers/ata/pata_legacy.c
22132 --- linux-2.6.36.2/drivers/ata/pata_legacy.c 2010-10-20 16:30:22.000000000 -0400
22133 +++ linux-2.6.36.2/drivers/ata/pata_legacy.c 2010-12-09 20:24:14.000000000 -0500
22134 @@ -116,7 +116,7 @@ struct legacy_probe {
22136 struct legacy_controller {
22138 - struct ata_port_operations *ops;
22139 + const struct ata_port_operations *ops;
22140 unsigned int pio_mask;
22141 unsigned int flags;
22142 unsigned int pflags;
22143 @@ -239,12 +239,12 @@ static const struct ata_port_operations
22144 * pio_mask as well.
22147 -static struct ata_port_operations simple_port_ops = {
22148 +static const struct ata_port_operations simple_port_ops = {
22149 .inherits = &legacy_base_port_ops,
22150 .sff_data_xfer = ata_sff_data_xfer_noirq,
22153 -static struct ata_port_operations legacy_port_ops = {
22154 +static const struct ata_port_operations legacy_port_ops = {
22155 .inherits = &legacy_base_port_ops,
22156 .sff_data_xfer = ata_sff_data_xfer_noirq,
22157 .set_mode = legacy_set_mode,
22158 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
22162 -static struct ata_port_operations pdc20230_port_ops = {
22163 +static const struct ata_port_operations pdc20230_port_ops = {
22164 .inherits = &legacy_base_port_ops,
22165 .set_piomode = pdc20230_set_piomode,
22166 .sff_data_xfer = pdc_data_xfer_vlb,
22167 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
22168 ioread8(ap->ioaddr.status_addr);
22171 -static struct ata_port_operations ht6560a_port_ops = {
22172 +static const struct ata_port_operations ht6560a_port_ops = {
22173 .inherits = &legacy_base_port_ops,
22174 .set_piomode = ht6560a_set_piomode,
22176 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
22177 ioread8(ap->ioaddr.status_addr);
22180 -static struct ata_port_operations ht6560b_port_ops = {
22181 +static const struct ata_port_operations ht6560b_port_ops = {
22182 .inherits = &legacy_base_port_ops,
22183 .set_piomode = ht6560b_set_piomode,
22185 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
22189 -static struct ata_port_operations opti82c611a_port_ops = {
22190 +static const struct ata_port_operations opti82c611a_port_ops = {
22191 .inherits = &legacy_base_port_ops,
22192 .set_piomode = opti82c611a_set_piomode,
22194 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
22195 return ata_sff_qc_issue(qc);
22198 -static struct ata_port_operations opti82c46x_port_ops = {
22199 +static const struct ata_port_operations opti82c46x_port_ops = {
22200 .inherits = &legacy_base_port_ops,
22201 .set_piomode = opti82c46x_set_piomode,
22202 .qc_issue = opti82c46x_qc_issue,
22203 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
22207 -static struct ata_port_operations qdi6500_port_ops = {
22208 +static const struct ata_port_operations qdi6500_port_ops = {
22209 .inherits = &legacy_base_port_ops,
22210 .set_piomode = qdi6500_set_piomode,
22211 .qc_issue = qdi_qc_issue,
22212 .sff_data_xfer = vlb32_data_xfer,
22215 -static struct ata_port_operations qdi6580_port_ops = {
22216 +static const struct ata_port_operations qdi6580_port_ops = {
22217 .inherits = &legacy_base_port_ops,
22218 .set_piomode = qdi6580_set_piomode,
22219 .sff_data_xfer = vlb32_data_xfer,
22222 -static struct ata_port_operations qdi6580dp_port_ops = {
22223 +static const struct ata_port_operations qdi6580dp_port_ops = {
22224 .inherits = &legacy_base_port_ops,
22225 .set_piomode = qdi6580dp_set_piomode,
22226 .qc_issue = qdi_qc_issue,
22227 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
22231 -static struct ata_port_operations winbond_port_ops = {
22232 +static const struct ata_port_operations winbond_port_ops = {
22233 .inherits = &legacy_base_port_ops,
22234 .set_piomode = winbond_set_piomode,
22235 .sff_data_xfer = vlb32_data_xfer,
22236 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
22237 int pio_modes = controller->pio_mask;
22238 unsigned long io = probe->port;
22239 u32 mask = (1 << probe->slot);
22240 - struct ata_port_operations *ops = controller->ops;
22241 + const struct ata_port_operations *ops = controller->ops;
22242 struct legacy_data *ld = &legacy_data[probe->slot];
22243 struct ata_host *host = NULL;
22244 struct ata_port *ap;
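Review bot: With `ops` now a pointer to const in `legacy_init_one`, a later store of it into a port or host field stays warning-free only if that field is const-qualified as well. The rest of the function is outside this hunk, so check that the assignment target (presumably the port's `ops` member) was changed in the header part of this patch. The store should remain a plain assignment such as `ap->ops = ops;`; a cast that drops the qualifier would undo what the `struct legacy_controller` change earlier in this file sets up. The same check applies to the `ops` local in `pcmcia_init_one` in pata_pcmcia.c.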
22245 diff -urNp linux-2.6.36.2/drivers/ata/pata_macio.c linux-2.6.36.2/drivers/ata/pata_macio.c
22246 --- linux-2.6.36.2/drivers/ata/pata_macio.c 2010-10-20 16:30:22.000000000 -0400
22247 +++ linux-2.6.36.2/drivers/ata/pata_macio.c 2010-12-09 20:24:14.000000000 -0500
22248 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
22249 .slave_configure = pata_macio_slave_config,
22252 -static struct ata_port_operations pata_macio_ops = {
22253 +static const struct ata_port_operations pata_macio_ops = {
22254 .inherits = &ata_bmdma_port_ops,
22256 .freeze = pata_macio_freeze,
22257 .set_piomode = pata_macio_set_timings,
22258 .set_dmamode = pata_macio_set_timings,
22259 diff -urNp linux-2.6.36.2/drivers/ata/pata_marvell.c linux-2.6.36.2/drivers/ata/pata_marvell.c
22260 --- linux-2.6.36.2/drivers/ata/pata_marvell.c 2010-10-20 16:30:22.000000000 -0400
22261 +++ linux-2.6.36.2/drivers/ata/pata_marvell.c 2010-12-09 20:24:14.000000000 -0500
22262 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
22263 ATA_BMDMA_SHT(DRV_NAME),
22266 -static struct ata_port_operations marvell_ops = {
22267 +static const struct ata_port_operations marvell_ops = {
22268 .inherits = &ata_bmdma_port_ops,
22269 .cable_detect = marvell_cable_detect,
22270 .prereset = marvell_pre_reset,
22271 diff -urNp linux-2.6.36.2/drivers/ata/pata_mpc52xx.c linux-2.6.36.2/drivers/ata/pata_mpc52xx.c
22272 --- linux-2.6.36.2/drivers/ata/pata_mpc52xx.c 2010-10-20 16:30:22.000000000 -0400
22273 +++ linux-2.6.36.2/drivers/ata/pata_mpc52xx.c 2010-12-09 20:24:14.000000000 -0500
22274 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
22275 ATA_PIO_SHT(DRV_NAME),
22278 -static struct ata_port_operations mpc52xx_ata_port_ops = {
22279 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
22280 .inherits = &ata_sff_port_ops,
22281 .sff_dev_select = mpc52xx_ata_dev_select,
22282 .set_piomode = mpc52xx_ata_set_piomode,
22283 diff -urNp linux-2.6.36.2/drivers/ata/pata_mpiix.c linux-2.6.36.2/drivers/ata/pata_mpiix.c
22284 --- linux-2.6.36.2/drivers/ata/pata_mpiix.c 2010-10-20 16:30:22.000000000 -0400
22285 +++ linux-2.6.36.2/drivers/ata/pata_mpiix.c 2010-12-09 20:24:14.000000000 -0500
22286 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
22287 ATA_PIO_SHT(DRV_NAME),
22290 -static struct ata_port_operations mpiix_port_ops = {
22291 +static const struct ata_port_operations mpiix_port_ops = {
22292 .inherits = &ata_sff_port_ops,
22293 .qc_issue = mpiix_qc_issue,
22294 .cable_detect = ata_cable_40wire,
22295 diff -urNp linux-2.6.36.2/drivers/ata/pata_netcell.c linux-2.6.36.2/drivers/ata/pata_netcell.c
22296 --- linux-2.6.36.2/drivers/ata/pata_netcell.c 2010-10-20 16:30:22.000000000 -0400
22297 +++ linux-2.6.36.2/drivers/ata/pata_netcell.c 2010-12-09 20:24:14.000000000 -0500
22298 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
22299 ATA_BMDMA_SHT(DRV_NAME),
22302 -static struct ata_port_operations netcell_ops = {
22303 +static const struct ata_port_operations netcell_ops = {
22304 .inherits = &ata_bmdma_port_ops,
22305 .cable_detect = ata_cable_80wire,
22306 .read_id = netcell_read_id,
22307 diff -urNp linux-2.6.36.2/drivers/ata/pata_ninja32.c linux-2.6.36.2/drivers/ata/pata_ninja32.c
22308 --- linux-2.6.36.2/drivers/ata/pata_ninja32.c 2010-10-20 16:30:22.000000000 -0400
22309 +++ linux-2.6.36.2/drivers/ata/pata_ninja32.c 2010-12-09 20:24:14.000000000 -0500
22310 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
22311 ATA_BMDMA_SHT(DRV_NAME),
22314 -static struct ata_port_operations ninja32_port_ops = {
22315 +static const struct ata_port_operations ninja32_port_ops = {
22316 .inherits = &ata_bmdma_port_ops,
22317 .sff_dev_select = ninja32_dev_select,
22318 .cable_detect = ata_cable_40wire,
22319 diff -urNp linux-2.6.36.2/drivers/ata/pata_ns87410.c linux-2.6.36.2/drivers/ata/pata_ns87410.c
22320 --- linux-2.6.36.2/drivers/ata/pata_ns87410.c 2010-10-20 16:30:22.000000000 -0400
22321 +++ linux-2.6.36.2/drivers/ata/pata_ns87410.c 2010-12-09 20:24:14.000000000 -0500
22322 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
22323 ATA_PIO_SHT(DRV_NAME),
22326 -static struct ata_port_operations ns87410_port_ops = {
22327 +static const struct ata_port_operations ns87410_port_ops = {
22328 .inherits = &ata_sff_port_ops,
22329 .qc_issue = ns87410_qc_issue,
22330 .cable_detect = ata_cable_40wire,
22331 diff -urNp linux-2.6.36.2/drivers/ata/pata_ns87415.c linux-2.6.36.2/drivers/ata/pata_ns87415.c
22332 --- linux-2.6.36.2/drivers/ata/pata_ns87415.c 2010-10-20 16:30:22.000000000 -0400
22333 +++ linux-2.6.36.2/drivers/ata/pata_ns87415.c 2010-12-09 20:24:14.000000000 -0500
22334 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
22336 #endif /* 87560 SuperIO Support */
22338 -static struct ata_port_operations ns87415_pata_ops = {
22339 +static const struct ata_port_operations ns87415_pata_ops = {
22340 .inherits = &ata_bmdma_port_ops,
22342 .check_atapi_dma = ns87415_check_atapi_dma,
22343 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
22346 #if defined(CONFIG_SUPERIO)
22347 -static struct ata_port_operations ns87560_pata_ops = {
22348 +static const struct ata_port_operations ns87560_pata_ops = {
22349 .inherits = &ns87415_pata_ops,
22350 .sff_tf_read = ns87560_tf_read,
22351 .sff_check_status = ns87560_check_status,
22352 diff -urNp linux-2.6.36.2/drivers/ata/pata_octeon_cf.c linux-2.6.36.2/drivers/ata/pata_octeon_cf.c
22353 --- linux-2.6.36.2/drivers/ata/pata_octeon_cf.c 2010-10-20 16:30:22.000000000 -0400
22354 +++ linux-2.6.36.2/drivers/ata/pata_octeon_cf.c 2010-12-09 20:24:14.000000000 -0500
22355 @@ -782,6 +782,7 @@ static unsigned int octeon_cf_qc_issue(s
22359 +/* cannot be const */
22360 static struct ata_port_operations octeon_cf_ops = {
22361 .inherits = &ata_sff_port_ops,
22362 .check_atapi_dma = octeon_cf_check_atapi_dma,
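Review bot: The added comment `/* cannot be const */` on `octeon_cf_ops` records the exception but not the reason, so a later reader cannot tell whether the table could ever be made read-only. If the reason is that the probe code assigns callbacks into this table at runtime (not visible in this hunk, please confirm), say so: `/* not const: probe code patches callbacks in this table at runtime */`. This leaves one function-pointer table writable while the rest of the patch moves them to read-only data; a follow-up that picks between separate const tables at probe time would remove the exception. The initializer continues past the end of the hunk.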
22363 diff -urNp linux-2.6.36.2/drivers/ata/pata_oldpiix.c linux-2.6.36.2/drivers/ata/pata_oldpiix.c
22364 --- linux-2.6.36.2/drivers/ata/pata_oldpiix.c 2010-10-20 16:30:22.000000000 -0400
22365 +++ linux-2.6.36.2/drivers/ata/pata_oldpiix.c 2010-12-09 20:24:14.000000000 -0500
22366 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
22367 ATA_BMDMA_SHT(DRV_NAME),
22370 -static struct ata_port_operations oldpiix_pata_ops = {
22371 +static const struct ata_port_operations oldpiix_pata_ops = {
22372 .inherits = &ata_bmdma_port_ops,
22373 .qc_issue = oldpiix_qc_issue,
22374 .cable_detect = ata_cable_40wire,
22375 diff -urNp linux-2.6.36.2/drivers/ata/pata_opti.c linux-2.6.36.2/drivers/ata/pata_opti.c
22376 --- linux-2.6.36.2/drivers/ata/pata_opti.c 2010-10-20 16:30:22.000000000 -0400
22377 +++ linux-2.6.36.2/drivers/ata/pata_opti.c 2010-12-09 20:24:14.000000000 -0500
22378 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
22379 ATA_PIO_SHT(DRV_NAME),
22382 -static struct ata_port_operations opti_port_ops = {
22383 +static const struct ata_port_operations opti_port_ops = {
22384 .inherits = &ata_sff_port_ops,
22385 .cable_detect = ata_cable_40wire,
22386 .set_piomode = opti_set_piomode,
22387 diff -urNp linux-2.6.36.2/drivers/ata/pata_optidma.c linux-2.6.36.2/drivers/ata/pata_optidma.c
22388 --- linux-2.6.36.2/drivers/ata/pata_optidma.c 2010-10-20 16:30:22.000000000 -0400
22389 +++ linux-2.6.36.2/drivers/ata/pata_optidma.c 2010-12-09 20:24:14.000000000 -0500
22390 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
22391 ATA_BMDMA_SHT(DRV_NAME),
22394 -static struct ata_port_operations optidma_port_ops = {
22395 +static const struct ata_port_operations optidma_port_ops = {
22396 .inherits = &ata_bmdma_port_ops,
22397 .cable_detect = ata_cable_40wire,
22398 .set_piomode = optidma_set_pio_mode,
22399 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
22400 .prereset = optidma_pre_reset,
22403 -static struct ata_port_operations optiplus_port_ops = {
22404 +static const struct ata_port_operations optiplus_port_ops = {
22405 .inherits = &optidma_port_ops,
22406 .set_piomode = optiplus_set_pio_mode,
22407 .set_dmamode = optiplus_set_dma_mode,
22408 diff -urNp linux-2.6.36.2/drivers/ata/pata_palmld.c linux-2.6.36.2/drivers/ata/pata_palmld.c
22409 --- linux-2.6.36.2/drivers/ata/pata_palmld.c 2010-10-20 16:30:22.000000000 -0400
22410 +++ linux-2.6.36.2/drivers/ata/pata_palmld.c 2010-12-09 20:24:14.000000000 -0500
22411 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
22412 ATA_PIO_SHT(DRV_NAME),
22415 -static struct ata_port_operations palmld_port_ops = {
22416 +static const struct ata_port_operations palmld_port_ops = {
22417 .inherits = &ata_sff_port_ops,
22418 .sff_data_xfer = ata_sff_data_xfer_noirq,
22419 .cable_detect = ata_cable_40wire,
22420 diff -urNp linux-2.6.36.2/drivers/ata/pata_pcmcia.c linux-2.6.36.2/drivers/ata/pata_pcmcia.c
22421 --- linux-2.6.36.2/drivers/ata/pata_pcmcia.c 2010-10-20 16:30:22.000000000 -0400
22422 +++ linux-2.6.36.2/drivers/ata/pata_pcmcia.c 2010-12-09 20:24:14.000000000 -0500
22423 @@ -152,14 +152,14 @@ static struct scsi_host_template pcmcia_
22424 ATA_PIO_SHT(DRV_NAME),
22427 -static struct ata_port_operations pcmcia_port_ops = {
22428 +static const struct ata_port_operations pcmcia_port_ops = {
22429 .inherits = &ata_sff_port_ops,
22430 .sff_data_xfer = ata_sff_data_xfer_noirq,
22431 .cable_detect = ata_cable_40wire,
22432 .set_mode = pcmcia_set_mode,
22435 -static struct ata_port_operations pcmcia_8bit_port_ops = {
22436 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
22437 .inherits = &ata_sff_port_ops,
22438 .sff_data_xfer = ata_data_xfer_8bit,
22439 .cable_detect = ata_cable_40wire,
22440 @@ -244,7 +244,7 @@ static int pcmcia_init_one(struct pcmcia
22441 unsigned long io_base, ctl_base;
22442 void __iomem *io_addr, *ctl_addr;
22444 - struct ata_port_operations *ops = &pcmcia_port_ops;
22445 + const struct ata_port_operations *ops = &pcmcia_port_ops;
22447 /* Set up attributes in order to probe card and get resources */
22448 pdev->resource[0]->flags |= IO_DATA_PATH_WIDTH_AUTO;
22449 diff -urNp linux-2.6.36.2/drivers/ata/pata_pdc2027x.c linux-2.6.36.2/drivers/ata/pata_pdc2027x.c
22450 --- linux-2.6.36.2/drivers/ata/pata_pdc2027x.c 2010-10-20 16:30:22.000000000 -0400
22451 +++ linux-2.6.36.2/drivers/ata/pata_pdc2027x.c 2010-12-09 20:24:14.000000000 -0500
22452 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
22453 ATA_BMDMA_SHT(DRV_NAME),
22456 -static struct ata_port_operations pdc2027x_pata100_ops = {
22457 +static const struct ata_port_operations pdc2027x_pata100_ops = {
22458 .inherits = &ata_bmdma_port_ops,
22459 .check_atapi_dma = pdc2027x_check_atapi_dma,
22460 .cable_detect = pdc2027x_cable_detect,
22461 .prereset = pdc2027x_prereset,
22464 -static struct ata_port_operations pdc2027x_pata133_ops = {
22465 +static const struct ata_port_operations pdc2027x_pata133_ops = {
22466 .inherits = &pdc2027x_pata100_ops,
22467 .mode_filter = pdc2027x_mode_filter,
22468 .set_piomode = pdc2027x_set_piomode,
22469 diff -urNp linux-2.6.36.2/drivers/ata/pata_pdc202xx_old.c linux-2.6.36.2/drivers/ata/pata_pdc202xx_old.c
22470 --- linux-2.6.36.2/drivers/ata/pata_pdc202xx_old.c 2010-10-20 16:30:22.000000000 -0400
22471 +++ linux-2.6.36.2/drivers/ata/pata_pdc202xx_old.c 2010-12-09 20:24:14.000000000 -0500
22472 @@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
22473 ATA_BMDMA_SHT(DRV_NAME),
22476 -static struct ata_port_operations pdc2024x_port_ops = {
22477 +static const struct ata_port_operations pdc2024x_port_ops = {
22478 .inherits = &ata_bmdma_port_ops,
22480 .cable_detect = ata_cable_40wire,
22481 @@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
22482 .sff_exec_command = pdc202xx_exec_command,
22485 -static struct ata_port_operations pdc2026x_port_ops = {
22486 +static const struct ata_port_operations pdc2026x_port_ops = {
22487 .inherits = &pdc2024x_port_ops,
22489 .check_atapi_dma = pdc2026x_check_atapi_dma,
22490 diff -urNp linux-2.6.36.2/drivers/ata/pata_piccolo.c linux-2.6.36.2/drivers/ata/pata_piccolo.c
22491 --- linux-2.6.36.2/drivers/ata/pata_piccolo.c 2010-10-20 16:30:22.000000000 -0400
22492 +++ linux-2.6.36.2/drivers/ata/pata_piccolo.c 2010-12-09 20:24:14.000000000 -0500
22493 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
22494 ATA_BMDMA_SHT(DRV_NAME),
22497 -static struct ata_port_operations tosh_port_ops = {
22498 +static const struct ata_port_operations tosh_port_ops = {
22499 .inherits = &ata_bmdma_port_ops,
22500 .cable_detect = ata_cable_unknown,
22501 .set_piomode = tosh_set_piomode,
22502 diff -urNp linux-2.6.36.2/drivers/ata/pata_platform.c linux-2.6.36.2/drivers/ata/pata_platform.c
22503 --- linux-2.6.36.2/drivers/ata/pata_platform.c 2010-10-20 16:30:22.000000000 -0400
22504 +++ linux-2.6.36.2/drivers/ata/pata_platform.c 2010-12-09 20:24:14.000000000 -0500
22505 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
22506 ATA_PIO_SHT(DRV_NAME),
22509 -static struct ata_port_operations pata_platform_port_ops = {
22510 +static const struct ata_port_operations pata_platform_port_ops = {
22511 .inherits = &ata_sff_port_ops,
22512 .sff_data_xfer = ata_sff_data_xfer_noirq,
22513 .cable_detect = ata_cable_unknown,
22514 diff -urNp linux-2.6.36.2/drivers/ata/pata_pxa.c linux-2.6.36.2/drivers/ata/pata_pxa.c
22515 --- linux-2.6.36.2/drivers/ata/pata_pxa.c 2010-10-20 16:30:22.000000000 -0400
22516 +++ linux-2.6.36.2/drivers/ata/pata_pxa.c 2010-12-09 20:24:14.000000000 -0500
22517 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
22518 ATA_BMDMA_SHT(DRV_NAME),
22521 -static struct ata_port_operations pxa_ata_port_ops = {
22522 +static const struct ata_port_operations pxa_ata_port_ops = {
22523 .inherits = &ata_bmdma_port_ops,
22524 .cable_detect = ata_cable_40wire,
22526 diff -urNp linux-2.6.36.2/drivers/ata/pata_qdi.c linux-2.6.36.2/drivers/ata/pata_qdi.c
22527 --- linux-2.6.36.2/drivers/ata/pata_qdi.c 2010-10-20 16:30:22.000000000 -0400
22528 +++ linux-2.6.36.2/drivers/ata/pata_qdi.c 2010-12-09 20:24:14.000000000 -0500
22529 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
22530 ATA_PIO_SHT(DRV_NAME),
22533 -static struct ata_port_operations qdi6500_port_ops = {
22534 +static const struct ata_port_operations qdi6500_port_ops = {
22535 .inherits = &ata_sff_port_ops,
22536 .qc_issue = qdi_qc_issue,
22537 .sff_data_xfer = qdi_data_xfer,
22538 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
22539 .set_piomode = qdi6500_set_piomode,
22542 -static struct ata_port_operations qdi6580_port_ops = {
22543 +static const struct ata_port_operations qdi6580_port_ops = {
22544 .inherits = &qdi6500_port_ops,
22545 .set_piomode = qdi6580_set_piomode,
22547 diff -urNp linux-2.6.36.2/drivers/ata/pata_radisys.c linux-2.6.36.2/drivers/ata/pata_radisys.c
22548 --- linux-2.6.36.2/drivers/ata/pata_radisys.c 2010-10-20 16:30:22.000000000 -0400
22549 +++ linux-2.6.36.2/drivers/ata/pata_radisys.c 2010-12-09 20:24:14.000000000 -0500
22550 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
22551 ATA_BMDMA_SHT(DRV_NAME),
22554 -static struct ata_port_operations radisys_pata_ops = {
22555 +static const struct ata_port_operations radisys_pata_ops = {
22556 .inherits = &ata_bmdma_port_ops,
22557 .qc_issue = radisys_qc_issue,
22558 .cable_detect = ata_cable_unknown,
22559 diff -urNp linux-2.6.36.2/drivers/ata/pata_rb532_cf.c linux-2.6.36.2/drivers/ata/pata_rb532_cf.c
22560 --- linux-2.6.36.2/drivers/ata/pata_rb532_cf.c 2010-10-20 16:30:22.000000000 -0400
22561 +++ linux-2.6.36.2/drivers/ata/pata_rb532_cf.c 2010-12-09 20:24:14.000000000 -0500
22562 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
22563 return IRQ_HANDLED;
22566 -static struct ata_port_operations rb532_pata_port_ops = {
22567 +static const struct ata_port_operations rb532_pata_port_ops = {
22568 .inherits = &ata_sff_port_ops,
22569 .sff_data_xfer = ata_sff_data_xfer32,
22571 diff -urNp linux-2.6.36.2/drivers/ata/pata_rdc.c linux-2.6.36.2/drivers/ata/pata_rdc.c
22572 --- linux-2.6.36.2/drivers/ata/pata_rdc.c 2010-10-20 16:30:22.000000000 -0400
22573 +++ linux-2.6.36.2/drivers/ata/pata_rdc.c 2010-12-09 20:24:14.000000000 -0500
22574 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
22575 pci_write_config_byte(dev, 0x48, udma_enable);
22578 -static struct ata_port_operations rdc_pata_ops = {
22579 +static const struct ata_port_operations rdc_pata_ops = {
22580 .inherits = &ata_bmdma32_port_ops,
22581 .cable_detect = rdc_pata_cable_detect,
22582 .set_piomode = rdc_set_piomode,
22583 diff -urNp linux-2.6.36.2/drivers/ata/pata_rz1000.c linux-2.6.36.2/drivers/ata/pata_rz1000.c
22584 --- linux-2.6.36.2/drivers/ata/pata_rz1000.c 2010-10-20 16:30:22.000000000 -0400
22585 +++ linux-2.6.36.2/drivers/ata/pata_rz1000.c 2010-12-09 20:24:14.000000000 -0500
22586 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
22587 ATA_PIO_SHT(DRV_NAME),
22590 -static struct ata_port_operations rz1000_port_ops = {
22591 +static const struct ata_port_operations rz1000_port_ops = {
22592 .inherits = &ata_sff_port_ops,
22593 .cable_detect = ata_cable_40wire,
22594 .set_mode = rz1000_set_mode,
22595 diff -urNp linux-2.6.36.2/drivers/ata/pata_samsung_cf.c linux-2.6.36.2/drivers/ata/pata_samsung_cf.c
22596 --- linux-2.6.36.2/drivers/ata/pata_samsung_cf.c 2010-10-20 16:30:22.000000000 -0400
22597 +++ linux-2.6.36.2/drivers/ata/pata_samsung_cf.c 2010-12-09 20:24:14.000000000 -0500
22598 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
22599 ATA_PIO_SHT(DRV_NAME),
22602 -static struct ata_port_operations pata_s3c_port_ops = {
22603 +static const struct ata_port_operations pata_s3c_port_ops = {
22604 .inherits = &ata_sff_port_ops,
22605 .sff_check_status = pata_s3c_check_status,
22606 .sff_check_altstatus = pata_s3c_check_altstatus,
22607 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
22608 .set_piomode = pata_s3c_set_piomode,
22611 -static struct ata_port_operations pata_s5p_port_ops = {
22612 +static const struct ata_port_operations pata_s5p_port_ops = {
22613 .inherits = &ata_sff_port_ops,
22614 .set_piomode = pata_s3c_set_piomode,
22616 diff -urNp linux-2.6.36.2/drivers/ata/pata_sc1200.c linux-2.6.36.2/drivers/ata/pata_sc1200.c
22617 --- linux-2.6.36.2/drivers/ata/pata_sc1200.c 2010-10-20 16:30:22.000000000 -0400
22618 +++ linux-2.6.36.2/drivers/ata/pata_sc1200.c 2010-12-09 20:24:14.000000000 -0500
22619 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
22620 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22623 -static struct ata_port_operations sc1200_port_ops = {
22624 +static const struct ata_port_operations sc1200_port_ops = {
22625 .inherits = &ata_bmdma_port_ops,
22626 .qc_prep = ata_bmdma_dumb_qc_prep,
22627 .qc_issue = sc1200_qc_issue,
22628 diff -urNp linux-2.6.36.2/drivers/ata/pata_scc.c linux-2.6.36.2/drivers/ata/pata_scc.c
22629 --- linux-2.6.36.2/drivers/ata/pata_scc.c 2010-10-20 16:30:22.000000000 -0400
22630 +++ linux-2.6.36.2/drivers/ata/pata_scc.c 2010-12-09 20:24:14.000000000 -0500
22631 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
22632 ATA_BMDMA_SHT(DRV_NAME),
22635 -static struct ata_port_operations scc_pata_ops = {
22636 +static const struct ata_port_operations scc_pata_ops = {
22637 .inherits = &ata_bmdma_port_ops,
22639 .set_piomode = scc_set_piomode,
22640 diff -urNp linux-2.6.36.2/drivers/ata/pata_sch.c linux-2.6.36.2/drivers/ata/pata_sch.c
22641 --- linux-2.6.36.2/drivers/ata/pata_sch.c 2010-10-20 16:30:22.000000000 -0400
22642 +++ linux-2.6.36.2/drivers/ata/pata_sch.c 2010-12-09 20:24:14.000000000 -0500
22643 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
22644 ATA_BMDMA_SHT(DRV_NAME),
22647 -static struct ata_port_operations sch_pata_ops = {
22648 +static const struct ata_port_operations sch_pata_ops = {
22649 .inherits = &ata_bmdma_port_ops,
22650 .cable_detect = ata_cable_unknown,
22651 .set_piomode = sch_set_piomode,
22652 diff -urNp linux-2.6.36.2/drivers/ata/pata_serverworks.c linux-2.6.36.2/drivers/ata/pata_serverworks.c
22653 --- linux-2.6.36.2/drivers/ata/pata_serverworks.c 2010-10-20 16:30:22.000000000 -0400
22654 +++ linux-2.6.36.2/drivers/ata/pata_serverworks.c 2010-12-09 20:24:14.000000000 -0500
22655 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
22656 ATA_BMDMA_SHT(DRV_NAME),
22659 -static struct ata_port_operations serverworks_osb4_port_ops = {
22660 +static const struct ata_port_operations serverworks_osb4_port_ops = {
22661 .inherits = &ata_bmdma_port_ops,
22662 .cable_detect = serverworks_cable_detect,
22663 .mode_filter = serverworks_osb4_filter,
22664 @@ -308,7 +308,7 @@ static struct ata_port_operations server
22665 .set_dmamode = serverworks_set_dmamode,
22668 -static struct ata_port_operations serverworks_csb_port_ops = {
22669 +static const struct ata_port_operations serverworks_csb_port_ops = {
22670 .inherits = &serverworks_osb4_port_ops,
22671 .mode_filter = serverworks_csb_filter,
22673 diff -urNp linux-2.6.36.2/drivers/ata/pata_sil680.c linux-2.6.36.2/drivers/ata/pata_sil680.c
22674 --- linux-2.6.36.2/drivers/ata/pata_sil680.c 2010-10-20 16:30:22.000000000 -0400
22675 +++ linux-2.6.36.2/drivers/ata/pata_sil680.c 2010-12-09 20:24:14.000000000 -0500
22676 @@ -214,8 +214,7 @@ static struct scsi_host_template sil680_
22677 ATA_BMDMA_SHT(DRV_NAME),
22681 -static struct ata_port_operations sil680_port_ops = {
22682 +static const struct ata_port_operations sil680_port_ops = {
22683 .inherits = &ata_bmdma32_port_ops,
22684 .sff_exec_command = sil680_sff_exec_command,
22685 .cable_detect = sil680_cable_detect,
22686 diff -urNp linux-2.6.36.2/drivers/ata/pata_sis.c linux-2.6.36.2/drivers/ata/pata_sis.c
22687 --- linux-2.6.36.2/drivers/ata/pata_sis.c 2010-10-20 16:30:22.000000000 -0400
22688 +++ linux-2.6.36.2/drivers/ata/pata_sis.c 2010-12-09 20:24:14.000000000 -0500
22689 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
22690 ATA_BMDMA_SHT(DRV_NAME),
22693 -static struct ata_port_operations sis_133_for_sata_ops = {
22694 +static const struct ata_port_operations sis_133_for_sata_ops = {
22695 .inherits = &ata_bmdma_port_ops,
22696 .set_piomode = sis_133_set_piomode,
22697 .set_dmamode = sis_133_set_dmamode,
22698 .cable_detect = sis_133_cable_detect,
22701 -static struct ata_port_operations sis_base_ops = {
22702 +static const struct ata_port_operations sis_base_ops = {
22703 .inherits = &ata_bmdma_port_ops,
22704 .prereset = sis_pre_reset,
22707 -static struct ata_port_operations sis_133_ops = {
22708 +static const struct ata_port_operations sis_133_ops = {
22709 .inherits = &sis_base_ops,
22710 .set_piomode = sis_133_set_piomode,
22711 .set_dmamode = sis_133_set_dmamode,
22712 .cable_detect = sis_133_cable_detect,
22715 -static struct ata_port_operations sis_133_early_ops = {
22716 +static const struct ata_port_operations sis_133_early_ops = {
22717 .inherits = &sis_base_ops,
22718 .set_piomode = sis_100_set_piomode,
22719 .set_dmamode = sis_133_early_set_dmamode,
22720 .cable_detect = sis_66_cable_detect,
22723 -static struct ata_port_operations sis_100_ops = {
22724 +static const struct ata_port_operations sis_100_ops = {
22725 .inherits = &sis_base_ops,
22726 .set_piomode = sis_100_set_piomode,
22727 .set_dmamode = sis_100_set_dmamode,
22728 .cable_detect = sis_66_cable_detect,
22731 -static struct ata_port_operations sis_66_ops = {
22732 +static const struct ata_port_operations sis_66_ops = {
22733 .inherits = &sis_base_ops,
22734 .set_piomode = sis_old_set_piomode,
22735 .set_dmamode = sis_66_set_dmamode,
22736 .cable_detect = sis_66_cable_detect,
22739 -static struct ata_port_operations sis_old_ops = {
22740 +static const struct ata_port_operations sis_old_ops = {
22741 .inherits = &sis_base_ops,
22742 .set_piomode = sis_old_set_piomode,
22743 .set_dmamode = sis_old_set_dmamode,
22744 diff -urNp linux-2.6.36.2/drivers/ata/pata_sl82c105.c linux-2.6.36.2/drivers/ata/pata_sl82c105.c
22745 --- linux-2.6.36.2/drivers/ata/pata_sl82c105.c 2010-10-20 16:30:22.000000000 -0400
22746 +++ linux-2.6.36.2/drivers/ata/pata_sl82c105.c 2010-12-09 20:24:14.000000000 -0500
22747 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
22748 ATA_BMDMA_SHT(DRV_NAME),
22751 -static struct ata_port_operations sl82c105_port_ops = {
22752 +static const struct ata_port_operations sl82c105_port_ops = {
22753 .inherits = &ata_bmdma_port_ops,
22754 .qc_defer = sl82c105_qc_defer,
22755 .bmdma_start = sl82c105_bmdma_start,
22756 diff -urNp linux-2.6.36.2/drivers/ata/pata_triflex.c linux-2.6.36.2/drivers/ata/pata_triflex.c
22757 --- linux-2.6.36.2/drivers/ata/pata_triflex.c 2010-10-20 16:30:22.000000000 -0400
22758 +++ linux-2.6.36.2/drivers/ata/pata_triflex.c 2010-12-09 20:24:14.000000000 -0500
22759 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
22760 ATA_BMDMA_SHT(DRV_NAME),
22763 -static struct ata_port_operations triflex_port_ops = {
22764 +static const struct ata_port_operations triflex_port_ops = {
22765 .inherits = &ata_bmdma_port_ops,
22766 .bmdma_start = triflex_bmdma_start,
22767 .bmdma_stop = triflex_bmdma_stop,
22768 diff -urNp linux-2.6.36.2/drivers/ata/pata_via.c linux-2.6.36.2/drivers/ata/pata_via.c
22769 --- linux-2.6.36.2/drivers/ata/pata_via.c 2010-10-20 16:30:22.000000000 -0400
22770 +++ linux-2.6.36.2/drivers/ata/pata_via.c 2010-12-09 20:24:14.000000000 -0500
22771 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
22772 ATA_BMDMA_SHT(DRV_NAME),
22775 -static struct ata_port_operations via_port_ops = {
22776 +static const struct ata_port_operations via_port_ops = {
22777 .inherits = &ata_bmdma_port_ops,
22778 .cable_detect = via_cable_detect,
22779 .set_piomode = via_set_piomode,
22780 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
22781 .mode_filter = via_mode_filter,
22784 -static struct ata_port_operations via_port_ops_noirq = {
22785 +static const struct ata_port_operations via_port_ops_noirq = {
22786 .inherits = &via_port_ops,
22787 .sff_data_xfer = ata_sff_data_xfer_noirq,
22789 diff -urNp linux-2.6.36.2/drivers/ata/pdc_adma.c linux-2.6.36.2/drivers/ata/pdc_adma.c
22790 --- linux-2.6.36.2/drivers/ata/pdc_adma.c 2010-10-20 16:30:22.000000000 -0400
22791 +++ linux-2.6.36.2/drivers/ata/pdc_adma.c 2010-12-09 20:24:14.000000000 -0500
22792 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
22793 .dma_boundary = ADMA_DMA_BOUNDARY,
22796 -static struct ata_port_operations adma_ata_ops = {
22797 +static const struct ata_port_operations adma_ata_ops = {
22798 .inherits = &ata_sff_port_ops,
22800 .lost_interrupt = ATA_OP_NULL,
22801 diff -urNp linux-2.6.36.2/drivers/ata/sata_dwc_460ex.c linux-2.6.36.2/drivers/ata/sata_dwc_460ex.c
22802 --- linux-2.6.36.2/drivers/ata/sata_dwc_460ex.c 2010-10-20 16:30:22.000000000 -0400
22803 +++ linux-2.6.36.2/drivers/ata/sata_dwc_460ex.c 2010-12-09 20:24:14.000000000 -0500
22804 @@ -1560,7 +1560,7 @@ static struct scsi_host_template sata_dw
22805 .dma_boundary = ATA_DMA_BOUNDARY,
22808 -static struct ata_port_operations sata_dwc_ops = {
22809 +static const struct ata_port_operations sata_dwc_ops = {
22810 .inherits = &ata_sff_port_ops,
22812 .error_handler = sata_dwc_error_handler,
22813 diff -urNp linux-2.6.36.2/drivers/ata/sata_fsl.c linux-2.6.36.2/drivers/ata/sata_fsl.c
22814 --- linux-2.6.36.2/drivers/ata/sata_fsl.c 2010-10-20 16:30:22.000000000 -0400
22815 +++ linux-2.6.36.2/drivers/ata/sata_fsl.c 2010-12-09 20:24:14.000000000 -0500
22816 @@ -1261,7 +1261,7 @@ static struct scsi_host_template sata_fs
22817 .dma_boundary = ATA_DMA_BOUNDARY,
22820 -static struct ata_port_operations sata_fsl_ops = {
22821 +static const struct ata_port_operations sata_fsl_ops = {
22822 .inherits = &sata_pmp_port_ops,
22824 .qc_defer = ata_std_qc_defer,
22825 diff -urNp linux-2.6.36.2/drivers/ata/sata_inic162x.c linux-2.6.36.2/drivers/ata/sata_inic162x.c
22826 --- linux-2.6.36.2/drivers/ata/sata_inic162x.c 2010-10-20 16:30:22.000000000 -0400
22827 +++ linux-2.6.36.2/drivers/ata/sata_inic162x.c 2010-12-09 20:24:14.000000000 -0500
22828 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
22832 -static struct ata_port_operations inic_port_ops = {
22833 +static const struct ata_port_operations inic_port_ops = {
22834 .inherits = &sata_port_ops,
22836 .check_atapi_dma = inic_check_atapi_dma,
22837 diff -urNp linux-2.6.36.2/drivers/ata/sata_mv.c linux-2.6.36.2/drivers/ata/sata_mv.c
22838 --- linux-2.6.36.2/drivers/ata/sata_mv.c 2010-10-20 16:30:22.000000000 -0400
22839 +++ linux-2.6.36.2/drivers/ata/sata_mv.c 2010-12-09 20:24:14.000000000 -0500
22840 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
22841 .dma_boundary = MV_DMA_BOUNDARY,
22844 -static struct ata_port_operations mv5_ops = {
22845 +static const struct ata_port_operations mv5_ops = {
22846 .inherits = &ata_sff_port_ops,
22848 .lost_interrupt = ATA_OP_NULL,
22849 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
22850 .port_stop = mv_port_stop,
22853 -static struct ata_port_operations mv6_ops = {
22854 +static const struct ata_port_operations mv6_ops = {
22855 .inherits = &ata_bmdma_port_ops,
22857 .lost_interrupt = ATA_OP_NULL,
22858 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
22859 .port_stop = mv_port_stop,
22862 -static struct ata_port_operations mv_iie_ops = {
22863 +static const struct ata_port_operations mv_iie_ops = {
22864 .inherits = &mv6_ops,
22865 .dev_config = ATA_OP_NULL,
22866 .qc_prep = mv_qc_prep_iie,
22867 diff -urNp linux-2.6.36.2/drivers/ata/sata_nv.c linux-2.6.36.2/drivers/ata/sata_nv.c
22868 --- linux-2.6.36.2/drivers/ata/sata_nv.c 2010-10-20 16:30:22.000000000 -0400
22869 +++ linux-2.6.36.2/drivers/ata/sata_nv.c 2010-12-09 20:24:14.000000000 -0500
22870 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
22871 * cases. Define nv_hardreset() which only kicks in for post-boot
22872 * probing and use it for all variants.
22874 -static struct ata_port_operations nv_generic_ops = {
22875 +static const struct ata_port_operations nv_generic_ops = {
22876 .inherits = &ata_bmdma_port_ops,
22877 .lost_interrupt = ATA_OP_NULL,
22878 .scr_read = nv_scr_read,
22879 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
22880 .hardreset = nv_hardreset,
22883 -static struct ata_port_operations nv_nf2_ops = {
22884 +static const struct ata_port_operations nv_nf2_ops = {
22885 .inherits = &nv_generic_ops,
22886 .freeze = nv_nf2_freeze,
22887 .thaw = nv_nf2_thaw,
22890 -static struct ata_port_operations nv_ck804_ops = {
22891 +static const struct ata_port_operations nv_ck804_ops = {
22892 .inherits = &nv_generic_ops,
22893 .freeze = nv_ck804_freeze,
22894 .thaw = nv_ck804_thaw,
22895 .host_stop = nv_ck804_host_stop,
22898 -static struct ata_port_operations nv_adma_ops = {
22899 +static const struct ata_port_operations nv_adma_ops = {
22900 .inherits = &nv_ck804_ops,
22902 .check_atapi_dma = nv_adma_check_atapi_dma,
22903 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
22904 .host_stop = nv_adma_host_stop,
22907 -static struct ata_port_operations nv_swncq_ops = {
22908 +static const struct ata_port_operations nv_swncq_ops = {
22909 .inherits = &nv_generic_ops,
22911 .qc_defer = ata_std_qc_defer,
22912 diff -urNp linux-2.6.36.2/drivers/ata/sata_promise.c linux-2.6.36.2/drivers/ata/sata_promise.c
22913 --- linux-2.6.36.2/drivers/ata/sata_promise.c 2010-10-20 16:30:22.000000000 -0400
22914 +++ linux-2.6.36.2/drivers/ata/sata_promise.c 2010-12-09 20:24:14.000000000 -0500
22915 @@ -196,7 +196,7 @@ static const struct ata_port_operations
22916 .error_handler = pdc_error_handler,
22919 -static struct ata_port_operations pdc_sata_ops = {
22920 +static const struct ata_port_operations pdc_sata_ops = {
22921 .inherits = &pdc_common_ops,
22922 .cable_detect = pdc_sata_cable_detect,
22923 .freeze = pdc_sata_freeze,
22924 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
22926 /* First-generation chips need a more restrictive ->check_atapi_dma op,
22927 and ->freeze/thaw that ignore the hotplug controls. */
22928 -static struct ata_port_operations pdc_old_sata_ops = {
22929 +static const struct ata_port_operations pdc_old_sata_ops = {
22930 .inherits = &pdc_sata_ops,
22931 .freeze = pdc_freeze,
22933 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
22936 -static struct ata_port_operations pdc_pata_ops = {
22937 +static const struct ata_port_operations pdc_pata_ops = {
22938 .inherits = &pdc_common_ops,
22939 .cable_detect = pdc_pata_cable_detect,
22940 .freeze = pdc_freeze,
22941 diff -urNp linux-2.6.36.2/drivers/ata/sata_qstor.c linux-2.6.36.2/drivers/ata/sata_qstor.c
22942 --- linux-2.6.36.2/drivers/ata/sata_qstor.c 2010-10-20 16:30:22.000000000 -0400
22943 +++ linux-2.6.36.2/drivers/ata/sata_qstor.c 2010-12-09 20:24:14.000000000 -0500
22944 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
22945 .dma_boundary = QS_DMA_BOUNDARY,
22948 -static struct ata_port_operations qs_ata_ops = {
22949 +static const struct ata_port_operations qs_ata_ops = {
22950 .inherits = &ata_sff_port_ops,
22952 .check_atapi_dma = qs_check_atapi_dma,
22953 diff -urNp linux-2.6.36.2/drivers/ata/sata_sil24.c linux-2.6.36.2/drivers/ata/sata_sil24.c
22954 --- linux-2.6.36.2/drivers/ata/sata_sil24.c 2010-10-20 16:30:22.000000000 -0400
22955 +++ linux-2.6.36.2/drivers/ata/sata_sil24.c 2010-12-09 20:24:14.000000000 -0500
22956 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
22957 .dma_boundary = ATA_DMA_BOUNDARY,
22960 -static struct ata_port_operations sil24_ops = {
22961 +static const struct ata_port_operations sil24_ops = {
22962 .inherits = &sata_pmp_port_ops,
22964 .qc_defer = sil24_qc_defer,
22965 diff -urNp linux-2.6.36.2/drivers/ata/sata_sil.c linux-2.6.36.2/drivers/ata/sata_sil.c
22966 --- linux-2.6.36.2/drivers/ata/sata_sil.c 2010-10-20 16:30:22.000000000 -0400
22967 +++ linux-2.6.36.2/drivers/ata/sata_sil.c 2010-12-09 20:24:14.000000000 -0500
22968 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
22969 .sg_tablesize = ATA_MAX_PRD
22972 -static struct ata_port_operations sil_ops = {
22973 +static const struct ata_port_operations sil_ops = {
22974 .inherits = &ata_bmdma32_port_ops,
22975 .dev_config = sil_dev_config,
22976 .set_mode = sil_set_mode,
22977 diff -urNp linux-2.6.36.2/drivers/ata/sata_sis.c linux-2.6.36.2/drivers/ata/sata_sis.c
22978 --- linux-2.6.36.2/drivers/ata/sata_sis.c 2010-10-20 16:30:22.000000000 -0400
22979 +++ linux-2.6.36.2/drivers/ata/sata_sis.c 2010-12-09 20:24:14.000000000 -0500
22980 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
22981 ATA_BMDMA_SHT(DRV_NAME),
22984 -static struct ata_port_operations sis_ops = {
22985 +static const struct ata_port_operations sis_ops = {
22986 .inherits = &ata_bmdma_port_ops,
22987 .scr_read = sis_scr_read,
22988 .scr_write = sis_scr_write,
22989 diff -urNp linux-2.6.36.2/drivers/ata/sata_svw.c linux-2.6.36.2/drivers/ata/sata_svw.c
22990 --- linux-2.6.36.2/drivers/ata/sata_svw.c 2010-10-20 16:30:22.000000000 -0400
22991 +++ linux-2.6.36.2/drivers/ata/sata_svw.c 2010-12-09 20:24:14.000000000 -0500
22992 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
22996 -static struct ata_port_operations k2_sata_ops = {
22997 +static const struct ata_port_operations k2_sata_ops = {
22998 .inherits = &ata_bmdma_port_ops,
22999 .sff_tf_load = k2_sata_tf_load,
23000 .sff_tf_read = k2_sata_tf_read,
23001 diff -urNp linux-2.6.36.2/drivers/ata/sata_sx4.c linux-2.6.36.2/drivers/ata/sata_sx4.c
23002 --- linux-2.6.36.2/drivers/ata/sata_sx4.c 2010-10-20 16:30:22.000000000 -0400
23003 +++ linux-2.6.36.2/drivers/ata/sata_sx4.c 2010-12-09 20:24:14.000000000 -0500
23004 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
23007 /* TODO: inherit from base port_ops after converting to new EH */
23008 -static struct ata_port_operations pdc_20621_ops = {
23009 +static const struct ata_port_operations pdc_20621_ops = {
23010 .inherits = &ata_sff_port_ops,
23012 .check_atapi_dma = pdc_check_atapi_dma,
23013 diff -urNp linux-2.6.36.2/drivers/ata/sata_uli.c linux-2.6.36.2/drivers/ata/sata_uli.c
23014 --- linux-2.6.36.2/drivers/ata/sata_uli.c 2010-10-20 16:30:22.000000000 -0400
23015 +++ linux-2.6.36.2/drivers/ata/sata_uli.c 2010-12-09 20:24:14.000000000 -0500
23016 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
23017 ATA_BMDMA_SHT(DRV_NAME),
23020 -static struct ata_port_operations uli_ops = {
23021 +static const struct ata_port_operations uli_ops = {
23022 .inherits = &ata_bmdma_port_ops,
23023 .scr_read = uli_scr_read,
23024 .scr_write = uli_scr_write,
23025 diff -urNp linux-2.6.36.2/drivers/ata/sata_via.c linux-2.6.36.2/drivers/ata/sata_via.c
23026 --- linux-2.6.36.2/drivers/ata/sata_via.c 2010-12-09 20:53:46.000000000 -0500
23027 +++ linux-2.6.36.2/drivers/ata/sata_via.c 2010-12-09 20:54:34.000000000 -0500
23028 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
23029 ATA_BMDMA_SHT(DRV_NAME),
23032 -static struct ata_port_operations svia_base_ops = {
23033 +static const struct ata_port_operations svia_base_ops = {
23034 .inherits = &ata_bmdma_port_ops,
23035 .sff_tf_load = svia_tf_load,
23038 -static struct ata_port_operations vt6420_sata_ops = {
23039 +static const struct ata_port_operations vt6420_sata_ops = {
23040 .inherits = &svia_base_ops,
23041 .freeze = svia_noop_freeze,
23042 .prereset = vt6420_prereset,
23043 .bmdma_start = vt6420_bmdma_start,
23046 -static struct ata_port_operations vt6421_pata_ops = {
23047 +static const struct ata_port_operations vt6421_pata_ops = {
23048 .inherits = &svia_base_ops,
23049 .cable_detect = vt6421_pata_cable_detect,
23050 .set_piomode = vt6421_set_pio_mode,
23051 .set_dmamode = vt6421_set_dma_mode,
23054 -static struct ata_port_operations vt6421_sata_ops = {
23055 +static const struct ata_port_operations vt6421_sata_ops = {
23056 .inherits = &svia_base_ops,
23057 .scr_read = svia_scr_read,
23058 .scr_write = svia_scr_write,
23061 -static struct ata_port_operations vt8251_ops = {
23062 +static const struct ata_port_operations vt8251_ops = {
23063 .inherits = &svia_base_ops,
23064 .hardreset = sata_std_hardreset,
23065 .scr_read = vt8251_scr_read,
23066 diff -urNp linux-2.6.36.2/drivers/ata/sata_vsc.c linux-2.6.36.2/drivers/ata/sata_vsc.c
23067 --- linux-2.6.36.2/drivers/ata/sata_vsc.c 2010-10-20 16:30:22.000000000 -0400
23068 +++ linux-2.6.36.2/drivers/ata/sata_vsc.c 2010-12-09 20:24:14.000000000 -0500
23069 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
23073 -static struct ata_port_operations vsc_sata_ops = {
23074 +static const struct ata_port_operations vsc_sata_ops = {
23075 .inherits = &ata_bmdma_port_ops,
23076 /* The IRQ handling is not quite standard SFF behaviour so we
23077 cannot use the default lost interrupt handler */
23078 diff -urNp linux-2.6.36.2/drivers/atm/adummy.c linux-2.6.36.2/drivers/atm/adummy.c
23079 --- linux-2.6.36.2/drivers/atm/adummy.c 2010-10-20 16:30:22.000000000 -0400
23080 +++ linux-2.6.36.2/drivers/atm/adummy.c 2010-12-09 20:24:24.000000000 -0500
23081 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
23082 vcc->pop(vcc, skb);
23084 dev_kfree_skb_any(skb);
23085 - atomic_inc(&vcc->stats->tx);
23086 + atomic_inc_unchecked(&vcc->stats->tx);
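Review bot: `atomic_inc_unchecked()` opts this counter out of overflow detection, and nothing at the call site says why that is acceptable. It is fine for `vcc->stats->tx` only as long as the field is a pure statistic that may wrap and is never used as a reference or lifetime count. The field's declaration, which presumably has to change to the matching unchecked type, is outside this hunk. I would add `/* statistics counter: wrap-around is harmless, so overflow checking is not wanted */` above the call; the same remark applies to the `tx`, `rx`, `rx_drop`, `rx_err` and `tx_err` conversions in ambassador.c, atmtcp.c, eni.c and firestream.c below. adummy_send's body starts and ends outside the hunk.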
23090 diff -urNp linux-2.6.36.2/drivers/atm/ambassador.c linux-2.6.36.2/drivers/atm/ambassador.c
23091 --- linux-2.6.36.2/drivers/atm/ambassador.c 2010-10-20 16:30:22.000000000 -0400
23092 +++ linux-2.6.36.2/drivers/atm/ambassador.c 2010-12-09 20:24:24.000000000 -0500
23093 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
23094 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
23097 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23098 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23100 // free the descriptor
23102 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
23103 dump_skb ("<<<", vc, skb);
23106 - atomic_inc(&atm_vcc->stats->rx);
23107 + atomic_inc_unchecked(&atm_vcc->stats->rx);
23108 __net_timestamp(skb);
23109 // end of our responsability
23110 atm_vcc->push (atm_vcc, skb);
23111 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
23113 PRINTK (KERN_INFO, "dropped over-size frame");
23114 // should we count this?
23115 - atomic_inc(&atm_vcc->stats->rx_drop);
23116 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23120 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
23123 if (check_area (skb->data, skb->len)) {
23124 - atomic_inc(&atm_vcc->stats->tx_err);
23125 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
23126 return -ENOMEM; // ?
23129 diff -urNp linux-2.6.36.2/drivers/atm/atmtcp.c linux-2.6.36.2/drivers/atm/atmtcp.c
23130 --- linux-2.6.36.2/drivers/atm/atmtcp.c 2010-10-20 16:30:22.000000000 -0400
23131 +++ linux-2.6.36.2/drivers/atm/atmtcp.c 2010-12-09 20:24:24.000000000 -0500
23132 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
23133 if (vcc->pop) vcc->pop(vcc,skb);
23134 else dev_kfree_skb(skb);
23135 if (dev_data) return 0;
23136 - atomic_inc(&vcc->stats->tx_err);
23137 + atomic_inc_unchecked(&vcc->stats->tx_err);
23140 size = skb->len+sizeof(struct atmtcp_hdr);
23141 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
23143 if (vcc->pop) vcc->pop(vcc,skb);
23144 else dev_kfree_skb(skb);
23145 - atomic_inc(&vcc->stats->tx_err);
23146 + atomic_inc_unchecked(&vcc->stats->tx_err);
23149 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
23150 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
23151 if (vcc->pop) vcc->pop(vcc,skb);
23152 else dev_kfree_skb(skb);
23153 out_vcc->push(out_vcc,new_skb);
23154 - atomic_inc(&vcc->stats->tx);
23155 - atomic_inc(&out_vcc->stats->rx);
23156 + atomic_inc_unchecked(&vcc->stats->tx);
23157 + atomic_inc_unchecked(&out_vcc->stats->rx);
23161 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
23162 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
23163 read_unlock(&vcc_sklist_lock);
23165 - atomic_inc(&vcc->stats->tx_err);
23166 + atomic_inc_unchecked(&vcc->stats->tx_err);
23169 skb_pull(skb,sizeof(struct atmtcp_hdr));
23170 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
23171 __net_timestamp(new_skb);
23172 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
23173 out_vcc->push(out_vcc,new_skb);
23174 - atomic_inc(&vcc->stats->tx);
23175 - atomic_inc(&out_vcc->stats->rx);
23176 + atomic_inc_unchecked(&vcc->stats->tx);
23177 + atomic_inc_unchecked(&out_vcc->stats->rx);
23179 if (vcc->pop) vcc->pop(vcc,skb);
23180 else dev_kfree_skb(skb);
23181 diff -urNp linux-2.6.36.2/drivers/atm/eni.c linux-2.6.36.2/drivers/atm/eni.c
23182 --- linux-2.6.36.2/drivers/atm/eni.c 2010-10-20 16:30:22.000000000 -0400
23183 +++ linux-2.6.36.2/drivers/atm/eni.c 2010-12-09 20:24:24.000000000 -0500
23184 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
23185 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
23188 - atomic_inc(&vcc->stats->rx_err);
23189 + atomic_inc_unchecked(&vcc->stats->rx_err);
23192 length = ATM_CELL_SIZE-1; /* no HEC */
23193 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23197 - atomic_inc(&vcc->stats->rx_err);
23198 + atomic_inc_unchecked(&vcc->stats->rx_err);
23201 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
23202 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23203 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
23204 vcc->dev->number,vcc->vci,length,size << 2,descr);
23206 - atomic_inc(&vcc->stats->rx_err);
23207 + atomic_inc_unchecked(&vcc->stats->rx_err);
23210 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
23211 @@ -771,7 +771,7 @@ rx_dequeued++;
23212 vcc->push(vcc,skb);
23215 - atomic_inc(&vcc->stats->rx);
23216 + atomic_inc_unchecked(&vcc->stats->rx);
23218 wake_up(&eni_dev->rx_wait);
23220 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
23222 if (vcc->pop) vcc->pop(vcc,skb);
23223 else dev_kfree_skb_irq(skb);
23224 - atomic_inc(&vcc->stats->tx);
23225 + atomic_inc_unchecked(&vcc->stats->tx);
23226 wake_up(&eni_dev->tx_wait);
23229 diff -urNp linux-2.6.36.2/drivers/atm/firestream.c linux-2.6.36.2/drivers/atm/firestream.c
23230 --- linux-2.6.36.2/drivers/atm/firestream.c 2010-10-20 16:30:22.000000000 -0400
23231 +++ linux-2.6.36.2/drivers/atm/firestream.c 2010-12-09 20:24:24.000000000 -0500
23232 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
23236 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23237 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23239 fs_dprintk (FS_DEBUG_TXMEM, "i");
23240 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
23241 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
23243 skb_put (skb, qe->p1 & 0xffff);
23244 ATM_SKB(skb)->vcc = atm_vcc;
23245 - atomic_inc(&atm_vcc->stats->rx);
23246 + atomic_inc_unchecked(&atm_vcc->stats->rx);
23247 __net_timestamp(skb);
23248 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
23249 atm_vcc->push (atm_vcc, skb);
23250 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
23254 - atomic_inc(&atm_vcc->stats->rx_drop);
23255 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23257 case 0x1f: /* Reassembly abort: no buffers. */
23258 /* Silently increment error counter. */
23260 - atomic_inc(&atm_vcc->stats->rx_drop);
23261 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23263 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
23264 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
23265 diff -urNp linux-2.6.36.2/drivers/atm/fore200e.c linux-2.6.36.2/drivers/atm/fore200e.c
23266 --- linux-2.6.36.2/drivers/atm/fore200e.c 2010-10-20 16:30:22.000000000 -0400
23267 +++ linux-2.6.36.2/drivers/atm/fore200e.c 2010-12-09 20:24:24.000000000 -0500
23268 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
23270 /* check error condition */
23271 if (*entry->status & STATUS_ERROR)
23272 - atomic_inc(&vcc->stats->tx_err);
23273 + atomic_inc_unchecked(&vcc->stats->tx_err);
23275 - atomic_inc(&vcc->stats->tx);
23276 + atomic_inc_unchecked(&vcc->stats->tx);
23280 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
23282 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
23284 - atomic_inc(&vcc->stats->rx_drop);
23285 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23289 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
23291 dev_kfree_skb_any(skb);
23293 - atomic_inc(&vcc->stats->rx_drop);
23294 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23298 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23300 vcc->push(vcc, skb);
23301 - atomic_inc(&vcc->stats->rx);
23302 + atomic_inc_unchecked(&vcc->stats->rx);
23304 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23306 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
23307 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
23308 fore200e->atm_dev->number,
23309 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
23310 - atomic_inc(&vcc->stats->rx_err);
23311 + atomic_inc_unchecked(&vcc->stats->rx_err);
23315 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
23319 - atomic_inc(&vcc->stats->tx_err);
23320 + atomic_inc_unchecked(&vcc->stats->tx_err);
23322 fore200e->tx_sat++;
23323 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
23324 diff -urNp linux-2.6.36.2/drivers/atm/he.c linux-2.6.36.2/drivers/atm/he.c
23325 --- linux-2.6.36.2/drivers/atm/he.c 2010-10-20 16:30:22.000000000 -0400
23326 +++ linux-2.6.36.2/drivers/atm/he.c 2010-12-09 20:24:24.000000000 -0500
23327 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23329 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
23330 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
23331 - atomic_inc(&vcc->stats->rx_drop);
23332 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23333 goto return_host_buffers;
23336 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23337 RBRQ_LEN_ERR(he_dev->rbrq_head)
23339 vcc->vpi, vcc->vci);
23340 - atomic_inc(&vcc->stats->rx_err);
23341 + atomic_inc_unchecked(&vcc->stats->rx_err);
23342 goto return_host_buffers;
23345 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23346 vcc->push(vcc, skb);
23347 spin_lock(&he_dev->global_lock);
23349 - atomic_inc(&vcc->stats->rx);
23350 + atomic_inc_unchecked(&vcc->stats->rx);
23352 return_host_buffers:
23354 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
23355 tpd->vcc->pop(tpd->vcc, tpd->skb);
23357 dev_kfree_skb_any(tpd->skb);
23358 - atomic_inc(&tpd->vcc->stats->tx_err);
23359 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
23361 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
23363 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23364 vcc->pop(vcc, skb);
23366 dev_kfree_skb_any(skb);
23367 - atomic_inc(&vcc->stats->tx_err);
23368 + atomic_inc_unchecked(&vcc->stats->tx_err);
23372 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23373 vcc->pop(vcc, skb);
23375 dev_kfree_skb_any(skb);
23376 - atomic_inc(&vcc->stats->tx_err);
23377 + atomic_inc_unchecked(&vcc->stats->tx_err);
23381 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23382 vcc->pop(vcc, skb);
23384 dev_kfree_skb_any(skb);
23385 - atomic_inc(&vcc->stats->tx_err);
23386 + atomic_inc_unchecked(&vcc->stats->tx_err);
23387 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23390 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23391 vcc->pop(vcc, skb);
23393 dev_kfree_skb_any(skb);
23394 - atomic_inc(&vcc->stats->tx_err);
23395 + atomic_inc_unchecked(&vcc->stats->tx_err);
23396 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23399 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23400 __enqueue_tpd(he_dev, tpd, cid);
23401 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23403 - atomic_inc(&vcc->stats->tx);
23404 + atomic_inc_unchecked(&vcc->stats->tx);
23408 diff -urNp linux-2.6.36.2/drivers/atm/horizon.c linux-2.6.36.2/drivers/atm/horizon.c
23409 --- linux-2.6.36.2/drivers/atm/horizon.c 2010-10-20 16:30:22.000000000 -0400
23410 +++ linux-2.6.36.2/drivers/atm/horizon.c 2010-12-09 20:24:24.000000000 -0500
23411 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
23413 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
23415 - atomic_inc(&vcc->stats->rx);
23416 + atomic_inc_unchecked(&vcc->stats->rx);
23417 __net_timestamp(skb);
23418 // end of our responsability
23419 vcc->push (vcc, skb);
23420 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
23421 dev->tx_iovec = NULL;
23424 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23425 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23428 hrz_kfree_skb (skb);
23429 diff -urNp linux-2.6.36.2/drivers/atm/idt77252.c linux-2.6.36.2/drivers/atm/idt77252.c
23430 --- linux-2.6.36.2/drivers/atm/idt77252.c 2010-10-20 16:30:22.000000000 -0400
23431 +++ linux-2.6.36.2/drivers/atm/idt77252.c 2010-12-09 20:24:24.000000000 -0500
23432 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
23434 dev_kfree_skb(skb);
23436 - atomic_inc(&vcc->stats->tx);
23437 + atomic_inc_unchecked(&vcc->stats->tx);
23440 atomic_dec(&scq->used);
23441 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
23442 if ((sb = dev_alloc_skb(64)) == NULL) {
23443 printk("%s: Can't allocate buffers for aal0.\n",
23445 - atomic_add(i, &vcc->stats->rx_drop);
23446 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
23449 if (!atm_charge(vcc, sb->truesize)) {
23450 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
23452 - atomic_add(i - 1, &vcc->stats->rx_drop);
23453 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
23457 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
23458 ATM_SKB(sb)->vcc = vcc;
23459 __net_timestamp(sb);
23460 vcc->push(vcc, sb);
23461 - atomic_inc(&vcc->stats->rx);
23462 + atomic_inc_unchecked(&vcc->stats->rx);
23464 cell += ATM_CELL_PAYLOAD;
23466 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
23468 card->name, len, rpp->len, readl(SAR_REG_CDC));
23469 recycle_rx_pool_skb(card, rpp);
23470 - atomic_inc(&vcc->stats->rx_err);
23471 + atomic_inc_unchecked(&vcc->stats->rx_err);
23474 if (stat & SAR_RSQE_CRC) {
23475 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
23476 recycle_rx_pool_skb(card, rpp);
23477 - atomic_inc(&vcc->stats->rx_err);
23478 + atomic_inc_unchecked(&vcc->stats->rx_err);
23481 if (skb_queue_len(&rpp->queue) > 1) {
23482 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
23483 RXPRINTK("%s: Can't alloc RX skb.\n",
23485 recycle_rx_pool_skb(card, rpp);
23486 - atomic_inc(&vcc->stats->rx_err);
23487 + atomic_inc_unchecked(&vcc->stats->rx_err);
23490 if (!atm_charge(vcc, skb->truesize)) {
23491 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
23492 __net_timestamp(skb);
23494 vcc->push(vcc, skb);
23495 - atomic_inc(&vcc->stats->rx);
23496 + atomic_inc_unchecked(&vcc->stats->rx);
23500 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
23501 __net_timestamp(skb);
23503 vcc->push(vcc, skb);
23504 - atomic_inc(&vcc->stats->rx);
23505 + atomic_inc_unchecked(&vcc->stats->rx);
23507 if (skb->truesize > SAR_FB_SIZE_3)
23508 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
23509 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
23510 if (vcc->qos.aal != ATM_AAL0) {
23511 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
23512 card->name, vpi, vci);
23513 - atomic_inc(&vcc->stats->rx_drop);
23514 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23518 if ((sb = dev_alloc_skb(64)) == NULL) {
23519 printk("%s: Can't allocate buffers for AAL0.\n",
23521 - atomic_inc(&vcc->stats->rx_err);
23522 + atomic_inc_unchecked(&vcc->stats->rx_err);
23526 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
23527 ATM_SKB(sb)->vcc = vcc;
23528 __net_timestamp(sb);
23529 vcc->push(vcc, sb);
23530 - atomic_inc(&vcc->stats->rx);
23531 + atomic_inc_unchecked(&vcc->stats->rx);
23534 skb_pull(queue, 64);
23535 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23538 printk("%s: NULL connection in send().\n", card->name);
23539 - atomic_inc(&vcc->stats->tx_err);
23540 + atomic_inc_unchecked(&vcc->stats->tx_err);
23541 dev_kfree_skb(skb);
23544 if (!test_bit(VCF_TX, &vc->flags)) {
23545 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
23546 - atomic_inc(&vcc->stats->tx_err);
23547 + atomic_inc_unchecked(&vcc->stats->tx_err);
23548 dev_kfree_skb(skb);
23551 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23554 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
23555 - atomic_inc(&vcc->stats->tx_err);
23556 + atomic_inc_unchecked(&vcc->stats->tx_err);
23557 dev_kfree_skb(skb);
23561 if (skb_shinfo(skb)->nr_frags != 0) {
23562 printk("%s: No scatter-gather yet.\n", card->name);
23563 - atomic_inc(&vcc->stats->tx_err);
23564 + atomic_inc_unchecked(&vcc->stats->tx_err);
23565 dev_kfree_skb(skb);
23568 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23570 err = queue_skb(card, vc, skb, oam);
23572 - atomic_inc(&vcc->stats->tx_err);
23573 + atomic_inc_unchecked(&vcc->stats->tx_err);
23574 dev_kfree_skb(skb);
23577 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
23578 skb = dev_alloc_skb(64);
23580 printk("%s: Out of memory in send_oam().\n", card->name);
23581 - atomic_inc(&vcc->stats->tx_err);
23582 + atomic_inc_unchecked(&vcc->stats->tx_err);
23585 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
23586 diff -urNp linux-2.6.36.2/drivers/atm/iphase.c linux-2.6.36.2/drivers/atm/iphase.c
23587 --- linux-2.6.36.2/drivers/atm/iphase.c 2010-10-20 16:30:22.000000000 -0400
23588 +++ linux-2.6.36.2/drivers/atm/iphase.c 2010-12-09 20:24:24.000000000 -0500
23589 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
23590 status = (u_short) (buf_desc_ptr->desc_mode);
23591 if (status & (RX_CER | RX_PTE | RX_OFL))
23593 - atomic_inc(&vcc->stats->rx_err);
23594 + atomic_inc_unchecked(&vcc->stats->rx_err);
23595 IF_ERR(printk("IA: bad packet, dropping it");)
23596 if (status & RX_CER) {
23597 IF_ERR(printk(" cause: packet CRC error\n");)
23598 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
23599 len = dma_addr - buf_addr;
23600 if (len > iadev->rx_buf_sz) {
23601 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
23602 - atomic_inc(&vcc->stats->rx_err);
23603 + atomic_inc_unchecked(&vcc->stats->rx_err);
23604 goto out_free_desc;
23607 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
23608 ia_vcc = INPH_IA_VCC(vcc);
23609 if (ia_vcc == NULL)
23611 - atomic_inc(&vcc->stats->rx_err);
23612 + atomic_inc_unchecked(&vcc->stats->rx_err);
23613 dev_kfree_skb_any(skb);
23614 atm_return(vcc, atm_guess_pdu2truesize(len));
23616 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
23617 if ((length > iadev->rx_buf_sz) || (length >
23618 (skb->len - sizeof(struct cpcs_trailer))))
23620 - atomic_inc(&vcc->stats->rx_err);
23621 + atomic_inc_unchecked(&vcc->stats->rx_err);
23622 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
23623 length, skb->len);)
23624 dev_kfree_skb_any(skb);
23625 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
23627 IF_RX(printk("rx_dle_intr: skb push");)
23628 vcc->push(vcc,skb);
23629 - atomic_inc(&vcc->stats->rx);
23630 + atomic_inc_unchecked(&vcc->stats->rx);
23631 iadev->rx_pkt_cnt++;
23634 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
23636 struct k_sonet_stats *stats;
23637 stats = &PRIV(_ia_dev[board])->sonet_stats;
23638 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
23639 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
23640 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
23641 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
23642 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
23643 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
23644 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
23645 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
23646 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
23647 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
23648 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
23649 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
23650 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
23651 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
23652 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
23653 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
23654 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
23655 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
23657 ia_cmds.status = 0;
23659 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
23660 if ((desc == 0) || (desc > iadev->num_tx_desc))
23662 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
23663 - atomic_inc(&vcc->stats->tx);
23664 + atomic_inc_unchecked(&vcc->stats->tx);
23666 vcc->pop(vcc, skb);
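Review bot: The `invalid desc for send` branch of ia_pkt_tx counts the rejected packet in `stats->tx`, so a send that failed descriptor validation is reported as a successful transmit, and the rename to `atomic_inc_unchecked` carries that over unchanged. If this is not intentional, the counter here should be the error one, `atomic_inc_unchecked(&vcc->stats->tx_err);`. It matters more in this driver because the next ia_pkt_tx hunk uses `atomic_read_unchecked(&vcc->stats->tx) % 20` to pace its flow-control adjustment, so miscounted sends also shift when that logic runs. ia_pkt_tx starts and ends outside the hunk, so the rest of this branch is not visible here.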
23668 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
23669 ATM_DESC(skb) = vcc->vci;
23670 skb_queue_tail(&iadev->tx_dma_q, skb);
23672 - atomic_inc(&vcc->stats->tx);
23673 + atomic_inc_unchecked(&vcc->stats->tx);
23674 iadev->tx_pkt_cnt++;
23675 /* Increment transaction counter */
23676 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
23679 /* add flow control logic */
23680 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
23681 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
23682 if (iavcc->vc_desc_cnt > 10) {
23683 vcc->tx_quota = vcc->tx_quota * 3 / 4;
23684 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
23685 diff -urNp linux-2.6.36.2/drivers/atm/lanai.c linux-2.6.36.2/drivers/atm/lanai.c
23686 --- linux-2.6.36.2/drivers/atm/lanai.c 2010-10-20 16:30:22.000000000 -0400
23687 +++ linux-2.6.36.2/drivers/atm/lanai.c 2010-12-09 20:24:24.000000000 -0500
23688 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
23689 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
23690 lanai_endtx(lanai, lvcc);
23691 lanai_free_skb(lvcc->tx.atmvcc, skb);
23692 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
23693 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
23696 /* Try to fill the buffer - don't call unless there is backlog */
23697 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
23698 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
23699 __net_timestamp(skb);
23700 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
23701 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
23702 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
23704 lvcc->rx.buf.ptr = end;
23705 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
23706 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
23707 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
23708 "vcc %d\n", lanai->number, (unsigned int) s, vci);
23709 lanai->stats.service_rxnotaal5++;
23710 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23711 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23714 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
23715 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
23717 read_unlock(&vcc_sklist_lock);
23718 DPRINTK("got trashed rx pdu on vci %d\n", vci);
23719 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23720 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23721 lvcc->stats.x.aal5.service_trash++;
23722 bytes = (SERVICE_GET_END(s) * 16) -
23723 (((unsigned long) lvcc->rx.buf.ptr) -
23724 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
23726 if (s & SERVICE_STREAM) {
23727 read_unlock(&vcc_sklist_lock);
23728 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23729 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23730 lvcc->stats.x.aal5.service_stream++;
23731 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
23732 "PDU on VCI %d!\n", lanai->number, vci);
23733 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
23736 DPRINTK("got rx crc error on vci %d\n", vci);
23737 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23738 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23739 lvcc->stats.x.aal5.service_rxcrc++;
23740 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
23741 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
23742 diff -urNp linux-2.6.36.2/drivers/atm/nicstar.c linux-2.6.36.2/drivers/atm/nicstar.c
23743 --- linux-2.6.36.2/drivers/atm/nicstar.c 2010-10-20 16:30:22.000000000 -0400
23744 +++ linux-2.6.36.2/drivers/atm/nicstar.c 2010-12-09 20:24:24.000000000 -0500
23745 @@ -1653,7 +1653,7 @@ static int ns_send(struct atm_vcc *vcc,
23746 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
23747 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
23749 - atomic_inc(&vcc->stats->tx_err);
23750 + atomic_inc_unchecked(&vcc->stats->tx_err);
23751 dev_kfree_skb_any(skb);
23754 @@ -1661,7 +1661,7 @@ static int ns_send(struct atm_vcc *vcc,
23756 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
23758 - atomic_inc(&vcc->stats->tx_err);
23759 + atomic_inc_unchecked(&vcc->stats->tx_err);
23760 dev_kfree_skb_any(skb);
23763 @@ -1669,14 +1669,14 @@ static int ns_send(struct atm_vcc *vcc,
23764 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
23765 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
23767 - atomic_inc(&vcc->stats->tx_err);
23768 + atomic_inc_unchecked(&vcc->stats->tx_err);
23769 dev_kfree_skb_any(skb);
23773 if (skb_shinfo(skb)->nr_frags != 0) {
23774 printk("nicstar%d: No scatter-gather yet.\n", card->index);
23775 - atomic_inc(&vcc->stats->tx_err);
23776 + atomic_inc_unchecked(&vcc->stats->tx_err);
23777 dev_kfree_skb_any(skb);
23780 @@ -1724,11 +1724,11 @@ static int ns_send(struct atm_vcc *vcc,
23783 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
23784 - atomic_inc(&vcc->stats->tx_err);
23785 + atomic_inc_unchecked(&vcc->stats->tx_err);
23786 dev_kfree_skb_any(skb);
23789 - atomic_inc(&vcc->stats->tx);
23790 + atomic_inc_unchecked(&vcc->stats->tx);
23794 @@ -2045,14 +2045,14 @@ static void dequeue_rx(ns_dev * card, ns
23796 ("nicstar%d: Can't allocate buffers for aal0.\n",
23798 - atomic_add(i, &vcc->stats->rx_drop);
23799 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
23802 if (!atm_charge(vcc, sb->truesize)) {
23804 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
23806 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
23807 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
23808 dev_kfree_skb_any(sb);
23811 @@ -2067,7 +2067,7 @@ static void dequeue_rx(ns_dev * card, ns
23812 ATM_SKB(sb)->vcc = vcc;
23813 __net_timestamp(sb);
23814 vcc->push(vcc, sb);
23815 - atomic_inc(&vcc->stats->rx);
23816 + atomic_inc_unchecked(&vcc->stats->rx);
23817 cell += ATM_CELL_PAYLOAD;
23820 @@ -2084,7 +2084,7 @@ static void dequeue_rx(ns_dev * card, ns
23821 if (iovb == NULL) {
23822 printk("nicstar%d: Out of iovec buffers.\n",
23824 - atomic_inc(&vcc->stats->rx_drop);
23825 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23826 recycle_rx_buf(card, skb);
23829 @@ -2108,7 +2108,7 @@ static void dequeue_rx(ns_dev * card, ns
23830 small or large buffer itself. */
23831 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
23832 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
23833 - atomic_inc(&vcc->stats->rx_err);
23834 + atomic_inc_unchecked(&vcc->stats->rx_err);
23835 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23837 NS_PRV_IOVCNT(iovb) = 0;
23838 @@ -2128,7 +2128,7 @@ static void dequeue_rx(ns_dev * card, ns
23839 ("nicstar%d: Expected a small buffer, and this is not one.\n",
23841 which_list(card, skb);
23842 - atomic_inc(&vcc->stats->rx_err);
23843 + atomic_inc_unchecked(&vcc->stats->rx_err);
23844 recycle_rx_buf(card, skb);
23846 recycle_iov_buf(card, iovb);
23847 @@ -2141,7 +2141,7 @@ static void dequeue_rx(ns_dev * card, ns
23848 ("nicstar%d: Expected a large buffer, and this is not one.\n",
23850 which_list(card, skb);
23851 - atomic_inc(&vcc->stats->rx_err);
23852 + atomic_inc_unchecked(&vcc->stats->rx_err);
23853 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23854 NS_PRV_IOVCNT(iovb));
23856 @@ -2164,7 +2164,7 @@ static void dequeue_rx(ns_dev * card, ns
23857 printk(" - PDU size mismatch.\n");
23860 - atomic_inc(&vcc->stats->rx_err);
23861 + atomic_inc_unchecked(&vcc->stats->rx_err);
23862 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23863 NS_PRV_IOVCNT(iovb));
23865 @@ -2178,7 +2178,7 @@ static void dequeue_rx(ns_dev * card, ns
23866 /* skb points to a small buffer */
23867 if (!atm_charge(vcc, skb->truesize)) {
23868 push_rxbufs(card, skb);
23869 - atomic_inc(&vcc->stats->rx_drop);
23870 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23873 dequeue_sm_buf(card, skb);
23874 @@ -2188,7 +2188,7 @@ static void dequeue_rx(ns_dev * card, ns
23875 ATM_SKB(skb)->vcc = vcc;
23876 __net_timestamp(skb);
23877 vcc->push(vcc, skb);
23878 - atomic_inc(&vcc->stats->rx);
23879 + atomic_inc_unchecked(&vcc->stats->rx);
23881 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
23882 struct sk_buff *sb;
23883 @@ -2199,7 +2199,7 @@ static void dequeue_rx(ns_dev * card, ns
23884 if (len <= NS_SMBUFSIZE) {
23885 if (!atm_charge(vcc, sb->truesize)) {
23886 push_rxbufs(card, sb);
23887 - atomic_inc(&vcc->stats->rx_drop);
23888 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23891 dequeue_sm_buf(card, sb);
23892 @@ -2209,7 +2209,7 @@ static void dequeue_rx(ns_dev * card, ns
23893 ATM_SKB(sb)->vcc = vcc;
23894 __net_timestamp(sb);
23895 vcc->push(vcc, sb);
23896 - atomic_inc(&vcc->stats->rx);
23897 + atomic_inc_unchecked(&vcc->stats->rx);
23900 push_rxbufs(card, skb);
23901 @@ -2218,7 +2218,7 @@ static void dequeue_rx(ns_dev * card, ns
23903 if (!atm_charge(vcc, skb->truesize)) {
23904 push_rxbufs(card, skb);
23905 - atomic_inc(&vcc->stats->rx_drop);
23906 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23908 dequeue_lg_buf(card, skb);
23909 #ifdef NS_USE_DESTRUCTORS
23910 @@ -2231,7 +2231,7 @@ static void dequeue_rx(ns_dev * card, ns
23911 ATM_SKB(skb)->vcc = vcc;
23912 __net_timestamp(skb);
23913 vcc->push(vcc, skb);
23914 - atomic_inc(&vcc->stats->rx);
23915 + atomic_inc_unchecked(&vcc->stats->rx);
23918 push_rxbufs(card, sb);
23919 @@ -2252,7 +2252,7 @@ static void dequeue_rx(ns_dev * card, ns
23921 ("nicstar%d: Out of huge buffers.\n",
23923 - atomic_inc(&vcc->stats->rx_drop);
23924 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23925 recycle_iovec_rx_bufs(card,
23928 @@ -2303,7 +2303,7 @@ static void dequeue_rx(ns_dev * card, ns
23929 card->hbpool.count++;
23931 dev_kfree_skb_any(hb);
23932 - atomic_inc(&vcc->stats->rx_drop);
23933 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23935 /* Copy the small buffer to the huge buffer */
23936 sb = (struct sk_buff *)iov->iov_base;
23937 @@ -2340,7 +2340,7 @@ static void dequeue_rx(ns_dev * card, ns
23938 #endif /* NS_USE_DESTRUCTORS */
23939 __net_timestamp(hb);
23940 vcc->push(vcc, hb);
23941 - atomic_inc(&vcc->stats->rx);
23942 + atomic_inc_unchecked(&vcc->stats->rx);
23946 diff -urNp linux-2.6.36.2/drivers/atm/solos-pci.c linux-2.6.36.2/drivers/atm/solos-pci.c
23947 --- linux-2.6.36.2/drivers/atm/solos-pci.c 2010-10-20 16:30:22.000000000 -0400
23948 +++ linux-2.6.36.2/drivers/atm/solos-pci.c 2010-12-09 20:24:24.000000000 -0500
23949 @@ -717,7 +717,7 @@ void solos_bh(unsigned long card_arg)
23951 atm_charge(vcc, skb->truesize);
23952 vcc->push(vcc, skb);
23953 - atomic_inc(&vcc->stats->rx);
23954 + atomic_inc_unchecked(&vcc->stats->rx);
23958 @@ -1025,7 +1025,7 @@ static uint32_t fpga_tx(struct solos_car
23959 vcc = SKB_CB(oldskb)->vcc;
23962 - atomic_inc(&vcc->stats->tx);
23963 + atomic_inc_unchecked(&vcc->stats->tx);
23964 solos_pop(vcc, oldskb);
23966 dev_kfree_skb_irq(oldskb);
23967 diff -urNp linux-2.6.36.2/drivers/atm/suni.c linux-2.6.36.2/drivers/atm/suni.c
23968 --- linux-2.6.36.2/drivers/atm/suni.c 2010-10-20 16:30:22.000000000 -0400
23969 +++ linux-2.6.36.2/drivers/atm/suni.c 2010-12-09 20:24:24.000000000 -0500
23970 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
23973 #define ADD_LIMITED(s,v) \
23974 - atomic_add((v),&stats->s); \
23975 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
23976 + atomic_add_unchecked((v),&stats->s); \
23977 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
23980 static void suni_hz(unsigned long from_timer)
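Review bot: ADD_LIMITED in suni.c depends on the counter wrapping negative so that the `< 0` test can clamp it to INT_MAX, and nothing on these lines says so. That dependency is presumably why all three calls have to be the `_unchecked` variants, and it deserves a comment such as `/* saturating add: relies on wrap-around, so must use the _unchecked atomics */`. The macro also still expands to two bare statements, so a use like `if (c) ADD_LIMITED(s, v);` would guard only the add; wrapping the body in `do { ... } while (0)` avoids that. The add, read and set remain three separate atomic operations, so a concurrent reader may briefly observe a negative value. The same missing comment applies to the ADD_LIMITED macro in drivers/atm/uPD98402.c, which is already braced but equally undocumented.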
23981 diff -urNp linux-2.6.36.2/drivers/atm/uPD98402.c linux-2.6.36.2/drivers/atm/uPD98402.c
23982 --- linux-2.6.36.2/drivers/atm/uPD98402.c 2010-10-20 16:30:22.000000000 -0400
23983 +++ linux-2.6.36.2/drivers/atm/uPD98402.c 2010-12-09 20:24:24.000000000 -0500
23984 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
23985 struct sonet_stats tmp;
23988 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23989 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23990 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
23991 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
23992 if (zero && !error) {
23993 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
23996 #define ADD_LIMITED(s,v) \
23997 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
23998 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
23999 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
24000 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
24001 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
24002 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
24005 static void stat_event(struct atm_dev *dev)
24006 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
24007 if (reason & uPD98402_INT_PFM) stat_event(dev);
24008 if (reason & uPD98402_INT_PCO) {
24009 (void) GET(PCOCR); /* clear interrupt cause */
24010 - atomic_add(GET(HECCT),
24011 + atomic_add_unchecked(GET(HECCT),
24012 &PRIV(dev)->sonet_stats.uncorr_hcs);
24014 if ((reason & uPD98402_INT_RFO) &&
24015 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
24016 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
24017 uPD98402_INT_LOS),PIMR); /* enable them */
24018 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
24019 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
24020 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
24021 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
24022 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
24023 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
24024 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
24028 diff -urNp linux-2.6.36.2/drivers/atm/zatm.c linux-2.6.36.2/drivers/atm/zatm.c
24029 --- linux-2.6.36.2/drivers/atm/zatm.c 2010-10-20 16:30:22.000000000 -0400
24030 +++ linux-2.6.36.2/drivers/atm/zatm.c 2010-12-09 20:24:24.000000000 -0500
24031 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
24034 dev_kfree_skb_irq(skb);
24035 - if (vcc) atomic_inc(&vcc->stats->rx_err);
24036 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
24039 if (!atm_charge(vcc,skb->truesize)) {
24040 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
24042 ATM_SKB(skb)->vcc = vcc;
24043 vcc->push(vcc,skb);
24044 - atomic_inc(&vcc->stats->rx);
24045 + atomic_inc_unchecked(&vcc->stats->rx);
24047 zout(pos & 0xffff,MTA(mbx));
24048 #if 0 /* probably a stupid idea */
24049 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
24050 skb_queue_head(&zatm_vcc->backlog,skb);
24053 - atomic_inc(&vcc->stats->tx);
24054 + atomic_inc_unchecked(&vcc->stats->tx);
24055 wake_up(&zatm_vcc->tx_wait);
24058 diff -urNp linux-2.6.36.2/drivers/char/agp/frontend.c linux-2.6.36.2/drivers/char/agp/frontend.c
24059 --- linux-2.6.36.2/drivers/char/agp/frontend.c 2010-10-20 16:30:22.000000000 -0400
24060 +++ linux-2.6.36.2/drivers/char/agp/frontend.c 2010-12-09 20:24:14.000000000 -0500
24061 @@ -818,7 +818,7 @@ static int agpioc_reserve_wrap(struct ag
24062 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
24065 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
24066 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
24069 client = agp_find_client_by_pid(reserve.pid);
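Review bot: The overflow guard on `reserve.seg_count` now divides by `sizeof(struct agp_segment_priv)`, but nothing in the hunk says which allocation that bound protects, so a later cleanup could easily switch it back to the user-visible `struct agp_segment`. A comment above the check would pin that down, for example `/* seg_count comes from user space; bound it by the element size of the largest array allocated from it */`. The allocation itself is outside the hunk, so confirm that `struct agp_segment_priv` really is the largest element type multiplied by `seg_count` on this path. agpioc_reserve_wrap continues beyond the hunk.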
24070 diff -urNp linux-2.6.36.2/drivers/char/agp/intel-agp.c linux-2.6.36.2/drivers/char/agp/intel-agp.c
24071 --- linux-2.6.36.2/drivers/char/agp/intel-agp.c 2010-12-09 20:53:46.000000000 -0500
24072 +++ linux-2.6.36.2/drivers/char/agp/intel-agp.c 2010-12-09 20:54:34.000000000 -0500
24073 @@ -1057,7 +1057,7 @@ static struct pci_device_id agp_intel_pc
24074 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
24075 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
24076 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_S_HB),
24078 + { 0, 0, 0, 0, 0, 0, 0 }
24081 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
24082 diff -urNp linux-2.6.36.2/drivers/char/hpet.c linux-2.6.36.2/drivers/char/hpet.c
24083 --- linux-2.6.36.2/drivers/char/hpet.c 2010-12-09 20:53:46.000000000 -0500
24084 +++ linux-2.6.36.2/drivers/char/hpet.c 2010-12-09 20:54:34.000000000 -0500
24085 @@ -429,7 +429,7 @@ static int hpet_release(struct inode *in
24089 -static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
24090 +static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
24092 static long hpet_ioctl(struct file *file, unsigned int cmd,
24094 @@ -568,7 +568,7 @@ static inline unsigned long hpet_time_di
24098 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
24099 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
24101 struct hpet_timer __iomem *timer;
24102 struct hpet __iomem *hpet;
24103 @@ -611,11 +611,11 @@ hpet_ioctl_common(struct hpet_dev *devp,
24105 struct hpet_info info;
24107 + memset(&info, 0, sizeof(info));
24109 if (devp->hd_ireqfreq)
24111 hpet_time_div(hpetp, devp->hd_ireqfreq);
24113 - info.hi_ireqfreq = 0;
24115 readq(&timer->hpet_config) & Tn_PER_INT_CAP_MASK;
24116 info.hi_hpet = hpetp->hp_which;
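Review bot: The added `memset(&info, 0, sizeof(info));` has no comment saying why the whole struct is cleared, so a later cleanup could revert it to field-by-field initialisation like the removed `info.hi_ireqfreq = 0;`. If `info` is copied out to user space further down (outside this hunk), the memset is what keeps padding and unset members from carrying kernel stack contents. It should say so, e.g. `/* info is copied to user space: clear padding and unset fields */`. hpet_ioctl_common starts and ends outside the hunk.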
24117 @@ -1015,7 +1015,7 @@ static struct acpi_driver hpet_acpi_driv
24121 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
24122 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
24124 static int __init hpet_init(void)
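Review bot: The `hpet_misc` initialiser on the changed line is positional, so the added `{NULL, NULL}, NULL, NULL` depends on the member order of `struct miscdevice` and will silently shift if a member is inserted. Designated initialisers express the same thing and zero the remaining members implicitly: `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };`.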
24126 diff -urNp linux-2.6.36.2/drivers/char/hvc_console.h linux-2.6.36.2/drivers/char/hvc_console.h
24127 --- linux-2.6.36.2/drivers/char/hvc_console.h 2010-10-20 16:30:22.000000000 -0400
24128 +++ linux-2.6.36.2/drivers/char/hvc_console.h 2010-12-09 20:24:14.000000000 -0500
24129 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
24130 /* register a vterm for hvc tty operation (module_init or hotplug add) */
24131 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
24132 const struct hv_ops *ops, int outbuf_size);
24134 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
24135 extern int hvc_remove(struct hvc_struct *hp);
24137 diff -urNp linux-2.6.36.2/drivers/char/hvcs.c linux-2.6.36.2/drivers/char/hvcs.c
24138 --- linux-2.6.36.2/drivers/char/hvcs.c 2010-10-20 16:30:22.000000000 -0400
24139 +++ linux-2.6.36.2/drivers/char/hvcs.c 2010-12-09 20:24:14.000000000 -0500
24140 @@ -270,7 +270,7 @@ struct hvcs_struct {
24141 unsigned int index;
24143 struct tty_struct *tty;
24145 + atomic_t open_count;
24148 * Used to tell the driver kernel_thread what operations need to take
24149 @@ -420,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
24151 spin_lock_irqsave(&hvcsd->lock, flags);
24153 - if (hvcsd->open_count > 0) {
24154 + if (atomic_read(&hvcsd->open_count) > 0) {
24155 spin_unlock_irqrestore(&hvcsd->lock, flags);
24156 printk(KERN_INFO "HVCS: vterm state unchanged. "
24157 "The hvcs device node is still in use.\n");
24158 @@ -1136,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
24159 if ((retval = hvcs_partner_connect(hvcsd)))
24160 goto error_release;
24162 - hvcsd->open_count = 1;
24163 + atomic_set(&hvcsd->open_count, 1);
24165 tty->driver_data = hvcsd;
24167 @@ -1170,7 +1170,7 @@ fast_open:
24169 spin_lock_irqsave(&hvcsd->lock, flags);
24170 kref_get(&hvcsd->kref);
24171 - hvcsd->open_count++;
24172 + atomic_inc(&hvcsd->open_count);
24173 hvcsd->todo_mask |= HVCS_SCHED_READ;
24174 spin_unlock_irqrestore(&hvcsd->lock, flags);
24176 @@ -1214,7 +1214,7 @@ static void hvcs_close(struct tty_struct
24177 hvcsd = tty->driver_data;
24179 spin_lock_irqsave(&hvcsd->lock, flags);
24180 - if (--hvcsd->open_count == 0) {
24181 + if (atomic_dec_and_test(&hvcsd->open_count)) {
24183 vio_disable_interrupts(hvcsd->vdev);
24185 @@ -1240,10 +1240,10 @@ static void hvcs_close(struct tty_struct
24186 free_irq(irq, hvcsd);
24187 kref_put(&hvcsd->kref, destroy_hvcs_struct);
24189 - } else if (hvcsd->open_count < 0) {
24190 + } else if (atomic_read(&hvcsd->open_count) < 0) {
24191 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
24192 " is missmanaged.\n",
24193 - hvcsd->vdev->unit_address, hvcsd->open_count);
24194 + hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
24197 spin_unlock_irqrestore(&hvcsd->lock, flags);
24198 @@ -1259,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
24200 spin_lock_irqsave(&hvcsd->lock, flags);
24201 /* Preserve this so that we know how many kref refs to put */
24202 - temp_open_count = hvcsd->open_count;
24203 + temp_open_count = atomic_read(&hvcsd->open_count);
24206 * Don't kref put inside the spinlock because the destruction
24207 @@ -1274,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
24208 hvcsd->tty->driver_data = NULL;
24211 - hvcsd->open_count = 0;
24212 + atomic_set(&hvcsd->open_count, 0);
24214 /* This will drop any buffered data on the floor which is OK in a hangup
24216 @@ -1345,7 +1345,7 @@ static int hvcs_write(struct tty_struct
24217 * the middle of a write operation? This is a crummy place to do this
24218 * but we want to keep it all in the spinlock.
24220 - if (hvcsd->open_count <= 0) {
24221 + if (atomic_read(&hvcsd->open_count) <= 0) {
24222 spin_unlock_irqrestore(&hvcsd->lock, flags);
24225 @@ -1419,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
24227 struct hvcs_struct *hvcsd = tty->driver_data;
24229 - if (!hvcsd || hvcsd->open_count <= 0)
24230 + if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
24233 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
24234 diff -urNp linux-2.6.36.2/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.36.2/drivers/char/ipmi/ipmi_msghandler.c
24235 --- linux-2.6.36.2/drivers/char/ipmi/ipmi_msghandler.c 2010-10-20 16:30:22.000000000 -0400
24236 +++ linux-2.6.36.2/drivers/char/ipmi/ipmi_msghandler.c 2010-12-09 20:24:15.000000000 -0500
24237 @@ -414,7 +414,7 @@ struct ipmi_smi {
24238 struct proc_dir_entry *proc_dir;
24239 char proc_dir_name[10];
24241 - atomic_t stats[IPMI_NUM_STATS];
24242 + atomic_unchecked_t stats[IPMI_NUM_STATS];
24245 * run_to_completion duplicate of smb_info, smi_info
24246 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
24249 #define ipmi_inc_stat(intf, stat) \
24250 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
24251 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
24252 #define ipmi_get_stat(intf, stat) \
24253 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
24254 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
24256 static int is_lan_addr(struct ipmi_addr *addr)
24258 @@ -2817,7 +2817,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
24259 INIT_LIST_HEAD(&intf->cmd_rcvrs);
24260 init_waitqueue_head(&intf->waitq);
24261 for (i = 0; i < IPMI_NUM_STATS; i++)
24262 - atomic_set(&intf->stats[i], 0);
24263 + atomic_set_unchecked(&intf->stats[i], 0);
24265 intf->proc_dir = NULL;
24267 diff -urNp linux-2.6.36.2/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.36.2/drivers/char/ipmi/ipmi_si_intf.c
24268 --- linux-2.6.36.2/drivers/char/ipmi/ipmi_si_intf.c 2010-12-09 20:53:46.000000000 -0500
24269 +++ linux-2.6.36.2/drivers/char/ipmi/ipmi_si_intf.c 2010-12-09 20:54:34.000000000 -0500
24270 @@ -286,7 +286,7 @@ struct smi_info {
24271 unsigned char slave_addr;
24273 /* Counters and things for the proc filesystem. */
24274 - atomic_t stats[SI_NUM_STATS];
24275 + atomic_unchecked_t stats[SI_NUM_STATS];
24277 struct task_struct *thread;
24279 @@ -294,9 +294,9 @@ struct smi_info {
24282 #define smi_inc_stat(smi, stat) \
24283 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
24284 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
24285 #define smi_get_stat(smi, stat) \
24286 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
24287 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
24289 #define SI_MAX_PARMS 4
24291 @@ -3179,7 +3179,7 @@ static int try_smi_init(struct smi_info
24292 atomic_set(&new_smi->req_events, 0);
24293 new_smi->run_to_completion = 0;
24294 for (i = 0; i < SI_NUM_STATS; i++)
24295 - atomic_set(&new_smi->stats[i], 0);
24296 + atomic_set_unchecked(&new_smi->stats[i], 0);
24298 new_smi->interrupt_disabled = 1;
24299 atomic_set(&new_smi->stop_operation, 0);
24300 diff -urNp linux-2.6.36.2/drivers/char/keyboard.c linux-2.6.36.2/drivers/char/keyboard.c
24301 --- linux-2.6.36.2/drivers/char/keyboard.c 2010-10-20 16:30:22.000000000 -0400
24302 +++ linux-2.6.36.2/drivers/char/keyboard.c 2010-12-09 20:24:14.000000000 -0500
24303 @@ -640,6 +640,16 @@ static void k_spec(struct vc_data *vc, u
24304 kbd->kbdmode == VC_MEDIUMRAW) &&
24305 value != KVAL(K_SAK))
24306 return; /* SAK is allowed even in raw mode */
24308 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
24310 + void *func = fn_handler[value];
24311 + if (func == fn_show_state || func == fn_show_ptregs ||
24312 + func == fn_show_mem)
24317 fn_handler[value](vc);
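Review bot: In the added CONFIG_GRKERNSEC_PROC block of k_spec, `void *func = fn_handler[value];` stores a function pointer in a `void *` before comparing it with function names. ISO C does not define that conversion, and it discards the type the table already has. Declaring it with the table's element type, `fn_handler_fn *func = fn_handler[value];`, keeps the comparison type-checked. The block also lacks a comment recording why these three handlers are singled out, for example `/* do not dump task state, registers or memory info to the console when /proc is restricted */`. The statement guarded by the `if` is not visible in this listing, and k_spec begins outside the hunk.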
24320 @@ -1396,7 +1406,7 @@ static const struct input_device_id kbd_
24321 .evbit = { BIT_MASK(EV_SND) },
24324 - { }, /* Terminating entry */
24325 + { 0 }, /* Terminating entry */
24328 MODULE_DEVICE_TABLE(input, kbd_ids);
24329 diff -urNp linux-2.6.36.2/drivers/char/mem.c linux-2.6.36.2/drivers/char/mem.c
24330 --- linux-2.6.36.2/drivers/char/mem.c 2010-10-20 16:30:22.000000000 -0400
24331 +++ linux-2.6.36.2/drivers/char/mem.c 2010-12-09 20:24:14.000000000 -0500
24333 #include <linux/raw.h>
24334 #include <linux/tty.h>
24335 #include <linux/capability.h>
24336 +#include <linux/security.h>
24337 #include <linux/ptrace.h>
24338 #include <linux/device.h>
24339 #include <linux/highmem.h>
24341 # include <linux/efi.h>
24344 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
24345 +extern struct file_operations grsec_fops;
24348 static inline unsigned long size_inside_page(unsigned long start,
24349 unsigned long size)
24351 @@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil
24353 while (count > 0) {
24354 unsigned long remaining;
24357 sz = size_inside_page(p, count);
24359 @@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil
24363 - remaining = copy_to_user(buf, ptr, sz);
24364 +#ifdef CONFIG_PAX_USERCOPY
24365 + temp = kmalloc(sz, GFP_KERNEL);
24367 + unxlate_dev_mem_ptr(p, ptr);
24370 + memcpy(temp, ptr, sz);
24375 + remaining = copy_to_user(buf, temp, sz);
24377 +#ifdef CONFIG_PAX_USERCOPY
24381 unxlate_dev_mem_ptr(p, ptr);
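Review bot: Neither this CONFIG_PAX_USERCOPY block in read_mem nor the matching one in the read_kmem hunk at `@@ -431,7 +464,22 @@` says why the data is staged through `temp` before `copy_to_user()`. If that is the intent, a line such as `/* stage through a slab object so the usercopy bounds check sees a sized buffer */` would keep the bounce copy from being optimised away later. The buffer is also allocated with `kmalloc(sz, GFP_KERNEL)` on every pass of the `while (count > 0)` loop. Judging by `size_inside_page()`, `sz` is bounded by one page, so a single page-sized buffer allocated before the loop would leave one failure path instead of one per iteration. The allocation-failure branch and the matching `kfree()` are not visible in this listing, and read_mem continues outside the hunk.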
24384 @@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi
24385 if (!valid_phys_addr_range(p, count))
24388 +#ifdef CONFIG_GRKERNSEC_KMEM
24389 + gr_handle_mem_write();
24395 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
24396 @@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s
24397 &vma->vm_page_prot))
24400 +#ifdef CONFIG_GRKERNSEC_KMEM
24401 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
24405 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
24407 vma->vm_page_prot);
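Review bot: The argument `vma->vm_pgoff << PAGE_SHIFT` passed to `gr_handle_mem_mmap()` is evaluated in `unsigned long`, so on a 32-bit kernel a page offset at or above 4 GiB wraps. The policy check would then look at a different physical address than the one being mapped. Passing the page frame number itself, or widening first with `(u64)vma->vm_pgoff << PAGE_SHIFT`, avoids the truncation. Either needs the helper's parameter type to match, and its prototype is not part of this hunk. The statement under the `if` is not visible here either, and mmap_mem starts and ends outside the hunk.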
24408 @@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi
24409 size_t count, loff_t *ppos)
24411 unsigned long p = *ppos;
24412 - ssize_t low_count, read, sz;
24413 + ssize_t low_count, read, sz, err = 0;
24414 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
24418 if (p < (unsigned long) high_memory) {
24419 @@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi
24422 while (low_count > 0) {
24425 sz = size_inside_page(p, low_count);
24428 @@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi
24430 kbuf = xlate_dev_kmem_ptr((char *)p);
24432 - if (copy_to_user(buf, kbuf, sz))
24433 +#ifdef CONFIG_PAX_USERCOPY
24434 + temp = kmalloc(sz, GFP_KERNEL);
24437 + memcpy(temp, kbuf, sz);
24442 + err = copy_to_user(buf, temp, sz);
24444 +#ifdef CONFIG_PAX_USERCOPY
24452 @@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f
24453 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
24456 +#ifdef CONFIG_GRKERNSEC_KMEM
24457 + gr_handle_kmem_write();
24461 if (p < (unsigned long) high_memory) {
24462 unsigned long to_write = min_t(unsigned long, count,
24463 (unsigned long)high_memory - p);
24464 @@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file *
24466 static int open_port(struct inode * inode, struct file * filp)
24468 +#ifdef CONFIG_GRKERNSEC_KMEM
24469 + gr_handle_open_port();
24473 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
24476 +static int open_mem(struct inode * inode, struct file * filp)
24478 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
24481 @@ -738,7 +801,6 @@ static int open_port(struct inode * inod
24482 #define full_lseek null_lseek
24483 #define write_zero write_null
24484 #define read_full read_zero
24485 -#define open_mem open_port
24486 #define open_kmem open_mem
24487 #define open_oldmem open_mem
24489 @@ -855,6 +917,9 @@ static const struct memdev {
24490 #ifdef CONFIG_CRASH_DUMP
24491 [12] = { "oldmem", 0, &oldmem_fops, NULL },
24493 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
24494 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
24498 static int memory_open(struct inode *inode, struct file *filp)
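Review bot: The new `[13]` entry registers the `grsec` node with `S_IRUSR | S_IWUGO`, i.e. writable by every user, and nothing beside it says that this is deliberate. With that mode the only access control is whatever the write handler in `grsec_fops` enforces, and that handler is defined outside this file. Assuming that is the design, the entry deserves a comment such as `/* world-writable on purpose: callers authenticate inside grsec_fops */`. Separately, `grsec_fops` is declared `extern` inside mem.c at the top of this file section rather than in a shared header, so a mismatch with its definition would not be caught by the compiler.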
24499 diff -urNp linux-2.6.36.2/drivers/char/n_gsm.c linux-2.6.36.2/drivers/char/n_gsm.c
24500 --- linux-2.6.36.2/drivers/char/n_gsm.c 2010-10-20 16:30:22.000000000 -0400
24501 +++ linux-2.6.36.2/drivers/char/n_gsm.c 2010-12-09 20:24:14.000000000 -0500
24502 @@ -1577,7 +1577,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
24504 spin_lock_init(&dlci->lock);
24505 dlci->fifo = &dlci->_fifo;
24506 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
24507 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
24511 diff -urNp linux-2.6.36.2/drivers/char/n_tty.c linux-2.6.36.2/drivers/char/n_tty.c
24512 --- linux-2.6.36.2/drivers/char/n_tty.c 2010-10-20 16:30:22.000000000 -0400
24513 +++ linux-2.6.36.2/drivers/char/n_tty.c 2010-12-09 20:24:15.000000000 -0500
24514 @@ -2116,6 +2116,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
24516 *ops = tty_ldisc_N_TTY;
24518 - ops->refcount = ops->flags = 0;
24519 + atomic_set(&ops->refcount, 0);
24522 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
24523 diff -urNp linux-2.6.36.2/drivers/char/nvram.c linux-2.6.36.2/drivers/char/nvram.c
24524 --- linux-2.6.36.2/drivers/char/nvram.c 2010-10-20 16:30:22.000000000 -0400
24525 +++ linux-2.6.36.2/drivers/char/nvram.c 2010-12-09 20:24:14.000000000 -0500
24526 @@ -245,7 +245,7 @@ static ssize_t nvram_read(struct file *f
24528 spin_unlock_irq(&rtc_lock);
24530 - if (copy_to_user(buf, contents, tmp - contents))
24531 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
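Review bot: The added `tmp - contents > sizeof(contents)` test sits after `contents` has been filled, so it can only stop an over-long copy to user space. It cannot stop the out-of-bounds write that would have produced such a `tmp` in the first place; the loop that advances `tmp` is outside this hunk. The test also compares a signed pointer difference with a `size_t` and relies on the implicit conversion to reject a negative value. If it is kept as defence in depth, a comment should say so, and the limit belongs on the fill loop.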
24535 @@ -434,7 +434,10 @@ static const struct file_operations nvra
24536 static struct miscdevice nvram_dev = {
24546 static int __init nvram_init(void)
24547 diff -urNp linux-2.6.36.2/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.36.2/drivers/char/pcmcia/ipwireless/tty.c
24548 --- linux-2.6.36.2/drivers/char/pcmcia/ipwireless/tty.c 2010-10-20 16:30:22.000000000 -0400
24549 +++ linux-2.6.36.2/drivers/char/pcmcia/ipwireless/tty.c 2010-12-09 20:24:15.000000000 -0500
24550 @@ -51,7 +51,7 @@ struct ipw_tty {
24552 struct ipw_network *network;
24553 struct tty_struct *linux_tty;
24555 + atomic_t open_count;
24556 unsigned int control_lines;
24557 struct mutex ipw_tty_mutex;
24558 int tx_bytes_queued;
24559 @@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
24560 mutex_unlock(&tty->ipw_tty_mutex);
24563 - if (tty->open_count == 0)
24564 + if (atomic_read(&tty->open_count) == 0)
24565 tty->tx_bytes_queued = 0;
24567 - tty->open_count++;
24568 + atomic_inc(&tty->open_count);
24570 tty->linux_tty = linux_tty;
24571 linux_tty->driver_data = tty;
24572 @@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
24574 static void do_ipw_close(struct ipw_tty *tty)
24576 - tty->open_count--;
24578 - if (tty->open_count == 0) {
24579 + if (atomic_dec_return(&tty->open_count) == 0) {
24580 struct tty_struct *linux_tty = tty->linux_tty;
24582 if (linux_tty != NULL) {
24583 @@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
24586 mutex_lock(&tty->ipw_tty_mutex);
24587 - if (tty->open_count == 0) {
24588 + if (atomic_read(&tty->open_count) == 0) {
24589 mutex_unlock(&tty->ipw_tty_mutex);
24592 @@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
24596 - if (!tty->open_count) {
24597 + if (!atomic_read(&tty->open_count)) {
24598 mutex_unlock(&tty->ipw_tty_mutex);
24601 @@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
24604 mutex_lock(&tty->ipw_tty_mutex);
24605 - if (!tty->open_count) {
24606 + if (!atomic_read(&tty->open_count)) {
24607 mutex_unlock(&tty->ipw_tty_mutex);
24610 @@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
24614 - if (!tty->open_count)
24615 + if (!atomic_read(&tty->open_count))
24618 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
24619 @@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
24623 - if (!tty->open_count)
24624 + if (!atomic_read(&tty->open_count))
24627 return tty->tx_bytes_queued;
24628 @@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
24632 - if (!tty->open_count)
24633 + if (!atomic_read(&tty->open_count))
24636 return get_control_lines(tty);
24637 @@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
24641 - if (!tty->open_count)
24642 + if (!atomic_read(&tty->open_count))
24645 return set_control_lines(tty, set, clear);
24646 @@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
24650 - if (!tty->open_count)
24651 + if (!atomic_read(&tty->open_count))
24654 /* FIXME: Exactly how is the tty object locked here .. */
24655 @@ -582,7 +580,7 @@ void ipwireless_tty_free(struct ipw_tty
24656 against a parallel ioctl etc */
24657 mutex_lock(&ttyj->ipw_tty_mutex);
24659 - while (ttyj->open_count)
24660 + while (atomic_read(&ttyj->open_count))
24661 do_ipw_close(ttyj);
24662 ipwireless_disassociate_network_ttys(network,
24663 ttyj->channel_idx);
24664 diff -urNp linux-2.6.36.2/drivers/char/pty.c linux-2.6.36.2/drivers/char/pty.c
24665 --- linux-2.6.36.2/drivers/char/pty.c 2010-10-20 16:30:22.000000000 -0400
24666 +++ linux-2.6.36.2/drivers/char/pty.c 2010-12-09 20:24:14.000000000 -0500
24667 @@ -698,7 +698,18 @@ out:
24671 -static struct file_operations ptmx_fops;
24672 +static const struct file_operations ptmx_fops = {
24673 + .llseek = no_llseek,
24674 + .read = tty_read,
24675 + .write = tty_write,
24676 + .poll = tty_poll,
24677 + .unlocked_ioctl = tty_ioctl,
24678 + .compat_ioctl = tty_compat_ioctl,
24679 + .open = ptmx_open,
24680 + .release = tty_release,
24681 + .fasync = tty_fasync,
24685 static void __init unix98_pty_init(void)
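Review bot: The new `ptmx_fops` initialiser copies the tty file operations member by member, where the removed code took them from `tty_default_fops()` and overrode only `.open`. Nothing now ties the two tables together. If a member is later added to or changed in the tty table in tty_io.c, `/dev/ptmx` will silently keep the old set. A comment above the initialiser, e.g. `/* must mirror tty_fops in tty_io.c except for .open */`, would flag the coupling for whoever edits either side.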
24687 @@ -752,9 +763,6 @@ static void __init unix98_pty_init(void)
24688 register_sysctl_table(pty_root_table);
24690 /* Now create the /dev/ptmx special device */
24691 - tty_default_fops(&ptmx_fops);
24692 - ptmx_fops.open = ptmx_open;
24694 cdev_init(&ptmx_cdev, &ptmx_fops);
24695 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
24696 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
24697 diff -urNp linux-2.6.36.2/drivers/char/random.c linux-2.6.36.2/drivers/char/random.c
24698 --- linux-2.6.36.2/drivers/char/random.c 2010-10-20 16:30:22.000000000 -0400
24699 +++ linux-2.6.36.2/drivers/char/random.c 2010-12-09 20:24:14.000000000 -0500
24700 @@ -254,8 +254,13 @@
24702 * Configuration information
24704 +#ifdef CONFIG_GRKERNSEC_RANDNET
24705 +#define INPUT_POOL_WORDS 512
24706 +#define OUTPUT_POOL_WORDS 128
24708 #define INPUT_POOL_WORDS 128
24709 #define OUTPUT_POOL_WORDS 32
24711 #define SEC_XFER_SIZE 512
24712 #define EXTRACT_SIZE 10
24714 @@ -293,10 +298,17 @@ static struct poolinfo {
24716 int tap1, tap2, tap3, tap4, tap5;
24717 } poolinfo_table[] = {
24718 +#ifdef CONFIG_GRKERNSEC_RANDNET
24719 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
24720 + { 512, 411, 308, 208, 104, 1 },
24721 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
24722 + { 128, 103, 76, 51, 25, 1 },
24724 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
24725 { 128, 103, 76, 51, 25, 1 },
24726 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
24727 { 32, 26, 20, 14, 7, 1 },
24730 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
24731 { 2048, 1638, 1231, 819, 411, 1 },
24732 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
24734 extract_buf(r, tmp);
24735 i = min_t(int, nbytes, EXTRACT_SIZE);
24736 - if (copy_to_user(buf, tmp, i)) {
24737 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
24741 @@ -1205,7 +1217,7 @@ EXPORT_SYMBOL(generate_random_uuid);
24742 #include <linux/sysctl.h>
24744 static int min_read_thresh = 8, min_write_thresh;
24745 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
24746 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
24747 static int max_write_thresh = INPUT_POOL_WORDS * 32;
24748 static char sysctl_bootid[16];
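Review bot: `max_read_thresh` is changed from `INPUT_POOL_WORDS * 32` to `OUTPUT_POOL_WORDS * 32` unconditionally, so with the default pool sizes the limit drops from 4096 to 1024 even when CONFIG_GRKERNSEC_RANDNET is off. The pool-size hunks earlier in this file are guarded by that option, which makes this line look either unintentionally unguarded or undocumented. If the lower bound is intended, a comment such as `/* read wakeup threshold is bounded by the output pool size */` should say so. The use of this variable, presumably as a sysctl bound, is outside the hunk.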
24750 diff -urNp linux-2.6.36.2/drivers/char/sonypi.c linux-2.6.36.2/drivers/char/sonypi.c
24751 --- linux-2.6.36.2/drivers/char/sonypi.c 2010-10-20 16:30:22.000000000 -0400
24752 +++ linux-2.6.36.2/drivers/char/sonypi.c 2010-12-09 20:24:15.000000000 -0500
24753 @@ -491,7 +491,7 @@ static struct sonypi_device {
24754 spinlock_t fifo_lock;
24755 wait_queue_head_t fifo_proc_list;
24756 struct fasync_struct *fifo_async;
24758 + atomic_t open_count;
24760 struct input_dev *input_jog_dev;
24761 struct input_dev *input_key_dev;
24762 @@ -898,7 +898,7 @@ static int sonypi_misc_fasync(int fd, st
24763 static int sonypi_misc_release(struct inode *inode, struct file *file)
24765 mutex_lock(&sonypi_device.lock);
24766 - sonypi_device.open_count--;
24767 + atomic_dec(&sonypi_device.open_count);
24768 mutex_unlock(&sonypi_device.lock);
24771 @@ -907,9 +907,9 @@ static int sonypi_misc_open(struct inode
24773 mutex_lock(&sonypi_device.lock);
24774 /* Flush input queue on first open */
24775 - if (!sonypi_device.open_count)
24776 + if (!atomic_read(&sonypi_device.open_count))
24777 kfifo_reset(&sonypi_device.fifo);
24778 - sonypi_device.open_count++;
24779 + atomic_inc(&sonypi_device.open_count);
24780 mutex_unlock(&sonypi_device.lock);
24783 diff -urNp linux-2.6.36.2/drivers/char/tpm/tpm_bios.c linux-2.6.36.2/drivers/char/tpm/tpm_bios.c
24784 --- linux-2.6.36.2/drivers/char/tpm/tpm_bios.c 2010-10-20 16:30:22.000000000 -0400
24785 +++ linux-2.6.36.2/drivers/char/tpm/tpm_bios.c 2010-12-09 20:24:15.000000000 -0500
24786 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
24789 if ((event->event_type == 0 && event->event_size == 0) ||
24790 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
24791 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
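Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` removes the overflow in the old addition, but the subtraction itself wraps to a very large value if fewer than `sizeof(struct tcpa_event)` bytes remain between `addr` and `limit`. In that case the test would pass for any `event_size`. The precondition is presumably established by an earlier check in tpm_bios_measurements_start, which is outside this hunk. The same applies to the `limit - v` form in the tpm_bios_measurements_next hunk. A comment on both lines, e.g. `/* limit - addr > sizeof(struct tcpa_event) was checked above */`, would keep the dependency from being lost in a later edit.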
24795 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
24798 if ((event->event_type == 0 && event->event_size == 0) ||
24799 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
24800 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
24804 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
24807 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
24808 - seq_putc(m, data[i]);
24809 + if (!seq_putc(m, data[i]))
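Review bot: The condition `if (!seq_putc(m, data[i]))` looks inverted. In this kernel series `seq_putc()` returns 0 when the byte was stored and a negative value when the buffer is full, so the branch is taken on success. The statement under the `if` is not visible in this listing, but if it is an error return the loop stops after the first byte of every event. The check would then read `if (seq_putc(m, data[i]))`.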
24814 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
24815 log->bios_event_log_end = log->bios_event_log + len;
24817 virt = acpi_os_map_memory(start, len);
24819 + kfree(log->bios_event_log);
24820 + log->bios_event_log = NULL;
24824 memcpy(log->bios_event_log, virt, len);
24826 diff -urNp linux-2.6.36.2/drivers/char/tty_io.c linux-2.6.36.2/drivers/char/tty_io.c
24827 --- linux-2.6.36.2/drivers/char/tty_io.c 2010-12-09 20:53:46.000000000 -0500
24828 +++ linux-2.6.36.2/drivers/char/tty_io.c 2010-12-09 20:54:34.000000000 -0500
24829 @@ -139,21 +139,11 @@ EXPORT_SYMBOL(tty_mutex);
24830 /* Spinlock to protect the tty->tty_files list */
24831 DEFINE_SPINLOCK(tty_files_lock);
24833 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
24834 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
24835 ssize_t redirected_tty_write(struct file *, const char __user *,
24837 -static unsigned int tty_poll(struct file *, poll_table *);
24838 static int tty_open(struct inode *, struct file *);
24839 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
24840 -#ifdef CONFIG_COMPAT
24841 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24842 - unsigned long arg);
24844 -#define tty_compat_ioctl NULL
24846 static int __tty_fasync(int fd, struct file *filp, int on);
24847 -static int tty_fasync(int fd, struct file *filp, int on);
24848 static void release_tty(struct tty_struct *tty, int idx);
24849 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24850 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24851 @@ -932,7 +922,7 @@ EXPORT_SYMBOL(start_tty);
24852 * read calls may be outstanding in parallel.
24855 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24856 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24860 @@ -958,6 +948,8 @@ static ssize_t tty_read(struct file *fil
24864 +EXPORT_SYMBOL(tty_read);
24866 void tty_write_unlock(struct tty_struct *tty)
24868 mutex_unlock(&tty->atomic_write_lock);
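Review bot: `EXPORT_SYMBOL(tty_read)` here, and the matching exports of `tty_write`, `tty_release`, `tty_poll`, `tty_fasync`, `tty_ioctl` and `tty_compat_ioctl` in the later hunks of this file, make the core tty file operations callable from any loadable module. The only new user visible in this patch is the `ptmx_fops` table in pty.c. If pty.c is always built into the kernel, dropping `static` and declaring the functions in a header is enough and no export is needed. If a modular user does exist, `EXPORT_SYMBOL_GPL` would match the neighbouring `EXPORT_SYMBOL_GPL(get_current_tty)` and keep the exposure narrower.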
24869 @@ -1107,7 +1099,7 @@ void tty_write_message(struct tty_struct
24870 * write method will not be invoked in parallel for each device.
24873 -static ssize_t tty_write(struct file *file, const char __user *buf,
24874 +ssize_t tty_write(struct file *file, const char __user *buf,
24875 size_t count, loff_t *ppos)
24877 struct inode *inode = file->f_path.dentry->d_inode;
24878 @@ -1133,6 +1125,8 @@ static ssize_t tty_write(struct file *fi
24882 +EXPORT_SYMBOL(tty_write);
24884 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
24885 size_t count, loff_t *ppos)
24887 @@ -1947,6 +1941,8 @@ got_driver:
24891 +EXPORT_SYMBOL(tty_release);
24894 * tty_poll - check tty status
24895 * @filp: file being polled
24896 @@ -1959,7 +1955,7 @@ got_driver:
24897 * may be re-entered freely by other callers.
24900 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
24901 +unsigned int tty_poll(struct file *filp, poll_table *wait)
24903 struct tty_struct *tty = file_tty(filp);
24904 struct tty_ldisc *ld;
24905 @@ -2016,7 +2012,9 @@ out:
24909 -static int tty_fasync(int fd, struct file *filp, int on)
24910 +EXPORT_SYMBOL(tty_poll);
24912 +int tty_fasync(int fd, struct file *filp, int on)
24916 @@ -2025,6 +2023,8 @@ static int tty_fasync(int fd, struct fil
24920 +EXPORT_SYMBOL(tty_fasync);
24923 * tiocsti - fake input character
24924 * @tty: tty to fake input into
24925 @@ -2657,8 +2657,10 @@ long tty_ioctl(struct file *file, unsign
24929 +EXPORT_SYMBOL(tty_ioctl);
24931 #ifdef CONFIG_COMPAT
24932 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24933 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
24936 struct inode *inode = file->f_dentry->d_inode;
24937 @@ -2682,6 +2684,9 @@ static long tty_compat_ioctl(struct file
24942 +EXPORT_SYMBOL(tty_compat_ioctl);
24947 @@ -3125,11 +3130,6 @@ struct tty_struct *get_current_tty(void)
24949 EXPORT_SYMBOL_GPL(get_current_tty);
24951 -void tty_default_fops(struct file_operations *fops)
24953 - *fops = tty_fops;
24957 * Initialize the console device. This is called *early*, so
24958 * we can't necessarily depend on lots of kernel help here.
24959 diff -urNp linux-2.6.36.2/drivers/char/tty_ldisc.c linux-2.6.36.2/drivers/char/tty_ldisc.c
24960 --- linux-2.6.36.2/drivers/char/tty_ldisc.c 2010-12-09 20:53:46.000000000 -0500
24961 +++ linux-2.6.36.2/drivers/char/tty_ldisc.c 2010-12-09 20:54:34.000000000 -0500
24962 @@ -76,7 +76,7 @@ static void put_ldisc(struct tty_ldisc *
24963 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
24964 struct tty_ldisc_ops *ldo = ld->ops;
24967 + atomic_dec(&ldo->refcount);
24968 module_put(ldo->owner);
24969 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24971 @@ -111,7 +111,7 @@ int tty_register_ldisc(int disc, struct
24972 spin_lock_irqsave(&tty_ldisc_lock, flags);
24973 tty_ldiscs[disc] = new_ldisc;
24974 new_ldisc->num = disc;
24975 - new_ldisc->refcount = 0;
24976 + atomic_set(&new_ldisc->refcount, 0);
24977 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24980 @@ -139,7 +139,7 @@ int tty_unregister_ldisc(int disc)
24983 spin_lock_irqsave(&tty_ldisc_lock, flags);
24984 - if (tty_ldiscs[disc]->refcount)
24985 + if (atomic_read(&tty_ldiscs[disc]->refcount))
24988 tty_ldiscs[disc] = NULL;
24989 @@ -160,7 +160,7 @@ static struct tty_ldisc_ops *get_ldops(i
24991 ret = ERR_PTR(-EAGAIN);
24992 if (try_module_get(ldops->owner)) {
24993 - ldops->refcount++;
24994 + atomic_inc(&ldops->refcount);
24998 @@ -173,7 +173,7 @@ static void put_ldops(struct tty_ldisc_o
24999 unsigned long flags;
25001 spin_lock_irqsave(&tty_ldisc_lock, flags);
25002 - ldops->refcount--;
25003 + atomic_dec(&ldops->refcount);
25004 module_put(ldops->owner);
25005 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
25007 diff -urNp linux-2.6.36.2/drivers/char/vt_ioctl.c linux-2.6.36.2/drivers/char/vt_ioctl.c
25008 --- linux-2.6.36.2/drivers/char/vt_ioctl.c 2010-12-09 20:53:46.000000000 -0500
25009 +++ linux-2.6.36.2/drivers/char/vt_ioctl.c 2010-12-09 20:54:34.000000000 -0500
25010 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
25011 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
25014 - if (!capable(CAP_SYS_TTY_CONFIG))
25019 key_map = key_maps[s];
25020 @@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
25021 val = (i ? K_HOLE : K_NOSUCHMAP);
25022 return put_user(val, &user_kbe->kb_value);
25024 + if (!capable(CAP_SYS_TTY_CONFIG))
25030 if (!i && v == K_NOSUCHMAP) {
25031 /* deallocate map */
25032 key_map = key_maps[s];
25033 @@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
25037 - if (!capable(CAP_SYS_TTY_CONFIG))
25040 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
25043 @@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
25045 return ((p && *p) ? -EOVERFLOW : 0);
25047 + if (!capable(CAP_SYS_TTY_CONFIG))
25053 diff -urNp linux-2.6.36.2/drivers/cpuidle/sysfs.c linux-2.6.36.2/drivers/cpuidle/sysfs.c
25054 --- linux-2.6.36.2/drivers/cpuidle/sysfs.c 2010-10-20 16:30:22.000000000 -0400
25055 +++ linux-2.6.36.2/drivers/cpuidle/sysfs.c 2010-12-09 20:24:12.000000000 -0500
25056 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
25057 .release = cpuidle_state_sysfs_release,
25060 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
25061 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
25063 kobject_put(&device->kobjs[i]->kobj);
25064 wait_for_completion(&device->kobjs[i]->kobj_unregister);
25065 diff -urNp linux-2.6.36.2/drivers/edac/edac_core.h linux-2.6.36.2/drivers/edac/edac_core.h
25066 --- linux-2.6.36.2/drivers/edac/edac_core.h 2010-10-20 16:30:22.000000000 -0400
25067 +++ linux-2.6.36.2/drivers/edac/edac_core.h 2010-12-09 20:24:15.000000000 -0500
25068 @@ -85,11 +85,11 @@ extern const char *edac_mem_types[];
25070 #else /* !CONFIG_EDAC_DEBUG */
25072 -#define debugf0( ... )
25073 -#define debugf1( ... )
25074 -#define debugf2( ... )
25075 -#define debugf3( ... )
25076 -#define debugf4( ... )
25077 +#define debugf0( ... ) do {} while (0)
25078 +#define debugf1( ... ) do {} while (0)
25079 +#define debugf2( ... ) do {} while (0)
25080 +#define debugf3( ... ) do {} while (0)
25081 +#define debugf4( ... ) do {} while (0)
25083 #endif /* !CONFIG_EDAC_DEBUG */
25085 diff -urNp linux-2.6.36.2/drivers/edac/edac_mc_sysfs.c linux-2.6.36.2/drivers/edac/edac_mc_sysfs.c
25086 --- linux-2.6.36.2/drivers/edac/edac_mc_sysfs.c 2010-10-20 16:30:22.000000000 -0400
25087 +++ linux-2.6.36.2/drivers/edac/edac_mc_sysfs.c 2010-12-09 20:24:15.000000000 -0500
25088 @@ -764,7 +764,7 @@ static void edac_inst_grp_release(struct
25091 /* Intermediate show/store table */
25092 -static struct sysfs_ops inst_grp_ops = {
25093 +static const struct sysfs_ops inst_grp_ops = {
25094 .show = inst_grp_show,
25095 .store = inst_grp_store
25097 diff -urNp linux-2.6.36.2/drivers/firewire/core-cdev.c linux-2.6.36.2/drivers/firewire/core-cdev.c
25098 --- linux-2.6.36.2/drivers/firewire/core-cdev.c 2010-10-20 16:30:22.000000000 -0400
25099 +++ linux-2.6.36.2/drivers/firewire/core-cdev.c 2010-12-09 20:24:21.000000000 -0500
25100 @@ -1329,8 +1329,7 @@ static int init_iso_resource(struct clie
25103 if ((request->channels == 0 && request->bandwidth == 0) ||
25104 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
25105 - request->bandwidth < 0)
25106 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
25109 r = kmalloc(sizeof(*r), GFP_KERNEL);
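Review bot: Dropping `request->bandwidth < 0` is only safe if `bandwidth` is an unsigned field, and its declaration is not in this hunk. If it is unsigned, the removed test was dead code and the upper bound `request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL` already rejects wrapped values. In that case a short comment next to the condition would record the assumption, e.g. `/* bandwidth is unsigned: the upper bound also covers "negative" input */`. init_iso_resource's body starts and ends outside the hunk.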
25110 diff -urNp linux-2.6.36.2/drivers/firmware/dmi_scan.c linux-2.6.36.2/drivers/firmware/dmi_scan.c
25111 --- linux-2.6.36.2/drivers/firmware/dmi_scan.c 2010-10-20 16:30:22.000000000 -0400
25112 +++ linux-2.6.36.2/drivers/firmware/dmi_scan.c 2010-12-09 20:24:29.000000000 -0500
25113 @@ -412,11 +412,6 @@ void __init dmi_scan_machine(void)
25118 - * no iounmap() for that ioremap(); it would be a no-op, but
25119 - * it's so early in setup that sucker gets confused into doing
25120 - * what it shouldn't if we actually call it.
25122 p = dmi_ioremap(0xF0000, 0x10000);
25125 diff -urNp linux-2.6.36.2/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.36.2/drivers/gpu/drm/drm_crtc_helper.c
25126 --- linux-2.6.36.2/drivers/gpu/drm/drm_crtc_helper.c 2010-10-20 16:30:22.000000000 -0400
25127 +++ linux-2.6.36.2/drivers/gpu/drm/drm_crtc_helper.c 2010-12-09 20:24:23.000000000 -0500
25128 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
25129 struct drm_crtc *tmp;
25132 - WARN(!crtc, "checking null crtc?");
25137 diff -urNp linux-2.6.36.2/drivers/gpu/drm/drm_drv.c linux-2.6.36.2/drivers/gpu/drm/drm_drv.c
25138 --- linux-2.6.36.2/drivers/gpu/drm/drm_drv.c 2010-10-20 16:30:22.000000000 -0400
25139 +++ linux-2.6.36.2/drivers/gpu/drm/drm_drv.c 2010-12-09 20:24:23.000000000 -0500
25140 @@ -428,7 +428,7 @@ long drm_ioctl(struct file *filp,
25142 dev = file_priv->minor->dev;
25143 atomic_inc(&dev->ioctl_count);
25144 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
25145 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
25146 ++file_priv->ioctl_count;
25148 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
25149 diff -urNp linux-2.6.36.2/drivers/gpu/drm/drm_fops.c linux-2.6.36.2/drivers/gpu/drm/drm_fops.c
25150 --- linux-2.6.36.2/drivers/gpu/drm/drm_fops.c 2010-10-20 16:30:22.000000000 -0400
25151 +++ linux-2.6.36.2/drivers/gpu/drm/drm_fops.c 2010-12-09 20:24:23.000000000 -0500
25152 @@ -71,7 +71,7 @@ static int drm_setup(struct drm_device *
25155 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
25156 - atomic_set(&dev->counts[i], 0);
25157 + atomic_set_unchecked(&dev->counts[i], 0);
25159 dev->sigdata.lock = NULL;
25161 @@ -135,8 +135,8 @@ int drm_open(struct inode *inode, struct
25163 retcode = drm_open_helper(inode, filp, dev);
25165 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
25166 - if (!dev->open_count++)
25167 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
25168 + if (atomic_inc_return(&dev->open_count) == 1)
25169 retcode = drm_setup(dev);
25172 @@ -471,7 +471,7 @@ int drm_release(struct inode *inode, str
25174 mutex_lock(&drm_global_mutex);
25176 - DRM_DEBUG("open_count = %d\n", dev->open_count);
25177 + DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
25179 if (dev->driver->preclose)
25180 dev->driver->preclose(dev, file_priv);
25181 @@ -483,7 +483,7 @@ int drm_release(struct inode *inode, str
25182 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
25183 task_pid_nr(current),
25184 (long)old_encode_dev(file_priv->minor->device),
25185 - dev->open_count);
25186 + atomic_read(&dev->open_count));
25188 /* if the master has gone away we can't do anything with the lock */
25189 if (file_priv->minor->master)
25190 @@ -564,8 +564,8 @@ int drm_release(struct inode *inode, str
25191 * End inline drm_release
25194 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
25195 - if (!--dev->open_count) {
25196 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
25197 + if (atomic_dec_and_test(&dev->open_count)) {
25198 if (atomic_read(&dev->ioctl_count)) {
25199 DRM_ERROR("Device busy: %d\n",
25200 atomic_read(&dev->ioctl_count));
25201 diff -urNp linux-2.6.36.2/drivers/gpu/drm/drm_global.c linux-2.6.36.2/drivers/gpu/drm/drm_global.c
25202 --- linux-2.6.36.2/drivers/gpu/drm/drm_global.c 2010-10-20 16:30:22.000000000 -0400
25203 +++ linux-2.6.36.2/drivers/gpu/drm/drm_global.c 2010-12-09 20:24:23.000000000 -0500
25205 struct drm_global_item {
25206 struct mutex mutex;
25209 + atomic_t refcount;
25212 static struct drm_global_item glob[DRM_GLOBAL_NUM];
25213 @@ -49,7 +49,7 @@ void drm_global_init(void)
25214 struct drm_global_item *item = &glob[i];
25215 mutex_init(&item->mutex);
25216 item->object = NULL;
25217 - item->refcount = 0;
25218 + atomic_set(&item->refcount, 0);
25222 @@ -59,7 +59,7 @@ void drm_global_release(void)
25223 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
25224 struct drm_global_item *item = &glob[i];
25225 BUG_ON(item->object != NULL);
25226 - BUG_ON(item->refcount != 0);
25227 + BUG_ON(atomic_read(&item->refcount) != 0);
25231 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
25234 mutex_lock(&item->mutex);
25235 - if (item->refcount == 0) {
25236 + if (atomic_read(&item->refcount) == 0) {
25237 item->object = kzalloc(ref->size, GFP_KERNEL);
25238 if (unlikely(item->object == NULL)) {
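Review bot: The `atomic_read(&item->refcount) == 0` test here and the `atomic_inc(&item->refcount)` in the next hunk are two separate operations. The first-reference decision in drm_global_item_ref is therefore only correct because both run between the visible `mutex_lock(&item->mutex)` and `mutex_unlock(&item->mutex)`. Switching the field to atomic_t can read as if the mutex were no longer needed, so a comment on the field would help, e.g. `/* always modified under mutex; atomic_t is not what serialises ref/unref */`. The function body runs past both hunks, so paths not shown here are not covered by this remark.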
25240 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
25244 - ++item->refcount;
25245 + atomic_inc(&item->refcount);
25246 ref->object = item->object;
25247 object = item->object;
25248 mutex_unlock(&item->mutex);
25249 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
25250 struct drm_global_item *item = &glob[ref->global_type];
25252 mutex_lock(&item->mutex);
25253 - BUG_ON(item->refcount == 0);
25254 + BUG_ON(atomic_read(&item->refcount) == 0);
25255 BUG_ON(ref->object != item->object);
25256 - if (--item->refcount == 0) {
25257 + if (atomic_dec_and_test(&item->refcount)) {
25259 item->object = NULL;
25261 diff -urNp linux-2.6.36.2/drivers/gpu/drm/drm_info.c linux-2.6.36.2/drivers/gpu/drm/drm_info.c
25262 --- linux-2.6.36.2/drivers/gpu/drm/drm_info.c 2010-10-20 16:30:22.000000000 -0400
25263 +++ linux-2.6.36.2/drivers/gpu/drm/drm_info.c 2010-12-09 20:24:23.000000000 -0500
25264 @@ -86,10 +86,14 @@ int drm_vm_info(struct seq_file *m, void
25265 struct drm_local_map *map;
25266 struct drm_map_list *r_list;
25268 - /* Hardcoded from _DRM_FRAME_BUFFER,
25269 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
25270 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
25271 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
25272 + static const char * const types[] = {
25273 + [_DRM_FRAME_BUFFER] = "FB",
25274 + [_DRM_REGISTERS] = "REG",
25275 + [_DRM_SHM] = "SHM",
25276 + [_DRM_AGP] = "AGP",
25277 + [_DRM_SCATTER_GATHER] = "SG",
25278 + [_DRM_CONSISTENT] = "PCI",
25279 + [_DRM_GEM] = "GEM" };
25283 @@ -100,7 +104,7 @@ int drm_vm_info(struct seq_file *m, void
25287 - if (map->type < 0 || map->type > 5)
25288 + if (map->type >= ARRAY_SIZE(types))
25291 type = types[map->type];
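Review bot: After the new `map->type >= ARRAY_SIZE(types)` check, `types[map->type]` can still be NULL for any index that has no designator in the table from the previous hunk, because unnamed slots of a designated-initializer array are zero-filled. The seven designators shown may well be contiguous today, but the table no longer guarantees it. Extending the guard keeps the fallback path in charge: `if (map->type >= ARRAY_SIZE(types) || !types[map->type])`. drm_vm_info's body continues outside the hunk, so how `type` is consumed afterwards is not visible here.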
25292 diff -urNp linux-2.6.36.2/drivers/gpu/drm/drm_ioctl.c linux-2.6.36.2/drivers/gpu/drm/drm_ioctl.c
25293 --- linux-2.6.36.2/drivers/gpu/drm/drm_ioctl.c 2010-10-20 16:30:22.000000000 -0400
25294 +++ linux-2.6.36.2/drivers/gpu/drm/drm_ioctl.c 2010-12-09 20:24:23.000000000 -0500
25295 @@ -353,7 +353,7 @@ int drm_getstats(struct drm_device *dev,
25296 stats->data[i].value =
25297 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
25299 - stats->data[i].value = atomic_read(&dev->counts[i]);
25300 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
25301 stats->data[i].type = dev->types[i];
25304 diff -urNp linux-2.6.36.2/drivers/gpu/drm/drm_lock.c linux-2.6.36.2/drivers/gpu/drm/drm_lock.c
25305 --- linux-2.6.36.2/drivers/gpu/drm/drm_lock.c 2010-10-20 16:30:22.000000000 -0400
25306 +++ linux-2.6.36.2/drivers/gpu/drm/drm_lock.c 2010-12-09 20:24:23.000000000 -0500
25307 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
25308 if (drm_lock_take(&master->lock, lock->context)) {
25309 master->lock.file_priv = file_priv;
25310 master->lock.lock_time = jiffies;
25311 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
25312 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
25313 break; /* Got lock */
25316 @@ -167,7 +167,7 @@ int drm_unlock(struct drm_device *dev, v
25320 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
25321 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
25323 /* kernel_context_switch isn't used by any of the x86 drm
25324 * modules but is required by the Sparc driver.
25325 diff -urNp linux-2.6.36.2/drivers/gpu/drm/i810/i810_dma.c linux-2.6.36.2/drivers/gpu/drm/i810/i810_dma.c
25326 --- linux-2.6.36.2/drivers/gpu/drm/i810/i810_dma.c 2010-10-20 16:30:22.000000000 -0400
25327 +++ linux-2.6.36.2/drivers/gpu/drm/i810/i810_dma.c 2010-12-09 20:24:23.000000000 -0500
25328 @@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
25329 dma->buflist[vertex->idx],
25330 vertex->discard, vertex->used);
25332 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
25333 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
25334 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
25335 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
25336 sarea_priv->last_enqueue = dev_priv->counter - 1;
25337 sarea_priv->last_dispatch = (int)hw_status[5];
25339 @@ -1113,8 +1113,8 @@ static int i810_dma_mc(struct drm_device
25340 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
25343 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
25344 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
25345 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
25346 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
25347 sarea_priv->last_enqueue = dev_priv->counter - 1;
25348 sarea_priv->last_dispatch = (int)hw_status[5];
25350 diff -urNp linux-2.6.36.2/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.36.2/drivers/gpu/drm/i915/dvo_ch7017.c
25351 --- linux-2.6.36.2/drivers/gpu/drm/i915/dvo_ch7017.c 2010-10-20 16:30:22.000000000 -0400
25352 +++ linux-2.6.36.2/drivers/gpu/drm/i915/dvo_ch7017.c 2010-12-09 20:24:24.000000000 -0500
25353 @@ -402,7 +402,7 @@ static void ch7017_destroy(struct intel_
25357 -struct intel_dvo_dev_ops ch7017_ops = {
25358 +const struct intel_dvo_dev_ops ch7017_ops = {
25359 .init = ch7017_init,
25360 .detect = ch7017_detect,
25361 .mode_valid = ch7017_mode_valid,
25362 diff -urNp linux-2.6.36.2/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.36.2/drivers/gpu/drm/i915/dvo_ch7xxx.c
25363 --- linux-2.6.36.2/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-10-20 16:30:22.000000000 -0400
25364 +++ linux-2.6.36.2/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-12-09 20:24:23.000000000 -0500
25365 @@ -322,7 +322,7 @@ static void ch7xxx_destroy(struct intel_
25369 -struct intel_dvo_dev_ops ch7xxx_ops = {
25370 +const struct intel_dvo_dev_ops ch7xxx_ops = {
25371 .init = ch7xxx_init,
25372 .detect = ch7xxx_detect,
25373 .mode_valid = ch7xxx_mode_valid,
25374 diff -urNp linux-2.6.36.2/drivers/gpu/drm/i915/dvo.h linux-2.6.36.2/drivers/gpu/drm/i915/dvo.h
25375 --- linux-2.6.36.2/drivers/gpu/drm/i915/dvo.h 2010-10-20 16:30:22.000000000 -0400
25376 +++ linux-2.6.36.2/drivers/gpu/drm/i915/dvo.h 2010-12-09 20:24:24.000000000 -0500
25377 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
25379 * \return singly-linked list of modes or NULL if no modes found.
25381 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
25382 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
25385 * Clean up driver-specific bits of the output
25387 - void (*destroy) (struct intel_dvo_device *dvo);
25388 + void (* const destroy) (struct intel_dvo_device *dvo);
25391 * Debugging hook to dump device registers to log file
25393 - void (*dump_regs)(struct intel_dvo_device *dvo);
25394 + void (* const dump_regs)(struct intel_dvo_device *dvo);
25397 -extern struct intel_dvo_dev_ops sil164_ops;
25398 -extern struct intel_dvo_dev_ops ch7xxx_ops;
25399 -extern struct intel_dvo_dev_ops ivch_ops;
25400 -extern struct intel_dvo_dev_ops tfp410_ops;
25401 -extern struct intel_dvo_dev_ops ch7017_ops;
25402 +extern const struct intel_dvo_dev_ops sil164_ops;
25403 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
25404 +extern const struct intel_dvo_dev_ops ivch_ops;
25405 +extern const struct intel_dvo_dev_ops tfp410_ops;
25406 +extern const struct intel_dvo_dev_ops ch7017_ops;
25408 #endif /* _INTEL_DVO_H */
25409 diff -urNp linux-2.6.36.2/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.36.2/drivers/gpu/drm/i915/dvo_ivch.c
25410 --- linux-2.6.36.2/drivers/gpu/drm/i915/dvo_ivch.c 2010-10-20 16:30:22.000000000 -0400
25411 +++ linux-2.6.36.2/drivers/gpu/drm/i915/dvo_ivch.c 2010-12-09 20:24:23.000000000 -0500
25412 @@ -412,7 +412,7 @@ static void ivch_destroy(struct intel_dv
25416 -struct intel_dvo_dev_ops ivch_ops= {
25417 +const struct intel_dvo_dev_ops ivch_ops= {
25420 .mode_valid = ivch_mode_valid,
25421 diff -urNp linux-2.6.36.2/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.36.2/drivers/gpu/drm/i915/dvo_sil164.c
25422 --- linux-2.6.36.2/drivers/gpu/drm/i915/dvo_sil164.c 2010-10-20 16:30:22.000000000 -0400
25423 +++ linux-2.6.36.2/drivers/gpu/drm/i915/dvo_sil164.c 2010-12-09 20:24:23.000000000 -0500
25424 @@ -254,7 +254,7 @@ static void sil164_destroy(struct intel_
25428 -struct intel_dvo_dev_ops sil164_ops = {
25429 +const struct intel_dvo_dev_ops sil164_ops = {
25430 .init = sil164_init,
25431 .detect = sil164_detect,
25432 .mode_valid = sil164_mode_valid,
25433 diff -urNp linux-2.6.36.2/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.36.2/drivers/gpu/drm/i915/dvo_tfp410.c
25434 --- linux-2.6.36.2/drivers/gpu/drm/i915/dvo_tfp410.c 2010-10-20 16:30:22.000000000 -0400
25435 +++ linux-2.6.36.2/drivers/gpu/drm/i915/dvo_tfp410.c 2010-12-09 20:24:24.000000000 -0500
25436 @@ -295,7 +295,7 @@ static void tfp410_destroy(struct intel_
25440 -struct intel_dvo_dev_ops tfp410_ops = {
25441 +const struct intel_dvo_dev_ops tfp410_ops = {
25442 .init = tfp410_init,
25443 .detect = tfp410_detect,
25444 .mode_valid = tfp410_mode_valid,
25445 diff -urNp linux-2.6.36.2/drivers/gpu/drm/i915/i915_dma.c linux-2.6.36.2/drivers/gpu/drm/i915/i915_dma.c
25446 --- linux-2.6.36.2/drivers/gpu/drm/i915/i915_dma.c 2010-12-09 20:53:46.000000000 -0500
25447 +++ linux-2.6.36.2/drivers/gpu/drm/i915/i915_dma.c 2010-12-09 20:54:34.000000000 -0500
25448 @@ -1357,7 +1357,7 @@ static bool i915_switcheroo_can_switch(s
25451 spin_lock(&dev->count_lock);
25452 - can_switch = (dev->open_count == 0);
25453 + can_switch = (atomic_read(&dev->open_count) == 0);
25454 spin_unlock(&dev->count_lock);
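Review bot: Taking `dev->count_lock` around a single `atomic_read(&dev->open_count)` no longer protects the read itself. The drm_fops.c hunks of this patch update open_count with `atomic_inc_return` and `atomic_dec_and_test`, and that spinlock is not visible there. If nothing else in this function relies on the lock, the statement can stand alone as `can_switch = (atomic_read(&dev->open_count) == 0);`. Either way the result is only a snapshot, and a comment should say so. The same pattern appears in the nouveau_state.c and radeon_device.c hunks; the function body starts and ends outside the hunk.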
25457 diff -urNp linux-2.6.36.2/drivers/gpu/drm/i915/i915_drv.c linux-2.6.36.2/drivers/gpu/drm/i915/i915_drv.c
25458 --- linux-2.6.36.2/drivers/gpu/drm/i915/i915_drv.c 2010-10-20 16:30:22.000000000 -0400
25459 +++ linux-2.6.36.2/drivers/gpu/drm/i915/i915_drv.c 2010-12-09 20:24:23.000000000 -0500
25460 @@ -492,7 +492,7 @@ static const struct dev_pm_ops i915_pm_o
25461 .restore = i915_pm_resume,
25464 -static struct vm_operations_struct i915_gem_vm_ops = {
25465 +static const struct vm_operations_struct i915_gem_vm_ops = {
25466 .fault = i915_gem_fault,
25467 .open = drm_gem_vm_open,
25468 .close = drm_gem_vm_close,
25469 diff -urNp linux-2.6.36.2/drivers/gpu/drm/i915/i915_gem.c linux-2.6.36.2/drivers/gpu/drm/i915/i915_gem.c
25470 --- linux-2.6.36.2/drivers/gpu/drm/i915/i915_gem.c 2010-10-20 16:30:22.000000000 -0400
25471 +++ linux-2.6.36.2/drivers/gpu/drm/i915/i915_gem.c 2010-12-09 20:24:24.000000000 -0500
25472 @@ -476,12 +476,17 @@ i915_gem_pread_ioctl(struct drm_device *
25475 if (!access_ok(VERIFY_WRITE,
25476 - (char __user *)(uintptr_t)args->data_ptr,
25477 + (char __user *) (uintptr_t)args->data_ptr,
25483 + if (!access_ok(VERIFY_WRITE, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
25484 + drm_gem_object_unreference_unlocked(obj);
25488 if (i915_gem_object_needs_bit17_swizzle(obj)) {
25489 ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv);
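Review bot: The added `access_ok(VERIFY_WRITE, (char __user *) (uintptr_t)args->data_ptr, args->size)` block repeats, with the same arguments, the check that opens this hunk, so as shown it can never fail where the first one passed. It also brings its own cleanup, `drm_gem_object_unreference_unlocked(obj);`, which may differ from how the first check leaves the function; the lines between the two checks are not visible here. Keeping a single check with a single exit path would be easier to audit. If the duplicate is intentional, it should be explained in a comment such as `/* re-check after object lookup: <reason> */`. The pwrite hunk that follows has the same duplicate with VERIFY_READ.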
25491 @@ -940,12 +945,17 @@ i915_gem_pwrite_ioctl(struct drm_device
25494 if (!access_ok(VERIFY_READ,
25495 - (char __user *)(uintptr_t)args->data_ptr,
25496 + (char __user *) (uintptr_t)args->data_ptr,
25502 + if (!access_ok(VERIFY_READ, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
25503 + drm_gem_object_unreference_unlocked(obj);
25507 /* We can only do the GTT pwrite on untiled buffers, as otherwise
25508 * it would end up going through the fenced access, and we'll get
25509 * different detiling behavior between reading and writing.
25510 diff -urNp linux-2.6.36.2/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.36.2/drivers/gpu/drm/nouveau/nouveau_backlight.c
25511 --- linux-2.6.36.2/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-10-20 16:30:22.000000000 -0400
25512 +++ linux-2.6.36.2/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-12-09 20:24:23.000000000 -0500
25513 @@ -58,7 +58,7 @@ static int nv40_set_intensity(struct bac
25517 -static struct backlight_ops nv40_bl_ops = {
25518 +static const struct backlight_ops nv40_bl_ops = {
25519 .options = BL_CORE_SUSPENDRESUME,
25520 .get_brightness = nv40_get_intensity,
25521 .update_status = nv40_set_intensity,
25522 @@ -81,7 +81,7 @@ static int nv50_set_intensity(struct bac
25526 -static struct backlight_ops nv50_bl_ops = {
25527 +static const struct backlight_ops nv50_bl_ops = {
25528 .options = BL_CORE_SUSPENDRESUME,
25529 .get_brightness = nv50_get_intensity,
25530 .update_status = nv50_set_intensity,
25531 diff -urNp linux-2.6.36.2/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.36.2/drivers/gpu/drm/nouveau/nouveau_state.c
25532 --- linux-2.6.36.2/drivers/gpu/drm/nouveau/nouveau_state.c 2010-10-20 16:30:22.000000000 -0400
25533 +++ linux-2.6.36.2/drivers/gpu/drm/nouveau/nouveau_state.c 2010-12-09 20:24:23.000000000 -0500
25534 @@ -501,7 +501,7 @@ static bool nouveau_switcheroo_can_switc
25537 spin_lock(&dev->count_lock);
25538 - can_switch = (dev->open_count == 0);
25539 + can_switch = (atomic_read(&dev->open_count) == 0);
25540 spin_unlock(&dev->count_lock);
25543 diff -urNp linux-2.6.36.2/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.36.2/drivers/gpu/drm/radeon/mkregtable.c
25544 --- linux-2.6.36.2/drivers/gpu/drm/radeon/mkregtable.c 2010-10-20 16:30:22.000000000 -0400
25545 +++ linux-2.6.36.2/drivers/gpu/drm/radeon/mkregtable.c 2010-12-09 20:24:23.000000000 -0500
25546 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
25548 regmatch_t match[4];
25556 struct offset *offset;
25557 char last_reg_s[10];
25559 + unsigned long last_reg;
25562 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
25563 diff -urNp linux-2.6.36.2/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.36.2/drivers/gpu/drm/radeon/radeon_device.c
25564 --- linux-2.6.36.2/drivers/gpu/drm/radeon/radeon_device.c 2010-10-20 16:30:22.000000000 -0400
25565 +++ linux-2.6.36.2/drivers/gpu/drm/radeon/radeon_device.c 2010-12-09 20:24:23.000000000 -0500
25566 @@ -578,7 +578,7 @@ static bool radeon_switcheroo_can_switch
25569 spin_lock(&dev->count_lock);
25570 - can_switch = (dev->open_count == 0);
25571 + can_switch = (atomic_read(&dev->open_count) == 0);
25572 spin_unlock(&dev->count_lock);
25575 diff -urNp linux-2.6.36.2/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.36.2/drivers/gpu/drm/radeon/radeon_state.c
25576 --- linux-2.6.36.2/drivers/gpu/drm/radeon/radeon_state.c 2010-10-20 16:30:22.000000000 -0400
25577 +++ linux-2.6.36.2/drivers/gpu/drm/radeon/radeon_state.c 2010-12-09 20:24:23.000000000 -0500
25578 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
25579 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
25580 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
25582 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
25583 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
25584 sarea_priv->nbox * sizeof(depth_boxes[0])))
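Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS ||` re-check still leaves the length expression on the next line reading `sarea_priv->nbox` a third time. If `sarea_priv` points into memory that user space can also write (the name suggests the shared SAREA, but the hunk does not show it), the value can change between the clamp, the re-check and the copy. The copy into `depth_boxes`, presumably sized for RADEON_NR_SAREA_CLIPRECTS entries, is then not reliably bounded. Reading the field once into a local, clamping the local and using only the local for the copy closes that window; `nbox` below is a new local of the field's type, declared with the function's other locals. Later uses of `sarea_priv->nbox` in radeon_cp_clear are outside the hunk and would need the same treatment.

```c
	/* read the shared counter once; it may change under us */
	nbox = ACCESS_ONCE(sarea_priv->nbox);
	if (nbox > RADEON_NR_SAREA_CLIPRECTS)
		nbox = RADEON_NR_SAREA_CLIPRECTS;
	sarea_priv->nbox = nbox;

	if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
			       nbox * sizeof(depth_boxes[0])))
	/* … unchanged: error return and the rest of radeon_cp_clear … */
```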
25587 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
25589 drm_radeon_private_t *dev_priv = dev->dev_private;
25590 drm_radeon_getparam_t *param = data;
25594 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
25596 diff -urNp linux-2.6.36.2/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.36.2/drivers/gpu/drm/radeon/radeon_ttm.c
25597 --- linux-2.6.36.2/drivers/gpu/drm/radeon/radeon_ttm.c 2010-10-20 16:30:22.000000000 -0400
25598 +++ linux-2.6.36.2/drivers/gpu/drm/radeon/radeon_ttm.c 2010-12-09 20:24:23.000000000 -0500
25599 @@ -601,8 +601,9 @@ void radeon_ttm_fini(struct radeon_devic
25600 DRM_INFO("radeon: ttm finalized\n");
25603 -static struct vm_operations_struct radeon_ttm_vm_ops;
25604 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
25605 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
25606 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
25607 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
25609 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
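Review bot: The three `extern` prototypes for `ttm_bo_vm_fault`, `ttm_bo_vm_open` and `ttm_bo_vm_close` are declared locally in this .c file, so the compiler never checks them against the definitions that the ttm_bo_vm.c hunks make non-static. A later signature change there would still compile here and only fail at run time. Now that the functions are exported, their declarations belong in the TTM header that both files include, and these three lines should be replaced by that include.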
25611 @@ -610,17 +611,22 @@ static int radeon_ttm_fault(struct vm_ar
25612 struct radeon_device *rdev;
25615 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
25616 - if (bo == NULL) {
25617 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
25619 return VM_FAULT_NOPAGE;
25621 rdev = radeon_get_rdev(bo->bdev);
25622 mutex_lock(&rdev->vram_mutex);
25623 - r = ttm_vm_ops->fault(vma, vmf);
25624 + r = ttm_bo_vm_fault(vma, vmf);
25625 mutex_unlock(&rdev->vram_mutex);
25629 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
25630 + .fault = radeon_ttm_fault,
25631 + .open = ttm_bo_vm_open,
25632 + .close = ttm_bo_vm_close
25635 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
25637 struct drm_file *file_priv;
25638 @@ -633,18 +639,11 @@ int radeon_mmap(struct file *filp, struc
25640 file_priv = (struct drm_file *)filp->private_data;
25641 rdev = file_priv->minor->dev->dev_private;
25642 - if (rdev == NULL) {
25646 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
25647 - if (unlikely(r != 0)) {
25651 - if (unlikely(ttm_vm_ops == NULL)) {
25652 - ttm_vm_ops = vma->vm_ops;
25653 - radeon_ttm_vm_ops = *ttm_vm_ops;
25654 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
25656 vma->vm_ops = &radeon_ttm_vm_ops;
25659 diff -urNp linux-2.6.36.2/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.36.2/drivers/gpu/drm/ttm/ttm_bo.c
25660 --- linux-2.6.36.2/drivers/gpu/drm/ttm/ttm_bo.c 2010-10-20 16:30:22.000000000 -0400
25661 +++ linux-2.6.36.2/drivers/gpu/drm/ttm/ttm_bo.c 2010-12-09 20:24:23.000000000 -0500
25663 #include <linux/module.h>
25665 #define TTM_ASSERT_LOCKED(param)
25666 -#define TTM_DEBUG(fmt, arg...)
25667 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
25668 #define TTM_BO_HASH_ORDER 13
25670 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
25671 diff -urNp linux-2.6.36.2/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.36.2/drivers/gpu/drm/ttm/ttm_bo_vm.c
25672 --- linux-2.6.36.2/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-10-20 16:30:22.000000000 -0400
25673 +++ linux-2.6.36.2/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-12-09 20:24:23.000000000 -0500
25674 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
25678 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
25679 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
25681 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
25682 vma->vm_private_data;
25683 - struct ttm_bo_device *bdev = bo->bdev;
25684 + struct ttm_bo_device *bdev;
25685 unsigned long page_offset;
25686 unsigned long page_last;
25688 @@ -84,6 +84,10 @@ static int ttm_bo_vm_fault(struct vm_are
25689 unsigned long address = (unsigned long)vmf->virtual_address;
25690 int retval = VM_FAULT_NOPAGE;
25693 + return VM_FAULT_NOPAGE;
25697 * Work around locking order reversal in fault / nopfn
25698 * between mmap_sem and bo_reserve: Perform a trylock operation
25699 @@ -212,22 +216,25 @@ out_unlock:
25700 ttm_bo_unreserve(bo);
25703 +EXPORT_SYMBOL(ttm_bo_vm_fault);
25705 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
25706 +void ttm_bo_vm_open(struct vm_area_struct *vma)
25708 struct ttm_buffer_object *bo =
25709 (struct ttm_buffer_object *)vma->vm_private_data;
25711 (void)ttm_bo_reference(bo);
25713 +EXPORT_SYMBOL(ttm_bo_vm_open);
25715 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
25716 +void ttm_bo_vm_close(struct vm_area_struct *vma)
25718 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
25721 vma->vm_private_data = NULL;
25723 +EXPORT_SYMBOL(ttm_bo_vm_close);
25725 static const struct vm_operations_struct ttm_bo_vm_ops = {
25726 .fault = ttm_bo_vm_fault,
25727 diff -urNp linux-2.6.36.2/drivers/hid/hidraw.c linux-2.6.36.2/drivers/hid/hidraw.c
25728 --- linux-2.6.36.2/drivers/hid/hidraw.c 2010-10-20 16:30:22.000000000 -0400
25729 +++ linux-2.6.36.2/drivers/hid/hidraw.c 2010-12-09 20:24:23.000000000 -0500
25730 @@ -250,7 +250,7 @@ static long hidraw_ioctl(struct file *fi
25732 mutex_lock(&minors_lock);
25733 dev = hidraw_table[minor];
25735 + if (dev == NULL) {
25739 diff -urNp linux-2.6.36.2/drivers/hid/usbhid/hiddev.c linux-2.6.36.2/drivers/hid/usbhid/hiddev.c
25740 --- linux-2.6.36.2/drivers/hid/usbhid/hiddev.c 2010-10-20 16:30:22.000000000 -0400
25741 +++ linux-2.6.36.2/drivers/hid/usbhid/hiddev.c 2010-12-09 20:24:23.000000000 -0500
25742 @@ -614,7 +614,7 @@ static long hiddev_ioctl(struct file *fi
25743 return put_user(HID_VERSION, (int __user *)arg);
25745 case HIDIOCAPPLICATION:
25746 - if (arg < 0 || arg >= hid->maxapplication)
25747 + if (arg >= hid->maxapplication)
25750 for (i = 0; i < hid->maxcollection; i++)
25751 diff -urNp linux-2.6.36.2/drivers/hwmon/k8temp.c linux-2.6.36.2/drivers/hwmon/k8temp.c
25752 --- linux-2.6.36.2/drivers/hwmon/k8temp.c 2010-10-20 16:30:22.000000000 -0400
25753 +++ linux-2.6.36.2/drivers/hwmon/k8temp.c 2010-12-09 20:24:16.000000000 -0500
25754 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
25756 static const struct pci_device_id k8temp_ids[] = {
25757 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
25759 + { 0, 0, 0, 0, 0, 0, 0 },
25762 MODULE_DEVICE_TABLE(pci, k8temp_ids);
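Review bot: The terminator `{ 0, 0, 0, 0, 0, 0, 0 }` hard-codes the member count of struct pci_device_id, so it silently stops being a complete initializer, or stops compiling, if that struct ever changes. A trailing comment such as `/* sentinel: end of table */` would make the intent explicit. An empty-brace or single-zero initializer expresses the same all-zero entry without counting fields, assuming the build's warning flags allow it. The same applies to the seven-zero terminators in sis5595.c, via686a.c, vt8231.c, i2c-i801.c, i2c-piix4.c, i2c-sis630.c and i2c-sis96x.c, and to the six-zero ones in dv1394.c and eth1394.c.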
25763 diff -urNp linux-2.6.36.2/drivers/hwmon/sis5595.c linux-2.6.36.2/drivers/hwmon/sis5595.c
25764 --- linux-2.6.36.2/drivers/hwmon/sis5595.c 2010-10-20 16:30:22.000000000 -0400
25765 +++ linux-2.6.36.2/drivers/hwmon/sis5595.c 2010-12-09 20:24:16.000000000 -0500
25766 @@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
25768 static const struct pci_device_id sis5595_pci_ids[] = {
25769 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25771 + { 0, 0, 0, 0, 0, 0, 0 }
25774 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
25775 diff -urNp linux-2.6.36.2/drivers/hwmon/via686a.c linux-2.6.36.2/drivers/hwmon/via686a.c
25776 --- linux-2.6.36.2/drivers/hwmon/via686a.c 2010-10-20 16:30:22.000000000 -0400
25777 +++ linux-2.6.36.2/drivers/hwmon/via686a.c 2010-12-09 20:24:16.000000000 -0500
25778 @@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
25780 static const struct pci_device_id via686a_pci_ids[] = {
25781 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
25783 + { 0, 0, 0, 0, 0, 0, 0 }
25786 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
25787 diff -urNp linux-2.6.36.2/drivers/hwmon/vt8231.c linux-2.6.36.2/drivers/hwmon/vt8231.c
25788 --- linux-2.6.36.2/drivers/hwmon/vt8231.c 2010-10-20 16:30:22.000000000 -0400
25789 +++ linux-2.6.36.2/drivers/hwmon/vt8231.c 2010-12-09 20:24:16.000000000 -0500
25790 @@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
25792 static const struct pci_device_id vt8231_pci_ids[] = {
25793 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
25795 + { 0, 0, 0, 0, 0, 0, 0 }
25798 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
25799 diff -urNp linux-2.6.36.2/drivers/hwmon/w83791d.c linux-2.6.36.2/drivers/hwmon/w83791d.c
25800 --- linux-2.6.36.2/drivers/hwmon/w83791d.c 2010-10-20 16:30:22.000000000 -0400
25801 +++ linux-2.6.36.2/drivers/hwmon/w83791d.c 2010-12-09 20:24:16.000000000 -0500
25802 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
25803 struct i2c_board_info *info);
25804 static int w83791d_remove(struct i2c_client *client);
25806 -static int w83791d_read(struct i2c_client *client, u8 register);
25807 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
25808 +static int w83791d_read(struct i2c_client *client, u8 reg);
25809 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
25810 static struct w83791d_data *w83791d_update_device(struct device *dev);
25813 diff -urNp linux-2.6.36.2/drivers/i2c/busses/i2c-i801.c linux-2.6.36.2/drivers/i2c/busses/i2c-i801.c
25814 --- linux-2.6.36.2/drivers/i2c/busses/i2c-i801.c 2010-10-20 16:30:22.000000000 -0400
25815 +++ linux-2.6.36.2/drivers/i2c/busses/i2c-i801.c 2010-12-09 20:24:21.000000000 -0500
25816 @@ -592,7 +592,7 @@ static const struct pci_device_id i801_i
25817 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
25818 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
25819 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CPT_SMBUS) },
25821 + { 0, 0, 0, 0, 0, 0, 0 }
25824 MODULE_DEVICE_TABLE(pci, i801_ids);
25825 diff -urNp linux-2.6.36.2/drivers/i2c/busses/i2c-piix4.c linux-2.6.36.2/drivers/i2c/busses/i2c-piix4.c
25826 --- linux-2.6.36.2/drivers/i2c/busses/i2c-piix4.c 2010-10-20 16:30:22.000000000 -0400
25827 +++ linux-2.6.36.2/drivers/i2c/busses/i2c-piix4.c 2010-12-09 20:24:21.000000000 -0500
25828 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
25830 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
25833 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25836 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
25837 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
25838 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
25839 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
25840 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
25842 + { 0, 0, 0, 0, 0, 0, 0 }
25845 MODULE_DEVICE_TABLE (pci, piix4_ids);
25846 diff -urNp linux-2.6.36.2/drivers/i2c/busses/i2c-sis630.c linux-2.6.36.2/drivers/i2c/busses/i2c-sis630.c
25847 --- linux-2.6.36.2/drivers/i2c/busses/i2c-sis630.c 2010-10-20 16:30:22.000000000 -0400
25848 +++ linux-2.6.36.2/drivers/i2c/busses/i2c-sis630.c 2010-12-09 20:24:21.000000000 -0500
25849 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
25850 static const struct pci_device_id sis630_ids[] __devinitconst = {
25851 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25852 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
25854 + { 0, 0, 0, 0, 0, 0, 0 }
25857 MODULE_DEVICE_TABLE (pci, sis630_ids);
25858 diff -urNp linux-2.6.36.2/drivers/i2c/busses/i2c-sis96x.c linux-2.6.36.2/drivers/i2c/busses/i2c-sis96x.c
25859 --- linux-2.6.36.2/drivers/i2c/busses/i2c-sis96x.c 2010-10-20 16:30:22.000000000 -0400
25860 +++ linux-2.6.36.2/drivers/i2c/busses/i2c-sis96x.c 2010-12-09 20:24:21.000000000 -0500
25861 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
25863 static const struct pci_device_id sis96x_ids[] = {
25864 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
25866 + { 0, 0, 0, 0, 0, 0, 0 }
25869 MODULE_DEVICE_TABLE (pci, sis96x_ids);
25870 diff -urNp linux-2.6.36.2/drivers/ide/ide-cd.c linux-2.6.36.2/drivers/ide/ide-cd.c
25871 --- linux-2.6.36.2/drivers/ide/ide-cd.c 2010-10-20 16:30:22.000000000 -0400
25872 +++ linux-2.6.36.2/drivers/ide/ide-cd.c 2010-12-09 20:24:21.000000000 -0500
25873 @@ -776,7 +776,7 @@ static void cdrom_do_block_pc(ide_drive_
25874 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
25875 if ((unsigned long)buf & alignment
25876 || blk_rq_bytes(rq) & q->dma_pad_mask
25877 - || object_is_on_stack(buf))
25878 + || object_starts_on_stack(buf))
25882 diff -urNp linux-2.6.36.2/drivers/ieee1394/dv1394.c linux-2.6.36.2/drivers/ieee1394/dv1394.c
25883 --- linux-2.6.36.2/drivers/ieee1394/dv1394.c 2010-10-20 16:30:22.000000000 -0400
25884 +++ linux-2.6.36.2/drivers/ieee1394/dv1394.c 2010-12-09 20:24:15.000000000 -0500
25885 @@ -738,7 +738,7 @@ static void frame_prepare(struct video_c
25886 based upon DIF section and sequence
25889 -static void inline
25890 +static inline void
25891 frame_put_packet (struct frame *f, struct packet *p)
25893 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
25894 @@ -2173,7 +2173,7 @@ static const struct ieee1394_device_id d
25895 .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
25896 .version = AVC_SW_VERSION_ENTRY & 0xffffff
25899 + { 0, 0, 0, 0, 0, 0 }
25902 MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
25903 diff -urNp linux-2.6.36.2/drivers/ieee1394/eth1394.c linux-2.6.36.2/drivers/ieee1394/eth1394.c
25904 --- linux-2.6.36.2/drivers/ieee1394/eth1394.c 2010-10-20 16:30:22.000000000 -0400
25905 +++ linux-2.6.36.2/drivers/ieee1394/eth1394.c 2010-12-09 20:24:15.000000000 -0500
25906 @@ -446,7 +446,7 @@ static const struct ieee1394_device_id e
25907 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
25908 .version = ETHER1394_GASP_VERSION,
25911 + { 0, 0, 0, 0, 0, 0 }
25914 MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
25915 diff -urNp linux-2.6.36.2/drivers/ieee1394/hosts.c linux-2.6.36.2/drivers/ieee1394/hosts.c
25916 --- linux-2.6.36.2/drivers/ieee1394/hosts.c 2010-10-20 16:30:22.000000000 -0400
25917 +++ linux-2.6.36.2/drivers/ieee1394/hosts.c 2010-12-09 20:24:16.000000000 -0500
25918 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
25921 static struct hpsb_host_driver dummy_driver = {
25923 .transmit_packet = dummy_transmit_packet,
25924 .devctl = dummy_devctl,
25925 .isoctl = dummy_isoctl
25926 diff -urNp linux-2.6.36.2/drivers/ieee1394/ohci1394.c linux-2.6.36.2/drivers/ieee1394/ohci1394.c
25927 --- linux-2.6.36.2/drivers/ieee1394/ohci1394.c 2010-10-20 16:30:22.000000000 -0400
25928 +++ linux-2.6.36.2/drivers/ieee1394/ohci1394.c 2010-12-09 20:24:15.000000000 -0500
25929 @@ -148,9 +148,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
25930 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
25932 /* Module Parameters */
25933 -static int phys_dma = 1;
25934 +static int phys_dma;
25935 module_param(phys_dma, int, 0444);
25936 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
25937 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
25939 static void dma_trm_tasklet(unsigned long data);
25940 static void dma_trm_reset(struct dma_trm_ctx *d);
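Review bot: The new default at `static int phys_dma;` has no comment saying why physical DMA is now off, and the zero is implicit, so a reader has to cross-check the `MODULE_PARM_DESC` text to learn the default. Physical DMA lets a device on the bus address host memory without the driver mediating each request, which is the reason to make it opt-in. I would record that above the declaration, e.g. `/* Off by default: physical DMA gives bus peers direct access to host memory. */`. The parameter stays `0444`, so it can only be chosen at load time, which is worth keeping.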
25941 @@ -3445,7 +3445,7 @@ static struct pci_device_id ohci1394_pci
25942 .subvendor = PCI_ANY_ID,
25943 .subdevice = PCI_ANY_ID,
25946 + { 0, 0, 0, 0, 0, 0, 0 },
25949 MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
25950 diff -urNp linux-2.6.36.2/drivers/ieee1394/raw1394.c linux-2.6.36.2/drivers/ieee1394/raw1394.c
25951 --- linux-2.6.36.2/drivers/ieee1394/raw1394.c 2010-10-20 16:30:22.000000000 -0400
25952 +++ linux-2.6.36.2/drivers/ieee1394/raw1394.c 2010-12-09 20:24:15.000000000 -0500
25953 @@ -3001,7 +3001,7 @@ static const struct ieee1394_device_id r
25954 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25955 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25956 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
25958 + { 0, 0, 0, 0, 0, 0 }
25961 MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
25962 diff -urNp linux-2.6.36.2/drivers/ieee1394/sbp2.c linux-2.6.36.2/drivers/ieee1394/sbp2.c
25963 --- linux-2.6.36.2/drivers/ieee1394/sbp2.c 2010-10-20 16:30:22.000000000 -0400
25964 +++ linux-2.6.36.2/drivers/ieee1394/sbp2.c 2010-12-09 20:24:15.000000000 -0500
25965 @@ -289,7 +289,7 @@ static const struct ieee1394_device_id s
25966 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25967 .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
25968 .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
25970 + { 0, 0, 0, 0, 0, 0 }
25972 MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
25974 @@ -2107,7 +2107,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
25975 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
25976 MODULE_LICENSE("GPL");
25978 -static int sbp2_module_init(void)
25979 +static int __init sbp2_module_init(void)
25983 diff -urNp linux-2.6.36.2/drivers/ieee1394/video1394.c linux-2.6.36.2/drivers/ieee1394/video1394.c
25984 --- linux-2.6.36.2/drivers/ieee1394/video1394.c 2010-10-20 16:30:22.000000000 -0400
25985 +++ linux-2.6.36.2/drivers/ieee1394/video1394.c 2010-12-09 20:24:15.000000000 -0500
25986 @@ -1307,7 +1307,7 @@ static const struct ieee1394_device_id v
25987 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25988 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
25991 + { 0, 0, 0, 0, 0, 0 }
25994 MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
25995 diff -urNp linux-2.6.36.2/drivers/infiniband/core/cm.c linux-2.6.36.2/drivers/infiniband/core/cm.c
25996 --- linux-2.6.36.2/drivers/infiniband/core/cm.c 2010-10-20 16:30:22.000000000 -0400
25997 +++ linux-2.6.36.2/drivers/infiniband/core/cm.c 2010-12-09 20:24:25.000000000 -0500
25998 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
26000 struct cm_counter_group {
26001 struct kobject obj;
26002 - atomic_long_t counter[CM_ATTR_COUNT];
26003 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
26006 struct cm_counter_attribute {
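Review bot: The switch of `counter[CM_ATTR_COUNT]` to `atomic_long_unchecked_t` carries no comment explaining why these atomics are allowed to wrap. At the call sites visible in this file's hunks they are only incremented, added to and printed by `cm_show_counter`, so they look like statistics rather than reference counts, which is presumably why they are exempted from overflow checking. A one-line comment on the field such as `/* statistics only, wraparound is harmless */` would keep a later change from reusing the unchecked type for a real reference count.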
26007 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
26008 struct ib_mad_send_buf *msg = NULL;
26011 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
26012 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
26013 counter[CM_REQ_COUNTER]);
26015 /* Quick state check to discard duplicate REQs. */
26016 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
26020 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
26021 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
26022 counter[CM_REP_COUNTER]);
26023 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
26025 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
26026 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
26027 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
26028 spin_unlock_irq(&cm_id_priv->lock);
26029 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
26030 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
26031 counter[CM_RTU_COUNTER]);
26034 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
26035 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
26036 dreq_msg->local_comm_id);
26038 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
26039 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
26040 counter[CM_DREQ_COUNTER]);
26041 cm_issue_drep(work->port, work->mad_recv_wc);
26043 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
26044 case IB_CM_MRA_REP_RCVD:
26046 case IB_CM_TIMEWAIT:
26047 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
26048 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
26049 counter[CM_DREQ_COUNTER]);
26050 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
26052 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
26055 case IB_CM_DREQ_RCVD:
26056 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
26057 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
26058 counter[CM_DREQ_COUNTER]);
26061 @@ -2504,7 +2504,7 @@ static int cm_mra_handler(struct cm_work
26062 ib_modify_mad(cm_id_priv->av.port->mad_agent,
26063 cm_id_priv->msg, timeout)) {
26064 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
26065 - atomic_long_inc(&work->port->
26066 + atomic_long_inc_unchecked(&work->port->
26067 counter_group[CM_RECV_DUPLICATES].
26068 counter[CM_MRA_COUNTER]);
26070 @@ -2513,7 +2513,7 @@ static int cm_mra_handler(struct cm_work
26072 case IB_CM_MRA_REQ_RCVD:
26073 case IB_CM_MRA_REP_RCVD:
26074 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
26075 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
26076 counter[CM_MRA_COUNTER]);
26079 @@ -2675,7 +2675,7 @@ static int cm_lap_handler(struct cm_work
26080 case IB_CM_LAP_IDLE:
26082 case IB_CM_MRA_LAP_SENT:
26083 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
26084 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
26085 counter[CM_LAP_COUNTER]);
26086 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
26088 @@ -2691,7 +2691,7 @@ static int cm_lap_handler(struct cm_work
26091 case IB_CM_LAP_RCVD:
26092 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
26093 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
26094 counter[CM_LAP_COUNTER]);
26097 @@ -2975,7 +2975,7 @@ static int cm_sidr_req_handler(struct cm
26098 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
26099 if (cur_cm_id_priv) {
26100 spin_unlock_irq(&cm.lock);
26101 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
26102 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
26103 counter[CM_SIDR_REQ_COUNTER]);
26104 goto out; /* Duplicate message. */
26106 @@ -3186,10 +3186,10 @@ static void cm_send_handler(struct ib_ma
26107 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
26110 - atomic_long_add(1 + msg->retries,
26111 + atomic_long_add_unchecked(1 + msg->retries,
26112 &port->counter_group[CM_XMIT].counter[attr_index]);
26114 - atomic_long_add(msg->retries,
26115 + atomic_long_add_unchecked(msg->retries,
26116 &port->counter_group[CM_XMIT_RETRIES].
26117 counter[attr_index]);
26119 @@ -3399,7 +3399,7 @@ static void cm_recv_handler(struct ib_ma
26122 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
26123 - atomic_long_inc(&port->counter_group[CM_RECV].
26124 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
26125 counter[attr_id - CM_ATTR_ID_OFFSET]);
26127 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
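Review bot: The index `attr_id - CM_ATTR_ID_OFFSET` in the converted `atomic_long_inc_unchecked()` call is derived from the received MAD header, and nothing inside this hunk bounds it against `CM_ATTR_COUNT`. `cm_recv_handler` begins outside the hunk, so a check on the attribute id may already run before this line; if it does, a comment such as `/* attr_id was validated above, so the index is within CM_ATTR_COUNT */` would make that dependency explicit. If it does not, the increment needs a range check in front of it, since the value comes off the wire.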
26128 @@ -3597,7 +3597,7 @@ static ssize_t cm_show_counter(struct ko
26129 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
26131 return sprintf(buf, "%ld\n",
26132 - atomic_long_read(&group->counter[cm_attr->index]));
26133 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
26136 static const struct sysfs_ops cm_counter_ops = {
26137 diff -urNp linux-2.6.36.2/drivers/infiniband/core/uverbs_marshall.c linux-2.6.36.2/drivers/infiniband/core/uverbs_marshall.c
26138 --- linux-2.6.36.2/drivers/infiniband/core/uverbs_marshall.c 2010-10-20 16:30:22.000000000 -0400
26139 +++ linux-2.6.36.2/drivers/infiniband/core/uverbs_marshall.c 2010-12-09 20:24:25.000000000 -0500
26140 @@ -40,18 +40,21 @@ void ib_copy_ah_attr_to_user(struct ib_u
26141 dst->grh.sgid_index = src->grh.sgid_index;
26142 dst->grh.hop_limit = src->grh.hop_limit;
26143 dst->grh.traffic_class = src->grh.traffic_class;
26144 + memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved));
26145 dst->dlid = src->dlid;
26147 dst->src_path_bits = src->src_path_bits;
26148 dst->static_rate = src->static_rate;
26149 dst->is_global = src->ah_flags & IB_AH_GRH ? 1 : 0;
26150 dst->port_num = src->port_num;
26151 + dst->reserved = 0;
26153 EXPORT_SYMBOL(ib_copy_ah_attr_to_user);
26155 void ib_copy_qp_attr_to_user(struct ib_uverbs_qp_attr *dst,
26156 struct ib_qp_attr *src)
26158 + dst->qp_state = src->qp_state;
26159 dst->cur_qp_state = src->cur_qp_state;
26160 dst->path_mtu = src->path_mtu;
26161 dst->path_mig_state = src->path_mig_state;
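Review bot: Clearing `dst->grh.reserved` and `dst->reserved` by name here, and `dst->reserved` in the following hunk of `ib_copy_qp_attr_to_user`, still leaves any compiler padding and any member added later uninitialised when these structures are handed to user space. A single `memset(dst, 0, sizeof(*dst));` as the first statement of each function covers the whole object and removes the need to track reserved members one at a time. Whether either structure actually contains padding cannot be seen from here, and `ib_copy_ah_attr_to_user` starts outside the hunk.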
26162 @@ -83,6 +86,7 @@ void ib_copy_qp_attr_to_user(struct ib_u
26163 dst->rnr_retry = src->rnr_retry;
26164 dst->alt_port_num = src->alt_port_num;
26165 dst->alt_timeout = src->alt_timeout;
26166 + memset(dst->reserved, 0, sizeof(dst->reserved));
26168 EXPORT_SYMBOL(ib_copy_qp_attr_to_user);
26170 diff -urNp linux-2.6.36.2/drivers/infiniband/hw/qib/qib.h linux-2.6.36.2/drivers/infiniband/hw/qib/qib.h
26171 --- linux-2.6.36.2/drivers/infiniband/hw/qib/qib.h 2010-10-20 16:30:22.000000000 -0400
26172 +++ linux-2.6.36.2/drivers/infiniband/hw/qib/qib.h 2010-12-09 20:24:25.000000000 -0500
26174 #include <linux/completion.h>
26175 #include <linux/kref.h>
26176 #include <linux/sched.h>
26177 +#include <linux/slab.h>
26179 #include "qib_common.h"
26180 #include "qib_verbs.h"
26181 diff -urNp linux-2.6.36.2/drivers/input/keyboard/atkbd.c linux-2.6.36.2/drivers/input/keyboard/atkbd.c
26182 --- linux-2.6.36.2/drivers/input/keyboard/atkbd.c 2010-10-20 16:30:22.000000000 -0400
26183 +++ linux-2.6.36.2/drivers/input/keyboard/atkbd.c 2010-12-09 20:24:31.000000000 -0500
26184 @@ -1240,7 +1240,7 @@ static struct serio_device_id atkbd_seri
26186 .extra = SERIO_ANY,
26192 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
26193 diff -urNp linux-2.6.36.2/drivers/input/mouse/lifebook.c linux-2.6.36.2/drivers/input/mouse/lifebook.c
26194 --- linux-2.6.36.2/drivers/input/mouse/lifebook.c 2010-10-20 16:30:22.000000000 -0400
26195 +++ linux-2.6.36.2/drivers/input/mouse/lifebook.c 2010-12-09 20:24:31.000000000 -0500
26196 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
26197 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
26201 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
26204 void __init lifebook_module_init(void)
26205 diff -urNp linux-2.6.36.2/drivers/input/mouse/psmouse-base.c linux-2.6.36.2/drivers/input/mouse/psmouse-base.c
26206 --- linux-2.6.36.2/drivers/input/mouse/psmouse-base.c 2010-10-20 16:30:22.000000000 -0400
26207 +++ linux-2.6.36.2/drivers/input/mouse/psmouse-base.c 2010-12-09 20:24:31.000000000 -0500
26208 @@ -1462,7 +1462,7 @@ static struct serio_device_id psmouse_se
26210 .extra = SERIO_ANY,
26216 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
26217 diff -urNp linux-2.6.36.2/drivers/input/mouse/synaptics.c linux-2.6.36.2/drivers/input/mouse/synaptics.c
26218 --- linux-2.6.36.2/drivers/input/mouse/synaptics.c 2010-10-20 16:30:22.000000000 -0400
26219 +++ linux-2.6.36.2/drivers/input/mouse/synaptics.c 2010-12-09 20:24:31.000000000 -0500
26220 @@ -476,7 +476,7 @@ static void synaptics_process_packet(str
26223 if (SYN_MODEL_PEN(priv->model_id))
26224 - ; /* Nothing, treat a pen as a single finger */
26225 + break; /* Nothing, treat a pen as a single finger */
26228 if (SYN_CAP_PALMDETECT(priv->capabilities))
26229 @@ -705,7 +705,6 @@ static const struct dmi_system_id __init
26230 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
26231 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
26236 /* Toshiba Portege M300 */
26237 @@ -714,9 +713,8 @@ static const struct dmi_system_id __init
26238 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
26239 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
26244 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26248 diff -urNp linux-2.6.36.2/drivers/input/mousedev.c linux-2.6.36.2/drivers/input/mousedev.c
26249 --- linux-2.6.36.2/drivers/input/mousedev.c 2010-10-20 16:30:22.000000000 -0400
26250 +++ linux-2.6.36.2/drivers/input/mousedev.c 2010-12-09 20:24:31.000000000 -0500
26251 @@ -762,7 +762,7 @@ static ssize_t mousedev_read(struct file
26253 spin_unlock_irq(&client->packet_lock);
26255 - if (copy_to_user(buffer, data, count))
26256 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
26260 @@ -1064,7 +1064,7 @@ static struct input_handler mousedev_han
26262 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
26263 static struct miscdevice psaux_mouse = {
26264 - PSMOUSE_MINOR, "psaux", &mousedev_fops
26265 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
26267 static int psaux_registered;
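Review bot: The positional initializer `PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL` depends on the exact member order and count of `struct miscdevice`, so a layout change elsewhere would silently assign these values to the wrong members. Designated initializers keep the intent and zero everything else: `.minor = PSMOUSE_MINOR, .name = "psaux", .fops = &mousedev_fops,`.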
26269 diff -urNp linux-2.6.36.2/drivers/input/serio/i8042-x86ia64io.h linux-2.6.36.2/drivers/input/serio/i8042-x86ia64io.h
26270 --- linux-2.6.36.2/drivers/input/serio/i8042-x86ia64io.h 2010-12-09 20:53:46.000000000 -0500
26271 +++ linux-2.6.36.2/drivers/input/serio/i8042-x86ia64io.h 2010-12-09 20:54:34.000000000 -0500
26272 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
26273 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
26277 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26281 @@ -420,7 +420,7 @@ static const struct dmi_system_id __init
26282 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
26286 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26289 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
26290 @@ -494,7 +494,7 @@ static const struct dmi_system_id __init
26291 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
26295 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26299 @@ -513,7 +513,7 @@ static const struct dmi_system_id __init
26300 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
26304 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26307 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
26308 @@ -537,7 +537,7 @@ static const struct dmi_system_id __init
26309 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
26313 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26317 @@ -611,7 +611,7 @@ static const struct dmi_system_id __init
26318 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
26322 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26325 #endif /* CONFIG_X86 */
26326 diff -urNp linux-2.6.36.2/drivers/input/serio/serio_raw.c linux-2.6.36.2/drivers/input/serio/serio_raw.c
26327 --- linux-2.6.36.2/drivers/input/serio/serio_raw.c 2010-10-20 16:30:22.000000000 -0400
26328 +++ linux-2.6.36.2/drivers/input/serio/serio_raw.c 2010-12-09 20:24:31.000000000 -0500
26329 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
26331 .extra = SERIO_ANY,
26337 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
26338 diff -urNp linux-2.6.36.2/drivers/isdn/gigaset/common.c linux-2.6.36.2/drivers/isdn/gigaset/common.c
26339 --- linux-2.6.36.2/drivers/isdn/gigaset/common.c 2010-10-20 16:30:22.000000000 -0400
26340 +++ linux-2.6.36.2/drivers/isdn/gigaset/common.c 2010-12-09 20:24:18.000000000 -0500
26341 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
26342 cs->commands_pending = 0;
26343 cs->cur_at_seq = 0;
26345 - cs->open_count = 0;
26346 + atomic_set(&cs->open_count, 0);
26349 cs->tty_dev = NULL;
26350 diff -urNp linux-2.6.36.2/drivers/isdn/gigaset/gigaset.h linux-2.6.36.2/drivers/isdn/gigaset/gigaset.h
26351 --- linux-2.6.36.2/drivers/isdn/gigaset/gigaset.h 2010-10-20 16:30:22.000000000 -0400
26352 +++ linux-2.6.36.2/drivers/isdn/gigaset/gigaset.h 2010-12-09 20:24:18.000000000 -0500
26353 @@ -434,7 +434,7 @@ struct cardstate {
26354 spinlock_t cmdlock;
26355 unsigned curlen, cmdbytes;
26357 - unsigned open_count;
26358 + atomic_t open_count;
26359 struct tty_struct *tty;
26360 struct tasklet_struct if_wake_tasklet;
26361 unsigned control_state;
26362 diff -urNp linux-2.6.36.2/drivers/isdn/gigaset/interface.c linux-2.6.36.2/drivers/isdn/gigaset/interface.c
26363 --- linux-2.6.36.2/drivers/isdn/gigaset/interface.c 2010-10-20 16:30:22.000000000 -0400
26364 +++ linux-2.6.36.2/drivers/isdn/gigaset/interface.c 2010-12-09 20:24:18.000000000 -0500
26365 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
26366 return -ERESTARTSYS;
26367 tty->driver_data = cs;
26369 - ++cs->open_count;
26371 - if (cs->open_count == 1) {
26372 + if (atomic_inc_return(&cs->open_count) == 1) {
26373 spin_lock_irqsave(&cs->lock, flags);
26375 spin_unlock_irqrestore(&cs->lock, flags);
26376 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
26378 if (!cs->connected)
26379 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
26380 - else if (!cs->open_count)
26381 + else if (!atomic_read(&cs->open_count))
26382 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26384 - if (!--cs->open_count) {
26385 + if (!atomic_dec_return(&cs->open_count)) {
26386 spin_lock_irqsave(&cs->lock, flags);
26388 spin_unlock_irqrestore(&cs->lock, flags);
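Review bot: In `if_close` the `atomic_read()` test and the later `atomic_dec_return()` are two separate operations, so converting `open_count` to `atomic_t` does not by itself make the check-then-decrement sequence safe; it still relies on whatever serialises open and close outside this hunk. If that serialisation exists, a comment on the field naming the lock that protects the sequence would help. The decrement itself reads more idiomatically as `if (atomic_dec_and_test(&cs->open_count)) {`. The function body starts and ends outside the hunk.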
26389 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
26390 if (!cs->connected) {
26391 gig_dbg(DEBUG_IF, "not connected");
26393 - } else if (!cs->open_count)
26394 + } else if (!atomic_read(&cs->open_count))
26395 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26398 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
26402 - if (!cs->open_count) {
26403 + if (!atomic_read(&cs->open_count)) {
26404 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26407 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
26408 if (!cs->connected) {
26409 gig_dbg(DEBUG_IF, "not connected");
26411 - } else if (!cs->open_count)
26412 + } else if (!atomic_read(&cs->open_count))
26413 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26414 else if (cs->mstate != MS_LOCKED) {
26415 dev_warn(cs->dev, "can't write to unlocked device\n");
26416 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
26418 if (!cs->connected)
26419 gig_dbg(DEBUG_IF, "not connected");
26420 - else if (!cs->open_count)
26421 + else if (!atomic_read(&cs->open_count))
26422 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26423 else if (cs->mstate != MS_LOCKED)
26424 dev_warn(cs->dev, "can't write to unlocked device\n");
26425 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
26427 if (!cs->connected)
26428 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
26429 - else if (!cs->open_count)
26430 + else if (!atomic_read(&cs->open_count))
26431 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26433 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
26434 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
26436 if (!cs->connected)
26437 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
26438 - else if (!cs->open_count)
26439 + else if (!atomic_read(&cs->open_count))
26440 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26442 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
26443 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
26447 - if (!cs->open_count) {
26448 + if (!atomic_read(&cs->open_count)) {
26449 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26452 diff -urNp linux-2.6.36.2/drivers/isdn/hardware/avm/b1.c linux-2.6.36.2/drivers/isdn/hardware/avm/b1.c
26453 --- linux-2.6.36.2/drivers/isdn/hardware/avm/b1.c 2010-10-20 16:30:22.000000000 -0400
26454 +++ linux-2.6.36.2/drivers/isdn/hardware/avm/b1.c 2010-12-09 20:24:17.000000000 -0500
26455 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
26458 if (t4file->user) {
26459 - if (copy_from_user(buf, dp, left))
26460 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
26463 memcpy(buf, dp, left);
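Review bot: The added `left > sizeof(buf)` bound guards only the `copy_from_user()` branch, while the `memcpy(buf, dp, left)` on the kernel-source path just below copies the same length unchecked. If the bound is worth enforcing it belongs before the `if (t4file->user)` test so both paths share it, as `if (left > sizeof(buf))` followed by the function's existing error return. The same pattern appears in the `b1_load_config` hunk below and in the `icn_writecmd` hunk in drivers/isdn/icn/icn.c. The check also assumes `buf` is an array in this scope; its declaration is outside the hunk.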
26464 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
26467 if (config->user) {
26468 - if (copy_from_user(buf, dp, left))
26469 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
26472 memcpy(buf, dp, left);
26473 diff -urNp linux-2.6.36.2/drivers/isdn/icn/icn.c linux-2.6.36.2/drivers/isdn/icn/icn.c
26474 --- linux-2.6.36.2/drivers/isdn/icn/icn.c 2010-10-20 16:30:22.000000000 -0400
26475 +++ linux-2.6.36.2/drivers/isdn/icn/icn.c 2010-12-09 20:24:17.000000000 -0500
26476 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
26480 - if (copy_from_user(msg, buf, count))
26481 + if (count > sizeof(msg) || copy_from_user(msg, buf, count))
26484 memcpy(msg, buf, count);
26485 diff -urNp linux-2.6.36.2/drivers/lguest/core.c linux-2.6.36.2/drivers/lguest/core.c
26486 --- linux-2.6.36.2/drivers/lguest/core.c 2010-10-20 16:30:22.000000000 -0400
26487 +++ linux-2.6.36.2/drivers/lguest/core.c 2010-12-09 20:24:31.000000000 -0500
26488 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
26489 * it's worked so far. The end address needs +1 because __get_vm_area
26490 * allocates an extra guard page, so we need space for that.
26493 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
26494 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
26495 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
26496 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
26498 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
26499 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
26500 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
26503 if (!switcher_vma) {
26505 printk("lguest: could not map switcher pages high\n");
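Review bot: The two `__get_vm_area()` calls under the new `#if` differ only in `VM_ALLOC | VM_KERNEXEC` versus `VM_ALLOC`, so the size and end-address arithmetic is now duplicated and can drift between configurations. Selecting the flags once and keeping a single call leaves the guard-page `+1` calculation in one place. `map_switcher` starts and ends outside the hunk.

```c
/* at file scope, above map_switcher() */
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
#define SWITCHER_VM_FLAGS	(VM_ALLOC | VM_KERNEXEC)
#else
#define SWITCHER_VM_FLAGS	VM_ALLOC
#endif

	/* … unchanged: comment about the extra guard page … */
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
				     SWITCHER_VM_FLAGS, SWITCHER_ADDR, SWITCHER_ADDR
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
```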
26506 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
26507 * Now the Switcher is mapped at the right address, we can't fail!
26508 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
26510 - memcpy(switcher_vma->addr, start_switcher_text,
26511 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
26512 end_switcher_text - start_switcher_text);
26514 printk(KERN_INFO "lguest: mapped switcher at %p\n",
26515 diff -urNp linux-2.6.36.2/drivers/macintosh/via-pmu-backlight.c linux-2.6.36.2/drivers/macintosh/via-pmu-backlight.c
26516 --- linux-2.6.36.2/drivers/macintosh/via-pmu-backlight.c 2010-10-20 16:30:22.000000000 -0400
26517 +++ linux-2.6.36.2/drivers/macintosh/via-pmu-backlight.c 2010-12-09 20:24:31.000000000 -0500
26520 #define MAX_PMU_LEVEL 0xFF
26522 -static struct backlight_ops pmu_backlight_data;
26523 +static const struct backlight_ops pmu_backlight_data;
26524 static DEFINE_SPINLOCK(pmu_backlight_lock);
26525 static int sleeping, uses_pmu_bl;
26526 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
26527 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
26528 return bd->props.brightness;
26531 -static struct backlight_ops pmu_backlight_data = {
26532 +static const struct backlight_ops pmu_backlight_data = {
26533 .get_brightness = pmu_backlight_get_brightness,
26534 .update_status = pmu_backlight_update_status,
26536 diff -urNp linux-2.6.36.2/drivers/macintosh/via-pmu.c linux-2.6.36.2/drivers/macintosh/via-pmu.c
26537 --- linux-2.6.36.2/drivers/macintosh/via-pmu.c 2010-10-20 16:30:22.000000000 -0400
26538 +++ linux-2.6.36.2/drivers/macintosh/via-pmu.c 2010-12-09 20:24:31.000000000 -0500
26539 @@ -2256,7 +2256,7 @@ static int pmu_sleep_valid(suspend_state
26540 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
26543 -static struct platform_suspend_ops pmu_pm_ops = {
26544 +static const struct platform_suspend_ops pmu_pm_ops = {
26545 .enter = powerbook_sleep,
26546 .valid = pmu_sleep_valid,
26548 diff -urNp linux-2.6.36.2/drivers/md/bitmap.c linux-2.6.36.2/drivers/md/bitmap.c
26549 --- linux-2.6.36.2/drivers/md/bitmap.c 2010-10-20 16:30:22.000000000 -0400
26550 +++ linux-2.6.36.2/drivers/md/bitmap.c 2010-12-09 20:24:16.000000000 -0500
26553 # define PRINTK(x...) printk(KERN_DEBUG x)
26555 -# define PRINTK(x...)
26556 +# define PRINTK(x...) do {} while (0)
26560 diff -urNp linux-2.6.36.2/drivers/md/dm-table.c linux-2.6.36.2/drivers/md/dm-table.c
26561 --- linux-2.6.36.2/drivers/md/dm-table.c 2010-10-20 16:30:22.000000000 -0400
26562 +++ linux-2.6.36.2/drivers/md/dm-table.c 2010-12-09 20:24:16.000000000 -0500
26563 @@ -366,7 +366,7 @@ static int device_area_is_invalid(struct
26567 - if ((start >= dev_size) || (start + len > dev_size)) {
26568 + if ((start >= dev_size) || (len > dev_size - start)) {
26569 DMWARN("%s: %s too small for target: "
26570 "start=%llu, len=%llu, dev_size=%llu",
26571 dm_device_name(ti->table->md), bdevname(bdev, b),
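Review bot: The rewritten test `len > dev_size - start` has no comment explaining why it replaced `start + len > dev_size`, and the two look equivalent at a glance, so a later cleanup could revert it. The subtraction form cannot wrap because `start >= dev_size` is rejected first, whereas the sum can overflow for large `start` and `len` and then pass the check. I would add `/* start < dev_size here, so the subtraction cannot wrap; start + len could */` above the condition. `device_area_is_invalid` continues outside the hunk.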
26572 diff -urNp linux-2.6.36.2/drivers/md/md.c linux-2.6.36.2/drivers/md/md.c
26573 --- linux-2.6.36.2/drivers/md/md.c 2010-12-09 20:53:46.000000000 -0500
26574 +++ linux-2.6.36.2/drivers/md/md.c 2010-12-09 20:54:34.000000000 -0500
26575 @@ -1869,7 +1869,7 @@ static int bind_rdev_to_array(mdk_rdev_t
26577 ko = &part_to_dev(rdev->bdev->bd_part)->kobj;
26578 if (sysfs_create_link(&rdev->kobj, ko, "block"))
26579 - /* failure here is OK */;
26580 + /* failure here is OK */{}
26581 rdev->sysfs_state = sysfs_get_dirent_safe(rdev->kobj.sd, "state");
26583 list_add_rcu(&rdev->same_set, &mddev->disks);
26584 @@ -2481,7 +2481,7 @@ slot_store(mdk_rdev_t *rdev, const char
26585 sysfs_notify_dirent_safe(rdev->sysfs_state);
26586 sprintf(nm, "rd%d", rdev->raid_disk);
26587 if (sysfs_create_link(&rdev->mddev->kobj, &rdev->kobj, nm))
26588 - /* failure here is OK */;
26589 + /* failure here is OK */{}
26590 /* don't wakeup anyone, leave that to userspace. */
26592 if (slot >= rdev->mddev->raid_disks)
26593 @@ -4563,7 +4563,7 @@ int md_run(mddev_t *mddev)
26595 sprintf(nm, "rd%d", rdev->raid_disk);
26596 if (sysfs_create_link(&mddev->kobj, &rdev->kobj, nm))
26597 - /* failure here is OK */;
26598 + /* failure here is OK */{}
26601 set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
26602 @@ -6405,7 +6405,7 @@ static int md_seq_show(struct seq_file *
26603 chunk_kb ? "KB" : "B");
26604 if (bitmap->file) {
26605 seq_printf(seq, ", file: ");
26606 - seq_path(seq, &bitmap->file->f_path, " \t\n");
26607 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
26610 seq_printf(seq, "\n");
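Review bot: The escape set passed to `seq_path()` gains `\\` without a comment saying why. As I understand `seq_path()`, characters in the set are emitted as backslash sequences, so a literal backslash in the bitmap file name has to be escaped too or a reader of the output cannot tell an escape from file-name text. A short comment such as `/* escape '\\' as well so the escaped output stays unambiguous */` would record that. `md_seq_show` starts and ends outside the hunk.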
26611 @@ -6499,7 +6499,7 @@ static int is_mddev_idle(mddev_t *mddev,
26612 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
26613 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
26614 (int)part_stat_read(&disk->part0, sectors[1]) -
26615 - atomic_read(&disk->sync_io);
26616 + atomic_read_unchecked(&disk->sync_io);
26617 /* sync IO will cause sync_io to increase before the disk_stats
26618 * as sync_io is counted when a request starts, and
26619 * disk_stats is counted when it completes.
26620 @@ -7017,7 +7017,7 @@ static int remove_and_add_spares(mddev_t
26621 sprintf(nm, "rd%d", rdev->raid_disk);
26622 if (sysfs_create_link(&mddev->kobj,
26624 - /* failure here is OK */;
26625 + /* failure here is OK */{}
26627 md_new_event(mddev);
26628 set_bit(MD_CHANGE_DEVS, &mddev->flags);
26629 diff -urNp linux-2.6.36.2/drivers/md/md.h linux-2.6.36.2/drivers/md/md.h
26630 --- linux-2.6.36.2/drivers/md/md.h 2010-10-20 16:30:22.000000000 -0400
26631 +++ linux-2.6.36.2/drivers/md/md.h 2010-12-09 20:24:16.000000000 -0500
26632 @@ -362,7 +362,7 @@ static inline void rdev_dec_pending(mdk_
26634 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
26636 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
26637 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
26640 struct mdk_personality
26641 diff -urNp linux-2.6.36.2/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.36.2/drivers/media/dvb/dvb-core/dvbdev.c
26642 --- linux-2.6.36.2/drivers/media/dvb/dvb-core/dvbdev.c 2010-10-20 16:30:22.000000000 -0400
26643 +++ linux-2.6.36.2/drivers/media/dvb/dvb-core/dvbdev.c 2010-12-09 20:24:16.000000000 -0500
26644 @@ -196,6 +196,7 @@ int dvb_register_device(struct dvb_adapt
26645 const struct dvb_device *template, void *priv, int type)
26647 struct dvb_device *dvbdev;
26648 + /* cannot be const, see this function */
26649 struct file_operations *dvbdevfops;
26650 struct device *clsdev;
26652 diff -urNp linux-2.6.36.2/drivers/media/IR/lirc_dev.c linux-2.6.36.2/drivers/media/IR/lirc_dev.c
26653 --- linux-2.6.36.2/drivers/media/IR/lirc_dev.c 2010-10-20 16:30:22.000000000 -0400
26654 +++ linux-2.6.36.2/drivers/media/IR/lirc_dev.c 2010-12-09 20:24:16.000000000 -0500
26655 @@ -155,7 +155,7 @@ static int lirc_thread(void *irctl)
26659 -static struct file_operations fops = {
26660 +static const struct file_operations fops = {
26661 .owner = THIS_MODULE,
26662 .read = lirc_dev_fop_read,
26663 .write = lirc_dev_fop_write,
26664 diff -urNp linux-2.6.36.2/drivers/media/radio/radio-cadet.c linux-2.6.36.2/drivers/media/radio/radio-cadet.c
26665 --- linux-2.6.36.2/drivers/media/radio/radio-cadet.c 2010-10-20 16:30:22.000000000 -0400
26666 +++ linux-2.6.36.2/drivers/media/radio/radio-cadet.c 2010-12-09 20:24:16.000000000 -0500
26667 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
26668 while (i < count && dev->rdsin != dev->rdsout)
26669 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
26671 - if (copy_to_user(data, readbuf, i))
26672 + if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
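Review bot: The added `i > sizeof(readbuf)` test runs after the `while` loop has already stored into `readbuf[i++]`, so if `i` could ever exceed the buffer the out-of-bounds write would have happened before the check fires. The bound belongs in the loop condition instead: `while (i < count && i < sizeof(readbuf) && dev->rdsin != dev->rdsout)`. The declarations of `readbuf` and `i` are outside the hunk, so whether the loop is already bounded some other way cannot be confirmed from here.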
26676 diff -urNp linux-2.6.36.2/drivers/message/fusion/mptbase.c linux-2.6.36.2/drivers/message/fusion/mptbase.c
26677 --- linux-2.6.36.2/drivers/message/fusion/mptbase.c 2010-10-20 16:30:22.000000000 -0400
26678 +++ linux-2.6.36.2/drivers/message/fusion/mptbase.c 2010-12-09 20:24:10.000000000 -0500
26679 @@ -6681,8 +6681,13 @@ static int mpt_iocinfo_proc_show(struct
26680 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
26681 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
26683 +#ifdef CONFIG_GRKERNSEC_HIDESYM
26684 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
26686 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
26687 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
26691 * Rounding UP to nearest 4-kB boundary here...
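Review bot: The `CONFIG_GRKERNSEC_HIDESYM` branch has no comment saying what it hides, and it repeats the format string of the normal branch, so the two copies can drift apart. I would add `/* HIDESYM: do not expose the request frames' kernel and DMA addresses through this proc file */` above the `#ifdef`. Most of mpt_iocinfo_proc_show is outside this hunk; any other `seq_printf` there that prints a `%p` value would need the same treatment.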
26693 diff -urNp linux-2.6.36.2/drivers/message/fusion/mptdebug.h linux-2.6.36.2/drivers/message/fusion/mptdebug.h
26694 --- linux-2.6.36.2/drivers/message/fusion/mptdebug.h 2010-10-20 16:30:22.000000000 -0400
26695 +++ linux-2.6.36.2/drivers/message/fusion/mptdebug.h 2010-12-09 20:24:10.000000000 -0500
26700 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
26701 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
26705 diff -urNp linux-2.6.36.2/drivers/message/fusion/mptsas.c linux-2.6.36.2/drivers/message/fusion/mptsas.c
26706 --- linux-2.6.36.2/drivers/message/fusion/mptsas.c 2010-10-20 16:30:22.000000000 -0400
26707 +++ linux-2.6.36.2/drivers/message/fusion/mptsas.c 2010-12-09 20:24:09.000000000 -0500
26708 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
26712 +static inline void
26713 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
26715 + if (phy_info->port_details) {
26716 + phy_info->port_details->rphy = rphy;
26717 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
26718 + ioc->name, rphy));
26722 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
26723 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
26724 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
26725 + ioc->name, rphy, rphy->dev.release));
26731 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
26732 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
26736 -static inline void
26737 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
26739 - if (phy_info->port_details) {
26740 - phy_info->port_details->rphy = rphy;
26741 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
26742 - ioc->name, rphy));
26746 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
26747 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
26748 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
26749 - ioc->name, rphy, rphy->dev.release));
26753 static inline struct sas_port *
26754 mptsas_get_port(struct mptsas_phyinfo *phy_info)
26756 diff -urNp linux-2.6.36.2/drivers/message/fusion/mptscsih.c linux-2.6.36.2/drivers/message/fusion/mptscsih.c
26757 --- linux-2.6.36.2/drivers/message/fusion/mptscsih.c 2010-10-20 16:30:22.000000000 -0400
26758 +++ linux-2.6.36.2/drivers/message/fusion/mptscsih.c 2010-12-09 20:24:10.000000000 -0500
26759 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
26761 h = shost_priv(SChost);
26764 - if (h->info_kbuf == NULL)
26765 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
26766 - return h->info_kbuf;
26767 - h->info_kbuf[0] = '\0';
26771 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
26772 - h->info_kbuf[size-1] = '\0';
26774 + if (h->info_kbuf == NULL)
26775 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
26776 + return h->info_kbuf;
26777 + h->info_kbuf[0] = '\0';
26779 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
26780 + h->info_kbuf[size-1] = '\0';
26782 return h->info_kbuf;
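Review bot: `h->info_kbuf[size-1] = '\0'` uses the `size` written back by `mpt_print_ioc_summary()` without checking it, so a returned size of 0 would store one byte before the buffer and a size above the 0x1000 allocation would store past it. `size` is declared outside this hunk, so its type and initial value are not visible; if it can be 0 or exceed the allocation, guard the store: `if (size > 0 && size <= 0x1000) h->info_kbuf[size-1] = '\0';`. Naming the 0x1000 constant once would let the allocation and the guard share it.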
26784 diff -urNp linux-2.6.36.2/drivers/message/i2o/i2o_proc.c linux-2.6.36.2/drivers/message/i2o/i2o_proc.c
26785 --- linux-2.6.36.2/drivers/message/i2o/i2o_proc.c 2010-10-20 16:30:22.000000000 -0400
26786 +++ linux-2.6.36.2/drivers/message/i2o/i2o_proc.c 2010-12-09 20:24:09.000000000 -0500
26787 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
26788 "Array Controller Device"
26791 -static char *chtostr(u8 * chars, int n)
26795 - return strncat(tmp, (char *)chars, n);
26798 static int i2o_report_query_status(struct seq_file *seq, int block_status,
26801 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
26803 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
26804 seq_printf(seq, "%-#8x", ddm_table.module_id);
26805 - seq_printf(seq, "%-29s",
26806 - chtostr(ddm_table.module_name_version, 28));
26807 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
26808 seq_printf(seq, "%9d ", ddm_table.data_size);
26809 seq_printf(seq, "%8d", ddm_table.code_size);
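Review bot: Replacing `%-29s` with `%-.28s` keeps the 28-byte read limit but drops the 29-column field width, so short module names are no longer padded and the following columns of this table shift. Width and precision can be combined: `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`. The next hunk has the same regression for `dst->module_name_version` and `dst->date`, where `%-29.28s` and `%-9.8s` would keep the old layout. The precision-only forms in the later `Label : %.Ns` hunks are fine because those lines had no field width to begin with.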
26811 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
26813 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
26814 seq_printf(seq, "%-#8x", dst->module_id);
26815 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
26816 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
26817 + seq_printf(seq, "%-.28s", dst->module_name_version);
26818 + seq_printf(seq, "%-.8s", dst->date);
26819 seq_printf(seq, "%8d ", dst->module_size);
26820 seq_printf(seq, "%8d ", dst->mpb_size);
26821 seq_printf(seq, "0x%04x", dst->module_flags);
26822 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
26823 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
26824 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
26825 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
26826 - seq_printf(seq, "Vendor info : %s\n",
26827 - chtostr((u8 *) (work32 + 2), 16));
26828 - seq_printf(seq, "Product info : %s\n",
26829 - chtostr((u8 *) (work32 + 6), 16));
26830 - seq_printf(seq, "Description : %s\n",
26831 - chtostr((u8 *) (work32 + 10), 16));
26832 - seq_printf(seq, "Product rev. : %s\n",
26833 - chtostr((u8 *) (work32 + 14), 8));
26834 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
26835 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
26836 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
26837 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
26839 seq_printf(seq, "Serial number : ");
26840 print_serial_number(seq, (u8 *) (work32 + 16),
26841 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
26844 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
26845 - seq_printf(seq, "Module name : %s\n",
26846 - chtostr(result.module_name, 24));
26847 - seq_printf(seq, "Module revision : %s\n",
26848 - chtostr(result.module_rev, 8));
26849 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
26850 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
26852 seq_printf(seq, "Serial number : ");
26853 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
26854 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
26858 - seq_printf(seq, "Device name : %s\n",
26859 - chtostr(result.device_name, 64));
26860 - seq_printf(seq, "Service name : %s\n",
26861 - chtostr(result.service_name, 64));
26862 - seq_printf(seq, "Physical name : %s\n",
26863 - chtostr(result.physical_location, 64));
26864 - seq_printf(seq, "Instance number : %s\n",
26865 - chtostr(result.instance_number, 4));
26866 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
26867 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
26868 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
26869 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
26873 diff -urNp linux-2.6.36.2/drivers/mfd/janz-cmodio.c linux-2.6.36.2/drivers/mfd/janz-cmodio.c
26874 --- linux-2.6.36.2/drivers/mfd/janz-cmodio.c 2010-10-20 16:30:22.000000000 -0400
26875 +++ linux-2.6.36.2/drivers/mfd/janz-cmodio.c 2010-12-09 20:24:26.000000000 -0500
26878 #include <linux/kernel.h>
26879 #include <linux/module.h>
26880 +#include <linux/slab.h>
26881 #include <linux/init.h>
26882 #include <linux/pci.h>
26883 #include <linux/interrupt.h>
26884 diff -urNp linux-2.6.36.2/drivers/misc/kgdbts.c linux-2.6.36.2/drivers/misc/kgdbts.c
26885 --- linux-2.6.36.2/drivers/misc/kgdbts.c 2010-10-20 16:30:22.000000000 -0400
26886 +++ linux-2.6.36.2/drivers/misc/kgdbts.c 2010-12-09 20:24:22.000000000 -0500
26887 @@ -118,7 +118,7 @@
26889 #define MAX_CONFIG_LEN 40
26891 -static struct kgdb_io kgdbts_io_ops;
26892 +static const struct kgdb_io kgdbts_io_ops;
26893 static char get_buf[BUFMAX];
26894 static int get_buf_cnt;
26895 static char put_buf[BUFMAX];
26896 @@ -1114,7 +1114,7 @@ static void kgdbts_post_exp_handler(void
26897 module_put(THIS_MODULE);
26900 -static struct kgdb_io kgdbts_io_ops = {
26901 +static const struct kgdb_io kgdbts_io_ops = {
26903 .read_char = kgdbts_get_char,
26904 .write_char = kgdbts_put_char,
26905 diff -urNp linux-2.6.36.2/drivers/misc/sgi-gru/gruhandles.c linux-2.6.36.2/drivers/misc/sgi-gru/gruhandles.c
26906 --- linux-2.6.36.2/drivers/misc/sgi-gru/gruhandles.c 2010-10-20 16:30:22.000000000 -0400
26907 +++ linux-2.6.36.2/drivers/misc/sgi-gru/gruhandles.c 2010-12-09 20:24:22.000000000 -0500
26908 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
26909 unsigned long nsec;
26911 nsec = CLKS2NSEC(clks);
26912 - atomic_long_inc(&mcs_op_statistics[op].count);
26913 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
26914 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
26915 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
26916 if (mcs_op_statistics[op].max < nsec)
26917 mcs_op_statistics[op].max = nsec;
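Review bot: Nothing at these call sites says why the counters move to the `_unchecked` atomics. A one-line comment such as `/* statistics only: wrap-around is harmless, so these counters use the unchecked atomics */` here, and on `struct gru_stats_s` and `struct mcs_op_statistic` in grutables.h, would keep a later cleanup from converting them back. Separately, the `max` update just below is a plain compare-and-store, so if update_mcs_stats can run concurrently a larger value may be lost; that is acceptable for statistics but worth stating in the same comment.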
26919 diff -urNp linux-2.6.36.2/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.36.2/drivers/misc/sgi-gru/gruprocfs.c
26920 --- linux-2.6.36.2/drivers/misc/sgi-gru/gruprocfs.c 2010-10-20 16:30:22.000000000 -0400
26921 +++ linux-2.6.36.2/drivers/misc/sgi-gru/gruprocfs.c 2010-12-09 20:24:22.000000000 -0500
26924 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
26926 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
26927 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
26929 - unsigned long val = atomic_long_read(v);
26930 + unsigned long val = atomic_long_read_unchecked(v);
26932 seq_printf(s, "%16lu %s\n", val, id);
26934 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
26936 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
26937 for (op = 0; op < mcsop_last; op++) {
26938 - count = atomic_long_read(&mcs_op_statistics[op].count);
26939 - total = atomic_long_read(&mcs_op_statistics[op].total);
26940 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
26941 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
26942 max = mcs_op_statistics[op].max;
26943 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
26944 count ? total / count : 0, max);
26945 diff -urNp linux-2.6.36.2/drivers/misc/sgi-gru/grutables.h linux-2.6.36.2/drivers/misc/sgi-gru/grutables.h
26946 --- linux-2.6.36.2/drivers/misc/sgi-gru/grutables.h 2010-10-20 16:30:22.000000000 -0400
26947 +++ linux-2.6.36.2/drivers/misc/sgi-gru/grutables.h 2010-12-09 20:24:22.000000000 -0500
26948 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
26951 struct gru_stats_s {
26952 - atomic_long_t vdata_alloc;
26953 - atomic_long_t vdata_free;
26954 - atomic_long_t gts_alloc;
26955 - atomic_long_t gts_free;
26956 - atomic_long_t gms_alloc;
26957 - atomic_long_t gms_free;
26958 - atomic_long_t gts_double_allocate;
26959 - atomic_long_t assign_context;
26960 - atomic_long_t assign_context_failed;
26961 - atomic_long_t free_context;
26962 - atomic_long_t load_user_context;
26963 - atomic_long_t load_kernel_context;
26964 - atomic_long_t lock_kernel_context;
26965 - atomic_long_t unlock_kernel_context;
26966 - atomic_long_t steal_user_context;
26967 - atomic_long_t steal_kernel_context;
26968 - atomic_long_t steal_context_failed;
26969 - atomic_long_t nopfn;
26970 - atomic_long_t asid_new;
26971 - atomic_long_t asid_next;
26972 - atomic_long_t asid_wrap;
26973 - atomic_long_t asid_reuse;
26974 - atomic_long_t intr;
26975 - atomic_long_t intr_cbr;
26976 - atomic_long_t intr_tfh;
26977 - atomic_long_t intr_spurious;
26978 - atomic_long_t intr_mm_lock_failed;
26979 - atomic_long_t call_os;
26980 - atomic_long_t call_os_wait_queue;
26981 - atomic_long_t user_flush_tlb;
26982 - atomic_long_t user_unload_context;
26983 - atomic_long_t user_exception;
26984 - atomic_long_t set_context_option;
26985 - atomic_long_t check_context_retarget_intr;
26986 - atomic_long_t check_context_unload;
26987 - atomic_long_t tlb_dropin;
26988 - atomic_long_t tlb_preload_page;
26989 - atomic_long_t tlb_dropin_fail_no_asid;
26990 - atomic_long_t tlb_dropin_fail_upm;
26991 - atomic_long_t tlb_dropin_fail_invalid;
26992 - atomic_long_t tlb_dropin_fail_range_active;
26993 - atomic_long_t tlb_dropin_fail_idle;
26994 - atomic_long_t tlb_dropin_fail_fmm;
26995 - atomic_long_t tlb_dropin_fail_no_exception;
26996 - atomic_long_t tfh_stale_on_fault;
26997 - atomic_long_t mmu_invalidate_range;
26998 - atomic_long_t mmu_invalidate_page;
26999 - atomic_long_t flush_tlb;
27000 - atomic_long_t flush_tlb_gru;
27001 - atomic_long_t flush_tlb_gru_tgh;
27002 - atomic_long_t flush_tlb_gru_zero_asid;
27004 - atomic_long_t copy_gpa;
27005 - atomic_long_t read_gpa;
27007 - atomic_long_t mesq_receive;
27008 - atomic_long_t mesq_receive_none;
27009 - atomic_long_t mesq_send;
27010 - atomic_long_t mesq_send_failed;
27011 - atomic_long_t mesq_noop;
27012 - atomic_long_t mesq_send_unexpected_error;
27013 - atomic_long_t mesq_send_lb_overflow;
27014 - atomic_long_t mesq_send_qlimit_reached;
27015 - atomic_long_t mesq_send_amo_nacked;
27016 - atomic_long_t mesq_send_put_nacked;
27017 - atomic_long_t mesq_page_overflow;
27018 - atomic_long_t mesq_qf_locked;
27019 - atomic_long_t mesq_qf_noop_not_full;
27020 - atomic_long_t mesq_qf_switch_head_failed;
27021 - atomic_long_t mesq_qf_unexpected_error;
27022 - atomic_long_t mesq_noop_unexpected_error;
27023 - atomic_long_t mesq_noop_lb_overflow;
27024 - atomic_long_t mesq_noop_qlimit_reached;
27025 - atomic_long_t mesq_noop_amo_nacked;
27026 - atomic_long_t mesq_noop_put_nacked;
27027 - atomic_long_t mesq_noop_page_overflow;
27028 + atomic_long_unchecked_t vdata_alloc;
27029 + atomic_long_unchecked_t vdata_free;
27030 + atomic_long_unchecked_t gts_alloc;
27031 + atomic_long_unchecked_t gts_free;
27032 + atomic_long_unchecked_t gms_alloc;
27033 + atomic_long_unchecked_t gms_free;
27034 + atomic_long_unchecked_t gts_double_allocate;
27035 + atomic_long_unchecked_t assign_context;
27036 + atomic_long_unchecked_t assign_context_failed;
27037 + atomic_long_unchecked_t free_context;
27038 + atomic_long_unchecked_t load_user_context;
27039 + atomic_long_unchecked_t load_kernel_context;
27040 + atomic_long_unchecked_t lock_kernel_context;
27041 + atomic_long_unchecked_t unlock_kernel_context;
27042 + atomic_long_unchecked_t steal_user_context;
27043 + atomic_long_unchecked_t steal_kernel_context;
27044 + atomic_long_unchecked_t steal_context_failed;
27045 + atomic_long_unchecked_t nopfn;
27046 + atomic_long_unchecked_t asid_new;
27047 + atomic_long_unchecked_t asid_next;
27048 + atomic_long_unchecked_t asid_wrap;
27049 + atomic_long_unchecked_t asid_reuse;
27050 + atomic_long_unchecked_t intr;
27051 + atomic_long_unchecked_t intr_cbr;
27052 + atomic_long_unchecked_t intr_tfh;
27053 + atomic_long_unchecked_t intr_spurious;
27054 + atomic_long_unchecked_t intr_mm_lock_failed;
27055 + atomic_long_unchecked_t call_os;
27056 + atomic_long_unchecked_t call_os_wait_queue;
27057 + atomic_long_unchecked_t user_flush_tlb;
27058 + atomic_long_unchecked_t user_unload_context;
27059 + atomic_long_unchecked_t user_exception;
27060 + atomic_long_unchecked_t set_context_option;
27061 + atomic_long_unchecked_t check_context_retarget_intr;
27062 + atomic_long_unchecked_t check_context_unload;
27063 + atomic_long_unchecked_t tlb_dropin;
27064 + atomic_long_unchecked_t tlb_preload_page;
27065 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
27066 + atomic_long_unchecked_t tlb_dropin_fail_upm;
27067 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
27068 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
27069 + atomic_long_unchecked_t tlb_dropin_fail_idle;
27070 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
27071 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
27072 + atomic_long_unchecked_t tfh_stale_on_fault;
27073 + atomic_long_unchecked_t mmu_invalidate_range;
27074 + atomic_long_unchecked_t mmu_invalidate_page;
27075 + atomic_long_unchecked_t flush_tlb;
27076 + atomic_long_unchecked_t flush_tlb_gru;
27077 + atomic_long_unchecked_t flush_tlb_gru_tgh;
27078 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
27080 + atomic_long_unchecked_t copy_gpa;
27081 + atomic_long_unchecked_t read_gpa;
27083 + atomic_long_unchecked_t mesq_receive;
27084 + atomic_long_unchecked_t mesq_receive_none;
27085 + atomic_long_unchecked_t mesq_send;
27086 + atomic_long_unchecked_t mesq_send_failed;
27087 + atomic_long_unchecked_t mesq_noop;
27088 + atomic_long_unchecked_t mesq_send_unexpected_error;
27089 + atomic_long_unchecked_t mesq_send_lb_overflow;
27090 + atomic_long_unchecked_t mesq_send_qlimit_reached;
27091 + atomic_long_unchecked_t mesq_send_amo_nacked;
27092 + atomic_long_unchecked_t mesq_send_put_nacked;
27093 + atomic_long_unchecked_t mesq_page_overflow;
27094 + atomic_long_unchecked_t mesq_qf_locked;
27095 + atomic_long_unchecked_t mesq_qf_noop_not_full;
27096 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
27097 + atomic_long_unchecked_t mesq_qf_unexpected_error;
27098 + atomic_long_unchecked_t mesq_noop_unexpected_error;
27099 + atomic_long_unchecked_t mesq_noop_lb_overflow;
27100 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
27101 + atomic_long_unchecked_t mesq_noop_amo_nacked;
27102 + atomic_long_unchecked_t mesq_noop_put_nacked;
27103 + atomic_long_unchecked_t mesq_noop_page_overflow;
27107 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
27108 tghop_invalidate, mcsop_last};
27110 struct mcs_op_statistic {
27111 - atomic_long_t count;
27112 - atomic_long_t total;
27113 + atomic_long_unchecked_t count;
27114 + atomic_long_unchecked_t total;
27118 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
27120 #define STAT(id) do { \
27121 if (gru_options & OPT_STATS) \
27122 - atomic_long_inc(&gru_stats.id); \
27123 + atomic_long_inc_unchecked(&gru_stats.id); \
27126 #ifdef CONFIG_SGI_GRU_DEBUG
27127 diff -urNp linux-2.6.36.2/drivers/mtd/devices/doc2000.c linux-2.6.36.2/drivers/mtd/devices/doc2000.c
27128 --- linux-2.6.36.2/drivers/mtd/devices/doc2000.c 2010-10-20 16:30:22.000000000 -0400
27129 +++ linux-2.6.36.2/drivers/mtd/devices/doc2000.c 2010-12-09 20:24:14.000000000 -0500
27130 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
27132 /* The ECC will not be calculated correctly if less than 512 is written */
27134 - if (len != 0x200 && eccbuf)
27135 + if (len != 0x200)
27136 printk(KERN_WARNING
27137 "ECC needs a full sector write (adr: %lx size %lx)\n",
27138 (long) to, (long) len);
27139 diff -urNp linux-2.6.36.2/drivers/mtd/devices/doc2001.c linux-2.6.36.2/drivers/mtd/devices/doc2001.c
27140 --- linux-2.6.36.2/drivers/mtd/devices/doc2001.c 2010-10-20 16:30:22.000000000 -0400
27141 +++ linux-2.6.36.2/drivers/mtd/devices/doc2001.c 2010-12-09 20:24:14.000000000 -0500
27142 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
27143 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
27145 /* Don't allow read past end of device */
27146 - if (from >= this->totlen)
27147 + if (from >= this->totlen || !len)
27150 /* Don't allow a single read to cross a 512-byte block boundary */
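Review bot: Adding `|| !len` to the end-of-device test makes a zero-length read take the same exit as an out-of-range offset. The return statement is not shown in this hunk, but if it is an error code, callers that pass `len == 0` now fail where they previously fell through. If the intent is to keep zero out of the length arithmetic below, a separate early exit that reports zero bytes read and returns success would be clearer. Note also that `mychip` is computed from `from >> this->chipshift` in the declaration above, before `from` is range-checked.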
27151 diff -urNp linux-2.6.36.2/drivers/mtd/nand/denali.c linux-2.6.36.2/drivers/mtd/nand/denali.c
27152 --- linux-2.6.36.2/drivers/mtd/nand/denali.c 2010-10-20 16:30:22.000000000 -0400
27153 +++ linux-2.6.36.2/drivers/mtd/nand/denali.c 2010-12-09 20:24:14.000000000 -0500
27155 #include <linux/pci.h>
27156 #include <linux/mtd/mtd.h>
27157 #include <linux/module.h>
27158 +#include <linux/slab.h>
27160 #include "denali.h"
27162 diff -urNp linux-2.6.36.2/drivers/mtd/ubi/build.c linux-2.6.36.2/drivers/mtd/ubi/build.c
27163 --- linux-2.6.36.2/drivers/mtd/ubi/build.c 2010-10-20 16:30:22.000000000 -0400
27164 +++ linux-2.6.36.2/drivers/mtd/ubi/build.c 2010-12-09 20:24:14.000000000 -0500
27165 @@ -1283,7 +1283,7 @@ module_exit(ubi_exit);
27166 static int __init bytes_str_to_int(const char *str)
27169 - unsigned long result;
27170 + unsigned long result, scale = 1;
27172 result = simple_strtoul(str, &endp, 0);
27173 if (str == endp || result >= INT_MAX) {
27174 @@ -1294,11 +1294,11 @@ static int __init bytes_str_to_int(const
27186 if (endp[1] == 'i' && endp[2] == 'B')
27189 @@ -1309,7 +1309,13 @@ static int __init bytes_str_to_int(const
27194 + if ((intoverflow_t)result*scale >= INT_MAX) {
27195 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
27200 + return result*scale;
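Review bot: `(intoverflow_t)result*scale >= INT_MAX` only detects overflow if `intoverflow_t` is wider than `unsigned long`; its definition is not part of this file's hunks, and where the two have the same width the product can wrap past the test. A division-based check needs no wider type: `if (result > (INT_MAX - 1) / scale)`. That form is equivalent as long as `scale` is never 0; it starts at 1 and is presumably only set to the KiB/MiB/GiB multipliers in the hunk above, whose lines are not shown here.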
27204 diff -urNp linux-2.6.36.2/drivers/net/cxgb3/cxgb3_main.c linux-2.6.36.2/drivers/net/cxgb3/cxgb3_main.c
27205 --- linux-2.6.36.2/drivers/net/cxgb3/cxgb3_main.c 2010-10-20 16:30:22.000000000 -0400
27206 +++ linux-2.6.36.2/drivers/net/cxgb3/cxgb3_main.c 2010-12-09 20:24:21.000000000 -0500
27207 @@ -2296,7 +2296,7 @@ static int cxgb_extension_ioctl(struct n
27208 case CHELSIO_GET_QSET_NUM:{
27209 struct ch_reg edata;
27211 - memset(&edata, 0, sizeof(struct ch_reg));
27212 + memset(&edata, 0, sizeof(edata));
27214 edata.cmd = CHELSIO_GET_QSET_NUM;
27215 edata.val = pi->nqsets;
27216 diff -urNp linux-2.6.36.2/drivers/net/e1000e/82571.c linux-2.6.36.2/drivers/net/e1000e/82571.c
27217 --- linux-2.6.36.2/drivers/net/e1000e/82571.c 2010-10-20 16:30:22.000000000 -0400
27218 +++ linux-2.6.36.2/drivers/net/e1000e/82571.c 2010-12-09 20:24:19.000000000 -0500
27219 @@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_82571(s
27221 struct e1000_hw *hw = &adapter->hw;
27222 struct e1000_mac_info *mac = &hw->mac;
27223 + /* cannot be const */
27224 struct e1000_mac_operations *func = &mac->ops;
27227 @@ -1703,7 +1704,7 @@ static void e1000_clear_hw_cntrs_82571(s
27231 -static struct e1000_mac_operations e82571_mac_ops = {
27232 +static const struct e1000_mac_operations e82571_mac_ops = {
27233 /* .check_mng_mode: mac type dependent */
27234 /* .check_for_link: media type dependent */
27235 .id_led_init = e1000e_id_led_init,
27236 @@ -1725,7 +1726,7 @@ static struct e1000_mac_operations e8257
27237 .read_mac_addr = e1000_read_mac_addr_82571,
27240 -static struct e1000_phy_operations e82_phy_ops_igp = {
27241 +static const struct e1000_phy_operations e82_phy_ops_igp = {
27242 .acquire = e1000_get_hw_semaphore_82571,
27243 .check_polarity = e1000_check_polarity_igp,
27244 .check_reset_block = e1000e_check_reset_block_generic,
27245 @@ -1743,7 +1744,7 @@ static struct e1000_phy_operations e82_p
27246 .cfg_on_link_up = NULL,
27249 -static struct e1000_phy_operations e82_phy_ops_m88 = {
27250 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
27251 .acquire = e1000_get_hw_semaphore_82571,
27252 .check_polarity = e1000_check_polarity_m88,
27253 .check_reset_block = e1000e_check_reset_block_generic,
27254 @@ -1761,7 +1762,7 @@ static struct e1000_phy_operations e82_p
27255 .cfg_on_link_up = NULL,
27258 -static struct e1000_phy_operations e82_phy_ops_bm = {
27259 +static const struct e1000_phy_operations e82_phy_ops_bm = {
27260 .acquire = e1000_get_hw_semaphore_82571,
27261 .check_polarity = e1000_check_polarity_m88,
27262 .check_reset_block = e1000e_check_reset_block_generic,
27263 @@ -1779,7 +1780,7 @@ static struct e1000_phy_operations e82_p
27264 .cfg_on_link_up = NULL,
27267 -static struct e1000_nvm_operations e82571_nvm_ops = {
27268 +static const struct e1000_nvm_operations e82571_nvm_ops = {
27269 .acquire = e1000_acquire_nvm_82571,
27270 .read = e1000e_read_nvm_eerd,
27271 .release = e1000_release_nvm_82571,
27272 diff -urNp linux-2.6.36.2/drivers/net/e1000e/e1000.h linux-2.6.36.2/drivers/net/e1000e/e1000.h
27273 --- linux-2.6.36.2/drivers/net/e1000e/e1000.h 2010-10-20 16:30:22.000000000 -0400
27274 +++ linux-2.6.36.2/drivers/net/e1000e/e1000.h 2010-12-09 20:24:19.000000000 -0500
27275 @@ -379,9 +379,9 @@ struct e1000_info {
27277 u32 max_hw_frame_size;
27278 s32 (*get_variants)(struct e1000_adapter *);
27279 - struct e1000_mac_operations *mac_ops;
27280 - struct e1000_phy_operations *phy_ops;
27281 - struct e1000_nvm_operations *nvm_ops;
27282 + const struct e1000_mac_operations *mac_ops;
27283 + const struct e1000_phy_operations *phy_ops;
27284 + const struct e1000_nvm_operations *nvm_ops;
27287 /* hardware capability, feature, and workaround flags */
27288 diff -urNp linux-2.6.36.2/drivers/net/e1000e/es2lan.c linux-2.6.36.2/drivers/net/e1000e/es2lan.c
27289 --- linux-2.6.36.2/drivers/net/e1000e/es2lan.c 2010-10-20 16:30:22.000000000 -0400
27290 +++ linux-2.6.36.2/drivers/net/e1000e/es2lan.c 2010-12-09 20:24:19.000000000 -0500
27291 @@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
27293 struct e1000_hw *hw = &adapter->hw;
27294 struct e1000_mac_info *mac = &hw->mac;
27295 + /* cannot be const */
27296 struct e1000_mac_operations *func = &mac->ops;
27298 /* Set media type */
27299 @@ -1431,7 +1432,7 @@ static void e1000_clear_hw_cntrs_80003es
27303 -static struct e1000_mac_operations es2_mac_ops = {
27304 +static const struct e1000_mac_operations es2_mac_ops = {
27305 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
27306 .id_led_init = e1000e_id_led_init,
27307 .check_mng_mode = e1000e_check_mng_mode_generic,
27308 @@ -1453,7 +1454,7 @@ static struct e1000_mac_operations es2_m
27309 .setup_led = e1000e_setup_led_generic,
27312 -static struct e1000_phy_operations es2_phy_ops = {
27313 +static const struct e1000_phy_operations es2_phy_ops = {
27314 .acquire = e1000_acquire_phy_80003es2lan,
27315 .check_polarity = e1000_check_polarity_m88,
27316 .check_reset_block = e1000e_check_reset_block_generic,
27317 @@ -1471,7 +1472,7 @@ static struct e1000_phy_operations es2_p
27318 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
27321 -static struct e1000_nvm_operations es2_nvm_ops = {
27322 +static const struct e1000_nvm_operations es2_nvm_ops = {
27323 .acquire = e1000_acquire_nvm_80003es2lan,
27324 .read = e1000e_read_nvm_eerd,
27325 .release = e1000_release_nvm_80003es2lan,
27326 diff -urNp linux-2.6.36.2/drivers/net/e1000e/hw.h linux-2.6.36.2/drivers/net/e1000e/hw.h
27327 --- linux-2.6.36.2/drivers/net/e1000e/hw.h 2010-10-20 16:30:22.000000000 -0400
27328 +++ linux-2.6.36.2/drivers/net/e1000e/hw.h 2010-12-09 20:24:19.000000000 -0500
27329 @@ -800,13 +800,13 @@ struct e1000_phy_operations {
27331 /* Function pointers for the NVM. */
27332 struct e1000_nvm_operations {
27333 - s32 (*acquire)(struct e1000_hw *);
27334 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
27335 - void (*release)(struct e1000_hw *);
27336 - s32 (*update)(struct e1000_hw *);
27337 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
27338 - s32 (*validate)(struct e1000_hw *);
27339 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
27340 + s32 (* const acquire)(struct e1000_hw *);
27341 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
27342 + void (* const release)(struct e1000_hw *);
27343 + s32 (* const update)(struct e1000_hw *);
27344 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
27345 + s32 (* const validate)(struct e1000_hw *);
27346 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
27349 struct e1000_mac_info {
27350 @@ -886,6 +886,7 @@ struct e1000_phy_info {
27353 struct e1000_nvm_info {
27354 + /* cannot be const */
27355 struct e1000_nvm_operations ops;
27357 enum e1000_nvm_type type;
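Review bot: `/* cannot be const */` does not say why, and the reason matters here: the hunk above makes every member of `struct e1000_nvm_operations` a `* const` pointer, so this embedded `ops` can no longer be filled member by member or by struct assignment. However it is initialised (that code is outside this section, presumably a `memcpy` from the per-chip table), the write stores into const-qualified members, which the C standard leaves undefined and which a compiler may optimise on. I would expand the comment to something like `/* not const: copied once at probe time from the const per-chip ops table, read-only afterwards */` once that is confirmed. The same applies to the matching hunks in drivers/net/igb/e1000_hw.h and to the `func = &mac->ops` comments in 82571.c and es2lan.c.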
27358 diff -urNp linux-2.6.36.2/drivers/net/e1000e/ich8lan.c linux-2.6.36.2/drivers/net/e1000e/ich8lan.c
27359 --- linux-2.6.36.2/drivers/net/e1000e/ich8lan.c 2010-10-20 16:30:22.000000000 -0400
27360 +++ linux-2.6.36.2/drivers/net/e1000e/ich8lan.c 2010-12-09 20:24:19.000000000 -0500
27361 @@ -3856,7 +3856,7 @@ static void e1000_clear_hw_cntrs_ich8lan
27365 -static struct e1000_mac_operations ich8_mac_ops = {
27366 +static const struct e1000_mac_operations ich8_mac_ops = {
27367 .id_led_init = e1000e_id_led_init,
27368 /* check_mng_mode dependent on mac type */
27369 .check_for_link = e1000_check_for_copper_link_ich8lan,
27370 @@ -3875,7 +3875,7 @@ static struct e1000_mac_operations ich8_
27371 /* id_led_init dependent on mac type */
27374 -static struct e1000_phy_operations ich8_phy_ops = {
27375 +static const struct e1000_phy_operations ich8_phy_ops = {
27376 .acquire = e1000_acquire_swflag_ich8lan,
27377 .check_reset_block = e1000_check_reset_block_ich8lan,
27379 @@ -3889,7 +3889,7 @@ static struct e1000_phy_operations ich8_
27380 .write_reg = e1000e_write_phy_reg_igp,
27383 -static struct e1000_nvm_operations ich8_nvm_ops = {
27384 +static const struct e1000_nvm_operations ich8_nvm_ops = {
27385 .acquire = e1000_acquire_nvm_ich8lan,
27386 .read = e1000_read_nvm_ich8lan,
27387 .release = e1000_release_nvm_ich8lan,
27388 diff -urNp linux-2.6.36.2/drivers/net/eql.c linux-2.6.36.2/drivers/net/eql.c
27389 --- linux-2.6.36.2/drivers/net/eql.c 2010-10-20 16:30:22.000000000 -0400
27390 +++ linux-2.6.36.2/drivers/net/eql.c 2010-12-09 20:24:18.000000000 -0500
27391 @@ -555,7 +555,7 @@ static int eql_g_master_cfg(struct net_d
27393 master_config_t mc;
27395 - memset(&mc, 0, sizeof(master_config_t));
27396 + memset(&mc, 0, sizeof(mc));
27398 if (eql_is_master(dev)) {
27399 eql = netdev_priv(dev);
27400 diff -urNp linux-2.6.36.2/drivers/net/igb/e1000_82575.c linux-2.6.36.2/drivers/net/igb/e1000_82575.c
27401 --- linux-2.6.36.2/drivers/net/igb/e1000_82575.c 2010-10-20 16:30:22.000000000 -0400
27402 +++ linux-2.6.36.2/drivers/net/igb/e1000_82575.c 2010-12-09 20:24:18.000000000 -0500
27403 @@ -1698,7 +1698,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
27407 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
27408 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
27409 .init_hw = igb_init_hw_82575,
27410 .check_for_link = igb_check_for_link_82575,
27411 .rar_set = igb_rar_set,
27412 @@ -1706,13 +1706,13 @@ static struct e1000_mac_operations e1000
27413 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
27416 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
27417 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
27418 .acquire = igb_acquire_phy_82575,
27419 .get_cfg_done = igb_get_cfg_done_82575,
27420 .release = igb_release_phy_82575,
27423 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
27424 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
27425 .acquire = igb_acquire_nvm_82575,
27426 .read = igb_read_nvm_eerd,
27427 .release = igb_release_nvm_82575,
27428 diff -urNp linux-2.6.36.2/drivers/net/igb/e1000_hw.h linux-2.6.36.2/drivers/net/igb/e1000_hw.h
27429 --- linux-2.6.36.2/drivers/net/igb/e1000_hw.h 2010-10-20 16:30:22.000000000 -0400
27430 +++ linux-2.6.36.2/drivers/net/igb/e1000_hw.h 2010-12-09 20:24:18.000000000 -0500
27431 @@ -323,17 +323,17 @@ struct e1000_phy_operations {
27434 struct e1000_nvm_operations {
27435 - s32 (*acquire)(struct e1000_hw *);
27436 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
27437 - void (*release)(struct e1000_hw *);
27438 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
27439 + s32 (* const acquire)(struct e1000_hw *);
27440 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
27441 + void (* const release)(struct e1000_hw *);
27442 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
27445 struct e1000_info {
27446 s32 (*get_invariants)(struct e1000_hw *);
27447 - struct e1000_mac_operations *mac_ops;
27448 - struct e1000_phy_operations *phy_ops;
27449 - struct e1000_nvm_operations *nvm_ops;
27450 + const struct e1000_mac_operations *mac_ops;
27451 + const struct e1000_phy_operations *phy_ops;
27452 + const struct e1000_nvm_operations *nvm_ops;
27455 extern const struct e1000_info e1000_82575_info;
27456 @@ -412,6 +412,7 @@ struct e1000_phy_info {
27459 struct e1000_nvm_info {
27460 + /* cannot be const */
27461 struct e1000_nvm_operations ops;
27463 enum e1000_nvm_type type;
27464 diff -urNp linux-2.6.36.2/drivers/net/irda/vlsi_ir.c linux-2.6.36.2/drivers/net/irda/vlsi_ir.c
27465 --- linux-2.6.36.2/drivers/net/irda/vlsi_ir.c 2010-10-20 16:30:22.000000000 -0400
27466 +++ linux-2.6.36.2/drivers/net/irda/vlsi_ir.c 2010-12-09 20:24:19.000000000 -0500
27467 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
27468 /* no race - tx-ring already empty */
27469 vlsi_set_baud(idev, iobase);
27470 netif_wake_queue(ndev);
27475 /* keep the speed change pending like it would
27476 * for any len>0 packet. tx completion interrupt
27477 * will apply it when the tx ring becomes empty.
27480 spin_unlock_irqrestore(&idev->lock, flags);
27481 dev_kfree_skb_any(skb);
27482 return NETDEV_TX_OK;
27483 diff -urNp linux-2.6.36.2/drivers/net/macvtap.c linux-2.6.36.2/drivers/net/macvtap.c
27484 --- linux-2.6.36.2/drivers/net/macvtap.c 2010-10-20 16:30:22.000000000 -0400
27485 +++ linux-2.6.36.2/drivers/net/macvtap.c 2010-12-09 20:24:18.000000000 -0500
27486 @@ -464,8 +464,9 @@ static ssize_t macvtap_get_user(struct m
27487 vnet_hdr_len = q->vnet_hdr_sz;
27490 - if ((len -= vnet_hdr_len) < 0)
27491 + if (len < vnet_hdr_len)
27493 + len -= vnet_hdr_len;
27495 err = memcpy_fromiovecend((void *)&vnet_hdr, iv, 0,
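Review bot: The reason for moving the test ahead of the subtraction is not recorded at `if (len < vnet_hdr_len)`. Presumably `len` is an unsigned type (its declaration is outside the hunk), so the old `(len -= vnet_hdr_len) < 0` could never be true and a buffer shorter than the header wrapped to a very large length. A one-line comment such as `/* len is unsigned: compare before subtracting so a short buffer cannot wrap */` would stop the two lines being folded back together later. macvtap_get_user's body starts and ends outside the hunk.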
27497 diff -urNp linux-2.6.36.2/drivers/net/pcnet32.c linux-2.6.36.2/drivers/net/pcnet32.c
27498 --- linux-2.6.36.2/drivers/net/pcnet32.c 2010-10-20 16:30:22.000000000 -0400
27499 +++ linux-2.6.36.2/drivers/net/pcnet32.c 2010-12-09 20:24:18.000000000 -0500
27500 @@ -82,7 +82,7 @@ static int cards_found;
27502 * VLB I/O addresses
27504 -static unsigned int pcnet32_portlist[] __initdata =
27505 +static unsigned int pcnet32_portlist[] __devinitdata =
27506 { 0x300, 0x320, 0x340, 0x360, 0 };
27508 static int pcnet32_debug;
27509 diff -urNp linux-2.6.36.2/drivers/net/ppp_generic.c linux-2.6.36.2/drivers/net/ppp_generic.c
27510 --- linux-2.6.36.2/drivers/net/ppp_generic.c 2010-10-20 16:30:22.000000000 -0400
27511 +++ linux-2.6.36.2/drivers/net/ppp_generic.c 2010-12-09 20:24:19.000000000 -0500
27512 @@ -985,7 +985,6 @@ ppp_net_ioctl(struct net_device *dev, st
27513 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
27514 struct ppp_stats stats;
27515 struct ppp_comp_stats cstats;
27519 case SIOCGPPPSTATS:
27520 @@ -1007,8 +1006,7 @@ ppp_net_ioctl(struct net_device *dev, st
27524 - vers = PPP_VERSION;
27525 - if (copy_to_user(addr, vers, strlen(vers) + 1))
27526 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
27530 diff -urNp linux-2.6.36.2/drivers/net/tg3.c linux-2.6.36.2/drivers/net/tg3.c
27531 --- linux-2.6.36.2/drivers/net/tg3.c 2010-10-20 16:30:22.000000000 -0400
27532 +++ linux-2.6.36.2/drivers/net/tg3.c 2010-12-09 20:24:19.000000000 -0500
27533 @@ -12433,7 +12433,7 @@ static void __devinit tg3_read_vpd(struc
27534 cnt = pci_read_vpd(tp->pdev, pos,
27535 TG3_NVM_VPD_LEN - pos,
27537 - if (cnt == -ETIMEDOUT || -EINTR)
27538 + if (cnt == -ETIMEDOUT || cnt == -EINTR)
27541 goto out_not_found;
27542 diff -urNp linux-2.6.36.2/drivers/net/tg3.h linux-2.6.36.2/drivers/net/tg3.h
27543 --- linux-2.6.36.2/drivers/net/tg3.h 2010-10-20 16:30:22.000000000 -0400
27544 +++ linux-2.6.36.2/drivers/net/tg3.h 2010-12-09 20:24:18.000000000 -0500
27545 @@ -131,6 +131,7 @@
27546 #define CHIPREV_ID_5750_A0 0x4000
27547 #define CHIPREV_ID_5750_A1 0x4001
27548 #define CHIPREV_ID_5750_A3 0x4003
27549 +#define CHIPREV_ID_5750_C1 0x4201
27550 #define CHIPREV_ID_5750_C2 0x4202
27551 #define CHIPREV_ID_5752_A0_HW 0x5000
27552 #define CHIPREV_ID_5752_A0 0x6000
27553 diff -urNp linux-2.6.36.2/drivers/net/tulip/de4x5.c linux-2.6.36.2/drivers/net/tulip/de4x5.c
27554 --- linux-2.6.36.2/drivers/net/tulip/de4x5.c 2010-10-20 16:30:22.000000000 -0400
27555 +++ linux-2.6.36.2/drivers/net/tulip/de4x5.c 2010-12-09 20:24:19.000000000 -0500
27556 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
27557 for (i=0; i<ETH_ALEN; i++) {
27558 tmp.addr[i] = dev->dev_addr[i];
27560 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
27561 + if (ioc->len > sizeof(tmp.addr) || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
27564 case DE4X5_SET_HWADDR: /* Set the hardware address */
27565 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
27566 spin_lock_irqsave(&lp->lock, flags);
27567 memcpy(&statbuf, &lp->pktStats, ioc->len);
27568 spin_unlock_irqrestore(&lp->lock, flags);
27569 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
27570 + if (ioc->len > sizeof(statbuf) || copy_to_user(ioc->data, &statbuf, ioc->len))
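Review bot: The new `ioc->len > sizeof(statbuf)` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len)` two lines earlier, so it only protects the copy to user space. If `ioc->len` is not already fixed before the lock is taken (those lines are outside this hunk), an oversized length has overrun `statbuf` before it is rejected. The bound belongs ahead of the copy, as `if (ioc->len > sizeof(statbuf)) return -EFAULT;` before `spin_lock_irqsave`. The third de4x5_ioctl hunk switches the source to `tmp.lval` with no bound visible, so it is worth confirming that `ioc->len` is set from `j` just above it.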
27574 @@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
27575 tmp.lval[6] = inl(DE4X5_STRR); j+=4;
27576 tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
27578 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
27579 + if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
27582 #define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
27583 diff -urNp linux-2.6.36.2/drivers/net/usb/hso.c linux-2.6.36.2/drivers/net/usb/hso.c
27584 --- linux-2.6.36.2/drivers/net/usb/hso.c 2010-10-20 16:30:22.000000000 -0400
27585 +++ linux-2.6.36.2/drivers/net/usb/hso.c 2010-12-09 20:24:19.000000000 -0500
27586 @@ -257,7 +257,7 @@ struct hso_serial {
27588 /* from usb_serial_port */
27589 struct tty_struct *tty;
27591 + atomic_t open_count;
27592 spinlock_t serial_lock;
27594 int (*write_data) (struct hso_serial *serial);
27595 @@ -1200,7 +1200,7 @@ static void put_rxbuf_data_and_resubmit_
27598 urb = serial->rx_urb[0];
27599 - if (serial->open_count > 0) {
27600 + if (atomic_read(&serial->open_count) > 0) {
27601 count = put_rxbuf_data(urb, serial);
27604 @@ -1236,7 +1236,7 @@ static void hso_std_serial_read_bulk_cal
27605 DUMP1(urb->transfer_buffer, urb->actual_length);
27607 /* Anyone listening? */
27608 - if (serial->open_count == 0)
27609 + if (atomic_read(&serial->open_count) == 0)
27613 @@ -1331,8 +1331,7 @@ static int hso_serial_open(struct tty_st
27614 spin_unlock_irq(&serial->serial_lock);
27616 /* check for port already opened, if not set the termios */
27617 - serial->open_count++;
27618 - if (serial->open_count == 1) {
27619 + if (atomic_inc_return(&serial->open_count) == 1) {
27620 serial->rx_state = RX_IDLE;
27621 /* Force default termio settings */
27622 _hso_serial_set_termios(tty, NULL);
27623 @@ -1344,7 +1343,7 @@ static int hso_serial_open(struct tty_st
27624 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
27626 hso_stop_serial_device(serial->parent);
27627 - serial->open_count--;
27628 + atomic_dec(&serial->open_count);
27629 kref_put(&serial->parent->ref, hso_serial_ref_free);
27632 @@ -1381,10 +1380,10 @@ static void hso_serial_close(struct tty_
27634 /* reset the rts and dtr */
27635 /* do the actual close */
27636 - serial->open_count--;
27637 + atomic_dec(&serial->open_count);
27639 - if (serial->open_count <= 0) {
27640 - serial->open_count = 0;
27641 + if (atomic_read(&serial->open_count) <= 0) {
27642 + atomic_set(&serial->open_count, 0);
27643 spin_lock_irq(&serial->serial_lock);
27644 if (serial->tty == tty) {
27645 serial->tty->driver_data = NULL;
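Review bot: In hso_serial_close the decrement and the test remain two separate operations, `atomic_dec(&serial->open_count)` followed by `atomic_read(&serial->open_count) <= 0`. A concurrent open or close can change the counter between them, whereas the open path in the earlier hunk uses `atomic_inc_return` for exactly this decision. Folding them into `if (atomic_dec_return(&serial->open_count) <= 0) {` ties the branch to this caller's own decrement. The `atomic_set(&serial->open_count, 0)` clamp that follows is still a separate write and would hide an unbalanced close rather than report it. The function body extends beyond the hunk, so whether an outer lock already serialises these paths cannot be seen here.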
27646 @@ -1466,7 +1465,7 @@ static void hso_serial_set_termios(struc
27648 /* the actual setup */
27649 spin_lock_irqsave(&serial->serial_lock, flags);
27650 - if (serial->open_count)
27651 + if (atomic_read(&serial->open_count))
27652 _hso_serial_set_termios(tty, old);
27654 tty->termios = old;
27655 @@ -1652,10 +1651,11 @@ static int hso_get_count(struct hso_seri
27656 struct uart_icount cnow;
27657 struct hso_tiocmget *tiocmget = serial->tiocmget;
27659 - memset(&icount, 0, sizeof(struct serial_icounter_struct));
27664 + memset(&icount, 0, sizeof(icount));
27666 spin_lock_irq(&serial->serial_lock);
27667 memcpy(&cnow, &tiocmget->icount, sizeof(struct uart_icount));
27668 spin_unlock_irq(&serial->serial_lock);
27669 @@ -1930,7 +1930,7 @@ static void intr_callback(struct urb *ur
27670 D1("Pending read interrupt on port %d\n", i);
27671 spin_lock(&serial->serial_lock);
27672 if (serial->rx_state == RX_IDLE &&
27673 - serial->open_count > 0) {
27674 + atomic_read(&serial->open_count) > 0) {
27675 /* Setup and send a ctrl req read on
27677 if (!serial->rx_urb_filled[0]) {
27678 @@ -3120,7 +3120,7 @@ static int hso_resume(struct usb_interfa
27679 /* Start all serial ports */
27680 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
27681 if (serial_table[i] && (serial_table[i]->interface == iface)) {
27682 - if (dev2ser(serial_table[i])->open_count) {
27683 + if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
27685 hso_start_serial_device(serial_table[i], GFP_NOIO);
27686 hso_kick_transmit(dev2ser(serial_table[i]));
27687 diff -urNp linux-2.6.36.2/drivers/net/wireless/b43/debugfs.c linux-2.6.36.2/drivers/net/wireless/b43/debugfs.c
27688 --- linux-2.6.36.2/drivers/net/wireless/b43/debugfs.c 2010-10-20 16:30:22.000000000 -0400
27689 +++ linux-2.6.36.2/drivers/net/wireless/b43/debugfs.c 2010-12-09 20:24:20.000000000 -0500
27690 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
27691 struct b43_debugfs_fops {
27692 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
27693 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
27694 - struct file_operations fops;
27695 + const struct file_operations fops;
27696 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
27697 size_t file_struct_offset;
27699 diff -urNp linux-2.6.36.2/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.36.2/drivers/net/wireless/b43legacy/debugfs.c
27700 --- linux-2.6.36.2/drivers/net/wireless/b43legacy/debugfs.c 2010-10-20 16:30:22.000000000 -0400
27701 +++ linux-2.6.36.2/drivers/net/wireless/b43legacy/debugfs.c 2010-12-09 20:24:20.000000000 -0500
27702 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
27703 struct b43legacy_debugfs_fops {
27704 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
27705 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
27706 - struct file_operations fops;
27707 + const struct file_operations fops;
27708 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
27709 size_t file_struct_offset;
27710 /* Take wl->irq_lock before calling read/write? */
27711 diff -urNp linux-2.6.36.2/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.36.2/drivers/net/wireless/iwlwifi/iwl-debug.h
27712 --- linux-2.6.36.2/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-10-20 16:30:22.000000000 -0400
27713 +++ linux-2.6.36.2/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-12-09 20:24:20.000000000 -0500
27714 @@ -68,8 +68,8 @@ do {
27718 -#define IWL_DEBUG(__priv, level, fmt, args...)
27719 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
27720 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
27721 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
27722 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
27723 const void *p, u32 len)
27725 diff -urNp linux-2.6.36.2/drivers/net/wireless/libertas/debugfs.c linux-2.6.36.2/drivers/net/wireless/libertas/debugfs.c
27726 --- linux-2.6.36.2/drivers/net/wireless/libertas/debugfs.c 2010-10-20 16:30:22.000000000 -0400
27727 +++ linux-2.6.36.2/drivers/net/wireless/libertas/debugfs.c 2010-12-09 20:24:21.000000000 -0500
27728 @@ -701,7 +701,7 @@ out_unlock:
27729 struct lbs_debugfs_files {
27732 - struct file_operations fops;
27733 + const struct file_operations fops;
27736 static const struct lbs_debugfs_files debugfs_files[] = {
27737 diff -urNp linux-2.6.36.2/drivers/net/wireless/rndis_wlan.c linux-2.6.36.2/drivers/net/wireless/rndis_wlan.c
27738 --- linux-2.6.36.2/drivers/net/wireless/rndis_wlan.c 2010-10-20 16:30:22.000000000 -0400
27739 +++ linux-2.6.36.2/drivers/net/wireless/rndis_wlan.c 2010-12-09 20:24:20.000000000 -0500
27740 @@ -1236,7 +1236,7 @@ static int set_rts_threshold(struct usbn
27742 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
27744 - if (rts_threshold < 0 || rts_threshold > 2347)
27745 + if (rts_threshold > 2347)
27746 rts_threshold = 2347;
27748 tmp = cpu_to_le32(rts_threshold);
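Review bot: Dropping `rts_threshold < 0` is only correct if the parameter is an unsigned type, which the truncated signature in the hunk header does not show. With a signed parameter, a negative value would now reach `cpu_to_le32` unclamped. If it is unsigned, the `netdev_dbg` context line still formats it with `%i` and should use `%u` so large values are not logged as negative. The same signedness assumption sits behind the `*irq < 0` and `*dma < 0` removals in drivers/pnp/resource.c.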
27749 diff -urNp linux-2.6.36.2/drivers/oprofile/buffer_sync.c linux-2.6.36.2/drivers/oprofile/buffer_sync.c
27750 --- linux-2.6.36.2/drivers/oprofile/buffer_sync.c 2010-10-20 16:30:22.000000000 -0400
27751 +++ linux-2.6.36.2/drivers/oprofile/buffer_sync.c 2010-12-09 20:24:12.000000000 -0500
27752 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
27753 if (cookie == NO_COOKIE)
27755 if (cookie == INVALID_COOKIE) {
27756 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
27757 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
27760 if (cookie != last_cookie) {
27761 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct
27762 /* add userspace sample */
27765 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
27766 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
27770 cookie = lookup_dcookie(mm, s->eip, &offset);
27772 if (cookie == INVALID_COOKIE) {
27773 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
27774 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
27778 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
27779 /* ignore backtraces if failed to add a sample */
27780 if (state == sb_bt_start) {
27781 state = sb_bt_ignore;
27782 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
27783 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
27787 diff -urNp linux-2.6.36.2/drivers/oprofile/event_buffer.c linux-2.6.36.2/drivers/oprofile/event_buffer.c
27788 --- linux-2.6.36.2/drivers/oprofile/event_buffer.c 2010-10-20 16:30:22.000000000 -0400
27789 +++ linux-2.6.36.2/drivers/oprofile/event_buffer.c 2010-12-09 20:24:12.000000000 -0500
27790 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
27793 if (buffer_pos == buffer_size) {
27794 - atomic_inc(&oprofile_stats.event_lost_overflow);
27795 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
27799 diff -urNp linux-2.6.36.2/drivers/oprofile/oprof.c linux-2.6.36.2/drivers/oprofile/oprof.c
27800 --- linux-2.6.36.2/drivers/oprofile/oprof.c 2010-10-20 16:30:22.000000000 -0400
27801 +++ linux-2.6.36.2/drivers/oprofile/oprof.c 2010-12-09 20:24:12.000000000 -0500
27802 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
27803 if (oprofile_ops.switch_events())
27806 - atomic_inc(&oprofile_stats.multiplex_counter);
27807 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
27808 start_switch_worker();
27811 diff -urNp linux-2.6.36.2/drivers/oprofile/oprofilefs.c linux-2.6.36.2/drivers/oprofile/oprofilefs.c
27812 --- linux-2.6.36.2/drivers/oprofile/oprofilefs.c 2010-10-20 16:30:22.000000000 -0400
27813 +++ linux-2.6.36.2/drivers/oprofile/oprofilefs.c 2010-12-09 20:24:12.000000000 -0500
27814 @@ -187,7 +187,7 @@ static const struct file_operations atom
27817 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
27818 - char const *name, atomic_t *val)
27819 + char const *name, atomic_unchecked_t *val)
27821 struct dentry *d = __oprofilefs_create_file(sb, root, name,
27822 &atomic_ro_fops, 0444);
27823 diff -urNp linux-2.6.36.2/drivers/oprofile/oprofile_stats.c linux-2.6.36.2/drivers/oprofile/oprofile_stats.c
27824 --- linux-2.6.36.2/drivers/oprofile/oprofile_stats.c 2010-10-20 16:30:22.000000000 -0400
27825 +++ linux-2.6.36.2/drivers/oprofile/oprofile_stats.c 2010-12-09 20:24:12.000000000 -0500
27826 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
27827 cpu_buf->sample_invalid_eip = 0;
27830 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
27831 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
27832 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
27833 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
27834 - atomic_set(&oprofile_stats.multiplex_counter, 0);
27835 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
27836 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
27837 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
27838 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
27839 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
27843 diff -urNp linux-2.6.36.2/drivers/oprofile/oprofile_stats.h linux-2.6.36.2/drivers/oprofile/oprofile_stats.h
27844 --- linux-2.6.36.2/drivers/oprofile/oprofile_stats.h 2010-10-20 16:30:22.000000000 -0400
27845 +++ linux-2.6.36.2/drivers/oprofile/oprofile_stats.h 2010-12-09 20:24:12.000000000 -0500
27846 @@ -13,11 +13,11 @@
27847 #include <asm/atomic.h>
27849 struct oprofile_stat_struct {
27850 - atomic_t sample_lost_no_mm;
27851 - atomic_t sample_lost_no_mapping;
27852 - atomic_t bt_lost_no_mapping;
27853 - atomic_t event_lost_overflow;
27854 - atomic_t multiplex_counter;
27855 + atomic_unchecked_t sample_lost_no_mm;
27856 + atomic_unchecked_t sample_lost_no_mapping;
27857 + atomic_unchecked_t bt_lost_no_mapping;
27858 + atomic_unchecked_t event_lost_overflow;
27859 + atomic_unchecked_t multiplex_counter;
27862 extern struct oprofile_stat_struct oprofile_stats;
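Review bot: Nothing at the `atomic_unchecked_t` fields of `struct oprofile_stat_struct` records why these counters opt out of overflow checking. The same conversion is repeated at every `atomic_inc_unchecked`/`atomic_set_unchecked` call site in buffer_sync.c, event_buffer.c, oprof.c and oprofile_stats.c. They look like pure loss and event statistics where wraparound is harmless, so a comment above the struct would document the audit decision, for example `/* statistics only, never used as reference counts: wraparound is harmless, hence unchecked */`. Without it a later reader cannot tell a deliberate exemption from a blanket substitution.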
27863 diff -urNp linux-2.6.36.2/drivers/parport/procfs.c linux-2.6.36.2/drivers/parport/procfs.c
27864 --- linux-2.6.36.2/drivers/parport/procfs.c 2010-10-20 16:30:22.000000000 -0400
27865 +++ linux-2.6.36.2/drivers/parport/procfs.c 2010-12-09 20:24:10.000000000 -0500
27866 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
27870 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
27871 + return (len > sizeof(buffer) || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
27874 #ifdef CONFIG_PARPORT_1284
27875 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
27879 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
27880 + return (len > sizeof(buffer) || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
27882 #endif /* IEEE1284.3 support. */
27884 diff -urNp linux-2.6.36.2/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.36.2/drivers/pci/hotplug/acpiphp_glue.c
27885 --- linux-2.6.36.2/drivers/pci/hotplug/acpiphp_glue.c 2010-10-20 16:30:22.000000000 -0400
27886 +++ linux-2.6.36.2/drivers/pci/hotplug/acpiphp_glue.c 2010-12-09 20:24:13.000000000 -0500
27887 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
27891 -static struct acpi_dock_ops acpiphp_dock_ops = {
27892 +static const struct acpi_dock_ops acpiphp_dock_ops = {
27893 .handler = handle_hotplug_event_func,
27896 diff -urNp linux-2.6.36.2/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.36.2/drivers/pci/hotplug/cpqphp_nvram.c
27897 --- linux-2.6.36.2/drivers/pci/hotplug/cpqphp_nvram.c 2010-10-20 16:30:22.000000000 -0400
27898 +++ linux-2.6.36.2/drivers/pci/hotplug/cpqphp_nvram.c 2010-12-09 20:24:13.000000000 -0500
27899 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
27901 void compaq_nvram_init (void __iomem *rom_start)
27904 +#ifndef CONFIG_PAX_KERNEXEC
27906 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
27910 dbg("int15 entry = %p\n", compaq_int15_entry_point);
27912 /* initialize our int15 lock */
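Review bot: With `CONFIG_PAX_KERNEXEC` the assignment to `compaq_int15_entry_point` is compiled out, but nothing states why or what the code that later calls through this pointer should do. The `dbg("int15 entry = %p\n", ...)` line below still runs in that configuration. Whether the callers test for an unset entry point is outside this hunk; if they do not, the guard turns a working path into a call through an unset pointer. A comment at the `#ifndef` giving the reason, plus a check or early error return in the caller, would make the disabled state explicit.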
27913 diff -urNp linux-2.6.36.2/drivers/pci/intel-iommu.c linux-2.6.36.2/drivers/pci/intel-iommu.c
27914 --- linux-2.6.36.2/drivers/pci/intel-iommu.c 2010-10-20 16:30:22.000000000 -0400
27915 +++ linux-2.6.36.2/drivers/pci/intel-iommu.c 2010-12-09 20:24:13.000000000 -0500
27916 @@ -2934,7 +2934,7 @@ static int intel_mapping_error(struct de
27920 -struct dma_map_ops intel_dma_ops = {
27921 +const struct dma_map_ops intel_dma_ops = {
27922 .alloc_coherent = intel_alloc_coherent,
27923 .free_coherent = intel_free_coherent,
27924 .map_sg = intel_map_sg,
27925 diff -urNp linux-2.6.36.2/drivers/pci/pcie/portdrv_pci.c linux-2.6.36.2/drivers/pci/pcie/portdrv_pci.c
27926 --- linux-2.6.36.2/drivers/pci/pcie/portdrv_pci.c 2010-10-20 16:30:22.000000000 -0400
27927 +++ linux-2.6.36.2/drivers/pci/pcie/portdrv_pci.c 2010-12-09 20:24:13.000000000 -0500
27928 @@ -276,7 +276,7 @@ static void pcie_portdrv_err_resume(stru
27929 static const struct pci_device_id port_pci_ids[] = { {
27930 /* handle any PCI-Express port */
27931 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
27932 - }, { /* end: all zeroes */ }
27933 + }, { 0, 0, 0, 0, 0, 0, 0 }
27935 MODULE_DEVICE_TABLE(pci, port_pci_ids);
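Review bot: Replacing the `{ /* end: all zeroes */ }` terminator with `{ 0, 0, 0, 0, 0, 0, 0 }` drops the comment that marked the entry as the table sentinel. It also ties the initializer to the current number of fields in `struct pci_device_id`. Keeping the marker costs nothing: `{ 0, 0, 0, 0, 0, 0, 0 } /* end: all zeroes */`. The same applies to the terminators changed in drivers/pcmcia/ti113x.h and drivers/pcmcia/yenta_socket.c.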
27937 diff -urNp linux-2.6.36.2/drivers/pci/probe.c linux-2.6.36.2/drivers/pci/probe.c
27938 --- linux-2.6.36.2/drivers/pci/probe.c 2010-10-20 16:30:22.000000000 -0400
27939 +++ linux-2.6.36.2/drivers/pci/probe.c 2010-12-09 20:24:13.000000000 -0500
27940 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
27944 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
27945 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
27946 struct device_attribute *attr,
27949 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
27952 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
27953 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
27954 struct device_attribute *attr,
27957 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
27961 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
27962 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
27964 if (!dev->mmio_always_on) {
27965 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
27966 diff -urNp linux-2.6.36.2/drivers/pci/proc.c linux-2.6.36.2/drivers/pci/proc.c
27967 --- linux-2.6.36.2/drivers/pci/proc.c 2010-12-09 20:53:47.000000000 -0500
27968 +++ linux-2.6.36.2/drivers/pci/proc.c 2010-12-09 20:54:34.000000000 -0500
27969 @@ -479,7 +479,16 @@ static const struct file_operations proc
27970 static int __init pci_proc_init(void)
27972 struct pci_dev *dev = NULL;
27974 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
27975 +#ifdef CONFIG_GRKERNSEC_PROC_USER
27976 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
27977 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
27978 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
27981 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
27983 proc_create("devices", 0, proc_bus_pci_dir,
27984 &proc_bus_pci_dev_operations);
27985 proc_initialized = 1;
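Review bot: Inside the `CONFIG_GRKERNSEC_PROC_ADD` branch only the `PROC_USER` and `PROC_USERGROUP` cases assign `proc_bus_pci_dir`. If the option can ever be enabled without one of them (the Kconfig dependencies and the closing `#else`/`#endif` lines are not visible here), `proc_create("devices", ...)` runs with an unset parent and the entry is created outside the restricted directory. An `#else` with `#error` in the inner conditional would make that configuration fail at build time instead. The result of `proc_mkdir_mode` is also used unchecked, as the original `proc_mkdir` result was.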
27986 diff -urNp linux-2.6.36.2/drivers/pcmcia/ti113x.h linux-2.6.36.2/drivers/pcmcia/ti113x.h
27987 --- linux-2.6.36.2/drivers/pcmcia/ti113x.h 2010-10-20 16:30:22.000000000 -0400
27988 +++ linux-2.6.36.2/drivers/pcmcia/ti113x.h 2010-12-09 20:24:22.000000000 -0500
27989 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
27990 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
27991 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
27994 + { 0, 0, 0, 0, 0, 0, 0 }
27997 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
27998 diff -urNp linux-2.6.36.2/drivers/pcmcia/yenta_socket.c linux-2.6.36.2/drivers/pcmcia/yenta_socket.c
27999 --- linux-2.6.36.2/drivers/pcmcia/yenta_socket.c 2010-10-20 16:30:22.000000000 -0400
28000 +++ linux-2.6.36.2/drivers/pcmcia/yenta_socket.c 2010-12-09 20:24:22.000000000 -0500
28001 @@ -1427,7 +1427,7 @@ static struct pci_device_id yenta_table[
28003 /* match any cardbus bridge */
28004 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
28005 - { /* all zeroes */ }
28006 + { 0, 0, 0, 0, 0, 0, 0 }
28008 MODULE_DEVICE_TABLE(pci, yenta_table);
28010 diff -urNp linux-2.6.36.2/drivers/platform/x86/acer-wmi.c linux-2.6.36.2/drivers/platform/x86/acer-wmi.c
28011 --- linux-2.6.36.2/drivers/platform/x86/acer-wmi.c 2010-10-20 16:30:22.000000000 -0400
28012 +++ linux-2.6.36.2/drivers/platform/x86/acer-wmi.c 2010-12-09 20:24:16.000000000 -0500
28013 @@ -915,7 +915,7 @@ static int update_bl_status(struct backl
28017 -static struct backlight_ops acer_bl_ops = {
28018 +static const struct backlight_ops acer_bl_ops = {
28019 .get_brightness = read_brightness,
28020 .update_status = update_bl_status,
28022 diff -urNp linux-2.6.36.2/drivers/platform/x86/asus_acpi.c linux-2.6.36.2/drivers/platform/x86/asus_acpi.c
28023 --- linux-2.6.36.2/drivers/platform/x86/asus_acpi.c 2010-10-20 16:30:22.000000000 -0400
28024 +++ linux-2.6.36.2/drivers/platform/x86/asus_acpi.c 2010-12-09 20:24:16.000000000 -0500
28025 @@ -1467,7 +1467,7 @@ static int asus_hotk_remove(struct acpi_
28029 -static struct backlight_ops asus_backlight_data = {
28030 +static const struct backlight_ops asus_backlight_data = {
28031 .get_brightness = read_brightness,
28032 .update_status = set_brightness_status,
28034 diff -urNp linux-2.6.36.2/drivers/platform/x86/asus-laptop.c linux-2.6.36.2/drivers/platform/x86/asus-laptop.c
28035 --- linux-2.6.36.2/drivers/platform/x86/asus-laptop.c 2010-11-26 18:26:24.000000000 -0500
28036 +++ linux-2.6.36.2/drivers/platform/x86/asus-laptop.c 2010-12-09 20:24:16.000000000 -0500
28037 @@ -224,7 +224,6 @@ struct asus_laptop {
28038 struct asus_led gled;
28039 struct asus_led kled;
28040 struct workqueue_struct *led_workqueue;
28042 int wireless_status;
28045 @@ -621,7 +620,7 @@ static int update_bl_status(struct backl
28046 return asus_lcd_set(asus, value);
28049 -static struct backlight_ops asusbl_ops = {
28050 +static const struct backlight_ops asusbl_ops = {
28051 .get_brightness = asus_read_brightness,
28052 .update_status = update_bl_status,
28054 diff -urNp linux-2.6.36.2/drivers/platform/x86/dell-laptop.c linux-2.6.36.2/drivers/platform/x86/dell-laptop.c
28055 --- linux-2.6.36.2/drivers/platform/x86/dell-laptop.c 2010-10-20 16:30:22.000000000 -0400
28056 +++ linux-2.6.36.2/drivers/platform/x86/dell-laptop.c 2010-12-09 20:24:16.000000000 -0500
28057 @@ -475,7 +475,7 @@ out:
28058 return buffer->output[1];
28061 -static struct backlight_ops dell_ops = {
28062 +static const struct backlight_ops dell_ops = {
28063 .get_brightness = dell_get_intensity,
28064 .update_status = dell_send_intensity,
28066 diff -urNp linux-2.6.36.2/drivers/platform/x86/eeepc-laptop.c linux-2.6.36.2/drivers/platform/x86/eeepc-laptop.c
28067 --- linux-2.6.36.2/drivers/platform/x86/eeepc-laptop.c 2010-10-20 16:30:22.000000000 -0400
28068 +++ linux-2.6.36.2/drivers/platform/x86/eeepc-laptop.c 2010-12-09 20:24:16.000000000 -0500
28069 @@ -1114,7 +1114,7 @@ static int update_bl_status(struct backl
28070 return set_brightness(bd, bd->props.brightness);
28073 -static struct backlight_ops eeepcbl_ops = {
28074 +static const struct backlight_ops eeepcbl_ops = {
28075 .get_brightness = read_brightness,
28076 .update_status = update_bl_status,
28078 diff -urNp linux-2.6.36.2/drivers/platform/x86/fujitsu-laptop.c linux-2.6.36.2/drivers/platform/x86/fujitsu-laptop.c
28079 --- linux-2.6.36.2/drivers/platform/x86/fujitsu-laptop.c 2010-10-20 16:30:22.000000000 -0400
28080 +++ linux-2.6.36.2/drivers/platform/x86/fujitsu-laptop.c 2010-12-09 20:24:16.000000000 -0500
28081 @@ -437,7 +437,7 @@ static int bl_update_status(struct backl
28085 -static struct backlight_ops fujitsubl_ops = {
28086 +static const struct backlight_ops fujitsubl_ops = {
28087 .get_brightness = bl_get_brightness,
28088 .update_status = bl_update_status,
28090 diff -urNp linux-2.6.36.2/drivers/platform/x86/sony-laptop.c linux-2.6.36.2/drivers/platform/x86/sony-laptop.c
28091 --- linux-2.6.36.2/drivers/platform/x86/sony-laptop.c 2010-10-20 16:30:22.000000000 -0400
28092 +++ linux-2.6.36.2/drivers/platform/x86/sony-laptop.c 2010-12-09 20:24:16.000000000 -0500
28093 @@ -856,7 +856,7 @@ static int sony_backlight_get_brightness
28096 static struct backlight_device *sony_backlight_device;
28097 -static struct backlight_ops sony_backlight_ops = {
28098 +static const struct backlight_ops sony_backlight_ops = {
28099 .update_status = sony_backlight_update_status,
28100 .get_brightness = sony_backlight_get_brightness,
28102 diff -urNp linux-2.6.36.2/drivers/platform/x86/thinkpad_acpi.c linux-2.6.36.2/drivers/platform/x86/thinkpad_acpi.c
28103 --- linux-2.6.36.2/drivers/platform/x86/thinkpad_acpi.c 2010-10-20 16:30:22.000000000 -0400
28104 +++ linux-2.6.36.2/drivers/platform/x86/thinkpad_acpi.c 2010-12-09 20:24:16.000000000 -0500
28105 @@ -6109,7 +6109,7 @@ static void tpacpi_brightness_notify_cha
28106 BACKLIGHT_UPDATE_HOTKEY);
28109 -static struct backlight_ops ibm_backlight_data = {
28110 +static const struct backlight_ops ibm_backlight_data = {
28111 .get_brightness = brightness_get,
28112 .update_status = brightness_update_status,
28114 diff -urNp linux-2.6.36.2/drivers/platform/x86/toshiba_acpi.c linux-2.6.36.2/drivers/platform/x86/toshiba_acpi.c
28115 --- linux-2.6.36.2/drivers/platform/x86/toshiba_acpi.c 2010-10-20 16:30:22.000000000 -0400
28116 +++ linux-2.6.36.2/drivers/platform/x86/toshiba_acpi.c 2010-12-09 20:24:16.000000000 -0500
28117 @@ -847,7 +847,7 @@ static void remove_toshiba_proc_entries(
28118 remove_proc_entry("version", toshiba_proc_dir);
28121 -static struct backlight_ops toshiba_backlight_data = {
28122 +static const struct backlight_ops toshiba_backlight_data = {
28123 .get_brightness = get_lcd,
28124 .update_status = set_lcd_status,
28126 diff -urNp linux-2.6.36.2/drivers/pnp/pnpbios/bioscalls.c linux-2.6.36.2/drivers/pnp/pnpbios/bioscalls.c
28127 --- linux-2.6.36.2/drivers/pnp/pnpbios/bioscalls.c 2010-10-20 16:30:22.000000000 -0400
28128 +++ linux-2.6.36.2/drivers/pnp/pnpbios/bioscalls.c 2010-12-09 20:24:16.000000000 -0500
28129 @@ -59,7 +59,7 @@ do { \
28130 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
28133 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
28134 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
28135 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
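Review bot: The descriptor flags in `bad_bios_desc` change from `0x4092` to `0x4093` with no comment, and a one-bit difference in a magic constant is easy to read as a typo. It is presumably the segment's accessed bit, pre-set so that loading the selector does not make the CPU write back to a GDT that the later hunks only modify between `pax_open_kernel()` and `pax_close_kernel()`. A comment would record that, for example `/* 0x4093: accessed bit pre-set so the CPU never needs to write to the GDT entry */`, once confirmed against the descriptor layout.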
28138 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
28141 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
28143 + pax_open_kernel();
28144 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
28145 + pax_close_kernel();
28147 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
28148 spin_lock_irqsave(&pnp_bios_lock, flags);
28149 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
28151 spin_unlock_irqrestore(&pnp_bios_lock, flags);
28153 + pax_open_kernel();
28154 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
28155 + pax_close_kernel();
28159 /* If we get here and this is set then the PnP BIOS faulted on us. */
28160 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
28164 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
28165 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
28169 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
28170 pnp_bios_callpoint.offset = header->fields.pm16offset;
28171 pnp_bios_callpoint.segment = PNP_CS16;
28173 + pax_open_kernel();
28175 for_each_possible_cpu(i) {
28176 struct desc_struct *gdt = get_cpu_gdt_table(i);
28178 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
28179 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
28180 (unsigned long)__va(header->fields.pm16dseg));
28183 + pax_close_kernel();
28185 diff -urNp linux-2.6.36.2/drivers/pnp/quirks.c linux-2.6.36.2/drivers/pnp/quirks.c
28186 --- linux-2.6.36.2/drivers/pnp/quirks.c 2010-10-20 16:30:22.000000000 -0400
28187 +++ linux-2.6.36.2/drivers/pnp/quirks.c 2010-12-09 20:24:16.000000000 -0500
28188 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
28189 /* PnP resources that might overlap PCI BARs */
28190 {"PNP0c01", quirk_system_pci_resources},
28191 {"PNP0c02", quirk_system_pci_resources},
28196 void pnp_fixup_device(struct pnp_dev *dev)
28197 diff -urNp linux-2.6.36.2/drivers/pnp/resource.c linux-2.6.36.2/drivers/pnp/resource.c
28198 --- linux-2.6.36.2/drivers/pnp/resource.c 2010-10-20 16:30:22.000000000 -0400
28199 +++ linux-2.6.36.2/drivers/pnp/resource.c 2010-12-09 20:24:16.000000000 -0500
28200 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
28203 /* check if the resource is valid */
28204 - if (*irq < 0 || *irq > 15)
28208 /* check if the resource is reserved */
28209 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
28212 /* check if the resource is valid */
28213 - if (*dma < 0 || *dma == 4 || *dma > 7)
28214 + if (*dma == 4 || *dma > 7)
28217 /* check if the resource is reserved */
28218 diff -urNp linux-2.6.36.2/drivers/s390/cio/qdio_debug.c linux-2.6.36.2/drivers/s390/cio/qdio_debug.c
28219 --- linux-2.6.36.2/drivers/s390/cio/qdio_debug.c 2010-10-20 16:30:22.000000000 -0400
28220 +++ linux-2.6.36.2/drivers/s390/cio/qdio_debug.c 2010-12-09 20:24:31.000000000 -0500
28221 @@ -233,7 +233,7 @@ static int qperf_seq_open(struct inode *
28222 filp->f_path.dentry->d_inode->i_private);
28225 -static struct file_operations debugfs_perf_fops = {
28226 +static const struct file_operations debugfs_perf_fops = {
28227 .owner = THIS_MODULE,
28228 .open = qperf_seq_open,
28230 diff -urNp linux-2.6.36.2/drivers/scsi/ipr.c linux-2.6.36.2/drivers/scsi/ipr.c
28231 --- linux-2.6.36.2/drivers/scsi/ipr.c 2010-10-20 16:30:22.000000000 -0400
28232 +++ linux-2.6.36.2/drivers/scsi/ipr.c 2010-12-09 20:24:12.000000000 -0500
28233 @@ -6156,7 +6156,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
28237 -static struct ata_port_operations ipr_sata_ops = {
28238 +static const struct ata_port_operations ipr_sata_ops = {
28239 .phy_reset = ipr_ata_phy_reset,
28240 .hardreset = ipr_sata_reset,
28241 .post_internal_cmd = ipr_ata_post_internal,
28242 diff -urNp linux-2.6.36.2/drivers/scsi/libfc/fc_exch.c linux-2.6.36.2/drivers/scsi/libfc/fc_exch.c
28243 --- linux-2.6.36.2/drivers/scsi/libfc/fc_exch.c 2010-10-20 16:30:22.000000000 -0400
28244 +++ linux-2.6.36.2/drivers/scsi/libfc/fc_exch.c 2010-12-09 20:24:11.000000000 -0500
28245 @@ -100,12 +100,12 @@ struct fc_exch_mgr {
28246 * all together if not used XXX
28249 - atomic_t no_free_exch;
28250 - atomic_t no_free_exch_xid;
28251 - atomic_t xid_not_found;
28252 - atomic_t xid_busy;
28253 - atomic_t seq_not_found;
28254 - atomic_t non_bls_resp;
28255 + atomic_unchecked_t no_free_exch;
28256 + atomic_unchecked_t no_free_exch_xid;
28257 + atomic_unchecked_t xid_not_found;
28258 + atomic_unchecked_t xid_busy;
28259 + atomic_unchecked_t seq_not_found;
28260 + atomic_unchecked_t non_bls_resp;
28263 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
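Review bot: The six counters switched to `atomic_unchecked_t` are opted out of the overflow checking that the patched `atomic_t` otherwise gets, and nothing at the declaration says why that is acceptable; the struct's own comment is cut off above the hunk. If they are statistics only, a line such as `/* statistics only: wrap-around is harmless, never used as a reference count */` above the block would make the exemption reviewable. The same applies to the `atomic_inc_unchecked()` call sites in the later hunks of this file and to the `vcc->stats` counters converted in drivers/usb/atm/usbatm.c.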
28264 @@ -670,7 +670,7 @@ static struct fc_exch *fc_exch_em_alloc(
28265 /* allocate memory for exchange */
28266 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
28268 - atomic_inc(&mp->stats.no_free_exch);
28269 + atomic_inc_unchecked(&mp->stats.no_free_exch);
28272 memset(ep, 0, sizeof(*ep));
28273 @@ -718,7 +718,7 @@ out:
28276 spin_unlock_bh(&pool->lock);
28277 - atomic_inc(&mp->stats.no_free_exch_xid);
28278 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
28279 mempool_free(ep, mp->ep_pool);
28282 @@ -863,7 +863,7 @@ static enum fc_pf_rjt_reason fc_seq_look
28283 xid = ntohs(fh->fh_ox_id); /* we originated exch */
28284 ep = fc_exch_find(mp, xid);
28286 - atomic_inc(&mp->stats.xid_not_found);
28287 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28288 reject = FC_RJT_OX_ID;
28291 @@ -893,7 +893,7 @@ static enum fc_pf_rjt_reason fc_seq_look
28292 ep = fc_exch_find(mp, xid);
28293 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
28295 - atomic_inc(&mp->stats.xid_busy);
28296 + atomic_inc_unchecked(&mp->stats.xid_busy);
28297 reject = FC_RJT_RX_ID;
28300 @@ -904,7 +904,7 @@ static enum fc_pf_rjt_reason fc_seq_look
28302 xid = ep->xid; /* get our XID */
28304 - atomic_inc(&mp->stats.xid_not_found);
28305 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28306 reject = FC_RJT_RX_ID; /* XID not found */
28309 @@ -921,7 +921,7 @@ static enum fc_pf_rjt_reason fc_seq_look
28312 if (sp->id != fh->fh_seq_id) {
28313 - atomic_inc(&mp->stats.seq_not_found);
28314 + atomic_inc_unchecked(&mp->stats.seq_not_found);
28315 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
28318 @@ -1338,22 +1338,22 @@ static void fc_exch_recv_seq_resp(struct
28320 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
28322 - atomic_inc(&mp->stats.xid_not_found);
28323 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28326 if (ep->esb_stat & ESB_ST_COMPLETE) {
28327 - atomic_inc(&mp->stats.xid_not_found);
28328 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28331 if (ep->rxid == FC_XID_UNKNOWN)
28332 ep->rxid = ntohs(fh->fh_rx_id);
28333 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
28334 - atomic_inc(&mp->stats.xid_not_found);
28335 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28338 if (ep->did != ntoh24(fh->fh_s_id) &&
28339 ep->did != FC_FID_FLOGI) {
28340 - atomic_inc(&mp->stats.xid_not_found);
28341 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28345 @@ -1362,7 +1362,7 @@ static void fc_exch_recv_seq_resp(struct
28346 sp->ssb_stat |= SSB_ST_RESP;
28347 sp->id = fh->fh_seq_id;
28348 } else if (sp->id != fh->fh_seq_id) {
28349 - atomic_inc(&mp->stats.seq_not_found);
28350 + atomic_inc_unchecked(&mp->stats.seq_not_found);
28354 @@ -1425,9 +1425,9 @@ static void fc_exch_recv_resp(struct fc_
28355 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
28358 - atomic_inc(&mp->stats.xid_not_found);
28359 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28361 - atomic_inc(&mp->stats.non_bls_resp);
28362 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
28366 diff -urNp linux-2.6.36.2/drivers/scsi/libsas/sas_ata.c linux-2.6.36.2/drivers/scsi/libsas/sas_ata.c
28367 --- linux-2.6.36.2/drivers/scsi/libsas/sas_ata.c 2010-11-26 18:26:24.000000000 -0500
28368 +++ linux-2.6.36.2/drivers/scsi/libsas/sas_ata.c 2010-12-09 20:24:11.000000000 -0500
28369 @@ -344,10 +344,10 @@ static int sas_ata_scr_read(struct ata_l
28373 -static struct ata_port_operations sas_sata_ops = {
28374 +static const struct ata_port_operations sas_sata_ops = {
28375 .phy_reset = sas_ata_phy_reset,
28376 .post_internal_cmd = sas_ata_post_internal,
28377 - .qc_defer = ata_std_qc_defer,
28378 + .qc_defer = ata_std_qc_defer,
28379 .qc_prep = ata_noop_qc_prep,
28380 .qc_issue = sas_ata_qc_issue,
28381 .qc_fill_rtf = sas_ata_qc_fill_rtf,
28382 diff -urNp linux-2.6.36.2/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.36.2/drivers/scsi/mpt2sas/mpt2sas_debug.h
28383 --- linux-2.6.36.2/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-10-20 16:30:22.000000000 -0400
28384 +++ linux-2.6.36.2/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-12-09 20:24:11.000000000 -0500
28389 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
28390 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
28391 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
28394 diff -urNp linux-2.6.36.2/drivers/scsi/qla2xxx/qla_os.c linux-2.6.36.2/drivers/scsi/qla2xxx/qla_os.c
28395 --- linux-2.6.36.2/drivers/scsi/qla2xxx/qla_os.c 2010-12-09 20:53:47.000000000 -0500
28396 +++ linux-2.6.36.2/drivers/scsi/qla2xxx/qla_os.c 2010-12-09 20:54:34.000000000 -0500
28397 @@ -3951,7 +3951,7 @@ static struct pci_driver qla2xxx_pci_dri
28398 .err_handler = &qla2xxx_err_handler,
28401 -static struct file_operations apidev_fops = {
28402 +static const struct file_operations apidev_fops = {
28403 .owner = THIS_MODULE,
28406 diff -urNp linux-2.6.36.2/drivers/scsi/scsi_logging.h linux-2.6.36.2/drivers/scsi/scsi_logging.h
28407 --- linux-2.6.36.2/drivers/scsi/scsi_logging.h 2010-10-20 16:30:22.000000000 -0400
28408 +++ linux-2.6.36.2/drivers/scsi/scsi_logging.h 2010-12-09 20:24:11.000000000 -0500
28409 @@ -51,7 +51,7 @@ do { \
28413 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
28414 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
28415 #endif /* CONFIG_SCSI_LOGGING */
28418 diff -urNp linux-2.6.36.2/drivers/scsi/sg.c linux-2.6.36.2/drivers/scsi/sg.c
28419 --- linux-2.6.36.2/drivers/scsi/sg.c 2010-10-20 16:30:22.000000000 -0400
28420 +++ linux-2.6.36.2/drivers/scsi/sg.c 2010-12-09 20:24:12.000000000 -0500
28421 @@ -2307,7 +2307,7 @@ struct sg_proc_leaf {
28422 const struct file_operations * fops;
28425 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
28426 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
28427 {"allow_dio", &adio_fops},
28428 {"debug", &debug_fops},
28429 {"def_reserved_size", &dressz_fops},
28430 @@ -2322,7 +2322,7 @@ sg_proc_init(void)
28433 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
28434 - struct sg_proc_leaf * leaf;
28435 + const struct sg_proc_leaf * leaf;
28437 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
28439 diff -urNp linux-2.6.36.2/drivers/serial/8250_pci.c linux-2.6.36.2/drivers/serial/8250_pci.c
28440 --- linux-2.6.36.2/drivers/serial/8250_pci.c 2010-10-20 16:30:22.000000000 -0400
28441 +++ linux-2.6.36.2/drivers/serial/8250_pci.c 2010-12-09 20:24:22.000000000 -0500
28442 @@ -3777,7 +3777,7 @@ static struct pci_device_id serial_pci_t
28443 PCI_ANY_ID, PCI_ANY_ID,
28444 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
28445 0xffff00, pbn_default },
28447 + { 0, 0, 0, 0, 0, 0, 0 }
28450 static struct pci_driver serial_pci_driver = {
28451 diff -urNp linux-2.6.36.2/drivers/serial/kgdboc.c linux-2.6.36.2/drivers/serial/kgdboc.c
28452 --- linux-2.6.36.2/drivers/serial/kgdboc.c 2010-10-20 16:30:22.000000000 -0400
28453 +++ linux-2.6.36.2/drivers/serial/kgdboc.c 2010-12-09 20:24:22.000000000 -0500
28456 #define MAX_CONFIG_LEN 40
28458 -static struct kgdb_io kgdboc_io_ops;
28459 +/* cannot be const, see configure_kgdboc() */
28460 +static struct kgdb_io kgdboc_io_ops;
28462 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
28463 static int configured = -1;
28464 @@ -233,6 +234,7 @@ static void kgdboc_post_exp_handler(void
28468 +/* cannot be const, see configure_kgdboc() */
28469 static struct kgdb_io kgdboc_io_ops = {
28471 .read_char = kgdboc_get_char,
28472 diff -urNp linux-2.6.36.2/drivers/staging/comedi/comedi_fops.c linux-2.6.36.2/drivers/staging/comedi/comedi_fops.c
28473 --- linux-2.6.36.2/drivers/staging/comedi/comedi_fops.c 2010-10-20 16:30:22.000000000 -0400
28474 +++ linux-2.6.36.2/drivers/staging/comedi/comedi_fops.c 2010-12-09 20:24:27.000000000 -0500
28475 @@ -1425,7 +1425,7 @@ static void comedi_unmap(struct vm_area_
28476 mutex_unlock(&dev->mutex);
28479 -static struct vm_operations_struct comedi_vm_ops = {
28480 +static const struct vm_operations_struct comedi_vm_ops = {
28481 .close = comedi_unmap,
28484 diff -urNp linux-2.6.36.2/drivers/staging/dream/pmem.c linux-2.6.36.2/drivers/staging/dream/pmem.c
28485 --- linux-2.6.36.2/drivers/staging/dream/pmem.c 2010-10-20 16:30:22.000000000 -0400
28486 +++ linux-2.6.36.2/drivers/staging/dream/pmem.c 2010-12-09 20:24:29.000000000 -0500
28487 @@ -1201,7 +1201,7 @@ static ssize_t debug_read(struct file *f
28488 return simple_read_from_buffer(buf, count, ppos, buffer, n);
28491 -static struct file_operations debug_fops = {
28492 +static const struct file_operations debug_fops = {
28493 .read = debug_read,
28494 .open = debug_open,
28496 diff -urNp linux-2.6.36.2/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.36.2/drivers/staging/dream/qdsp5/adsp_driver.c
28497 --- linux-2.6.36.2/drivers/staging/dream/qdsp5/adsp_driver.c 2010-10-20 16:30:22.000000000 -0400
28498 +++ linux-2.6.36.2/drivers/staging/dream/qdsp5/adsp_driver.c 2010-12-09 20:24:29.000000000 -0500
28499 @@ -577,7 +577,7 @@ static struct adsp_device *inode_to_devi
28500 static dev_t adsp_devno;
28501 static struct class *adsp_class;
28503 -static struct file_operations adsp_fops = {
28504 +static const struct file_operations adsp_fops = {
28505 .owner = THIS_MODULE,
28507 .unlocked_ioctl = adsp_ioctl,
28508 diff -urNp linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_aac.c
28509 --- linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_aac.c 2010-10-20 16:30:22.000000000 -0400
28510 +++ linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_aac.c 2010-12-09 20:24:29.000000000 -0500
28511 @@ -1023,7 +1023,7 @@ done:
28515 -static struct file_operations audio_aac_fops = {
28516 +static const struct file_operations audio_aac_fops = {
28517 .owner = THIS_MODULE,
28518 .open = audio_open,
28519 .release = audio_release,
28520 diff -urNp linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_amrnb.c
28521 --- linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-10-20 16:30:22.000000000 -0400
28522 +++ linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-12-09 20:24:29.000000000 -0500
28523 @@ -834,7 +834,7 @@ done:
28527 -static struct file_operations audio_amrnb_fops = {
28528 +static const struct file_operations audio_amrnb_fops = {
28529 .owner = THIS_MODULE,
28530 .open = audamrnb_open,
28531 .release = audamrnb_release,
28532 diff -urNp linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_evrc.c
28533 --- linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_evrc.c 2010-10-20 16:30:22.000000000 -0400
28534 +++ linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_evrc.c 2010-12-09 20:24:29.000000000 -0500
28535 @@ -806,7 +806,7 @@ dma_fail:
28539 -static struct file_operations audio_evrc_fops = {
28540 +static const struct file_operations audio_evrc_fops = {
28541 .owner = THIS_MODULE,
28542 .open = audevrc_open,
28543 .release = audevrc_release,
28544 diff -urNp linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_in.c
28545 --- linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_in.c 2010-10-20 16:30:22.000000000 -0400
28546 +++ linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_in.c 2010-12-09 20:24:29.000000000 -0500
28547 @@ -914,7 +914,7 @@ static int audpre_open(struct inode *ino
28551 -static struct file_operations audio_fops = {
28552 +static const struct file_operations audio_fops = {
28553 .owner = THIS_MODULE,
28554 .open = audio_in_open,
28555 .release = audio_in_release,
28556 @@ -923,7 +923,7 @@ static struct file_operations audio_fops
28557 .unlocked_ioctl = audio_in_ioctl,
28560 -static struct file_operations audpre_fops = {
28561 +static const struct file_operations audpre_fops = {
28562 .owner = THIS_MODULE,
28563 .open = audpre_open,
28564 .unlocked_ioctl = audpre_ioctl,
28565 diff -urNp linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_mp3.c
28566 --- linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_mp3.c 2010-10-20 16:30:22.000000000 -0400
28567 +++ linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_mp3.c 2010-12-09 20:24:29.000000000 -0500
28568 @@ -941,7 +941,7 @@ done:
28572 -static struct file_operations audio_mp3_fops = {
28573 +static const struct file_operations audio_mp3_fops = {
28574 .owner = THIS_MODULE,
28575 .open = audio_open,
28576 .release = audio_release,
28577 diff -urNp linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_out.c
28578 --- linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_out.c 2010-10-20 16:30:22.000000000 -0400
28579 +++ linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_out.c 2010-12-09 20:24:29.000000000 -0500
28580 @@ -800,7 +800,7 @@ static int audpp_open(struct inode *inod
28584 -static struct file_operations audio_fops = {
28585 +static const struct file_operations audio_fops = {
28586 .owner = THIS_MODULE,
28587 .open = audio_open,
28588 .release = audio_release,
28589 @@ -809,7 +809,7 @@ static struct file_operations audio_fops
28590 .unlocked_ioctl = audio_ioctl,
28593 -static struct file_operations audpp_fops = {
28594 +static const struct file_operations audpp_fops = {
28595 .owner = THIS_MODULE,
28596 .open = audpp_open,
28597 .unlocked_ioctl = audpp_ioctl,
28598 diff -urNp linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_qcelp.c
28599 --- linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-10-20 16:30:22.000000000 -0400
28600 +++ linux-2.6.36.2/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-12-09 20:24:29.000000000 -0500
28601 @@ -817,7 +817,7 @@ err:
28605 -static struct file_operations audio_qcelp_fops = {
28606 +static const struct file_operations audio_qcelp_fops = {
28607 .owner = THIS_MODULE,
28608 .open = audqcelp_open,
28609 .release = audqcelp_release,
28610 diff -urNp linux-2.6.36.2/drivers/staging/dream/qdsp5/snd.c linux-2.6.36.2/drivers/staging/dream/qdsp5/snd.c
28611 --- linux-2.6.36.2/drivers/staging/dream/qdsp5/snd.c 2010-10-20 16:30:22.000000000 -0400
28612 +++ linux-2.6.36.2/drivers/staging/dream/qdsp5/snd.c 2010-12-09 20:24:29.000000000 -0500
28613 @@ -242,7 +242,7 @@ err:
28617 -static struct file_operations snd_fops = {
28618 +static const struct file_operations snd_fops = {
28619 .owner = THIS_MODULE,
28621 .release = snd_release,
28622 diff -urNp linux-2.6.36.2/drivers/staging/go7007/go7007-v4l2.c linux-2.6.36.2/drivers/staging/go7007/go7007-v4l2.c
28623 --- linux-2.6.36.2/drivers/staging/go7007/go7007-v4l2.c 2010-10-20 16:30:22.000000000 -0400
28624 +++ linux-2.6.36.2/drivers/staging/go7007/go7007-v4l2.c 2010-12-09 20:24:28.000000000 -0500
28625 @@ -1673,7 +1673,7 @@ static int go7007_vm_fault(struct vm_are
28629 -static struct vm_operations_struct go7007_vm_ops = {
28630 +static const struct vm_operations_struct go7007_vm_ops = {
28631 .open = go7007_vm_open,
28632 .close = go7007_vm_close,
28633 .fault = go7007_vm_fault,
28634 diff -urNp linux-2.6.36.2/drivers/staging/hv/hv.c linux-2.6.36.2/drivers/staging/hv/hv.c
28635 --- linux-2.6.36.2/drivers/staging/hv/hv.c 2010-10-20 16:30:22.000000000 -0400
28636 +++ linux-2.6.36.2/drivers/staging/hv/hv.c 2010-12-09 20:24:27.000000000 -0500
28637 @@ -162,7 +162,7 @@ static u64 HvDoHypercall(u64 Control, vo
28638 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
28639 u32 outputAddressHi = outputAddress >> 32;
28640 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
28641 - volatile void *hypercallPage = gHvContext.HypercallPage;
28642 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
28644 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
28645 Control, Input, Output);
28646 diff -urNp linux-2.6.36.2/drivers/staging/msm/msm_fb_bl.c linux-2.6.36.2/drivers/staging/msm/msm_fb_bl.c
28647 --- linux-2.6.36.2/drivers/staging/msm/msm_fb_bl.c 2010-10-20 16:30:22.000000000 -0400
28648 +++ linux-2.6.36.2/drivers/staging/msm/msm_fb_bl.c 2010-12-09 20:24:28.000000000 -0500
28649 @@ -42,7 +42,7 @@ static int msm_fb_bl_update_status(struc
28653 -static struct backlight_ops msm_fb_bl_ops = {
28654 +static const struct backlight_ops msm_fb_bl_ops = {
28655 .get_brightness = msm_fb_bl_get_brightness,
28656 .update_status = msm_fb_bl_update_status,
28658 diff -urNp linux-2.6.36.2/drivers/staging/phison/phison.c linux-2.6.36.2/drivers/staging/phison/phison.c
28659 --- linux-2.6.36.2/drivers/staging/phison/phison.c 2010-11-26 18:26:24.000000000 -0500
28660 +++ linux-2.6.36.2/drivers/staging/phison/phison.c 2010-12-09 20:24:28.000000000 -0500
28661 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
28662 ATA_BMDMA_SHT(DRV_NAME),
28665 -static struct ata_port_operations phison_ops = {
28666 +static const struct ata_port_operations phison_ops = {
28667 .inherits = &ata_bmdma_port_ops,
28668 .prereset = phison_pre_reset,
28670 diff -urNp linux-2.6.36.2/drivers/staging/pohmelfs/inode.c linux-2.6.36.2/drivers/staging/pohmelfs/inode.c
28671 --- linux-2.6.36.2/drivers/staging/pohmelfs/inode.c 2010-10-20 16:30:22.000000000 -0400
28672 +++ linux-2.6.36.2/drivers/staging/pohmelfs/inode.c 2010-12-09 20:24:28.000000000 -0500
28673 @@ -1852,7 +1852,7 @@ static int pohmelfs_fill_super(struct su
28674 mutex_init(&psb->mcache_lock);
28675 psb->mcache_root = RB_ROOT;
28676 psb->mcache_timeout = msecs_to_jiffies(5000);
28677 - atomic_long_set(&psb->mcache_gen, 0);
28678 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
28680 psb->trans_max_pages = 100;
28682 diff -urNp linux-2.6.36.2/drivers/staging/pohmelfs/mcache.c linux-2.6.36.2/drivers/staging/pohmelfs/mcache.c
28683 --- linux-2.6.36.2/drivers/staging/pohmelfs/mcache.c 2010-10-20 16:30:22.000000000 -0400
28684 +++ linux-2.6.36.2/drivers/staging/pohmelfs/mcache.c 2010-12-09 20:24:28.000000000 -0500
28685 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
28689 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
28690 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
28692 mutex_lock(&psb->mcache_lock);
28693 err = pohmelfs_mcache_insert(psb, m);
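Review bot: `m->gen` now comes from `atomic_long_inc_return_unchecked()`, so the generation counter is allowed to wrap silently, and the entry is handed to `pohmelfs_mcache_insert()` two lines later. If `gen` is the key that insert uses, a wrapped counter on a 32-bit build could collide with a live entry. A comment stating that wrap-around is tolerated and why would help, for example `/* gen may wrap; insert rejects duplicates */`, provided the insert really does reject them. The function continues outside the hunk, so how `err` is handled is not visible.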
28694 diff -urNp linux-2.6.36.2/drivers/staging/pohmelfs/netfs.h linux-2.6.36.2/drivers/staging/pohmelfs/netfs.h
28695 --- linux-2.6.36.2/drivers/staging/pohmelfs/netfs.h 2010-10-20 16:30:22.000000000 -0400
28696 +++ linux-2.6.36.2/drivers/staging/pohmelfs/netfs.h 2010-12-09 20:24:28.000000000 -0500
28697 @@ -571,7 +571,7 @@ struct pohmelfs_config;
28698 struct pohmelfs_sb {
28699 struct rb_root mcache_root;
28700 struct mutex mcache_lock;
28701 - atomic_long_t mcache_gen;
28702 + atomic_long_unchecked_t mcache_gen;
28703 unsigned long mcache_timeout;
28706 diff -urNp linux-2.6.36.2/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.36.2/drivers/staging/rtl8192u/ieee80211/proc.c
28707 --- linux-2.6.36.2/drivers/staging/rtl8192u/ieee80211/proc.c 2010-10-20 16:30:22.000000000 -0400
28708 +++ linux-2.6.36.2/drivers/staging/rtl8192u/ieee80211/proc.c 2010-12-09 20:24:27.000000000 -0500
28709 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
28710 return seq_open(file, &crypto_seq_ops);
28713 -static struct file_operations proc_crypto_ops = {
28714 +static const struct file_operations proc_crypto_ops = {
28715 .open = crypto_info_open,
28717 .llseek = seq_lseek,
28718 diff -urNp linux-2.6.36.2/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.36.2/drivers/staging/samsung-laptop/samsung-laptop.c
28719 --- linux-2.6.36.2/drivers/staging/samsung-laptop/samsung-laptop.c 2010-12-09 20:53:47.000000000 -0500
28720 +++ linux-2.6.36.2/drivers/staging/samsung-laptop/samsung-laptop.c 2010-12-09 20:54:34.000000000 -0500
28721 @@ -269,7 +269,7 @@ static int update_status(struct backligh
28725 -static struct backlight_ops backlight_ops = {
28726 +static const struct backlight_ops backlight_ops = {
28727 .get_brightness = get_brightness,
28728 .update_status = update_status,
28730 diff -urNp linux-2.6.36.2/drivers/staging/spectra/ffsport.c linux-2.6.36.2/drivers/staging/spectra/ffsport.c
28731 --- linux-2.6.36.2/drivers/staging/spectra/ffsport.c 2010-10-20 16:30:22.000000000 -0400
28732 +++ linux-2.6.36.2/drivers/staging/spectra/ffsport.c 2010-12-09 20:24:29.000000000 -0500
28733 @@ -602,7 +602,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
28737 -static struct block_device_operations GLOB_SBD_ops = {
28738 +static const struct block_device_operations GLOB_SBD_ops = {
28739 .owner = THIS_MODULE,
28740 .open = GLOB_SBD_open,
28741 .release = GLOB_SBD_release,
28742 diff -urNp linux-2.6.36.2/drivers/staging/vme/devices/vme_user.c linux-2.6.36.2/drivers/staging/vme/devices/vme_user.c
28743 --- linux-2.6.36.2/drivers/staging/vme/devices/vme_user.c 2010-10-20 16:30:22.000000000 -0400
28744 +++ linux-2.6.36.2/drivers/staging/vme/devices/vme_user.c 2010-12-09 20:24:27.000000000 -0500
28745 @@ -137,7 +137,7 @@ static long vme_user_unlocked_ioctl(stru
28746 static int __init vme_user_probe(struct device *, int, int);
28747 static int __exit vme_user_remove(struct device *, int, int);
28749 -static struct file_operations vme_user_fops = {
28750 +static const struct file_operations vme_user_fops = {
28751 .open = vme_user_open,
28752 .release = vme_user_release,
28753 .read = vme_user_read,
28754 diff -urNp linux-2.6.36.2/drivers/usb/atm/cxacru.c linux-2.6.36.2/drivers/usb/atm/cxacru.c
28755 --- linux-2.6.36.2/drivers/usb/atm/cxacru.c 2010-10-20 16:30:22.000000000 -0400
28756 +++ linux-2.6.36.2/drivers/usb/atm/cxacru.c 2010-12-09 20:24:26.000000000 -0500
28757 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
28758 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
28761 - if (index < 0 || index > 0x7f)
28762 + if (index > 0x7f)
28766 diff -urNp linux-2.6.36.2/drivers/usb/atm/usbatm.c linux-2.6.36.2/drivers/usb/atm/usbatm.c
28767 --- linux-2.6.36.2/drivers/usb/atm/usbatm.c 2010-10-20 16:30:22.000000000 -0400
28768 +++ linux-2.6.36.2/drivers/usb/atm/usbatm.c 2010-12-09 20:24:26.000000000 -0500
28769 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
28770 if (printk_ratelimit())
28771 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
28772 __func__, vpi, vci);
28773 - atomic_inc(&vcc->stats->rx_err);
28774 + atomic_inc_unchecked(&vcc->stats->rx_err);
28778 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
28779 if (length > ATM_MAX_AAL5_PDU) {
28780 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
28781 __func__, length, vcc);
28782 - atomic_inc(&vcc->stats->rx_err);
28783 + atomic_inc_unchecked(&vcc->stats->rx_err);
28787 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
28788 if (sarb->len < pdu_length) {
28789 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
28790 __func__, pdu_length, sarb->len, vcc);
28791 - atomic_inc(&vcc->stats->rx_err);
28792 + atomic_inc_unchecked(&vcc->stats->rx_err);
28796 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
28797 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
28799 - atomic_inc(&vcc->stats->rx_err);
28800 + atomic_inc_unchecked(&vcc->stats->rx_err);
28804 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
28805 if (printk_ratelimit())
28806 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
28808 - atomic_inc(&vcc->stats->rx_drop);
28809 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28813 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
28815 vcc->push(vcc, skb);
28817 - atomic_inc(&vcc->stats->rx);
28818 + atomic_inc_unchecked(&vcc->stats->rx);
28822 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
28823 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
28825 usbatm_pop(vcc, skb);
28826 - atomic_inc(&vcc->stats->tx);
28827 + atomic_inc_unchecked(&vcc->stats->tx);
28829 skb = skb_dequeue(&instance->sndqueue);
28831 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
28833 return sprintf(page,
28834 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
28835 - atomic_read(&atm_dev->stats.aal5.tx),
28836 - atomic_read(&atm_dev->stats.aal5.tx_err),
28837 - atomic_read(&atm_dev->stats.aal5.rx),
28838 - atomic_read(&atm_dev->stats.aal5.rx_err),
28839 - atomic_read(&atm_dev->stats.aal5.rx_drop));
28840 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
28841 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
28842 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
28843 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
28844 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
28847 if (instance->disconnected)
28848 diff -urNp linux-2.6.36.2/drivers/usb/class/cdc-acm.c linux-2.6.36.2/drivers/usb/class/cdc-acm.c
28849 --- linux-2.6.36.2/drivers/usb/class/cdc-acm.c 2010-10-20 16:30:22.000000000 -0400
28850 +++ linux-2.6.36.2/drivers/usb/class/cdc-acm.c 2010-12-09 20:24:25.000000000 -0500
28851 @@ -1634,7 +1634,7 @@ static const struct usb_device_id acm_id
28852 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
28853 USB_CDC_ACM_PROTO_AT_CDMA) },
28856 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
28859 MODULE_DEVICE_TABLE(usb, acm_ids);
28860 diff -urNp linux-2.6.36.2/drivers/usb/class/cdc-wdm.c linux-2.6.36.2/drivers/usb/class/cdc-wdm.c
28861 --- linux-2.6.36.2/drivers/usb/class/cdc-wdm.c 2010-10-20 16:30:22.000000000 -0400
28862 +++ linux-2.6.36.2/drivers/usb/class/cdc-wdm.c 2010-12-09 20:24:25.000000000 -0500
28863 @@ -342,7 +342,7 @@ static ssize_t wdm_write
28867 - if (!file->f_flags && O_NONBLOCK)
28868 + if (!(file->f_flags & O_NONBLOCK))
28869 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
28872 diff -urNp linux-2.6.36.2/drivers/usb/class/usblp.c linux-2.6.36.2/drivers/usb/class/usblp.c
28873 --- linux-2.6.36.2/drivers/usb/class/usblp.c 2010-10-20 16:30:22.000000000 -0400
28874 +++ linux-2.6.36.2/drivers/usb/class/usblp.c 2010-12-09 20:24:25.000000000 -0500
28875 @@ -227,7 +227,7 @@ static const struct quirk_printer_struct
28876 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
28877 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
28878 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
28883 static int usblp_wwait(struct usblp *usblp, int nonblock);
28884 @@ -1397,7 +1397,7 @@ static const struct usb_device_id usblp_
28885 { USB_INTERFACE_INFO(7, 1, 2) },
28886 { USB_INTERFACE_INFO(7, 1, 3) },
28887 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
28888 - { } /* Terminating entry */
28889 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28892 MODULE_DEVICE_TABLE(usb, usblp_ids);
28893 diff -urNp linux-2.6.36.2/drivers/usb/core/hcd.c linux-2.6.36.2/drivers/usb/core/hcd.c
28894 --- linux-2.6.36.2/drivers/usb/core/hcd.c 2010-10-20 16:30:22.000000000 -0400
28895 +++ linux-2.6.36.2/drivers/usb/core/hcd.c 2010-12-09 20:24:25.000000000 -0500
28896 @@ -2420,7 +2420,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
28898 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
28900 -struct usb_mon_operations *mon_ops;
28901 +const struct usb_mon_operations *mon_ops;
28904 * The registration is unlocked.
28905 @@ -2430,7 +2430,7 @@ struct usb_mon_operations *mon_ops;
28906 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
28909 -int usb_mon_register (struct usb_mon_operations *ops)
28910 +int usb_mon_register (const struct usb_mon_operations *ops)
28914 diff -urNp linux-2.6.36.2/drivers/usb/core/hub.c linux-2.6.36.2/drivers/usb/core/hub.c
28915 --- linux-2.6.36.2/drivers/usb/core/hub.c 2010-11-26 18:26:24.000000000 -0500
28916 +++ linux-2.6.36.2/drivers/usb/core/hub.c 2010-12-09 20:24:26.000000000 -0500
28917 @@ -3459,7 +3459,7 @@ static const struct usb_device_id hub_id
28918 .bDeviceClass = USB_CLASS_HUB},
28919 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
28920 .bInterfaceClass = USB_CLASS_HUB},
28921 - { } /* Terminating entry */
28922 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28925 MODULE_DEVICE_TABLE (usb, hub_id_table);
28926 diff -urNp linux-2.6.36.2/drivers/usb/core/message.c linux-2.6.36.2/drivers/usb/core/message.c
28927 --- linux-2.6.36.2/drivers/usb/core/message.c 2010-11-26 18:26:24.000000000 -0500
28928 +++ linux-2.6.36.2/drivers/usb/core/message.c 2010-12-09 20:24:26.000000000 -0500
28929 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
28930 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
28932 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
28934 - smallbuf = kmalloc(++len, GFP_NOIO);
28936 + smallbuf = kmalloc(len, GFP_NOIO);
28939 memcpy(smallbuf, buf, len);
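Review bot: On the lines shown, `kmalloc(++len, GFP_NOIO)` became `kmalloc(len, GFP_NOIO)` while `memcpy(smallbuf, buf, len)` is unchanged, so unless `len` is incremented on a separate line the copy is one byte short and the cached string loses its terminating NUL. Gutter line 28935 is absent from this listing and may hold that `++len;`, so confirm it against the full patch. The NULL check on `smallbuf` before the memcpy is likewise not among the visible lines, and usb_cache_string extends beyond the hunk.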
28940 diff -urNp linux-2.6.36.2/drivers/usb/early/ehci-dbgp.c linux-2.6.36.2/drivers/usb/early/ehci-dbgp.c
28941 --- linux-2.6.36.2/drivers/usb/early/ehci-dbgp.c 2010-10-20 16:30:22.000000000 -0400
28942 +++ linux-2.6.36.2/drivers/usb/early/ehci-dbgp.c 2010-12-09 20:24:25.000000000 -0500
28943 @@ -96,6 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
28947 +/* cannot be const, see kgdbdbgp_parse_config */
28948 static struct kgdb_io kgdbdbgp_io_ops;
28949 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
28951 @@ -1026,6 +1027,7 @@ static void kgdbdbgp_write_char(u8 chr)
28952 early_dbgp_write(NULL, &chr, 1);
28955 +/* cannot be const, see kgdbdbgp_parse_config() */
28956 static struct kgdb_io kgdbdbgp_io_ops = {
28957 .name = "kgdbdbgp",
28958 .read_char = kgdbdbgp_read_char,
28959 diff -urNp linux-2.6.36.2/drivers/usb/host/ehci-pci.c linux-2.6.36.2/drivers/usb/host/ehci-pci.c
28960 --- linux-2.6.36.2/drivers/usb/host/ehci-pci.c 2010-12-09 20:53:47.000000000 -0500
28961 +++ linux-2.6.36.2/drivers/usb/host/ehci-pci.c 2010-12-09 20:54:34.000000000 -0500
28962 @@ -457,7 +457,7 @@ static const struct pci_device_id pci_id
28963 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
28964 .driver_data = (unsigned long) &ehci_pci_hc_driver,
28966 - { /* end: all zeroes */ }
28967 + { 0, 0, 0, 0, 0, 0, 0 }
28969 MODULE_DEVICE_TABLE(pci, pci_ids);
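Review bot: The new sentinel `{ 0, 0, 0, 0, 0, 0, 0 }` drops the `/* end: all zeroes */` comment and ties the terminator to the current field count of `struct pci_device_id`. I would keep the marker, `{ 0, 0, 0, 0, 0, 0, 0 } /* end: all zeroes */`, so the line still reads as a table terminator and not as a device entry. The uhci-hcd.c hunk that follows loses the same comment, and the terminator added in drivers/serial/8250_pci.c has none either.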
28971 diff -urNp linux-2.6.36.2/drivers/usb/host/uhci-hcd.c linux-2.6.36.2/drivers/usb/host/uhci-hcd.c
28972 --- linux-2.6.36.2/drivers/usb/host/uhci-hcd.c 2010-10-20 16:30:22.000000000 -0400
28973 +++ linux-2.6.36.2/drivers/usb/host/uhci-hcd.c 2010-12-09 20:24:25.000000000 -0500
28974 @@ -948,7 +948,7 @@ static const struct pci_device_id uhci_p
28975 /* handle any USB UHCI controller */
28976 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
28977 .driver_data = (unsigned long) &uhci_driver,
28978 - }, { /* end: all zeroes */ }
28979 + }, { 0, 0, 0, 0, 0, 0, 0 }
28982 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
28983 diff -urNp linux-2.6.36.2/drivers/usb/mon/mon_main.c linux-2.6.36.2/drivers/usb/mon/mon_main.c
28984 --- linux-2.6.36.2/drivers/usb/mon/mon_main.c 2010-10-20 16:30:22.000000000 -0400
28985 +++ linux-2.6.36.2/drivers/usb/mon/mon_main.c 2010-12-09 20:24:25.000000000 -0500
28986 @@ -240,7 +240,7 @@ static struct notifier_block mon_nb = {
28990 -static struct usb_mon_operations mon_ops_0 = {
28991 +static const struct usb_mon_operations mon_ops_0 = {
28992 .urb_submit = mon_submit,
28993 .urb_submit_error = mon_submit_error,
28994 .urb_complete = mon_complete,
28995 diff -urNp linux-2.6.36.2/drivers/usb/storage/debug.h linux-2.6.36.2/drivers/usb/storage/debug.h
28996 --- linux-2.6.36.2/drivers/usb/storage/debug.h 2010-10-20 16:30:22.000000000 -0400
28997 +++ linux-2.6.36.2/drivers/usb/storage/debug.h 2010-12-09 20:24:25.000000000 -0500
28998 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
28999 #define US_DEBUGPX(x...) printk( x )
29000 #define US_DEBUG(x) x
29002 -#define US_DEBUGP(x...)
29003 -#define US_DEBUGPX(x...)
29004 -#define US_DEBUG(x)
29005 +#define US_DEBUGP(x...) do {} while (0)
29006 +#define US_DEBUGPX(x...) do {} while (0)
29007 +#define US_DEBUG(x) do {} while (0)
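Review bot: With debugging off, `US_DEBUGP` and `US_DEBUGPX` now expand to `do {} while (0)`, which is safe as a statement but still throws the arguments away unseen. A wrong format specifier or a renamed variable inside a debug call is therefore only caught in a debug build. Keeping the call under a dead branch, for example `#define US_DEBUGPX(x...) do { if (0) printk(x); } while (0)`, lets the compiler go on checking the format arguments at no runtime cost. `US_DEBUG(x)` expands to `x` itself in the debug branch, so its use sites (outside this hunk) should be confirmed to be plain statements. The `DPRINTK` change in fbmon.c has the same shape.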
29011 diff -urNp linux-2.6.36.2/drivers/usb/storage/usb.c linux-2.6.36.2/drivers/usb/storage/usb.c
29012 --- linux-2.6.36.2/drivers/usb/storage/usb.c 2010-10-20 16:30:22.000000000 -0400
29013 +++ linux-2.6.36.2/drivers/usb/storage/usb.c 2010-12-09 20:24:25.000000000 -0500
29014 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
29016 static struct us_unusual_dev us_unusual_dev_list[] = {
29017 # include "unusual_devs.h"
29018 - { } /* Terminating entry */
29019 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
29023 diff -urNp linux-2.6.36.2/drivers/usb/storage/usual-tables.c linux-2.6.36.2/drivers/usb/storage/usual-tables.c
29024 --- linux-2.6.36.2/drivers/usb/storage/usual-tables.c 2010-10-20 16:30:22.000000000 -0400
29025 +++ linux-2.6.36.2/drivers/usb/storage/usual-tables.c 2010-12-09 20:24:25.000000000 -0500
29028 struct usb_device_id usb_storage_usb_ids[] = {
29029 # include "unusual_devs.h"
29030 - { } /* Terminating entry */
29031 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
29033 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
29035 diff -urNp linux-2.6.36.2/drivers/uwb/wlp/messages.c linux-2.6.36.2/drivers/uwb/wlp/messages.c
29036 --- linux-2.6.36.2/drivers/uwb/wlp/messages.c 2010-10-20 16:30:22.000000000 -0400
29037 +++ linux-2.6.36.2/drivers/uwb/wlp/messages.c 2010-12-09 20:24:22.000000000 -0500
29038 @@ -920,7 +920,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
29039 size_t len = skb->len;
29042 - struct wlp_nonce enonce, rnonce;
29043 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
29044 enum wlp_assc_error assc_err;
29045 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
29046 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
29047 diff -urNp linux-2.6.36.2/drivers/vhost/vhost.c linux-2.6.36.2/drivers/vhost/vhost.c
29048 --- linux-2.6.36.2/drivers/vhost/vhost.c 2010-10-20 16:30:22.000000000 -0400
29049 +++ linux-2.6.36.2/drivers/vhost/vhost.c 2010-12-09 20:24:15.000000000 -0500
29050 @@ -503,7 +503,7 @@ static int init_used(struct vhost_virtqu
29051 return get_user(vq->last_used_idx, &used->idx);
29054 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
29055 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
29057 struct file *eventfp, *filep = NULL,
29058 *pollstart = NULL, *pollstop = NULL;
29059 diff -urNp linux-2.6.36.2/drivers/video/atmel_lcdfb.c linux-2.6.36.2/drivers/video/atmel_lcdfb.c
29060 --- linux-2.6.36.2/drivers/video/atmel_lcdfb.c 2010-10-20 16:30:22.000000000 -0400
29061 +++ linux-2.6.36.2/drivers/video/atmel_lcdfb.c 2010-12-09 20:24:30.000000000 -0500
29062 @@ -111,7 +111,7 @@ static int atmel_bl_get_brightness(struc
29063 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
29066 -static struct backlight_ops atmel_lcdc_bl_ops = {
29067 +static const struct backlight_ops atmel_lcdc_bl_ops = {
29068 .update_status = atmel_bl_update_status,
29069 .get_brightness = atmel_bl_get_brightness,
29071 diff -urNp linux-2.6.36.2/drivers/video/aty/aty128fb.c linux-2.6.36.2/drivers/video/aty/aty128fb.c
29072 --- linux-2.6.36.2/drivers/video/aty/aty128fb.c 2010-10-20 16:30:22.000000000 -0400
29073 +++ linux-2.6.36.2/drivers/video/aty/aty128fb.c 2010-12-09 20:24:30.000000000 -0500
29074 @@ -1786,7 +1786,7 @@ static int aty128_bl_get_brightness(stru
29075 return bd->props.brightness;
29078 -static struct backlight_ops aty128_bl_data = {
29079 +static const struct backlight_ops aty128_bl_data = {
29080 .get_brightness = aty128_bl_get_brightness,
29081 .update_status = aty128_bl_update_status,
29083 diff -urNp linux-2.6.36.2/drivers/video/aty/atyfb_base.c linux-2.6.36.2/drivers/video/aty/atyfb_base.c
29084 --- linux-2.6.36.2/drivers/video/aty/atyfb_base.c 2010-10-20 16:30:22.000000000 -0400
29085 +++ linux-2.6.36.2/drivers/video/aty/atyfb_base.c 2010-12-09 20:24:30.000000000 -0500
29086 @@ -2221,7 +2221,7 @@ static int aty_bl_get_brightness(struct
29087 return bd->props.brightness;
29090 -static struct backlight_ops aty_bl_data = {
29091 +static const struct backlight_ops aty_bl_data = {
29092 .get_brightness = aty_bl_get_brightness,
29093 .update_status = aty_bl_update_status,
29095 diff -urNp linux-2.6.36.2/drivers/video/aty/radeon_backlight.c linux-2.6.36.2/drivers/video/aty/radeon_backlight.c
29096 --- linux-2.6.36.2/drivers/video/aty/radeon_backlight.c 2010-10-20 16:30:22.000000000 -0400
29097 +++ linux-2.6.36.2/drivers/video/aty/radeon_backlight.c 2010-12-09 20:24:30.000000000 -0500
29098 @@ -128,7 +128,7 @@ static int radeon_bl_get_brightness(stru
29099 return bd->props.brightness;
29102 -static struct backlight_ops radeon_bl_data = {
29103 +static const struct backlight_ops radeon_bl_data = {
29104 .get_brightness = radeon_bl_get_brightness,
29105 .update_status = radeon_bl_update_status,
29107 diff -urNp linux-2.6.36.2/drivers/video/backlight/88pm860x_bl.c linux-2.6.36.2/drivers/video/backlight/88pm860x_bl.c
29108 --- linux-2.6.36.2/drivers/video/backlight/88pm860x_bl.c 2010-10-20 16:30:22.000000000 -0400
29109 +++ linux-2.6.36.2/drivers/video/backlight/88pm860x_bl.c 2010-12-09 20:24:30.000000000 -0500
29110 @@ -155,7 +155,7 @@ out:
29114 -static struct backlight_ops pm860x_backlight_ops = {
29115 +static const struct backlight_ops pm860x_backlight_ops = {
29116 .options = BL_CORE_SUSPENDRESUME,
29117 .update_status = pm860x_backlight_update_status,
29118 .get_brightness = pm860x_backlight_get_brightness,
29119 diff -urNp linux-2.6.36.2/drivers/video/backlight/max8925_bl.c linux-2.6.36.2/drivers/video/backlight/max8925_bl.c
29120 --- linux-2.6.36.2/drivers/video/backlight/max8925_bl.c 2010-10-20 16:30:22.000000000 -0400
29121 +++ linux-2.6.36.2/drivers/video/backlight/max8925_bl.c 2010-12-09 20:24:30.000000000 -0500
29122 @@ -92,7 +92,7 @@ static int max8925_backlight_get_brightn
29126 -static struct backlight_ops max8925_backlight_ops = {
29127 +static const struct backlight_ops max8925_backlight_ops = {
29128 .options = BL_CORE_SUSPENDRESUME,
29129 .update_status = max8925_backlight_update_status,
29130 .get_brightness = max8925_backlight_get_brightness,
29131 diff -urNp linux-2.6.36.2/drivers/video/fbcmap.c linux-2.6.36.2/drivers/video/fbcmap.c
29132 --- linux-2.6.36.2/drivers/video/fbcmap.c 2010-10-20 16:30:22.000000000 -0400
29133 +++ linux-2.6.36.2/drivers/video/fbcmap.c 2010-12-09 20:24:30.000000000 -0500
29134 @@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
29138 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
29139 - !info->fbops->fb_setcmap)) {
29140 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
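Review bot: Dropping `cmap->start < 0` is behaviour-neutral only if `start` is an unsigned field, which this hunk does not show. If it is, a value user space meant as negative now arrives as a very large start, and the only protection left is whatever upper-bound check follows in the part of fb_set_user_cmap outside the hunk. I would record that dependency at the remaining test with `/* start is unsigned, so only the upper bound needs checking */` and confirm that such a check exists. The `con2fb.framebuffer < 0` removal in the do_fb_ioctl hunk of fbmem.c is the same pattern, there with the `>= FB_MAX` bound visible beside it.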
29144 diff -urNp linux-2.6.36.2/drivers/video/fbmem.c linux-2.6.36.2/drivers/video/fbmem.c
29145 --- linux-2.6.36.2/drivers/video/fbmem.c 2010-10-20 16:30:22.000000000 -0400
29146 +++ linux-2.6.36.2/drivers/video/fbmem.c 2010-12-09 20:24:29.000000000 -0500
29147 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
29148 image->dx += image->width + 8;
29150 } else if (rotate == FB_ROTATE_UD) {
29151 - for (x = 0; x < num && image->dx >= 0; x++) {
29152 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
29153 info->fbops->fb_imageblit(info, image);
29154 image->dx -= image->width + 8;
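Review bot: The condition `(__s32)image->dx >= 0` only ends the loop because `image->dx -= image->width + 8` wraps an (apparently unsigned) field below zero and the cast reinterprets the result as negative. This also means a starting `dx` at or above 0x80000000 stops the loop before the first blit. Neither fact is obvious from the line itself, so a comment above the loop would help: `/* dx is unsigned: the cast detects wrap-around below zero */`. The `(__s32)image->dy` loop in the next hunk needs the same comment.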
29156 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
29157 image->dy += image->height + 8;
29159 } else if (rotate == FB_ROTATE_CCW) {
29160 - for (x = 0; x < num && image->dy >= 0; x++) {
29161 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
29162 info->fbops->fb_imageblit(info, image);
29163 image->dy -= image->height + 8;
29165 @@ -1119,7 +1119,7 @@ static long do_fb_ioctl(struct fb_info *
29167 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
29169 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
29170 + if (con2fb.framebuffer >= FB_MAX)
29172 if (!registered_fb[con2fb.framebuffer])
29173 request_module("fb%d", con2fb.framebuffer);
29174 diff -urNp linux-2.6.36.2/drivers/video/fbmon.c linux-2.6.36.2/drivers/video/fbmon.c
29175 --- linux-2.6.36.2/drivers/video/fbmon.c 2010-10-20 16:30:22.000000000 -0400
29176 +++ linux-2.6.36.2/drivers/video/fbmon.c 2010-12-09 20:24:29.000000000 -0500
29179 #define DPRINTK(fmt, args...) printk(fmt,## args)
29181 -#define DPRINTK(fmt, args...)
29182 +#define DPRINTK(fmt, args...) do {} while (0)
29185 #define FBMON_FIX_HEADER 1
29186 diff -urNp linux-2.6.36.2/drivers/video/i810/i810_accel.c linux-2.6.36.2/drivers/video/i810/i810_accel.c
29187 --- linux-2.6.36.2/drivers/video/i810/i810_accel.c 2010-10-20 16:30:22.000000000 -0400
29188 +++ linux-2.6.36.2/drivers/video/i810/i810_accel.c 2010-12-09 20:24:30.000000000 -0500
29189 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
29192 printk("ringbuffer lockup!!!\n");
29193 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
29194 i810_report_error(mmio);
29195 par->dev_flags |= LOCKUP;
29196 info->pixmap.scan_align = 1;
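Review bot: The added `printk("head:%u tail:%u iring.size:%u space:%u\n", ...)` carries no log level and no driver prefix, so the line is logged at the default level and cannot be attributed to i810fb once separated from the "ringbuffer lockup" message. I would write it as `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);`. The `%u` specifiers assume all four values are `unsigned int`; their declarations are outside the hunk and should be checked against the format.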
29197 diff -urNp linux-2.6.36.2/drivers/video/i810/i810_main.c linux-2.6.36.2/drivers/video/i810/i810_main.c
29198 --- linux-2.6.36.2/drivers/video/i810/i810_main.c 2010-10-20 16:30:22.000000000 -0400
29199 +++ linux-2.6.36.2/drivers/video/i810/i810_main.c 2010-12-09 20:24:30.000000000 -0500
29200 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
29201 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
29202 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
29203 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
29205 + { 0, 0, 0, 0, 0, 0, 0 },
29208 static struct pci_driver i810fb_driver = {
29209 diff -urNp linux-2.6.36.2/drivers/video/modedb.c linux-2.6.36.2/drivers/video/modedb.c
29210 --- linux-2.6.36.2/drivers/video/modedb.c 2010-10-20 16:30:22.000000000 -0400
29211 +++ linux-2.6.36.2/drivers/video/modedb.c 2010-12-09 20:24:30.000000000 -0500
29212 @@ -40,240 +40,240 @@ static const struct fb_videomode modedb[
29214 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
29215 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
29216 - 0, FB_VMODE_NONINTERLACED
29217 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29219 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
29220 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
29221 - 0, FB_VMODE_NONINTERLACED
29222 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29224 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
29225 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
29226 - 0, FB_VMODE_NONINTERLACED
29227 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29229 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
29230 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
29231 - 0, FB_VMODE_INTERLACED
29232 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
29234 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
29235 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
29236 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29237 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29239 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
29240 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
29241 - 0, FB_VMODE_NONINTERLACED
29242 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29244 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
29245 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
29246 - 0, FB_VMODE_NONINTERLACED
29247 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29249 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
29250 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
29251 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29252 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29254 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
29255 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
29256 - 0, FB_VMODE_NONINTERLACED
29257 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29259 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
29260 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
29261 - 0, FB_VMODE_INTERLACED
29262 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
29264 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
29265 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
29266 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29267 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29269 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
29270 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
29271 - 0, FB_VMODE_NONINTERLACED
29272 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29274 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
29275 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
29276 - 0, FB_VMODE_NONINTERLACED
29277 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29279 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
29280 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
29281 - 0, FB_VMODE_NONINTERLACED
29282 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29284 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
29285 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
29286 - 0, FB_VMODE_NONINTERLACED
29287 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29289 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
29290 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
29291 - 0, FB_VMODE_NONINTERLACED
29292 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29294 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
29295 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
29296 - 0, FB_VMODE_INTERLACED
29297 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
29299 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
29300 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
29301 - 0, FB_VMODE_NONINTERLACED
29302 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29304 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
29305 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
29306 - 0, FB_VMODE_NONINTERLACED
29307 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29309 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
29310 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
29311 - 0, FB_VMODE_NONINTERLACED
29312 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29314 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
29315 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
29316 - 0, FB_VMODE_NONINTERLACED
29317 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29319 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
29320 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
29321 - 0, FB_VMODE_NONINTERLACED
29322 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29324 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
29325 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
29326 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29327 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29329 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
29330 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
29331 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29332 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29334 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
29335 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
29336 - 0, FB_VMODE_NONINTERLACED
29337 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29339 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
29340 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
29341 - 0, FB_VMODE_NONINTERLACED
29342 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29344 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
29345 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
29346 - 0, FB_VMODE_NONINTERLACED
29347 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29349 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
29350 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
29351 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29352 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29354 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
29355 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
29356 - 0, FB_VMODE_NONINTERLACED
29357 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29359 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
29360 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
29361 - 0, FB_VMODE_NONINTERLACED
29362 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29364 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
29365 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
29366 - 0, FB_VMODE_NONINTERLACED
29367 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29369 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
29370 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
29371 - 0, FB_VMODE_NONINTERLACED
29372 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29374 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
29375 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
29376 - 0, FB_VMODE_NONINTERLACED
29377 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29379 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
29380 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
29381 - 0, FB_VMODE_NONINTERLACED
29382 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29384 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
29385 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
29386 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29387 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29389 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
29390 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
29391 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29392 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29394 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
29395 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
29396 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29397 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29399 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
29400 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
29401 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29402 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29404 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
29405 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
29406 - 0, FB_VMODE_NONINTERLACED
29407 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29409 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
29410 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
29411 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29412 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29414 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
29415 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
29416 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29417 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29419 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
29420 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
29421 - 0, FB_VMODE_NONINTERLACED
29422 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29424 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
29425 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
29426 - 0, FB_VMODE_NONINTERLACED
29427 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29429 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
29430 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
29431 - 0, FB_VMODE_DOUBLE
29432 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29434 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
29435 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
29436 - 0, FB_VMODE_DOUBLE
29437 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29439 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
29440 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
29441 - 0, FB_VMODE_DOUBLE
29442 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29444 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
29445 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
29446 - 0, FB_VMODE_DOUBLE
29447 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29449 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
29450 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
29451 - 0, FB_VMODE_DOUBLE
29452 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29454 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
29455 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
29456 - 0, FB_VMODE_DOUBLE
29457 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29459 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
29460 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
29461 - 0, FB_VMODE_DOUBLE
29462 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29464 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
29465 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
29466 - 0, FB_VMODE_DOUBLE
29467 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29469 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
29470 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
29471 - 0, FB_VMODE_DOUBLE
29472 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29474 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
29475 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
29476 - 0, FB_VMODE_DOUBLE
29477 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29479 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
29480 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
29481 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29482 - FB_VMODE_NONINTERLACED
29483 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29485 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
29486 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
29487 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29488 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29490 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
29491 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
29492 - 0, FB_VMODE_NONINTERLACED
29493 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29495 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
29496 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
29497 - 0, FB_VMODE_NONINTERLACED
29498 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29500 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
29501 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
29502 - 0, FB_VMODE_INTERLACED
29503 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
29505 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
29506 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
29507 - 0, FB_VMODE_INTERLACED
29508 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
29512 diff -urNp linux-2.6.36.2/drivers/video/nvidia/nv_backlight.c linux-2.6.36.2/drivers/video/nvidia/nv_backlight.c
29513 --- linux-2.6.36.2/drivers/video/nvidia/nv_backlight.c 2010-10-20 16:30:22.000000000 -0400
29514 +++ linux-2.6.36.2/drivers/video/nvidia/nv_backlight.c 2010-12-09 20:24:30.000000000 -0500
29515 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
29516 return bd->props.brightness;
29519 -static struct backlight_ops nvidia_bl_ops = {
29520 +static const struct backlight_ops nvidia_bl_ops = {
29521 .get_brightness = nvidia_bl_get_brightness,
29522 .update_status = nvidia_bl_update_status,
29524 diff -urNp linux-2.6.36.2/drivers/video/omap2/displays/panel-taal.c linux-2.6.36.2/drivers/video/omap2/displays/panel-taal.c
29525 --- linux-2.6.36.2/drivers/video/omap2/displays/panel-taal.c 2010-10-20 16:30:22.000000000 -0400
29526 +++ linux-2.6.36.2/drivers/video/omap2/displays/panel-taal.c 2010-12-09 20:24:30.000000000 -0500
29527 @@ -465,7 +465,7 @@ static int taal_bl_get_intensity(struct
29531 -static struct backlight_ops taal_bl_ops = {
29532 +static const struct backlight_ops taal_bl_ops = {
29533 .get_brightness = taal_bl_get_intensity,
29534 .update_status = taal_bl_update_status,
29536 diff -urNp linux-2.6.36.2/drivers/video/riva/fbdev.c linux-2.6.36.2/drivers/video/riva/fbdev.c
29537 --- linux-2.6.36.2/drivers/video/riva/fbdev.c 2010-10-20 16:30:22.000000000 -0400
29538 +++ linux-2.6.36.2/drivers/video/riva/fbdev.c 2010-12-09 20:24:30.000000000 -0500
29539 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
29540 return bd->props.brightness;
29543 -static struct backlight_ops riva_bl_ops = {
29544 +static const struct backlight_ops riva_bl_ops = {
29545 .get_brightness = riva_bl_get_brightness,
29546 .update_status = riva_bl_update_status,
29548 diff -urNp linux-2.6.36.2/drivers/video/uvesafb.c linux-2.6.36.2/drivers/video/uvesafb.c
29549 --- linux-2.6.36.2/drivers/video/uvesafb.c 2010-10-20 16:30:22.000000000 -0400
29550 +++ linux-2.6.36.2/drivers/video/uvesafb.c 2010-12-09 20:24:30.000000000 -0500
29552 #include <linux/io.h>
29553 #include <linux/mutex.h>
29554 #include <linux/slab.h>
29555 +#include <linux/moduleloader.h>
29556 #include <video/edid.h>
29557 #include <video/uvesafb.h>
29559 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
29563 - return call_usermodehelper(v86d_path, argv, envp, 1);
29564 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
29568 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
29569 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
29570 par->pmi_setpal = par->ypan = 0;
29573 +#ifdef CONFIG_PAX_KERNEXEC
29574 +#ifdef CONFIG_MODULES
29575 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
29577 + if (!par->pmi_code) {
29578 + par->pmi_setpal = par->ypan = 0;
29583 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
29584 + task->t.regs.edi);
29586 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29587 + pax_open_kernel();
29588 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
29589 + pax_close_kernel();
29591 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
29592 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
29594 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
29595 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
29598 printk(KERN_INFO "uvesafb: protected mode interface info at "
29600 (u16)task->t.regs.es, (u16)task->t.regs.edi);
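Review bot: The entry points are computed from `par->pmi_base[1]` and `par->pmi_base[2]` without comparing either offset to the number of bytes copied, `(u16)task->t.regs.ecx`. Both the length and the offsets come from the firmware table, so an offset at or beyond the length leaves `pmi_start` or `pmi_pal` pointing past the end of the executable allocation, and a length below three u16 words means the offsets are read from outside the table. A guard before the `memcpy` would close this: `if (len < 3 * sizeof(u16) || par->pmi_base[1] >= len || par->pmi_base[2] >= len)` with `len` holding the u16 size, then fall back to `par->pmi_setpal = par->ypan = 0`. The vesafb.c hunk at `@@ -329,9 +339,25 @@` does the same copy with `screen_info.vesapm_size` and needs the same check. Several preprocessor lines of this hunk are missing from the page, and the function continues outside it.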
29601 @@ -1800,6 +1823,11 @@ out:
29602 if (par->vbe_modes)
29603 kfree(par->vbe_modes);
29605 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29606 + if (par->pmi_code)
29607 + module_free_exec(NULL, par->pmi_code);
29610 framebuffer_release(info);
29613 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
29614 kfree(par->vbe_state_orig);
29615 if (par->vbe_state_saved)
29616 kfree(par->vbe_state_saved);
29618 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29619 + if (par->pmi_code)
29620 + module_free_exec(NULL, par->pmi_code);
29625 framebuffer_release(info);
29626 diff -urNp linux-2.6.36.2/drivers/video/vesafb.c linux-2.6.36.2/drivers/video/vesafb.c
29627 --- linux-2.6.36.2/drivers/video/vesafb.c 2010-10-20 16:30:22.000000000 -0400
29628 +++ linux-2.6.36.2/drivers/video/vesafb.c 2010-12-09 20:24:29.000000000 -0500
29632 #include <linux/module.h>
29633 +#include <linux/moduleloader.h>
29634 #include <linux/kernel.h>
29635 #include <linux/errno.h>
29636 #include <linux/string.h>
29637 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
29638 static int vram_total __initdata; /* Set total amount of memory */
29639 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
29640 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
29641 -static void (*pmi_start)(void) __read_mostly;
29642 -static void (*pmi_pal) (void) __read_mostly;
29643 +static void (*pmi_start)(void) __read_only;
29644 +static void (*pmi_pal) (void) __read_only;
29645 static int depth __read_mostly;
29646 static int vga_compat __read_mostly;
29647 /* --------------------------------------------------------------------- */
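Review bot: Marking `pmi_start` and `pmi_pal` as `__read_only` means every later assignment has to sit inside a `pax_open_kernel()` / `pax_close_kernel()` pair, and nothing at the declaration says so. In the probe hunk further down the assignments are bracketed that way only under `defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)`; what `__read_only` expands to in other configurations is not visible on this page. I would add `/* __read_only: assign only between pax_open_kernel() and pax_close_kernel() */` above the two declarations so a future writer does not fault on the store.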
29648 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
29649 unsigned int size_vmode;
29650 unsigned int size_remap;
29651 unsigned int size_total;
29652 + void *pmi_code = NULL;
29654 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
29656 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
29657 size_remap = size_total;
29658 vesafb_fix.smem_len = size_remap;
29661 - screen_info.vesapm_seg = 0;
29664 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
29665 printk(KERN_WARNING
29666 "vesafb: cannot reserve video memory at 0x%lx\n",
29667 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
29668 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
29669 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
29673 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29674 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
29676 +#elif !defined(CONFIG_PAX_KERNEXEC)
29681 + screen_info.vesapm_seg = 0;
29683 if (screen_info.vesapm_seg) {
29684 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
29685 - screen_info.vesapm_seg,screen_info.vesapm_off);
29686 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
29687 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
29690 if (screen_info.vesapm_seg < 0xc000)
29691 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
29693 if (ypan || pmi_setpal) {
29694 unsigned short *pmi_base;
29695 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29696 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
29697 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
29699 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29701 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29702 + pax_open_kernel();
29703 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
29705 + pmi_code = pmi_base;
29708 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
29709 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
29711 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29712 + pmi_start = ktva_ktla(pmi_start);
29713 + pmi_pal = ktva_ktla(pmi_pal);
29714 + pax_close_kernel();
29717 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
29719 printk(KERN_INFO "vesafb: pmi: ports = ");
29720 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
29721 info->node, info->fix.id);
29725 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29726 + module_free_exec(NULL, pmi_code);
29729 if (info->screen_base)
29730 iounmap(info->screen_base);
29731 framebuffer_release(info);
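Review bot: `module_free_exec(NULL, pmi_code)` runs unconditionally on this error path, although `pmi_code` is initialised to NULL and the two uvesafb.c cleanup hunks guard the same call with `if (par->pmi_code)`. Unless module_free_exec is known to accept NULL, make it `if (pmi_code) module_free_exec(NULL, pmi_code);`. The guard here also adds `defined(__i386__)`, which the visible allocation and copy guards do not carry. Lines around the allocation are missing from this page, so that may already match, but it is worth confirming that every configuration that allocates also frees.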
29732 diff -urNp linux-2.6.36.2/fs/9p/vfs_inode.c linux-2.6.36.2/fs/9p/vfs_inode.c
29733 --- linux-2.6.36.2/fs/9p/vfs_inode.c 2010-10-20 16:30:22.000000000 -0400
29734 +++ linux-2.6.36.2/fs/9p/vfs_inode.c 2010-12-09 20:24:36.000000000 -0500
29735 @@ -1539,7 +1539,7 @@ static void *v9fs_vfs_follow_link(struct
29737 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
29739 - char *s = nd_get_link(nd);
29740 + const char *s = nd_get_link(nd);
29742 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
29743 IS_ERR(s) ? "<error>" : s);
29744 diff -urNp linux-2.6.36.2/fs/aio.c linux-2.6.36.2/fs/aio.c
29745 --- linux-2.6.36.2/fs/aio.c 2010-10-20 16:30:22.000000000 -0400
29746 +++ linux-2.6.36.2/fs/aio.c 2010-12-09 20:24:38.000000000 -0500
29747 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
29748 size += sizeof(struct io_event) * nr_events;
29749 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
29751 - if (nr_pages < 0)
29752 + if (nr_pages <= 0)
29755 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
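Review bot: The changed test has no comment saying why zero is now rejected, and the reason is on the last line of the hunk: with `nr_pages == 0` the expression `PAGE_SIZE * nr_pages - sizeof(struct aio_ring)` goes below zero and, being unsigned arithmetic, wraps to a very large `nr_events`. A one-line comment above the test would record that, for example `/* nr_pages == 0 would make the nr_events computation below wrap */`. aio_setup_ring's body continues outside the hunk.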
29756 diff -urNp linux-2.6.36.2/fs/attr.c linux-2.6.36.2/fs/attr.c
29757 --- linux-2.6.36.2/fs/attr.c 2010-10-20 16:30:22.000000000 -0400
29758 +++ linux-2.6.36.2/fs/attr.c 2010-12-09 20:24:38.000000000 -0500
29759 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
29760 unsigned long limit;
29762 limit = rlimit(RLIMIT_FSIZE);
29763 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
29764 if (limit != RLIM_INFINITY && offset > limit)
29766 if (offset > inode->i_sb->s_maxbytes)
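Review bot: The cast in `gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1)` can truncate the value that is recorded. If `offset` is a 64-bit file offset (its declaration is outside the hunk), a 32-bit kernel drops the high half, so the learned RLIMIT_FSIZE figure can be far smaller than the value the following `offset > limit` test compares. Saturating instead of truncating keeps the learned policy on the safe side, e.g. `offset > ULONG_MAX ? ULONG_MAX : (unsigned long)offset`.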
29767 diff -urNp linux-2.6.36.2/fs/autofs/root.c linux-2.6.36.2/fs/autofs/root.c
29768 --- linux-2.6.36.2/fs/autofs/root.c 2010-10-20 16:30:22.000000000 -0400
29769 +++ linux-2.6.36.2/fs/autofs/root.c 2010-12-09 20:24:41.000000000 -0500
29770 @@ -27,7 +27,9 @@ static int autofs_root_unlink(struct ino
29771 static int autofs_root_rmdir(struct inode *,struct dentry *);
29772 static int autofs_root_mkdir(struct inode *,struct dentry *,int);
29773 static long autofs_root_ioctl(struct file *,unsigned int,unsigned long);
29774 +#ifdef CONFIG_COMPAT
29775 static long autofs_root_compat_ioctl(struct file *,unsigned int,unsigned long);
29778 const struct file_operations autofs_root_operations = {
29779 .llseek = generic_file_llseek,
29780 @@ -306,7 +308,8 @@ static int autofs_root_symlink(struct in
29781 set_bit(n,sbi->symlink_bitmap);
29782 sl = &sbi->symlink[n];
29783 sl->len = strlen(symname);
29784 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
29785 + slsize = sl->len+1;
29786 + sl->data = kmalloc(slsize, GFP_KERNEL);
29788 clear_bit(n,sbi->symlink_bitmap);
29790 diff -urNp linux-2.6.36.2/fs/autofs4/root.c linux-2.6.36.2/fs/autofs4/root.c
29791 --- linux-2.6.36.2/fs/autofs4/root.c 2010-10-20 16:30:22.000000000 -0400
29792 +++ linux-2.6.36.2/fs/autofs4/root.c 2010-12-09 20:24:42.000000000 -0500
29793 @@ -28,7 +28,9 @@ static int autofs4_dir_unlink(struct ino
29794 static int autofs4_dir_rmdir(struct inode *,struct dentry *);
29795 static int autofs4_dir_mkdir(struct inode *,struct dentry *,int);
29796 static long autofs4_root_ioctl(struct file *,unsigned int,unsigned long);
29797 +#ifdef CONFIG_COMPAT
29798 static long autofs4_root_compat_ioctl(struct file *,unsigned int,unsigned long);
29800 static int autofs4_dir_open(struct inode *inode, struct file *file);
29801 static struct dentry *autofs4_lookup(struct inode *,struct dentry *, struct nameidata *);
29802 static void *autofs4_follow_link(struct dentry *, struct nameidata *);
29803 diff -urNp linux-2.6.36.2/fs/autofs4/symlink.c linux-2.6.36.2/fs/autofs4/symlink.c
29804 --- linux-2.6.36.2/fs/autofs4/symlink.c 2010-10-20 16:30:22.000000000 -0400
29805 +++ linux-2.6.36.2/fs/autofs4/symlink.c 2010-12-09 20:24:42.000000000 -0500
29807 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
29809 struct autofs_info *ino = autofs4_dentry_ino(dentry);
29810 - nd_set_link(nd, (char *)ino->u.symlink);
29811 + nd_set_link(nd, ino->u.symlink);
29815 diff -urNp linux-2.6.36.2/fs/befs/linuxvfs.c linux-2.6.36.2/fs/befs/linuxvfs.c
29816 --- linux-2.6.36.2/fs/befs/linuxvfs.c 2010-10-20 16:30:22.000000000 -0400
29817 +++ linux-2.6.36.2/fs/befs/linuxvfs.c 2010-12-09 20:24:39.000000000 -0500
29818 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
29820 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
29821 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
29822 - char *link = nd_get_link(nd);
29823 + const char *link = nd_get_link(nd);
29827 diff -urNp linux-2.6.36.2/fs/binfmt_aout.c linux-2.6.36.2/fs/binfmt_aout.c
29828 --- linux-2.6.36.2/fs/binfmt_aout.c 2010-10-20 16:30:22.000000000 -0400
29829 +++ linux-2.6.36.2/fs/binfmt_aout.c 2010-12-09 20:24:40.000000000 -0500
29831 #include <linux/string.h>
29832 #include <linux/fs.h>
29833 #include <linux/file.h>
29834 +#include <linux/security.h>
29835 #include <linux/stat.h>
29836 #include <linux/fcntl.h>
29837 #include <linux/ptrace.h>
29838 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
29840 # define START_STACK(u) ((void __user *)u.start_stack)
29842 + memset(&dump, 0, sizeof(dump));
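Review bot: The added `memset(&dump, 0, sizeof(dump))` carries no comment saying what it protects against, so a later cleanup could take it for redundant initialisation. Assuming `dump` is the on-stack structure that aout_core_dump later writes into the core file (its declaration is outside the hunk), the clear keeps padding and never-assigned fields from carrying stale kernel stack bytes into that file. A suitable comment would be `/* clear padding and unset fields so no stale kernel stack bytes reach the core file */`.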
29847 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
29849 /* If the size of the dump file exceeds the rlimit, then see what would happen
29850 if we wrote the stack, but not the data area. */
29851 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
29852 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
29855 /* Make sure we have enough room to write the stack and data areas. */
29856 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
29857 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
29860 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
29861 rlim = rlimit(RLIMIT_DATA);
29862 if (rlim >= RLIM_INFINITY)
29865 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
29866 if (ex.a_data + ex.a_bss > rlim)
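Review bot: The sum `ex.a_data + ex.a_bss` passed to `gr_learn_resource()` is built from two size fields of the binary being loaded and can wrap if those fields are 32-bit (their types are declared outside the hunk). In that case both the learned value and the `> rlim` test on the next line see a small number for a very large request. Comparing without the addition avoids the wrap, e.g. `if (ex.a_data > rlim || ex.a_bss > rlim - ex.a_data)`, and the learned value can then be saturated rather than wrapped.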
29869 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
29870 install_exec_creds(bprm);
29871 current->flags &= ~PF_FORKNOEXEC;
29873 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29874 + current->mm->pax_flags = 0UL;
29877 +#ifdef CONFIG_PAX_PAGEEXEC
29878 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
29879 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
29881 +#ifdef CONFIG_PAX_EMUTRAMP
29882 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
29883 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
29886 +#ifdef CONFIG_PAX_MPROTECT
29887 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
29888 + current->mm->pax_flags |= MF_PAX_MPROTECT;
29894 if (N_MAGIC(ex) == OMAGIC) {
29895 unsigned long text_addr, map_size;
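Review bot: The polarity of the a.out header bits differs between features and nothing in the hunk says so: `MF_PAX_PAGEEXEC` and `MF_PAX_MPROTECT` are switched on when the corresponding `F_PAX_*` bit is clear, while `MF_PAX_EMUTRAMP` is switched on when its bit is set. A comment above the block would prevent a misread, for example `/* F_PAX_PAGEEXEC and F_PAX_MPROTECT are opt-out bits, F_PAX_EMUTRAMP is opt-in */`. The flags are also stored here without the `pax_check_flags()` validation that the ELF loader in fs/binfmt_elf.c applies in this same patch; if that is deliberate it should be stated. Some short lines of this block are not visible in this rendering, and load_aout_binary continues outside the hunk.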
29897 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
29899 down_write(¤t->mm->mmap_sem);
29900 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
29901 - PROT_READ | PROT_WRITE | PROT_EXEC,
29902 + PROT_READ | PROT_WRITE,
29903 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
29904 fd_offset + ex.a_text);
29905 up_write(¤t->mm->mmap_sem);
29906 diff -urNp linux-2.6.36.2/fs/binfmt_elf.c linux-2.6.36.2/fs/binfmt_elf.c
29907 --- linux-2.6.36.2/fs/binfmt_elf.c 2010-10-20 16:30:22.000000000 -0400
29908 +++ linux-2.6.36.2/fs/binfmt_elf.c 2010-12-09 20:24:38.000000000 -0500
29909 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
29910 #define elf_core_dump NULL
29913 +#ifdef CONFIG_PAX_MPROTECT
29914 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
29917 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
29918 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
29920 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
29921 .load_binary = load_elf_binary,
29922 .load_shlib = load_elf_library,
29923 .core_dump = elf_core_dump,
29925 +#ifdef CONFIG_PAX_MPROTECT
29926 + .handle_mprotect= elf_handle_mprotect,
29929 .min_coredump = ELF_EXEC_PAGESIZE,
29932 @@ -78,6 +87,8 @@ static struct linux_binfmt elf_format =
29934 static int set_brk(unsigned long start, unsigned long end)
29936 + unsigned long e = end;
29938 start = ELF_PAGEALIGN(start);
29939 end = ELF_PAGEALIGN(end);
29941 @@ -88,7 +99,7 @@ static int set_brk(unsigned long start,
29942 if (BAD_ADDR(addr))
29945 - current->mm->start_brk = current->mm->brk = end;
29946 + current->mm->start_brk = current->mm->brk = e;
29950 @@ -149,7 +160,7 @@ create_elf_tables(struct linux_binprm *b
29951 elf_addr_t __user *u_rand_bytes;
29952 const char *k_platform = ELF_PLATFORM;
29953 const char *k_base_platform = ELF_BASE_PLATFORM;
29954 - unsigned char k_rand_bytes[16];
29955 + u32 k_rand_bytes[4];
29957 elf_addr_t *elf_info;
29959 @@ -196,8 +207,12 @@ create_elf_tables(struct linux_binprm *b
29960 * Generate 16 random bytes for userspace PRNG seeding.
29962 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
29963 - u_rand_bytes = (elf_addr_t __user *)
29964 - STACK_ALLOC(p, sizeof(k_rand_bytes));
29965 + srandom32(k_rand_bytes[0] ^ random32());
29966 + srandom32(k_rand_bytes[1] ^ random32());
29967 + srandom32(k_rand_bytes[2] ^ random32());
29968 + srandom32(k_rand_bytes[3] ^ random32());
29969 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
29970 + u_rand_bytes = (elf_addr_t __user *) p;
29971 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
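Review bot: The four `srandom32(k_rand_bytes[i] ^ random32())` calls stir into the kernel PRNG the same words that `__copy_to_user()` hands to the new process on the last line of the hunk, while the retained comment still describes only userspace seeding. The process therefore knows one of the two inputs of every reseed, and only the `random32()` term keeps the seed material unknown to it. If the reseed is intended, it needs its own comment, e.g. `/* also stir the kernel random32() state; k_rand_bytes is disclosed to userspace and is not secret on its own */`. Otherwise a separate `get_random_bytes()` value that is never copied out would be the cleaner source. create_elf_tables continues outside the hunk.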
29974 @@ -386,10 +401,10 @@ static unsigned long load_elf_interp(str
29976 struct elf_phdr *elf_phdata;
29977 struct elf_phdr *eppnt;
29978 - unsigned long load_addr = 0;
29979 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
29980 int load_addr_set = 0;
29981 unsigned long last_bss = 0, elf_bss = 0;
29982 - unsigned long error = ~0UL;
29983 + unsigned long error = -EINVAL;
29984 unsigned long total_size;
29985 int retval, i, size;
29987 @@ -435,6 +450,11 @@ static unsigned long load_elf_interp(str
29991 +#ifdef CONFIG_PAX_SEGMEXEC
29992 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
29993 + pax_task_size = SEGMEXEC_TASK_SIZE;
29996 eppnt = elf_phdata;
29997 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
29998 if (eppnt->p_type == PT_LOAD) {
29999 @@ -478,8 +498,8 @@ static unsigned long load_elf_interp(str
30000 k = load_addr + eppnt->p_vaddr;
30002 eppnt->p_filesz > eppnt->p_memsz ||
30003 - eppnt->p_memsz > TASK_SIZE ||
30004 - TASK_SIZE - eppnt->p_memsz < k) {
30005 + eppnt->p_memsz > pax_task_size ||
30006 + pax_task_size - eppnt->p_memsz < k) {
30010 @@ -533,6 +553,177 @@ out:
30014 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
30015 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
30017 + unsigned long pax_flags = 0UL;
30019 +#ifdef CONFIG_PAX_PAGEEXEC
30020 + if (elf_phdata->p_flags & PF_PAGEEXEC)
30021 + pax_flags |= MF_PAX_PAGEEXEC;
30024 +#ifdef CONFIG_PAX_SEGMEXEC
30025 + if (elf_phdata->p_flags & PF_SEGMEXEC)
30026 + pax_flags |= MF_PAX_SEGMEXEC;
30029 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
30030 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30031 + if ((__supported_pte_mask & _PAGE_NX))
30032 + pax_flags &= ~MF_PAX_SEGMEXEC;
30034 + pax_flags &= ~MF_PAX_PAGEEXEC;
30038 +#ifdef CONFIG_PAX_EMUTRAMP
30039 + if (elf_phdata->p_flags & PF_EMUTRAMP)
30040 + pax_flags |= MF_PAX_EMUTRAMP;
30043 +#ifdef CONFIG_PAX_MPROTECT
30044 + if (elf_phdata->p_flags & PF_MPROTECT)
30045 + pax_flags |= MF_PAX_MPROTECT;
30048 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
30049 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
30050 + pax_flags |= MF_PAX_RANDMMAP;
30053 + return pax_flags;
30057 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
30058 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
30060 + unsigned long pax_flags = 0UL;
30062 +#ifdef CONFIG_PAX_PAGEEXEC
30063 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
30064 + pax_flags |= MF_PAX_PAGEEXEC;
30067 +#ifdef CONFIG_PAX_SEGMEXEC
30068 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
30069 + pax_flags |= MF_PAX_SEGMEXEC;
30072 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
30073 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30074 + if ((__supported_pte_mask & _PAGE_NX))
30075 + pax_flags &= ~MF_PAX_SEGMEXEC;
30077 + pax_flags &= ~MF_PAX_PAGEEXEC;
30081 +#ifdef CONFIG_PAX_EMUTRAMP
30082 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
30083 + pax_flags |= MF_PAX_EMUTRAMP;
30086 +#ifdef CONFIG_PAX_MPROTECT
30087 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
30088 + pax_flags |= MF_PAX_MPROTECT;
30091 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
30092 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
30093 + pax_flags |= MF_PAX_RANDMMAP;
30096 + return pax_flags;
30100 +#ifdef CONFIG_PAX_EI_PAX
30101 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
30103 + unsigned long pax_flags = 0UL;
30105 +#ifdef CONFIG_PAX_PAGEEXEC
30106 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
30107 + pax_flags |= MF_PAX_PAGEEXEC;
30110 +#ifdef CONFIG_PAX_SEGMEXEC
30111 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
30112 + pax_flags |= MF_PAX_SEGMEXEC;
30115 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
30116 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30117 + if ((__supported_pte_mask & _PAGE_NX))
30118 + pax_flags &= ~MF_PAX_SEGMEXEC;
30120 + pax_flags &= ~MF_PAX_PAGEEXEC;
30124 +#ifdef CONFIG_PAX_EMUTRAMP
30125 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
30126 + pax_flags |= MF_PAX_EMUTRAMP;
30129 +#ifdef CONFIG_PAX_MPROTECT
30130 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
30131 + pax_flags |= MF_PAX_MPROTECT;
30134 +#ifdef CONFIG_PAX_ASLR
30135 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
30136 + pax_flags |= MF_PAX_RANDMMAP;
30139 + return pax_flags;
30143 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
30144 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
30146 + unsigned long pax_flags = 0UL;
30148 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
30152 +#ifdef CONFIG_PAX_EI_PAX
30153 + pax_flags = pax_parse_ei_pax(elf_ex);
30156 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
30157 + for (i = 0UL; i < elf_ex->e_phnum; i++)
30158 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
30159 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
30160 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
30161 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
30162 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
30163 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
30166 +#ifdef CONFIG_PAX_SOFTMODE
30167 + if (pax_softmode)
30168 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
30172 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
30177 + if (0 > pax_check_flags(&pax_flags))
30180 + current->mm->pax_flags = pax_flags;
30186 * These are the functions used to load ELF style executables and shared
30187 * libraries. There is no binary dependent code anywhere else.
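Review bot: `pax_parse_softmode()` and `pax_parse_hardmode()` set `MF_PAX_EMUTRAMP` and `MF_PAX_MPROTECT` from the PT_PAX_FLAGS bits alone, whereas `pax_parse_ei_pax()` sets them only when `pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)` is non-zero. Unless `pax_check_flags()` (called from `pax_parse_elf_flags()`, body not shown) normalises this, the two header formats can yield different flag sets for the same intent. The hardmode test could use the same guard, e.g. `if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_phdata->p_flags & PF_NOMPROTECT))`, or a comment should say why the formats differ. The block that resolves PAGEEXEC against SEGMEXEC via `__supported_pte_mask & _PAGE_NX` is also repeated verbatim in all three parsers and would be easier to audit as one static helper.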
30188 @@ -549,6 +740,11 @@ static unsigned long randomize_stack_top
30190 unsigned int random_variable = 0;
30192 +#ifdef CONFIG_PAX_RANDUSTACK
30193 + if (randomize_va_space)
30194 + return stack_top - current->mm->delta_stack;
30197 if ((current->flags & PF_RANDOMIZE) &&
30198 !(current->personality & ADDR_NO_RANDOMIZE)) {
30199 random_variable = get_random_int() & STACK_RND_MASK;
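Review bot: The early `return stack_top - current->mm->delta_stack;` is taken whenever `randomize_va_space` is set, before the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` test that follows, so with CONFIG_PAX_RANDUSTACK the stack offset depends only on `delta_stack`. That value is zeroed in load_elf_binary and filled in only for `MF_PAX_RANDMMAP` tasks, which means a binary that opted out gets no stack randomisation from this function at all. The dependency is invisible at this site and should be recorded, e.g. `/* delta_stack is 0 unless MF_PAX_RANDMMAP was set at exec; personality flags are not consulted here */`. randomize_stack_top continues outside the hunk.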
30200 @@ -567,7 +763,7 @@ static int load_elf_binary(struct linux_
30201 unsigned long load_addr = 0, load_bias = 0;
30202 int load_addr_set = 0;
30203 char * elf_interpreter = NULL;
30204 - unsigned long error;
30205 + unsigned long error = 0;
30206 struct elf_phdr *elf_ppnt, *elf_phdata;
30207 unsigned long elf_bss, elf_brk;
30209 @@ -577,11 +773,11 @@ static int load_elf_binary(struct linux_
30210 unsigned long start_code, end_code, start_data, end_data;
30211 unsigned long reloc_func_desc = 0;
30212 int executable_stack = EXSTACK_DEFAULT;
30213 - unsigned long def_flags = 0;
30215 struct elfhdr elf_ex;
30216 struct elfhdr interp_elf_ex;
30218 + unsigned long pax_task_size = TASK_SIZE;
30220 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
30222 @@ -719,11 +915,80 @@ static int load_elf_binary(struct linux_
30224 /* OK, This is the point of no return */
30225 current->flags &= ~PF_FORKNOEXEC;
30226 - current->mm->def_flags = def_flags;
30228 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30229 + current->mm->pax_flags = 0UL;
30232 +#ifdef CONFIG_PAX_DLRESOLVE
30233 + current->mm->call_dl_resolve = 0UL;
30236 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
30237 + current->mm->call_syscall = 0UL;
30240 +#ifdef CONFIG_PAX_ASLR
30241 + current->mm->delta_mmap = 0UL;
30242 + current->mm->delta_stack = 0UL;
30245 + current->mm->def_flags = 0;
30247 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
30248 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
30249 + send_sig(SIGKILL, current, 0);
30250 + goto out_free_dentry;
30254 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
30255 + pax_set_initial_flags(bprm);
30256 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
30257 + if (pax_set_initial_flags_func)
30258 + (pax_set_initial_flags_func)(bprm);
30261 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
30262 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
30263 + current->mm->context.user_cs_limit = PAGE_SIZE;
30264 + current->mm->def_flags |= VM_PAGEEXEC;
30268 +#ifdef CONFIG_PAX_SEGMEXEC
30269 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
30270 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
30271 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
30272 + pax_task_size = SEGMEXEC_TASK_SIZE;
30276 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
30277 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30278 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
30283 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
30284 may depend on the personality. */
30285 SET_PERSONALITY(loc->elf_ex);
30287 +#ifdef CONFIG_PAX_ASLR
30288 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
30289 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
30290 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
30294 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30295 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30296 + executable_stack = EXSTACK_DISABLE_X;
30297 + current->personality &= ~READ_IMPLIES_EXEC;
30301 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
30302 current->personality |= READ_IMPLIES_EXEC;
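Review bot: In the CONFIG_PAX_HOOK_ACL_FLAGS branch `pax_set_initial_flags_func` is read once for the NULL test and again for the call. If the hook can be cleared concurrently, for instance by a module unregistering it (its definition and writers are outside this hunk), the second read may see NULL or a stale pointer. Reading it once into a local with `ACCESS_ONCE(pax_set_initial_flags_func)` and testing and calling that local closes the window. load_elf_binary continues outside the hunk.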
30304 @@ -805,6 +1070,20 @@ static int load_elf_binary(struct linux_
30306 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
30309 +#ifdef CONFIG_PAX_RANDMMAP
30310 + /* PaX: randomize base address at the default exe base if requested */
30311 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
30312 +#ifdef CONFIG_SPARC64
30313 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
30315 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
30317 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
30318 + elf_flags |= MAP_FIXED;
30324 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
30325 @@ -837,9 +1116,9 @@ static int load_elf_binary(struct linux_
30326 * allowed task size. Note that p_filesz must always be
30327 * <= p_memsz so it is only necessary to check p_memsz.
30329 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
30330 - elf_ppnt->p_memsz > TASK_SIZE ||
30331 - TASK_SIZE - elf_ppnt->p_memsz < k) {
30332 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
30333 + elf_ppnt->p_memsz > pax_task_size ||
30334 + pax_task_size - elf_ppnt->p_memsz < k) {
30335 /* set_brk can never work. Avoid overflows. */
30336 send_sig(SIGKILL, current, 0);
30338 @@ -867,6 +1146,11 @@ static int load_elf_binary(struct linux_
30339 start_data += load_bias;
30340 end_data += load_bias;
30342 +#ifdef CONFIG_PAX_RANDMMAP
30343 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
30344 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
30347 /* Calling set_brk effectively mmaps the pages that we need
30348 * for the bss and break sections. We must do this before
30349 * mapping in the interpreter, to make sure it doesn't wind
30350 @@ -878,9 +1162,11 @@ static int load_elf_binary(struct linux_
30351 goto out_free_dentry;
30353 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
30354 - send_sig(SIGSEGV, current, 0);
30355 - retval = -EFAULT; /* Nobody gets to see this, but.. */
30356 - goto out_free_dentry;
30358 + * This bss-zeroing can fail if the ELF
30359 + * file specifies odd protections. So
30360 + * we don't check the return value
30364 if (elf_interpreter) {
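Review bot: The `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` test is left with a body that holds only a comment, so `padzero()` still runs but a failure that used to end the exec with SIGSEGV is now dropped silently. The new comment explains when zeroing can fail but not what the process is left with; presumably the tail of the last bss page then keeps whatever the file mapping contains instead of zeros. The comment should state that consequence and why it is acceptable, so that the empty branch is not mistaken for an accidental deletion.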
30365 @@ -1091,7 +1377,7 @@ out:
30366 * Decide what to dump of a segment, part, all or none.
30368 static unsigned long vma_dump_size(struct vm_area_struct *vma,
30369 - unsigned long mm_flags)
30370 + unsigned long mm_flags, long signr)
30372 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
30374 @@ -1125,7 +1411,7 @@ static unsigned long vma_dump_size(struc
30375 if (vma->vm_file == NULL)
30378 - if (FILTER(MAPPED_PRIVATE))
30379 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
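Review bot: `signr == SIGKILL` is an unexplained special case: in `if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))` it appears to make file-backed private mappings part of the dump even when the MAPPED_PRIVATE coredump filter bit is off. Such cores hold more process memory than the administrator's filter asked for, which matters for how they are stored and who can read them. A comment should name which SIGKILL-terminated dumps this is meant for, e.g. `/* dumps for SIGKILL-terminated tasks (see cprm->signr) include file-backed private mappings regardless of the filter */`. vma_dump_size continues outside the hunk.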
30383 @@ -1347,9 +1633,9 @@ static void fill_auxv_note(struct memelf
30385 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
30390 - while (auxv[i - 2] != AT_NULL);
30391 + } while (auxv[i - 2] != AT_NULL);
30392 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
30395 @@ -1855,14 +2141,14 @@ static void fill_extnum_info(struct elfh
30398 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
30399 - unsigned long mm_flags)
30400 + struct coredump_params *cprm)
30402 struct vm_area_struct *vma;
30405 for (vma = first_vma(current, gate_vma); vma != NULL;
30406 vma = next_vma(vma, gate_vma))
30407 - size += vma_dump_size(vma, mm_flags);
30408 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
30412 @@ -1956,7 +2242,7 @@ static int elf_core_dump(struct coredump
30414 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
30416 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
30417 + offset += elf_core_vma_data_size(gate_vma, cprm);
30418 offset += elf_core_extra_data_size();
30421 @@ -1970,10 +2256,12 @@ static int elf_core_dump(struct coredump
30424 size += sizeof(*elf);
30425 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30426 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
30429 size += sizeof(*phdr4note);
30430 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30431 if (size > cprm->limit
30432 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
30434 @@ -1987,7 +2275,7 @@ static int elf_core_dump(struct coredump
30435 phdr.p_offset = offset;
30436 phdr.p_vaddr = vma->vm_start;
30438 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
30439 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
30440 phdr.p_memsz = vma->vm_end - vma->vm_start;
30441 offset += phdr.p_filesz;
30442 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
30443 @@ -1998,6 +2286,7 @@ static int elf_core_dump(struct coredump
30444 phdr.p_align = ELF_EXEC_PAGESIZE;
30446 size += sizeof(phdr);
30447 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30448 if (size > cprm->limit
30449 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
30451 @@ -2022,7 +2311,7 @@ static int elf_core_dump(struct coredump
30452 unsigned long addr;
30455 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
30456 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
30458 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
30460 @@ -2031,6 +2320,7 @@ static int elf_core_dump(struct coredump
30461 page = get_dump_page(addr);
30463 void *kaddr = kmap(page);
30464 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
30465 stop = ((size += PAGE_SIZE) > cprm->limit) ||
30466 !dump_write(cprm->file, kaddr,
30468 @@ -2048,6 +2338,7 @@ static int elf_core_dump(struct coredump
30470 if (e_phnum == PN_XNUM) {
30471 size += sizeof(*shdr4extnum);
30472 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30473 if (size > cprm->limit
30474 || !dump_write(cprm->file, shdr4extnum,
30475 sizeof(*shdr4extnum)))
30476 @@ -2068,6 +2359,97 @@ out:
30478 #endif /* CONFIG_ELF_CORE */
30480 +#ifdef CONFIG_PAX_MPROTECT
30481 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
30482 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
30483 + * we'll remove VM_MAYWRITE for good on RELRO segments.
30485 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
30486 + * basis because we want to allow the common case and not the special ones.
30488 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
30490 + struct elfhdr elf_h;
30491 + struct elf_phdr elf_p;
30493 + unsigned long oldflags;
30494 + bool is_textrel_rw, is_textrel_rx, is_relro;
30496 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
30499 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
30500 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
30502 +#ifdef CONFIG_PAX_ELFRELOCS
30503 + /* possible TEXTREL */
30504 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
30505 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
30507 + is_textrel_rw = false;
30508 + is_textrel_rx = false;
30511 + /* possible RELRO */
30512 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
30514 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
30517 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
30518 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
30520 +#ifdef CONFIG_PAX_ETEXECRELOCS
30521 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
30523 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
30526 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
30527 + !elf_check_arch(&elf_h) ||
30528 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
30529 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
30532 + for (i = 0UL; i < elf_h.e_phnum; i++) {
30533 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
30535 + switch (elf_p.p_type) {
30537 + if (!is_textrel_rw && !is_textrel_rx)
30540 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
30543 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
30545 + if (dyn.d_tag == DT_NULL)
30547 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
30548 + gr_log_textrel(vma);
30549 + if (is_textrel_rw)
30550 + vma->vm_flags |= VM_MAYWRITE;
30552 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
30553 + vma->vm_flags &= ~VM_MAYWRITE;
30560 + case PT_GNU_RELRO:
30563 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
30564 + vma->vm_flags &= ~VM_MAYWRITE;
30571 static int __init init_elf_binfmt(void)
30573 return register_binfmt(&elf_format);
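Review bot: In `elf_handle_mprotect()` the PT_DYNAMIC scan reuses the outer program-header index `i` as its own counter (`while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz)` inside `for (i = 0UL; i < elf_h.e_phnum; i++)`). That is safe only if every path out of the inner loop leaves the function, and several short lines of the function are not visible in this rendering, so it cannot be confirmed here. A separate index, e.g. `unsigned long j = 0UL;` with `elf_p.p_offset + j*sizeof(dyn)`, removes the dependency. The scan length is also bounded only by the file-supplied `elf_p.p_filesz`, unlike `e_phnum`, which is capped at `65536UL / sizeof(struct elf_phdr)`; a similar cap on the number of dynamic entries read would bound the file I/O done on the mprotect path.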
30574 diff -urNp linux-2.6.36.2/fs/binfmt_flat.c linux-2.6.36.2/fs/binfmt_flat.c
30575 --- linux-2.6.36.2/fs/binfmt_flat.c 2010-10-20 16:30:22.000000000 -0400
30576 +++ linux-2.6.36.2/fs/binfmt_flat.c 2010-12-09 20:24:37.000000000 -0500
30577 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
30578 realdatastart = (unsigned long) -ENOMEM;
30579 printk("Unable to allocate RAM for process data, errno %d\n",
30580 (int)-realdatastart);
30581 + down_write(¤t->mm->mmap_sem);
30582 do_munmap(current->mm, textpos, text_len);
30583 + up_write(¤t->mm->mmap_sem);
30584 ret = realdatastart;
30587 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
30589 if (IS_ERR_VALUE(result)) {
30590 printk("Unable to read data+bss, errno %d\n", (int)-result);
30591 + down_write(¤t->mm->mmap_sem);
30592 do_munmap(current->mm, textpos, text_len);
30593 do_munmap(current->mm, realdatastart, len);
30594 + up_write(¤t->mm->mmap_sem);
30598 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
30600 if (IS_ERR_VALUE(result)) {
30601 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
30602 + down_write(¤t->mm->mmap_sem);
30603 do_munmap(current->mm, textpos, text_len + data_len + extra +
30604 MAX_SHARED_LIBS * sizeof(unsigned long));
30605 + up_write(¤t->mm->mmap_sem);
30609 diff -urNp linux-2.6.36.2/fs/binfmt_misc.c linux-2.6.36.2/fs/binfmt_misc.c
30610 --- linux-2.6.36.2/fs/binfmt_misc.c 2010-10-20 16:30:22.000000000 -0400
30611 +++ linux-2.6.36.2/fs/binfmt_misc.c 2010-12-09 20:24:36.000000000 -0500
30612 @@ -694,7 +694,7 @@ static int bm_fill_super(struct super_bl
30613 static struct tree_descr bm_files[] = {
30614 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
30615 [3] = {"register", &bm_register_operations, S_IWUSR},
30616 - /* last one */ {""}
30617 + /* last one */ {"", NULL, 0}
30619 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
30621 diff -urNp linux-2.6.36.2/fs/bio.c linux-2.6.36.2/fs/bio.c
30622 --- linux-2.6.36.2/fs/bio.c 2010-12-09 20:53:48.000000000 -0500
30623 +++ linux-2.6.36.2/fs/bio.c 2010-12-09 20:24:41.000000000 -0500
30624 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
30625 const int read = bio_data_dir(bio) == READ;
30626 struct bio_map_data *bmd = bio->bi_private;
30628 - char *p = bmd->sgvecs[0].iov_base;
30629 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
30631 __bio_for_each_segment(bvec, bio, i, 0) {
30632 char *addr = page_address(bvec->bv_page);
30633 diff -urNp linux-2.6.36.2/fs/block_dev.c linux-2.6.36.2/fs/block_dev.c
30634 --- linux-2.6.36.2/fs/block_dev.c 2010-10-20 16:30:22.000000000 -0400
30635 +++ linux-2.6.36.2/fs/block_dev.c 2010-12-09 20:24:39.000000000 -0500
30636 @@ -648,7 +648,7 @@ static bool bd_may_claim(struct block_de
30637 else if (bdev->bd_contains == bdev)
30638 return true; /* is a whole device which isn't held */
30640 - else if (whole->bd_holder == bd_claim)
30641 + else if (whole->bd_holder == (void *)bd_claim)
30642 return true; /* is a partition of a device that is being partitioned */
30643 else if (whole->bd_holder != NULL)
30644 return false; /* is a partition of a held device */
30645 diff -urNp linux-2.6.36.2/fs/btrfs/ctree.c linux-2.6.36.2/fs/btrfs/ctree.c
30646 --- linux-2.6.36.2/fs/btrfs/ctree.c 2010-10-20 16:30:22.000000000 -0400
30647 +++ linux-2.6.36.2/fs/btrfs/ctree.c 2010-12-09 20:24:37.000000000 -0500
30648 @@ -468,9 +468,12 @@ static noinline int __btrfs_cow_block(st
30649 free_extent_buffer(buf);
30650 add_root_to_dirty_list(root);
30652 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
30653 - parent_start = parent->start;
30655 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
30657 + parent_start = parent->start;
30659 + parent_start = 0;
30663 WARN_ON(trans->transid != btrfs_header_generation(parent));
30664 @@ -3763,7 +3766,6 @@ setup_items_for_insert(struct btrfs_tran
30668 - struct btrfs_disk_key disk_key;
30669 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
30670 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
30672 diff -urNp linux-2.6.36.2/fs/btrfs/disk-io.c linux-2.6.36.2/fs/btrfs/disk-io.c
30673 --- linux-2.6.36.2/fs/btrfs/disk-io.c 2010-10-20 16:30:22.000000000 -0400
30674 +++ linux-2.6.36.2/fs/btrfs/disk-io.c 2010-12-09 20:24:37.000000000 -0500
30676 #include "tree-log.h"
30677 #include "free-space-cache.h"
30679 -static struct extent_io_ops btree_extent_io_ops;
30680 +static const struct extent_io_ops btree_extent_io_ops;
30681 static void end_workqueue_fn(struct btrfs_work *work);
30682 static void free_fs_root(struct btrfs_root *root);
30684 @@ -2597,7 +2597,7 @@ out:
30688 -static struct extent_io_ops btree_extent_io_ops = {
30689 +static const struct extent_io_ops btree_extent_io_ops = {
30690 .write_cache_pages_lock_hook = btree_lock_page_hook,
30691 .readpage_end_io_hook = btree_readpage_end_io_hook,
30692 .submit_bio_hook = btree_submit_bio_hook,
30693 diff -urNp linux-2.6.36.2/fs/btrfs/extent_io.h linux-2.6.36.2/fs/btrfs/extent_io.h
30694 --- linux-2.6.36.2/fs/btrfs/extent_io.h 2010-10-20 16:30:22.000000000 -0400
30695 +++ linux-2.6.36.2/fs/btrfs/extent_io.h 2010-12-09 20:24:37.000000000 -0500
30696 @@ -51,36 +51,36 @@ typedef int (extent_submit_bio_hook_t)(s
30697 struct bio *bio, int mirror_num,
30698 unsigned long bio_flags, u64 bio_offset);
30699 struct extent_io_ops {
30700 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
30701 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
30702 u64 start, u64 end, int *page_started,
30703 unsigned long *nr_written);
30704 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
30705 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
30706 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
30707 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
30708 extent_submit_bio_hook_t *submit_bio_hook;
30709 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
30710 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
30711 size_t size, struct bio *bio,
30712 unsigned long bio_flags);
30713 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
30714 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
30715 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
30716 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
30717 u64 start, u64 end,
30718 struct extent_state *state);
30719 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
30720 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
30721 u64 start, u64 end,
30722 struct extent_state *state);
30723 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30724 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30725 struct extent_state *state);
30726 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30727 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30728 struct extent_state *state, int uptodate);
30729 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
30730 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
30732 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
30733 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
30735 - int (*merge_extent_hook)(struct inode *inode,
30736 + int (* const merge_extent_hook)(struct inode *inode,
30737 struct extent_state *new,
30738 struct extent_state *other);
30739 - int (*split_extent_hook)(struct inode *inode,
30740 + int (* const split_extent_hook)(struct inode *inode,
30741 struct extent_state *orig, u64 split);
30742 - int (*write_cache_pages_lock_hook)(struct page *page);
30743 + int (* const write_cache_pages_lock_hook)(struct page *page);
30746 struct extent_io_tree {
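Review bot: `submit_bio_hook` is the only hook in `struct extent_io_ops` that this hunk leaves without a `const` qualifier on the member itself; every other hook becomes `int (* const name)(...)` while this one stays `extent_submit_bio_hook_t *submit_bio_hook;`. If the goal is that no hook pointer can be reassigned after initialisation, the typedef'd member needs the same treatment: `extent_submit_bio_hook_t * const submit_bio_hook;`. The two ops tables visible in this patch (`btree_extent_io_ops`, `btrfs_extent_io_ops`) are already declared `static const`, so this is a consistency point about the type-level guarantee.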
30747 @@ -90,7 +90,7 @@ struct extent_io_tree {
30750 spinlock_t buffer_lock;
30751 - struct extent_io_ops *ops;
30752 + const struct extent_io_ops *ops;
30755 struct extent_state {
30756 diff -urNp linux-2.6.36.2/fs/btrfs/free-space-cache.c linux-2.6.36.2/fs/btrfs/free-space-cache.c
30757 --- linux-2.6.36.2/fs/btrfs/free-space-cache.c 2010-10-20 16:30:22.000000000 -0400
30758 +++ linux-2.6.36.2/fs/btrfs/free-space-cache.c 2010-12-09 20:24:37.000000000 -0500
30759 @@ -1075,8 +1075,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
30762 if (entry->bytes < bytes || entry->offset < min_start) {
30763 - struct rb_node *node;
30765 node = rb_next(&entry->offset_index);
30768 @@ -1227,7 +1225,7 @@ again:
30770 while (entry->bitmap || found_bitmap ||
30771 (!entry->bitmap && entry->bytes < min_bytes)) {
30772 - struct rb_node *node = rb_next(&entry->offset_index);
30773 + node = rb_next(&entry->offset_index);
30775 if (entry->bitmap && entry->bytes > bytes + empty_size) {
30776 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
30777 diff -urNp linux-2.6.36.2/fs/btrfs/inode.c linux-2.6.36.2/fs/btrfs/inode.c
30778 --- linux-2.6.36.2/fs/btrfs/inode.c 2010-10-20 16:30:22.000000000 -0400
30779 +++ linux-2.6.36.2/fs/btrfs/inode.c 2010-12-09 20:24:37.000000000 -0500
30780 @@ -64,7 +64,7 @@ static const struct inode_operations btr
30781 static const struct address_space_operations btrfs_aops;
30782 static const struct address_space_operations btrfs_symlink_aops;
30783 static const struct file_operations btrfs_dir_file_operations;
30784 -static struct extent_io_ops btrfs_extent_io_ops;
30785 +static const struct extent_io_ops btrfs_extent_io_ops;
30787 static struct kmem_cache *btrfs_inode_cachep;
30788 struct kmem_cache *btrfs_trans_handle_cachep;
30789 @@ -6964,7 +6964,7 @@ static const struct file_operations btrf
30790 .fsync = btrfs_sync_file,
30793 -static struct extent_io_ops btrfs_extent_io_ops = {
30794 +static const struct extent_io_ops btrfs_extent_io_ops = {
30795 .fill_delalloc = run_delalloc_range,
30796 .submit_bio_hook = btrfs_submit_bio_hook,
30797 .merge_bio_hook = btrfs_merge_bio_hook,
30798 diff -urNp linux-2.6.36.2/fs/btrfs/relocation.c linux-2.6.36.2/fs/btrfs/relocation.c
30799 --- linux-2.6.36.2/fs/btrfs/relocation.c 2010-10-20 16:30:22.000000000 -0400
30800 +++ linux-2.6.36.2/fs/btrfs/relocation.c 2010-12-09 20:24:37.000000000 -0500
30801 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
30803 spin_unlock(&rc->reloc_root_tree.lock);
30805 - BUG_ON((struct btrfs_root *)node->data != root);
30806 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
30809 spin_lock(&rc->reloc_root_tree.lock);
30810 diff -urNp linux-2.6.36.2/fs/cachefiles/bind.c linux-2.6.36.2/fs/cachefiles/bind.c
30811 --- linux-2.6.36.2/fs/cachefiles/bind.c 2010-10-20 16:30:22.000000000 -0400
30812 +++ linux-2.6.36.2/fs/cachefiles/bind.c 2010-12-09 20:24:41.000000000 -0500
30813 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
30816 /* start by checking things over */
30817 - ASSERT(cache->fstop_percent >= 0 &&
30818 - cache->fstop_percent < cache->fcull_percent &&
30819 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
30820 cache->fcull_percent < cache->frun_percent &&
30821 cache->frun_percent < 100);
30823 - ASSERT(cache->bstop_percent >= 0 &&
30824 - cache->bstop_percent < cache->bcull_percent &&
30825 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
30826 cache->bcull_percent < cache->brun_percent &&
30827 cache->brun_percent < 100);
30829 diff -urNp linux-2.6.36.2/fs/cachefiles/daemon.c linux-2.6.36.2/fs/cachefiles/daemon.c
30830 --- linux-2.6.36.2/fs/cachefiles/daemon.c 2010-10-20 16:30:22.000000000 -0400
30831 +++ linux-2.6.36.2/fs/cachefiles/daemon.c 2010-12-09 20:24:41.000000000 -0500
30832 @@ -195,7 +195,7 @@ static ssize_t cachefiles_daemon_read(st
30836 - if (copy_to_user(_buffer, buffer, n) != 0)
30837 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
30841 @@ -221,7 +221,7 @@ static ssize_t cachefiles_daemon_write(s
30842 if (test_bit(CACHEFILES_DEAD, &cache->flags))
30845 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
30846 + if (datalen > PAGE_SIZE - 1)
30847 return -EOPNOTSUPP;
30849 /* drag the command string into the kernel so we can parse it */
30850 @@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
30851 if (args[0] != '%' || args[1] != '\0')
30854 - if (fstop < 0 || fstop >= cache->fcull_percent)
30855 + if (fstop >= cache->fcull_percent)
30856 return cachefiles_daemon_range_error(cache, args);
30858 cache->fstop_percent = fstop;
30859 @@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
30860 if (args[0] != '%' || args[1] != '\0')
30863 - if (bstop < 0 || bstop >= cache->bcull_percent)
30864 + if (bstop >= cache->bcull_percent)
30865 return cachefiles_daemon_range_error(cache, args);
30867 cache->bstop_percent = bstop;
30868 diff -urNp linux-2.6.36.2/fs/cachefiles/rdwr.c linux-2.6.36.2/fs/cachefiles/rdwr.c
30869 --- linux-2.6.36.2/fs/cachefiles/rdwr.c 2010-10-20 16:30:22.000000000 -0400
30870 +++ linux-2.6.36.2/fs/cachefiles/rdwr.c 2010-12-09 20:24:41.000000000 -0500
30871 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
30874 ret = file->f_op->write(
30875 - file, (const void __user *) data, len, &pos);
30876 + file, (__force const void __user *) data, len, &pos);
30880 diff -urNp linux-2.6.36.2/fs/ceph/dir.c linux-2.6.36.2/fs/ceph/dir.c
30881 --- linux-2.6.36.2/fs/ceph/dir.c 2010-10-20 16:30:22.000000000 -0400
30882 +++ linux-2.6.36.2/fs/ceph/dir.c 2010-12-09 20:24:36.000000000 -0500
30883 @@ -230,7 +230,7 @@ static int ceph_readdir(struct file *fil
30884 struct ceph_client *client = ceph_inode_to_client(inode);
30885 struct ceph_mds_client *mdsc = &client->mdsc;
30886 unsigned frag = fpos_frag(filp->f_pos);
30887 - int off = fpos_off(filp->f_pos);
30888 + unsigned int off = fpos_off(filp->f_pos);
30891 struct ceph_mds_reply_info_parsed *rinfo;
30892 @@ -359,7 +359,7 @@ more:
30893 rinfo = &fi->last_readdir->r_reply_info;
30894 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
30895 rinfo->dir_nr, off, fi->offset);
30896 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
30897 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
30898 u64 pos = ceph_make_fpos(frag, off);
30899 struct ceph_mds_reply_inode *in =
30900 rinfo->dir_in[off - fi->offset].in;
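Review bot: The `dout()` call in this hunk still prints `off` with `%d`, although the previous hunk in this file changes `off` to `unsigned int`. The specifier should follow the type: `dout("readdir frag %x num %d off %u chunkoff %d\n", frag, rinfo->dir_nr, off, fi->offset);`. The rewritten loop condition `off >= fi->offset` also compares across signedness if `fi->offset` is a signed type (its declaration is not part of this patch), and a negative `fi->offset` would then convert to a large unsigned value. That is worth confirming against the struct definition. The loop body continues outside the hunk.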
30901 diff -urNp linux-2.6.36.2/fs/cifs/cifs_uniupr.h linux-2.6.36.2/fs/cifs/cifs_uniupr.h
30902 --- linux-2.6.36.2/fs/cifs/cifs_uniupr.h 2010-10-20 16:30:22.000000000 -0400
30903 +++ linux-2.6.36.2/fs/cifs/cifs_uniupr.h 2010-12-09 20:24:40.000000000 -0500
30904 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
30905 {0x0490, 0x04cc, UniCaseRangeU0490},
30906 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
30907 {0xff40, 0xff5a, UniCaseRangeUff40},
30913 diff -urNp linux-2.6.36.2/fs/cifs/link.c linux-2.6.36.2/fs/cifs/link.c
30914 --- linux-2.6.36.2/fs/cifs/link.c 2010-10-20 16:30:22.000000000 -0400
30915 +++ linux-2.6.36.2/fs/cifs/link.c 2010-12-09 20:24:40.000000000 -0500
30916 @@ -216,7 +216,7 @@ cifs_symlink(struct inode *inode, struct
30918 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
30920 - char *p = nd_get_link(nd);
30921 + const char *p = nd_get_link(nd);
30925 diff -urNp linux-2.6.36.2/fs/compat_binfmt_elf.c linux-2.6.36.2/fs/compat_binfmt_elf.c
30926 --- linux-2.6.36.2/fs/compat_binfmt_elf.c 2010-10-20 16:30:22.000000000 -0400
30927 +++ linux-2.6.36.2/fs/compat_binfmt_elf.c 2010-12-09 20:24:36.000000000 -0500
30928 @@ -30,11 +30,13 @@
30934 #define elfhdr elf32_hdr
30935 #define elf_phdr elf32_phdr
30936 #define elf_shdr elf32_shdr
30937 #define elf_note elf32_note
30938 +#define elf_dyn Elf32_Dyn
30939 #define elf_addr_t Elf32_Addr
30942 diff -urNp linux-2.6.36.2/fs/compat.c linux-2.6.36.2/fs/compat.c
30943 --- linux-2.6.36.2/fs/compat.c 2010-12-09 20:53:48.000000000 -0500
30944 +++ linux-2.6.36.2/fs/compat.c 2010-12-09 20:24:41.000000000 -0500
30945 @@ -593,7 +593,7 @@ ssize_t compat_rw_copy_check_uvector(int
30949 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
30950 + if (nr_segs > UIO_MAXIOV)
30952 if (nr_segs > fast_segs) {
30954 @@ -1447,6 +1447,7 @@ static int compat_copy_strings(int argc,
30956 page = get_arg_page(bprm, pos, 1);
30958 + /* We've exceed the stack rlimit. */
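Review bot: The added comment has a grammar slip, "We've exceed"; it should read `/* We've exceeded the stack rlimit. */`. The branch it annotates is not visible in this extract, so the wording is the only point here.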
30962 @@ -1488,6 +1489,11 @@ int compat_do_execve(char * filename,
30963 compat_uptr_t __user *envp,
30964 struct pt_regs * regs)
30966 +#ifdef CONFIG_GRKERNSEC
30967 + struct file *old_exec_file;
30968 + struct acl_subject_label *old_acl;
30969 + struct rlimit old_rlim[RLIM_NLIMITS];
30971 struct linux_binprm *bprm;
30973 struct files_struct *displaced;
30974 @@ -1524,6 +1530,14 @@ int compat_do_execve(char * filename,
30975 bprm->filename = filename;
30976 bprm->interp = filename;
30978 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30979 + retval = -EAGAIN;
30980 + if (gr_handle_nproc())
30982 + retval = -EACCES;
30983 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
30986 retval = bprm_mm_init(bprm);
30989 @@ -1553,9 +1567,40 @@ int compat_do_execve(char * filename,
30993 + if (!gr_tpe_allow(file)) {
30994 + retval = -EACCES;
30998 + if (gr_check_crash_exec(file)) {
30999 + retval = -EACCES;
31003 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
31005 + gr_handle_exec_args(bprm, (char __user * __user *)argv);
31007 +#ifdef CONFIG_GRKERNSEC
31008 + old_acl = current->acl;
31009 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
31010 + old_exec_file = current->exec_file;
31012 + current->exec_file = file;
31015 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
31016 + bprm->unsafe & LSM_UNSAFE_SHARE);
31020 retval = search_binary_handler(bprm, regs);
31024 +#ifdef CONFIG_GRKERNSEC
31025 + if (old_exec_file)
31026 + fput(old_exec_file);
31029 /* execve succeeded */
31030 current->fs->in_exec = 0;
31031 @@ -1566,6 +1611,14 @@ int compat_do_execve(char * filename,
31032 put_files_struct(displaced);
31036 +#ifdef CONFIG_GRKERNSEC
31037 + current->acl = old_acl;
31038 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
31039 + fput(current->exec_file);
31040 + current->exec_file = old_exec_file;
31045 acct_arg_size(bprm, 0);
31046 diff -urNp linux-2.6.36.2/fs/compat_ioctl.c linux-2.6.36.2/fs/compat_ioctl.c
31047 --- linux-2.6.36.2/fs/compat_ioctl.c 2010-10-20 16:30:22.000000000 -0400
31048 +++ linux-2.6.36.2/fs/compat_ioctl.c 2010-12-09 20:24:37.000000000 -0500
31049 @@ -210,6 +210,8 @@ static int do_video_set_spu_palette(unsi
31051 err = get_user(palp, &up->palette);
31052 err |= get_user(length, &up->length);
31056 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
31057 err = put_user(compat_ptr(palp), &up_native->palette);
31058 @@ -1731,8 +1733,8 @@ asmlinkage long compat_sys_ioctl(unsigne
31059 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
31062 - a = *(unsigned int *)p;
31063 - b = *(unsigned int *)q;
31064 + a = *(const unsigned int *)p;
31065 + b = *(const unsigned int *)q;
31069 diff -urNp linux-2.6.36.2/fs/debugfs/inode.c linux-2.6.36.2/fs/debugfs/inode.c
31070 --- linux-2.6.36.2/fs/debugfs/inode.c 2010-10-20 16:30:22.000000000 -0400
31071 +++ linux-2.6.36.2/fs/debugfs/inode.c 2010-12-09 20:24:38.000000000 -0500
31072 @@ -129,7 +129,7 @@ static inline int debugfs_positive(struc
31074 static int debug_fill_super(struct super_block *sb, void *data, int silent)
31076 - static struct tree_descr debug_files[] = {{""}};
31077 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
31079 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
31081 diff -urNp linux-2.6.36.2/fs/dlm/lockspace.c linux-2.6.36.2/fs/dlm/lockspace.c
31082 --- linux-2.6.36.2/fs/dlm/lockspace.c 2010-10-20 16:30:22.000000000 -0400
31083 +++ linux-2.6.36.2/fs/dlm/lockspace.c 2010-12-09 20:24:42.000000000 -0500
31084 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
31088 -static struct kset_uevent_ops dlm_uevent_ops = {
31089 +static const struct kset_uevent_ops dlm_uevent_ops = {
31090 .uevent = dlm_uevent,
31093 diff -urNp linux-2.6.36.2/fs/ecryptfs/inode.c linux-2.6.36.2/fs/ecryptfs/inode.c
31094 --- linux-2.6.36.2/fs/ecryptfs/inode.c 2010-12-09 20:53:48.000000000 -0500
31095 +++ linux-2.6.36.2/fs/ecryptfs/inode.c 2010-12-09 20:54:37.000000000 -0500
31096 @@ -745,7 +745,7 @@ static int ecryptfs_readlink_lower(struc
31099 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
31100 - (char __user *)lower_buf,
31101 + (__force char __user *)lower_buf,
31105 @@ -791,7 +791,7 @@ static void *ecryptfs_follow_link(struct
31109 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
31110 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
31114 @@ -806,7 +806,7 @@ out:
31116 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
31118 - char *buf = nd_get_link(nd);
31119 + const char *buf = nd_get_link(nd);
31120 if (!IS_ERR(buf)) {
31121 /* Free the char* */
31123 diff -urNp linux-2.6.36.2/fs/ecryptfs/miscdev.c linux-2.6.36.2/fs/ecryptfs/miscdev.c
31124 --- linux-2.6.36.2/fs/ecryptfs/miscdev.c 2010-10-20 16:30:22.000000000 -0400
31125 +++ linux-2.6.36.2/fs/ecryptfs/miscdev.c 2010-12-09 20:24:40.000000000 -0500
31126 @@ -328,7 +328,7 @@ check_list:
31127 goto out_unlock_msg_ctx;
31129 if (msg_ctx->msg) {
31130 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
31131 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
31132 goto out_unlock_msg_ctx;
31133 i += packet_length_size;
31134 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
31135 diff -urNp linux-2.6.36.2/fs/exec.c linux-2.6.36.2/fs/exec.c
31136 --- linux-2.6.36.2/fs/exec.c 2010-12-09 20:53:48.000000000 -0500
31137 +++ linux-2.6.36.2/fs/exec.c 2010-12-09 20:24:41.000000000 -0500
31138 @@ -54,12 +54,24 @@
31139 #include <linux/fsnotify.h>
31140 #include <linux/fs_struct.h>
31141 #include <linux/pipe_fs_i.h>
31142 +#include <linux/random.h>
31143 +#include <linux/seq_file.h>
31145 +#ifdef CONFIG_PAX_REFCOUNT
31146 +#include <linux/kallsyms.h>
31147 +#include <linux/kdebug.h>
31150 #include <asm/uaccess.h>
31151 #include <asm/mmu_context.h>
31152 #include <asm/tlb.h>
31153 #include "internal.h"
31155 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
31156 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
31157 +EXPORT_SYMBOL(pax_set_initial_flags_func);
31161 char core_pattern[CORENAME_MAX_SIZE] = "core";
31162 unsigned int core_pipe_limit;
31163 @@ -113,7 +125,7 @@ SYSCALL_DEFINE1(uselib, const char __use
31166 file = do_filp_open(AT_FDCWD, tmp,
31167 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
31168 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
31169 MAY_READ | MAY_EXEC | MAY_OPEN);
31171 error = PTR_ERR(file);
31172 @@ -180,18 +192,10 @@ struct page *get_arg_page(struct linux_b
31178 -#ifdef CONFIG_STACK_GROWSUP
31180 - ret = expand_stack_downwards(bprm->vma, pos);
31185 - ret = get_user_pages(current, bprm->mm, pos,
31186 - 1, write, 1, &page, NULL);
31188 + if (0 > expand_stack_downwards(bprm->vma, pos))
31190 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
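Review bot: Both added tests put the constant on the left (`0 > expand_stack_downwards(...)`, `0 >= get_user_pages(...)`), unlike the other comparisons in this patch, and that makes the error condition easy to misread. `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` state the same tests in the usual order. get_arg_page's body starts and ends outside the hunk.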
31194 @@ -266,8 +270,18 @@ static int __bprm_mm_init(struct linux_b
31195 vma->vm_end = STACK_TOP_MAX;
31196 vma->vm_start = vma->vm_end - PAGE_SIZE;
31197 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
31199 +#ifdef CONFIG_PAX_SEGMEXEC
31200 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
31203 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
31204 INIT_LIST_HEAD(&vma->anon_vma_chain);
31206 + err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
31210 err = insert_vm_struct(mm, vma);
31213 @@ -275,6 +289,12 @@ static int __bprm_mm_init(struct linux_b
31214 mm->stack_vm = mm->total_vm = 1;
31215 up_write(&mm->mmap_sem);
31216 bprm->p = vma->vm_end - sizeof(void *);
31218 +#ifdef CONFIG_PAX_RANDUSTACK
31219 + if (randomize_va_space)
31220 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
31225 up_write(&mm->mmap_sem);
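Review bot: The mask in `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` is undocumented, and its effect is not obvious from the expression. `& ~PAGE_MASK` keeps only the sub-page bits and `& ~15` clears the low four, so the XOR changes bits 4 to PAGE_SHIFT-1 of the initial stack pointer. That keeps it inside the top stack page and leaves its low four bits as set by `vma->vm_end - sizeof(void *)`. A short comment stating this, and that the randomisation therefore contributes fewer than PAGE_SHIFT bits, would help anyone auditing the entropy: `/* randomise bits 4..PAGE_SHIFT-1 of the initial sp; stays within the top page */`. __bprm_mm_init starts and ends outside the hunk.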
31226 @@ -510,7 +530,7 @@ int copy_strings_kernel(int argc, const
31228 mm_segment_t oldfs = get_fs();
31230 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
31231 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
31235 @@ -540,7 +560,8 @@ static int shift_arg_pages(struct vm_are
31236 unsigned long new_end = old_end - shift;
31237 struct mmu_gather *tlb;
31239 - BUG_ON(new_start > new_end);
31240 + if (new_start >= new_end || new_start < mmap_min_addr)
31244 * ensure there are no vmas between where we want to go
31245 @@ -549,6 +570,10 @@ static int shift_arg_pages(struct vm_are
31246 if (vma != find_vma(mm, new_start))
31249 +#ifdef CONFIG_PAX_SEGMEXEC
31250 + BUG_ON(pax_find_mirror_vma(vma));
31254 * cover the whole range: [new_start, old_end)
31256 @@ -629,10 +654,6 @@ int setup_arg_pages(struct linux_binprm
31257 stack_top = arch_align_stack(stack_top);
31258 stack_top = PAGE_ALIGN(stack_top);
31260 - if (unlikely(stack_top < mmap_min_addr) ||
31261 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
31264 stack_shift = vma->vm_end - stack_top;
31266 bprm->p -= stack_shift;
31267 @@ -644,8 +665,28 @@ int setup_arg_pages(struct linux_binprm
31268 bprm->exec -= stack_shift;
31270 down_write(&mm->mmap_sem);
31272 + /* Move stack pages down in memory. */
31273 + if (stack_shift) {
31274 + ret = shift_arg_pages(vma, stack_shift);
31279 vm_flags = VM_STACK_FLAGS;
31281 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
31282 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
31283 + vm_flags &= ~VM_EXEC;
31285 +#ifdef CONFIG_PAX_MPROTECT
31286 + if (mm->pax_flags & MF_PAX_MPROTECT)
31287 + vm_flags &= ~VM_MAYEXEC;
31294 * Adjust stack execute permissions; explicitly enable for
31295 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
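Review bot: The added PaX block clears `VM_EXEC` (and `VM_MAYEXEC` under MPROTECT) from `vm_flags` immediately before the code that the trailing context comment describes as "explicitly enable for EXSTACK_ENABLE_X". That code is outside the hunk; if it ORs `VM_EXEC` back into `vm_flags`, the clearing done here only holds when the caller never passes `EXSTACK_ENABLE_X` for a PAGEEXEC/SEGMEXEC task. Whichever way that is guaranteed should be stated next to the new block, for example `/* callers must not request EXSTACK_ENABLE_X when these PaX flags are set; see <caller> */`, with the placeholder replaced by the function that enforces it. setup_arg_pages continues outside the hunk.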
31296 @@ -664,13 +705,6 @@ int setup_arg_pages(struct linux_binprm
31298 BUG_ON(prev != vma);
31300 - /* Move stack pages down in memory. */
31301 - if (stack_shift) {
31302 - ret = shift_arg_pages(vma, stack_shift);
31307 /* mprotect_fixup is overkill to remove the temporary stack flags */
31308 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
31310 @@ -711,7 +745,7 @@ struct file *open_exec(const char *name)
31313 file = do_filp_open(AT_FDCWD, name,
31314 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
31315 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
31316 MAY_EXEC | MAY_OPEN);
31319 @@ -748,7 +782,7 @@ int kernel_read(struct file *file, loff_
31322 /* The cast to a user pointer is valid due to the set_fs() */
31323 - result = vfs_read(file, (void __user *)addr, count, &pos);
31324 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
31328 @@ -1166,7 +1200,7 @@ int check_unsafe_exec(struct linux_binpr
31332 - if (p->fs->users > n_fs) {
31333 + if (atomic_read(&p->fs->users) > n_fs) {
31334 bprm->unsafe |= LSM_UNSAFE_SHARE;
31337 @@ -1362,6 +1396,11 @@ int do_execve(const char * filename,
31338 const char __user *const __user *envp,
31339 struct pt_regs * regs)
31341 +#ifdef CONFIG_GRKERNSEC
31342 + struct file *old_exec_file;
31343 + struct acl_subject_label *old_acl;
31344 + struct rlimit old_rlim[RLIM_NLIMITS];
31346 struct linux_binprm *bprm;
31348 struct files_struct *displaced;
31349 @@ -1398,6 +1437,18 @@ int do_execve(const char * filename,
31350 bprm->filename = filename;
31351 bprm->interp = filename;
31353 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
31355 + if (gr_handle_nproc()) {
31356 + retval = -EAGAIN;
31360 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
31361 + retval = -EACCES;
31365 retval = bprm_mm_init(bprm);
31368 @@ -1427,10 +1478,41 @@ int do_execve(const char * filename,
31372 + if (!gr_tpe_allow(file)) {
31373 + retval = -EACCES;
31377 + if (gr_check_crash_exec(file)) {
31378 + retval = -EACCES;
31382 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
31384 + gr_handle_exec_args(bprm, argv);
31386 +#ifdef CONFIG_GRKERNSEC
31387 + old_acl = current->acl;
31388 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
31389 + old_exec_file = current->exec_file;
31391 + current->exec_file = file;
31394 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
31395 + bprm->unsafe & LSM_UNSAFE_SHARE);
31399 current->flags &= ~PF_KTHREAD;
31400 retval = search_binary_handler(bprm,regs);
31404 +#ifdef CONFIG_GRKERNSEC
31405 + if (old_exec_file)
31406 + fput(old_exec_file);
31409 /* execve succeeded */
31410 current->fs->in_exec = 0;
31411 @@ -1441,10 +1523,18 @@ int do_execve(const char * filename,
31412 put_files_struct(displaced);
31416 +#ifdef CONFIG_GRKERNSEC
31417 + current->acl = old_acl;
31418 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
31419 + fput(current->exec_file);
31420 + current->exec_file = old_exec_file;
31425 acct_arg_size(bprm, 0);
31427 + mmput (bprm->mm);
31431 @@ -1606,6 +1696,217 @@ out:
31435 +int pax_check_flags(unsigned long *flags)
31439 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
31440 + if (*flags & MF_PAX_SEGMEXEC)
31442 + *flags &= ~MF_PAX_SEGMEXEC;
31443 + retval = -EINVAL;
31447 + if ((*flags & MF_PAX_PAGEEXEC)
31449 +#ifdef CONFIG_PAX_PAGEEXEC
31450 + && (*flags & MF_PAX_SEGMEXEC)
31455 + *flags &= ~MF_PAX_PAGEEXEC;
31456 + retval = -EINVAL;
31459 + if ((*flags & MF_PAX_MPROTECT)
31461 +#ifdef CONFIG_PAX_MPROTECT
31462 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
31467 + *flags &= ~MF_PAX_MPROTECT;
31468 + retval = -EINVAL;
31471 + if ((*flags & MF_PAX_EMUTRAMP)
31473 +#ifdef CONFIG_PAX_EMUTRAMP
31474 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
31479 + *flags &= ~MF_PAX_EMUTRAMP;
31480 + retval = -EINVAL;
31486 +EXPORT_SYMBOL(pax_check_flags);
31488 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
31489 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
31491 + struct task_struct *tsk = current;
31492 + struct mm_struct *mm = current->mm;
31493 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
31494 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
31495 + char *path_exec = NULL;
31496 + char *path_fault = NULL;
31497 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
31499 + if (buffer_exec && buffer_fault) {
31500 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
31502 + down_read(&mm->mmap_sem);
31504 + while (vma && (!vma_exec || !vma_fault)) {
31505 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
31507 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
31509 + vma = vma->vm_next;
31512 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
31513 + if (IS_ERR(path_exec))
31514 + path_exec = "<path too long>";
31516 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
31519 + path_exec = buffer_exec;
31521 + path_exec = "<path too long>";
31525 + start = vma_fault->vm_start;
31526 + end = vma_fault->vm_end;
31527 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
31528 + if (vma_fault->vm_file) {
31529 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
31530 + if (IS_ERR(path_fault))
31531 + path_fault = "<path too long>";
31533 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
31534 + if (path_fault) {
31536 + path_fault = buffer_fault;
31538 + path_fault = "<path too long>";
31541 + path_fault = "<anonymous mapping>";
31543 + up_read(&mm->mmap_sem);
31545 + if (tsk->signal->curr_ip)
31546 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
31548 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
31549 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
31550 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
31551 + task_uid(tsk), task_euid(tsk), pc, sp);
31552 + free_page((unsigned long)buffer_exec);
31553 + free_page((unsigned long)buffer_fault);
31554 + pax_report_insns(pc, sp);
31555 + do_coredump(SIGKILL, SIGKILL, regs);
31559 +#ifdef CONFIG_PAX_REFCOUNT
31560 +void pax_report_refcount_overflow(struct pt_regs *regs)
31562 + if (current->signal->curr_ip)
31563 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
31564 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
31566 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
31567 + current->comm, task_pid_nr(current), current_uid(), current_euid());
31568 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
31570 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
31574 +#ifdef CONFIG_PAX_USERCOPY
31575 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
31576 +int object_is_on_stack(const void *obj, unsigned long len)
31578 + const void * const stack = task_stack_page(current);
31579 + const void * const stackend = stack + THREAD_SIZE;
31581 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31582 + const void *frame = NULL;
31583 + const void *oldframe;
31586 + if (obj + len < obj)
31589 + if (obj + len <= stack || stackend <= obj)
31592 + if (obj < stack || stackend < obj + len)
31595 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31596 + oldframe = __builtin_frame_address(1);
31598 + frame = __builtin_frame_address(2);
31600 + low ----------------------------------------------> high
31601 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
31602 + ^----------------^
31603 + allow copies only within here
31605 + while (stack <= frame && frame < stackend) {
31606 + /* if obj + len extends past the last frame, this
31607 + check won't pass and the next frame will be 0,
31608 + causing us to bail out and correctly report
31609 + the copy as invalid
31611 + if (obj + len <= frame)
31612 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
31613 + oldframe = frame;
31614 + frame = *(const void * const *)frame;
31623 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
31625 + if (current->signal->curr_ip)
31626 + printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
31627 + ¤t->signal->curr_ip, ptr, len);
31629 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
31631 + do_group_exit(SIGKILL);
31634 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
31636 + if (current->signal->curr_ip)
31637 + printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
31638 + ¤t->signal->curr_ip, ptr, len);
31640 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
31642 + do_group_exit(SIGKILL);
31646 static int zap_process(struct task_struct *start, int exit_code)
31648 struct task_struct *t;
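Review bot: The wrap check `if (obj + len < obj)` in `object_is_on_stack()` depends on arithmetic on a `const void *` wrapping around, which ISO C leaves undefined (and arithmetic on `void *` is itself a GNU extension). Unless the build flags guarantee wrapping pointer arithmetic, the compiler may assume the sum cannot wrap and drop the test. Doing the comparison on integers removes that dependency: `if ((unsigned long)obj + len < (unsigned long)obj)`, and the range tests that follow can reuse the same integer values. Because this function decides whether a user copy touching the stack is accepted, a check that can be optimised away would let an oversized `len` through to the later comparisons. The return statements of the three range checks are not visible in this extract.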
31649 @@ -1816,17 +2117,17 @@ static void wait_for_dump_helpers(struct
31650 pipe = file->f_path.dentry->d_inode->i_pipe;
31655 + atomic_inc(&pipe->readers);
31656 + atomic_dec(&pipe->writers);
31658 - while ((pipe->readers > 1) && (!signal_pending(current))) {
31659 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
31660 wake_up_interruptible_sync(&pipe->wait);
31661 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
31667 + atomic_dec(&pipe->readers);
31668 + atomic_inc(&pipe->writers);
31672 @@ -1934,6 +2235,10 @@ void do_coredump(long signr, int exit_co
31674 clear_thread_flag(TIF_SIGPENDING);
31676 + if (signr == SIGKILL || signr == SIGILL)
31677 + gr_handle_brute_attach(current);
31678 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
31680 ispipe = format_corename(corename, signr);
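Review bot: The new `signr == SIGKILL || signr == SIGILL` test in front of `gr_handle_brute_attach(current)` carries no comment on why these two signals are the ones counted, while other fatal signals that reach do_coredump (SIGSEGV, for one) are not. Presumably they are the signals delivered by the hardening code's own kills, but that is not visible in this hunk. A one-line comment such as `/* NOTE(review): only SIGKILL/SIGILL are treated as brute-force indicators - confirm against the callers */` would let a reader check the set against the threat model. The call also sits ahead of `format_corename`, so it runs whether or not a core file is written; say so if that is intended. do_coredump continues outside the hunk.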
31683 diff -urNp linux-2.6.36.2/fs/ext2/balloc.c linux-2.6.36.2/fs/ext2/balloc.c
31684 --- linux-2.6.36.2/fs/ext2/balloc.c 2010-10-20 16:30:22.000000000 -0400
31685 +++ linux-2.6.36.2/fs/ext2/balloc.c 2010-12-09 20:24:39.000000000 -0500
31686 @@ -1193,7 +1193,7 @@ static int ext2_has_free_blocks(struct e
31688 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31689 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31690 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31691 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31692 sbi->s_resuid != current_fsuid() &&
31693 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
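Review bot: `capable_nolog(CAP_SYS_RESOURCE)` replaces `capable()` in the reserved-block test with no comment on what is no longer logged; the same swap is made in ext3_has_free_blocks and ext4_has_free_blocks. Judging by the name, the helper skips the capability-use log entry. That is reasonable for a check on the allocation path, but it also means a privileged task using the root reserve leaves no record. I would add `/* allocation-path check: use the non-logging variant to keep the capability log readable */` above the condition, once the helper's definition (not in this hunk) confirms that reading.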
31695 diff -urNp linux-2.6.36.2/fs/ext2/xattr.c linux-2.6.36.2/fs/ext2/xattr.c
31696 --- linux-2.6.36.2/fs/ext2/xattr.c 2010-10-20 16:30:22.000000000 -0400
31697 +++ linux-2.6.36.2/fs/ext2/xattr.c 2010-12-09 20:24:39.000000000 -0500
31702 -# define ea_idebug(f...)
31703 -# define ea_bdebug(f...)
31704 +# define ea_idebug(inode, f...) do {} while (0)
31705 +# define ea_bdebug(bh, f...) do {} while (0)
31708 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
31709 diff -urNp linux-2.6.36.2/fs/ext3/balloc.c linux-2.6.36.2/fs/ext3/balloc.c
31710 --- linux-2.6.36.2/fs/ext3/balloc.c 2010-10-20 16:30:22.000000000 -0400
31711 +++ linux-2.6.36.2/fs/ext3/balloc.c 2010-12-09 20:24:40.000000000 -0500
31712 @@ -1422,7 +1422,7 @@ static int ext3_has_free_blocks(struct e
31714 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31715 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31716 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31717 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31718 sbi->s_resuid != current_fsuid() &&
31719 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
31721 diff -urNp linux-2.6.36.2/fs/ext3/namei.c linux-2.6.36.2/fs/ext3/namei.c
31722 --- linux-2.6.36.2/fs/ext3/namei.c 2010-10-20 16:30:22.000000000 -0400
31723 +++ linux-2.6.36.2/fs/ext3/namei.c 2010-12-09 20:24:40.000000000 -0500
31724 @@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
31725 char *data1 = (*bh)->b_data, *data2;
31726 unsigned split, move, size;
31727 struct ext3_dir_entry_2 *de = NULL, *de2;
31731 bh2 = ext3_append (handle, dir, &newblock, &err);
31733 diff -urNp linux-2.6.36.2/fs/ext3/xattr.c linux-2.6.36.2/fs/ext3/xattr.c
31734 --- linux-2.6.36.2/fs/ext3/xattr.c 2010-10-20 16:30:22.000000000 -0400
31735 +++ linux-2.6.36.2/fs/ext3/xattr.c 2010-12-09 20:24:40.000000000 -0500
31740 -# define ea_idebug(f...)
31741 -# define ea_bdebug(f...)
31742 +# define ea_idebug(f...) do {} while (0)
31743 +# define ea_bdebug(f...) do {} while (0)
31746 static void ext3_xattr_cache_insert(struct buffer_head *);
31747 diff -urNp linux-2.6.36.2/fs/ext4/balloc.c linux-2.6.36.2/fs/ext4/balloc.c
31748 --- linux-2.6.36.2/fs/ext4/balloc.c 2010-10-20 16:30:22.000000000 -0400
31749 +++ linux-2.6.36.2/fs/ext4/balloc.c 2010-12-09 20:24:41.000000000 -0500
31750 @@ -518,7 +518,7 @@ int ext4_has_free_blocks(struct ext4_sb_
31751 /* Hm, nope. Are (enough) root reserved blocks available? */
31752 if (sbi->s_resuid == current_fsuid() ||
31753 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
31754 - capable(CAP_SYS_RESOURCE)) {
31755 + capable_nolog(CAP_SYS_RESOURCE)) {
31756 if (free_blocks >= (nblocks + dirty_blocks))
31759 diff -urNp linux-2.6.36.2/fs/ext4/namei.c linux-2.6.36.2/fs/ext4/namei.c
31760 --- linux-2.6.36.2/fs/ext4/namei.c 2010-10-20 16:30:22.000000000 -0400
31761 +++ linux-2.6.36.2/fs/ext4/namei.c 2010-12-09 20:24:41.000000000 -0500
31762 @@ -1170,7 +1170,7 @@ static struct ext4_dir_entry_2 *do_split
31763 char *data1 = (*bh)->b_data, *data2;
31764 unsigned split, move, size;
31765 struct ext4_dir_entry_2 *de = NULL, *de2;
31769 bh2 = ext4_append (handle, dir, &newblock, &err);
31771 diff -urNp linux-2.6.36.2/fs/ext4/xattr.c linux-2.6.36.2/fs/ext4/xattr.c
31772 --- linux-2.6.36.2/fs/ext4/xattr.c 2010-10-20 16:30:22.000000000 -0400
31773 +++ linux-2.6.36.2/fs/ext4/xattr.c 2010-12-09 20:24:41.000000000 -0500
31778 -# define ea_idebug(f...)
31779 -# define ea_bdebug(f...)
31780 +# define ea_idebug(inode, f...) do {} while (0)
31781 +# define ea_bdebug(bh, f...) do {} while (0)
31784 static void ext4_xattr_cache_insert(struct buffer_head *);
31785 diff -urNp linux-2.6.36.2/fs/fcntl.c linux-2.6.36.2/fs/fcntl.c
31786 --- linux-2.6.36.2/fs/fcntl.c 2010-10-20 16:30:22.000000000 -0400
31787 +++ linux-2.6.36.2/fs/fcntl.c 2010-12-09 20:24:38.000000000 -0500
31788 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
31792 + if (gr_handle_chroot_fowner(pid, type))
31794 + if (gr_check_protected_task_fowner(pid, type))
31797 f_modown(filp, pid, type, force);
31800 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
31803 case F_DUPFD_CLOEXEC:
31804 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
31805 if (arg >= rlimit(RLIMIT_NOFILE))
31807 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
31808 diff -urNp linux-2.6.36.2/fs/fifo.c linux-2.6.36.2/fs/fifo.c
31809 --- linux-2.6.36.2/fs/fifo.c 2010-10-20 16:30:22.000000000 -0400
31810 +++ linux-2.6.36.2/fs/fifo.c 2010-12-09 20:24:38.000000000 -0500
31811 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
31813 filp->f_op = &read_pipefifo_fops;
31815 - if (pipe->readers++ == 0)
31816 + if (atomic_inc_return(&pipe->readers) == 1)
31817 wake_up_partner(inode);
31819 - if (!pipe->writers) {
31820 + if (!atomic_read(&pipe->writers)) {
31821 if ((filp->f_flags & O_NONBLOCK)) {
31822 /* suppress POLLHUP until we have
31824 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
31825 * errno=ENXIO when there is no process reading the FIFO.
31828 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
31829 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
31832 filp->f_op = &write_pipefifo_fops;
31834 - if (!pipe->writers++)
31835 + if (atomic_inc_return(&pipe->writers) == 1)
31836 wake_up_partner(inode);
31838 - if (!pipe->readers) {
31839 + if (!atomic_read(&pipe->readers)) {
31840 wait_for_partner(inode, &pipe->r_counter);
31841 if (signal_pending(current))
31843 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
31845 filp->f_op = &rdwr_pipefifo_fops;
31849 + atomic_inc(&pipe->readers);
31850 + atomic_inc(&pipe->writers);
31853 - if (pipe->readers == 1 || pipe->writers == 1)
31854 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
31855 wake_up_partner(inode);
31858 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
31862 - if (!--pipe->readers)
31863 + if (atomic_dec_and_test(&pipe->readers))
31864 wake_up_interruptible(&pipe->wait);
31865 ret = -ERESTARTSYS;
31869 - if (!--pipe->writers)
31870 + if (atomic_dec_and_test(&pipe->writers))
31871 wake_up_interruptible(&pipe->wait);
31872 ret = -ERESTARTSYS;
31876 - if (!pipe->readers && !pipe->writers)
31877 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
31878 free_pipe_info(inode);
31881 diff -urNp linux-2.6.36.2/fs/file.c linux-2.6.36.2/fs/file.c
31882 --- linux-2.6.36.2/fs/file.c 2010-10-20 16:30:22.000000000 -0400
31883 +++ linux-2.6.36.2/fs/file.c 2010-12-09 20:24:38.000000000 -0500
31885 #include <linux/slab.h>
31886 #include <linux/vmalloc.h>
31887 #include <linux/file.h>
31888 +#include <linux/security.h>
31889 #include <linux/fdtable.h>
31890 #include <linux/bitops.h>
31891 #include <linux/interrupt.h>
31892 @@ -250,6 +251,7 @@ int expand_files(struct files_struct *fi
31893 * N.B. For clone tasks sharing a files structure, this test
31894 * will limit the total number of files that can be opened.
31896 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
31897 if (nr >= rlimit(RLIMIT_NOFILE))
31900 diff -urNp linux-2.6.36.2/fs/fs_struct.c linux-2.6.36.2/fs/fs_struct.c
31901 --- linux-2.6.36.2/fs/fs_struct.c 2010-10-20 16:30:22.000000000 -0400
31902 +++ linux-2.6.36.2/fs/fs_struct.c 2010-12-09 20:24:36.000000000 -0500
31904 #include <linux/slab.h>
31905 #include <linux/fs_struct.h>
31906 #include <linux/vserver/global.h>
31907 +#include <linux/grsecurity.h>
31910 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
31911 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
31912 old_root = fs->root;
31915 + gr_set_chroot_entries(current, path);
31916 spin_unlock(&fs->lock);
31917 if (old_root.dentry)
31918 path_put(&old_root);
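Review bot: `gr_set_chroot_entries(current, path)` records the new root against `current`, although set_fs_root changes the `fs` it is handed, which need not be `current->fs` and may be shared by several tasks. If a caller passes another task's fs_struct, or tasks share one through CLONE_FS, the per-task chroot state and the real `fs->root` could disagree. chroot_fs_refs in the next hunk passes `p` rather than `current`. Either state the assumption with `/* assumes fs == current->fs; other tasks sharing this fs_struct are not updated here */` or derive the affected tasks from `fs`. The callers are outside this hunk, so this needs checking against them.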
31919 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
31920 && fs->root.mnt == old_root->mnt) {
31921 path_get(new_root);
31922 fs->root = *new_root;
31923 + gr_set_chroot_entries(p, new_root);
31926 if (fs->pwd.dentry == old_root->dentry
31927 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
31929 spin_lock(&fs->lock);
31931 - kill = !--fs->users;
31932 + gr_clear_chroot_entries(tsk);
31933 + kill = !atomic_dec_return(&fs->users);
31934 spin_unlock(&fs->lock);
31937 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
31938 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
31939 /* We don't need to lock fs - think why ;-) */
31942 + atomic_set(&fs->users, 1);
31944 spin_lock_init(&fs->lock);
31945 fs->umask = old->umask;
31946 @@ -122,8 +126,9 @@ int unshare_fs_struct(void)
31948 task_lock(current);
31949 spin_lock(&fs->lock);
31950 - kill = !--fs->users;
31951 + kill = !atomic_dec_return(&fs->users);
31952 current->fs = new_fs;
31953 + gr_set_chroot_entries(current, &new_fs->root);
31954 spin_unlock(&fs->lock);
31955 task_unlock(current);
31957 @@ -142,7 +147,7 @@ EXPORT_SYMBOL(current_umask);
31959 /* to be mentioned only in INIT_TASK */
31960 struct fs_struct init_fs = {
31962 + .users = ATOMIC_INIT(1),
31963 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
31966 @@ -157,12 +162,13 @@ void daemonize_fs_struct(void)
31967 task_lock(current);
31969 spin_lock(&init_fs.lock);
31971 + atomic_inc(&init_fs.users);
31972 spin_unlock(&init_fs.lock);
31974 spin_lock(&fs->lock);
31975 current->fs = &init_fs;
31976 - kill = !--fs->users;
31977 + gr_set_chroot_entries(current, ¤t->fs->root);
31978 + kill = !atomic_dec_return(&fs->users);
31979 spin_unlock(&fs->lock);
31981 task_unlock(current);
31982 diff -urNp linux-2.6.36.2/fs/fuse/control.c linux-2.6.36.2/fs/fuse/control.c
31983 --- linux-2.6.36.2/fs/fuse/control.c 2010-10-20 16:30:22.000000000 -0400
31984 +++ linux-2.6.36.2/fs/fuse/control.c 2010-12-09 20:24:39.000000000 -0500
31985 @@ -293,7 +293,7 @@ void fuse_ctl_remove_conn(struct fuse_co
31987 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
31989 - struct tree_descr empty_descr = {""};
31990 + struct tree_descr empty_descr = {"", NULL, 0};
31991 struct fuse_conn *fc;
31994 diff -urNp linux-2.6.36.2/fs/fuse/cuse.c linux-2.6.36.2/fs/fuse/cuse.c
31995 --- linux-2.6.36.2/fs/fuse/cuse.c 2010-10-20 16:30:22.000000000 -0400
31996 +++ linux-2.6.36.2/fs/fuse/cuse.c 2010-12-09 20:24:39.000000000 -0500
31997 @@ -529,8 +529,18 @@ static int cuse_channel_release(struct i
32001 -static struct file_operations cuse_channel_fops; /* initialized during init */
32003 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
32004 + .owner = THIS_MODULE,
32005 + .llseek = no_llseek,
32006 + .read = do_sync_read,
32007 + .aio_read = fuse_dev_read,
32008 + .write = do_sync_write,
32009 + .aio_write = fuse_dev_write,
32010 + .poll = fuse_dev_poll,
32011 + .open = cuse_channel_open,
32012 + .release = cuse_channel_release,
32013 + .fasync = fuse_dev_fasync,
32016 /**************************************************************************
32017 * Misc stuff and module initializatiion
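Review bot: The static initializer for `cuse_channel_fops` lists its handlers by hand, whereas the code removed from cuse_init copied `fuse_dev_operations` whole, so any member of that table not repeated here is dropped and later additions will not carry over. fs/fuse/dev.c in this patch still has `fuse_dev_splice_read` and `fuse_dev_splice_write` as static functions; if `fuse_dev_operations` sets them (its full initializer is not visible), CUSE channels lose splice support with this change. The trailing comment `/* initialized during init */` is stale and should become something like `/* mirrors fuse_dev_operations with CUSE open/release; keep in sync */`. The const table also costs four new exported symbols in the dev.c hunks: `fuse_dev_read`, `fuse_dev_write`, `fuse_dev_poll` and `fuse_dev_fasync`.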
32018 @@ -576,12 +586,6 @@ static int __init cuse_init(void)
32019 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
32020 INIT_LIST_HEAD(&cuse_conntbl[i]);
32022 - /* inherit and extend fuse_dev_operations */
32023 - cuse_channel_fops = fuse_dev_operations;
32024 - cuse_channel_fops.owner = THIS_MODULE;
32025 - cuse_channel_fops.open = cuse_channel_open;
32026 - cuse_channel_fops.release = cuse_channel_release;
32028 cuse_class = class_create(THIS_MODULE, "cuse");
32029 if (IS_ERR(cuse_class))
32030 return PTR_ERR(cuse_class);
32031 diff -urNp linux-2.6.36.2/fs/fuse/dev.c linux-2.6.36.2/fs/fuse/dev.c
32032 --- linux-2.6.36.2/fs/fuse/dev.c 2010-10-20 16:30:22.000000000 -0400
32033 +++ linux-2.6.36.2/fs/fuse/dev.c 2010-12-09 20:24:39.000000000 -0500
32034 @@ -1049,7 +1049,7 @@ static ssize_t fuse_dev_do_read(struct f
32038 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
32039 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
32040 unsigned long nr_segs, loff_t pos)
32042 struct fuse_copy_state cs;
32043 @@ -1063,6 +1063,8 @@ static ssize_t fuse_dev_read(struct kioc
32044 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
32047 +EXPORT_SYMBOL_GPL(fuse_dev_read);
32049 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
32050 struct pipe_buffer *buf)
32052 @@ -1106,7 +1108,7 @@ static ssize_t fuse_dev_splice_read(stru
32056 - if (!pipe->readers) {
32057 + if (!atomic_read(&pipe->readers)) {
32058 send_sig(SIGPIPE, current, 0);
32061 @@ -1604,7 +1606,7 @@ static ssize_t fuse_dev_do_write(struct
32065 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
32066 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
32067 unsigned long nr_segs, loff_t pos)
32069 struct fuse_copy_state cs;
32070 @@ -1617,6 +1619,8 @@ static ssize_t fuse_dev_write(struct kio
32071 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
32074 +EXPORT_SYMBOL_GPL(fuse_dev_write);
32076 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
32077 struct file *out, loff_t *ppos,
32078 size_t len, unsigned int flags)
32079 @@ -1695,7 +1699,7 @@ out:
32083 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
32084 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
32086 unsigned mask = POLLOUT | POLLWRNORM;
32087 struct fuse_conn *fc = fuse_get_conn(file);
32088 @@ -1714,6 +1718,8 @@ static unsigned fuse_dev_poll(struct fil
32092 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
32095 * Abort all requests on the given list (pending or processing)
32097 @@ -1831,7 +1837,7 @@ int fuse_dev_release(struct inode *inode
32099 EXPORT_SYMBOL_GPL(fuse_dev_release);
32101 -static int fuse_dev_fasync(int fd, struct file *file, int on)
32102 +int fuse_dev_fasync(int fd, struct file *file, int on)
32104 struct fuse_conn *fc = fuse_get_conn(file);
32106 @@ -1841,6 +1847,8 @@ static int fuse_dev_fasync(int fd, struc
32107 return fasync_helper(fd, file, on, &fc->fasync);
32110 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
32112 const struct file_operations fuse_dev_operations = {
32113 .owner = THIS_MODULE,
32114 .llseek = no_llseek,
32115 diff -urNp linux-2.6.36.2/fs/fuse/dir.c linux-2.6.36.2/fs/fuse/dir.c
32116 --- linux-2.6.36.2/fs/fuse/dir.c 2010-10-20 16:30:22.000000000 -0400
32117 +++ linux-2.6.36.2/fs/fuse/dir.c 2010-12-09 20:24:39.000000000 -0500
32118 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
32122 -static void free_link(char *link)
32123 +static void free_link(const char *link)
32126 free_page((unsigned long) link);
32127 diff -urNp linux-2.6.36.2/fs/fuse/fuse_i.h linux-2.6.36.2/fs/fuse/fuse_i.h
32128 --- linux-2.6.36.2/fs/fuse/fuse_i.h 2010-10-20 16:30:22.000000000 -0400
32129 +++ linux-2.6.36.2/fs/fuse/fuse_i.h 2010-12-09 20:24:39.000000000 -0500
32130 @@ -525,6 +525,16 @@ extern const struct file_operations fuse
32132 extern const struct dentry_operations fuse_dentry_operations;
32134 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
32135 + unsigned long nr_segs, loff_t pos);
32137 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
32138 + unsigned long nr_segs, loff_t pos);
32140 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
32142 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
32145 * Inode to nodeid comparison.
32147 diff -urNp linux-2.6.36.2/fs/hfs/inode.c linux-2.6.36.2/fs/hfs/inode.c
32148 --- linux-2.6.36.2/fs/hfs/inode.c 2010-10-20 16:30:22.000000000 -0400
32149 +++ linux-2.6.36.2/fs/hfs/inode.c 2010-12-09 20:24:36.000000000 -0500
32150 @@ -447,7 +447,7 @@ int hfs_write_inode(struct inode *inode,
32152 if (S_ISDIR(main_inode->i_mode)) {
32153 if (fd.entrylength < sizeof(struct hfs_cat_dir))
32156 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
32157 sizeof(struct hfs_cat_dir));
32158 if (rec.type != HFS_CDR_DIR ||
32159 @@ -468,7 +468,7 @@ int hfs_write_inode(struct inode *inode,
32160 sizeof(struct hfs_cat_file));
32162 if (fd.entrylength < sizeof(struct hfs_cat_file))
32165 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
32166 sizeof(struct hfs_cat_file));
32167 if (rec.type != HFS_CDR_FIL ||
32168 diff -urNp linux-2.6.36.2/fs/hfsplus/inode.c linux-2.6.36.2/fs/hfsplus/inode.c
32169 --- linux-2.6.36.2/fs/hfsplus/inode.c 2010-10-20 16:30:22.000000000 -0400
32170 +++ linux-2.6.36.2/fs/hfsplus/inode.c 2010-12-09 20:24:41.000000000 -0500
32171 @@ -477,7 +477,7 @@ int hfsplus_cat_read_inode(struct inode
32172 struct hfsplus_cat_folder *folder = &entry.folder;
32174 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
32177 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
32178 sizeof(struct hfsplus_cat_folder));
32179 hfsplus_get_perms(inode, &folder->permissions, 1);
32180 @@ -494,7 +494,7 @@ int hfsplus_cat_read_inode(struct inode
32181 struct hfsplus_cat_file *file = &entry.file;
32183 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
32186 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
32187 sizeof(struct hfsplus_cat_file));
32189 @@ -550,7 +550,7 @@ int hfsplus_cat_write_inode(struct inode
32190 struct hfsplus_cat_folder *folder = &entry.folder;
32192 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
32195 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
32196 sizeof(struct hfsplus_cat_folder));
32197 /* simple node checks? */
32198 @@ -572,7 +572,7 @@ int hfsplus_cat_write_inode(struct inode
32199 struct hfsplus_cat_file *file = &entry.file;
32201 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
32204 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
32205 sizeof(struct hfsplus_cat_file));
32206 hfsplus_inode_write_fork(inode, &file->data_fork);
32207 diff -urNp linux-2.6.36.2/fs/hugetlbfs/inode.c linux-2.6.36.2/fs/hugetlbfs/inode.c
32208 --- linux-2.6.36.2/fs/hugetlbfs/inode.c 2010-10-20 16:30:22.000000000 -0400
32209 +++ linux-2.6.36.2/fs/hugetlbfs/inode.c 2010-12-09 20:24:41.000000000 -0500
32210 @@ -891,7 +891,7 @@ static struct file_system_type hugetlbfs
32211 .kill_sb = kill_litter_super,
32214 -static struct vfsmount *hugetlbfs_vfsmount;
32215 +struct vfsmount *hugetlbfs_vfsmount;
32217 static int can_do_hugetlb_shm(void)
32219 diff -urNp linux-2.6.36.2/fs/ioctl.c linux-2.6.36.2/fs/ioctl.c
32220 --- linux-2.6.36.2/fs/ioctl.c 2010-10-20 16:30:22.000000000 -0400
32221 +++ linux-2.6.36.2/fs/ioctl.c 2010-12-09 20:24:40.000000000 -0500
32222 @@ -87,7 +87,7 @@ int fiemap_fill_next_extent(struct fiema
32223 u64 phys, u64 len, u32 flags)
32225 struct fiemap_extent extent;
32226 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
32227 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
32229 /* only count the extents */
32230 if (fieinfo->fi_extents_max == 0) {
32231 @@ -197,7 +197,7 @@ static int ioctl_fiemap(struct file *fil
32233 fieinfo.fi_flags = fiemap.fm_flags;
32234 fieinfo.fi_extents_max = fiemap.fm_extent_count;
32235 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
32236 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
32238 if (fiemap.fm_extent_count != 0 &&
32239 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
32240 @@ -210,7 +210,7 @@ static int ioctl_fiemap(struct file *fil
32241 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
32242 fiemap.fm_flags = fieinfo.fi_flags;
32243 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
32244 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
32245 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
32249 diff -urNp linux-2.6.36.2/fs/jffs2/debug.h linux-2.6.36.2/fs/jffs2/debug.h
32250 --- linux-2.6.36.2/fs/jffs2/debug.h 2010-10-20 16:30:22.000000000 -0400
32251 +++ linux-2.6.36.2/fs/jffs2/debug.h 2010-12-09 20:24:40.000000000 -0500
32252 @@ -53,13 +53,13 @@
32253 #if CONFIG_JFFS2_FS_DEBUG > 0
32257 +#define D1(x) do {} while (0);
32260 #if CONFIG_JFFS2_FS_DEBUG > 1
32264 +#define D2(x) do {} while (0);
32267 /* The prefixes of JFFS2 messages */
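Review bot: The disabled forms `#define D1(x) do {} while (0);` and `#define D2(x) do {} while (0);` end in a semicolon, which defeats the purpose of the `do {} while (0)` wrapper: `if (c) D1(...); else ...` expands to two statements and stops compiling. The other macros changed in this file and in summary.h leave the semicolon off. If it is there because some call sites write `D1(...)` with no semicolon of their own, those call sites are the better place to fix; otherwise use `#define D1(x) do {} while (0)` and the same for D2.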
32268 @@ -115,73 +115,73 @@
32269 #ifdef JFFS2_DBG_READINODE_MESSAGES
32270 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32272 -#define dbg_readinode(fmt, ...)
32273 +#define dbg_readinode(fmt, ...) do {} while (0)
32275 #ifdef JFFS2_DBG_READINODE2_MESSAGES
32276 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32278 -#define dbg_readinode2(fmt, ...)
32279 +#define dbg_readinode2(fmt, ...) do {} while (0)
32282 /* Fragtree build debugging messages */
32283 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
32284 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32286 -#define dbg_fragtree(fmt, ...)
32287 +#define dbg_fragtree(fmt, ...) do {} while (0)
32289 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
32290 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32292 -#define dbg_fragtree2(fmt, ...)
32293 +#define dbg_fragtree2(fmt, ...) do {} while (0)
32296 /* Directory entry list manilulation debugging messages */
32297 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
32298 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32300 -#define dbg_dentlist(fmt, ...)
32301 +#define dbg_dentlist(fmt, ...) do {} while (0)
32304 /* Print the messages about manipulating node_refs */
32305 #ifdef JFFS2_DBG_NODEREF_MESSAGES
32306 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32308 -#define dbg_noderef(fmt, ...)
32309 +#define dbg_noderef(fmt, ...) do {} while (0)
32312 /* Manipulations with the list of inodes (JFFS2 inocache) */
32313 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
32314 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32316 -#define dbg_inocache(fmt, ...)
32317 +#define dbg_inocache(fmt, ...) do {} while (0)
32320 /* Summary debugging messages */
32321 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
32322 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32324 -#define dbg_summary(fmt, ...)
32325 +#define dbg_summary(fmt, ...) do {} while (0)
32328 /* File system build messages */
32329 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
32330 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32332 -#define dbg_fsbuild(fmt, ...)
32333 +#define dbg_fsbuild(fmt, ...) do {} while (0)
32336 /* Watch the object allocations */
32337 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
32338 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32340 -#define dbg_memalloc(fmt, ...)
32341 +#define dbg_memalloc(fmt, ...) do {} while (0)
32344 /* Watch the XATTR subsystem */
32345 #ifdef JFFS2_DBG_XATTR_MESSAGES
32346 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32348 -#define dbg_xattr(fmt, ...)
32349 +#define dbg_xattr(fmt, ...) do {} while (0)
32352 /* "Sanity" checks */
32353 diff -urNp linux-2.6.36.2/fs/jffs2/erase.c linux-2.6.36.2/fs/jffs2/erase.c
32354 --- linux-2.6.36.2/fs/jffs2/erase.c 2010-10-20 16:30:22.000000000 -0400
32355 +++ linux-2.6.36.2/fs/jffs2/erase.c 2010-12-09 20:24:40.000000000 -0500
32356 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
32357 struct jffs2_unknown_node marker = {
32358 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
32359 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
32360 - .totlen = cpu_to_je32(c->cleanmarker_size)
32361 + .totlen = cpu_to_je32(c->cleanmarker_size),
32362 + .hdr_crc = cpu_to_je32(0)
32365 jffs2_prealloc_raw_node_refs(c, jeb, 1);
32366 diff -urNp linux-2.6.36.2/fs/jffs2/summary.h linux-2.6.36.2/fs/jffs2/summary.h
32367 --- linux-2.6.36.2/fs/jffs2/summary.h 2010-10-20 16:30:22.000000000 -0400
32368 +++ linux-2.6.36.2/fs/jffs2/summary.h 2010-12-09 20:24:40.000000000 -0500
32369 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
32371 #define jffs2_sum_active() (0)
32372 #define jffs2_sum_init(a) (0)
32373 -#define jffs2_sum_exit(a)
32374 -#define jffs2_sum_disable_collecting(a)
32375 +#define jffs2_sum_exit(a) do {} while (0)
32376 +#define jffs2_sum_disable_collecting(a) do {} while (0)
32377 #define jffs2_sum_is_disabled(a) (0)
32378 -#define jffs2_sum_reset_collected(a)
32379 +#define jffs2_sum_reset_collected(a) do {} while (0)
32380 #define jffs2_sum_add_kvec(a,b,c,d) (0)
32381 -#define jffs2_sum_move_collected(a,b)
32382 +#define jffs2_sum_move_collected(a,b) do {} while (0)
32383 #define jffs2_sum_write_sumnode(a) (0)
32384 -#define jffs2_sum_add_padding_mem(a,b)
32385 -#define jffs2_sum_add_inode_mem(a,b,c)
32386 -#define jffs2_sum_add_dirent_mem(a,b,c)
32387 -#define jffs2_sum_add_xattr_mem(a,b,c)
32388 -#define jffs2_sum_add_xref_mem(a,b,c)
32389 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
32390 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
32391 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
32392 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
32393 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
32394 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
32396 #endif /* CONFIG_JFFS2_SUMMARY */
32397 diff -urNp linux-2.6.36.2/fs/jffs2/wbuf.c linux-2.6.36.2/fs/jffs2/wbuf.c
32398 --- linux-2.6.36.2/fs/jffs2/wbuf.c 2010-10-20 16:30:22.000000000 -0400
32399 +++ linux-2.6.36.2/fs/jffs2/wbuf.c 2010-12-09 20:24:40.000000000 -0500
32400 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
32402 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
32403 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
32404 - .totlen = constant_cpu_to_je32(8)
32405 + .totlen = constant_cpu_to_je32(8),
32406 + .hdr_crc = constant_cpu_to_je32(0)
32410 diff -urNp linux-2.6.36.2/fs/Kconfig.binfmt linux-2.6.36.2/fs/Kconfig.binfmt
32411 --- linux-2.6.36.2/fs/Kconfig.binfmt 2010-10-20 16:30:22.000000000 -0400
32412 +++ linux-2.6.36.2/fs/Kconfig.binfmt 2010-12-09 20:24:38.000000000 -0500
32413 @@ -86,7 +86,7 @@ config HAVE_AOUT
32416 tristate "Kernel support for a.out and ECOFF binaries"
32417 - depends on HAVE_AOUT
32418 + depends on HAVE_AOUT && BROKEN
32420 A.out (Assembler.OUTput) is a set of formats for libraries and
32421 executables used in the earliest versions of UNIX. Linux used
32422 diff -urNp linux-2.6.36.2/fs/lockd/svc.c linux-2.6.36.2/fs/lockd/svc.c
32423 --- linux-2.6.36.2/fs/lockd/svc.c 2010-10-20 16:30:22.000000000 -0400
32424 +++ linux-2.6.36.2/fs/lockd/svc.c 2010-12-09 20:24:38.000000000 -0500
32427 static struct svc_program nlmsvc_program;
32429 -struct nlmsvc_binding * nlmsvc_ops;
32430 +const struct nlmsvc_binding * nlmsvc_ops;
32431 EXPORT_SYMBOL_GPL(nlmsvc_ops);
32433 static DEFINE_MUTEX(nlmsvc_mutex);
32434 diff -urNp linux-2.6.36.2/fs/locks.c linux-2.6.36.2/fs/locks.c
32435 --- linux-2.6.36.2/fs/locks.c 2010-10-20 16:30:22.000000000 -0400
32436 +++ linux-2.6.36.2/fs/locks.c 2010-12-09 20:24:41.000000000 -0500
32437 @@ -2008,16 +2008,16 @@ void locks_remove_flock(struct file *fil
32440 if (filp->f_op && filp->f_op->flock) {
32441 - struct file_lock fl = {
32442 + struct file_lock flock = {
32443 .fl_pid = current->tgid,
32445 .fl_flags = FL_FLOCK,
32446 .fl_type = F_UNLCK,
32447 .fl_end = OFFSET_MAX,
32449 - filp->f_op->flock(filp, F_SETLKW, &fl);
32450 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
32451 - fl.fl_ops->fl_release_private(&fl);
32452 + filp->f_op->flock(filp, F_SETLKW, &flock);
32453 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
32454 + flock.fl_ops->fl_release_private(&flock);
32458 diff -urNp linux-2.6.36.2/fs/namei.c linux-2.6.36.2/fs/namei.c
32459 --- linux-2.6.36.2/fs/namei.c 2010-10-20 16:30:22.000000000 -0400
32460 +++ linux-2.6.36.2/fs/namei.c 2010-12-09 20:24:40.000000000 -0500
32461 @@ -221,14 +221,6 @@ int generic_permission(struct inode *ino
32465 - * Read/write DACs are always overridable.
32466 - * Executable DACs are overridable if at least one exec bit is set.
32468 - if (!(mask & MAY_EXEC) || execute_ok(inode))
32469 - if (capable(CAP_DAC_OVERRIDE))
32473 * Searching includes executable on directories, else just read.
32475 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
32476 @@ -236,6 +228,14 @@ int generic_permission(struct inode *ino
32477 if (capable(CAP_DAC_READ_SEARCH))
32481 + * Read/write DACs are always overridable.
32482 + * Executable DACs are overridable if at least one exec bit is set.
32484 + if (!(mask & MAY_EXEC) || execute_ok(inode))
32485 + if (capable(CAP_DAC_OVERRIDE))
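Review bot: The order of the capability tests now carries meaning in generic_permission and in the exec_permission hunk that follows, and neither place explains it. Here the `CAP_DAC_OVERRIDE` block is moved below the `CAP_DAC_READ_SEARCH` test with its comment unchanged. In exec_permission the condition becomes `capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) || capable(CAP_DAC_OVERRIDE)`, where the last call can differ from the first only in what it logs. A comment at each site, for example `/* keep this order: CAP_DAC_READ_SEARCH is tried before CAP_DAC_OVERRIDE on purpose */` plus one sentence on the intended log outcome, would stop a later cleanup from removing the apparent duplicate. capable_nolog is defined elsewhere, so its logging behaviour is inferred from the name, and both functions extend beyond their hunks.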
32491 @@ -473,7 +473,8 @@ static int exec_permission(struct inode
32495 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
32496 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
32497 + capable(CAP_DAC_OVERRIDE))
32501 @@ -542,7 +543,7 @@ __do_follow_link(struct path *path, stru
32502 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
32503 error = PTR_ERR(*p);
32505 - char *s = nd_get_link(nd);
32506 + const char *s = nd_get_link(nd);
32509 error = __vfs_follow_link(nd, s);
32510 @@ -575,6 +576,13 @@ static inline int do_follow_link(struct
32511 err = security_inode_follow_link(path->dentry, nd);
32515 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
32516 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
32521 current->link_count++;
32522 current->total_link_count++;
32524 @@ -967,11 +975,18 @@ return_reval:
32528 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
32529 + path_put(&nd->path);
32534 path_put_conditional(&next, nd);
32537 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
32540 path_put(&nd->path);
32543 @@ -1403,6 +1418,30 @@ int vfs_create(struct inode *dir, struct
32548 + * Note that while the flag value (low two bits) for sys_open means:
32550 + * 01 - write-only
32551 + * 10 - read-write
32553 + * it is changed into
32554 + * 00 - no permissions needed
32555 + * 01 - read-permission
32556 + * 10 - write-permission
32557 + * 11 - read-write
32558 + * for the internal routines (ie open_namei()/follow_link() etc)
32559 + * This is more logical, and also allows the 00 "no perm needed"
32560 + * to be used for symlinks (where the permissions are checked
32564 +static inline int open_to_namei_flags(int flag)
32566 + if ((flag+1) & O_ACCMODE)
32571 int may_open(struct path *path, int acc_mode, int flag)
32573 struct dentry *dentry = path->dentry;
32574 @@ -1451,7 +1490,26 @@ int may_open(struct path *path, int acc_
32576 * Ensure there are no outstanding leases on the file.
32578 - return break_lease(inode, flag);
32579 + error = break_lease(inode, flag);
32583 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
32588 + if (gr_handle_rawio(inode)) {
32593 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
32601 static int handle_truncate(struct path *path)
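Review bot: `break_lease(inode, flag)` now runs before `gr_handle_rofs_blockwrite`, `gr_handle_rawio` and `gr_acl_handle_open`, so an open that one of these checks refuses has already broken leases held on the file by other processes. A denied open should leave the file untouched. I would move the three policy checks above the lease break and keep `return break_lease(inode, flag);` as the function's last statement. The error assignments between the visible lines are not shown here, so confirm that none of the checks depends on the result of `break_lease`. may_open begins outside the hunk.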
32602 @@ -1485,6 +1543,12 @@ static int __open_namei_create(struct na
32605 struct dentry *dir = nd->path.dentry;
32606 + int flag = open_to_namei_flags(open_flag);
32608 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
32613 if (!IS_POSIXACL(dir->d_inode))
32614 mode &= ~current_umask();
32615 @@ -1492,6 +1556,8 @@ static int __open_namei_create(struct na
32618 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
32620 + gr_handle_create(path->dentry, nd->path.mnt);
32622 mutex_unlock(&dir->d_inode->i_mutex);
32623 dput(nd->path.dentry);
32624 @@ -1502,30 +1568,6 @@ out_unlock:
32625 return may_open(&nd->path, 0, open_flag & ~O_TRUNC);
32629 - * Note that while the flag value (low two bits) for sys_open means:
32631 - * 01 - write-only
32632 - * 10 - read-write
32634 - * it is changed into
32635 - * 00 - no permissions needed
32636 - * 01 - read-permission
32637 - * 10 - write-permission
32638 - * 11 - read-write
32639 - * for the internal routines (ie open_namei()/follow_link() etc)
32640 - * This is more logical, and also allows the 00 "no perm needed"
32641 - * to be used for symlinks (where the permissions are checked
32645 -static inline int open_to_namei_flags(int flag)
32647 - if ((flag+1) & O_ACCMODE)
32652 static int open_will_truncate(int flag, struct inode *inode)
32655 @@ -1594,6 +1636,7 @@ static struct file *do_last(struct namei
32656 int mode, const char *pathname)
32658 struct dentry *dir = nd->path.dentry;
32659 + int flag = open_to_namei_flags(open_flag);
32661 int error = -EISDIR;
32663 @@ -1642,6 +1685,7 @@ static struct file *do_last(struct namei
32665 path_to_nameidata(path, nd);
32666 audit_inode(pathname, nd->path.dentry);
32671 @@ -1694,6 +1738,14 @@ static struct file *do_last(struct namei
32673 * It already exists.
32676 + /* only check if O_CREAT is specified, all other checks need to go
32678 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
32680 + goto exit_mutex_unlock;
32683 mutex_unlock(&dir->d_inode->i_mutex);
32684 audit_inode(pathname, path->dentry);
32686 @@ -2014,6 +2066,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32687 error = may_mknod(mode);
32691 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
32696 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
32701 error = mnt_want_write(nd.path.mnt);
32704 @@ -2034,6 +2097,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32707 mnt_drop_write(nd.path.mnt);
32710 + gr_handle_create(dentry, nd.path.mnt);
32714 @@ -2086,6 +2152,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32715 if (IS_ERR(dentry))
32718 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
32723 if (!IS_POSIXACL(nd.path.dentry->d_inode))
32724 mode &= ~current_umask();
32725 error = mnt_want_write(nd.path.mnt);
32726 @@ -2097,6 +2168,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32727 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
32729 mnt_drop_write(nd.path.mnt);
32732 + gr_handle_create(dentry, nd.path.mnt);
32737 @@ -2178,6 +2253,8 @@ static long do_rmdir(int dfd, const char
32739 struct dentry *dentry;
32740 struct nameidata nd;
32741 + ino_t saved_ino = 0;
32742 + dev_t saved_dev = 0;
32744 error = user_path_parent(dfd, pathname, &nd, &name);
32746 @@ -2202,6 +2279,19 @@ static long do_rmdir(int dfd, const char
32747 error = PTR_ERR(dentry);
32748 if (IS_ERR(dentry))
32751 + if (dentry->d_inode != NULL) {
32752 + if (dentry->d_inode->i_nlink <= 1) {
32753 + saved_ino = dentry->d_inode->i_ino;
32754 + saved_dev = dentry->d_inode->i_sb->s_dev;
32757 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
32763 error = mnt_want_write(nd.path.mnt);
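Review bot: In do_rmdir() the inode and device numbers are saved only when `dentry->d_inode->i_nlink <= 1`, and the next hunk calls `gr_handle_delete(saved_ino, saved_dev)` only if one of them is non-zero. On a filesystem that keeps a link count of 2 for an empty directory, that test would not hold, so the delete notification would presumably be skipped after a successful `vfs_rmdir()`. The same `i_nlink` test appears in the do_unlinkat() hunk, where it fits files that can have other hard links. Consider saving the identifiers unconditionally here (`saved_ino = dentry->d_inode->i_ino; saved_dev = dentry->d_inode->i_sb->s_dev;`) and tracking "was set" with a separate flag instead of `saved_dev || saved_ino`. How gr_handle_delete() uses the values is not visible on this page.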
32766 @@ -2209,6 +2299,8 @@ static long do_rmdir(int dfd, const char
32769 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
32770 + if (!error && (saved_dev || saved_ino))
32771 + gr_handle_delete(saved_ino, saved_dev);
32773 mnt_drop_write(nd.path.mnt);
32775 @@ -2271,6 +2363,8 @@ static long do_unlinkat(int dfd, const c
32776 struct dentry *dentry;
32777 struct nameidata nd;
32778 struct inode *inode = NULL;
32779 + ino_t saved_ino = 0;
32780 + dev_t saved_dev = 0;
32782 error = user_path_parent(dfd, pathname, &nd, &name);
32784 @@ -2290,8 +2384,19 @@ static long do_unlinkat(int dfd, const c
32785 if (nd.last.name[nd.last.len])
32787 inode = dentry->d_inode;
32790 + if (inode->i_nlink <= 1) {
32791 + saved_ino = inode->i_ino;
32792 + saved_dev = inode->i_sb->s_dev;
32795 atomic_inc(&inode->i_count);
32797 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
32802 error = mnt_want_write(nd.path.mnt);
32805 @@ -2299,6 +2404,8 @@ static long do_unlinkat(int dfd, const c
32808 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
32809 + if (!error && (saved_ino || saved_dev))
32810 + gr_handle_delete(saved_ino, saved_dev);
32812 mnt_drop_write(nd.path.mnt);
32814 @@ -2376,6 +2483,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
32815 if (IS_ERR(dentry))
32818 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
32823 error = mnt_want_write(nd.path.mnt);
32826 @@ -2383,6 +2495,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
32828 goto out_drop_write;
32829 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
32831 + gr_handle_create(dentry, nd.path.mnt);
32833 mnt_drop_write(nd.path.mnt);
32835 @@ -2475,6 +2589,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32836 error = PTR_ERR(new_dentry);
32837 if (IS_ERR(new_dentry))
32840 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
32841 + old_path.dentry->d_inode,
32842 + old_path.dentry->d_inode->i_mode, to)) {
32847 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
32848 + old_path.dentry, old_path.mnt, to)) {
32853 error = mnt_want_write(nd.path.mnt);
32856 @@ -2482,6 +2610,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32858 goto out_drop_write;
32859 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
32861 + gr_handle_create(new_dentry, nd.path.mnt);
32863 mnt_drop_write(nd.path.mnt);
32865 @@ -2715,6 +2845,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32866 if (new_dentry == trap)
32869 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
32870 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
32875 error = mnt_want_write(oldnd.path.mnt);
32878 @@ -2724,6 +2860,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32880 error = vfs_rename(old_dir->d_inode, old_dentry,
32881 new_dir->d_inode, new_dentry);
32883 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
32884 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
32886 mnt_drop_write(oldnd.path.mnt);
32888 diff -urNp linux-2.6.36.2/fs/namespace.c linux-2.6.36.2/fs/namespace.c
32889 --- linux-2.6.36.2/fs/namespace.c 2010-10-20 16:30:22.000000000 -0400
32890 +++ linux-2.6.36.2/fs/namespace.c 2010-12-09 20:24:41.000000000 -0500
32891 @@ -1142,6 +1142,9 @@ static int do_umount(struct vfsmount *mn
32892 if (!(sb->s_flags & MS_RDONLY))
32893 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
32894 up_write(&sb->s_umount);
32896 + gr_log_remount(mnt->mnt_devname, retval);
32901 @@ -1161,6 +1164,9 @@ static int do_umount(struct vfsmount *mn
32902 br_write_unlock(vfsmount_lock);
32903 up_write(&namespace_sem);
32904 release_mounts(&umount_list);
32906 + gr_log_unmount(mnt->mnt_devname, retval);
32911 @@ -2056,6 +2062,16 @@ long do_mount(char *dev_name, char *dir_
32912 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
32915 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
32920 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
32925 if (flags & MS_REMOUNT)
32926 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
32928 @@ -2070,6 +2086,9 @@ long do_mount(char *dev_name, char *dir_
32929 dev_name, data_page);
32933 + gr_log_mount(dev_name, dir_name, retval);
32938 @@ -2276,6 +2295,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
32942 + if (gr_handle_chroot_pivot()) {
32948 get_fs_root(current->fs, &root);
32949 down_write(&namespace_sem);
32950 mutex_lock(&old.dentry->d_inode->i_mutex);
32951 diff -urNp linux-2.6.36.2/fs/nfs/inode.c linux-2.6.36.2/fs/nfs/inode.c
32952 --- linux-2.6.36.2/fs/nfs/inode.c 2010-10-20 16:30:22.000000000 -0400
32953 +++ linux-2.6.36.2/fs/nfs/inode.c 2010-12-09 20:24:37.000000000 -0500
32954 @@ -982,16 +982,16 @@ static int nfs_size_need_update(const st
32955 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
32958 -static atomic_long_t nfs_attr_generation_counter;
32959 +static atomic_long_unchecked_t nfs_attr_generation_counter;
32961 static unsigned long nfs_read_attr_generation_counter(void)
32963 - return atomic_long_read(&nfs_attr_generation_counter);
32964 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
32967 unsigned long nfs_inc_attr_generation_counter(void)
32969 - return atomic_long_inc_return(&nfs_attr_generation_counter);
32970 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
32973 void nfs_fattr_init(struct nfs_fattr *fattr)
32974 diff -urNp linux-2.6.36.2/fs/nfs/nfs4proc.c linux-2.6.36.2/fs/nfs/nfs4proc.c
32975 --- linux-2.6.36.2/fs/nfs/nfs4proc.c 2010-12-09 20:53:48.000000000 -0500
32976 +++ linux-2.6.36.2/fs/nfs/nfs4proc.c 2010-12-09 20:54:38.000000000 -0500
32977 @@ -1184,7 +1184,7 @@ static int _nfs4_do_open_reclaim(struct
32978 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
32980 struct nfs_server *server = NFS_SERVER(state->inode);
32981 - struct nfs4_exception exception = { };
32982 + struct nfs4_exception exception = {0, 0};
32985 err = _nfs4_do_open_reclaim(ctx, state);
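Review bot: The positional `{0, 0}` that replaces `{ }` ties each of these initialisers to `struct nfs4_exception` starting with two scalar members, and the struct definition is not shown in this file's hunks. `struct nfs4_exception exception = { 0 };` is standard C, zero-fills every remaining member in the same way, and would survive a field being added or reordered. The remaining hunks in fs/nfs/nfs4proc.c make the identical change and the same remark applies to each of them.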
32986 @@ -1226,7 +1226,7 @@ static int _nfs4_open_delegation_recall(
32988 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
32990 - struct nfs4_exception exception = { };
32991 + struct nfs4_exception exception = {0, 0};
32992 struct nfs_server *server = NFS_SERVER(state->inode);
32995 @@ -1595,7 +1595,7 @@ static int _nfs4_open_expired(struct nfs
32996 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
32998 struct nfs_server *server = NFS_SERVER(state->inode);
32999 - struct nfs4_exception exception = { };
33000 + struct nfs4_exception exception = {0, 0};
33004 @@ -1711,7 +1711,7 @@ out_err:
33006 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
33008 - struct nfs4_exception exception = { };
33009 + struct nfs4_exception exception = {0, 0};
33010 struct nfs4_state *res;
33013 @@ -1802,7 +1802,7 @@ static int nfs4_do_setattr(struct inode
33014 struct nfs4_state *state)
33016 struct nfs_server *server = NFS_SERVER(inode);
33017 - struct nfs4_exception exception = { };
33018 + struct nfs4_exception exception = {0, 0};
33021 err = nfs4_handle_exception(server,
33022 @@ -2179,7 +2179,7 @@ static int _nfs4_server_capabilities(str
33024 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
33026 - struct nfs4_exception exception = { };
33027 + struct nfs4_exception exception = {0, 0};
33030 err = nfs4_handle_exception(server,
33031 @@ -2213,7 +2213,7 @@ static int _nfs4_lookup_root(struct nfs_
33032 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
33033 struct nfs_fsinfo *info)
33035 - struct nfs4_exception exception = { };
33036 + struct nfs4_exception exception = {0, 0};
33039 err = nfs4_handle_exception(server,
33040 @@ -2301,7 +2301,7 @@ static int _nfs4_proc_getattr(struct nfs
33042 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
33044 - struct nfs4_exception exception = { };
33045 + struct nfs4_exception exception = {0, 0};
33048 err = nfs4_handle_exception(server,
33049 @@ -2389,7 +2389,7 @@ static int nfs4_proc_lookupfh(struct nfs
33050 struct qstr *name, struct nfs_fh *fhandle,
33051 struct nfs_fattr *fattr)
33053 - struct nfs4_exception exception = { };
33054 + struct nfs4_exception exception = {0, 0};
33057 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
33058 @@ -2418,7 +2418,7 @@ static int _nfs4_proc_lookup(struct inod
33060 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
33062 - struct nfs4_exception exception = { };
33063 + struct nfs4_exception exception = {0, 0};
33066 err = nfs4_handle_exception(NFS_SERVER(dir),
33067 @@ -2485,7 +2485,7 @@ static int _nfs4_proc_access(struct inod
33069 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
33071 - struct nfs4_exception exception = { };
33072 + struct nfs4_exception exception = {0, 0};
33075 err = nfs4_handle_exception(NFS_SERVER(inode),
33076 @@ -2541,7 +2541,7 @@ static int _nfs4_proc_readlink(struct in
33077 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
33078 unsigned int pgbase, unsigned int pglen)
33080 - struct nfs4_exception exception = { };
33081 + struct nfs4_exception exception = {0, 0};
33084 err = nfs4_handle_exception(NFS_SERVER(inode),
33085 @@ -2637,7 +2637,7 @@ out:
33087 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
33089 - struct nfs4_exception exception = { };
33090 + struct nfs4_exception exception = {0, 0};
33093 err = nfs4_handle_exception(NFS_SERVER(dir),
33094 @@ -2713,7 +2713,7 @@ out:
33095 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
33096 struct inode *new_dir, struct qstr *new_name)
33098 - struct nfs4_exception exception = { };
33099 + struct nfs4_exception exception = {0, 0};
33102 err = nfs4_handle_exception(NFS_SERVER(old_dir),
33103 @@ -2762,7 +2762,7 @@ out:
33105 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
33107 - struct nfs4_exception exception = { };
33108 + struct nfs4_exception exception = {0, 0};
33111 err = nfs4_handle_exception(NFS_SERVER(inode),
33112 @@ -2854,7 +2854,7 @@ out:
33113 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
33114 struct page *page, unsigned int len, struct iattr *sattr)
33116 - struct nfs4_exception exception = { };
33117 + struct nfs4_exception exception = {0, 0};
33120 err = nfs4_handle_exception(NFS_SERVER(dir),
33121 @@ -2885,7 +2885,7 @@ out:
33122 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
33123 struct iattr *sattr)
33125 - struct nfs4_exception exception = { };
33126 + struct nfs4_exception exception = {0, 0};
33129 err = nfs4_handle_exception(NFS_SERVER(dir),
33130 @@ -2934,7 +2934,7 @@ static int _nfs4_proc_readdir(struct den
33131 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
33132 u64 cookie, struct page *page, unsigned int count, int plus)
33134 - struct nfs4_exception exception = { };
33135 + struct nfs4_exception exception = {0, 0};
33138 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
33139 @@ -2982,7 +2982,7 @@ out:
33140 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
33141 struct iattr *sattr, dev_t rdev)
33143 - struct nfs4_exception exception = { };
33144 + struct nfs4_exception exception = {0, 0};
33147 err = nfs4_handle_exception(NFS_SERVER(dir),
33148 @@ -3014,7 +3014,7 @@ static int _nfs4_proc_statfs(struct nfs_
33150 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
33152 - struct nfs4_exception exception = { };
33153 + struct nfs4_exception exception = {0, 0};
33156 err = nfs4_handle_exception(server,
33157 @@ -3045,7 +3045,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
33159 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
33161 - struct nfs4_exception exception = { };
33162 + struct nfs4_exception exception = {0, 0};
33166 @@ -3091,7 +3091,7 @@ static int _nfs4_proc_pathconf(struct nf
33167 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
33168 struct nfs_pathconf *pathconf)
33170 - struct nfs4_exception exception = { };
33171 + struct nfs4_exception exception = {0, 0};
33175 @@ -3408,7 +3408,7 @@ out_free:
33177 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
33179 - struct nfs4_exception exception = { };
33180 + struct nfs4_exception exception = {0, 0};
33183 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
33184 @@ -3464,7 +3464,7 @@ static int __nfs4_proc_set_acl(struct in
33186 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
33188 - struct nfs4_exception exception = { };
33189 + struct nfs4_exception exception = {0, 0};
33192 err = nfs4_handle_exception(NFS_SERVER(inode),
33193 @@ -3746,7 +3746,7 @@ out:
33194 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
33196 struct nfs_server *server = NFS_SERVER(inode);
33197 - struct nfs4_exception exception = { };
33198 + struct nfs4_exception exception = {0, 0};
33201 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
33202 @@ -3819,7 +3819,7 @@ out:
33204 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
33206 - struct nfs4_exception exception = { };
33207 + struct nfs4_exception exception = {0, 0};
33211 @@ -4230,7 +4230,7 @@ static int _nfs4_do_setlk(struct nfs4_st
33212 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
33214 struct nfs_server *server = NFS_SERVER(state->inode);
33215 - struct nfs4_exception exception = { };
33216 + struct nfs4_exception exception = {0, 0};
33220 @@ -4248,7 +4248,7 @@ static int nfs4_lock_reclaim(struct nfs4
33221 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
33223 struct nfs_server *server = NFS_SERVER(state->inode);
33224 - struct nfs4_exception exception = { };
33225 + struct nfs4_exception exception = {0, 0};
33228 err = nfs4_set_lock_state(state, request);
33229 @@ -4313,7 +4313,7 @@ out:
33231 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
33233 - struct nfs4_exception exception = { };
33234 + struct nfs4_exception exception = {0, 0};
33238 @@ -4373,7 +4373,7 @@ nfs4_proc_lock(struct file *filp, int cm
33239 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
33241 struct nfs_server *server = NFS_SERVER(state->inode);
33242 - struct nfs4_exception exception = { };
33243 + struct nfs4_exception exception = {0, 0};
33246 err = nfs4_set_lock_state(state, fl);
33247 diff -urNp linux-2.6.36.2/fs/nfsd/lockd.c linux-2.6.36.2/fs/nfsd/lockd.c
33248 --- linux-2.6.36.2/fs/nfsd/lockd.c 2010-10-20 16:30:22.000000000 -0400
33249 +++ linux-2.6.36.2/fs/nfsd/lockd.c 2010-12-09 20:24:36.000000000 -0500
33250 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
33254 -static struct nlmsvc_binding nfsd_nlm_ops = {
33255 +static const struct nlmsvc_binding nfsd_nlm_ops = {
33256 .fopen = nlm_fopen, /* open file for locking */
33257 .fclose = nlm_fclose, /* close file */
33259 diff -urNp linux-2.6.36.2/fs/nfsd/nfsctl.c linux-2.6.36.2/fs/nfsd/nfsctl.c
33260 --- linux-2.6.36.2/fs/nfsd/nfsctl.c 2010-10-20 16:30:22.000000000 -0400
33261 +++ linux-2.6.36.2/fs/nfsd/nfsctl.c 2010-12-09 20:24:36.000000000 -0500
33262 @@ -163,7 +163,7 @@ static int export_features_open(struct i
33263 return single_open(file, export_features_show, NULL);
33266 -static struct file_operations export_features_operations = {
33267 +static const struct file_operations export_features_operations = {
33268 .open = export_features_open,
33270 .llseek = seq_lseek,
33271 diff -urNp linux-2.6.36.2/fs/nfsd/vfs.c linux-2.6.36.2/fs/nfsd/vfs.c
33272 --- linux-2.6.36.2/fs/nfsd/vfs.c 2010-10-20 16:30:22.000000000 -0400
33273 +++ linux-2.6.36.2/fs/nfsd/vfs.c 2010-12-09 20:24:36.000000000 -0500
33274 @@ -926,7 +926,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
33278 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
33279 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
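Review bot: The added `__force` cast to `struct iovec __user *` carries no comment saying why a kernel pointer may be passed where a user pointer is expected. In the nfsd_vfs_write() and nfsd_readlink() hunks below, the call directly follows `set_fs(KERNEL_DS)`, which is what makes the cast legitimate. A short comment at each site, for example `/* kernel buffer; only valid while KERNEL_DS is in effect */`, would stop the annotation being copied to a place where that does not hold. Whether the same `set_fs()` precedes this call in nfsd_vfs_read() is not visible in the hunk.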
33283 @@ -1039,7 +1039,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
33285 /* Write the data. */
33286 oldfs = get_fs(); set_fs(KERNEL_DS);
33287 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
33288 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
33292 @@ -1556,7 +1556,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
33295 oldfs = get_fs(); set_fs(KERNEL_DS);
33296 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
33297 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
33301 diff -urNp linux-2.6.36.2/fs/nls/nls_base.c linux-2.6.36.2/fs/nls/nls_base.c
33302 --- linux-2.6.36.2/fs/nls/nls_base.c 2010-10-20 16:30:22.000000000 -0400
33303 +++ linux-2.6.36.2/fs/nls/nls_base.c 2010-12-09 20:24:40.000000000 -0500
33304 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
33305 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
33306 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
33307 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
33308 - {0, /* end of table */}
33309 + {0, 0, 0, 0, 0, /* end of table */}
33312 #define UNICODE_MAX 0x0010ffff
33313 diff -urNp linux-2.6.36.2/fs/ntfs/dir.c linux-2.6.36.2/fs/ntfs/dir.c
33314 --- linux-2.6.36.2/fs/ntfs/dir.c 2010-10-20 16:30:22.000000000 -0400
33315 +++ linux-2.6.36.2/fs/ntfs/dir.c 2010-12-09 20:24:42.000000000 -0500
33316 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
33317 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
33318 ~(s64)(ndir->itype.index.block_size - 1)));
33319 /* Bounds checks. */
33320 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
33321 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
33322 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
33323 "inode 0x%lx or driver bug.", vdir->i_ino);
33325 diff -urNp linux-2.6.36.2/fs/ntfs/file.c linux-2.6.36.2/fs/ntfs/file.c
33326 --- linux-2.6.36.2/fs/ntfs/file.c 2010-10-20 16:30:22.000000000 -0400
33327 +++ linux-2.6.36.2/fs/ntfs/file.c 2010-12-09 20:24:42.000000000 -0500
33328 @@ -2223,6 +2223,6 @@ const struct inode_operations ntfs_file_
33329 #endif /* NTFS_RW */
33332 -const struct file_operations ntfs_empty_file_ops = {};
33333 +const struct file_operations ntfs_empty_file_ops __read_only;
33335 -const struct inode_operations ntfs_empty_inode_ops = {};
33336 +const struct inode_operations ntfs_empty_inode_ops __read_only;
33337 diff -urNp linux-2.6.36.2/fs/ocfs2/localalloc.c linux-2.6.36.2/fs/ocfs2/localalloc.c
33338 --- linux-2.6.36.2/fs/ocfs2/localalloc.c 2010-10-20 16:30:22.000000000 -0400
33339 +++ linux-2.6.36.2/fs/ocfs2/localalloc.c 2010-12-09 20:24:38.000000000 -0500
33340 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
33344 - atomic_inc(&osb->alloc_stats.moves);
33345 + atomic_inc_unchecked(&osb->alloc_stats.moves);
33349 diff -urNp linux-2.6.36.2/fs/ocfs2/ocfs2.h linux-2.6.36.2/fs/ocfs2/ocfs2.h
33350 --- linux-2.6.36.2/fs/ocfs2/ocfs2.h 2010-10-20 16:30:22.000000000 -0400
33351 +++ linux-2.6.36.2/fs/ocfs2/ocfs2.h 2010-12-09 20:24:38.000000000 -0500
33352 @@ -223,11 +223,11 @@ enum ocfs2_vol_state
33354 struct ocfs2_alloc_stats
33357 - atomic_t local_data;
33358 - atomic_t bitmap_data;
33359 - atomic_t bg_allocs;
33360 - atomic_t bg_extends;
33361 + atomic_unchecked_t moves;
33362 + atomic_unchecked_t local_data;
33363 + atomic_unchecked_t bitmap_data;
33364 + atomic_unchecked_t bg_allocs;
33365 + atomic_unchecked_t bg_extends;
33368 enum ocfs2_local_alloc_state
33369 diff -urNp linux-2.6.36.2/fs/ocfs2/suballoc.c linux-2.6.36.2/fs/ocfs2/suballoc.c
33370 --- linux-2.6.36.2/fs/ocfs2/suballoc.c 2010-10-20 16:30:22.000000000 -0400
33371 +++ linux-2.6.36.2/fs/ocfs2/suballoc.c 2010-12-09 20:24:38.000000000 -0500
33372 @@ -877,7 +877,7 @@ static int ocfs2_reserve_suballoc_bits(s
33373 mlog_errno(status);
33376 - atomic_inc(&osb->alloc_stats.bg_extends);
33377 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
33379 /* You should never ask for this much metadata */
33380 BUG_ON(bits_wanted >
33381 @@ -2004,7 +2004,7 @@ int ocfs2_claim_metadata(handle_t *handl
33382 mlog_errno(status);
33385 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33386 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33388 *suballoc_loc = res.sr_bg_blkno;
33389 *suballoc_bit_start = res.sr_bit_offset;
33390 @@ -2211,7 +2211,7 @@ int ocfs2_claim_new_inode(handle_t *hand
33391 mlog_errno(status);
33394 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33395 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33397 BUG_ON(res.sr_bits != 1);
33399 @@ -2316,7 +2316,7 @@ int __ocfs2_claim_clusters(handle_t *han
33403 - atomic_inc(&osb->alloc_stats.local_data);
33404 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
33406 if (min_clusters > (osb->bitmap_cpg - 1)) {
33407 /* The only paths asking for contiguousness
33408 @@ -2342,7 +2342,7 @@ int __ocfs2_claim_clusters(handle_t *han
33409 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
33411 res.sr_bit_offset);
33412 - atomic_inc(&osb->alloc_stats.bitmap_data);
33413 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
33414 *num_clusters = res.sr_bits;
33417 diff -urNp linux-2.6.36.2/fs/ocfs2/super.c linux-2.6.36.2/fs/ocfs2/super.c
33418 --- linux-2.6.36.2/fs/ocfs2/super.c 2010-10-20 16:30:22.000000000 -0400
33419 +++ linux-2.6.36.2/fs/ocfs2/super.c 2010-12-09 20:24:38.000000000 -0500
33420 @@ -292,11 +292,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
33421 "%10s => GlobalAllocs: %d LocalAllocs: %d "
33422 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
33424 - atomic_read(&osb->alloc_stats.bitmap_data),
33425 - atomic_read(&osb->alloc_stats.local_data),
33426 - atomic_read(&osb->alloc_stats.bg_allocs),
33427 - atomic_read(&osb->alloc_stats.moves),
33428 - atomic_read(&osb->alloc_stats.bg_extends));
33429 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
33430 + atomic_read_unchecked(&osb->alloc_stats.local_data),
33431 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
33432 + atomic_read_unchecked(&osb->alloc_stats.moves),
33433 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
33435 out += snprintf(buf + out, len - out,
33436 "%10s => State: %u Descriptor: %llu Size: %u bits "
33437 @@ -2046,11 +2046,11 @@ static int ocfs2_initialize_super(struct
33438 spin_lock_init(&osb->osb_xattr_lock);
33439 ocfs2_init_steal_slots(osb);
33441 - atomic_set(&osb->alloc_stats.moves, 0);
33442 - atomic_set(&osb->alloc_stats.local_data, 0);
33443 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
33444 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
33445 - atomic_set(&osb->alloc_stats.bg_extends, 0);
33446 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
33447 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
33448 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
33449 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
33450 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
33452 /* Copy the blockcheck stats from the superblock probe */
33453 osb->osb_ecc_stats = *stats;
33454 diff -urNp linux-2.6.36.2/fs/ocfs2/symlink.c linux-2.6.36.2/fs/ocfs2/symlink.c
33455 --- linux-2.6.36.2/fs/ocfs2/symlink.c 2010-10-20 16:30:22.000000000 -0400
33456 +++ linux-2.6.36.2/fs/ocfs2/symlink.c 2010-12-09 20:24:38.000000000 -0500
33457 @@ -148,7 +148,7 @@ bail:
33459 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
33461 - char *link = nd_get_link(nd);
33462 + const char *link = nd_get_link(nd);
33466 diff -urNp linux-2.6.36.2/fs/open.c linux-2.6.36.2/fs/open.c
33467 --- linux-2.6.36.2/fs/open.c 2010-10-20 16:30:22.000000000 -0400
33468 +++ linux-2.6.36.2/fs/open.c 2010-12-09 20:24:41.000000000 -0500
33469 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
33470 error = locks_verify_truncate(inode, NULL, length);
33472 error = security_path_truncate(&path);
33474 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
33478 error = do_truncate(path.dentry, length, 0, NULL);
33480 @@ -345,6 +349,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
33481 if (__mnt_is_readonly(path.mnt))
33484 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
33490 @@ -371,6 +378,8 @@ SYSCALL_DEFINE1(chdir, const char __user
33494 + gr_log_chdir(path.dentry, path.mnt);
33496 set_fs_pwd(current->fs, &path);
33499 @@ -397,6 +406,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
33502 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
33504 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
33508 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
33511 set_fs_pwd(current->fs, &file->f_path);
33513 @@ -425,7 +441,18 @@ SYSCALL_DEFINE1(chroot, const char __use
33517 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
33518 + goto dput_and_out;
33520 + if (gr_handle_chroot_caps(&path)) {
33522 + goto dput_and_out;
33525 set_fs_root(current->fs, &path);
33527 + gr_handle_chroot_chdir(&path);
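Review bot: The `gr_handle_chroot_chroot()` branch jumps to `dput_and_out` without assigning `error`, whereas the `gr_handle_chroot_caps()` branch below it appears to set one (a line is elided between its test and its `goto`). The value returned on the first path therefore depends on what `error` holds from the code before the hunk. If the preceding statement is a check that leaves `error` at 0 on success, a refused chroot would be reported to the caller as having succeeded. Setting it explicitly, e.g. `error = -EPERM;` before the first `goto dput_and_out;`, removes that dependency. The syscall body begins outside the hunk, so this needs confirming against the full function.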
33532 @@ -453,12 +480,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
33533 err = mnt_want_write_file(file);
33537 mutex_lock(&inode->i_mutex);
33539 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
33544 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
33547 if (mode == (mode_t) -1)
33548 mode = inode->i_mode;
33550 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
33555 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
33556 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
33557 err = notify_change(dentry, &newattrs);
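Review bot: `gr_acl_handle_fchmod()` is called with the caller's raw `mode`, before `if (mode == (mode_t) -1) mode = inode->i_mode;` normalises it, while `gr_handle_chroot_chmod()` further down receives the normalised value. Unless the ACL hook treats `(mode_t) -1` specially (not visible here), it evaluates a mode with every bit set rather than the mode that `notify_change()` actually applies. Placing the ACL check after the normalisation, next to the chroot check, would make both hooks see the same value. The fchmodat hunk that follows has the same ordering with `gr_acl_handle_chmod()`.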
33558 @@ -486,12 +526,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
33559 error = mnt_want_write(path.mnt);
33563 mutex_lock(&inode->i_mutex);
33565 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
33570 error = security_path_chmod(path.dentry, path.mnt, mode);
33573 if (mode == (mode_t) -1)
33574 mode = inode->i_mode;
33576 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
33581 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
33582 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
33583 error = notify_change(path.dentry, &newattrs);
33584 @@ -515,6 +568,9 @@ static int chown_common(struct path *pat
33586 struct iattr newattrs;
33588 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
33591 newattrs.ia_valid = ATTR_CTIME;
33592 if (user != (uid_t) -1) {
33593 newattrs.ia_valid |= ATTR_UID;
33594 diff -urNp linux-2.6.36.2/fs/pipe.c linux-2.6.36.2/fs/pipe.c
33595 --- linux-2.6.36.2/fs/pipe.c 2010-12-09 20:53:48.000000000 -0500
33596 +++ linux-2.6.36.2/fs/pipe.c 2010-12-09 20:54:38.000000000 -0500
33597 @@ -420,9 +420,9 @@ redo:
33599 if (bufs) /* More to do? */
33601 - if (!pipe->writers)
33602 + if (!atomic_read(&pipe->writers))
33604 - if (!pipe->waiting_writers) {
33605 + if (!atomic_read(&pipe->waiting_writers)) {
33606 /* syscall merging: Usually we must not sleep
33607 * if O_NONBLOCK is set, or if we got some data.
33608 * But if a writer sleeps in kernel space, then
33609 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
33610 mutex_lock(&inode->i_mutex);
33611 pipe = inode->i_pipe;
33613 - if (!pipe->readers) {
33614 + if (!atomic_read(&pipe->readers)) {
33615 send_sig(SIGPIPE, current, 0);
33618 @@ -530,7 +530,7 @@ redo1:
33622 - if (!pipe->readers) {
33623 + if (!atomic_read(&pipe->readers)) {
33624 send_sig(SIGPIPE, current, 0);
33627 @@ -616,9 +616,9 @@ redo2:
33628 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
33631 - pipe->waiting_writers++;
33632 + atomic_inc(&pipe->waiting_writers);
33634 - pipe->waiting_writers--;
33635 + atomic_dec(&pipe->waiting_writers);
33638 mutex_unlock(&inode->i_mutex);
33639 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
33641 if (filp->f_mode & FMODE_READ) {
33642 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
33643 - if (!pipe->writers && filp->f_version != pipe->w_counter)
33644 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
33648 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
33649 * Most Unices do not set POLLERR for FIFOs but on Linux they
33650 * behave exactly like pipes for poll().
33652 - if (!pipe->readers)
33653 + if (!atomic_read(&pipe->readers))
33657 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
33659 mutex_lock(&inode->i_mutex);
33660 pipe = inode->i_pipe;
33661 - pipe->readers -= decr;
33662 - pipe->writers -= decw;
33663 + atomic_sub(decr, &pipe->readers);
33664 + atomic_sub(decw, &pipe->writers);
33666 - if (!pipe->readers && !pipe->writers) {
33667 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
33668 free_pipe_info(inode);
33670 wake_up_interruptible_sync(&pipe->wait);
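Review bot: Nothing in these hunks says why `readers`, `writers` and `waiting_writers` become atomic_t. Every update visible in fs/pipe.c (here and in pipe_read_open, pipe_write_open and pipe_rdwr_open) still sits next to `mutex_lock(&inode->i_mutex)` / `mutex_unlock`, so the mutex already serialises them. If the purpose is overflow detection on the counters (other hunks in this patch switch to `_unchecked` variants, which suggests the plain operations are checked), the field declarations, which are not in this chunk, should carry a comment such as `/* atomic_t for overflow detection; updates still serialised by i_mutex */`. pipe_release continues outside the hunk.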
33671 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
33673 if (inode->i_pipe) {
33675 - inode->i_pipe->readers++;
33676 + atomic_inc(&inode->i_pipe->readers);
33679 mutex_unlock(&inode->i_mutex);
33680 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
33682 if (inode->i_pipe) {
33684 - inode->i_pipe->writers++;
33685 + atomic_inc(&inode->i_pipe->writers);
33688 mutex_unlock(&inode->i_mutex);
33689 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
33690 if (inode->i_pipe) {
33692 if (filp->f_mode & FMODE_READ)
33693 - inode->i_pipe->readers++;
33694 + atomic_inc(&inode->i_pipe->readers);
33695 if (filp->f_mode & FMODE_WRITE)
33696 - inode->i_pipe->writers++;
33697 + atomic_inc(&inode->i_pipe->writers);
33700 mutex_unlock(&inode->i_mutex);
33701 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
33702 inode->i_pipe = NULL;
33705 -static struct vfsmount *pipe_mnt __read_mostly;
33706 +struct vfsmount *pipe_mnt __read_mostly;
33709 * pipefs_dname() is called from d_path().
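Review bot: Dropping `static` gives `pipe_mnt` external linkage, but no `extern` declaration and no user outside fs/pipe.c is visible in this chunk. The declaration belongs in a header with a comment naming the code that needs the mount, e.g. `extern struct vfsmount *pipe_mnt; /* used by <caller outside fs/pipe.c> */` with the real user filled in. If no such user exists the symbol should stay `static`, so that the mount pointer is not reachable from unrelated code.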
33710 @@ -959,7 +959,8 @@ static struct inode * get_pipe_inode(voi
33712 inode->i_pipe = pipe;
33714 - pipe->readers = pipe->writers = 1;
33715 + atomic_set(&pipe->readers, 1);
33716 + atomic_set(&pipe->writers, 1);
33717 inode->i_fop = &rdwr_pipefifo_fops;
33720 diff -urNp linux-2.6.36.2/fs/proc/array.c linux-2.6.36.2/fs/proc/array.c
33721 --- linux-2.6.36.2/fs/proc/array.c 2010-10-20 16:30:22.000000000 -0400
33722 +++ linux-2.6.36.2/fs/proc/array.c 2010-12-09 20:24:41.000000000 -0500
33724 #include <linux/tty.h>
33725 #include <linux/string.h>
33726 #include <linux/mman.h>
33727 +#include <linux/grsecurity.h>
33728 #include <linux/proc_fs.h>
33729 #include <linux/ioport.h>
33730 #include <linux/uaccess.h>
33731 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
33732 seq_printf(m, "\n");
33735 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33736 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
33739 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
33740 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
33741 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
33742 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
33743 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
33744 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
33746 + seq_printf(m, "PaX:\t-----\n");
33750 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
33751 struct pid *pid, struct task_struct *task)
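Review bot: task_pax re-reads `p->mm` for every flag, and nothing visible in the hunk takes a reference on the mm or holds task_lock. A task that exits while its status file is being read can therefore clear `p->mm` between the test (on a line not shown here, presumably `if (p->mm)`) and the dereferences. Taking the mm once with get_task_mm() and releasing it with mmput() gives a stable pointer and still prints the `-----` line for tasks without an mm. A one-line comment on what the five letters stand for would also help readers of the status file.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	/* hold a reference so the mm cannot go away while the flags are read */
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}

	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```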
33753 @@ -357,9 +373,24 @@ int proc_pid_status(struct seq_file *m,
33754 task_show_regs(m, task);
33756 task_context_switch_counts(m, task);
33758 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33759 + task_pax(m, task);
33762 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
33763 + task_grsec_rbac(m, task);
33769 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33770 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33771 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33772 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33775 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
33776 struct pid *pid, struct task_struct *task, int whole)
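Review bot: `PAX_RAND_FLAGS` is defined here and again, character for character, in fs/proc/base.c and fs/proc/task_mmu.c, and its argument is used unparenthesised and evaluated up to four times. One definition in a header that all three files share (fs/proc/internal.h looks like a candidate, to be confirmed), written as a function, would remove the copies and the multiple-evaluation hazard: `static inline bool pax_rand_flags(const struct mm_struct *mm)` returning `mm && mm != current->mm && (mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))`. A short comment should state what the test means, namely another task's mm that has one of these two flags set.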
33778 @@ -452,6 +483,19 @@ static int do_task_stat(struct seq_file
33779 gtime = task->gtime;
33782 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33783 + if (PAX_RAND_FLAGS(mm)) {
33789 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33795 /* scale priority and nice values from timeslices to -20..20 */
33796 /* to make it look like a "normal" Unix priority/nice value */
33797 priority = task_prio(task);
33798 @@ -492,9 +536,15 @@ static int do_task_stat(struct seq_file
33800 mm ? get_mm_rss(mm) : 0,
33802 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33803 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
33804 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
33805 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
33807 mm ? mm->start_code : 0,
33808 mm ? mm->end_code : 0,
33809 (permitted && mm) ? mm->start_stack : 0,
33813 /* The signal information here is obsolete.
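Review bot: The masked values are not explained. For a foreign mm matched by `PAX_RAND_FLAGS` the new lines report `1` for start_code and end_code but `0` for start_stack, and a consumer of the stat file cannot tell these placeholders from real data. A comment above the block, such as `/* hide the layout of another task's randomised mm; 1/1/0 are placeholders, not addresses */`, would record the intent. If the difference between 1 and 0 is deliberate, the reason belongs there too. do_task_stat starts and ends outside the hunk.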
33814 @@ -547,3 +597,10 @@ int proc_pid_statm(struct seq_file *m, s
33819 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33820 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
33822 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
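Review bot: `sprintf` has no bound of its own here, and the size of `buffer` is not visible in this hunk. The output of `"%pI4\n"` is short (at most 15 characters plus the newline), so it presumably fits, but that assumption should be written down: `/* %pI4 prints at most 15 chars + '\n'; caller supplies one page (confirm) */`. If the caller does pass a page, `scnprintf(buffer, PAGE_SIZE, "%pI4\n", &task->signal->curr_ip)` makes the bound explicit at no cost.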
33825 diff -urNp linux-2.6.36.2/fs/proc/base.c linux-2.6.36.2/fs/proc/base.c
33826 --- linux-2.6.36.2/fs/proc/base.c 2010-12-09 20:53:48.000000000 -0500
33827 +++ linux-2.6.36.2/fs/proc/base.c 2010-12-09 20:54:38.000000000 -0500
33828 @@ -104,6 +104,22 @@ struct pid_entry {
33832 +struct getdents_callback {
33833 + struct linux_dirent __user * current_dir;
33834 + struct linux_dirent __user * previous;
33835 + struct file * file;
33840 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
33841 + loff_t offset, u64 ino, unsigned int d_type)
33843 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
33844 + buf->error = -EINVAL;
33848 #define NOD(NAME, MODE, IOP, FOP, OP) { \
33850 .len = sizeof(NAME) - 1, \
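Review bot: `gr_fake_filldir` casts the opaque `__buf` to a private copy of `struct getdents_callback` and stores to `buf->error`, but a filldir callback receives whatever structure the calling readdir path allocated. fs/readdir.c in this same patch also passes `struct readdir_callback` through that interface, which has a different layout (one user pointer, then `file`, and a `result` field instead of `error`), so the store could land outside that object; whether those callers reach proc_pid_readdir is not visible here and should be confirmed. The local struct must also be kept in step by hand with the one in fs/readdir.c, which this patch changes by adding `file`. A callback that only hides an entry needs no access to the buffer, so dropping the cast and the store and keeping just `return 0;` would remove both problems. If the error code is really needed, it should be set by code that knows the buffer's actual type.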
33851 @@ -203,6 +219,9 @@ static int check_mem_permission(struct t
33852 if (task == current)
33855 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
33859 * If current is actively ptrace'ing, and would also be
33860 * permitted to freshly attach with ptrace now, permit it.
33861 @@ -250,6 +269,9 @@ static int proc_pid_cmdline(struct task_
33863 goto out_mm; /* Shh! No looking before we're done */
33865 + if (gr_acl_handle_procpidmem(task))
33868 len = mm->arg_end - mm->arg_start;
33870 if (len > PAGE_SIZE)
33871 @@ -277,12 +299,28 @@ out:
33875 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33876 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33877 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33878 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33881 static int proc_pid_auxv(struct task_struct *task, char *buffer)
33884 struct mm_struct *mm = get_task_mm(task);
33886 unsigned int nwords = 0;
33888 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33889 + /* allow if we're currently ptracing this task */
33890 + if (PAX_RAND_FLAGS(mm) &&
33891 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
33899 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
33900 @@ -296,7 +334,7 @@ static int proc_pid_auxv(struct task_str
33904 -#ifdef CONFIG_KALLSYMS
33905 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33907 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
33908 * Returns the resolved symbol. If that fails, simply return the address.
33909 @@ -318,7 +356,7 @@ static int proc_pid_wchan(struct task_st
33911 #endif /* CONFIG_KALLSYMS */
33913 -#ifdef CONFIG_STACKTRACE
33914 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33916 #define MAX_STACK_TRACE_DEPTH 64
33918 @@ -509,7 +547,7 @@ static int proc_pid_limits(struct task_s
33922 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33923 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33924 static int proc_pid_syscall(struct task_struct *task, char *buffer)
33927 @@ -928,6 +966,9 @@ static ssize_t environ_read(struct file
33931 + if (gr_acl_handle_procpidmem(task))
33934 if (!ptrace_may_access(task, PTRACE_MODE_READ))
33937 @@ -1614,7 +1655,11 @@ static struct inode *proc_pid_make_inode
33939 cred = __task_cred(task);
33940 inode->i_uid = cred->euid;
33941 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33942 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33944 inode->i_gid = cred->egid;
33948 security_task_to_inode(task, inode);
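Review bot: The `#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP` / `#else` pair that picks `CONFIG_GRKERNSEC_PROC_GID` over the task's egid is written out here and again in pid_getattr, pid_revalidate and proc_get_inode (fs/proc/inode.c), with a similar assignment in proc_pid_instantiate. A small helper would keep those sites from drifting apart, for example `static inline gid_t gr_proc_gid(gid_t dflt)` returning the configured gid when the option is set and `dflt` otherwise, so this line becomes `inode->i_gid = gr_proc_gid(cred->egid);`. The same applies to the directory-mode literals `S_IFDIR|S_IRUSR|S_IXUSR` and `S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP`, which are repeated in pid_getattr, pid_revalidate and proc_pid_instantiate and would read better as named constants.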
33949 @@ -1632,6 +1677,9 @@ static int pid_getattr(struct vfsmount *
33950 struct inode *inode = dentry->d_inode;
33951 struct task_struct *task;
33952 const struct cred *cred;
33953 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33954 + const struct cred *tmpcred = current_cred();
33957 generic_fillattr(inode, stat);
33959 @@ -1639,12 +1687,34 @@ static int pid_getattr(struct vfsmount *
33962 task = pid_task(proc_pid(inode), PIDTYPE_PID);
33964 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
33965 + rcu_read_unlock();
33970 + cred = __task_cred(task);
33971 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33972 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
33973 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33974 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33978 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33979 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33980 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33981 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33982 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33984 task_dumpable(task)) {
33985 - cred = __task_cred(task);
33986 stat->uid = cred->euid;
33987 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33988 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
33990 stat->gid = cred->egid;
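Review bot: The visibility test compares the real uid (`tmpcred->uid == cred->uid`) while the result a few lines later reports `cred->euid`. proc_pid_readdir uses the same real-uid comparison, but get_proc_task_net in fs/proc/proc_net.c tests `cred->fsuid`. Which credential decides who may see a task should be stated once, in a comment such as `/* visibility is decided by real uid, not euid/fsuid, because ... */` with the reason filled in, or in a single helper used by all three sites. As written, a process whose uid, euid and fsuid differ gets different answers depending on which /proc path it takes. pid_getattr starts and ends outside the hunk, and the `if (task)` test guarding `__task_cred(task)` is on a line not shown.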
33995 @@ -1676,11 +1746,20 @@ static int pid_revalidate(struct dentry
33998 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33999 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34000 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
34001 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34002 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
34004 task_dumpable(task)) {
34006 cred = __task_cred(task);
34007 inode->i_uid = cred->euid;
34008 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34009 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
34011 inode->i_gid = cred->egid;
34016 @@ -1801,7 +1880,8 @@ static int proc_fd_info(struct inode *in
34017 int fd = proc_fd(inode);
34020 - files = get_files_struct(task);
34021 + if (!gr_acl_handle_procpidmem(task))
34022 + files = get_files_struct(task);
34023 put_task_struct(task);
34026 @@ -2053,12 +2133,22 @@ static const struct file_operations proc
34027 static int proc_fd_permission(struct inode *inode, int mask)
34030 + struct task_struct *task;
34032 rv = generic_permission(inode, mask, NULL);
34036 if (task_pid(current) == proc_pid(inode))
34039 + task = get_proc_task(inode);
34040 + if (task == NULL)
34043 + if (gr_acl_handle_procpidmem(task))
34046 + put_task_struct(task);
34051 @@ -2167,6 +2257,9 @@ static struct dentry *proc_pident_lookup
34055 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
34059 * Yes, it does not scale. And it should not. Don't add
34060 * new entries into /proc/<tgid>/ without very good reasons.
34061 @@ -2211,6 +2304,9 @@ static int proc_pident_readdir(struct fi
34065 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
34071 @@ -2480,7 +2576,7 @@ static void *proc_self_follow_link(struc
34072 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
34075 - char *s = nd_get_link(nd);
34076 + const char *s = nd_get_link(nd);
34080 @@ -2680,7 +2776,7 @@ static const struct pid_entry tgid_base_
34081 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
34083 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
34084 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
34085 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
34086 INF("syscall", S_IRUSR, proc_pid_syscall),
34088 INF("cmdline", S_IRUGO, proc_pid_cmdline),
34089 @@ -2705,10 +2801,10 @@ static const struct pid_entry tgid_base_
34090 #ifdef CONFIG_SECURITY
34091 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
34093 -#ifdef CONFIG_KALLSYMS
34094 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34095 INF("wchan", S_IRUGO, proc_pid_wchan),
34097 -#ifdef CONFIG_STACKTRACE
34098 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34099 ONE("stack", S_IRUSR, proc_pid_stack),
34101 #ifdef CONFIG_SCHEDSTATS
34102 @@ -2739,6 +2835,9 @@ static const struct pid_entry tgid_base_
34103 INF("io", S_IRUGO, proc_tgid_io_accounting),
34105 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
34106 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
34107 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
34111 static int proc_tgid_base_readdir(struct file * filp,
34112 @@ -2863,7 +2962,14 @@ static struct dentry *proc_pid_instantia
34116 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34117 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
34118 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34119 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
34120 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
34122 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
34124 inode->i_op = &proc_tgid_base_inode_operations;
34125 inode->i_fop = &proc_tgid_base_operations;
34126 inode->i_flags|=S_IMMUTABLE;
34127 @@ -2905,7 +3011,11 @@ struct dentry *proc_pid_lookup(struct in
34131 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
34132 + goto out_put_task;
34134 result = proc_pid_instantiate(dir, dentry, task, NULL);
34136 put_task_struct(task);
34139 @@ -2970,6 +3080,11 @@ int proc_pid_readdir(struct file * filp,
34141 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
34142 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
34143 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34144 + const struct cred *tmpcred = current_cred();
34145 + const struct cred *itercred;
34147 + filldir_t __filldir = filldir;
34148 struct tgid_iter iter;
34149 struct pid_namespace *ns;
34151 @@ -2988,8 +3103,27 @@ int proc_pid_readdir(struct file * filp,
34152 for (iter = next_tgid(ns, iter);
34154 iter.tgid += 1, iter = next_tgid(ns, iter)) {
34155 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34157 + itercred = __task_cred(iter.task);
34159 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
34160 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34161 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
34162 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34163 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
34168 + __filldir = &gr_fake_filldir;
34170 + __filldir = filldir;
34171 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34172 + rcu_read_unlock();
34174 filp->f_pos = iter.tgid + TGID_OFFSET;
34175 if (!vx_proc_task_visible(iter.task))
34177 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
34178 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
34179 put_task_struct(iter.task);
34180 @@ -3016,7 +3150,7 @@ static const struct pid_entry tid_base_s
34181 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
34183 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
34184 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
34185 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
34186 INF("syscall", S_IRUSR, proc_pid_syscall),
34188 INF("cmdline", S_IRUGO, proc_pid_cmdline),
34189 @@ -3040,10 +3174,10 @@ static const struct pid_entry tid_base_s
34190 #ifdef CONFIG_SECURITY
34191 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
34193 -#ifdef CONFIG_KALLSYMS
34194 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34195 INF("wchan", S_IRUGO, proc_pid_wchan),
34197 -#ifdef CONFIG_STACKTRACE
34198 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34199 ONE("stack", S_IRUSR, proc_pid_stack),
34201 #ifdef CONFIG_SCHEDSTATS
34202 diff -urNp linux-2.6.36.2/fs/proc/cmdline.c linux-2.6.36.2/fs/proc/cmdline.c
34203 --- linux-2.6.36.2/fs/proc/cmdline.c 2010-10-20 16:30:22.000000000 -0400
34204 +++ linux-2.6.36.2/fs/proc/cmdline.c 2010-12-09 20:24:41.000000000 -0500
34205 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
34207 static int __init proc_cmdline_init(void)
34209 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
34210 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
34212 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
34216 module_init(proc_cmdline_init);
34217 diff -urNp linux-2.6.36.2/fs/proc/devices.c linux-2.6.36.2/fs/proc/devices.c
34218 --- linux-2.6.36.2/fs/proc/devices.c 2010-10-20 16:30:22.000000000 -0400
34219 +++ linux-2.6.36.2/fs/proc/devices.c 2010-12-09 20:24:41.000000000 -0500
34220 @@ -64,7 +64,11 @@ static const struct file_operations proc
34222 static int __init proc_devices_init(void)
34224 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
34225 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
34227 proc_create("devices", 0, NULL, &proc_devinfo_operations);
34231 module_init(proc_devices_init);
34232 diff -urNp linux-2.6.36.2/fs/proc/inode.c linux-2.6.36.2/fs/proc/inode.c
34233 --- linux-2.6.36.2/fs/proc/inode.c 2010-10-20 16:30:22.000000000 -0400
34234 +++ linux-2.6.36.2/fs/proc/inode.c 2010-12-09 20:24:41.000000000 -0500
34235 @@ -426,7 +426,11 @@ struct inode *proc_get_inode(struct supe
34237 inode->i_mode = de->mode;
34238 inode->i_uid = de->uid;
34239 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34240 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
34242 inode->i_gid = de->gid;
34246 inode->i_size = de->size;
34247 diff -urNp linux-2.6.36.2/fs/proc/internal.h linux-2.6.36.2/fs/proc/internal.h
34248 --- linux-2.6.36.2/fs/proc/internal.h 2010-10-20 16:30:22.000000000 -0400
34249 +++ linux-2.6.36.2/fs/proc/internal.h 2010-12-09 20:24:41.000000000 -0500
34250 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
34251 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
34252 struct pid *pid, struct task_struct *task);
34254 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
34255 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
34257 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
34259 extern const struct file_operations proc_maps_operations;
34260 diff -urNp linux-2.6.36.2/fs/proc/Kconfig linux-2.6.36.2/fs/proc/Kconfig
34261 --- linux-2.6.36.2/fs/proc/Kconfig 2010-10-20 16:30:22.000000000 -0400
34262 +++ linux-2.6.36.2/fs/proc/Kconfig 2010-12-09 20:24:41.000000000 -0500
34263 @@ -30,12 +30,12 @@ config PROC_FS
34266 bool "/proc/kcore support" if !ARM
34267 - depends on PROC_FS && MMU
34268 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
34271 bool "/proc/vmcore support (EXPERIMENTAL)"
34272 - depends on PROC_FS && CRASH_DUMP
34274 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
34277 Exports the dump image of crashed kernel in ELF format.
34279 @@ -59,8 +59,8 @@ config PROC_SYSCTL
34282 config PROC_PAGE_MONITOR
34284 - depends on PROC_FS && MMU
34286 + depends on PROC_FS && MMU && !GRKERNSEC
34287 bool "Enable /proc page monitoring" if EMBEDDED
34289 Various /proc files exist to monitor process memory utilization:
34290 diff -urNp linux-2.6.36.2/fs/proc/kcore.c linux-2.6.36.2/fs/proc/kcore.c
34291 --- linux-2.6.36.2/fs/proc/kcore.c 2010-10-20 16:30:22.000000000 -0400
34292 +++ linux-2.6.36.2/fs/proc/kcore.c 2010-12-09 20:24:41.000000000 -0500
34293 @@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
34294 * the addresses in the elf_phdr on our list.
34296 start = kc_offset_to_vaddr(*fpos - elf_buflen);
34297 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
34298 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
34299 + if (tsz > buflen)
34304 struct kcore_list *m;
34306 @@ -509,20 +510,18 @@ read_kcore(struct file *file, char __use
34309 if (kern_addr_valid(start)) {
34313 - n = copy_to_user(buffer, (char *)start, tsz);
34315 - * We cannot distingush between fault on source
34316 - * and fault on destination. When this happens
34317 - * we clear too and hope it will trigger the
34321 - if (clear_user(buffer + tsz - n,
34323 + elf_buf = kmalloc(tsz, GFP_KERNEL);
34326 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
34327 + if (copy_to_user(buffer, elf_buf, tsz)) {
34334 if (clear_user(buffer, tsz))
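Review bot: The removed comment explained that a fault on the source could not be told apart from a fault on the destination, and the new bounce-buffer code has no comment in the visible lines saying why it exists. Something like `/* copy the kernel page into a bounce buffer first so a fault on the source is distinguishable from a fault on the user buffer */` above the `kmalloc` would keep that knowledge. The `(const void __user *)start` cast is applied to a kernel virtual address and silences the address-space annotation, so a note on what makes that access valid is needed as well; the surrounding lines are not shown here. Since `tsz` appears bounded by PAGE_SIZE, allocating the buffer once before the loop would avoid a kmalloc per page, if the loop structure outside this hunk allows it.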
34336 @@ -542,6 +541,9 @@ read_kcore(struct file *file, char __use
34338 static int open_kcore(struct inode *inode, struct file *filp)
34340 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
34343 if (!capable(CAP_SYS_RAWIO))
34345 if (kcore_need_update)
34346 diff -urNp linux-2.6.36.2/fs/proc/meminfo.c linux-2.6.36.2/fs/proc/meminfo.c
34347 --- linux-2.6.36.2/fs/proc/meminfo.c 2010-10-20 16:30:22.000000000 -0400
34348 +++ linux-2.6.36.2/fs/proc/meminfo.c 2010-12-09 20:24:41.000000000 -0500
34349 @@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
34351 vmi.largest_chunk >> 10
34352 #ifdef CONFIG_MEMORY_FAILURE
34353 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
34354 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
34358 diff -urNp linux-2.6.36.2/fs/proc/nommu.c linux-2.6.36.2/fs/proc/nommu.c
34359 --- linux-2.6.36.2/fs/proc/nommu.c 2010-10-20 16:30:22.000000000 -0400
34360 +++ linux-2.6.36.2/fs/proc/nommu.c 2010-12-09 20:24:41.000000000 -0500
34361 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
34364 seq_printf(m, "%*c", len, ' ');
34365 - seq_path(m, &file->f_path, "");
34366 + seq_path(m, &file->f_path, "\n\\");
34370 diff -urNp linux-2.6.36.2/fs/proc/proc_net.c linux-2.6.36.2/fs/proc/proc_net.c
34371 --- linux-2.6.36.2/fs/proc/proc_net.c 2010-10-20 16:30:22.000000000 -0400
34372 +++ linux-2.6.36.2/fs/proc/proc_net.c 2010-12-09 20:24:41.000000000 -0500
34373 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
34374 struct task_struct *task;
34375 struct nsproxy *ns;
34376 struct net *net = NULL;
34377 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34378 + const struct cred *cred = current_cred();
34381 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34384 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34385 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
34390 task = pid_task(proc_pid(dir), PIDTYPE_PID);
34391 diff -urNp linux-2.6.36.2/fs/proc/proc_sysctl.c linux-2.6.36.2/fs/proc/proc_sysctl.c
34392 --- linux-2.6.36.2/fs/proc/proc_sysctl.c 2010-10-20 16:30:22.000000000 -0400
34393 +++ linux-2.6.36.2/fs/proc/proc_sysctl.c 2010-12-09 20:24:41.000000000 -0500
34395 #include <linux/security.h>
34396 #include "internal.h"
34398 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
34400 static const struct dentry_operations proc_sys_dentry_operations;
34401 static const struct file_operations proc_sys_file_operations;
34402 static const struct inode_operations proc_sys_inode_operations;
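Review bot: `gr_handle_sysctl` is declared with a local `extern` in this .c file instead of coming from a header, so the compiler cannot check the prototype against the definition. fs/proc/array.c in the same patch includes `<linux/grsecurity.h>`, which looks like the natural home (confirm that it can declare the function). The call sites further down also differ in what they pass as `op`: proc_sys_lookup and proc_sys_getattr pass `MAY_EXEC`, while scan passes a bare `0`. A short comment at that call should say what op 0 selects.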
34403 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
34407 + if (gr_handle_sysctl(p, MAY_EXEC))
34410 err = ERR_PTR(-ENOMEM);
34411 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
34413 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
34414 if (*pos < file->f_pos)
34417 + if (gr_handle_sysctl(table, 0))
34420 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
34423 @@ -353,6 +361,9 @@ static int proc_sys_getattr(struct vfsmo
34425 return PTR_ERR(head);
34427 + if (table && gr_handle_sysctl(table, MAY_EXEC))
34430 generic_fillattr(inode, stat);
34432 stat->mode = (stat->mode & S_IFMT) | table->mode;
34433 diff -urNp linux-2.6.36.2/fs/proc/root.c linux-2.6.36.2/fs/proc/root.c
34434 --- linux-2.6.36.2/fs/proc/root.c 2010-10-20 16:30:22.000000000 -0400
34435 +++ linux-2.6.36.2/fs/proc/root.c 2010-12-09 20:24:41.000000000 -0500
34436 @@ -133,7 +133,15 @@ void __init proc_root_init(void)
34437 #ifdef CONFIG_PROC_DEVICETREE
34438 proc_device_tree_init();
34440 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
34441 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34442 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
34443 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34444 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
34447 proc_mkdir("bus", NULL);
34452 diff -urNp linux-2.6.36.2/fs/proc/task_mmu.c linux-2.6.36.2/fs/proc/task_mmu.c
34453 --- linux-2.6.36.2/fs/proc/task_mmu.c 2010-10-20 16:30:22.000000000 -0400
34454 +++ linux-2.6.36.2/fs/proc/task_mmu.c 2010-12-09 20:24:41.000000000 -0500
34455 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
34456 "VmExe:\t%8lu kB\n"
34457 "VmLib:\t%8lu kB\n"
34458 "VmPTE:\t%8lu kB\n"
34459 - "VmSwap:\t%8lu kB\n",
34460 - hiwater_vm << (PAGE_SHIFT-10),
34461 + "VmSwap:\t%8lu kB\n"
34463 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
34464 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
34467 + ,hiwater_vm << (PAGE_SHIFT-10),
34468 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
34469 mm->locked_vm << (PAGE_SHIFT-10),
34470 hiwater_rss << (PAGE_SHIFT-10),
34471 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
34472 data << (PAGE_SHIFT-10),
34473 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
34474 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
34475 - swap << (PAGE_SHIFT-10));
34476 + swap << (PAGE_SHIFT-10)
34478 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
34479 + , mm->context.user_cs_base, mm->context.user_cs_limit
34485 unsigned long task_vsize(struct mm_struct *mm)
34486 @@ -203,6 +214,12 @@ static int do_maps_open(struct inode *in
34490 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34491 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
34492 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
34493 + _mm->pax_flags & MF_PAX_SEGMEXEC))
34496 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
34498 struct mm_struct *mm = vma->vm_mm;
34499 @@ -210,7 +227,6 @@ static void show_map_vma(struct seq_file
34500 int flags = vma->vm_flags;
34501 unsigned long ino = 0;
34502 unsigned long long pgoff = 0;
34503 - unsigned long start;
34507 @@ -221,20 +237,24 @@ static void show_map_vma(struct seq_file
34508 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
34511 - /* We don't show the stack guard page in /proc/maps */
34512 - start = vma->vm_start;
34513 - if (vma->vm_flags & VM_GROWSDOWN)
34514 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
34515 - start += PAGE_SIZE;
34517 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
34519 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34520 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
34521 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
34526 flags & VM_READ ? 'r' : '-',
34527 flags & VM_WRITE ? 'w' : '-',
34528 flags & VM_EXEC ? 'x' : '-',
34529 flags & VM_MAYSHARE ? 's' : 'p',
34530 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34531 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
34535 MAJOR(dev), MINOR(dev), ino, &len);
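Review bot: Besides masking the addresses, this hunk deletes the block that skipped the stack guard page (`start += PAGE_SIZE` for VM_GROWSDOWN mappings), so as far as the visible lines show the printed range starts at `vma->vm_start` again in both configurations. If that is intended, it needs a comment here, for example `/* guard page is no longer hidden because ... */` with the reason filled in, since the removed comment documented user-visible behaviour of the maps file. `PAX_RAND_FLAGS(mm)` is also evaluated once per masked argument; computing it once into a local before the seq_printf would make the three uses obviously consistent. show_map_vma starts and ends outside the hunk.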
34538 @@ -243,16 +263,16 @@ static void show_map_vma(struct seq_file
34541 pad_len_spaces(m, len);
34542 - seq_path(m, &file->f_path, "\n");
34543 + seq_path(m, &file->f_path, "\n\\");
34545 const char *name = arch_vma_name(vma);
34548 - if (vma->vm_start <= mm->start_brk &&
34549 - vma->vm_end >= mm->brk) {
34550 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
34552 - } else if (vma->vm_start <= mm->start_stack &&
34553 - vma->vm_end >= mm->start_stack) {
34554 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
34555 + (vma->vm_start <= mm->start_stack &&
34556 + vma->vm_end >= mm->start_stack)) {
34560 @@ -394,11 +414,16 @@ static int show_smap(struct seq_file *m,
34563 memset(&mss, 0, sizeof mss);
34565 - /* mmap_sem is held in m_start */
34566 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
34567 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
34569 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34570 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
34573 + /* mmap_sem is held in m_start */
34574 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
34575 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
34576 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34579 show_map_vma(m, vma);
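Review bot: The opening `if (!PAX_RAND_FLAGS(vma->vm_mm)) {` and its closing brace sit in two separate `#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP` blocks, which is easy to break when either half is edited. Giving the macro a fallback, `#else` / `#define PAX_RAND_FLAGS(_mm) 0`, would let this be a plain `if` with both braces in ordinary code. The same fallback would remove the `#ifdef`/`#else` pairs around the seq_printf arguments in show_map_vma and do_task_stat. show_smap starts and ends outside the hunk.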
34582 @@ -413,7 +438,11 @@ static int show_smap(struct seq_file *m,
34584 "KernelPageSize: %8lu kB\n"
34585 "MMUPageSize: %8lu kB\n",
34586 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34587 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
34589 (vma->vm_end - vma->vm_start) >> 10,
34591 mss.resident >> 10,
34592 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
34593 mss.shared_clean >> 10,
34594 diff -urNp linux-2.6.36.2/fs/proc/task_nommu.c linux-2.6.36.2/fs/proc/task_nommu.c
34595 --- linux-2.6.36.2/fs/proc/task_nommu.c 2010-10-20 16:30:22.000000000 -0400
34596 +++ linux-2.6.36.2/fs/proc/task_nommu.c 2010-12-09 20:24:41.000000000 -0500
34597 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
34599 bytes += kobjsize(mm);
34601 - if (current->fs && current->fs->users > 1)
34602 + if (current->fs && atomic_read(¤t->fs->users) > 1)
34603 sbytes += kobjsize(current->fs);
34605 bytes += kobjsize(current->fs);
34606 @@ -165,7 +165,7 @@ static int nommu_vma_show(struct seq_fil
34609 pad_len_spaces(m, len);
34610 - seq_path(m, &file->f_path, "");
34611 + seq_path(m, &file->f_path, "\n\\");
34613 if (vma->vm_start <= mm->start_stack &&
34614 vma->vm_end >= mm->start_stack) {
34615 diff -urNp linux-2.6.36.2/fs/readdir.c linux-2.6.36.2/fs/readdir.c
34616 --- linux-2.6.36.2/fs/readdir.c 2010-10-20 16:30:22.000000000 -0400
34617 +++ linux-2.6.36.2/fs/readdir.c 2010-12-09 20:24:38.000000000 -0500
34619 #include <linux/security.h>
34620 #include <linux/syscalls.h>
34621 #include <linux/unistd.h>
34622 +#include <linux/namei.h>
34624 #include <asm/uaccess.h>
34626 @@ -67,6 +68,7 @@ struct old_linux_dirent {
34628 struct readdir_callback {
34629 struct old_linux_dirent __user * dirent;
34630 + struct file * file;
34634 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
34635 buf->result = -EOVERFLOW;
34639 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34643 dirent = buf->dirent;
34644 if (!access_ok(VERIFY_WRITE, dirent,
34645 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
34648 buf.dirent = dirent;
34651 error = vfs_readdir(file, fillonedir, &buf);
34653 @@ -142,6 +149,7 @@ struct linux_dirent {
34654 struct getdents_callback {
34655 struct linux_dirent __user * current_dir;
34656 struct linux_dirent __user * previous;
34657 + struct file * file;
34661 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
34662 buf->error = -EOVERFLOW;
34666 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34669 dirent = buf->previous;
34671 if (__put_user(offset, &dirent->d_off))
34672 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
34673 buf.previous = NULL;
34678 error = vfs_readdir(file, filldir, &buf);
34680 @@ -229,6 +242,7 @@ out:
34681 struct getdents_callback64 {
34682 struct linux_dirent64 __user * current_dir;
34683 struct linux_dirent64 __user * previous;
34684 + struct file *file;
34688 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
34689 buf->error = -EINVAL; /* only used if we fail.. */
34690 if (reclen > buf->count)
34693 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34696 dirent = buf->previous;
34698 if (__put_user(offset, &dirent->d_off))
34699 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
34701 buf.current_dir = dirent;
34702 buf.previous = NULL;
34707 diff -urNp linux-2.6.36.2/fs/reiserfs/do_balan.c linux-2.6.36.2/fs/reiserfs/do_balan.c
34708 --- linux-2.6.36.2/fs/reiserfs/do_balan.c 2010-10-20 16:30:22.000000000 -0400
34709 +++ linux-2.6.36.2/fs/reiserfs/do_balan.c 2010-12-09 20:24:38.000000000 -0500
34710 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
34714 - atomic_inc(&(fs_generation(tb->tb_sb)));
34715 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
34716 do_balance_starts(tb);
34718 /* balance leaf returns 0 except if combining L R and S into
34719 diff -urNp linux-2.6.36.2/fs/reiserfs/item_ops.c linux-2.6.36.2/fs/reiserfs/item_ops.c
34720 --- linux-2.6.36.2/fs/reiserfs/item_ops.c 2010-10-20 16:30:22.000000000 -0400
34721 +++ linux-2.6.36.2/fs/reiserfs/item_ops.c 2010-12-09 20:24:38.000000000 -0500
34722 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
34723 vi->vi_index, vi->vi_type, vi->vi_ih);
34726 -static struct item_operations stat_data_ops = {
34727 +static const struct item_operations stat_data_ops = {
34728 .bytes_number = sd_bytes_number,
34729 .decrement_key = sd_decrement_key,
34730 .is_left_mergeable = sd_is_left_mergeable,
34731 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
34732 vi->vi_index, vi->vi_type, vi->vi_ih);
34735 -static struct item_operations direct_ops = {
34736 +static const struct item_operations direct_ops = {
34737 .bytes_number = direct_bytes_number,
34738 .decrement_key = direct_decrement_key,
34739 .is_left_mergeable = direct_is_left_mergeable,
34740 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
34741 vi->vi_index, vi->vi_type, vi->vi_ih);
34744 -static struct item_operations indirect_ops = {
34745 +static const struct item_operations indirect_ops = {
34746 .bytes_number = indirect_bytes_number,
34747 .decrement_key = indirect_decrement_key,
34748 .is_left_mergeable = indirect_is_left_mergeable,
34749 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
34753 -static struct item_operations direntry_ops = {
34754 +static const struct item_operations direntry_ops = {
34755 .bytes_number = direntry_bytes_number,
34756 .decrement_key = direntry_decrement_key,
34757 .is_left_mergeable = direntry_is_left_mergeable,
34758 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
34759 "Invalid item type observed, run fsck ASAP");
34762 -static struct item_operations errcatch_ops = {
34763 +static const struct item_operations errcatch_ops = {
34764 errcatch_bytes_number,
34765 errcatch_decrement_key,
34766 errcatch_is_left_mergeable,
34767 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
34768 #error Item types must use disk-format assigned values.
34771 -struct item_operations *item_ops[TYPE_ANY + 1] = {
34772 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
34776 diff -urNp linux-2.6.36.2/fs/reiserfs/procfs.c linux-2.6.36.2/fs/reiserfs/procfs.c
34777 --- linux-2.6.36.2/fs/reiserfs/procfs.c 2010-10-20 16:30:22.000000000 -0400
34778 +++ linux-2.6.36.2/fs/reiserfs/procfs.c 2010-12-09 20:24:38.000000000 -0500
34779 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
34780 "SMALL_TAILS " : "NO_TAILS ",
34781 replay_only(sb) ? "REPLAY_ONLY " : "",
34782 convert_reiserfs(sb) ? "CONV " : "",
34783 - atomic_read(&r->s_generation_counter),
34784 + atomic_read_unchecked(&r->s_generation_counter),
34785 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
34786 SF(s_do_balance), SF(s_unneeded_left_neighbor),
34787 SF(s_good_search_by_key_reada), SF(s_bmaps),
34788 diff -urNp linux-2.6.36.2/fs/select.c linux-2.6.36.2/fs/select.c
34789 --- linux-2.6.36.2/fs/select.c 2010-10-20 16:30:22.000000000 -0400
34790 +++ linux-2.6.36.2/fs/select.c 2010-12-09 20:24:40.000000000 -0500
34792 #include <linux/module.h>
34793 #include <linux/slab.h>
34794 #include <linux/poll.h>
34795 +#include <linux/security.h>
34796 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
34797 #include <linux/file.h>
34798 #include <linux/fdtable.h>
34799 @@ -838,6 +839,7 @@ int do_sys_poll(struct pollfd __user *uf
34800 struct poll_list *walk = head;
34801 unsigned long todo = nfds;
34803 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
34804 if (nfds > rlimit(RLIMIT_NOFILE))
34807 diff -urNp linux-2.6.36.2/fs/seq_file.c linux-2.6.36.2/fs/seq_file.c
34808 --- linux-2.6.36.2/fs/seq_file.c 2010-10-20 16:30:22.000000000 -0400
34809 +++ linux-2.6.36.2/fs/seq_file.c 2010-12-09 20:24:41.000000000 -0500
34810 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
34814 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34815 + m->size = PAGE_SIZE;
34816 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34820 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
34824 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34826 + m->buf = kmalloc(m->size, GFP_KERNEL);
34827 return !m->buf ? -ENOMEM : -EAGAIN;
34830 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
34831 m->version = file->f_version;
34832 /* grab buffer if we didn't have one */
34834 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34835 + m->size = PAGE_SIZE;
34836 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34840 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
34844 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34846 + m->buf = kmalloc(m->size, GFP_KERNEL);
34850 diff -urNp linux-2.6.36.2/fs/smbfs/symlink.c linux-2.6.36.2/fs/smbfs/symlink.c
34851 --- linux-2.6.36.2/fs/smbfs/symlink.c 2010-10-20 16:30:22.000000000 -0400
34852 +++ linux-2.6.36.2/fs/smbfs/symlink.c 2010-12-09 20:24:40.000000000 -0500
34853 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
34855 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
34857 - char *s = nd_get_link(nd);
34858 + const char *s = nd_get_link(nd);
34862 diff -urNp linux-2.6.36.2/fs/splice.c linux-2.6.36.2/fs/splice.c
34863 --- linux-2.6.36.2/fs/splice.c 2010-12-09 20:53:48.000000000 -0500
34864 +++ linux-2.6.36.2/fs/splice.c 2010-12-09 20:54:38.000000000 -0500
34865 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
34869 - if (!pipe->readers) {
34870 + if (!atomic_read(&pipe->readers)) {
34871 send_sig(SIGPIPE, current, 0);
34874 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
34878 - pipe->waiting_writers++;
34879 + atomic_inc(&pipe->waiting_writers);
34881 - pipe->waiting_writers--;
34882 + atomic_dec(&pipe->waiting_writers);
34886 @@ -556,7 +556,7 @@ static ssize_t kernel_readv(struct file
34889 /* The cast to a user pointer is valid due to the set_fs() */
34890 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
34891 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
34895 @@ -571,7 +571,7 @@ static ssize_t kernel_write(struct file
34898 /* The cast to a user pointer is valid due to the set_fs() */
34899 - res = vfs_write(file, (const char __user *)buf, count, &pos);
34900 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
34904 @@ -622,7 +622,7 @@ ssize_t default_file_splice_read(struct
34907 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
34908 - vec[i].iov_base = (void __user *) page_address(page);
34909 + vec[i].iov_base = (__force void __user *) page_address(page);
34910 vec[i].iov_len = this_len;
34911 spd.pages[i] = page;
34913 @@ -849,10 +849,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
34914 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
34916 while (!pipe->nrbufs) {
34917 - if (!pipe->writers)
34918 + if (!atomic_read(&pipe->writers))
34921 - if (!pipe->waiting_writers && sd->num_spliced)
34922 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
34925 if (sd->flags & SPLICE_F_NONBLOCK)
34926 @@ -1189,7 +1189,7 @@ ssize_t splice_direct_to_actor(struct fi
34927 * out of the pipe right after the splice_to_pipe(). So set
34928 * PIPE_READERS appropriately.
34930 - pipe->readers = 1;
34931 + atomic_set(&pipe->readers, 1);
34933 current->splice_pipe = pipe;
34935 @@ -1745,9 +1745,9 @@ static int ipipe_prep(struct pipe_inode_
34936 ret = -ERESTARTSYS;
34939 - if (!pipe->writers)
34940 + if (!atomic_read(&pipe->writers))
34942 - if (!pipe->waiting_writers) {
34943 + if (!atomic_read(&pipe->waiting_writers)) {
34944 if (flags & SPLICE_F_NONBLOCK) {
34947 @@ -1779,7 +1779,7 @@ static int opipe_prep(struct pipe_inode_
34950 while (pipe->nrbufs >= pipe->buffers) {
34951 - if (!pipe->readers) {
34952 + if (!atomic_read(&pipe->readers)) {
34953 send_sig(SIGPIPE, current, 0);
34956 @@ -1792,9 +1792,9 @@ static int opipe_prep(struct pipe_inode_
34957 ret = -ERESTARTSYS;
34960 - pipe->waiting_writers++;
34961 + atomic_inc(&pipe->waiting_writers);
34963 - pipe->waiting_writers--;
34964 + atomic_dec(&pipe->waiting_writers);
34968 @@ -1830,14 +1830,14 @@ retry:
34969 pipe_double_lock(ipipe, opipe);
34972 - if (!opipe->readers) {
34973 + if (!atomic_read(&opipe->readers)) {
34974 send_sig(SIGPIPE, current, 0);
34980 - if (!ipipe->nrbufs && !ipipe->writers)
34981 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
34985 @@ -1937,7 +1937,7 @@ static int link_pipe(struct pipe_inode_i
34986 pipe_double_lock(ipipe, opipe);
34989 - if (!opipe->readers) {
34990 + if (!atomic_read(&opipe->readers)) {
34991 send_sig(SIGPIPE, current, 0);
34994 @@ -1982,7 +1982,7 @@ static int link_pipe(struct pipe_inode_i
34995 * return EAGAIN if we have the potential of some data in the
34996 * future, otherwise just return 0
34998 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
34999 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
35002 pipe_unlock(ipipe);
35003 diff -urNp linux-2.6.36.2/fs/sysfs/symlink.c linux-2.6.36.2/fs/sysfs/symlink.c
35004 --- linux-2.6.36.2/fs/sysfs/symlink.c 2010-10-20 16:30:22.000000000 -0400
35005 +++ linux-2.6.36.2/fs/sysfs/symlink.c 2010-12-09 20:24:41.000000000 -0500
35006 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
35008 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
35010 - char *page = nd_get_link(nd);
35011 + const char *page = nd_get_link(nd);
35013 free_page((unsigned long)page);
35015 diff -urNp linux-2.6.36.2/fs/udf/misc.c linux-2.6.36.2/fs/udf/misc.c
35016 --- linux-2.6.36.2/fs/udf/misc.c 2010-10-20 16:30:22.000000000 -0400
35017 +++ linux-2.6.36.2/fs/udf/misc.c 2010-12-09 20:24:38.000000000 -0500
35018 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
35019 iinfo->i_lenEAttr += size;
35020 return (struct genericFormat *)&ea[offset];
35024 + if (loc & 0x02) {
35029 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
35031 u8 udf_tag_checksum(const struct tag *t)
35033 - u8 *data = (u8 *)t;
35034 + const u8 *data = (const u8 *)t;
35037 for (i = 0; i < sizeof(struct tag); ++i)
35038 diff -urNp linux-2.6.36.2/fs/udf/udfdecl.h linux-2.6.36.2/fs/udf/udfdecl.h
35039 --- linux-2.6.36.2/fs/udf/udfdecl.h 2010-10-20 16:30:22.000000000 -0400
35040 +++ linux-2.6.36.2/fs/udf/udfdecl.h 2010-12-09 20:24:38.000000000 -0500
35041 @@ -26,7 +26,7 @@ do { \
35045 -#define udf_debug(f, a...) /**/
35046 +#define udf_debug(f, a...) do {} while (0)
35049 #define udf_info(f, a...) \
35050 diff -urNp linux-2.6.36.2/fs/utimes.c linux-2.6.36.2/fs/utimes.c
35051 --- linux-2.6.36.2/fs/utimes.c 2010-10-20 16:30:22.000000000 -0400
35052 +++ linux-2.6.36.2/fs/utimes.c 2010-12-09 20:24:38.000000000 -0500
35054 #include <linux/compiler.h>
35055 #include <linux/file.h>
35056 #include <linux/fs.h>
35057 +#include <linux/security.h>
35058 #include <linux/linkage.h>
35059 #include <linux/mount.h>
35060 #include <linux/namei.h>
35061 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
35062 goto mnt_drop_write_and_out;
35066 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
35068 + goto mnt_drop_write_and_out;
35071 mutex_lock(&inode->i_mutex);
35072 error = notify_change(path->dentry, &newattrs);
35073 mutex_unlock(&inode->i_mutex);
35074 diff -urNp linux-2.6.36.2/fs/xattr_acl.c linux-2.6.36.2/fs/xattr_acl.c
35075 --- linux-2.6.36.2/fs/xattr_acl.c 2010-10-20 16:30:22.000000000 -0400
35076 +++ linux-2.6.36.2/fs/xattr_acl.c 2010-12-09 20:24:41.000000000 -0500
35079 posix_acl_from_xattr(const void *value, size_t size)
35081 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
35082 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
35083 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
35084 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
35086 struct posix_acl *acl;
35087 struct posix_acl_entry *acl_e;
35088 diff -urNp linux-2.6.36.2/fs/xattr.c linux-2.6.36.2/fs/xattr.c
35089 --- linux-2.6.36.2/fs/xattr.c 2010-10-20 16:30:22.000000000 -0400
35090 +++ linux-2.6.36.2/fs/xattr.c 2010-12-09 20:24:38.000000000 -0500
35091 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
35092 * Extended attribute SET operations
35095 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
35096 +setxattr(struct path *path, const char __user *name, const void __user *value,
35097 size_t size, int flags)
35100 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
35101 return PTR_ERR(kvalue);
35104 - error = vfs_setxattr(d, kname, kvalue, size, flags);
35105 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
35110 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
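Review bot: The `gr_acl_handle_setxattr()` gate added before `vfs_setxattr()` covers only the set path; none of this file's hunks touches removal, although the first hunk's context shows `vfs_removexattr` exported just above. Unless removal is mediated somewhere else in the patch, a subject that is denied setting an attribute could still delete one, so an equivalent check before the remove call is worth adding. The body of the denial branch is not shown in this view; it has to reach the same `kfree(kvalue)` as the success path, because `kvalue` is allocated before the check. setxattr() starts and ends outside this hunk.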
35115 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
35117 error = mnt_want_write(path.mnt);
35119 - error = setxattr(path.dentry, name, value, size, flags);
35120 + error = setxattr(&path, name, value, size, flags);
35121 mnt_drop_write(path.mnt);
35124 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
35126 error = mnt_want_write(path.mnt);
35128 - error = setxattr(path.dentry, name, value, size, flags);
35129 + error = setxattr(&path, name, value, size, flags);
35130 mnt_drop_write(path.mnt);
35133 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
35134 const void __user *,value, size_t, size, int, flags)
35137 - struct dentry *dentry;
35138 int error = -EBADF;
35143 - dentry = f->f_path.dentry;
35144 - audit_inode(NULL, dentry);
35145 + audit_inode(NULL, f->f_path.dentry);
35146 error = mnt_want_write_file(f);
35148 - error = setxattr(dentry, name, value, size, flags);
35149 + error = setxattr(&f->f_path, name, value, size, flags);
35150 mnt_drop_write(f->f_path.mnt);
35153 diff -urNp linux-2.6.36.2/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.36.2/fs/xfs/linux-2.6/xfs_ioctl.c
35154 --- linux-2.6.36.2/fs/xfs/linux-2.6/xfs_ioctl.c 2010-10-20 16:30:22.000000000 -0400
35155 +++ linux-2.6.36.2/fs/xfs/linux-2.6/xfs_ioctl.c 2010-12-09 20:24:39.000000000 -0500
35156 @@ -127,7 +127,7 @@ xfs_find_handle(
35160 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
35161 + if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) ||
35162 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
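Review bot: The added `hsize > sizeof(handle)` bound is folded into the same condition as the two `copy_to_user()` calls, so an oversized length is reported through whatever error the copy-failure branch sets (that branch is outside the visible lines). A separate `if (hsize > sizeof(handle))` ahead of the copies would read more clearly and can carry its own error code. It would also give room for a comment such as `/* never copy out more than handle holds */`. xfs_find_handle's body continues outside the hunk.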
35165 @@ -416,7 +416,7 @@ xfs_attrlist_by_handle(
35166 if (IS_ERR(dentry))
35167 return PTR_ERR(dentry);
35169 - kbuf = kmalloc(al_hreq.buflen, GFP_KERNEL);
35170 + kbuf = kzalloc(al_hreq.buflen, GFP_KERNEL);
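Review bot: The switch to `kzalloc()` deserves a one-line comment, because nothing at the call site says why zeroing matters. `al_hreq.buflen` comes from the request structure; if the buffer is later copied back to the caller in full (that copy is outside the hunk), any bytes the attribute listing did not fill would otherwise be uninitialised heap. Suggested: `/* zeroed so unfilled tail bytes cannot disclose heap contents */`. xfs_attrlist_by_handle's body continues outside the hunk.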
35174 diff -urNp linux-2.6.36.2/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.36.2/fs/xfs/linux-2.6/xfs_iops.c
35175 --- linux-2.6.36.2/fs/xfs/linux-2.6/xfs_iops.c 2010-10-20 16:30:22.000000000 -0400
35176 +++ linux-2.6.36.2/fs/xfs/linux-2.6/xfs_iops.c 2010-12-09 20:24:39.000000000 -0500
35177 @@ -472,7 +472,7 @@ xfs_vn_put_link(
35178 struct nameidata *nd,
35181 - char *s = nd_get_link(nd);
35182 + const char *s = nd_get_link(nd);
35186 diff -urNp linux-2.6.36.2/fs/xfs/xfs_bmap.c linux-2.6.36.2/fs/xfs/xfs_bmap.c
35187 --- linux-2.6.36.2/fs/xfs/xfs_bmap.c 2010-10-20 16:30:22.000000000 -0400
35188 +++ linux-2.6.36.2/fs/xfs/xfs_bmap.c 2010-12-09 20:24:39.000000000 -0500
35189 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
35193 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
35194 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
35198 diff -urNp linux-2.6.36.2/grsecurity/gracl_alloc.c linux-2.6.36.2/grsecurity/gracl_alloc.c
35199 --- linux-2.6.36.2/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
35200 +++ linux-2.6.36.2/grsecurity/gracl_alloc.c 2010-12-09 20:24:32.000000000 -0500
35202 +#include <linux/kernel.h>
35203 +#include <linux/mm.h>
35204 +#include <linux/slab.h>
35205 +#include <linux/vmalloc.h>
35206 +#include <linux/gracl.h>
35207 +#include <linux/grsecurity.h>
35209 +static unsigned long alloc_stack_next = 1;
35210 +static unsigned long alloc_stack_size = 1;
35211 +static void **alloc_stack;
35213 +static __inline__ int
35216 + if (alloc_stack_next == 1)
35219 + kfree(alloc_stack[alloc_stack_next - 2]);
35221 + alloc_stack_next--;
35226 +static __inline__ int
35227 +alloc_push(void *buf)
35229 + if (alloc_stack_next >= alloc_stack_size)
35232 + alloc_stack[alloc_stack_next - 1] = buf;
35234 + alloc_stack_next++;
35240 +acl_alloc(unsigned long len)
35242 + void *ret = NULL;
35244 + if (!len || len > PAGE_SIZE)
35247 + ret = kmalloc(len, GFP_KERNEL);
35250 + if (alloc_push(ret)) {
35261 +acl_alloc_num(unsigned long num, unsigned long len)
35263 + if (!len || (num > (PAGE_SIZE / len)))
35266 + return acl_alloc(num * len);
35270 +acl_free_all(void)
35272 + if (gr_acl_is_enabled() || !alloc_stack)
35275 + while (alloc_pop()) ;
35277 + if (alloc_stack) {
35278 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
35279 + kfree(alloc_stack);
35281 + vfree(alloc_stack);
35284 + alloc_stack = NULL;
35285 + alloc_stack_size = 1;
35286 + alloc_stack_next = 1;
35292 +acl_alloc_stack_init(unsigned long size)
35294 + if ((size * sizeof (void *)) <= PAGE_SIZE)
35296 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
35298 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
35300 + alloc_stack_size = size;
35302 + if (!alloc_stack)
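Review bot: acl_alloc_stack_init() multiplies `size * sizeof (void *)` with no overflow guard, whereas acl_alloc_num() in the same file divides first (`num > (PAGE_SIZE / len)`). Where `size` comes from is not visible in this file; if it can be large enough to wrap, the `<= PAGE_SIZE` branch would kmalloc a small array while `alloc_stack_size = size` records the full count. alloc_push()'s `alloc_stack_next >= alloc_stack_size` test would then allow stores past the allocation. A guard at the top, `if (size > ULONG_MAX / sizeof (void *))`, returning the function's failure value would close this. Separately, `alloc_stack_size` should only be assigned once `alloc_stack` is known to be non-NULL.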
35307 diff -urNp linux-2.6.36.2/grsecurity/gracl.c linux-2.6.36.2/grsecurity/gracl.c
35308 --- linux-2.6.36.2/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
35309 +++ linux-2.6.36.2/grsecurity/gracl.c 2010-12-09 20:24:32.000000000 -0500
35311 +#include <linux/kernel.h>
35312 +#include <linux/module.h>
35313 +#include <linux/sched.h>
35314 +#include <linux/mm.h>
35315 +#include <linux/file.h>
35316 +#include <linux/fs.h>
35317 +#include <linux/namei.h>
35318 +#include <linux/mount.h>
35319 +#include <linux/tty.h>
35320 +#include <linux/proc_fs.h>
35321 +#include <linux/smp_lock.h>
35322 +#include <linux/slab.h>
35323 +#include <linux/vmalloc.h>
35324 +#include <linux/types.h>
35325 +#include <linux/sysctl.h>
35326 +#include <linux/netdevice.h>
35327 +#include <linux/ptrace.h>
35328 +#include <linux/gracl.h>
35329 +#include <linux/gralloc.h>
35330 +#include <linux/grsecurity.h>
35331 +#include <linux/grinternal.h>
35332 +#include <linux/pid_namespace.h>
35333 +#include <linux/fdtable.h>
35334 +#include <linux/percpu.h>
35336 +#include <asm/uaccess.h>
35337 +#include <asm/errno.h>
35338 +#include <asm/mman.h>
35340 +static struct acl_role_db acl_role_set;
35341 +static struct name_db name_set;
35342 +static struct inodev_db inodev_set;
35344 +/* for keeping track of userspace pointers used for subjects, so we
35345 + can share references in the kernel as well
35348 +static struct path real_root;
35350 +static struct acl_subj_map_db subj_map_set;
35352 +static struct acl_role_label *default_role;
35354 +static struct acl_role_label *role_list;
35356 +static u16 acl_sp_role_value;
35358 +extern char *gr_shared_page[4];
35359 +static DECLARE_MUTEX(gr_dev_sem);
35360 +DEFINE_RWLOCK(gr_inode_lock);
35362 +struct gr_arg *gr_usermode;
35364 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
35366 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
35367 +extern void gr_clear_learn_entries(void);
35369 +#ifdef CONFIG_GRKERNSEC_RESLOG
35370 +extern void gr_log_resource(const struct task_struct *task,
35371 + const int res, const unsigned long wanted, const int gt);
35374 +unsigned char *gr_system_salt;
35375 +unsigned char *gr_system_sum;
35377 +static struct sprole_pw **acl_special_roles = NULL;
35378 +static __u16 num_sprole_pws = 0;
35380 +static struct acl_role_label *kernel_role = NULL;
35382 +static unsigned int gr_auth_attempts = 0;
35383 +static unsigned long gr_auth_expires = 0UL;
35385 +extern struct vfsmount *sock_mnt;
35386 +extern struct vfsmount *pipe_mnt;
35387 +extern struct vfsmount *shm_mnt;
35388 +#ifdef CONFIG_HUGETLBFS
35389 +extern struct vfsmount *hugetlbfs_vfsmount;
35392 +static struct acl_object_label *fakefs_obj;
35394 +extern int gr_init_uidset(void);
35395 +extern void gr_free_uidset(void);
35396 +extern void gr_remove_uid(uid_t uid);
35397 +extern int gr_find_uid(uid_t uid);
35399 +extern spinlock_t vfsmount_lock;
35402 +gr_acl_is_enabled(void)
35404 + return (gr_status & GR_READY);
35407 +static char gr_task_roletype_to_char(struct task_struct *task)
35409 + switch (task->role->roletype &
35410 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
35411 + GR_ROLE_SPECIAL)) {
35412 + case GR_ROLE_DEFAULT:
35414 + case GR_ROLE_USER:
35416 + case GR_ROLE_GROUP:
35418 + case GR_ROLE_SPECIAL:
35425 +char gr_roletype_to_char(void)
35427 + return gr_task_roletype_to_char(current);
35431 +gr_acl_tpe_check(void)
35433 + if (unlikely(!(gr_status & GR_READY)))
35435 + if (current->role->roletype & GR_ROLE_TPE)
35442 +gr_handle_rawio(const struct inode *inode)
35444 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
35445 + if (inode && S_ISBLK(inode->i_mode) &&
35446 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
35447 + !capable(CAP_SYS_RAWIO))
35454 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
35456 + if (likely(lena != lenb))
35459 + return !memcmp(a, b, lena);
35463 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
35467 + retval = __d_path(path, root, buf, buflen);
35468 + if (unlikely(IS_ERR(retval)))
35469 + retval = strcpy(buf, "<path too long>");
35470 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
35471 + retval[1] = '\0';
35477 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
35478 + char *buf, int buflen)
35480 + struct path path;
35483 + path.dentry = (struct dentry *)dentry;
35484 + path.mnt = (struct vfsmount *)vfsmnt;
35486 + /* we can use real_root.dentry, real_root.mnt, because this is only called
35487 + by the RBAC system */
35488 + res = gen_full_path(&path, &real_root, buf, buflen);
35494 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
35495 + char *buf, int buflen)
35498 + struct path path;
35499 + struct path root;
35500 + struct task_struct *reaper = &init_task;
35502 + path.dentry = (struct dentry *)dentry;
35503 + path.mnt = (struct vfsmount *)vfsmnt;
35505 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
35506 + get_fs_root(reaper->fs, &root);
35508 + spin_lock(&dcache_lock);
35509 + res = gen_full_path(&path, &root, buf, buflen);
35510 + spin_unlock(&dcache_lock);
35517 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
35520 + spin_lock(&dcache_lock);
35521 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
35523 + spin_unlock(&dcache_lock);
35528 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
35530 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
35535 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
35537 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
35542 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
35544 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
35549 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
35551 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
35556 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
35558 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
35563 +to_gr_audit(const __u32 reqmode)
35565 + /* masks off auditable permission flags, then shifts them to create
35566 + auditing flags, and adds the special case of append auditing if
35567 + we're requesting write */
35568 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
35571 +struct acl_subject_label *
35572 +lookup_subject_map(const struct acl_subject_label *userp)
35574 + unsigned int index = shash(userp, subj_map_set.s_size);
35575 + struct subject_map *match;
35577 + match = subj_map_set.s_hash[index];
35579 + while (match && match->user != userp)
35580 + match = match->next;
35582 + if (match != NULL)
35583 + return match->kernel;
35589 +insert_subj_map_entry(struct subject_map *subjmap)
35591 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
35592 + struct subject_map **curr;
35594 + subjmap->prev = NULL;
35596 + curr = &subj_map_set.s_hash[index];
35597 + if (*curr != NULL)
35598 + (*curr)->prev = subjmap;
35600 + subjmap->next = *curr;
35606 +static struct acl_role_label *
35607 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
35610 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
35611 + struct acl_role_label *match;
35612 + struct role_allowed_ip *ipp;
35614 + u32 curr_ip = task->signal->curr_ip;
35616 + task->signal->saved_ip = curr_ip;
35618 + match = acl_role_set.r_hash[index];
35621 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
35622 + for (x = 0; x < match->domain_child_num; x++) {
35623 + if (match->domain_children[x] == uid)
35626 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
35628 + match = match->next;
35631 + if (match == NULL) {
35633 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
35634 + match = acl_role_set.r_hash[index];
35637 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
35638 + for (x = 0; x < match->domain_child_num; x++) {
35639 + if (match->domain_children[x] == gid)
35642 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
35644 + match = match->next;
35647 + if (match == NULL)
35648 + match = default_role;
35649 + if (match->allowed_ips == NULL)
35652 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
35654 + ((ntohl(curr_ip) & ipp->netmask) ==
35655 + (ntohl(ipp->addr) & ipp->netmask)))
35658 + match = default_role;
35660 + } else if (match->allowed_ips == NULL) {
35663 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
35665 + ((ntohl(curr_ip) & ipp->netmask) ==
35666 + (ntohl(ipp->addr) & ipp->netmask)))
35675 +struct acl_subject_label *
35676 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
35677 + const struct acl_role_label *role)
35679 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
35680 + struct acl_subject_label *match;
35682 + match = role->subj_hash[index];
35684 + while (match && (match->inode != ino || match->device != dev ||
35685 + (match->mode & GR_DELETED))) {
35686 + match = match->next;
35689 + if (match && !(match->mode & GR_DELETED))
35695 +struct acl_subject_label *
35696 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
35697 + const struct acl_role_label *role)
35699 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
35700 + struct acl_subject_label *match;
35702 + match = role->subj_hash[index];
35704 + while (match && (match->inode != ino || match->device != dev ||
35705 + !(match->mode & GR_DELETED))) {
35706 + match = match->next;
35709 + if (match && (match->mode & GR_DELETED))
35715 +static struct acl_object_label *
35716 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
35717 + const struct acl_subject_label *subj)
35719 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35720 + struct acl_object_label *match;
35722 + match = subj->obj_hash[index];
35724 + while (match && (match->inode != ino || match->device != dev ||
35725 + (match->mode & GR_DELETED))) {
35726 + match = match->next;
35729 + if (match && !(match->mode & GR_DELETED))
35735 +static struct acl_object_label *
35736 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
35737 + const struct acl_subject_label *subj)
35739 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35740 + struct acl_object_label *match;
35742 + match = subj->obj_hash[index];
35744 + while (match && (match->inode != ino || match->device != dev ||
35745 + !(match->mode & GR_DELETED))) {
35746 + match = match->next;
35749 + if (match && (match->mode & GR_DELETED))
35752 + match = subj->obj_hash[index];
35754 + while (match && (match->inode != ino || match->device != dev ||
35755 + (match->mode & GR_DELETED))) {
35756 + match = match->next;
35759 + if (match && !(match->mode & GR_DELETED))
35765 +static struct name_entry *
35766 +lookup_name_entry(const char *name)
35768 + unsigned int len = strlen(name);
35769 + unsigned int key = full_name_hash(name, len);
35770 + unsigned int index = key % name_set.n_size;
35771 + struct name_entry *match;
35773 + match = name_set.n_hash[index];
35775 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
35776 + match = match->next;
35781 +static struct name_entry *
35782 +lookup_name_entry_create(const char *name)
35784 + unsigned int len = strlen(name);
35785 + unsigned int key = full_name_hash(name, len);
35786 + unsigned int index = key % name_set.n_size;
35787 + struct name_entry *match;
35789 + match = name_set.n_hash[index];
35791 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35792 + !match->deleted))
35793 + match = match->next;
35795 + if (match && match->deleted)
35798 + match = name_set.n_hash[index];
35800 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35802 + match = match->next;
35804 + if (match && !match->deleted)
35810 +static struct inodev_entry *
35811 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
35813 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
35814 + struct inodev_entry *match;
35816 + match = inodev_set.i_hash[index];
35818 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
35819 + match = match->next;
35825 +insert_inodev_entry(struct inodev_entry *entry)
35827 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
35828 + inodev_set.i_size);
35829 + struct inodev_entry **curr;
35831 + entry->prev = NULL;
35833 + curr = &inodev_set.i_hash[index];
35834 + if (*curr != NULL)
35835 + (*curr)->prev = entry;
35837 + entry->next = *curr;
35844 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
35846 + unsigned int index =
35847 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
35848 + struct acl_role_label **curr;
35849 + struct acl_role_label *tmp;
35851 + curr = &acl_role_set.r_hash[index];
35853 + /* if role was already inserted due to domains and already has
35854 + a role in the same bucket as it attached, then we need to
35855 + combine these two buckets
35857 + if (role->next) {
35858 + tmp = role->next;
35859 + while (tmp->next)
35861 + tmp->next = *curr;
35863 + role->next = *curr;
35870 +insert_acl_role_label(struct acl_role_label *role)
35874 + if (role_list == NULL) {
35875 + role_list = role;
35876 + role->prev = NULL;
35878 + role->prev = role_list;
35879 + role_list = role;
35882 + /* used for hash chains */
35883 + role->next = NULL;
35885 + if (role->roletype & GR_ROLE_DOMAIN) {
35886 + for (i = 0; i < role->domain_child_num; i++)
35887 + __insert_acl_role_label(role, role->domain_children[i]);
35889 + __insert_acl_role_label(role, role->uidgid);
35893 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
35895 + struct name_entry **curr, *nentry;
35896 + struct inodev_entry *ientry;
35897 + unsigned int len = strlen(name);
35898 + unsigned int key = full_name_hash(name, len);
35899 + unsigned int index = key % name_set.n_size;
35901 + curr = &name_set.n_hash[index];
35903 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
35904 + curr = &((*curr)->next);
35906 + if (*curr != NULL)
35909 + nentry = acl_alloc(sizeof (struct name_entry));
35910 + if (nentry == NULL)
35912 + ientry = acl_alloc(sizeof (struct inodev_entry));
35913 + if (ientry == NULL)
35915 + ientry->nentry = nentry;
35917 + nentry->key = key;
35918 + nentry->name = name;
35919 + nentry->inode = inode;
35920 + nentry->device = device;
35921 + nentry->len = len;
35922 + nentry->deleted = deleted;
35924 + nentry->prev = NULL;
35925 + curr = &name_set.n_hash[index];
35926 + if (*curr != NULL)
35927 + (*curr)->prev = nentry;
35928 + nentry->next = *curr;
35931 + /* insert us into the table searchable by inode/dev */
35932 + insert_inodev_entry(ientry);
35938 +insert_acl_obj_label(struct acl_object_label *obj,
35939 + struct acl_subject_label *subj)
35941 + unsigned int index =
35942 + fhash(obj->inode, obj->device, subj->obj_hash_size);
35943 + struct acl_object_label **curr;
35946 + obj->prev = NULL;
35948 + curr = &subj->obj_hash[index];
35949 + if (*curr != NULL)
35950 + (*curr)->prev = obj;
35952 + obj->next = *curr;
35959 +insert_acl_subj_label(struct acl_subject_label *obj,
35960 + struct acl_role_label *role)
35962 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
35963 + struct acl_subject_label **curr;
35965 + obj->prev = NULL;
35967 + curr = &role->subj_hash[index];
35968 + if (*curr != NULL)
35969 + (*curr)->prev = obj;
35971 + obj->next = *curr;
35977 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
35980 +create_table(__u32 * len, int elementsize)
35982 + unsigned int table_sizes[] = {
35983 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
35984 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
35985 + 4194301, 8388593, 16777213, 33554393, 67108859
35987 + void *newtable = NULL;
35988 + unsigned int pwr = 0;
35990 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
35991 + table_sizes[pwr] <= *len)
35994 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
35997 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
35999 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
36001 + newtable = vmalloc(table_sizes[pwr] * elementsize);
36003 + *len = table_sizes[pwr];
36009 +init_variables(const struct gr_arg *arg)
36011 + struct task_struct *reaper = &init_task;
36012 + unsigned int stacksize;
36014 + subj_map_set.s_size = arg->role_db.num_subjects;
36015 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
36016 + name_set.n_size = arg->role_db.num_objects;
36017 + inodev_set.i_size = arg->role_db.num_objects;
36019 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
36020 + !name_set.n_size || !inodev_set.i_size)
36023 + if (!gr_init_uidset())
36026 + /* set up the stack that holds allocation info */
36028 + stacksize = arg->role_db.num_pointers + 5;
36030 + if (!acl_alloc_stack_init(stacksize))
36033 + /* grab reference for the real root dentry and vfsmount */
36034 + get_fs_root(reaper->fs, &real_root);
36036 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
36037 + if (fakefs_obj == NULL)
36039 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
36041 + subj_map_set.s_hash =
36042 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
36043 + acl_role_set.r_hash =
36044 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
36045 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
36046 + inodev_set.i_hash =
36047 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
36049 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
36050 + !name_set.n_hash || !inodev_set.i_hash)
36053 + memset(subj_map_set.s_hash, 0,
36054 + sizeof(struct subject_map *) * subj_map_set.s_size);
36055 + memset(acl_role_set.r_hash, 0,
36056 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
36057 + memset(name_set.n_hash, 0,
36058 + sizeof (struct name_entry *) * name_set.n_size);
36059 + memset(inodev_set.i_hash, 0,
36060 + sizeof (struct inodev_entry *) * inodev_set.i_size);
36065 +/* free information not needed after startup
36066 + currently contains user->kernel pointer mappings for subjects
36070 +free_init_variables(void)
36074 + if (subj_map_set.s_hash) {
36075 + for (i = 0; i < subj_map_set.s_size; i++) {
36076 + if (subj_map_set.s_hash[i]) {
36077 + kfree(subj_map_set.s_hash[i]);
36078 + subj_map_set.s_hash[i] = NULL;
36082 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
36084 + kfree(subj_map_set.s_hash);
36086 + vfree(subj_map_set.s_hash);
36093 +free_variables(void)
36095 + struct acl_subject_label *s;
36096 + struct acl_role_label *r;
36097 + struct task_struct *task, *task2;
36100 + gr_clear_learn_entries();
36102 + read_lock(&tasklist_lock);
36103 + do_each_thread(task2, task) {
36104 + task->acl_sp_role = 0;
36105 + task->acl_role_id = 0;
36106 + task->acl = NULL;
36107 + task->role = NULL;
36108 + } while_each_thread(task2, task);
36109 + read_unlock(&tasklist_lock);
36111 + /* release the reference to the real root dentry and vfsmount */
36112 + path_put(&real_root);
36114 + /* free all object hash tables */
36116 + FOR_EACH_ROLE_START(r)
36117 + if (r->subj_hash == NULL)
36119 + FOR_EACH_SUBJECT_START(r, s, x)
36120 + if (s->obj_hash == NULL)
36122 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
36123 + kfree(s->obj_hash);
36125 + vfree(s->obj_hash);
36126 + FOR_EACH_SUBJECT_END(s, x)
36127 + FOR_EACH_NESTED_SUBJECT_START(r, s)
36128 + if (s->obj_hash == NULL)
36130 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
36131 + kfree(s->obj_hash);
36133 + vfree(s->obj_hash);
36134 + FOR_EACH_NESTED_SUBJECT_END(s)
36135 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
36136 + kfree(r->subj_hash);
36138 + vfree(r->subj_hash);
36139 + r->subj_hash = NULL;
36141 + FOR_EACH_ROLE_END(r)
36145 + if (acl_role_set.r_hash) {
36146 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
36148 + kfree(acl_role_set.r_hash);
36150 + vfree(acl_role_set.r_hash);
36152 + if (name_set.n_hash) {
36153 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
36155 + kfree(name_set.n_hash);
36157 + vfree(name_set.n_hash);
36160 + if (inodev_set.i_hash) {
36161 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
36163 + kfree(inodev_set.i_hash);
36165 + vfree(inodev_set.i_hash);
36168 + gr_free_uidset();
36170 + memset(&name_set, 0, sizeof (struct name_db));
36171 + memset(&inodev_set, 0, sizeof (struct inodev_db));
36172 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
36173 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
36175 + default_role = NULL;
36176 + role_list = NULL;
36182 +count_user_objs(struct acl_object_label *userp)
36184 + struct acl_object_label o_tmp;
36188 + if (copy_from_user(&o_tmp, userp,
36189 + sizeof (struct acl_object_label)))
36192 + userp = o_tmp.prev;
36199 +static struct acl_subject_label *
36200 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
36203 +copy_user_glob(struct acl_object_label *obj)
36205 + struct acl_object_label *g_tmp, **guser;
36206 + unsigned int len;
36209 + if (obj->globbed == NULL)
36212 + guser = &obj->globbed;
36214 + g_tmp = (struct acl_object_label *)
36215 + acl_alloc(sizeof (struct acl_object_label));
36216 + if (g_tmp == NULL)
36219 + if (copy_from_user(g_tmp, *guser,
36220 + sizeof (struct acl_object_label)))
36223 + len = strnlen_user(g_tmp->filename, PATH_MAX);
36225 + if (!len || len >= PATH_MAX)
36228 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36231 + if (copy_from_user(tmp, g_tmp->filename, len))
36233 + tmp[len-1] = '\0';
36234 + g_tmp->filename = tmp;
36237 + guser = &(g_tmp->next);
36244 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
36245 + struct acl_role_label *role)
36247 + struct acl_object_label *o_tmp;
36248 + unsigned int len;
36253 + if ((o_tmp = (struct acl_object_label *)
36254 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
36257 + if (copy_from_user(o_tmp, userp,
36258 + sizeof (struct acl_object_label)))
36261 + userp = o_tmp->prev;
36263 + len = strnlen_user(o_tmp->filename, PATH_MAX);
36265 + if (!len || len >= PATH_MAX)
36268 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36271 + if (copy_from_user(tmp, o_tmp->filename, len))
36273 + tmp[len-1] = '\0';
36274 + o_tmp->filename = tmp;
36276 + insert_acl_obj_label(o_tmp, subj);
36277 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
36278 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
36281 + ret = copy_user_glob(o_tmp);
36285 + if (o_tmp->nested) {
36286 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
36287 + if (IS_ERR(o_tmp->nested))
36288 + return PTR_ERR(o_tmp->nested);
36290 + /* insert into nested subject list */
36291 + o_tmp->nested->next = role->hash->first;
36292 + role->hash->first = o_tmp->nested;
36300 +count_user_subjs(struct acl_subject_label *userp)
36302 + struct acl_subject_label s_tmp;
36306 + if (copy_from_user(&s_tmp, userp,
36307 + sizeof (struct acl_subject_label)))
36310 + userp = s_tmp.prev;
36311 + /* do not count nested subjects against this count, since
36312 + they are not included in the hash table, but are
36313 + attached to objects. We have already counted
36314 + the subjects in userspace for the allocation
36317 + if (!(s_tmp.mode & GR_NESTED))
36325 +copy_user_allowedips(struct acl_role_label *rolep)
36327 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
36329 + ruserip = rolep->allowed_ips;
36331 + while (ruserip) {
36334 + if ((rtmp = (struct role_allowed_ip *)
36335 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
36338 + if (copy_from_user(rtmp, ruserip,
36339 + sizeof (struct role_allowed_ip)))
36342 + ruserip = rtmp->prev;
36345 + rtmp->prev = NULL;
36346 + rolep->allowed_ips = rtmp;
36348 + rlast->next = rtmp;
36349 + rtmp->prev = rlast;
36353 + rtmp->next = NULL;
36360 +copy_user_transitions(struct acl_role_label *rolep)
36362 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
36364 + unsigned int len;
36367 + rusertp = rolep->transitions;
36369 + while (rusertp) {
36372 + if ((rtmp = (struct role_transition *)
36373 + acl_alloc(sizeof (struct role_transition))) == NULL)
36376 + if (copy_from_user(rtmp, rusertp,
36377 + sizeof (struct role_transition)))
36380 + rusertp = rtmp->prev;
36382 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
36384 + if (!len || len >= GR_SPROLE_LEN)
36387 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36390 + if (copy_from_user(tmp, rtmp->rolename, len))
36392 + tmp[len-1] = '\0';
36393 + rtmp->rolename = tmp;
36396 + rtmp->prev = NULL;
36397 + rolep->transitions = rtmp;
36399 + rlast->next = rtmp;
36400 + rtmp->prev = rlast;
36404 + rtmp->next = NULL;
36410 +static struct acl_subject_label *
36411 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
36413 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
36414 + unsigned int len;
36417 + struct acl_ip_label **i_tmp, *i_utmp2;
36418 + struct gr_hash_struct ghash;
36419 + struct subject_map *subjmap;
36420 + unsigned int i_num;
36423 + s_tmp = lookup_subject_map(userp);
36425 + /* we've already copied this subject into the kernel, just return
36426 + the reference to it, and don't copy it over again
36431 + if ((s_tmp = (struct acl_subject_label *)
36432 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
36433 + return ERR_PTR(-ENOMEM);
36435 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
36436 + if (subjmap == NULL)
36437 + return ERR_PTR(-ENOMEM);
36439 + subjmap->user = userp;
36440 + subjmap->kernel = s_tmp;
36441 + insert_subj_map_entry(subjmap);
36443 + if (copy_from_user(s_tmp, userp,
36444 + sizeof (struct acl_subject_label)))
36445 + return ERR_PTR(-EFAULT);
36447 + len = strnlen_user(s_tmp->filename, PATH_MAX);
36449 + if (!len || len >= PATH_MAX)
36450 + return ERR_PTR(-EINVAL);
36452 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36453 + return ERR_PTR(-ENOMEM);
36455 + if (copy_from_user(tmp, s_tmp->filename, len))
36456 + return ERR_PTR(-EFAULT);
36457 + tmp[len-1] = '\0';
36458 + s_tmp->filename = tmp;
36460 + if (!strcmp(s_tmp->filename, "/"))
36461 + role->root_label = s_tmp;
36463 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
36464 + return ERR_PTR(-EFAULT);
36466 + /* copy user and group transition tables */
36468 + if (s_tmp->user_trans_num) {
36471 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
36472 + if (uidlist == NULL)
36473 + return ERR_PTR(-ENOMEM);
36474 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
36475 + return ERR_PTR(-EFAULT);
36477 + s_tmp->user_transitions = uidlist;
36480 + if (s_tmp->group_trans_num) {
36483 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
36484 + if (gidlist == NULL)
36485 + return ERR_PTR(-ENOMEM);
36486 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
36487 + return ERR_PTR(-EFAULT);
36489 + s_tmp->group_transitions = gidlist;
36492 + /* set up object hash table */
36493 + num_objs = count_user_objs(ghash.first);
36495 + s_tmp->obj_hash_size = num_objs;
36496 + s_tmp->obj_hash =
36497 + (struct acl_object_label **)
36498 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
36500 + if (!s_tmp->obj_hash)
36501 + return ERR_PTR(-ENOMEM);
36503 + memset(s_tmp->obj_hash, 0,
36504 + s_tmp->obj_hash_size *
36505 + sizeof (struct acl_object_label *));
36507 + /* add in objects */
36508 + err = copy_user_objs(ghash.first, s_tmp, role);
36511 + return ERR_PTR(err);
36513 + /* set pointer for parent subject */
36514 + if (s_tmp->parent_subject) {
36515 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
36517 + if (IS_ERR(s_tmp2))
36520 + s_tmp->parent_subject = s_tmp2;
36523 + /* add in ip acls */
36525 + if (!s_tmp->ip_num) {
36526 + s_tmp->ips = NULL;
36531 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
36532 + sizeof (struct acl_ip_label *));
36535 + return ERR_PTR(-ENOMEM);
36537 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
36538 + *(i_tmp + i_num) =
36539 + (struct acl_ip_label *)
36540 + acl_alloc(sizeof (struct acl_ip_label));
36541 + if (!*(i_tmp + i_num))
36542 + return ERR_PTR(-ENOMEM);
36544 + if (copy_from_user
36545 + (&i_utmp2, s_tmp->ips + i_num,
36546 + sizeof (struct acl_ip_label *)))
36547 + return ERR_PTR(-EFAULT);
36549 + if (copy_from_user
36550 + (*(i_tmp + i_num), i_utmp2,
36551 + sizeof (struct acl_ip_label)))
36552 + return ERR_PTR(-EFAULT);
36554 + if ((*(i_tmp + i_num))->iface == NULL)
36557 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
36558 + if (!len || len >= IFNAMSIZ)
36559 + return ERR_PTR(-EINVAL);
36560 + tmp = acl_alloc(len);
36562 + return ERR_PTR(-ENOMEM);
36563 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
36564 + return ERR_PTR(-EFAULT);
36565 + (*(i_tmp + i_num))->iface = tmp;
36568 + s_tmp->ips = i_tmp;
36571 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
36572 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
36573 + return ERR_PTR(-ENOMEM);
36579 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
36581 + struct acl_subject_label s_pre;
36582 + struct acl_subject_label * ret;
36586 + if (copy_from_user(&s_pre, userp,
36587 + sizeof (struct acl_subject_label)))
36590 + /* do not add nested subjects here, add
36591 + while parsing objects
36594 + if (s_pre.mode & GR_NESTED) {
36595 + userp = s_pre.prev;
36599 + ret = do_copy_user_subj(userp, role);
36601 + err = PTR_ERR(ret);
36605 + insert_acl_subj_label(ret, role);
36607 + userp = s_pre.prev;
36614 +copy_user_acl(struct gr_arg *arg)
36616 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
36617 + struct sprole_pw *sptmp;
36618 + struct gr_hash_struct *ghash;
36619 + uid_t *domainlist;
36620 + unsigned int r_num;
36621 + unsigned int len;
36627 + /* we need a default and kernel role */
36628 + if (arg->role_db.num_roles < 2)
36631 + /* copy special role authentication info from userspace */
36633 + num_sprole_pws = arg->num_sprole_pws;
36634 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
36636 + if (!acl_special_roles) {
36641 + for (i = 0; i < num_sprole_pws; i++) {
36642 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
36647 + if (copy_from_user(sptmp, arg->sprole_pws + i,
36648 + sizeof (struct sprole_pw))) {
36654 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
36656 + if (!len || len >= GR_SPROLE_LEN) {
36661 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
36666 + if (copy_from_user(tmp, sptmp->rolename, len)) {
36670 + tmp[len-1] = '\0';
36671 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36672 + printk(KERN_ALERT "Copying special role %s\n", tmp);
36674 + sptmp->rolename = tmp;
36675 + acl_special_roles[i] = sptmp;
36678 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
36680 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
36681 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
36688 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
36689 + sizeof (struct acl_role_label *))) {
36694 + if (copy_from_user(r_tmp, r_utmp2,
36695 + sizeof (struct acl_role_label))) {
36700 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
36702 + if (!len || len >= PATH_MAX) {
36707 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
36711 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
36715 + tmp[len-1] = '\0';
36716 + r_tmp->rolename = tmp;
36718 + if (!strcmp(r_tmp->rolename, "default")
36719 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
36720 + default_role = r_tmp;
36721 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
36722 + kernel_role = r_tmp;
36725 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
36729 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
36734 + r_tmp->hash = ghash;
36736 + num_subjs = count_user_subjs(r_tmp->hash->first);
36738 + r_tmp->subj_hash_size = num_subjs;
36739 + r_tmp->subj_hash =
36740 + (struct acl_subject_label **)
36741 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
36743 + if (!r_tmp->subj_hash) {
36748 + err = copy_user_allowedips(r_tmp);
36752 + /* copy domain info */
36753 + if (r_tmp->domain_children != NULL) {
36754 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
36755 + if (domainlist == NULL) {
36759 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
36763 + r_tmp->domain_children = domainlist;
36766 + err = copy_user_transitions(r_tmp);
36770 + memset(r_tmp->subj_hash, 0,
36771 + r_tmp->subj_hash_size *
36772 + sizeof (struct acl_subject_label *));
36774 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
36779 + /* set nested subject list to null */
36780 + r_tmp->hash->first = NULL;
36782 + insert_acl_role_label(r_tmp);
36787 + free_variables();
36794 +gracl_init(struct gr_arg *args)
36798 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
36799 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
36801 + if (init_variables(args)) {
36802 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
36804 + free_variables();
36808 + error = copy_user_acl(args);
36809 + free_init_variables();
36811 + free_variables();
36815 + if ((error = gr_set_acls(0))) {
36816 + free_variables();
36820 + pax_open_kernel();
36821 + gr_status |= GR_READY;
36822 + pax_close_kernel();
36828 +/* derived from glibc fnmatch() 0: match, 1: no match*/
36831 +glob_match(const char *p, const char *n)
36835 + while ((c = *p++) != '\0') {
36840 + else if (*n == '/')
36848 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
36851 + else if (c == '?') {
36861 + const char *endp;
36863 + if ((endp = strchr(n, '/')) == NULL)
36864 + endp = n + strlen(n);
36867 + for (--p; n < endp; ++n)
36868 + if (!glob_match(p, n))
36870 + } else if (c == '/') {
36871 + while (*n != '\0' && *n != '/')
36873 + if (*n == '/' && !glob_match(p, n + 1))
36876 + for (--p; n < endp; ++n)
36877 + if (*n == c && !glob_match(p, n))
36888 + if (*n == '\0' || *n == '/')
36891 + not = (*p == '!' || *p == '^');
36897 + unsigned char fn = (unsigned char)*n;
36907 + if (c == '-' && *p != ']') {
36908 + unsigned char cend = *p++;
36910 + if (cend == '\0')
36913 + if (cold <= fn && fn <= cend)
36927 + while (c != ']') {
36954 +static struct acl_object_label *
36955 +chk_glob_label(struct acl_object_label *globbed,
36956 + struct dentry *dentry, struct vfsmount *mnt, char **path)
36958 + struct acl_object_label *tmp;
36960 + if (*path == NULL)
36961 + *path = gr_to_filename_nolock(dentry, mnt);
36966 + if (!glob_match(tmp->filename, *path))
36974 +static struct acl_object_label *
36975 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36976 + const ino_t curr_ino, const dev_t curr_dev,
36977 + const struct acl_subject_label *subj, char **path, const int checkglob)
36979 + struct acl_subject_label *tmpsubj;
36980 + struct acl_object_label *retval;
36981 + struct acl_object_label *retval2;
36983 + tmpsubj = (struct acl_subject_label *) subj;
36984 + read_lock(&gr_inode_lock);
36986 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
36988 + if (checkglob && retval->globbed) {
36989 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
36990 + (struct vfsmount *)orig_mnt, path);
36992 + retval = retval2;
36996 + } while ((tmpsubj = tmpsubj->parent_subject));
36997 + read_unlock(&gr_inode_lock);
37002 +static __inline__ struct acl_object_label *
37003 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
37004 + const struct dentry *curr_dentry,
37005 + const struct acl_subject_label *subj, char **path, const int checkglob)
37007 + return __full_lookup(orig_dentry, orig_mnt,
37008 + curr_dentry->d_inode->i_ino,
37009 + curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
37012 +static struct acl_object_label *
37013 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
37014 + const struct acl_subject_label *subj, char *path, const int checkglob)
37016 + struct dentry *dentry = (struct dentry *) l_dentry;
37017 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
37018 + struct acl_object_label *retval;
37020 + spin_lock(&dcache_lock);
37022 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
37023 +#ifdef CONFIG_HUGETLBFS
37024 + mnt == hugetlbfs_vfsmount ||
37026 + /* ignore Eric Biederman */
37027 + IS_PRIVATE(l_dentry->d_inode))) {
37028 + retval = fakefs_obj;
37033 + if (dentry == real_root.dentry && mnt == real_root.mnt)
37036 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
37037 + if (mnt->mnt_parent == mnt)
37040 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
37041 + if (retval != NULL)
37044 + dentry = mnt->mnt_mountpoint;
37045 + mnt = mnt->mnt_parent;
37049 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
37050 + if (retval != NULL)
37053 + dentry = dentry->d_parent;
37056 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
37058 + if (retval == NULL)
37059 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
37061 + spin_unlock(&dcache_lock);
37065 +static __inline__ struct acl_object_label *
37066 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
37067 + const struct acl_subject_label *subj)
37069 + char *path = NULL;
37070 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
37073 +static __inline__ struct acl_object_label *
37074 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
37075 + const struct acl_subject_label *subj)
37077 + char *path = NULL;
37078 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
37081 +static __inline__ struct acl_object_label *
37082 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
37083 + const struct acl_subject_label *subj, char *path)
37085 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
37088 +static struct acl_subject_label *
37089 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
37090 + const struct acl_role_label *role)
37092 + struct dentry *dentry = (struct dentry *) l_dentry;
37093 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
37094 + struct acl_subject_label *retval;
37096 + spin_lock(&dcache_lock);
37099 + if (dentry == real_root.dentry && mnt == real_root.mnt)
37101 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
37102 + if (mnt->mnt_parent == mnt)
37105 + read_lock(&gr_inode_lock);
37107 + lookup_acl_subj_label(dentry->d_inode->i_ino,
37108 + dentry->d_inode->i_sb->s_dev, role);
37109 + read_unlock(&gr_inode_lock);
37110 + if (retval != NULL)
37113 + dentry = mnt->mnt_mountpoint;
37114 + mnt = mnt->mnt_parent;
37118 + read_lock(&gr_inode_lock);
37119 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
37120 + dentry->d_inode->i_sb->s_dev, role);
37121 + read_unlock(&gr_inode_lock);
37122 + if (retval != NULL)
37125 + dentry = dentry->d_parent;
37128 + read_lock(&gr_inode_lock);
37129 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
37130 + dentry->d_inode->i_sb->s_dev, role);
37131 + read_unlock(&gr_inode_lock);
37133 + if (unlikely(retval == NULL)) {
37134 + read_lock(&gr_inode_lock);
37135 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
37136 + real_root.dentry->d_inode->i_sb->s_dev, role);
37137 + read_unlock(&gr_inode_lock);
37140 + spin_unlock(&dcache_lock);
37146 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
37148 + struct task_struct *task = current;
37149 + const struct cred *cred = current_cred();
37151 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
37152 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
37153 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
37154 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
37160 +gr_log_learn_sysctl(const char *path, const __u32 mode)
37162 + struct task_struct *task = current;
37163 + const struct cred *cred = current_cred();
37165 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
37166 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
37167 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
37168 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
37174 +gr_log_learn_id_change(const char type, const unsigned int real,
37175 + const unsigned int effective, const unsigned int fs)
37177 + struct task_struct *task = current;
37178 + const struct cred *cred = current_cred();
37180 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
37181 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
37182 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
37183 + type, real, effective, fs, &task->signal->saved_ip);
37189 +gr_check_link(const struct dentry * new_dentry,
37190 + const struct dentry * parent_dentry,
37191 + const struct vfsmount * parent_mnt,
37192 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
37194 + struct acl_object_label *obj;
37195 + __u32 oldmode, newmode;
37198 + if (unlikely(!(gr_status & GR_READY)))
37199 + return (GR_CREATE | GR_LINK);
37201 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
37202 + oldmode = obj->mode;
37204 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37205 + oldmode |= (GR_CREATE | GR_LINK);
37207 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
37208 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
37209 + needmode |= GR_SETID | GR_AUDIT_SETID;
37212 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
37213 + oldmode | needmode);
37215 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
37216 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
37217 + GR_INHERIT | GR_AUDIT_INHERIT);
37219 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
37222 + if ((oldmode & needmode) != needmode)
37225 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
37226 + if ((newmode & needmode) != needmode)
37229 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
37232 + needmode = oldmode;
37233 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
37234 + needmode |= GR_SETID;
37236 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
37237 + gr_log_learn(old_dentry, old_mnt, needmode);
37238 + return (GR_CREATE | GR_LINK);
37239 + } else if (newmode & GR_SUPPRESS)
37240 + return GR_SUPPRESS;
37246 +gr_search_file(const struct dentry * dentry, const __u32 mode,
37247 + const struct vfsmount * mnt)
37249 + __u32 retval = mode;
37250 + struct acl_subject_label *curracl;
37251 + struct acl_object_label *currobj;
37253 + if (unlikely(!(gr_status & GR_READY)))
37254 + return (mode & ~GR_AUDITS);
37256 + curracl = current->acl;
37258 + currobj = chk_obj_label(dentry, mnt, curracl);
37259 + retval = currobj->mode & mode;
37262 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
37263 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
37264 + __u32 new_mode = mode;
37266 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37268 + retval = new_mode;
37270 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
37271 + new_mode |= GR_INHERIT;
37273 + if (!(mode & GR_NOLEARN))
37274 + gr_log_learn(dentry, mnt, new_mode);
37281 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
37282 + const struct vfsmount * mnt, const __u32 mode)
37284 + struct name_entry *match;
37285 + struct acl_object_label *matchpo;
37286 + struct acl_subject_label *curracl;
37290 + if (unlikely(!(gr_status & GR_READY)))
37291 + return (mode & ~GR_AUDITS);
37293 + preempt_disable();
37294 + path = gr_to_filename_rbac(new_dentry, mnt);
37295 + match = lookup_name_entry_create(path);
37298 + goto check_parent;
37300 + curracl = current->acl;
37302 + read_lock(&gr_inode_lock);
37303 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
37304 + read_unlock(&gr_inode_lock);
37307 + if ((matchpo->mode & mode) !=
37308 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
37309 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
37310 + __u32 new_mode = mode;
37312 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37314 + gr_log_learn(new_dentry, mnt, new_mode);
37316 + preempt_enable();
37319 + preempt_enable();
37320 + return (matchpo->mode & mode);
37324 + curracl = current->acl;
37326 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
37327 + retval = matchpo->mode & mode;
37329 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
37330 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
37331 + __u32 new_mode = mode;
37333 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37335 + gr_log_learn(new_dentry, mnt, new_mode);
37336 + preempt_enable();
37340 + preempt_enable();
37345 +gr_check_hidden_task(const struct task_struct *task)
37347 + if (unlikely(!(gr_status & GR_READY)))
37350 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
37357 +gr_check_protected_task(const struct task_struct *task)
37359 + if (unlikely(!(gr_status & GR_READY) || !task))
37362 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
37363 + task->acl != current->acl)
37370 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
37372 + struct task_struct *p;
37375 + if (unlikely(!(gr_status & GR_READY) || !pid))
37378 + read_lock(&tasklist_lock);
37379 + do_each_pid_task(pid, type, p) {
37380 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
37381 + p->acl != current->acl) {
37385 + } while_each_pid_task(pid, type, p);
37387 + read_unlock(&tasklist_lock);
37393 +gr_copy_label(struct task_struct *tsk)
37395 + tsk->signal->used_accept = 0;
37396 + tsk->acl_sp_role = 0;
37397 + tsk->acl_role_id = current->acl_role_id;
37398 + tsk->acl = current->acl;
37399 + tsk->role = current->role;
37400 + tsk->signal->curr_ip = current->signal->curr_ip;
37401 + tsk->signal->saved_ip = current->signal->saved_ip;
37402 + if (current->exec_file)
37403 + get_file(current->exec_file);
37404 + tsk->exec_file = current->exec_file;
37405 + tsk->is_writable = current->is_writable;
37406 + if (unlikely(current->signal->used_accept)) {
37407 + current->signal->curr_ip = 0;
37408 + current->signal->saved_ip = 0;
37415 +gr_set_proc_res(struct task_struct *task)
37417 + struct acl_subject_label *proc;
37418 + unsigned short i;
37420 + proc = task->acl;
37422 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
37425 + for (i = 0; i < RLIM_NLIMITS; i++) {
37426 + if (!(proc->resmask & (1 << i)))
37429 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
37430 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
37437 +gr_check_user_change(int real, int effective, int fs)
37444 + int effectiveok = 0;
37447 + if (unlikely(!(gr_status & GR_READY)))
37450 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37451 + gr_log_learn_id_change('u', real, effective, fs);
37453 + num = current->acl->user_trans_num;
37454 + uidlist = current->acl->user_transitions;
37456 + if (uidlist == NULL)
37461 + if (effective == -1)
37466 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
37467 + for (i = 0; i < num; i++) {
37468 + curuid = (int)uidlist[i];
37469 + if (real == curuid)
37471 + if (effective == curuid)
37473 + if (fs == curuid)
37476 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
37477 + for (i = 0; i < num; i++) {
37478 + curuid = (int)uidlist[i];
37479 + if (real == curuid)
37481 + if (effective == curuid)
37483 + if (fs == curuid)
37486 + /* not in deny list */
37494 + if (realok && effectiveok && fsok)
37497 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
37503 +gr_check_group_change(int real, int effective, int fs)
37510 + int effectiveok = 0;
37513 + if (unlikely(!(gr_status & GR_READY)))
37516 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37517 + gr_log_learn_id_change('g', real, effective, fs);
37519 + num = current->acl->group_trans_num;
37520 + gidlist = current->acl->group_transitions;
37522 + if (gidlist == NULL)
37527 + if (effective == -1)
37532 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
37533 + for (i = 0; i < num; i++) {
37534 + curgid = (int)gidlist[i];
37535 + if (real == curgid)
37537 + if (effective == curgid)
37539 + if (fs == curgid)
37542 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
37543 + for (i = 0; i < num; i++) {
37544 + curgid = (int)gidlist[i];
37545 + if (real == curgid)
37547 + if (effective == curgid)
37549 + if (fs == curgid)
37552 + /* not in deny list */
37560 + if (realok && effectiveok && fsok)
37563 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
37569 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
37571 + struct acl_role_label *role = task->role;
37572 + struct acl_subject_label *subj = NULL;
37573 + struct acl_object_label *obj;
37574 + struct file *filp;
37576 + if (unlikely(!(gr_status & GR_READY)))
37579 + filp = task->exec_file;
37581 + /* kernel process, we'll give them the kernel role */
37582 + if (unlikely(!filp)) {
37583 + task->role = kernel_role;
37584 + task->acl = kernel_role->root_label;
37586 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
37587 + role = lookup_acl_role_label(task, uid, gid);
37589 + /* perform subject lookup in possibly new role
37590 + we can use this result below in the case where role == task->role
37592 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
37594 + /* if we changed uid/gid, but result in the same role
37595 + and are using inheritance, don't lose the inherited subject
37596 + if current subject is other than what normal lookup
37597 + would result in, we arrived via inheritance, don't
37600 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
37601 + (subj == task->acl)))
37602 + task->acl = subj;
37604 + task->role = role;
37606 + task->is_writable = 0;
37608 + /* ignore additional mmap checks for processes that are writable
37609 + by the default ACL */
37610 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37611 + if (unlikely(obj->mode & GR_WRITE))
37612 + task->is_writable = 1;
37613 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
37614 + if (unlikely(obj->mode & GR_WRITE))
37615 + task->is_writable = 1;
37617 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37618 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37621 + gr_set_proc_res(task);
37627 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
37628 + const int unsafe_share)
37630 + struct task_struct *task = current;
37631 + struct acl_subject_label *newacl;
37632 + struct acl_object_label *obj;
37635 + if (unlikely(!(gr_status & GR_READY)))
37638 + newacl = chk_subj_label(dentry, mnt, task->role);
37641 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
37642 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
37643 + !(task->role->roletype & GR_ROLE_GOD) &&
37644 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
37645 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
37646 + task_unlock(task);
37647 + if (unsafe_share)
37648 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
37650 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
37653 + task_unlock(task);
37655 + obj = chk_obj_label(dentry, mnt, task->acl);
37656 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
37658 + if (!(task->acl->mode & GR_INHERITLEARN) &&
37659 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
37661 + task->acl = obj->nested;
37663 + task->acl = newacl;
37664 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
37665 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
37667 + task->is_writable = 0;
37669 + /* ignore additional mmap checks for processes that are writable
37670 + by the default ACL */
37671 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
37672 + if (unlikely(obj->mode & GR_WRITE))
37673 + task->is_writable = 1;
37674 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
37675 + if (unlikely(obj->mode & GR_WRITE))
37676 + task->is_writable = 1;
37678 + gr_set_proc_res(task);
37680 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37681 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37686 +/* always called with valid inodev ptr */
37688 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
37690 + struct acl_object_label *matchpo;
37691 + struct acl_subject_label *matchps;
37692 + struct acl_subject_label *subj;
37693 + struct acl_role_label *role;
37696 + FOR_EACH_ROLE_START(role)
37697 + FOR_EACH_SUBJECT_START(role, subj, x)
37698 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
37699 + matchpo->mode |= GR_DELETED;
37700 + FOR_EACH_SUBJECT_END(subj,x)
37701 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37702 + if (subj->inode == ino && subj->device == dev)
37703 + subj->mode |= GR_DELETED;
37704 + FOR_EACH_NESTED_SUBJECT_END(subj)
37705 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
37706 + matchps->mode |= GR_DELETED;
37707 + FOR_EACH_ROLE_END(role)
37709 + inodev->nentry->deleted = 1;
37715 +gr_handle_delete(const ino_t ino, const dev_t dev)
37717 + struct inodev_entry *inodev;
37719 + if (unlikely(!(gr_status & GR_READY)))
37722 + write_lock(&gr_inode_lock);
37723 + inodev = lookup_inodev_entry(ino, dev);
37724 + if (inodev != NULL)
37725 + do_handle_delete(inodev, ino, dev);
37726 + write_unlock(&gr_inode_lock);
37732 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
37733 + const ino_t newinode, const dev_t newdevice,
37734 + struct acl_subject_label *subj)
37736 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
37737 + struct acl_object_label *match;
37739 + match = subj->obj_hash[index];
37741 + while (match && (match->inode != oldinode ||
37742 + match->device != olddevice ||
37743 + !(match->mode & GR_DELETED)))
37744 + match = match->next;
37746 + if (match && (match->inode == oldinode)
37747 + && (match->device == olddevice)
37748 + && (match->mode & GR_DELETED)) {
37749 + if (match->prev == NULL) {
37750 + subj->obj_hash[index] = match->next;
37751 + if (match->next != NULL)
37752 + match->next->prev = NULL;
37754 + match->prev->next = match->next;
37755 + if (match->next != NULL)
37756 + match->next->prev = match->prev;
37758 + match->prev = NULL;
37759 + match->next = NULL;
37760 + match->inode = newinode;
37761 + match->device = newdevice;
37762 + match->mode &= ~GR_DELETED;
37764 + insert_acl_obj_label(match, subj);
37771 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
37772 + const ino_t newinode, const dev_t newdevice,
37773 + struct acl_role_label *role)
37775 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
37776 + struct acl_subject_label *match;
37778 + match = role->subj_hash[index];
37780 + while (match && (match->inode != oldinode ||
37781 + match->device != olddevice ||
37782 + !(match->mode & GR_DELETED)))
37783 + match = match->next;
37785 + if (match && (match->inode == oldinode)
37786 + && (match->device == olddevice)
37787 + && (match->mode & GR_DELETED)) {
37788 + if (match->prev == NULL) {
37789 + role->subj_hash[index] = match->next;
37790 + if (match->next != NULL)
37791 + match->next->prev = NULL;
37793 + match->prev->next = match->next;
37794 + if (match->next != NULL)
37795 + match->next->prev = match->prev;
37797 + match->prev = NULL;
37798 + match->next = NULL;
37799 + match->inode = newinode;
37800 + match->device = newdevice;
37801 + match->mode &= ~GR_DELETED;
37803 + insert_acl_subj_label(match, role);
37810 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
37811 + const ino_t newinode, const dev_t newdevice)
37813 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
37814 + struct inodev_entry *match;
37816 + match = inodev_set.i_hash[index];
37818 + while (match && (match->nentry->inode != oldinode ||
37819 + match->nentry->device != olddevice || !match->nentry->deleted))
37820 + match = match->next;
37822 + if (match && (match->nentry->inode == oldinode)
37823 + && (match->nentry->device == olddevice) &&
37824 + match->nentry->deleted) {
37825 + if (match->prev == NULL) {
37826 + inodev_set.i_hash[index] = match->next;
37827 + if (match->next != NULL)
37828 + match->next->prev = NULL;
37830 + match->prev->next = match->next;
37831 + if (match->next != NULL)
37832 + match->next->prev = match->prev;
37834 + match->prev = NULL;
37835 + match->next = NULL;
37836 + match->nentry->inode = newinode;
37837 + match->nentry->device = newdevice;
37838 + match->nentry->deleted = 0;
37840 + insert_inodev_entry(match);
37847 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
37848 + const struct vfsmount *mnt)
37850 + struct acl_subject_label *subj;
37851 + struct acl_role_label *role;
37854 + FOR_EACH_ROLE_START(role)
37855 + update_acl_subj_label(matchn->inode, matchn->device,
37856 + dentry->d_inode->i_ino,
37857 + dentry->d_inode->i_sb->s_dev, role);
37859 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37860 + if ((subj->inode == dentry->d_inode->i_ino) &&
37861 + (subj->device == dentry->d_inode->i_sb->s_dev)) {
37862 + subj->inode = dentry->d_inode->i_ino;
37863 + subj->device = dentry->d_inode->i_sb->s_dev;
37865 + FOR_EACH_NESTED_SUBJECT_END(subj)
37866 + FOR_EACH_SUBJECT_START(role, subj, x)
37867 + update_acl_obj_label(matchn->inode, matchn->device,
37868 + dentry->d_inode->i_ino,
37869 + dentry->d_inode->i_sb->s_dev, subj);
37870 + FOR_EACH_SUBJECT_END(subj,x)
37871 + FOR_EACH_ROLE_END(role)
37873 + update_inodev_entry(matchn->inode, matchn->device,
37874 + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
37880 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
37882 + struct name_entry *matchn;
37884 + if (unlikely(!(gr_status & GR_READY)))
37887 + preempt_disable();
37888 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
37890 + if (unlikely((unsigned long)matchn)) {
37891 + write_lock(&gr_inode_lock);
37892 + do_handle_create(matchn, dentry, mnt);
37893 + write_unlock(&gr_inode_lock);
37895 + preempt_enable();
37901 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
37902 + struct dentry *old_dentry,
37903 + struct dentry *new_dentry,
37904 + struct vfsmount *mnt, const __u8 replace)
37906 + struct name_entry *matchn;
37907 + struct inodev_entry *inodev;
37909 + /* vfs_rename swaps the name and parent link for old_dentry and
37911 + at this point, old_dentry has the new name, parent link, and inode
37912 + for the renamed file
37913 + if a file is being replaced by a rename, new_dentry has the inode
37914 + and name for the replaced file
37917 + if (unlikely(!(gr_status & GR_READY)))
37920 + preempt_disable();
37921 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
37923 + /* we wouldn't have to check d_inode if it weren't for
37924 + NFS silly-renaming
37927 + write_lock(&gr_inode_lock);
37928 + if (unlikely(replace && new_dentry->d_inode)) {
37929 + inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
37930 + new_dentry->d_inode->i_sb->s_dev);
37931 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
37932 + do_handle_delete(inodev, new_dentry->d_inode->i_ino,
37933 + new_dentry->d_inode->i_sb->s_dev);
37936 + inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
37937 + old_dentry->d_inode->i_sb->s_dev);
37938 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
37939 + do_handle_delete(inodev, old_dentry->d_inode->i_ino,
37940 + old_dentry->d_inode->i_sb->s_dev);
37942 + if (unlikely((unsigned long)matchn))
37943 + do_handle_create(matchn, old_dentry, mnt);
37945 + write_unlock(&gr_inode_lock);
37946 + preempt_enable();
37952 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
37953 + unsigned char **sum)
37955 + struct acl_role_label *r;
37956 + struct role_allowed_ip *ipp;
37957 + struct role_transition *trans;
37960 + u32 curr_ip = current->signal->curr_ip;
37962 + current->signal->saved_ip = curr_ip;
37964 + /* check transition table */
37966 + for (trans = current->role->transitions; trans; trans = trans->next) {
37967 + if (!strcmp(rolename, trans->rolename)) {
37976 + /* handle special roles that do not require authentication
37979 + FOR_EACH_ROLE_START(r)
37980 + if (!strcmp(rolename, r->rolename) &&
37981 + (r->roletype & GR_ROLE_SPECIAL)) {
37983 + if (r->allowed_ips != NULL) {
37984 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
37985 + if ((ntohl(curr_ip) & ipp->netmask) ==
37986 + (ntohl(ipp->addr) & ipp->netmask))
37994 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
37995 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
38001 + FOR_EACH_ROLE_END(r)
38003 + for (i = 0; i < num_sprole_pws; i++) {
38004 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
38005 + *salt = acl_special_roles[i]->salt;
38006 + *sum = acl_special_roles[i]->sum;
38015 +assign_special_role(char *rolename)
38017 + struct acl_object_label *obj;
38018 + struct acl_role_label *r;
38019 + struct acl_role_label *assigned = NULL;
38020 + struct task_struct *tsk;
38021 + struct file *filp;
38023 + FOR_EACH_ROLE_START(r)
38024 + if (!strcmp(rolename, r->rolename) &&
38025 + (r->roletype & GR_ROLE_SPECIAL)) {
38029 + FOR_EACH_ROLE_END(r)
38034 + read_lock(&tasklist_lock);
38035 + read_lock(&grsec_exec_file_lock);
38037 + tsk = current->real_parent;
38041 + filp = tsk->exec_file;
38042 + if (filp == NULL)
38045 + tsk->is_writable = 0;
38047 + tsk->acl_sp_role = 1;
38048 + tsk->acl_role_id = ++acl_sp_role_value;
38049 + tsk->role = assigned;
38050 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
38052 + /* ignore additional mmap checks for processes that are writable
38053 + by the default ACL */
38054 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38055 + if (unlikely(obj->mode & GR_WRITE))
38056 + tsk->is_writable = 1;
38057 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
38058 + if (unlikely(obj->mode & GR_WRITE))
38059 + tsk->is_writable = 1;
38061 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
38062 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
38066 + read_unlock(&grsec_exec_file_lock);
38067 + read_unlock(&tasklist_lock);
38071 +int gr_check_secure_terminal(struct task_struct *task)
38073 + struct task_struct *p, *p2, *p3;
38074 + struct files_struct *files;
38075 + struct fdtable *fdt;
38076 + struct file *our_file = NULL, *file;
38079 + if (task->signal->tty == NULL)
38082 + files = get_files_struct(task);
38083 + if (files != NULL) {
38085 + fdt = files_fdtable(files);
38086 + for (i=0; i < fdt->max_fds; i++) {
38087 + file = fcheck_files(files, i);
38088 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
38093 + rcu_read_unlock();
38094 + put_files_struct(files);
38097 + if (our_file == NULL)
38100 + read_lock(&tasklist_lock);
38101 + do_each_thread(p2, p) {
38102 + files = get_files_struct(p);
38103 + if (files == NULL ||
38104 + (p->signal && p->signal->tty == task->signal->tty)) {
38105 + if (files != NULL)
38106 + put_files_struct(files);
38110 + fdt = files_fdtable(files);
38111 + for (i=0; i < fdt->max_fds; i++) {
38112 + file = fcheck_files(files, i);
38113 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
38114 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
38116 + while (p3->pid > 0) {
38119 + p3 = p3->real_parent;
38123 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
38124 + gr_handle_alertkill(p);
38125 + rcu_read_unlock();
38126 + put_files_struct(files);
38127 + read_unlock(&tasklist_lock);
38132 + rcu_read_unlock();
38133 + put_files_struct(files);
38134 + } while_each_thread(p2, p);
38135 + read_unlock(&tasklist_lock);
38142 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
38144 + struct gr_arg_wrapper uwrap;
38145 + unsigned char *sprole_salt = NULL;
38146 + unsigned char *sprole_sum = NULL;
38147 + int error = sizeof (struct gr_arg_wrapper);
38150 + down(&gr_dev_sem);
38152 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
38157 + if (count != sizeof (struct gr_arg_wrapper)) {
38158 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
38164 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
38165 + gr_auth_expires = 0;
38166 + gr_auth_attempts = 0;
38169 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
38174 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
38179 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
38184 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
38185 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
38186 + time_after(gr_auth_expires, get_seconds())) {
38191 + /* if non-root trying to do anything other than use a special role,
38192 + do not attempt authentication, do not count towards authentication
38196 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
38197 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
38203 + /* ensure pw and special role name are null terminated */
38205 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
38206 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
38209 + * We have our enough of the argument structure..(we have yet
38210 + * to copy_from_user the tables themselves) . Copy the tables
38211 + * only if we need them, i.e. for loading operations. */
38213 + switch (gr_usermode->mode) {
38215 + if (gr_status & GR_READY) {
38217 + if (!gr_check_secure_terminal(current))
38222 + case GR_SHUTDOWN:
38223 + if ((gr_status & GR_READY)
38224 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
38225 + pax_open_kernel();
38226 + gr_status &= ~GR_READY;
38227 + pax_close_kernel();
38229 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
38230 + free_variables();
38231 + memset(gr_usermode, 0, sizeof (struct gr_arg));
38232 + memset(gr_system_salt, 0, GR_SALT_LEN);
38233 + memset(gr_system_sum, 0, GR_SHA_LEN);
38234 + } else if (gr_status & GR_READY) {
38235 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
38238 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
38243 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
38244 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
38246 + if (gr_status & GR_READY)
38250 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
38254 + if (!(gr_status & GR_READY)) {
38255 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
38257 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
38260 + pax_open_kernel();
38261 + gr_status &= ~GR_READY;
38262 + pax_close_kernel();
38264 + free_variables();
38265 + if (!(error2 = gracl_init(gr_usermode))) {
38267 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
38271 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
38274 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
38279 + if (unlikely(!(gr_status & GR_READY))) {
38280 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
38285 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
38286 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
38287 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
38288 + struct acl_subject_label *segvacl;
38290 + lookup_acl_subj_label(gr_usermode->segv_inode,
38291 + gr_usermode->segv_device,
38294 + segvacl->crashes = 0;
38295 + segvacl->expires = 0;
38297 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
38298 + gr_remove_uid(gr_usermode->segv_uid);
38301 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
38306 + case GR_SPROLEPAM:
38307 + if (unlikely(!(gr_status & GR_READY))) {
38308 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
38313 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
38314 + current->role->expires = 0;
38315 + current->role->auth_attempts = 0;
38318 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
38319 + time_after(current->role->expires, get_seconds())) {
38324 + if (lookup_special_role_auth
38325 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
38326 + && ((!sprole_salt && !sprole_sum)
38327 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
38329 + assign_special_role(gr_usermode->sp_role);
38330 + read_lock(&tasklist_lock);
38331 + if (current->real_parent)
38332 + p = current->real_parent->role->rolename;
38333 + read_unlock(&tasklist_lock);
38334 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
38335 + p, acl_sp_role_value);
38337 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
38339 + if(!(current->role->auth_attempts++))
38340 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
38345 + case GR_UNSPROLE:
38346 + if (unlikely(!(gr_status & GR_READY))) {
38347 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
38352 + if (current->role->roletype & GR_ROLE_SPECIAL) {
38356 + read_lock(&tasklist_lock);
38357 + if (current->real_parent) {
38358 + p = current->real_parent->role->rolename;
38359 + i = current->real_parent->acl_role_id;
38361 + read_unlock(&tasklist_lock);
38363 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
38371 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
38376 + if (error != -EPERM)
38379 + if(!(gr_auth_attempts++))
38380 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
38388 +gr_set_acls(const int type)
38390 + struct acl_object_label *obj;
38391 + struct task_struct *task, *task2;
38392 + struct file *filp;
38393 + struct acl_role_label *role = current->role;
38394 + __u16 acl_role_id = current->acl_role_id;
38395 + const struct cred *cred;
38397 + struct name_entry *nmatch;
38398 + struct acl_subject_label *tmpsubj;
38401 + read_lock(&tasklist_lock);
38402 + read_lock(&grsec_exec_file_lock);
38403 + do_each_thread(task2, task) {
38404 + /* check to see if we're called from the exit handler,
38405 + if so, only replace ACLs that have inherited the admin
38408 + if (type && (task->role != role ||
38409 + task->acl_role_id != acl_role_id))
38412 + task->acl_role_id = 0;
38413 + task->acl_sp_role = 0;
38415 + if ((filp = task->exec_file)) {
38416 + cred = __task_cred(task);
38417 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
38419 + /* the following is to apply the correct subject
38420 + on binaries running when the RBAC system
38421 + is enabled, when the binaries have been
38422 + replaced or deleted since their execution
38424 + when the RBAC system starts, the inode/dev
38425 + from exec_file will be one the RBAC system
38426 + is unaware of. It only knows the inode/dev
38427 + of the present file on disk, or the absence
38430 + preempt_disable();
38431 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
38433 + nmatch = lookup_name_entry(tmpname);
38434 + preempt_enable();
38437 + if (nmatch->deleted)
38438 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
38440 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
38441 + if (tmpsubj != NULL)
38442 + task->acl = tmpsubj;
38444 + if (tmpsubj == NULL)
38445 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
38448 + struct acl_subject_label *curr;
38449 + curr = task->acl;
38451 + task->is_writable = 0;
38452 + /* ignore additional mmap checks for processes that are writable
38453 + by the default ACL */
38454 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38455 + if (unlikely(obj->mode & GR_WRITE))
38456 + task->is_writable = 1;
38457 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
38458 + if (unlikely(obj->mode & GR_WRITE))
38459 + task->is_writable = 1;
38461 + gr_set_proc_res(task);
38463 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
38464 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
38467 + read_unlock(&grsec_exec_file_lock);
38468 + read_unlock(&tasklist_lock);
38469 + rcu_read_unlock();
38470 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
38474 + // it's a kernel process
38475 + task->role = kernel_role;
38476 + task->acl = kernel_role->root_label;
38477 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
38478 + task->acl->mode &= ~GR_PROCFIND;
38481 + } while_each_thread(task2, task);
38482 + read_unlock(&grsec_exec_file_lock);
38483 + read_unlock(&tasklist_lock);
38484 + rcu_read_unlock();
38490 +gr_learn_resource(const struct task_struct *task,
38491 + const int res, const unsigned long wanted, const int gt)
38493 + struct acl_subject_label *acl;
38494 + const struct cred *cred;
38496 + if (unlikely((gr_status & GR_READY) &&
38497 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
38498 + goto skip_reslog;
38500 +#ifdef CONFIG_GRKERNSEC_RESLOG
38501 + gr_log_resource(task, res, wanted, gt);
38505 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
38510 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
38511 + !(acl->resmask & (1 << (unsigned short) res))))
38514 + if (wanted >= acl->res[res].rlim_cur) {
38515 + unsigned long res_add;
38517 + res_add = wanted;
38520 + res_add += GR_RLIM_CPU_BUMP;
38522 + case RLIMIT_FSIZE:
38523 + res_add += GR_RLIM_FSIZE_BUMP;
38525 + case RLIMIT_DATA:
38526 + res_add += GR_RLIM_DATA_BUMP;
38528 + case RLIMIT_STACK:
38529 + res_add += GR_RLIM_STACK_BUMP;
38531 + case RLIMIT_CORE:
38532 + res_add += GR_RLIM_CORE_BUMP;
38535 + res_add += GR_RLIM_RSS_BUMP;
38537 + case RLIMIT_NPROC:
38538 + res_add += GR_RLIM_NPROC_BUMP;
38540 + case RLIMIT_NOFILE:
38541 + res_add += GR_RLIM_NOFILE_BUMP;
38543 + case RLIMIT_MEMLOCK:
38544 + res_add += GR_RLIM_MEMLOCK_BUMP;
38547 + res_add += GR_RLIM_AS_BUMP;
38549 + case RLIMIT_LOCKS:
38550 + res_add += GR_RLIM_LOCKS_BUMP;
38552 + case RLIMIT_SIGPENDING:
38553 + res_add += GR_RLIM_SIGPENDING_BUMP;
38555 + case RLIMIT_MSGQUEUE:
38556 + res_add += GR_RLIM_MSGQUEUE_BUMP;
38558 + case RLIMIT_NICE:
38559 + res_add += GR_RLIM_NICE_BUMP;
38561 + case RLIMIT_RTPRIO:
38562 + res_add += GR_RLIM_RTPRIO_BUMP;
38564 + case RLIMIT_RTTIME:
38565 + res_add += GR_RLIM_RTTIME_BUMP;
38569 + acl->res[res].rlim_cur = res_add;
38571 + if (wanted > acl->res[res].rlim_max)
38572 + acl->res[res].rlim_max = res_add;
38574 + /* only log the subject filename, since resource logging is supported for
38575 + single-subject learning only */
38577 + cred = __task_cred(task);
38578 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38579 + task->role->roletype, cred->uid, cred->gid, acl->filename,
38580 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
38581 + "", (unsigned long) res, &task->signal->saved_ip);
38582 + rcu_read_unlock();
38588 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
38590 +pax_set_initial_flags(struct linux_binprm *bprm)
38592 + struct task_struct *task = current;
38593 + struct acl_subject_label *proc;
38594 + unsigned long flags;
38596 + if (unlikely(!(gr_status & GR_READY)))
38599 + flags = pax_get_flags(task);
38601 + proc = task->acl;
38603 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
38604 + flags &= ~MF_PAX_PAGEEXEC;
38605 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
38606 + flags &= ~MF_PAX_SEGMEXEC;
38607 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
38608 + flags &= ~MF_PAX_RANDMMAP;
38609 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
38610 + flags &= ~MF_PAX_EMUTRAMP;
38611 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
38612 + flags &= ~MF_PAX_MPROTECT;
38614 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
38615 + flags |= MF_PAX_PAGEEXEC;
38616 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
38617 + flags |= MF_PAX_SEGMEXEC;
38618 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
38619 + flags |= MF_PAX_RANDMMAP;
38620 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
38621 + flags |= MF_PAX_EMUTRAMP;
38622 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
38623 + flags |= MF_PAX_MPROTECT;
38625 + pax_set_flags(task, flags);
38631 +#ifdef CONFIG_SYSCTL
38632 +/* Eric Biederman likes breaking userland ABI and every inode-based security
38633 + system to save 35kb of memory */
38635 +/* we modify the passed in filename, but adjust it back before returning */
38636 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
38638 + struct name_entry *nmatch;
38639 + char *p, *lastp = NULL;
38640 + struct acl_object_label *obj = NULL, *tmp;
38641 + struct acl_subject_label *tmpsubj;
38644 + read_lock(&gr_inode_lock);
38646 + p = name + len - 1;
38648 + nmatch = lookup_name_entry(name);
38649 + if (lastp != NULL)
38652 + if (nmatch == NULL)
38653 + goto next_component;
38654 + tmpsubj = current->acl;
38656 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
38657 + if (obj != NULL) {
38658 + tmp = obj->globbed;
38660 + if (!glob_match(tmp->filename, name)) {
38668 + } while ((tmpsubj = tmpsubj->parent_subject));
38674 + while (*p != '/')
38686 + read_unlock(&gr_inode_lock);
38687 + /* obj returned will always be non-null */
38691 +/* returns 0 when allowing, non-zero on error
38692 + op of 0 is used for readdir, so we don't log the names of hidden files
38695 +gr_handle_sysctl(const struct ctl_table *table, const int op)
38697 + struct ctl_table *tmp;
38698 + const char *proc_sys = "/proc/sys";
38700 + struct acl_object_label *obj;
38701 + unsigned short len = 0, pos = 0, depth = 0, i;
38705 + if (unlikely(!(gr_status & GR_READY)))
38708 + /* for now, ignore operations on non-sysctl entries if it's not a
38710 + if (table->child != NULL && op != 0)
38714 + /* it's only a read if it's an entry, read on dirs is for readdir */
38715 + if (op & MAY_READ)
38717 + if (op & MAY_WRITE)
38718 + mode |= GR_WRITE;
38720 + preempt_disable();
38722 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
38724 + /* it's only a read/write if it's an actual entry, not a dir
38725 + (which are opened for readdir)
38728 + /* convert the requested sysctl entry into a pathname */
38730 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38731 + len += strlen(tmp->procname);
38736 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
38741 + memset(path, 0, PAGE_SIZE);
38743 + memcpy(path, proc_sys, strlen(proc_sys));
38745 + pos += strlen(proc_sys);
38747 + for (; depth > 0; depth--) {
38750 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38751 + if (depth == i) {
38752 + memcpy(path + pos, tmp->procname,
38753 + strlen(tmp->procname));
38754 + pos += strlen(tmp->procname);
38760 + obj = gr_lookup_by_name(path, pos);
38761 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
38763 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
38764 + ((err & mode) != mode))) {
38765 + __u32 new_mode = mode;
38767 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38770 + gr_log_learn_sysctl(path, new_mode);
38771 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
38772 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
38774 + } else if (!(err & GR_FIND)) {
38776 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
38777 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
38778 + path, (mode & GR_READ) ? " reading" : "",
38779 + (mode & GR_WRITE) ? " writing" : "");
38781 + } else if ((err & mode) != mode) {
38783 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
38784 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
38785 + path, (mode & GR_READ) ? " reading" : "",
38786 + (mode & GR_WRITE) ? " writing" : "");
38792 + preempt_enable();
38799 +gr_handle_proc_ptrace(struct task_struct *task)
38801 + struct file *filp;
38802 + struct task_struct *tmp = task;
38803 + struct task_struct *curtemp = current;
38806 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38807 + if (unlikely(!(gr_status & GR_READY)))
38811 + read_lock(&tasklist_lock);
38812 + read_lock(&grsec_exec_file_lock);
38813 + filp = task->exec_file;
38815 + while (tmp->pid > 0) {
38816 + if (tmp == curtemp)
38818 + tmp = tmp->real_parent;
38821 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38822 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
38823 + read_unlock(&grsec_exec_file_lock);
38824 + read_unlock(&tasklist_lock);
38828 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38829 + if (!(gr_status & GR_READY)) {
38830 + read_unlock(&grsec_exec_file_lock);
38831 + read_unlock(&tasklist_lock);
38836 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
38837 + read_unlock(&grsec_exec_file_lock);
38838 + read_unlock(&tasklist_lock);
38840 + if (retmode & GR_NOPTRACE)
38843 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
38844 + && (current->acl != task->acl || (current->acl != current->role->root_label
38845 + && current->pid != task->pid)))
38851 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
38853 + if (unlikely(!(gr_status & GR_READY)))
38856 + if (!(current->role->roletype & GR_ROLE_GOD))
38859 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
38860 + p->role->rolename, gr_task_roletype_to_char(p),
38861 + p->acl->filename);
38865 +gr_handle_ptrace(struct task_struct *task, const long request)
38867 + struct task_struct *tmp = task;
38868 + struct task_struct *curtemp = current;
38871 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38872 + if (unlikely(!(gr_status & GR_READY)))
38876 + read_lock(&tasklist_lock);
38877 + while (tmp->pid > 0) {
38878 + if (tmp == curtemp)
38880 + tmp = tmp->real_parent;
38883 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38884 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
38885 + read_unlock(&tasklist_lock);
38886 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38889 + read_unlock(&tasklist_lock);
38891 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38892 + if (!(gr_status & GR_READY))
38896 + read_lock(&grsec_exec_file_lock);
38897 + if (unlikely(!task->exec_file)) {
38898 + read_unlock(&grsec_exec_file_lock);
38902 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
38903 + read_unlock(&grsec_exec_file_lock);
38905 + if (retmode & GR_NOPTRACE) {
38906 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38910 + if (retmode & GR_PTRACERD) {
38911 + switch (request) {
38912 + case PTRACE_POKETEXT:
38913 + case PTRACE_POKEDATA:
38914 + case PTRACE_POKEUSR:
38915 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
38916 + case PTRACE_SETREGS:
38917 + case PTRACE_SETFPREGS:
38920 + case PTRACE_SETFPXREGS:
38922 +#ifdef CONFIG_ALTIVEC
38923 + case PTRACE_SETVRREGS:
38929 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
38930 + !(current->role->roletype & GR_ROLE_GOD) &&
38931 + (current->acl != task->acl)) {
38932 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38939 +static int is_writable_mmap(const struct file *filp)
38941 + struct task_struct *task = current;
38942 + struct acl_object_label *obj, *obj2;
38944 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
38945 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {
38946 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38947 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
38948 + task->role->root_label);
38949 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
38950 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
38958 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
38962 + if (unlikely(!file || !(prot & PROT_EXEC)))
38965 + if (is_writable_mmap(file))
38969 + gr_search_file(file->f_path.dentry,
38970 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38971 + file->f_path.mnt);
38973 + if (!gr_tpe_allow(file))
38976 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38977 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38979 + } else if (unlikely(!(mode & GR_EXEC))) {
38981 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38982 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38990 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
38994 + if (unlikely(!file || !(prot & PROT_EXEC)))
38997 + if (is_writable_mmap(file))
39001 + gr_search_file(file->f_path.dentry,
39002 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
39003 + file->f_path.mnt);
39005 + if (!gr_tpe_allow(file))
39008 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
39009 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
39011 + } else if (unlikely(!(mode & GR_EXEC))) {
39013 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
39014 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
39022 +gr_acl_handle_psacct(struct task_struct *task, const long code)
39024 + unsigned long runtime;
39025 + unsigned long cputime;
39026 + unsigned int wday, cday;
39030 + struct timespec timeval;
39032 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
39033 + !(task->acl->mode & GR_PROCACCT)))
39036 + do_posix_clock_monotonic_gettime(&timeval);
39037 + runtime = timeval.tv_sec - task->start_time.tv_sec;
39038 + wday = runtime / (3600 * 24);
39039 + runtime -= wday * (3600 * 24);
39040 + whr = runtime / 3600;
39041 + runtime -= whr * 3600;
39042 + wmin = runtime / 60;
39043 + runtime -= wmin * 60;
39046 + cputime = (task->utime + task->stime) / HZ;
39047 + cday = cputime / (3600 * 24);
39048 + cputime -= cday * (3600 * 24);
39049 + chr = cputime / 3600;
39050 + cputime -= chr * 3600;
39051 + cmin = cputime / 60;
39052 + cputime -= cmin * 60;
39055 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
39060 +void gr_set_kernel_label(struct task_struct *task)
39062 + if (gr_status & GR_READY) {
39063 + task->role = kernel_role;
39064 + task->acl = kernel_role->root_label;
39069 +#ifdef CONFIG_TASKSTATS
39070 +int gr_is_taskstats_denied(int pid)
39072 + struct task_struct *task;
39073 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
39074 + const struct cred *cred;
39078 + /* restrict taskstats viewing to un-chrooted root users
39079 + who have the 'view' subject flag if the RBAC system is enabled
39083 + read_lock(&tasklist_lock);
39084 + task = find_task_by_vpid(pid);
39086 +#ifdef CONFIG_GRKERNSEC_CHROOT
39087 + if (proc_is_chrooted(task))
39090 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
39091 + cred = __task_cred(task);
39092 +#ifdef CONFIG_GRKERNSEC_PROC_USER
39093 + if (cred->uid != 0)
39095 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
39096 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
39100 + if (gr_status & GR_READY) {
39101 + if (!(task->acl->mode & GR_VIEW))
39107 + read_unlock(&tasklist_lock);
39108 + rcu_read_unlock();
39114 +/* AUXV entries are filled via a descendant of search_binary_handler
39115 + after we've already applied the subject for the target
39117 +int gr_acl_enable_at_secure(void)
39119 + if (unlikely(!(gr_status & GR_READY)))
39122 + if (current->acl->mode & GR_ATSECURE)
39128 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
39130 + struct task_struct *task = current;
39131 + struct dentry *dentry = file->f_path.dentry;
39132 + struct vfsmount *mnt = file->f_path.mnt;
39133 + struct acl_object_label *obj, *tmp;
39134 + struct acl_subject_label *subj;
39135 + unsigned int bufsize;
39139 + if (unlikely(!(gr_status & GR_READY)))
39142 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
39145 + /* ignore Eric Biederman */
39146 + if (IS_PRIVATE(dentry->d_inode))
39149 + subj = task->acl;
39151 + obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
39153 + return (obj->mode & GR_FIND) ? 1 : 0;
39154 + } while ((subj = subj->parent_subject));
39156 + /* this is purely an optimization since we're looking for an object
39157 + for the directory we're doing a readdir on
39158 + if it's possible for any globbed object to match the entry we're
39159 + filling into the directory, then the object we find here will be
39160 + an anchor point with attached globbed objects
39162 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
39163 + if (obj->globbed == NULL)
39164 + return (obj->mode & GR_FIND) ? 1 : 0;
39166 + is_not_root = ((obj->filename[0] == '/') &&
39167 + (obj->filename[1] == '\0')) ? 0 : 1;
39168 + bufsize = PAGE_SIZE - namelen - is_not_root;
39170 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
39171 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
39174 + preempt_disable();
39175 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
39178 + bufsize = strlen(path);
39180 + /* if base is "/", don't append an additional slash */
39182 + *(path + bufsize) = '/';
39183 + memcpy(path + bufsize + is_not_root, name, namelen);
39184 + *(path + bufsize + namelen + is_not_root) = '\0';
39186 + tmp = obj->globbed;
39188 + if (!glob_match(tmp->filename, path)) {
39189 + preempt_enable();
39190 + return (tmp->mode & GR_FIND) ? 1 : 0;
39194 + preempt_enable();
39195 + return (obj->mode & GR_FIND) ? 1 : 0;
39198 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
39199 +EXPORT_SYMBOL(gr_acl_is_enabled);
39201 +EXPORT_SYMBOL(gr_learn_resource);
39202 +EXPORT_SYMBOL(gr_set_kernel_label);
39203 +#ifdef CONFIG_SECURITY
39204 +EXPORT_SYMBOL(gr_check_user_change);
39205 +EXPORT_SYMBOL(gr_check_group_change);
39208 diff -urNp linux-2.6.36.2/grsecurity/gracl_cap.c linux-2.6.36.2/grsecurity/gracl_cap.c
39209 --- linux-2.6.36.2/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
39210 +++ linux-2.6.36.2/grsecurity/gracl_cap.c 2010-12-09 20:24:32.000000000 -0500
39212 +#include <linux/kernel.h>
39213 +#include <linux/module.h>
39214 +#include <linux/sched.h>
39215 +#include <linux/gracl.h>
39216 +#include <linux/grsecurity.h>
39217 +#include <linux/grinternal.h>
39219 +static const char *captab_log[] = {
39221 + "CAP_DAC_OVERRIDE",
39222 + "CAP_DAC_READ_SEARCH",
39229 + "CAP_LINUX_IMMUTABLE",
39230 + "CAP_NET_BIND_SERVICE",
39231 + "CAP_NET_BROADCAST",
39236 + "CAP_SYS_MODULE",
39238 + "CAP_SYS_CHROOT",
39239 + "CAP_SYS_PTRACE",
39244 + "CAP_SYS_RESOURCE",
39246 + "CAP_SYS_TTY_CONFIG",
39249 + "CAP_AUDIT_WRITE",
39250 + "CAP_AUDIT_CONTROL",
39252 + "CAP_MAC_OVERRIDE",
39256 +EXPORT_SYMBOL(gr_is_capable);
39257 +EXPORT_SYMBOL(gr_is_capable_nolog);
39260 +gr_is_capable(const int cap)
39262 + struct task_struct *task = current;
39263 + const struct cred *cred = current_cred();
39264 + struct acl_subject_label *curracl;
39265 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
39266 + kernel_cap_t cap_audit = __cap_empty_set;
39268 + if (!gr_acl_is_enabled())
39271 + curracl = task->acl;
39273 + cap_drop = curracl->cap_lower;
39274 + cap_mask = curracl->cap_mask;
39275 + cap_audit = curracl->cap_invert_audit;
39277 + while ((curracl = curracl->parent_subject)) {
39278 + /* if the cap isn't specified in the current computed mask but is specified in the
39279 + current level subject, and is lowered in the current level subject, then add
39280 + it to the set of dropped capabilities
39281 + otherwise, add the current level subject's mask to the current computed mask
39283 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
39284 + cap_raise(cap_mask, cap);
39285 + if (cap_raised(curracl->cap_lower, cap))
39286 + cap_raise(cap_drop, cap);
39287 + if (cap_raised(curracl->cap_invert_audit, cap))
39288 + cap_raise(cap_audit, cap);
39292 + if (!cap_raised(cap_drop, cap)) {
39293 + if (cap_raised(cap_audit, cap))
39294 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
39298 + curracl = task->acl;
39300 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
39301 + && cap_raised(cred->cap_effective, cap)) {
39302 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
39303 + task->role->roletype, cred->uid,
39304 + cred->gid, task->exec_file ?
39305 + gr_to_filename(task->exec_file->f_path.dentry,
39306 + task->exec_file->f_path.mnt) : curracl->filename,
39307 + curracl->filename, 0UL,
39308 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
39312 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
39313 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
39318 +gr_is_capable_nolog(const int cap)
39320 + struct acl_subject_label *curracl;
39321 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
39323 + if (!gr_acl_is_enabled())
39326 + curracl = current->acl;
39328 + cap_drop = curracl->cap_lower;
39329 + cap_mask = curracl->cap_mask;
39331 + while ((curracl = curracl->parent_subject)) {
39332 + /* if the cap isn't specified in the current computed mask but is specified in the
39333 + current level subject, and is lowered in the current level subject, then add
39334 + it to the set of dropped capabilities
39335 + otherwise, add the current level subject's mask to the current computed mask
39337 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
39338 + cap_raise(cap_mask, cap);
39339 + if (cap_raised(curracl->cap_lower, cap))
39340 + cap_raise(cap_drop, cap);
39344 + if (!cap_raised(cap_drop, cap))
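Review bot: The audit branch of gr_is_capable at line 39294 indexes `captab_log[cap]` with no range check, while the denial branch at line 39312 guards the same lookup with `(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`. If the kernel gains a capability number that the table does not cover, the audit path would read past the end of the array and pass whatever it finds to the logger as a string pointer. I would apply the same guard there, for example `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`. Several lines of this hunk are not shown on the page, so confirm that no earlier check already bounds `cap`.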
39350 diff -urNp linux-2.6.36.2/grsecurity/gracl_fs.c linux-2.6.36.2/grsecurity/gracl_fs.c
39351 --- linux-2.6.36.2/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
39352 +++ linux-2.6.36.2/grsecurity/gracl_fs.c 2010-12-09 20:24:32.000000000 -0500
39354 +#include <linux/kernel.h>
39355 +#include <linux/sched.h>
39356 +#include <linux/types.h>
39357 +#include <linux/fs.h>
39358 +#include <linux/file.h>
39359 +#include <linux/stat.h>
39360 +#include <linux/grsecurity.h>
39361 +#include <linux/grinternal.h>
39362 +#include <linux/gracl.h>
39365 +gr_acl_handle_hidden_file(const struct dentry * dentry,
39366 + const struct vfsmount * mnt)
39370 + if (unlikely(!dentry->d_inode))
39374 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
39376 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
39377 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
39379 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
39380 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
39382 + } else if (unlikely(!(mode & GR_FIND)))
39389 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
39392 + __u32 reqmode = GR_FIND;
39395 + if (unlikely(!dentry->d_inode))
39398 + if (unlikely(fmode & O_APPEND))
39399 + reqmode |= GR_APPEND;
39400 + else if (unlikely(fmode & FMODE_WRITE))
39401 + reqmode |= GR_WRITE;
39402 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
39403 + reqmode |= GR_READ;
39404 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
39405 + reqmode &= ~GR_READ;
39407 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
39410 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39411 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
39412 + reqmode & GR_READ ? " reading" : "",
39413 + reqmode & GR_WRITE ? " writing" : reqmode &
39414 + GR_APPEND ? " appending" : "");
39417 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39419 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
39420 + reqmode & GR_READ ? " reading" : "",
39421 + reqmode & GR_WRITE ? " writing" : reqmode &
39422 + GR_APPEND ? " appending" : "");
39424 + } else if (unlikely((mode & reqmode) != reqmode))
39431 +gr_acl_handle_creat(const struct dentry * dentry,
39432 + const struct dentry * p_dentry,
39433 + const struct vfsmount * p_mnt, const int fmode,
39436 + __u32 reqmode = GR_WRITE | GR_CREATE;
39439 + if (unlikely(fmode & O_APPEND))
39440 + reqmode |= GR_APPEND;
39441 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
39442 + reqmode |= GR_READ;
39443 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
39444 + reqmode |= GR_SETID;
39447 + gr_check_create(dentry, p_dentry, p_mnt,
39448 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
39450 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39451 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
39452 + reqmode & GR_READ ? " reading" : "",
39453 + reqmode & GR_WRITE ? " writing" : reqmode &
39454 + GR_APPEND ? " appending" : "");
39457 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39459 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
39460 + reqmode & GR_READ ? " reading" : "",
39461 + reqmode & GR_WRITE ? " writing" : reqmode &
39462 + GR_APPEND ? " appending" : "");
39464 + } else if (unlikely((mode & reqmode) != reqmode))
39471 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
39474 + __u32 mode, reqmode = GR_FIND;
39476 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
39477 + reqmode |= GR_EXEC;
39478 + if (fmode & S_IWOTH)
39479 + reqmode |= GR_WRITE;
39480 + if (fmode & S_IROTH)
39481 + reqmode |= GR_READ;
39484 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
39487 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39488 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
39489 + reqmode & GR_READ ? " reading" : "",
39490 + reqmode & GR_WRITE ? " writing" : "",
39491 + reqmode & GR_EXEC ? " executing" : "");
39494 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39496 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
39497 + reqmode & GR_READ ? " reading" : "",
39498 + reqmode & GR_WRITE ? " writing" : "",
39499 + reqmode & GR_EXEC ? " executing" : "");
39501 + } else if (unlikely((mode & reqmode) != reqmode))
39507 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
39511 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
39513 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
39514 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
39516 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
39517 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
39519 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
39522 + return (reqmode);
39526 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
39528 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
39532 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
39534 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
39538 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
39540 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
39544 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
39546 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
39550 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
39553 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
39556 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
39557 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
39558 + GR_FCHMOD_ACL_MSG);
39560 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
39565 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
39568 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
39569 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
39570 + GR_CHMOD_ACL_MSG);
39572 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
39577 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
39579 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
39583 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
39585 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
39589 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
39591 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
39595 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
39597 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
39598 + GR_UNIXCONNECT_ACL_MSG);
39601 +/* hardlinks require at minimum create permission,
39602 + any additional privilege required is based on the
39603 + privilege of the file being linked to
39606 +gr_acl_handle_link(const struct dentry * new_dentry,
39607 + const struct dentry * parent_dentry,
39608 + const struct vfsmount * parent_mnt,
39609 + const struct dentry * old_dentry,
39610 + const struct vfsmount * old_mnt, const char *to)
39613 + __u32 needmode = GR_CREATE | GR_LINK;
39614 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
39617 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
39620 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
39621 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
39623 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
39624 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
39626 + } else if (unlikely((mode & needmode) != needmode))
39633 +gr_acl_handle_symlink(const struct dentry * new_dentry,
39634 + const struct dentry * parent_dentry,
39635 + const struct vfsmount * parent_mnt, const char *from)
39637 + __u32 needmode = GR_WRITE | GR_CREATE;
39641 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
39642 + GR_CREATE | GR_AUDIT_CREATE |
39643 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
39645 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
39646 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
39648 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
39649 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
39651 + } else if (unlikely((mode & needmode) != needmode))
39654 + return (GR_WRITE | GR_CREATE);
39657 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
39661 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
39663 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
39664 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
39666 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
39667 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
39669 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
39672 + return (reqmode);
39676 +gr_acl_handle_mknod(const struct dentry * new_dentry,
39677 + const struct dentry * parent_dentry,
39678 + const struct vfsmount * parent_mnt,
39681 + __u32 reqmode = GR_WRITE | GR_CREATE;
39682 + if (unlikely(mode & (S_ISUID | S_ISGID)))
39683 + reqmode |= GR_SETID;
39685 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
39686 + reqmode, GR_MKNOD_ACL_MSG);
39690 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
39691 + const struct dentry *parent_dentry,
39692 + const struct vfsmount *parent_mnt)
39694 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
39695 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
39698 +#define RENAME_CHECK_SUCCESS(old, new) \
39699 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
39700 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
39703 +gr_acl_handle_rename(struct dentry *new_dentry,
39704 + struct dentry *parent_dentry,
39705 + const struct vfsmount *parent_mnt,
39706 + struct dentry *old_dentry,
39707 + struct inode *old_parent_inode,
39708 + struct vfsmount *old_mnt, const char *newname)
39710 + __u32 comp1, comp2;
39713 + if (unlikely(!gr_acl_is_enabled()))
39716 + if (!new_dentry->d_inode) {
39717 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
39718 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
39719 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
39720 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
39721 + GR_DELETE | GR_AUDIT_DELETE |
39722 + GR_AUDIT_READ | GR_AUDIT_WRITE |
39723 + GR_SUPPRESS, old_mnt);
39725 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
39726 + GR_CREATE | GR_DELETE |
39727 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
39728 + GR_AUDIT_READ | GR_AUDIT_WRITE |
39729 + GR_SUPPRESS, parent_mnt);
39731 + gr_search_file(old_dentry,
39732 + GR_READ | GR_WRITE | GR_AUDIT_READ |
39733 + GR_DELETE | GR_AUDIT_DELETE |
39734 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
39737 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
39738 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
39739 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
39740 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
39741 + && !(comp2 & GR_SUPPRESS)) {
39742 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
39744 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
39751 +gr_acl_handle_exit(void)
39755 + struct file *exec_file;
39757 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
39758 + id = current->acl_role_id;
39759 + rolename = current->role->rolename;
39761 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
39764 + write_lock(&grsec_exec_file_lock);
39765 + exec_file = current->exec_file;
39766 + current->exec_file = NULL;
39767 + write_unlock(&grsec_exec_file_lock);
39774 +gr_acl_handle_procpidmem(const struct task_struct *task)
39776 + if (unlikely(!gr_acl_is_enabled()))
39779 + if (task != current && task->acl->mode & GR_PROTPROCFD)
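Review bot: In gr_acl_handle_symlink the audit/success branch at line 39645 tests only `mode & GR_WRITE`, although `needmode` is `GR_WRITE | GR_CREATE` and both denial branches below it compare against `needmode`. A lookup result that grants write but not create, with an audit bit set, would take the success branch and be logged with GR_DO_AUDIT instead of reaching the denial branches. The branch's return statement is not shown on this page, so the effect on the returned mode is inferred. I would make the test match its siblings: `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS))) {`. Separately, `RENAME_CHECK_SUCCESS` uses `old` and `new` unparenthesized, so `((old) & (GR_WRITE | GR_READ))` would be safer against expression arguments.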
39784 diff -urNp linux-2.6.36.2/grsecurity/gracl_ip.c linux-2.6.36.2/grsecurity/gracl_ip.c
39785 --- linux-2.6.36.2/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
39786 +++ linux-2.6.36.2/grsecurity/gracl_ip.c 2010-12-09 20:33:49.000000000 -0500
39788 +#include <linux/kernel.h>
39789 +#include <asm/uaccess.h>
39790 +#include <asm/errno.h>
39791 +#include <net/sock.h>
39792 +#include <linux/file.h>
39793 +#include <linux/fs.h>
39794 +#include <linux/net.h>
39795 +#include <linux/in.h>
39796 +#include <linux/skbuff.h>
39797 +#include <linux/ip.h>
39798 +#include <linux/udp.h>
39799 +#include <linux/smp_lock.h>
39800 +#include <linux/types.h>
39801 +#include <linux/sched.h>
39802 +#include <linux/netdevice.h>
39803 +#include <linux/inetdevice.h>
39804 +#include <linux/gracl.h>
39805 +#include <linux/grsecurity.h>
39806 +#include <linux/grinternal.h>
39808 +#define GR_BIND 0x01
39809 +#define GR_CONNECT 0x02
39810 +#define GR_INVERT 0x04
39811 +#define GR_BINDOVERRIDE 0x08
39812 +#define GR_CONNECTOVERRIDE 0x10
39813 +#define GR_SOCK_FAMILY 0x20
39815 +static const char * gr_protocols[IPPROTO_MAX] = {
39816 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
39817 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
39818 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
39819 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
39820 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
39821 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
39822 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
39823 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
39824 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
39825 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
39826 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
39827 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
39828 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
39829 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
39830 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
39831 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
39832 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
39833 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
39834 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
39835 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
39836 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
39837 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
39838 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
39839 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
39840 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
39841 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
39842 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
39843 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
39844 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
39845 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
39846 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
39847 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
39850 +static const char * gr_socktypes[SOCK_MAX] = {
39851 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
39852 + "unknown:7", "unknown:8", "unknown:9", "packet"
39855 +static const char * gr_sockfamilies[AF_MAX+1] = {
39856 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
39857 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
39858 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "tipc", "bluetooth",
39859 + "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
39863 +gr_proto_to_name(unsigned char proto)
39865 + return gr_protocols[proto];
39869 +gr_socktype_to_name(unsigned char type)
39871 + return gr_socktypes[type];
39875 +gr_sockfamily_to_name(unsigned char family)
39877 + return gr_sockfamilies[family];
39881 +gr_search_socket(const int domain, const int type, const int protocol)
39883 + struct acl_subject_label *curr;
39884 + const struct cred *cred = current_cred();
39886 + if (unlikely(!gr_acl_is_enabled()))
39889 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
39890 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
39891 + goto exit; // let the kernel handle it
39893 + curr = current->acl;
39895 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
39896 + /* the family is allowed, if this is PF_INET allow it only if
39897 + the extra sock type/protocol checks pass */
39898 + if (domain == PF_INET)
39902 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39903 + __u32 fakeip = 0;
39904 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39905 + current->role->roletype, cred->uid,
39906 + cred->gid, current->exec_file ?
39907 + gr_to_filename(current->exec_file->f_path.dentry,
39908 + current->exec_file->f_path.mnt) :
39909 + curr->filename, curr->filename,
39910 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
39911 + ¤t->signal->saved_ip);
39918 + /* the rest of this checking is for IPv4 only */
39922 + if ((curr->ip_type & (1 << type)) &&
39923 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
39926 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39927 + /* we don't place acls on raw sockets , and sometimes
39928 + dgram/ip sockets are opened for ioctl and not
39929 + bind/connect, so we'll fake a bind learn log */
39930 + if (type == SOCK_RAW || type == SOCK_PACKET) {
39931 + __u32 fakeip = 0;
39932 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39933 + current->role->roletype, cred->uid,
39934 + cred->gid, current->exec_file ?
39935 + gr_to_filename(current->exec_file->f_path.dentry,
39936 + current->exec_file->f_path.mnt) :
39937 + curr->filename, curr->filename,
39938 + &fakeip, 0, type,
39939 + protocol, GR_CONNECT, ¤t->signal->saved_ip);
39940 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
39941 + __u32 fakeip = 0;
39942 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39943 + current->role->roletype, cred->uid,
39944 + cred->gid, current->exec_file ?
39945 + gr_to_filename(current->exec_file->f_path.dentry,
39946 + current->exec_file->f_path.mnt) :
39947 + curr->filename, curr->filename,
39948 + &fakeip, 0, type,
39949 + protocol, GR_BIND, ¤t->signal->saved_ip);
39951 + /* we'll log when they use connect or bind */
39956 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
39957 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
39964 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
39966 + if ((ip->mode & mode) &&
39967 + (ip_port >= ip->low) &&
39968 + (ip_port <= ip->high) &&
39969 + ((ntohl(ip_addr) & our_netmask) ==
39970 + (ntohl(our_addr) & our_netmask))
39971 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
39972 + && (ip->type & (1 << type))) {
39973 + if (ip->mode & GR_INVERT)
39974 + return 2; // specifically denied
39976 + return 1; // allowed
39979 + return 0; // not specifically allowed, may continue parsing
39983 +gr_search_connectbind(const int full_mode, struct sock *sk,
39984 + struct sockaddr_in *addr, const int type)
39986 + char iface[IFNAMSIZ] = {0};
39987 + struct acl_subject_label *curr;
39988 + struct acl_ip_label *ip;
39989 + struct inet_sock *isk;
39990 + struct net_device *dev;
39991 + struct in_device *idev;
39994 + int mode = full_mode & (GR_BIND | GR_CONNECT);
39995 + __u32 ip_addr = 0;
39997 + __u32 our_netmask;
39999 + __u16 ip_port = 0;
40000 + const struct cred *cred = current_cred();
40002 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
40005 + curr = current->acl;
40006 + isk = inet_sk(sk);
40008 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
40009 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
40010 + addr->sin_addr.s_addr = curr->inaddr_any_override;
40011 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
40012 + struct sockaddr_in saddr;
40015 + saddr.sin_family = AF_INET;
40016 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
40017 + saddr.sin_port = isk->inet_sport;
40019 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
40023 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
40031 + ip_addr = addr->sin_addr.s_addr;
40032 + ip_port = ntohs(addr->sin_port);
40034 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
40035 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
40036 + current->role->roletype, cred->uid,
40037 + cred->gid, current->exec_file ?
40038 + gr_to_filename(current->exec_file->f_path.dentry,
40039 + current->exec_file->f_path.mnt) :
40040 + curr->filename, curr->filename,
40041 + &ip_addr, ip_port, type,
40042 + sk->sk_protocol, mode, ¤t->signal->saved_ip);
40046 + for (i = 0; i < curr->ip_num; i++) {
40047 + ip = *(curr->ips + i);
40048 + if (ip->iface != NULL) {
40049 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
40050 + p = strchr(iface, ':');
40053 + dev = dev_get_by_name(sock_net(sk), iface);
40056 + idev = in_dev_get(dev);
40057 + if (idev == NULL) {
40063 + if (!strcmp(ip->iface, ifa->ifa_label)) {
40064 + our_addr = ifa->ifa_address;
40065 + our_netmask = 0xffffffff;
40066 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
40068 + rcu_read_unlock();
40069 + in_dev_put(idev);
40072 + } else if (ret == 2) {
40073 + rcu_read_unlock();
40074 + in_dev_put(idev);
40079 + } endfor_ifa(idev);
40080 + rcu_read_unlock();
40081 + in_dev_put(idev);
40084 + our_addr = ip->addr;
40085 + our_netmask = ip->netmask;
40086 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
40089 + else if (ret == 2)
40095 + if (mode == GR_BIND)
40096 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
40097 + else if (mode == GR_CONNECT)
40098 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
40104 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
40106 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
40110 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
40112 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
40115 +int gr_search_listen(struct socket *sock)
40117 + struct sock *sk = sock->sk;
40118 + struct sockaddr_in addr;
40120 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
40121 + addr.sin_port = inet_sk(sk)->inet_sport;
40123 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
40126 +int gr_search_accept(struct socket *sock)
40128 + struct sock *sk = sock->sk;
40129 + struct sockaddr_in addr;
40131 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
40132 + addr.sin_port = inet_sk(sk)->inet_sport;
40134 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
40138 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
40141 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
40143 + struct sockaddr_in sin;
40144 + const struct inet_sock *inet = inet_sk(sk);
40146 + sin.sin_addr.s_addr = inet->inet_daddr;
40147 + sin.sin_port = inet->inet_dport;
40149 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
40154 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
40156 + struct sockaddr_in sin;
40158 + if (unlikely(skb->len < sizeof (struct udphdr)))
40159 + return 0; // skip this packet
40161 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
40162 + sin.sin_port = udp_hdr(skb)->source;
40164 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
40166 diff -urNp linux-2.6.36.2/grsecurity/gracl_learn.c linux-2.6.36.2/grsecurity/gracl_learn.c
40167 --- linux-2.6.36.2/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
40168 +++ linux-2.6.36.2/grsecurity/gracl_learn.c 2010-12-09 20:24:32.000000000 -0500
40170 +#include <linux/kernel.h>
40171 +#include <linux/mm.h>
40172 +#include <linux/sched.h>
40173 +#include <linux/poll.h>
40174 +#include <linux/smp_lock.h>
40175 +#include <linux/string.h>
40176 +#include <linux/file.h>
40177 +#include <linux/types.h>
40178 +#include <linux/vmalloc.h>
40179 +#include <linux/grinternal.h>
40181 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
40182 + size_t count, loff_t *ppos);
40183 +extern int gr_acl_is_enabled(void);
40185 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
40186 +static int gr_learn_attached;
40188 +/* use a 512k buffer */
40189 +#define LEARN_BUFFER_SIZE (512 * 1024)
40191 +static DEFINE_SPINLOCK(gr_learn_lock);
40192 +static DECLARE_MUTEX(gr_learn_user_sem);
40194 +/* we need to maintain two buffers, so that the kernel context of grlearn
40195 + uses a semaphore around the userspace copying, and the other kernel contexts
40196 + use a spinlock when copying into the buffer, since they cannot sleep
40198 +static char *learn_buffer;
40199 +static char *learn_buffer_user;
40200 +static int learn_buffer_len;
40201 +static int learn_buffer_user_len;
40204 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
40206 + DECLARE_WAITQUEUE(wait, current);
40207 + ssize_t retval = 0;
40209 + add_wait_queue(&learn_wait, &wait);
40210 + set_current_state(TASK_INTERRUPTIBLE);
40212 + down(&gr_learn_user_sem);
40213 + spin_lock(&gr_learn_lock);
40214 + if (learn_buffer_len)
40216 + spin_unlock(&gr_learn_lock);
40217 + up(&gr_learn_user_sem);
40218 + if (file->f_flags & O_NONBLOCK) {
40219 + retval = -EAGAIN;
40222 + if (signal_pending(current)) {
40223 + retval = -ERESTARTSYS;
40230 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
40231 + learn_buffer_user_len = learn_buffer_len;
40232 + retval = learn_buffer_len;
40233 + learn_buffer_len = 0;
40235 + spin_unlock(&gr_learn_lock);
40237 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
40238 + retval = -EFAULT;
40240 + up(&gr_learn_user_sem);
40242 + set_current_state(TASK_RUNNING);
40243 + remove_wait_queue(&learn_wait, &wait);
40247 +static unsigned int
40248 +poll_learn(struct file * file, poll_table * wait)
40250 + poll_wait(file, &learn_wait, wait);
40252 + if (learn_buffer_len)
40253 + return (POLLIN | POLLRDNORM);
40259 +gr_clear_learn_entries(void)
40263 + down(&gr_learn_user_sem);
40264 + if (learn_buffer != NULL) {
40265 + spin_lock(&gr_learn_lock);
40266 + tmp = learn_buffer;
40267 + learn_buffer = NULL;
40268 + spin_unlock(&gr_learn_lock);
40269 + vfree(learn_buffer);
40271 + if (learn_buffer_user != NULL) {
40272 + vfree(learn_buffer_user);
40273 + learn_buffer_user = NULL;
40275 + learn_buffer_len = 0;
40276 + up(&gr_learn_user_sem);
40282 +gr_add_learn_entry(const char *fmt, ...)
40285 + unsigned int len;
40287 + if (!gr_learn_attached)
40290 + spin_lock(&gr_learn_lock);
40292 + /* leave a gap at the end so we know when it's "full" but don't have to
40293 + compute the exact length of the string we're trying to append
40295 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
40296 + spin_unlock(&gr_learn_lock);
40297 + wake_up_interruptible(&learn_wait);
40300 + if (learn_buffer == NULL) {
40301 + spin_unlock(&gr_learn_lock);
40305 + va_start(args, fmt);
40306 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
40309 + learn_buffer_len += len + 1;
40311 + spin_unlock(&gr_learn_lock);
40312 + wake_up_interruptible(&learn_wait);
40318 +open_learn(struct inode *inode, struct file *file)
40320 + if (file->f_mode & FMODE_READ && gr_learn_attached)
40322 + if (file->f_mode & FMODE_READ) {
40324 + down(&gr_learn_user_sem);
40325 + if (learn_buffer == NULL)
40326 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
40327 + if (learn_buffer_user == NULL)
40328 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
40329 + if (learn_buffer == NULL) {
40330 + retval = -ENOMEM;
40333 + if (learn_buffer_user == NULL) {
40334 + retval = -ENOMEM;
40337 + learn_buffer_len = 0;
40338 + learn_buffer_user_len = 0;
40339 + gr_learn_attached = 1;
40341 + up(&gr_learn_user_sem);
40348 +close_learn(struct inode *inode, struct file *file)
40352 + if (file->f_mode & FMODE_READ) {
40353 + down(&gr_learn_user_sem);
40354 + if (learn_buffer != NULL) {
40355 + spin_lock(&gr_learn_lock);
40356 + tmp = learn_buffer;
40357 + learn_buffer = NULL;
40358 + spin_unlock(&gr_learn_lock);
40361 + if (learn_buffer_user != NULL) {
40362 + vfree(learn_buffer_user);
40363 + learn_buffer_user = NULL;
40365 + learn_buffer_len = 0;
40366 + learn_buffer_user_len = 0;
40367 + gr_learn_attached = 0;
40368 + up(&gr_learn_user_sem);
40374 +const struct file_operations grsec_fops = {
40375 + .read = read_learn,
40376 + .write = write_grsec_handler,
40377 + .open = open_learn,
40378 + .release = close_learn,
40379 + .poll = poll_learn,
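Review bot: gr_clear_learn_entries() leaks the learn buffer. It saves the pointer in `tmp` and sets `learn_buffer = NULL` under gr_learn_lock, but the call after the unlock is `vfree(learn_buffer);`, which by then frees NULL. It should be `vfree(tmp);`, following the save-then-free sequence that close_learn() starts with the same `tmp` assignment (close_learn's own free call is not visible in the listing as shown). Separately, gr_add_learn_entry() advances `learn_buffer_len` by the return value of vsnprintf(), which is the untruncated length. Using `vscnprintf()` there would keep the counter within LEARN_BUFFER_SIZE even if one entry were longer than the 16384-byte gap, and read_learn() later copies exactly `learn_buffer_len` bytes.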
40381 diff -urNp linux-2.6.36.2/grsecurity/gracl_res.c linux-2.6.36.2/grsecurity/gracl_res.c
40382 --- linux-2.6.36.2/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
40383 +++ linux-2.6.36.2/grsecurity/gracl_res.c 2010-12-09 20:24:32.000000000 -0500
40385 +#include <linux/kernel.h>
40386 +#include <linux/sched.h>
40387 +#include <linux/gracl.h>
40388 +#include <linux/grinternal.h>
40390 +static const char *restab_log[] = {
40391 + [RLIMIT_CPU] = "RLIMIT_CPU",
40392 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
40393 + [RLIMIT_DATA] = "RLIMIT_DATA",
40394 + [RLIMIT_STACK] = "RLIMIT_STACK",
40395 + [RLIMIT_CORE] = "RLIMIT_CORE",
40396 + [RLIMIT_RSS] = "RLIMIT_RSS",
40397 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
40398 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
40399 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
40400 + [RLIMIT_AS] = "RLIMIT_AS",
40401 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
40402 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
40403 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
40404 + [RLIMIT_NICE] = "RLIMIT_NICE",
40405 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
40406 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
40407 + [GR_CRASH_RES] = "RLIMIT_CRASH"
40411 +gr_log_resource(const struct task_struct *task,
40412 + const int res, const unsigned long wanted, const int gt)
40414 + const struct cred *cred;
40415 + unsigned long rlim;
40417 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
40420 + // not yet supported resource
40421 + if (unlikely(!restab_log[res]))
40424 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
40425 + rlim = task_rlimit_max(task, res);
40427 + rlim = task_rlimit(task, res);
40429 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
40433 + cred = __task_cred(task);
40435 + if (res == RLIMIT_NPROC &&
40436 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
40437 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
40438 + goto out_rcu_unlock;
40439 + else if (res == RLIMIT_MEMLOCK &&
40440 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
40441 + goto out_rcu_unlock;
40442 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
40443 + goto out_rcu_unlock;
40444 + rcu_read_unlock();
40446 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
40450 + rcu_read_unlock();
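Review bot: gr_log_resource() reads `restab_log[res]` with no range check on `res` visible, so the "not yet supported resource" test only catches gaps inside the table, not negative values or values past its end. This is safe if every caller passes an RLIMIT_* constant or GR_CRASH_RES, but that cannot be confirmed from this file. A guard such as `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res]))` would make the function safe on its own. A short comment on `gt` would also help: going by the comparison, a non-zero `gt` accepts `wanted <= rlim` while zero requires `wanted < rlim`.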
40453 diff -urNp linux-2.6.36.2/grsecurity/gracl_segv.c linux-2.6.36.2/grsecurity/gracl_segv.c
40454 --- linux-2.6.36.2/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
40455 +++ linux-2.6.36.2/grsecurity/gracl_segv.c 2010-12-09 20:24:32.000000000 -0500
40457 +#include <linux/kernel.h>
40458 +#include <linux/mm.h>
40459 +#include <asm/uaccess.h>
40460 +#include <asm/errno.h>
40461 +#include <asm/mman.h>
40462 +#include <net/sock.h>
40463 +#include <linux/file.h>
40464 +#include <linux/fs.h>
40465 +#include <linux/net.h>
40466 +#include <linux/in.h>
40467 +#include <linux/smp_lock.h>
40468 +#include <linux/slab.h>
40469 +#include <linux/types.h>
40470 +#include <linux/sched.h>
40471 +#include <linux/timer.h>
40472 +#include <linux/gracl.h>
40473 +#include <linux/grsecurity.h>
40474 +#include <linux/grinternal.h>
40476 +static struct crash_uid *uid_set;
40477 +static unsigned short uid_used;
40478 +static DEFINE_SPINLOCK(gr_uid_lock);
40479 +extern rwlock_t gr_inode_lock;
40480 +extern struct acl_subject_label *
40481 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
40482 + struct acl_role_label *role);
40483 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
40486 +gr_init_uidset(void)
40489 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
40492 + return uid_set ? 1 : 0;
40496 +gr_free_uidset(void)
40505 +gr_find_uid(const uid_t uid)
40507 + struct crash_uid *tmp = uid_set;
40509 + int low = 0, high = uid_used - 1, mid;
40511 + while (high >= low) {
40512 + mid = (low + high) >> 1;
40513 + buid = tmp[mid].uid;
40525 +static __inline__ void
40526 +gr_insertsort(void)
40528 + unsigned short i, j;
40529 + struct crash_uid index;
40531 + for (i = 1; i < uid_used; i++) {
40532 + index = uid_set[i];
40534 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
40535 + uid_set[j] = uid_set[j - 1];
40538 + uid_set[j] = index;
40544 +static __inline__ void
40545 +gr_insert_uid(const uid_t uid, const unsigned long expires)
40549 + if (uid_used == GR_UIDTABLE_MAX)
40552 + loc = gr_find_uid(uid);
40555 + uid_set[loc].expires = expires;
40559 + uid_set[uid_used].uid = uid;
40560 + uid_set[uid_used].expires = expires;
40569 +gr_remove_uid(const unsigned short loc)
40571 + unsigned short i;
40573 + for (i = loc + 1; i < uid_used; i++)
40574 + uid_set[i - 1] = uid_set[i];
40582 +gr_check_crash_uid(const uid_t uid)
40587 + if (unlikely(!gr_acl_is_enabled()))
40590 + spin_lock(&gr_uid_lock);
40591 + loc = gr_find_uid(uid);
40596 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
40597 + gr_remove_uid(loc);
40602 + spin_unlock(&gr_uid_lock);
40606 +static __inline__ int
40607 +proc_is_setxid(const struct cred *cred)
40609 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
40610 + cred->uid != cred->fsuid)
40612 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
40613 + cred->gid != cred->fsgid)
40618 +static __inline__ int
40619 +gr_fake_force_sig(int sig, struct task_struct *t)
40621 + unsigned long int flags;
40622 + int ret, blocked, ignored;
40623 + struct k_sigaction *action;
40625 + spin_lock_irqsave(&t->sighand->siglock, flags);
40626 + action = &t->sighand->action[sig-1];
40627 + ignored = action->sa.sa_handler == SIG_IGN;
40628 + blocked = sigismember(&t->blocked, sig);
40629 + if (blocked || ignored) {
40630 + action->sa.sa_handler = SIG_DFL;
40632 + sigdelset(&t->blocked, sig);
40633 + recalc_sigpending_and_wake(t);
40636 + if (action->sa.sa_handler == SIG_DFL)
40637 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
40638 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
40640 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
40646 +gr_handle_crash(struct task_struct *task, const int sig)
40648 + struct acl_subject_label *curr;
40649 + struct acl_subject_label *curr2;
40650 + struct task_struct *tsk, *tsk2;
40651 + const struct cred *cred;
40652 + const struct cred *cred2;
40654 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
40657 + if (unlikely(!gr_acl_is_enabled()))
40660 + curr = task->acl;
40662 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
40665 + if (time_before_eq(curr->expires, get_seconds())) {
40666 + curr->expires = 0;
40667 + curr->crashes = 0;
40672 + if (!curr->expires)
40673 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
40675 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
40676 + time_after(curr->expires, get_seconds())) {
40678 + cred = __task_cred(task);
40679 + if (cred->uid && proc_is_setxid(cred)) {
40680 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
40681 + spin_lock(&gr_uid_lock);
40682 + gr_insert_uid(cred->uid, curr->expires);
40683 + spin_unlock(&gr_uid_lock);
40684 + curr->expires = 0;
40685 + curr->crashes = 0;
40686 + read_lock(&tasklist_lock);
40687 + do_each_thread(tsk2, tsk) {
40688 + cred2 = __task_cred(tsk);
40689 + if (tsk != task && cred2->uid == cred->uid)
40690 + gr_fake_force_sig(SIGKILL, tsk);
40691 + } while_each_thread(tsk2, tsk);
40692 + read_unlock(&tasklist_lock);
40694 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
40695 + read_lock(&tasklist_lock);
40696 + do_each_thread(tsk2, tsk) {
40697 + if (likely(tsk != task)) {
40698 + curr2 = tsk->acl;
40700 + if (curr2->device == curr->device &&
40701 + curr2->inode == curr->inode)
40702 + gr_fake_force_sig(SIGKILL, tsk);
40704 + } while_each_thread(tsk2, tsk);
40705 + read_unlock(&tasklist_lock);
40707 + rcu_read_unlock();
40714 +gr_check_crash_exec(const struct file *filp)
40716 + struct acl_subject_label *curr;
40718 + if (unlikely(!gr_acl_is_enabled()))
40721 + read_lock(&gr_inode_lock);
40722 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
40723 + filp->f_path.dentry->d_inode->i_sb->s_dev,
40725 + read_unlock(&gr_inode_lock);
40727 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
40728 + (!curr->crashes && !curr->expires))
40731 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
40732 + time_after(curr->expires, get_seconds()))
40734 + else if (time_before_eq(curr->expires, get_seconds())) {
40735 + curr->crashes = 0;
40736 + curr->expires = 0;
40743 +gr_handle_alertkill(struct task_struct *task)
40745 + struct acl_subject_label *curracl;
40747 + struct task_struct *p, *p2;
40749 + if (unlikely(!gr_acl_is_enabled()))
40752 + curracl = task->acl;
40753 + curr_ip = task->signal->curr_ip;
40755 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
40756 + read_lock(&tasklist_lock);
40757 + do_each_thread(p2, p) {
40758 + if (p->signal->curr_ip == curr_ip)
40759 + gr_fake_force_sig(SIGKILL, p);
40760 + } while_each_thread(p2, p);
40761 + read_unlock(&tasklist_lock);
40762 + } else if (curracl->mode & GR_KILLPROC)
40763 + gr_fake_force_sig(SIGKILL, task);
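Review bot: The per-subject crash counters are read and written with no lock visible around them. gr_handle_crash() tests and resets `curr->crashes` and `curr->expires` on `task->acl`, and gr_check_crash_exec() clears the same fields after it has already called `read_unlock(&gr_inode_lock)`. Two tasks under the same subject crashing at once, or a crash racing an exec, could lose an update and keep the count below `rlim_cur` longer than the policy intends; whether something outside this file serialises these paths cannot be told from here. Either hold a lock across the test-and-update, or add a comment saying why the race is acceptable, e.g. `/* crashes/expires are updated without a lock; worst case one crash goes uncounted */`. Because gr_check_crash_exec() keeps using the lookup result after gr_inode_lock is dropped, a comment on what keeps the subject label alive at that point would also be worth adding.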
40767 diff -urNp linux-2.6.36.2/grsecurity/gracl_shm.c linux-2.6.36.2/grsecurity/gracl_shm.c
40768 --- linux-2.6.36.2/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
40769 +++ linux-2.6.36.2/grsecurity/gracl_shm.c 2010-12-09 20:24:32.000000000 -0500
40771 +#include <linux/kernel.h>
40772 +#include <linux/mm.h>
40773 +#include <linux/sched.h>
40774 +#include <linux/file.h>
40775 +#include <linux/ipc.h>
40776 +#include <linux/gracl.h>
40777 +#include <linux/grsecurity.h>
40778 +#include <linux/grinternal.h>
40781 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40782 + const time_t shm_createtime, const uid_t cuid, const int shmid)
40784 + struct task_struct *task;
40786 + if (!gr_acl_is_enabled())
40790 + read_lock(&tasklist_lock);
40792 + task = find_task_by_vpid(shm_cprid);
40794 + if (unlikely(!task))
40795 + task = find_task_by_vpid(shm_lapid);
40797 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
40798 + (task->pid == shm_lapid)) &&
40799 + (task->acl->mode & GR_PROTSHM) &&
40800 + (task->acl != current->acl))) {
40801 + read_unlock(&tasklist_lock);
40802 + rcu_read_unlock();
40803 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
40806 + read_unlock(&tasklist_lock);
40807 + rcu_read_unlock();
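Review bot: The pid-reuse check in gr_handle_shmat() compares `task->start_time.tv_sec` with `shm_createtime` through `time_before_eq()`, which is only meaningful if both values come from the same clock. Neither assignment is visible in this hunk. If the task start time counts from boot while the segment creation time is wall-clock seconds, the comparison would hold for practically every task, and the check could no longer tell the creator from a later process that reused the pid. The same comparison appears in gr_chroot_shmat() in grsec_chroot.c. I would confirm the two sources and record the result above the condition, e.g. `/* start_time and shm_createtime must share a clock base, see <where shm_createtime is set> */`.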
40811 diff -urNp linux-2.6.36.2/grsecurity/grsec_chdir.c linux-2.6.36.2/grsecurity/grsec_chdir.c
40812 --- linux-2.6.36.2/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
40813 +++ linux-2.6.36.2/grsecurity/grsec_chdir.c 2010-12-09 20:24:32.000000000 -0500
40815 +#include <linux/kernel.h>
40816 +#include <linux/sched.h>
40817 +#include <linux/fs.h>
40818 +#include <linux/file.h>
40819 +#include <linux/grsecurity.h>
40820 +#include <linux/grinternal.h>
40823 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
40825 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40826 + if ((grsec_enable_chdir && grsec_enable_group &&
40827 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
40828 + !grsec_enable_group)) {
40829 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
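Review bot: The audit condition in gr_log_chdir() tests `grsec_enable_chdir` in both arms of the `||`, which makes the group filter harder to read than it needs to be. It is equivalent to `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, and the short-circuit order is unchanged: in_group_p() is still only called when group filtering is on. A one-line comment such as `/* audit everyone, or only members of grsec_audit_gid when group filtering is enabled */` would state the intent.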
40834 diff -urNp linux-2.6.36.2/grsecurity/grsec_chroot.c linux-2.6.36.2/grsecurity/grsec_chroot.c
40835 --- linux-2.6.36.2/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
40836 +++ linux-2.6.36.2/grsecurity/grsec_chroot.c 2010-12-09 20:24:32.000000000 -0500
40838 +#include <linux/kernel.h>
40839 +#include <linux/module.h>
40840 +#include <linux/sched.h>
40841 +#include <linux/file.h>
40842 +#include <linux/fs.h>
40843 +#include <linux/mount.h>
40844 +#include <linux/types.h>
40845 +#include <linux/pid_namespace.h>
40846 +#include <linux/grsecurity.h>
40847 +#include <linux/grinternal.h>
40849 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
40851 +#ifdef CONFIG_GRKERNSEC
40852 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
40853 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
40854 + task->gr_is_chrooted = 1;
40856 + task->gr_is_chrooted = 0;
40858 + task->gr_chroot_dentry = path->dentry;
40863 +void gr_clear_chroot_entries(struct task_struct *task)
40865 +#ifdef CONFIG_GRKERNSEC
40866 + task->gr_is_chrooted = 0;
40867 + task->gr_chroot_dentry = NULL;
40873 +gr_handle_chroot_unix(struct pid *pid)
40875 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
40876 + struct task_struct *p;
40878 + if (unlikely(!grsec_enable_chroot_unix))
40881 + if (likely(!proc_is_chrooted(current)))
40885 + read_lock(&tasklist_lock);
40886 + p = pid_task(pid, PIDTYPE_PID);
40887 + if (unlikely(!have_same_root(current, p))) {
40888 + read_unlock(&tasklist_lock);
40889 + rcu_read_unlock();
40890 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
40893 + read_unlock(&tasklist_lock);
40894 + rcu_read_unlock();
40900 +gr_handle_chroot_nice(void)
40902 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40903 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
40904 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
40912 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
40914 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40915 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
40916 + && proc_is_chrooted(current)) {
40917 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
40925 +gr_handle_chroot_rawio(const struct inode *inode)
40927 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40928 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
40929 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
40936 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
40938 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40939 + struct task_struct *p;
40941 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
40944 + read_lock(&tasklist_lock);
40945 + do_each_pid_task(pid, type, p) {
40946 + if (!have_same_root(current, p)) {
40950 + } while_each_pid_task(pid, type, p);
40952 + read_unlock(&tasklist_lock);
40959 +gr_pid_is_chrooted(struct task_struct *p)
40961 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40962 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
40965 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
40966 + !have_same_root(current, p)) {
40973 +EXPORT_SYMBOL(gr_pid_is_chrooted);
40975 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
40976 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
40978 + struct dentry *dentry = (struct dentry *)u_dentry;
40979 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
40980 + struct path realroot, currentroot;
40981 + struct task_struct *reaper = &init_task;
40984 + get_fs_root(reaper->fs, &realroot);
40985 + get_fs_root(current->fs, ¤troot);
40987 + spin_lock(&dcache_lock);
40989 + if (unlikely((dentry == realroot.dentry && mnt == realroot.mnt)
40990 + || (dentry == currentroot.dentry && mnt == currentroot.mnt)))
40992 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
40993 + if (mnt->mnt_parent == mnt)
40995 + dentry = mnt->mnt_mountpoint;
40996 + mnt = mnt->mnt_parent;
40999 + dentry = dentry->d_parent;
41001 + spin_unlock(&dcache_lock);
41003 + path_put(¤troot);
41005 + /* access is outside of chroot */
41006 + if (dentry == realroot.dentry && mnt == realroot.mnt)
41009 + path_put(&realroot);
41015 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
41017 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41018 + if (!grsec_enable_chroot_fchdir)
41021 + if (!proc_is_chrooted(current))
41023 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
41024 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
41032 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
41033 + const time_t shm_createtime)
41035 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41036 + struct pid *pid = NULL;
41037 + time_t starttime;
41039 + if (unlikely(!grsec_enable_chroot_shmat))
41042 + if (likely(!proc_is_chrooted(current)))
41046 + read_lock(&tasklist_lock);
41048 + pid = find_vpid(shm_cprid);
41050 + struct task_struct *p;
41051 + p = pid_task(pid, PIDTYPE_PID);
41052 + starttime = p->start_time.tv_sec;
41053 + if (unlikely(!have_same_root(current, p) &&
41054 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
41055 + read_unlock(&tasklist_lock);
41056 + rcu_read_unlock();
41057 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
41061 + pid = find_vpid(shm_lapid);
41063 + struct task_struct *p;
41064 + p = pid_task(pid, PIDTYPE_PID);
41065 + if (unlikely(!have_same_root(current, p))) {
41066 + read_unlock(&tasklist_lock);
41067 + rcu_read_unlock();
41068 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
41074 + read_unlock(&tasklist_lock);
41075 + rcu_read_unlock();
41081 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
41083 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41084 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
41085 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
41091 +gr_handle_chroot_mknod(const struct dentry *dentry,
41092 + const struct vfsmount *mnt, const int mode)
41094 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41095 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
41096 + proc_is_chrooted(current)) {
41097 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
41105 +gr_handle_chroot_mount(const struct dentry *dentry,
41106 + const struct vfsmount *mnt, const char *dev_name)
41108 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
41109 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
41110 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
41118 +gr_handle_chroot_pivot(void)
41120 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
41121 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
41122 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
41130 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
41132 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
41133 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
41134 + !gr_is_outside_chroot(dentry, mnt)) {
41135 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
41143 +gr_handle_chroot_caps(struct path *path)
41145 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41146 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
41147 + (init_task.fs->root.dentry != path->dentry) &&
41148 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
41150 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
41151 + const struct cred *old = current_cred();
41152 + struct cred *new = prepare_creds();
41156 + new->cap_permitted = cap_drop(old->cap_permitted,
41158 + new->cap_inheritable = cap_drop(old->cap_inheritable,
41160 + new->cap_effective = cap_drop(old->cap_effective,
41163 + commit_creds(new);
41172 +gr_handle_chroot_sysctl(const int op)
41174 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41175 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
41176 + proc_is_chrooted(current))
41183 +gr_handle_chroot_chdir(struct path *path)
41185 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41186 + if (grsec_enable_chroot_chdir)
41187 + set_fs_pwd(current->fs, path);
41193 +gr_handle_chroot_chmod(const struct dentry *dentry,
41194 + const struct vfsmount *mnt, const int mode)
41196 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41197 + if (grsec_enable_chroot_chmod &&
41198 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
41199 + proc_is_chrooted(current)) {
41200 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
41207 +#ifdef CONFIG_SECURITY
41208 +EXPORT_SYMBOL(gr_handle_chroot_caps);
41210 diff -urNp linux-2.6.36.2/grsecurity/grsec_disabled.c linux-2.6.36.2/grsecurity/grsec_disabled.c
41211 --- linux-2.6.36.2/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
41212 +++ linux-2.6.36.2/grsecurity/grsec_disabled.c 2010-12-09 20:24:32.000000000 -0500
41214 +#include <linux/kernel.h>
41215 +#include <linux/module.h>
41216 +#include <linux/sched.h>
41217 +#include <linux/file.h>
41218 +#include <linux/fs.h>
41219 +#include <linux/kdev_t.h>
41220 +#include <linux/net.h>
41221 +#include <linux/in.h>
41222 +#include <linux/ip.h>
41223 +#include <linux/skbuff.h>
41224 +#include <linux/sysctl.h>
41226 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
41228 +pax_set_initial_flags(struct linux_binprm *bprm)
41234 +#ifdef CONFIG_SYSCTL
41236 +gr_handle_sysctl(const struct ctl_table * table, const int op)
41242 +#ifdef CONFIG_TASKSTATS
41243 +int gr_is_taskstats_denied(int pid)
41250 +gr_acl_is_enabled(void)
41256 +gr_handle_rawio(const struct inode *inode)
41262 +gr_acl_handle_psacct(struct task_struct *task, const long code)
41268 +gr_handle_ptrace(struct task_struct *task, const long request)
41274 +gr_handle_proc_ptrace(struct task_struct *task)
41280 +gr_learn_resource(const struct task_struct *task,
41281 + const int res, const unsigned long wanted, const int gt)
41287 +gr_set_acls(const int type)
41293 +gr_check_hidden_task(const struct task_struct *tsk)
41299 +gr_check_protected_task(const struct task_struct *task)
41305 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
41311 +gr_copy_label(struct task_struct *tsk)
41317 +gr_set_pax_flags(struct task_struct *task)
41323 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
41324 + const int unsafe_share)
41330 +gr_handle_delete(const ino_t ino, const dev_t dev)
41336 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
41342 +gr_handle_crash(struct task_struct *task, const int sig)
41348 +gr_check_crash_exec(const struct file *filp)
41354 +gr_check_crash_uid(const uid_t uid)
41360 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
41361 + struct dentry *old_dentry,
41362 + struct dentry *new_dentry,
41363 + struct vfsmount *mnt, const __u8 replace)
41369 +gr_search_socket(const int family, const int type, const int protocol)
41375 +gr_search_connectbind(const int mode, const struct socket *sock,
41376 + const struct sockaddr_in *addr)
41382 +gr_is_capable(const int cap)
41388 +gr_is_capable_nolog(const int cap)
41394 +gr_handle_alertkill(struct task_struct *task)
41400 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
41406 +gr_acl_handle_hidden_file(const struct dentry * dentry,
41407 + const struct vfsmount * mnt)
41413 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
41420 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
41426 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
41432 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
41433 + unsigned int *vm_flags)
41439 +gr_acl_handle_truncate(const struct dentry * dentry,
41440 + const struct vfsmount * mnt)
41446 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
41452 +gr_acl_handle_access(const struct dentry * dentry,
41453 + const struct vfsmount * mnt, const int fmode)
41459 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
41466 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
41473 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
41479 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
41485 +grsecurity_init(void)
41491 +gr_acl_handle_mknod(const struct dentry * new_dentry,
41492 + const struct dentry * parent_dentry,
41493 + const struct vfsmount * parent_mnt,
41500 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
41501 + const struct dentry * parent_dentry,
41502 + const struct vfsmount * parent_mnt)
41508 +gr_acl_handle_symlink(const struct dentry * new_dentry,
41509 + const struct dentry * parent_dentry,
41510 + const struct vfsmount * parent_mnt, const char *from)
41516 +gr_acl_handle_link(const struct dentry * new_dentry,
41517 + const struct dentry * parent_dentry,
41518 + const struct vfsmount * parent_mnt,
41519 + const struct dentry * old_dentry,
41520 + const struct vfsmount * old_mnt, const char *to)
41526 +gr_acl_handle_rename(const struct dentry *new_dentry,
41527 + const struct dentry *parent_dentry,
41528 + const struct vfsmount *parent_mnt,
41529 + const struct dentry *old_dentry,
41530 + const struct inode *old_parent_inode,
41531 + const struct vfsmount *old_mnt, const char *newname)
41537 +gr_acl_handle_filldir(const struct file *file, const char *name,
41538 + const int namelen, const ino_t ino)
41544 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
41545 + const time_t shm_createtime, const uid_t cuid, const int shmid)
41551 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
41557 +gr_search_accept(const struct socket *sock)
41563 +gr_search_listen(const struct socket *sock)
41569 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
41575 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
41581 +gr_acl_handle_creat(const struct dentry * dentry,
41582 + const struct dentry * p_dentry,
41583 + const struct vfsmount * p_mnt, const int fmode,
41590 +gr_acl_handle_exit(void)
41596 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
41602 +gr_set_role_label(const uid_t uid, const gid_t gid)
41608 +gr_acl_handle_procpidmem(const struct task_struct *task)
41614 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
41620 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
41626 +gr_set_kernel_label(struct task_struct *task)
41632 +gr_check_user_change(int real, int effective, int fs)
41638 +gr_check_group_change(int real, int effective, int fs)
41643 +int gr_acl_enable_at_secure(void)
41648 +EXPORT_SYMBOL(gr_is_capable);
41649 +EXPORT_SYMBOL(gr_is_capable_nolog);
41650 +EXPORT_SYMBOL(gr_learn_resource);
41651 +EXPORT_SYMBOL(gr_set_kernel_label);
41652 +#ifdef CONFIG_SECURITY
41653 +EXPORT_SYMBOL(gr_check_user_change);
41654 +EXPORT_SYMBOL(gr_check_group_change);
41656 diff -urNp linux-2.6.36.2/grsecurity/grsec_exec.c linux-2.6.36.2/grsecurity/grsec_exec.c
41657 --- linux-2.6.36.2/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
41658 +++ linux-2.6.36.2/grsecurity/grsec_exec.c 2010-12-09 20:24:32.000000000 -0500
41660 +#include <linux/kernel.h>
41661 +#include <linux/sched.h>
41662 +#include <linux/file.h>
41663 +#include <linux/binfmts.h>
41664 +#include <linux/smp_lock.h>
41665 +#include <linux/fs.h>
41666 +#include <linux/types.h>
41667 +#include <linux/grdefs.h>
41668 +#include <linux/grinternal.h>
41669 +#include <linux/capability.h>
41671 +#include <asm/uaccess.h>
41673 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41674 +static char gr_exec_arg_buf[132];
41675 +static DECLARE_MUTEX(gr_exec_arg_sem);
41679 +gr_handle_nproc(void)
41681 +#ifdef CONFIG_GRKERNSEC_EXECVE
41682 + const struct cred *cred = current_cred();
41683 + if (grsec_enable_execve && cred->user &&
41684 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
41685 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
41686 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
41694 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
41696 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41697 + char *grarg = gr_exec_arg_buf;
41698 + unsigned int i, x, execlen = 0;
41701 + if (!((grsec_enable_execlog && grsec_enable_group &&
41702 + in_group_p(grsec_audit_gid))
41703 + || (grsec_enable_execlog && !grsec_enable_group)))
41706 + down(&gr_exec_arg_sem);
41707 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
41709 + if (unlikely(argv == NULL))
41712 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
41713 + const char __user *p;
41714 + unsigned int len;
41716 + if (copy_from_user(&p, argv + i, sizeof(p)))
41720 + len = strnlen_user(p, 128 - execlen);
41721 + if (len > 128 - execlen)
41722 + len = 128 - execlen;
41723 + else if (len > 0)
41725 + if (copy_from_user(grarg + execlen, p, len))
41728 + /* rewrite unprintable characters */
41729 + for (x = 0; x < len; x++) {
41730 + c = *(grarg + execlen + x);
41731 + if (c < 32 || c > 126)
41732 + *(grarg + execlen + x) = ' ';
41736 + *(grarg + execlen) = ' ';
41737 + *(grarg + execlen + 1) = '\0';
41742 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
41743 + bprm->file->f_path.mnt, grarg);
41744 + up(&gr_exec_arg_sem);
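Review bot: The audit string in gr_handle_exec_args is built from its own read of userspace (`copy_from_user(&p, argv + i, sizeof(p))`, then `strnlen_user` and `copy_from_user` on `p`), so the logged text is not guaranteed to be what exec runs. A thread sharing the address space can rewrite the strings between this read and the copy exec makes. The function should carry a comment saying so, for example `/* argv is re-read from userspace here; the logged text can differ from what exec copies */`. If the call site allows it (not visible here), building the record from the kernel's own copy of the arguments would close the gap. Several lines of the function are not shown on this page.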
41748 diff -urNp linux-2.6.36.2/grsecurity/grsec_fifo.c linux-2.6.36.2/grsecurity/grsec_fifo.c
41749 --- linux-2.6.36.2/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
41750 +++ linux-2.6.36.2/grsecurity/grsec_fifo.c 2010-12-09 20:24:32.000000000 -0500
41752 +#include <linux/kernel.h>
41753 +#include <linux/sched.h>
41754 +#include <linux/fs.h>
41755 +#include <linux/file.h>
41756 +#include <linux/grinternal.h>
41759 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
41760 + const struct dentry *dir, const int flag, const int acc_mode)
41762 +#ifdef CONFIG_GRKERNSEC_FIFO
41763 + const struct cred *cred = current_cred();
41765 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
41766 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
41767 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
41768 + (cred->fsuid != dentry->d_inode->i_uid)) {
41769 + if (!generic_permission(dentry->d_inode, acc_mode, NULL))
41770 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
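Review bot: The `if (!generic_permission(dentry->d_inode, acc_mode, NULL))` around the log call in gr_handle_fifo reads like an access check, but it only decides whether the event is logged. A return of 0 means the open would otherwise have been allowed, so only those cases produce a `GR_FIFO_MSG` record. A comment on that line, such as `/* log only when the open would otherwise have been permitted */`, would make this clear. A short header comment stating the rule the outer condition encodes (FIFO in a sticky directory, not owned by the directory owner or by the opener, opened without O_EXCL) is also missing. The return statements of the function are not shown on this page.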
41776 diff -urNp linux-2.6.36.2/grsecurity/grsec_fork.c linux-2.6.36.2/grsecurity/grsec_fork.c
41777 --- linux-2.6.36.2/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
41778 +++ linux-2.6.36.2/grsecurity/grsec_fork.c 2010-12-09 20:24:32.000000000 -0500
41780 +#include <linux/kernel.h>
41781 +#include <linux/sched.h>
41782 +#include <linux/grsecurity.h>
41783 +#include <linux/grinternal.h>
41784 +#include <linux/errno.h>
41787 +gr_log_forkfail(const int retval)
41789 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41790 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
41791 + switch (retval) {
41793 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
41796 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
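Review bot: The test `retval == -EAGAIN || retval == -ENOMEM` in gr_log_forkfail repeats the selection that the `switch (retval)` directly below it makes, so the two lists have to be kept in step by hand. Dropping the switch and making one call would log the same two cases: `gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval == -EAGAIN ? "EAGAIN" : "ENOMEM");`. The case labels themselves are not shown on this page.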
41803 diff -urNp linux-2.6.36.2/grsecurity/grsec_init.c linux-2.6.36.2/grsecurity/grsec_init.c
41804 --- linux-2.6.36.2/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
41805 +++ linux-2.6.36.2/grsecurity/grsec_init.c 2010-12-09 20:24:32.000000000 -0500
41807 +#include <linux/kernel.h>
41808 +#include <linux/sched.h>
41809 +#include <linux/mm.h>
41810 +#include <linux/smp_lock.h>
41811 +#include <linux/gracl.h>
41812 +#include <linux/slab.h>
41813 +#include <linux/vmalloc.h>
41814 +#include <linux/percpu.h>
41815 +#include <linux/module.h>
41817 +int grsec_enable_link;
41818 +int grsec_enable_dmesg;
41819 +int grsec_enable_harden_ptrace;
41820 +int grsec_enable_fifo;
41821 +int grsec_enable_execve;
41822 +int grsec_enable_execlog;
41823 +int grsec_enable_signal;
41824 +int grsec_enable_forkfail;
41825 +int grsec_enable_audit_ptrace;
41826 +int grsec_enable_time;
41827 +int grsec_enable_audit_textrel;
41828 +int grsec_enable_group;
41829 +int grsec_audit_gid;
41830 +int grsec_enable_chdir;
41831 +int grsec_enable_mount;
41832 +int grsec_enable_rofs;
41833 +int grsec_enable_chroot_findtask;
41834 +int grsec_enable_chroot_mount;
41835 +int grsec_enable_chroot_shmat;
41836 +int grsec_enable_chroot_fchdir;
41837 +int grsec_enable_chroot_double;
41838 +int grsec_enable_chroot_pivot;
41839 +int grsec_enable_chroot_chdir;
41840 +int grsec_enable_chroot_chmod;
41841 +int grsec_enable_chroot_mknod;
41842 +int grsec_enable_chroot_nice;
41843 +int grsec_enable_chroot_execlog;
41844 +int grsec_enable_chroot_caps;
41845 +int grsec_enable_chroot_sysctl;
41846 +int grsec_enable_chroot_unix;
41847 +int grsec_enable_tpe;
41848 +int grsec_tpe_gid;
41849 +int grsec_enable_blackhole;
41850 +#ifdef CONFIG_IPV6_MODULE
41851 +EXPORT_SYMBOL(grsec_enable_blackhole);
41853 +int grsec_lastack_retries;
41854 +int grsec_enable_tpe_all;
41855 +int grsec_enable_tpe_invert;
41856 +int grsec_enable_socket_all;
41857 +int grsec_socket_all_gid;
41858 +int grsec_enable_socket_client;
41859 +int grsec_socket_client_gid;
41860 +int grsec_enable_socket_server;
41861 +int grsec_socket_server_gid;
41862 +int grsec_resource_logging;
41863 +int grsec_disable_privio;
41864 +int grsec_enable_log_rwxmaps;
41867 +DEFINE_SPINLOCK(grsec_alert_lock);
41868 +unsigned long grsec_alert_wtime = 0;
41869 +unsigned long grsec_alert_fyet = 0;
41871 +DEFINE_SPINLOCK(grsec_audit_lock);
41873 +DEFINE_RWLOCK(grsec_exec_file_lock);
41875 +char *gr_shared_page[4];
41877 +char *gr_alert_log_fmt;
41878 +char *gr_audit_log_fmt;
41879 +char *gr_alert_log_buf;
41880 +char *gr_audit_log_buf;
41882 +extern struct gr_arg *gr_usermode;
41883 +extern unsigned char *gr_system_salt;
41884 +extern unsigned char *gr_system_sum;
41887 +grsecurity_init(void)
41890 + /* create the per-cpu shared pages */
41893 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
41896 + for (j = 0; j < 4; j++) {
41897 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
41898 + if (gr_shared_page[j] == NULL) {
41899 + panic("Unable to allocate grsecurity shared page");
41904 + /* allocate log buffers */
41905 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
41906 + if (!gr_alert_log_fmt) {
41907 + panic("Unable to allocate grsecurity alert log format buffer");
41910 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
41911 + if (!gr_audit_log_fmt) {
41912 + panic("Unable to allocate grsecurity audit log format buffer");
41915 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41916 + if (!gr_alert_log_buf) {
41917 + panic("Unable to allocate grsecurity alert log buffer");
41920 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41921 + if (!gr_audit_log_buf) {
41922 + panic("Unable to allocate grsecurity audit log buffer");
41926 + /* allocate memory for authentication structure */
41927 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
41928 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
41929 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
41931 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
41932 + panic("Unable to allocate grsecurity authentication structure");
41937 +#ifdef CONFIG_GRKERNSEC_IO
41938 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
41939 + grsec_disable_privio = 1;
41940 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41941 + grsec_disable_privio = 1;
41943 + grsec_disable_privio = 0;
41947 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
41948 + /* for backward compatibility, tpe_invert always defaults to on if
41949 + enabled in the kernel
41951 + grsec_enable_tpe_invert = 1;
41954 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41955 +#ifndef CONFIG_GRKERNSEC_SYSCTL
41959 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
41960 + grsec_enable_audit_textrel = 1;
41962 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
41963 + grsec_enable_log_rwxmaps = 1;
41965 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
41966 + grsec_enable_group = 1;
41967 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
41969 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
41970 + grsec_enable_chdir = 1;
41972 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
41973 + grsec_enable_harden_ptrace = 1;
41975 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41976 + grsec_enable_mount = 1;
41978 +#ifdef CONFIG_GRKERNSEC_LINK
41979 + grsec_enable_link = 1;
41981 +#ifdef CONFIG_GRKERNSEC_DMESG
41982 + grsec_enable_dmesg = 1;
41984 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
41985 + grsec_enable_blackhole = 1;
41986 + grsec_lastack_retries = 4;
41988 +#ifdef CONFIG_GRKERNSEC_FIFO
41989 + grsec_enable_fifo = 1;
41991 +#ifdef CONFIG_GRKERNSEC_EXECVE
41992 + grsec_enable_execve = 1;
41994 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41995 + grsec_enable_execlog = 1;
41997 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41998 + grsec_enable_signal = 1;
42000 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
42001 + grsec_enable_forkfail = 1;
42003 +#ifdef CONFIG_GRKERNSEC_TIME
42004 + grsec_enable_time = 1;
42006 +#ifdef CONFIG_GRKERNSEC_RESLOG
42007 + grsec_resource_logging = 1;
42009 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
42010 + grsec_enable_chroot_findtask = 1;
42012 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
42013 + grsec_enable_chroot_unix = 1;
42015 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
42016 + grsec_enable_chroot_mount = 1;
42018 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
42019 + grsec_enable_chroot_fchdir = 1;
42021 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
42022 + grsec_enable_chroot_shmat = 1;
42024 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42025 + grsec_enable_audit_ptrace = 1;
42027 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
42028 + grsec_enable_chroot_double = 1;
42030 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
42031 + grsec_enable_chroot_pivot = 1;
42033 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
42034 + grsec_enable_chroot_chdir = 1;
42036 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
42037 + grsec_enable_chroot_chmod = 1;
42039 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
42040 + grsec_enable_chroot_mknod = 1;
42042 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
42043 + grsec_enable_chroot_nice = 1;
42045 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
42046 + grsec_enable_chroot_execlog = 1;
42048 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
42049 + grsec_enable_chroot_caps = 1;
42051 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
42052 + grsec_enable_chroot_sysctl = 1;
42054 +#ifdef CONFIG_GRKERNSEC_TPE
42055 + grsec_enable_tpe = 1;
42056 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
42057 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
42058 + grsec_enable_tpe_all = 1;
42061 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42062 + grsec_enable_socket_all = 1;
42063 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
42065 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42066 + grsec_enable_socket_client = 1;
42067 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
42069 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42070 + grsec_enable_socket_server = 1;
42071 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
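Review bot: `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` in grsecurity_init writes to a hard-coded address with a hard-coded length, and nothing on the visible lines says what lives there. The preceding comment (`create the per-cpu shared pages`) describes the allocation loop, not this store. The offset and length match the keyboard buffer in the x86 BIOS data area, so this is presumably scrubbing keystrokes left over from boot. That should be stated, for example `/* clear the BIOS keyboard buffer (BDA 0x41a, 36 bytes) so boot-time keystrokes do not stay in memory */`, and the two numbers given names. Any architecture guard around the line is not shown on this page; if there is none, the store needs one.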
42077 diff -urNp linux-2.6.36.2/grsecurity/grsec_link.c linux-2.6.36.2/grsecurity/grsec_link.c
42078 --- linux-2.6.36.2/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
42079 +++ linux-2.6.36.2/grsecurity/grsec_link.c 2010-12-09 20:24:32.000000000 -0500
42081 +#include <linux/kernel.h>
42082 +#include <linux/sched.h>
42083 +#include <linux/fs.h>
42084 +#include <linux/file.h>
42085 +#include <linux/grinternal.h>
42088 +gr_handle_follow_link(const struct inode *parent,
42089 + const struct inode *inode,
42090 + const struct dentry *dentry, const struct vfsmount *mnt)
42092 +#ifdef CONFIG_GRKERNSEC_LINK
42093 + const struct cred *cred = current_cred();
42095 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
42096 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
42097 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
42098 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
42106 +gr_handle_hardlink(const struct dentry *dentry,
42107 + const struct vfsmount *mnt,
42108 + struct inode *inode, const int mode, const char *to)
42110 +#ifdef CONFIG_GRKERNSEC_LINK
42111 + const struct cred *cred = current_cred();
42113 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
42114 + (!S_ISREG(mode) || (mode & S_ISUID) ||
42115 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
42116 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
42117 + !capable(CAP_FOWNER) && cred->uid) {
42118 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
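Review bot: In gr_handle_hardlink the final clause `!capable(CAP_FOWNER) && cred->uid` exempts any task whose real uid is 0, even one that has dropped CAP_FOWNER. It also tests the real uid, while the ownership comparison at the top of the condition uses `cred->fsuid`. If the uid-0 exemption is intended, it needs a comment, for example `/* real uid 0 is exempt even without CAP_FOWNER */`. If it is not intended, ending the condition at `!capable(CAP_FOWNER)) {` leaves the capability as the only override. The sense of `generic_permission(inode, MAY_READ | MAY_WRITE, NULL)` (non-zero means the caller lacks read/write access) also deserves a short comment. The return statements of both functions in this file are not shown on this page.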
42124 diff -urNp linux-2.6.36.2/grsecurity/grsec_log.c linux-2.6.36.2/grsecurity/grsec_log.c
42125 --- linux-2.6.36.2/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
42126 +++ linux-2.6.36.2/grsecurity/grsec_log.c 2010-12-09 20:24:32.000000000 -0500
42128 +#include <linux/kernel.h>
42129 +#include <linux/sched.h>
42130 +#include <linux/file.h>
42131 +#include <linux/tty.h>
42132 +#include <linux/fs.h>
42133 +#include <linux/grinternal.h>
42135 +#ifdef CONFIG_TREE_PREEMPT_RCU
42136 +#define DISABLE_PREEMPT() preempt_disable()
42137 +#define ENABLE_PREEMPT() preempt_enable()
42139 +#define DISABLE_PREEMPT()
42140 +#define ENABLE_PREEMPT()
42143 +#define BEGIN_LOCKS(x) \
42144 + DISABLE_PREEMPT(); \
42145 + rcu_read_lock(); \
42146 + read_lock(&tasklist_lock); \
42147 + read_lock(&grsec_exec_file_lock); \
42148 + if (x != GR_DO_AUDIT) \
42149 + spin_lock(&grsec_alert_lock); \
42151 + spin_lock(&grsec_audit_lock)
42153 +#define END_LOCKS(x) \
42154 + if (x != GR_DO_AUDIT) \
42155 + spin_unlock(&grsec_alert_lock); \
42157 + spin_unlock(&grsec_audit_lock); \
42158 + read_unlock(&grsec_exec_file_lock); \
42159 + read_unlock(&tasklist_lock); \
42160 + rcu_read_unlock(); \
42161 + ENABLE_PREEMPT(); \
42162 + if (x == GR_DONT_AUDIT) \
42163 + gr_handle_alertkill(current)
42170 +extern char *gr_alert_log_fmt;
42171 +extern char *gr_audit_log_fmt;
42172 +extern char *gr_alert_log_buf;
42173 +extern char *gr_audit_log_buf;
42175 +static int gr_log_start(int audit)
42177 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
42178 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
42179 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42181 + if (audit == GR_DO_AUDIT)
42184 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
42185 + grsec_alert_wtime = jiffies;
42186 + grsec_alert_fyet = 0;
42187 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
42188 + grsec_alert_fyet++;
42189 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
42190 + grsec_alert_wtime = jiffies;
42191 + grsec_alert_fyet++;
42192 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
42194 + } else return FLOODING;
42197 + memset(buf, 0, PAGE_SIZE);
42198 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
42199 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
42200 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
42201 + } else if (current->signal->curr_ip) {
42202 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
42203 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
42204 + } else if (gr_acl_is_enabled()) {
42205 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
42206 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
42208 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
42209 + strcpy(buf, fmt);
42212 + return NO_FLOODING;
42215 +static void gr_log_middle(int audit, const char *msg, va_list ap)
42216 + __attribute__ ((format (printf, 2, 0)));
42218 +static void gr_log_middle(int audit, const char *msg, va_list ap)
42220 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42221 + unsigned int len = strlen(buf);
42223 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
42228 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
42229 + __attribute__ ((format (printf, 2, 3)));
42231 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
42233 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42234 + unsigned int len = strlen(buf);
42237 + va_start(ap, msg);
42238 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
42244 +static void gr_log_end(int audit)
42246 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42247 + unsigned int len = strlen(buf);
42249 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
42250 + printk("%s\n", buf);
42255 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
42258 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
42259 + char *str1, *str2, *str3;
42262 + unsigned long ulong1, ulong2;
42263 + struct dentry *dentry;
42264 + struct vfsmount *mnt;
42265 + struct file *file;
42266 + struct task_struct *task;
42267 + const struct cred *cred, *pcred;
42270 + BEGIN_LOCKS(audit);
42271 + logtype = gr_log_start(audit);
42272 + if (logtype == FLOODING) {
42273 + END_LOCKS(audit);
42276 + va_start(ap, argtypes);
42277 + switch (argtypes) {
42278 + case GR_TTYSNIFF:
42279 + task = va_arg(ap, struct task_struct *);
42280 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
42282 + case GR_SYSCTL_HIDDEN:
42283 + str1 = va_arg(ap, char *);
42284 + gr_log_middle_varargs(audit, msg, result, str1);
42287 + dentry = va_arg(ap, struct dentry *);
42288 + mnt = va_arg(ap, struct vfsmount *);
42289 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
42291 + case GR_RBAC_STR:
42292 + dentry = va_arg(ap, struct dentry *);
42293 + mnt = va_arg(ap, struct vfsmount *);
42294 + str1 = va_arg(ap, char *);
42295 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
42297 + case GR_STR_RBAC:
42298 + str1 = va_arg(ap, char *);
42299 + dentry = va_arg(ap, struct dentry *);
42300 + mnt = va_arg(ap, struct vfsmount *);
42301 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
42303 + case GR_RBAC_MODE2:
42304 + dentry = va_arg(ap, struct dentry *);
42305 + mnt = va_arg(ap, struct vfsmount *);
42306 + str1 = va_arg(ap, char *);
42307 + str2 = va_arg(ap, char *);
42308 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
42310 + case GR_RBAC_MODE3:
42311 + dentry = va_arg(ap, struct dentry *);
42312 + mnt = va_arg(ap, struct vfsmount *);
42313 + str1 = va_arg(ap, char *);
42314 + str2 = va_arg(ap, char *);
42315 + str3 = va_arg(ap, char *);
42316 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
42318 + case GR_FILENAME:
42319 + dentry = va_arg(ap, struct dentry *);
42320 + mnt = va_arg(ap, struct vfsmount *);
42321 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
42323 + case GR_STR_FILENAME:
42324 + str1 = va_arg(ap, char *);
42325 + dentry = va_arg(ap, struct dentry *);
42326 + mnt = va_arg(ap, struct vfsmount *);
42327 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
42329 + case GR_FILENAME_STR:
42330 + dentry = va_arg(ap, struct dentry *);
42331 + mnt = va_arg(ap, struct vfsmount *);
42332 + str1 = va_arg(ap, char *);
42333 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
42335 + case GR_FILENAME_TWO_INT:
42336 + dentry = va_arg(ap, struct dentry *);
42337 + mnt = va_arg(ap, struct vfsmount *);
42338 + num1 = va_arg(ap, int);
42339 + num2 = va_arg(ap, int);
42340 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
42342 + case GR_FILENAME_TWO_INT_STR:
42343 + dentry = va_arg(ap, struct dentry *);
42344 + mnt = va_arg(ap, struct vfsmount *);
42345 + num1 = va_arg(ap, int);
42346 + num2 = va_arg(ap, int);
42347 + str1 = va_arg(ap, char *);
42348 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
42351 + file = va_arg(ap, struct file *);
42352 + ulong1 = va_arg(ap, unsigned long);
42353 + ulong2 = va_arg(ap, unsigned long);
42354 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
42357 + task = va_arg(ap, struct task_struct *);
42358 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
42360 + case GR_RESOURCE:
42361 + task = va_arg(ap, struct task_struct *);
42362 + cred = __task_cred(task);
42363 + pcred = __task_cred(task->real_parent);
42364 + ulong1 = va_arg(ap, unsigned long);
42365 + str1 = va_arg(ap, char *);
42366 + ulong2 = va_arg(ap, unsigned long);
42367 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42370 + task = va_arg(ap, struct task_struct *);
42371 + cred = __task_cred(task);
42372 + pcred = __task_cred(task->real_parent);
42373 + str1 = va_arg(ap, char *);
42374 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42377 + str1 = va_arg(ap, char *);
42378 + voidptr = va_arg(ap, void *);
42379 + gr_log_middle_varargs(audit, msg, str1, voidptr);
42382 + task = va_arg(ap, struct task_struct *);
42383 + cred = __task_cred(task);
42384 + pcred = __task_cred(task->real_parent);
42385 + num1 = va_arg(ap, int);
42386 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42389 + task = va_arg(ap, struct task_struct *);
42390 + cred = __task_cred(task);
42391 + pcred = __task_cred(task->real_parent);
42392 + ulong1 = va_arg(ap, unsigned long);
42393 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
42396 + task = va_arg(ap, struct task_struct *);
42397 + cred = __task_cred(task);
42398 + pcred = __task_cred(task->real_parent);
42399 + ulong1 = va_arg(ap, unsigned long);
42400 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
42403 + file = va_arg(ap, struct file *);
42404 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
42408 + unsigned int wday, cday;
42412 + char cur_tty[64] = { 0 };
42413 + char parent_tty[64] = { 0 };
42415 + task = va_arg(ap, struct task_struct *);
42416 + wday = va_arg(ap, unsigned int);
42417 + cday = va_arg(ap, unsigned int);
42418 + whr = va_arg(ap, int);
42419 + chr = va_arg(ap, int);
42420 + wmin = va_arg(ap, int);
42421 + cmin = va_arg(ap, int);
42422 + wsec = va_arg(ap, int);
42423 + csec = va_arg(ap, int);
42424 + ulong1 = va_arg(ap, unsigned long);
42425 + cred = __task_cred(task);
42426 + pcred = __task_cred(task->real_parent);
42428 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42432 + gr_log_middle(audit, msg, ap);
42435 + gr_log_end(audit);
42436 + END_LOCKS(audit);
42438 diff -urNp linux-2.6.36.2/grsecurity/grsec_mem.c linux-2.6.36.2/grsecurity/grsec_mem.c
42439 --- linux-2.6.36.2/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
42440 +++ linux-2.6.36.2/grsecurity/grsec_mem.c 2010-12-09 20:24:32.000000000 -0500
42442 +#include <linux/kernel.h>
42443 +#include <linux/sched.h>
42444 +#include <linux/mm.h>
42445 +#include <linux/mman.h>
42446 +#include <linux/grinternal.h>
42449 +gr_handle_ioperm(void)
42451 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
42456 +gr_handle_iopl(void)
42458 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
42463 +gr_handle_mem_write(void)
42465 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
42470 +gr_handle_kmem_write(void)
42472 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
42477 +gr_handle_open_port(void)
42479 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
42484 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
42486 + unsigned long start, end;
42489 + end = start + vma->vm_end - vma->vm_start;
42491 + if (start > end) {
42492 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
42496 + /* allowed ranges : ISA I/O BIOS */
42497 + if ((start >= __pa(high_memory))
42498 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
42499 + || (start >= 0x000a0000 && end <= 0x00100000)
42500 + || (start >= 0x00000000 && end <= 0x00001000)
42505 + if (vma->vm_flags & VM_WRITE) {
42506 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
42509 + vma->vm_flags &= ~VM_MAYWRITE;
42515 +gr_log_nonroot_mod_load(const char *modname)
42517 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
42522 +gr_handle_vm86(void)
42524 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
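Review bot: In gr_handle_mem_mmap the test `start >= 0x00000000` is always true for an `unsigned long`, so the second permitted window reduces to `end <= 0x00001000`. Both windows are bare literals explained only by the terse `allowed ranges : ISA I/O BIOS`. I would drop the tautology and give each bound a comment or a named constant, e.g. `|| (end <= 0x00001000) /* first physical page - confirm intent */`. A short header comment should also say that mappings outside the permitted windows are logged when `VM_WRITE` is set and otherwise lose `VM_MAYWRITE`. The return statements and the `start` assignment are not shown in this listing, so the exact allow/deny results cannot be confirmed from here.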
42527 diff -urNp linux-2.6.36.2/grsecurity/grsec_mount.c linux-2.6.36.2/grsecurity/grsec_mount.c
42528 --- linux-2.6.36.2/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
42529 +++ linux-2.6.36.2/grsecurity/grsec_mount.c 2010-12-09 20:24:32.000000000 -0500
42531 +#include <linux/kernel.h>
42532 +#include <linux/sched.h>
42533 +#include <linux/mount.h>
42534 +#include <linux/grsecurity.h>
42535 +#include <linux/grinternal.h>
42538 +gr_log_remount(const char *devname, const int retval)
42540 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42541 + if (grsec_enable_mount && (retval >= 0))
42542 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
42548 +gr_log_unmount(const char *devname, const int retval)
42550 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42551 + if (grsec_enable_mount && (retval >= 0))
42552 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
42558 +gr_log_mount(const char *from, const char *to, const int retval)
42560 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42561 + if (grsec_enable_mount && (retval >= 0))
42562 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
42568 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
42570 +#ifdef CONFIG_GRKERNSEC_ROFS
42571 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
42572 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
42581 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
42583 +#ifdef CONFIG_GRKERNSEC_ROFS
42584 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
42585 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
42586 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
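Review bot: gr_log_mount passes `from` to gr_log_str_str unchecked, while gr_log_remount and gr_log_unmount in the same file substitute `"none"` when `devname` is NULL. If a mount can reach this call without a source name, the audit record depends on how the formatter treats a NULL string argument. Using `from ? from : "none"` keeps the three mount audit messages consistent and predictable for log parsers. Whether `to` can ever be NULL is not visible from this hunk.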
42593 diff -urNp linux-2.6.36.2/grsecurity/grsec_pax.c linux-2.6.36.2/grsecurity/grsec_pax.c
42594 --- linux-2.6.36.2/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
42595 +++ linux-2.6.36.2/grsecurity/grsec_pax.c 2010-12-09 20:24:32.000000000 -0500
42597 +#include <linux/kernel.h>
42598 +#include <linux/sched.h>
42599 +#include <linux/mm.h>
42600 +#include <linux/file.h>
42601 +#include <linux/grinternal.h>
42602 +#include <linux/grsecurity.h>
42605 +gr_log_textrel(struct vm_area_struct * vma)
42607 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42608 + if (grsec_enable_audit_textrel)
42609 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
42615 +gr_log_rwxmmap(struct file *file)
42617 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42618 + if (grsec_enable_log_rwxmaps)
42619 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
42625 +gr_log_rwxmprotect(struct file *file)
42627 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42628 + if (grsec_enable_log_rwxmaps)
42629 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
42633 diff -urNp linux-2.6.36.2/grsecurity/grsec_ptrace.c linux-2.6.36.2/grsecurity/grsec_ptrace.c
42634 --- linux-2.6.36.2/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
42635 +++ linux-2.6.36.2/grsecurity/grsec_ptrace.c 2010-12-09 20:24:32.000000000 -0500
42637 +#include <linux/kernel.h>
42638 +#include <linux/sched.h>
42639 +#include <linux/grinternal.h>
42640 +#include <linux/grsecurity.h>
42643 +gr_audit_ptrace(struct task_struct *task)
42645 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42646 + if (grsec_enable_audit_ptrace)
42647 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
42651 diff -urNp linux-2.6.36.2/grsecurity/grsec_sig.c linux-2.6.36.2/grsecurity/grsec_sig.c
42652 --- linux-2.6.36.2/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
42653 +++ linux-2.6.36.2/grsecurity/grsec_sig.c 2010-12-09 20:24:32.000000000 -0500
42655 +#include <linux/kernel.h>
42656 +#include <linux/sched.h>
42657 +#include <linux/delay.h>
42658 +#include <linux/grsecurity.h>
42659 +#include <linux/grinternal.h>
42661 +char *signames[] = {
42662 + [SIGSEGV] = "Segmentation fault",
42663 + [SIGILL] = "Illegal instruction",
42664 + [SIGABRT] = "Abort",
42665 + [SIGBUS] = "Invalid alignment/Bus error"
42669 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
42671 +#ifdef CONFIG_GRKERNSEC_SIGNAL
42672 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
42673 + (sig == SIGABRT) || (sig == SIGBUS))) {
42674 + if (t->pid == current->pid) {
42675 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
42677 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
42685 +gr_handle_signal(const struct task_struct *p, const int sig)
42687 +#ifdef CONFIG_GRKERNSEC
42688 + if (current->pid > 1 && gr_check_protected_task(p)) {
42689 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
42691 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
42698 +void gr_handle_brute_attach(struct task_struct *p)
42700 +#ifdef CONFIG_GRKERNSEC_BRUTE
42701 + read_lock(&tasklist_lock);
42702 + read_lock(&grsec_exec_file_lock);
42703 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
42704 + p->real_parent->brute = 1;
42705 + read_unlock(&grsec_exec_file_lock);
42706 + read_unlock(&tasklist_lock);
42711 +void gr_handle_brute_check(void)
42713 +#ifdef CONFIG_GRKERNSEC_BRUTE
42714 + if (current->brute)
42715 + msleep(30 * 1000);
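Review bot: The fork-delay logic at the end of this file is undocumented: gr_handle_brute_attach sets `p->real_parent->brute` when parent and child share the same `exec_file`, and gr_handle_brute_check then sleeps for a bare `30 * 1000` ms. A named constant such as `#define GR_BRUTE_DELAY_MS (30 * 1000)` and a one-line comment on the attach side stating the policy would make this deterrent reviewable. The flag is also stored while only read locks on `tasklist_lock` and `grsec_exec_file_lock` are held. The store looks idempotent, but a comment saying so would help the next reader, as would a note on where `brute` is cleared, which this hunk does not show.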
42720 diff -urNp linux-2.6.36.2/grsecurity/grsec_sock.c linux-2.6.36.2/grsecurity/grsec_sock.c
42721 --- linux-2.6.36.2/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
42722 +++ linux-2.6.36.2/grsecurity/grsec_sock.c 2010-12-09 20:24:32.000000000 -0500
42724 +#include <linux/kernel.h>
42725 +#include <linux/module.h>
42726 +#include <linux/sched.h>
42727 +#include <linux/file.h>
42728 +#include <linux/net.h>
42729 +#include <linux/in.h>
42730 +#include <linux/ip.h>
42731 +#include <net/sock.h>
42732 +#include <net/inet_sock.h>
42733 +#include <linux/grsecurity.h>
42734 +#include <linux/grinternal.h>
42735 +#include <linux/gracl.h>
42737 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
42738 +EXPORT_SYMBOL(gr_cap_rtnetlink);
42740 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
42741 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
42743 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
42744 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
42746 +#ifdef CONFIG_UNIX_MODULE
42747 +EXPORT_SYMBOL(gr_acl_handle_unix);
42748 +EXPORT_SYMBOL(gr_acl_handle_mknod);
42749 +EXPORT_SYMBOL(gr_handle_chroot_unix);
42750 +EXPORT_SYMBOL(gr_handle_create);
42753 +#ifdef CONFIG_GRKERNSEC
42754 +#define gr_conn_table_size 32749
42755 +struct conn_table_entry {
42756 + struct conn_table_entry *next;
42757 + struct signal_struct *sig;
42760 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
42761 +DEFINE_SPINLOCK(gr_conn_table_lock);
42763 +extern const char * gr_socktype_to_name(unsigned char type);
42764 +extern const char * gr_proto_to_name(unsigned char proto);
42766 +static __inline__ int
42767 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
42769 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
42772 +static __inline__ int
42773 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
42774 + __u16 sport, __u16 dport)
42776 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
42777 + sig->gr_sport == sport && sig->gr_dport == dport))
42783 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
42785 + struct conn_table_entry **match;
42786 + unsigned int index;
42788 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42789 + sig->gr_sport, sig->gr_dport,
42790 + gr_conn_table_size);
42792 + newent->sig = sig;
42794 + match = &gr_conn_table[index];
42795 + newent->next = *match;
42801 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
42803 + struct conn_table_entry *match, *last = NULL;
42804 + unsigned int index;
42806 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42807 + sig->gr_sport, sig->gr_dport,
42808 + gr_conn_table_size);
42810 + match = gr_conn_table[index];
42811 + while (match && !conn_match(match->sig,
42812 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
42813 + sig->gr_dport)) {
42815 + match = match->next;
42820 + last->next = match->next;
42822 + gr_conn_table[index] = NULL;
42829 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
42830 + __u16 sport, __u16 dport)
42832 + struct conn_table_entry *match;
42833 + unsigned int index;
42835 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
42837 + match = gr_conn_table[index];
42838 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
42839 + match = match->next;
42842 + return match->sig;
42849 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
42851 +#ifdef CONFIG_GRKERNSEC
42852 + struct signal_struct *sig = task->signal;
42853 + struct conn_table_entry *newent;
42855 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
42856 + if (newent == NULL)
42858 + /* no bh lock needed since we are called with bh disabled */
42859 + spin_lock(&gr_conn_table_lock);
42860 + gr_del_task_from_ip_table_nolock(sig);
42861 + sig->gr_saddr = inet->inet_rcv_saddr;
42862 + sig->gr_daddr = inet->inet_daddr;
42863 + sig->gr_sport = inet->inet_sport;
42864 + sig->gr_dport = inet->inet_dport;
42865 + gr_add_to_task_ip_table_nolock(sig, newent);
42866 + spin_unlock(&gr_conn_table_lock);
42871 +void gr_del_task_from_ip_table(struct task_struct *task)
42873 +#ifdef CONFIG_GRKERNSEC
42874 + spin_lock_bh(&gr_conn_table_lock);
42875 + gr_del_task_from_ip_table_nolock(task->signal);
42876 + spin_unlock_bh(&gr_conn_table_lock);
42882 +gr_attach_curr_ip(const struct sock *sk)
42884 +#ifdef CONFIG_GRKERNSEC
42885 + struct signal_struct *p, *set;
42886 + const struct inet_sock *inet = inet_sk(sk);
42888 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
42891 + set = current->signal;
42893 + spin_lock_bh(&gr_conn_table_lock);
42894 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
42895 + inet->inet_dport, inet->inet_sport);
42896 + if (unlikely(p != NULL)) {
42897 + set->curr_ip = p->curr_ip;
42898 + set->used_accept = 1;
42899 + gr_del_task_from_ip_table_nolock(p);
42900 + spin_unlock_bh(&gr_conn_table_lock);
42903 + spin_unlock_bh(&gr_conn_table_lock);
42905 + set->curr_ip = inet->inet_daddr;
42906 + set->used_accept = 1;
42912 +gr_handle_sock_all(const int family, const int type, const int protocol)
42914 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42915 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
42916 + (family != AF_UNIX) && (family != AF_LOCAL)) {
42917 + gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
42925 +gr_handle_sock_server(const struct sockaddr *sck)
42927 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42928 + if (grsec_enable_socket_server &&
42929 + in_group_p(grsec_socket_server_gid) &&
42930 + sck && (sck->sa_family != AF_UNIX) &&
42931 + (sck->sa_family != AF_LOCAL)) {
42932 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42940 +gr_handle_sock_server_other(const struct sock *sck)
42942 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42943 + if (grsec_enable_socket_server &&
42944 + in_group_p(grsec_socket_server_gid) &&
42945 + sck && (sck->sk_family != AF_UNIX) &&
42946 + (sck->sk_family != AF_LOCAL)) {
42947 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42955 +gr_handle_sock_client(const struct sockaddr *sck)
42957 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42958 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
42959 + sck && (sck->sa_family != AF_UNIX) &&
42960 + (sck->sa_family != AF_LOCAL)) {
42961 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
42969 +gr_cap_rtnetlink(struct sock *sock)
42971 +#ifdef CONFIG_GRKERNSEC
42972 + if (!gr_acl_is_enabled())
42973 + return current_cap();
42974 + else if (sock->sk_protocol == NETLINK_ISCSI &&
42975 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
42976 + gr_is_capable(CAP_SYS_ADMIN))
42977 + return current_cap();
42978 + else if (sock->sk_protocol == NETLINK_AUDIT &&
42979 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
42980 + gr_is_capable(CAP_AUDIT_WRITE) &&
42981 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
42982 + gr_is_capable(CAP_AUDIT_CONTROL))
42983 + return current_cap();
42984 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
42985 + ((sock->sk_protocol == NETLINK_ROUTE) ?
42986 + gr_is_capable_nolog(CAP_NET_ADMIN) :
42987 + gr_is_capable(CAP_NET_ADMIN)))
42988 + return current_cap();
42990 + return __cap_empty_set;
42992 + return current_cap();
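Review bot: In gr_del_task_from_ip_table_nolock, removing an entry at the head of its bucket appears to run `gr_conn_table[index] = NULL;`, which discards every entry chained behind it. It should be `gr_conn_table[index] = match->next;`. The dropped entries are never freed and can no longer be found by gr_lookup_task_ip_table, so gr_attach_curr_ip takes its fallback path for those connections. The `if (last)` / `else` lines around the two assignments are not shown in this listing, so confirm the branch structure before applying the change.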
42995 diff -urNp linux-2.6.36.2/grsecurity/grsec_sysctl.c linux-2.6.36.2/grsecurity/grsec_sysctl.c
42996 --- linux-2.6.36.2/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
42997 +++ linux-2.6.36.2/grsecurity/grsec_sysctl.c 2010-12-09 20:24:32.000000000 -0500
42999 +#include <linux/kernel.h>
43000 +#include <linux/sched.h>
43001 +#include <linux/sysctl.h>
43002 +#include <linux/grsecurity.h>
43003 +#include <linux/grinternal.h>
43006 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
43008 +#ifdef CONFIG_GRKERNSEC_SYSCTL
43009 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
43010 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
43017 +#ifdef CONFIG_GRKERNSEC_ROFS
43018 +static int __maybe_unused one = 1;
43021 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
43022 +struct ctl_table grsecurity_table[] = {
43023 +#ifdef CONFIG_GRKERNSEC_SYSCTL
43024 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
43025 +#ifdef CONFIG_GRKERNSEC_IO
43027 + .procname = "disable_priv_io",
43028 + .data = &grsec_disable_privio,
43029 + .maxlen = sizeof(int),
43031 + .proc_handler = &proc_dointvec,
43035 +#ifdef CONFIG_GRKERNSEC_LINK
43037 + .procname = "linking_restrictions",
43038 + .data = &grsec_enable_link,
43039 + .maxlen = sizeof(int),
43041 + .proc_handler = &proc_dointvec,
43044 +#ifdef CONFIG_GRKERNSEC_FIFO
43046 + .procname = "fifo_restrictions",
43047 + .data = &grsec_enable_fifo,
43048 + .maxlen = sizeof(int),
43050 + .proc_handler = &proc_dointvec,
43053 +#ifdef CONFIG_GRKERNSEC_EXECVE
43055 + .procname = "execve_limiting",
43056 + .data = &grsec_enable_execve,
43057 + .maxlen = sizeof(int),
43059 + .proc_handler = &proc_dointvec,
43062 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
43064 + .procname = "ip_blackhole",
43065 + .data = &grsec_enable_blackhole,
43066 + .maxlen = sizeof(int),
43068 + .proc_handler = &proc_dointvec,
43071 + .procname = "lastack_retries",
43072 + .data = &grsec_lastack_retries,
43073 + .maxlen = sizeof(int),
43075 + .proc_handler = &proc_dointvec,
43078 +#ifdef CONFIG_GRKERNSEC_EXECLOG
43080 + .procname = "exec_logging",
43081 + .data = &grsec_enable_execlog,
43082 + .maxlen = sizeof(int),
43084 + .proc_handler = &proc_dointvec,
43087 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
43089 + .procname = "rwxmap_logging",
43090 + .data = &grsec_enable_log_rwxmaps,
43091 + .maxlen = sizeof(int),
43093 + .proc_handler = &proc_dointvec,
43096 +#ifdef CONFIG_GRKERNSEC_SIGNAL
43098 + .procname = "signal_logging",
43099 + .data = &grsec_enable_signal,
43100 + .maxlen = sizeof(int),
43102 + .proc_handler = &proc_dointvec,
43105 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
43107 + .procname = "forkfail_logging",
43108 + .data = &grsec_enable_forkfail,
43109 + .maxlen = sizeof(int),
43111 + .proc_handler = &proc_dointvec,
43114 +#ifdef CONFIG_GRKERNSEC_TIME
43116 + .procname = "timechange_logging",
43117 + .data = &grsec_enable_time,
43118 + .maxlen = sizeof(int),
43120 + .proc_handler = &proc_dointvec,
43123 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
43125 + .procname = "chroot_deny_shmat",
43126 + .data = &grsec_enable_chroot_shmat,
43127 + .maxlen = sizeof(int),
43129 + .proc_handler = &proc_dointvec,
43132 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
43134 + .procname = "chroot_deny_unix",
43135 + .data = &grsec_enable_chroot_unix,
43136 + .maxlen = sizeof(int),
43138 + .proc_handler = &proc_dointvec,
43141 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
43143 + .procname = "chroot_deny_mount",
43144 + .data = &grsec_enable_chroot_mount,
43145 + .maxlen = sizeof(int),
43147 + .proc_handler = &proc_dointvec,
43150 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
43152 + .procname = "chroot_deny_fchdir",
43153 + .data = &grsec_enable_chroot_fchdir,
43154 + .maxlen = sizeof(int),
43156 + .proc_handler = &proc_dointvec,
43159 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
43161 + .procname = "chroot_deny_chroot",
43162 + .data = &grsec_enable_chroot_double,
43163 + .maxlen = sizeof(int),
43165 + .proc_handler = &proc_dointvec,
43168 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
43170 + .procname = "chroot_deny_pivot",
43171 + .data = &grsec_enable_chroot_pivot,
43172 + .maxlen = sizeof(int),
43174 + .proc_handler = &proc_dointvec,
43177 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
43179 + .procname = "chroot_enforce_chdir",
43180 + .data = &grsec_enable_chroot_chdir,
43181 + .maxlen = sizeof(int),
43183 + .proc_handler = &proc_dointvec,
43186 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
43188 + .procname = "chroot_deny_chmod",
43189 + .data = &grsec_enable_chroot_chmod,
43190 + .maxlen = sizeof(int),
43192 + .proc_handler = &proc_dointvec,
43195 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
43197 + .procname = "chroot_deny_mknod",
43198 + .data = &grsec_enable_chroot_mknod,
43199 + .maxlen = sizeof(int),
43201 + .proc_handler = &proc_dointvec,
43204 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
43206 + .procname = "chroot_restrict_nice",
43207 + .data = &grsec_enable_chroot_nice,
43208 + .maxlen = sizeof(int),
43210 + .proc_handler = &proc_dointvec,
43213 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
43215 + .procname = "chroot_execlog",
43216 + .data = &grsec_enable_chroot_execlog,
43217 + .maxlen = sizeof(int),
43219 + .proc_handler = &proc_dointvec,
43222 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
43224 + .procname = "chroot_caps",
43225 + .data = &grsec_enable_chroot_caps,
43226 + .maxlen = sizeof(int),
43228 + .proc_handler = &proc_dointvec,
43231 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
43233 + .procname = "chroot_deny_sysctl",
43234 + .data = &grsec_enable_chroot_sysctl,
43235 + .maxlen = sizeof(int),
43237 + .proc_handler = &proc_dointvec,
43240 +#ifdef CONFIG_GRKERNSEC_TPE
43242 + .procname = "tpe",
43243 + .data = &grsec_enable_tpe,
43244 + .maxlen = sizeof(int),
43246 + .proc_handler = &proc_dointvec,
43249 + .procname = "tpe_gid",
43250 + .data = &grsec_tpe_gid,
43251 + .maxlen = sizeof(int),
43253 + .proc_handler = &proc_dointvec,
43256 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
43258 + .procname = "tpe_invert",
43259 + .data = &grsec_enable_tpe_invert,
43260 + .maxlen = sizeof(int),
43262 + .proc_handler = &proc_dointvec,
43265 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
43267 + .procname = "tpe_restrict_all",
43268 + .data = &grsec_enable_tpe_all,
43269 + .maxlen = sizeof(int),
43271 + .proc_handler = &proc_dointvec,
43274 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
43276 + .procname = "socket_all",
43277 + .data = &grsec_enable_socket_all,
43278 + .maxlen = sizeof(int),
43280 + .proc_handler = &proc_dointvec,
43283 + .procname = "socket_all_gid",
43284 + .data = &grsec_socket_all_gid,
43285 + .maxlen = sizeof(int),
43287 + .proc_handler = &proc_dointvec,
43290 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
43292 + .procname = "socket_client",
43293 + .data = &grsec_enable_socket_client,
43294 + .maxlen = sizeof(int),
43296 + .proc_handler = &proc_dointvec,
43299 + .procname = "socket_client_gid",
43300 + .data = &grsec_socket_client_gid,
43301 + .maxlen = sizeof(int),
43303 + .proc_handler = &proc_dointvec,
43306 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
43308 + .procname = "socket_server",
43309 + .data = &grsec_enable_socket_server,
43310 + .maxlen = sizeof(int),
43312 + .proc_handler = &proc_dointvec,
43315 + .procname = "socket_server_gid",
43316 + .data = &grsec_socket_server_gid,
43317 + .maxlen = sizeof(int),
43319 + .proc_handler = &proc_dointvec,
43322 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
43324 + .procname = "audit_group",
43325 + .data = &grsec_enable_group,
43326 + .maxlen = sizeof(int),
43328 + .proc_handler = &proc_dointvec,
43331 + .procname = "audit_gid",
43332 + .data = &grsec_audit_gid,
43333 + .maxlen = sizeof(int),
43335 + .proc_handler = &proc_dointvec,
43338 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
43340 + .procname = "audit_chdir",
43341 + .data = &grsec_enable_chdir,
43342 + .maxlen = sizeof(int),
43344 + .proc_handler = &proc_dointvec,
43347 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
43349 + .procname = "audit_mount",
43350 + .data = &grsec_enable_mount,
43351 + .maxlen = sizeof(int),
43353 + .proc_handler = &proc_dointvec,
43356 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
43358 + .procname = "audit_textrel",
43359 + .data = &grsec_enable_audit_textrel,
43360 + .maxlen = sizeof(int),
43362 + .proc_handler = &proc_dointvec,
43365 +#ifdef CONFIG_GRKERNSEC_DMESG
43367 + .procname = "dmesg",
43368 + .data = &grsec_enable_dmesg,
43369 + .maxlen = sizeof(int),
43371 + .proc_handler = &proc_dointvec,
43374 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
43376 + .procname = "chroot_findtask",
43377 + .data = &grsec_enable_chroot_findtask,
43378 + .maxlen = sizeof(int),
43380 + .proc_handler = &proc_dointvec,
43383 +#ifdef CONFIG_GRKERNSEC_RESLOG
43385 + .procname = "resource_logging",
43386 + .data = &grsec_resource_logging,
43387 + .maxlen = sizeof(int),
43389 + .proc_handler = &proc_dointvec,
43392 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
43394 + .procname = "audit_ptrace",
43395 + .data = &grsec_enable_audit_ptrace,
43396 + .maxlen = sizeof(int),
43398 + .proc_handler = &proc_dointvec,
43401 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
43403 + .procname = "harden_ptrace",
43404 + .data = &grsec_enable_harden_ptrace,
43405 + .maxlen = sizeof(int),
43407 + .proc_handler = &proc_dointvec,
43411 + .procname = "grsec_lock",
43412 + .data = &grsec_lock,
43413 + .maxlen = sizeof(int),
43415 + .proc_handler = &proc_dointvec,
43418 +#ifdef CONFIG_GRKERNSEC_ROFS
43420 + .procname = "romount_protect",
43421 + .data = &grsec_enable_rofs,
43422 + .maxlen = sizeof(int),
43424 + .proc_handler = &proc_dointvec_minmax,
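Review bot: Every toggle in grsecurity_table is registered with `proc_dointvec`, so any integer, including a negative one, is accepted for the on/off flags and for the `*_gid` entries; only `romount_protect` uses `proc_dointvec_minmax`. Bounding the flags, e.g. `.proc_handler = &proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one,`, would make the accepted values explicit. This needs a `zero` next to the existing `one`, which is currently defined only under CONFIG_GRKERNSEC_ROFS. The `.mode` lines of the entries are not shown in this listing, so who may write these files cannot be checked here.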
43432 diff -urNp linux-2.6.36.2/grsecurity/grsec_time.c linux-2.6.36.2/grsecurity/grsec_time.c
43433 --- linux-2.6.36.2/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
43434 +++ linux-2.6.36.2/grsecurity/grsec_time.c 2010-12-09 20:24:32.000000000 -0500
43436 +#include <linux/kernel.h>
43437 +#include <linux/sched.h>
43438 +#include <linux/grinternal.h>
43441 +gr_log_timechange(void)
43443 +#ifdef CONFIG_GRKERNSEC_TIME
43444 + if (grsec_enable_time)
43445 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
43449 diff -urNp linux-2.6.36.2/grsecurity/grsec_tpe.c linux-2.6.36.2/grsecurity/grsec_tpe.c
43450 --- linux-2.6.36.2/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
43451 +++ linux-2.6.36.2/grsecurity/grsec_tpe.c 2010-12-09 20:24:32.000000000 -0500
43453 +#include <linux/kernel.h>
43454 +#include <linux/sched.h>
43455 +#include <linux/file.h>
43456 +#include <linux/fs.h>
43457 +#include <linux/grinternal.h>
43459 +extern int gr_acl_tpe_check(void);
43462 +gr_tpe_allow(const struct file *file)
43464 +#ifdef CONFIG_GRKERNSEC
43465 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
43466 + const struct cred *cred = current_cred();
43468 + if (cred->uid && ((grsec_enable_tpe &&
43469 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
43470 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
43471 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
43473 + in_group_p(grsec_tpe_gid)
43475 + ) || gr_acl_tpe_check()) &&
43476 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
43477 + (inode->i_mode & S_IWOTH))))) {
43478 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
43481 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
43482 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
43483 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
43484 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
43485 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
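Review bot: gr_tpe_allow reads `file->f_path.dentry->d_parent->d_inode` directly, without taking a reference on the parent dentry, so a concurrent rename of the file could change `d_parent` while the owner and mode checks run. Unless the caller is known to pin the parent, take it with `struct dentry *parent = dget_parent(file->f_path.dentry);`, read `parent->d_inode`, and call `dput(parent)` on every return path. The return statements are not shown in this listing, so the number of exit paths needs checking against the full file.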
43492 diff -urNp linux-2.6.36.2/grsecurity/grsum.c linux-2.6.36.2/grsecurity/grsum.c
43493 --- linux-2.6.36.2/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
43494 +++ linux-2.6.36.2/grsecurity/grsum.c 2010-12-09 20:24:32.000000000 -0500
43496 +#include <linux/err.h>
43497 +#include <linux/kernel.h>
43498 +#include <linux/sched.h>
43499 +#include <linux/mm.h>
43500 +#include <linux/scatterlist.h>
43501 +#include <linux/crypto.h>
43502 +#include <linux/gracl.h>
43505 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
43506 +#error "crypto and sha256 must be built into the kernel"
43510 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
43513 + struct crypto_hash *tfm;
43514 + struct hash_desc desc;
43515 + struct scatterlist sg;
43516 + unsigned char temp_sum[GR_SHA_LEN];
43517 + volatile int retval = 0;
43518 + volatile int dummy = 0;
43521 + sg_init_table(&sg, 1);
43523 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
43524 + if (IS_ERR(tfm)) {
43525 + /* should never happen, since sha256 should be built in */
43532 + crypto_hash_init(&desc);
43535 + sg_set_buf(&sg, p, GR_SALT_LEN);
43536 + crypto_hash_update(&desc, &sg, sg.length);
43539 + sg_set_buf(&sg, p, strlen(p));
43541 + crypto_hash_update(&desc, &sg, sg.length);
43543 + crypto_hash_final(&desc, temp_sum);
43545 + memset(entry->pw, 0, GR_PW_LEN);
43547 + for (i = 0; i < GR_SHA_LEN; i++)
43548 + if (sum[i] != temp_sum[i])
43551 + dummy = 1; // waste a cycle
43553 + crypto_free_hash(tfm);
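Review bot: The digest comparison at the end of chkpw branches on every byte (`if (sum[i] != temp_sum[i])`) and relies on `volatile` plus a `dummy = 1; // waste a cycle` store to even out timing, which gives no guarantee that both branches cost the same. A branch-free accumulate is easier to reason about: declare `unsigned char diff = 0;`, use `diff |= sum[i] ^ temp_sum[i];` in the loop, and set `retval = (diff != 0);` after it. The assignment inside the `if` and the final return are not shown in this listing, so this assumes chkpw returns non-zero on mismatch. The results of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` are also ignored, so a hashing failure leaves `temp_sum` unspecified before it is compared.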
43557 diff -urNp linux-2.6.36.2/grsecurity/Kconfig linux-2.6.36.2/grsecurity/Kconfig
43558 --- linux-2.6.36.2/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
43559 +++ linux-2.6.36.2/grsecurity/Kconfig 2010-12-09 20:24:32.000000000 -0500
43562 +# grecurity configuration
43568 + bool "Grsecurity"
43570 + select CRYPTO_SHA256
43572 + If you say Y here, you will be able to configure many features
43573 + that will enhance the security of your system. It is highly
43574 + recommended that you say Y here and read through the help
43575 + for each option so that you fully understand the features and
43576 + can evaluate their usefulness for your machine.
43579 + prompt "Security Level"
43580 + depends on GRKERNSEC
43581 + default GRKERNSEC_CUSTOM
43583 +config GRKERNSEC_LOW
43585 + select GRKERNSEC_LINK
43586 + select GRKERNSEC_FIFO
43587 + select GRKERNSEC_EXECVE
43588 + select GRKERNSEC_RANDNET
43589 + select GRKERNSEC_DMESG
43590 + select GRKERNSEC_CHROOT
43591 + select GRKERNSEC_CHROOT_CHDIR
43594 + If you choose this option, several of the grsecurity options will
43595 + be enabled that will give you greater protection against a number
43596 + of attacks, while assuring that none of your software will have any
43597 + conflicts with the additional security measures. If you run a lot
43598 + of unusual software, or you are having problems with the higher
43599 + security levels, you should say Y here. With this option, the
43600 + following features are enabled:
43602 + - Linking restrictions
43603 + - FIFO restrictions
43604 + - Enforcing RLIMIT_NPROC on execve
43605 + - Restricted dmesg
43606 + - Enforced chdir("/") on chroot
43607 + - Runtime module disabling
43609 +config GRKERNSEC_MEDIUM
43612 + select PAX_EI_PAX
43613 + select PAX_PT_PAX_FLAGS
43614 + select PAX_HAVE_ACL_FLAGS
43615 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
43616 + select GRKERNSEC_CHROOT
43617 + select GRKERNSEC_CHROOT_SYSCTL
43618 + select GRKERNSEC_LINK
43619 + select GRKERNSEC_FIFO
43620 + select GRKERNSEC_EXECVE
43621 + select GRKERNSEC_DMESG
43622 + select GRKERNSEC_RANDNET
43623 + select GRKERNSEC_FORKFAIL
43624 + select GRKERNSEC_TIME
43625 + select GRKERNSEC_SIGNAL
43626 + select GRKERNSEC_CHROOT
43627 + select GRKERNSEC_CHROOT_UNIX
43628 + select GRKERNSEC_CHROOT_MOUNT
43629 + select GRKERNSEC_CHROOT_PIVOT
43630 + select GRKERNSEC_CHROOT_DOUBLE
43631 + select GRKERNSEC_CHROOT_CHDIR
43632 + select GRKERNSEC_CHROOT_MKNOD
43633 + select GRKERNSEC_PROC
43634 + select GRKERNSEC_PROC_USERGROUP
43635 + select PAX_RANDUSTACK
43637 + select PAX_RANDMMAP
43638 + select PAX_REFCOUNT if (X86 || SPARC64)
43639 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
43642 + If you say Y here, several features in addition to those included
43643 + in the low additional security level will be enabled. These
43644 + features provide even more security to your system, though in rare
43645 + cases they may be incompatible with very old or poorly written
43646 + software. If you enable this option, make sure that your auth
43647 + service (identd) is running as gid 1001. With this option,
43648 + the following features (in addition to those provided in the
43649 + low additional security level) will be enabled:
43651 + - Failed fork logging
43652 + - Time change logging
43654 + - Deny mounts in chroot
43655 + - Deny double chrooting
43656 + - Deny sysctl writes in chroot
43657 + - Deny mknod in chroot
43658 + - Deny access to abstract AF_UNIX sockets out of chroot
43659 + - Deny pivot_root in chroot
43660 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
43661 + - /proc restrictions with special GID set to 10 (usually wheel)
43662 + - Address Space Layout Randomization (ASLR)
43663 + - Prevent exploitation of most refcount overflows
43664 + - Bounds checking of copying between the kernel and userland
43666 +config GRKERNSEC_HIGH
43668 + select GRKERNSEC_LINK
43669 + select GRKERNSEC_FIFO
43670 + select GRKERNSEC_EXECVE
43671 + select GRKERNSEC_DMESG
43672 + select GRKERNSEC_FORKFAIL
43673 + select GRKERNSEC_TIME
43674 + select GRKERNSEC_SIGNAL
43675 + select GRKERNSEC_CHROOT
43676 + select GRKERNSEC_CHROOT_SHMAT
43677 + select GRKERNSEC_CHROOT_UNIX
43678 + select GRKERNSEC_CHROOT_MOUNT
43679 + select GRKERNSEC_CHROOT_FCHDIR
43680 + select GRKERNSEC_CHROOT_PIVOT
43681 + select GRKERNSEC_CHROOT_DOUBLE
43682 + select GRKERNSEC_CHROOT_CHDIR
43683 + select GRKERNSEC_CHROOT_MKNOD
43684 + select GRKERNSEC_CHROOT_CAPS
43685 + select GRKERNSEC_CHROOT_SYSCTL
43686 + select GRKERNSEC_CHROOT_FINDTASK
43687 + select GRKERNSEC_PROC
43688 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
43689 + select GRKERNSEC_HIDESYM
43690 + select GRKERNSEC_BRUTE
43691 + select GRKERNSEC_PROC_USERGROUP
43692 + select GRKERNSEC_KMEM
43693 + select GRKERNSEC_RESLOG
43694 + select GRKERNSEC_RANDNET
43695 + select GRKERNSEC_PROC_ADD
43696 + select GRKERNSEC_CHROOT_CHMOD
43697 + select GRKERNSEC_CHROOT_NICE
43698 + select GRKERNSEC_AUDIT_MOUNT
43699 + select GRKERNSEC_MODHARDEN if (MODULES)
43700 + select GRKERNSEC_HARDEN_PTRACE
43701 + select GRKERNSEC_VM86 if (X86_32)
43703 + select PAX_RANDUSTACK
43705 + select PAX_RANDMMAP
43706 + select PAX_NOEXEC
43707 + select PAX_MPROTECT
43708 + select PAX_EI_PAX
43709 + select PAX_PT_PAX_FLAGS
43710 + select PAX_HAVE_ACL_FLAGS
43711 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
43712 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
43713 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
43714 + select PAX_SEGMEXEC if (X86_32)
43715 + select PAX_PAGEEXEC
43716 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
43717 + select PAX_EMUTRAMP if (PARISC)
43718 + select PAX_EMUSIGRT if (PARISC)
43719 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
43720 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
43721 + select PAX_REFCOUNT if (X86 || SPARC64)
43722 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
43724 + If you say Y here, many of the features of grsecurity will be
43725 + enabled, which will protect you against many kinds of attacks
43726 + against your system. The heightened security comes at a cost
43727 + of an increased chance of incompatibilities with rare software
43728 + on your machine. Since this security level enables PaX, you should
43729 + view <http://pax.grsecurity.net> and read about the PaX
43730 + project. While you are there, download chpax and run it on
43731 + binaries that cause problems with PaX. Also remember that
43732 + since the /proc restrictions are enabled, you must run your
43733 + identd as gid 1001. This security level enables the following
43734 + features in addition to those listed in the low and medium
43737 + - Additional /proc restrictions
43738 + - Chmod restrictions in chroot
43739 + - No signals, ptrace, or viewing of processes outside of chroot
43740 + - Capability restrictions in chroot
43741 + - Deny fchdir out of chroot
43742 + - Priority restrictions in chroot
43743 + - Segmentation-based implementation of PaX
43744 + - Mprotect restrictions
43745 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
43746 + - Kernel stack randomization
43747 + - Mount/unmount/remount logging
43748 + - Kernel symbol hiding
43749 + - Prevention of memory exhaustion-based exploits
43750 + - Hardening of module auto-loading
43751 + - Ptrace restrictions
43752 + - Restricted vm86 mode
43754 +config GRKERNSEC_CUSTOM
43757 + If you say Y here, you will be able to configure every grsecurity
43758 + option, which allows you to enable many more features that aren't
43759 + covered in the basic security levels. These additional features
43760 + include TPE, socket restrictions, and the sysctl system for
43761 + grsecurity. It is advised that you read through the help for
43762 + each option to determine its usefulness in your situation.
43766 +menu "Address Space Protection"
43767 +depends on GRKERNSEC
43769 +config GRKERNSEC_KMEM
43770 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
43772 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
43773 + be written to via mmap or otherwise to modify the running kernel.
43774 + /dev/port will also not be allowed to be opened. If you have module
43775 + support disabled, enabling this will close up four ways that are
43776 + currently used to insert malicious code into the running kernel.
43777 + Even with all these features enabled, we still highly recommend that
43778 + you use the RBAC system, as it is still possible for an attacker to
43779 + modify the running kernel through privileged I/O granted by ioperm/iopl.
43780 + If you are not using XFree86, you may be able to stop this additional
43781 + case by enabling the 'Disable privileged I/O' option. Though nothing
43782 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
43783 + but only to video memory, which is the only writing we allow in this
43784 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
43785 + not be allowed to mprotect it with PROT_WRITE later.
43786 + It is highly recommended that you say Y here if you meet all the
43787 + conditions above.
43789 +config GRKERNSEC_VM86
43790 + bool "Restrict VM86 mode"
43791 + depends on X86_32
43794 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
43795 + make use of a special execution mode on 32bit x86 processors called
43796 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
43797 + video cards and will still work with this option enabled. The purpose
43798 + of the option is to prevent exploitation of emulation errors in
43799 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
43800 + Nearly all users should be able to enable this option.
43802 +config GRKERNSEC_IO
43803 + bool "Disable privileged I/O"
43806 + select RTC_INTF_DEV
43807 + select RTC_DRV_CMOS
43810 + If you say Y here, all ioperm and iopl calls will return an error.
43811 + Ioperm and iopl can be used to modify the running kernel.
43812 + Unfortunately, some programs need this access to operate properly,
43813 + the most notable of which are XFree86 and hwclock. hwclock can be
43814 + remedied by having RTC support in the kernel, so real-time
43815 + clock support is enabled if this option is enabled, to ensure
43816 + that hwclock operates correctly. XFree86 still will not
43817 + operate correctly with this option enabled, so DO NOT CHOOSE Y
43818 + IF YOU USE XFree86. If you use XFree86 and you still want to
43819 + protect your kernel against modification, use the RBAC system.
43821 +config GRKERNSEC_PROC_MEMMAP
43822 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
43823 + default y if (PAX_NOEXEC || PAX_ASLR)
43824 + depends on PAX_NOEXEC || PAX_ASLR
43826 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
43827 + give no information about the addresses of its mappings if
43828 + PaX features that rely on random addresses are enabled on the task.
43829 + If you use PaX it is greatly recommended that you say Y here as it
43830 + closes up a hole that makes the full ASLR useless for suid
43833 +config GRKERNSEC_BRUTE
43834 + bool "Deter exploit bruteforcing"
43836 + If you say Y here, attempts to bruteforce exploits against forking
43837 + daemons such as apache or sshd will be deterred. When a child of a
43838 + forking daemon is killed by PaX or crashes due to an illegal
43839 + instruction, the parent process will be delayed 30 seconds upon every
43840 + subsequent fork until the administrator is able to assess the
43841 + situation and restart the daemon. It is recommended that you also
43842 + enable signal logging in the auditing section so that logs are
43843 + generated when a process performs an illegal instruction.
43845 +config GRKERNSEC_MODHARDEN
43846 + bool "Harden module auto-loading"
43847 + depends on MODULES
43849 + If you say Y here, module auto-loading in response to use of some
43850 + feature implemented by an unloaded module will be restricted to
43851 + root users. Enabling this option helps defend against attacks
43852 + by unprivileged users who abuse the auto-loading behavior to
43853 + cause a vulnerable module to load that is then exploited.
43855 + If this option prevents a legitimate use of auto-loading for a
43856 + non-root user, the administrator can execute modprobe manually
43857 + with the exact name of the module mentioned in the alert log.
43858 + Alternatively, the administrator can add the module to the list
43859 + of modules loaded at boot by modifying init scripts.
43861 + Modification of init scripts will most likely be needed on
43862 + Ubuntu servers with encrypted home directory support enabled,
43863 + as the first non-root user logging in will cause the ecb(aes),
43864 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
43866 +config GRKERNSEC_HIDESYM
43867 + bool "Hide kernel symbols"
43869 + If you say Y here, getting information on loaded modules, and
43870 + displaying all kernel symbols through a syscall will be restricted
43871 + to users with CAP_SYS_MODULE. For software compatibility reasons,
43872 + /proc/kallsyms will be restricted to the root user. The RBAC
43873 + system can hide that entry even from root.
43875 + This option also prevents leaking of kernel addresses through
43876 + several /proc entries.
43878 + Note that this option is only effective provided the following
43879 + conditions are met:
43880 + 1) The kernel using grsecurity is not precompiled by some distribution
43881 + 2) You have also enabled GRKERNSEC_DMESG
43882 + 3) You are using the RBAC system and hiding other files such as your
43883 + kernel image and System.map. Alternatively, enabling this option
43884 + causes the permissions on /boot, /lib/modules, and the kernel
43885 + source directory to change at compile time to prevent
43886 + reading by non-root users.
43887 + If the above conditions are met, this option will aid in providing a
43888 + useful protection against local kernel exploitation of overflows
43889 + and arbitrary read/write vulnerabilities.
43892 +menu "Role Based Access Control Options"
43893 +depends on GRKERNSEC
43895 +config GRKERNSEC_NO_RBAC
43896 + bool "Disable RBAC system"
43898 + If you say Y here, the /dev/grsec device will be removed from the kernel,
43899 + preventing the RBAC system from being enabled. You should only say Y
43900 + here if you have no intention of using the RBAC system, so as to prevent
43901 + an attacker with root access from misusing the RBAC system to hide files
43902 + and processes when loadable module support and /dev/[k]mem have been
43905 +config GRKERNSEC_ACL_HIDEKERN
43906 + bool "Hide kernel processes"
43908 + If you say Y here, all kernel threads will be hidden to all
43909 + processes but those whose subject has the "view hidden processes"
43912 +config GRKERNSEC_ACL_MAXTRIES
43913 + int "Maximum tries before password lockout"
43916 + This option enforces the maximum number of times a user can attempt
43917 + to authorize themselves with the grsecurity RBAC system before being
43918 + denied the ability to attempt authorization again for a specified time.
43919 + The lower the number, the harder it will be to brute-force a password.
43921 +config GRKERNSEC_ACL_TIMEOUT
43922 + int "Time to wait after max password tries, in seconds"
43925 + This option specifies the time the user must wait after attempting to
43926 + authorize to the RBAC system with the maximum number of invalid
43927 + passwords. The higher the number, the harder it will be to brute-force
43931 +menu "Filesystem Protections"
43932 +depends on GRKERNSEC
43934 +config GRKERNSEC_PROC
43935 + bool "Proc restrictions"
43937 + If you say Y here, the permissions of the /proc filesystem
43938 + will be altered to enhance system security and privacy. You MUST
43939 + choose either a user only restriction or a user and group restriction.
43940 + Depending upon the option you choose, you can either restrict users to
43941 + see only the processes they themselves run, or choose a group that can
43942 + view all processes and files normally restricted to root if you choose
43943 + the "restrict to user only" option. NOTE: If you're running identd as
43944 + a non-root user, you will have to run it as the group you specify here.
43946 +config GRKERNSEC_PROC_USER
43947 + bool "Restrict /proc to user only"
43948 + depends on GRKERNSEC_PROC
43950 + If you say Y here, non-root users will only be able to view their own
43951 + processes, and restricts them from viewing network-related information,
43952 + and viewing kernel symbol and module information.
43954 +config GRKERNSEC_PROC_USERGROUP
43955 + bool "Allow special group"
43956 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
43958 + If you say Y here, you will be able to select a group that will be
43959 + able to view all processes and network-related information. If you've
43960 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
43961 + remain hidden. This option is useful if you want to run identd as
43964 +config GRKERNSEC_PROC_GID
43965 + int "GID for special group"
43966 + depends on GRKERNSEC_PROC_USERGROUP
43969 +config GRKERNSEC_PROC_ADD
43970 + bool "Additional restrictions"
43971 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
43973 + If you say Y here, additional restrictions will be placed on
43974 + /proc that keep normal users from viewing device information and
43975 + slabinfo information that could be useful for exploits.
43977 +config GRKERNSEC_LINK
43978 + bool "Linking restrictions"
43980 + If you say Y here, /tmp race exploits will be prevented, since users
43981 + will no longer be able to follow symlinks owned by other users in
43982 + world-writable +t directories (i.e. /tmp), unless the owner of the
43983 + symlink is the owner of the directory. users will also not be
43984 + able to hardlink to files they do not own. If the sysctl option is
43985 + enabled, a sysctl option with name "linking_restrictions" is created.
43987 +config GRKERNSEC_FIFO
43988 + bool "FIFO restrictions"
43990 + If you say Y here, users will not be able to write to FIFOs they don't
43991 + own in world-writable +t directories (i.e. /tmp), unless the owner of
43992 + the FIFO is the same owner of the directory it's held in. If the sysctl
43993 + option is enabled, a sysctl option with name "fifo_restrictions" is
43996 +config GRKERNSEC_ROFS
43997 + bool "Runtime read-only mount protection"
43999 + If you say Y here, a sysctl option with name "romount_protect" will
44000 + be created. By setting this option to 1 at runtime, filesystems
44001 + will be protected in the following ways:
44002 + * No new writable mounts will be allowed
44003 + * Existing read-only mounts won't be able to be remounted read/write
44004 + * Write operations will be denied on all block devices
44005 + This option acts independently of grsec_lock: once it is set to 1,
44006 + it cannot be turned off. Therefore, please be mindful of the resulting
44007 + behavior if this option is enabled in an init script on a read-only
44008 + filesystem. This feature is mainly intended for secure embedded systems.
44010 +config GRKERNSEC_CHROOT
44011 + bool "Chroot jail restrictions"
44013 + If you say Y here, you will be able to choose several options that will
44014 + make breaking out of a chrooted jail much more difficult. If you
44015 + encounter no software incompatibilities with the following options, it
44016 + is recommended that you enable each one.
44018 +config GRKERNSEC_CHROOT_MOUNT
44019 + bool "Deny mounts"
44020 + depends on GRKERNSEC_CHROOT
44022 + If you say Y here, processes inside a chroot will not be able to
44023 + mount or remount filesystems. If the sysctl option is enabled, a
44024 + sysctl option with name "chroot_deny_mount" is created.
44026 +config GRKERNSEC_CHROOT_DOUBLE
44027 + bool "Deny double-chroots"
44028 + depends on GRKERNSEC_CHROOT
44030 + If you say Y here, processes inside a chroot will not be able to chroot
44031 + again outside the chroot. This is a widely used method of breaking
44032 + out of a chroot jail and should not be allowed. If the sysctl
44033 + option is enabled, a sysctl option with name
44034 + "chroot_deny_chroot" is created.
44036 +config GRKERNSEC_CHROOT_PIVOT
44037 + bool "Deny pivot_root in chroot"
44038 + depends on GRKERNSEC_CHROOT
44040 + If you say Y here, processes inside a chroot will not be able to use
44041 + a function called pivot_root() that was introduced in Linux 2.3.41. It
44042 + works similar to chroot in that it changes the root filesystem. This
44043 + function could be misused in a chrooted process to attempt to break out
44044 + of the chroot, and therefore should not be allowed. If the sysctl
44045 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
44048 +config GRKERNSEC_CHROOT_CHDIR
44049 + bool "Enforce chdir(\"/\") on all chroots"
44050 + depends on GRKERNSEC_CHROOT
44052 + If you say Y here, the current working directory of all newly-chrooted
44053 + applications will be set to the the root directory of the chroot.
44054 + The man page on chroot(2) states:
44055 + Note that this call does not change the current working
44056 + directory, so that `.' can be outside the tree rooted at
44057 + `/'. In particular, the super-user can escape from a
44058 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
44060 + It is recommended that you say Y here, since it's not known to break
44061 + any software. If the sysctl option is enabled, a sysctl option with
44062 + name "chroot_enforce_chdir" is created.
44064 +config GRKERNSEC_CHROOT_CHMOD
44065 + bool "Deny (f)chmod +s"
44066 + depends on GRKERNSEC_CHROOT
44068 + If you say Y here, processes inside a chroot will not be able to chmod
44069 + or fchmod files to make them have suid or sgid bits. This protects
44070 + against another published method of breaking a chroot. If the sysctl
44071 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
44074 +config GRKERNSEC_CHROOT_FCHDIR
44075 + bool "Deny fchdir out of chroot"
44076 + depends on GRKERNSEC_CHROOT
44078 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
44079 + to a file descriptor of the chrooting process that points to a directory
44080 + outside the filesystem will be stopped. If the sysctl option
44081 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
44083 +config GRKERNSEC_CHROOT_MKNOD
44084 + bool "Deny mknod"
44085 + depends on GRKERNSEC_CHROOT
44087 + If you say Y here, processes inside a chroot will not be allowed to
44088 + mknod. The problem with using mknod inside a chroot is that it
44089 + would allow an attacker to create a device entry that is the same
44090 + as one on the physical root of your system, which could range from
44091 + anything from the console device to a device for your harddrive (which
44092 + they could then use to wipe the drive or steal data). It is recommended
44093 + that you say Y here, unless you run into software incompatibilities.
44094 + If the sysctl option is enabled, a sysctl option with name
44095 + "chroot_deny_mknod" is created.
44097 +config GRKERNSEC_CHROOT_SHMAT
44098 + bool "Deny shmat() out of chroot"
44099 + depends on GRKERNSEC_CHROOT
44101 + If you say Y here, processes inside a chroot will not be able to attach
44102 + to shared memory segments that were created outside of the chroot jail.
44103 + It is recommended that you say Y here. If the sysctl option is enabled,
44104 + a sysctl option with name "chroot_deny_shmat" is created.
44106 +config GRKERNSEC_CHROOT_UNIX
44107 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
44108 + depends on GRKERNSEC_CHROOT
44110 + If you say Y here, processes inside a chroot will not be able to
44111 + connect to abstract (meaning not belonging to a filesystem) Unix
44112 + domain sockets that were bound outside of a chroot. It is recommended
44113 + that you say Y here. If the sysctl option is enabled, a sysctl option
44114 + with name "chroot_deny_unix" is created.
44116 +config GRKERNSEC_CHROOT_FINDTASK
44117 + bool "Protect outside processes"
44118 + depends on GRKERNSEC_CHROOT
44120 + If you say Y here, processes inside a chroot will not be able to
44121 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
44122 + getsid, or view any process outside of the chroot. If the sysctl
44123 + option is enabled, a sysctl option with name "chroot_findtask" is
44126 +config GRKERNSEC_CHROOT_NICE
44127 + bool "Restrict priority changes"
44128 + depends on GRKERNSEC_CHROOT
44130 + If you say Y here, processes inside a chroot will not be able to raise
44131 + the priority of processes in the chroot, or alter the priority of
44132 + processes outside the chroot. This provides more security than simply
44133 + removing CAP_SYS_NICE from the process' capability set. If the
44134 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
44137 +config GRKERNSEC_CHROOT_SYSCTL
44138 + bool "Deny sysctl writes"
44139 + depends on GRKERNSEC_CHROOT
44141 + If you say Y here, an attacker in a chroot will not be able to
44142 + write to sysctl entries, either by sysctl(2) or through a /proc
44143 + interface. It is strongly recommended that you say Y here. If the
44144 + sysctl option is enabled, a sysctl option with name
44145 + "chroot_deny_sysctl" is created.
44147 +config GRKERNSEC_CHROOT_CAPS
44148 + bool "Capability restrictions"
44149 + depends on GRKERNSEC_CHROOT
44151 + If you say Y here, the capabilities on all root processes within a
44152 + chroot jail will be lowered to stop module insertion, raw i/o,
44153 + system and net admin tasks, rebooting the system, modifying immutable
44154 + files, modifying IPC owned by another, and changing the system time.
44155 + This is left an option because it can break some apps. Disable this
44156 + if your chrooted apps are having problems performing those kinds of
44157 + tasks. If the sysctl option is enabled, a sysctl option with
44158 + name "chroot_caps" is created.
44161 +menu "Kernel Auditing"
44162 +depends on GRKERNSEC
44164 +config GRKERNSEC_AUDIT_GROUP
44165 + bool "Single group for auditing"
44167 + If you say Y here, the exec, chdir, and (un)mount logging features
44168 + will only operate on a group you specify. This option is recommended
44169 + if you only want to watch certain users instead of having a large
44170 + amount of logs from the entire system. If the sysctl option is enabled,
44171 + a sysctl option with name "audit_group" is created.
44173 +config GRKERNSEC_AUDIT_GID
44174 + int "GID for auditing"
44175 + depends on GRKERNSEC_AUDIT_GROUP
44178 +config GRKERNSEC_EXECLOG
44179 + bool "Exec logging"
44181 + If you say Y here, all execve() calls will be logged (since the
44182 + other exec*() calls are frontends to execve(), all execution
44183 + will be logged). Useful for shell-servers that like to keep track
44184 + of their users. If the sysctl option is enabled, a sysctl option with
44185 + name "exec_logging" is created.
44186 + WARNING: This option when enabled will produce a LOT of logs, especially
44187 + on an active system.
44189 +config GRKERNSEC_RESLOG
44190 + bool "Resource logging"
44192 + If you say Y here, all attempts to overstep resource limits will
44193 + be logged with the resource name, the requested size, and the current
44194 + limit. It is highly recommended that you say Y here. If the sysctl
44195 + option is enabled, a sysctl option with name "resource_logging" is
44196 + created. If the RBAC system is enabled, the sysctl value is ignored.
44198 +config GRKERNSEC_CHROOT_EXECLOG
44199 + bool "Log execs within chroot"
44201 + If you say Y here, all executions inside a chroot jail will be logged
44202 + to syslog. This can cause a large amount of logs if certain
44203 + applications (eg. djb's daemontools) are installed on the system, and
44204 + is therefore left as an option. If the sysctl option is enabled, a
44205 + sysctl option with name "chroot_execlog" is created.
44207 +config GRKERNSEC_AUDIT_PTRACE
44208 + bool "Ptrace logging"
44210 + If you say Y here, all attempts to attach to a process via ptrace
44211 + will be logged. If the sysctl option is enabled, a sysctl option
44212 + with name "audit_ptrace" is created.
44214 +config GRKERNSEC_AUDIT_CHDIR
44215 + bool "Chdir logging"
44217 + If you say Y here, all chdir() calls will be logged. If the sysctl
44218 + option is enabled, a sysctl option with name "audit_chdir" is created.
44220 +config GRKERNSEC_AUDIT_MOUNT
44221 + bool "(Un)Mount logging"
44223 + If you say Y here, all mounts and unmounts will be logged. If the
44224 + sysctl option is enabled, a sysctl option with name "audit_mount" is
44227 +config GRKERNSEC_SIGNAL
44228 + bool "Signal logging"
44230 + If you say Y here, certain important signals will be logged, such as
44231 + SIGSEGV, which will as a result inform you of when a error in a program
44232 + occurred, which in some cases could mean a possible exploit attempt.
44233 + If the sysctl option is enabled, a sysctl option with name
44234 + "signal_logging" is created.
44236 +config GRKERNSEC_FORKFAIL
44237 + bool "Fork failure logging"
44239 + If you say Y here, all failed fork() attempts will be logged.
44240 + This could suggest a fork bomb, or someone attempting to overstep
44241 + their process limit. If the sysctl option is enabled, a sysctl option
44242 + with name "forkfail_logging" is created.
44244 +config GRKERNSEC_TIME
44245 + bool "Time change logging"
44247 + If you say Y here, any changes of the system clock will be logged.
44248 + If the sysctl option is enabled, a sysctl option with name
44249 + "timechange_logging" is created.
44251 +config GRKERNSEC_PROC_IPADDR
44252 + bool "/proc/<pid>/ipaddr support"
44254 + If you say Y here, a new entry will be added to each /proc/<pid>
44255 + directory that contains the IP address of the person using the task.
44256 + The IP is carried across local TCP and AF_UNIX stream sockets.
44257 + This information can be useful for IDS/IPSes to perform remote response
44258 + to a local attack. The entry is readable by only the owner of the
44259 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
44260 + the RBAC system), and thus does not create privacy concerns.
44262 +config GRKERNSEC_RWXMAP_LOG
44263 + bool 'Denied RWX mmap/mprotect logging'
44264 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
44266 + If you say Y here, calls to mmap() and mprotect() with explicit
44267 + usage of PROT_WRITE and PROT_EXEC together will be logged when
44268 + denied by the PAX_MPROTECT feature. If the sysctl option is
44269 + enabled, a sysctl option with name "rwxmap_logging" is created.
44271 +config GRKERNSEC_AUDIT_TEXTREL
44272 + bool 'ELF text relocations logging (READ HELP)'
44273 + depends on PAX_MPROTECT
44275 + If you say Y here, text relocations will be logged with the filename
44276 + of the offending library or binary. The purpose of the feature is
44277 + to help Linux distribution developers get rid of libraries and
44278 + binaries that need text relocations which hinder the future progress
44279 + of PaX. Only Linux distribution developers should say Y here, and
44280 + never on a production machine, as this option creates an information
44281 + leak that could aid an attacker in defeating the randomization of
44282 + a single memory region. If the sysctl option is enabled, a sysctl
44283 + option with name "audit_textrel" is created.
44287 +menu "Executable Protections"
44288 +depends on GRKERNSEC
44290 +config GRKERNSEC_EXECVE
44291 + bool "Enforce RLIMIT_NPROC on execs"
44293 + If you say Y here, users with a resource limit on processes will
44294 + have the value checked during execve() calls. The current system
44295 + only checks the system limit during fork() calls. If the sysctl option
44296 + is enabled, a sysctl option with name "execve_limiting" is created.
44298 +config GRKERNSEC_DMESG
44299 + bool "Dmesg(8) restriction"
44301 + If you say Y here, non-root users will not be able to use dmesg(8)
44302 + to view up to the last 4kb of messages in the kernel's log buffer.
44303 + The kernel's log buffer often contains kernel addresses and other
44304 + identifying information useful to an attacker in fingerprinting a
44305 + system for a targeted exploit.
44306 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
44309 +config GRKERNSEC_HARDEN_PTRACE
44310 + bool "Deter ptrace-based process snooping"
44312 + If you say Y here, TTY sniffers and other malicious monitoring
44313 + programs implemented through ptrace will be defeated. If you
44314 + have been using the RBAC system, this option has already been
44315 + enabled for several years for all users, with the ability to make
44316 + fine-grained exceptions.
44318 + This option only affects the ability of non-root users to ptrace
44319 + processes that are not a descendent of the ptracing process.
44320 + This means that strace ./binary and gdb ./binary will still work,
44321 + but attaching to arbitrary processes will not. If the sysctl
44322 + option is enabled, a sysctl option with name "harden_ptrace" is
44325 +config GRKERNSEC_TPE
44326 + bool "Trusted Path Execution (TPE)"
44328 + If you say Y here, you will be able to choose a gid to add to the
44329 + supplementary groups of users you want to mark as "untrusted."
44330 + These users will not be able to execute any files that are not in
44331 + root-owned directories writable only by root. If the sysctl option
44332 + is enabled, a sysctl option with name "tpe" is created.
44334 +config GRKERNSEC_TPE_ALL
44335 + bool "Partially restrict all non-root users"
44336 + depends on GRKERNSEC_TPE
44338 + If you say Y here, all non-root users will be covered under
44339 + a weaker TPE restriction. This is separate from, and in addition to,
44340 + the main TPE options that you have selected elsewhere. Thus, if a
44341 + "trusted" GID is chosen, this restriction applies to even that GID.
44342 + Under this restriction, all non-root users will only be allowed to
44343 + execute files in directories they own that are not group or
44344 + world-writable, or in directories owned by root and writable only by
44345 + root. If the sysctl option is enabled, a sysctl option with name
44346 + "tpe_restrict_all" is created.
44348 +config GRKERNSEC_TPE_INVERT
44349 + bool "Invert GID option"
44350 + depends on GRKERNSEC_TPE
44352 + If you say Y here, the group you specify in the TPE configuration will
44353 + decide what group TPE restrictions will be *disabled* for. This
44354 + option is useful if you want TPE restrictions to be applied to most
44355 + users on the system. If the sysctl option is enabled, a sysctl option
44356 + with name "tpe_invert" is created. Unlike other sysctl options, this
44357 + entry will default to on for backward-compatibility.
44359 +config GRKERNSEC_TPE_GID
44360 + int "GID for untrusted users"
44361 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
44364 + Setting this GID determines what group TPE restrictions will be
44365 + *enabled* for. If the sysctl option is enabled, a sysctl option
44366 + with name "tpe_gid" is created.
44368 +config GRKERNSEC_TPE_GID
44369 + int "GID for trusted users"
44370 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
44373 + Setting this GID determines what group TPE restrictions will be
44374 + *disabled* for. If the sysctl option is enabled, a sysctl option
44375 + with name "tpe_gid" is created.
44378 +menu "Network Protections"
44379 +depends on GRKERNSEC
44381 +config GRKERNSEC_RANDNET
44382 + bool "Larger entropy pools"
44384 + If you say Y here, the entropy pools used for many features of Linux
44385 + and grsecurity will be doubled in size. Since several grsecurity
44386 + features use additional randomness, it is recommended that you say Y
44387 + here. Saying Y here has a similar effect as modifying
44388 + /proc/sys/kernel/random/poolsize.
44390 +config GRKERNSEC_BLACKHOLE
44391 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
44393 + If you say Y here, neither TCP resets nor ICMP
44394 + destination-unreachable packets will be sent in response to packets
44395 + sent to ports for which no associated listening process exists.
44396 + This feature supports both IPV4 and IPV6 and exempts the
44397 + loopback interface from blackholing. Enabling this feature
44398 + makes a host more resilient to DoS attacks and reduces network
44399 + visibility against scanners.
44401 + The blackhole feature as-implemented is equivalent to the FreeBSD
44402 + blackhole feature, as it prevents RST responses to all packets, not
44403 + just SYNs. Under most application behavior this causes no
44404 + problems, but applications (like haproxy) may not close certain
44405 + connections in a way that cleanly terminates them on the remote
44406 + end, leaving the remote host in LAST_ACK state. Because of this
44407 + side-effect and to prevent intentional LAST_ACK DoSes, this
44408 + feature also adds automatic mitigation against such attacks.
44409 + The mitigation drastically reduces the amount of time a socket
44410 + can spend in LAST_ACK state. If you're using haproxy and not
44411 + all servers it connects to have this option enabled, consider
44412 + disabling this feature on the haproxy host.
44414 + If the sysctl option is enabled, two sysctl options with names
44415 + "ip_blackhole" and "lastack_retries" will be created.
44416 + While "ip_blackhole" takes the standard zero/non-zero on/off
44417 + toggle, "lastack_retries" uses the same kinds of values as
44418 + "tcp_retries1" and "tcp_retries2". The default value of 4
44419 + prevents a socket from lasting more than 45 seconds in LAST_ACK
44422 +config GRKERNSEC_SOCKET
44423 + bool "Socket restrictions"
44425 + If you say Y here, you will be able to choose from several options.
44426 + If you assign a GID on your system and add it to the supplementary
44427 + groups of users you want to restrict socket access to, this patch
44428 + will perform up to three things, based on the option(s) you choose.
44430 +config GRKERNSEC_SOCKET_ALL
44431 + bool "Deny any sockets to group"
44432 + depends on GRKERNSEC_SOCKET
44434 + If you say Y here, you will be able to choose a GID of whose users will
44435 + be unable to connect to other hosts from your machine or run server
44436 + applications from your machine. If the sysctl option is enabled, a
44437 + sysctl option with name "socket_all" is created.
44439 +config GRKERNSEC_SOCKET_ALL_GID
44440 + int "GID to deny all sockets for"
44441 + depends on GRKERNSEC_SOCKET_ALL
44444 + Here you can choose the GID to disable socket access for. Remember to
44445 + add the users you want socket access disabled for to the GID
44446 + specified here. If the sysctl option is enabled, a sysctl option
44447 + with name "socket_all_gid" is created.
44449 +config GRKERNSEC_SOCKET_CLIENT
44450 + bool "Deny client sockets to group"
44451 + depends on GRKERNSEC_SOCKET
44453 + If you say Y here, you will be able to choose a GID of whose users will
44454 + be unable to connect to other hosts from your machine, but will be
44455 + able to run servers. If this option is enabled, all users in the group
44456 + you specify will have to use passive mode when initiating ftp transfers
44457 + from the shell on your machine. If the sysctl option is enabled, a
44458 + sysctl option with name "socket_client" is created.
44460 +config GRKERNSEC_SOCKET_CLIENT_GID
44461 + int "GID to deny client sockets for"
44462 + depends on GRKERNSEC_SOCKET_CLIENT
44465 + Here you can choose the GID to disable client socket access for.
44466 + Remember to add the users you want client socket access disabled for to
44467 + the GID specified here. If the sysctl option is enabled, a sysctl
44468 + option with name "socket_client_gid" is created.
44470 +config GRKERNSEC_SOCKET_SERVER
44471 + bool "Deny server sockets to group"
44472 + depends on GRKERNSEC_SOCKET
44474 + If you say Y here, you will be able to choose a GID of whose users will
44475 + be unable to run server applications from your machine. If the sysctl
44476 + option is enabled, a sysctl option with name "socket_server" is created.
44478 +config GRKERNSEC_SOCKET_SERVER_GID
44479 + int "GID to deny server sockets for"
44480 + depends on GRKERNSEC_SOCKET_SERVER
44483 + Here you can choose the GID to disable server socket access for.
44484 + Remember to add the users you want server socket access disabled for to
44485 + the GID specified here. If the sysctl option is enabled, a sysctl
44486 + option with name "socket_server_gid" is created.
44489 +menu "Sysctl support"
44490 +depends on GRKERNSEC && SYSCTL
44492 +config GRKERNSEC_SYSCTL
44493 + bool "Sysctl support"
44495 + If you say Y here, you will be able to change the options that
44496 + grsecurity runs with at bootup, without having to recompile your
44497 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
44498 + to enable (1) or disable (0) various features. All the sysctl entries
44499 + are mutable until the "grsec_lock" entry is set to a non-zero value.
44500 + All features enabled in the kernel configuration are disabled at boot
44501 + if you do not say Y to the "Turn on features by default" option.
44502 + All options should be set at startup, and the grsec_lock entry should
44503 + be set to a non-zero value after all the options are set.
44504 + *THIS IS EXTREMELY IMPORTANT*
44506 +config GRKERNSEC_SYSCTL_DISTRO
44507 + bool "Extra sysctl support for distro makers (READ HELP)"
44508 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
44510 + If you say Y here, additional sysctl options will be created
44511 + for features that affect processes running as root. Therefore,
44512 + it is critical when using this option that the grsec_lock entry be
44513 + enabled after boot. Only distros with prebuilt kernel packages
44514 + with this option enabled that can ensure grsec_lock is enabled
44515 + after boot should use this option.
44516 + *Failure to set grsec_lock after boot makes all grsec features
44517 + this option covers useless*
44519 + Currently this option creates the following sysctl entries:
44520 + "Disable Privileged I/O": "disable_priv_io"
44522 +config GRKERNSEC_SYSCTL_ON
44523 + bool "Turn on features by default"
44524 + depends on GRKERNSEC_SYSCTL
44526 + If you say Y here, instead of having all features enabled in the
44527 + kernel configuration disabled at boot time, the features will be
44528 + enabled at boot time. It is recommended you say Y here unless
44529 + there is some reason you would want all sysctl-tunable features to
44530 + be disabled by default. As mentioned elsewhere, it is important
44531 + to enable the grsec_lock entry once you have finished modifying
44532 + the sysctl entries.
44535 +menu "Logging Options"
44536 +depends on GRKERNSEC
44538 +config GRKERNSEC_FLOODTIME
44539 + int "Seconds in between log messages (minimum)"
44542 + This option allows you to enforce the number of seconds between
44543 + grsecurity log messages. The default should be suitable for most
44544 + people, however, if you choose to change it, choose a value small enough
44545 + to allow informative logs to be produced, but large enough to
44546 + prevent flooding.
44548 +config GRKERNSEC_FLOODBURST
44549 + int "Number of messages in a burst (maximum)"
44552 + This option allows you to choose the maximum number of messages allowed
44553 + within the flood time interval you chose in a separate option. The
44554 + default should be suitable for most people, however if you find that
44555 + many of your logs are being interpreted as flooding, you may want to
44556 + raise this value.
44561 diff -urNp linux-2.6.36.2/grsecurity/Makefile linux-2.6.36.2/grsecurity/Makefile
44562 --- linux-2.6.36.2/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
44563 +++ linux-2.6.36.2/grsecurity/Makefile 2010-12-09 20:24:32.000000000 -0500
44565 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
44566 +# during 2001-2009 it has been completely redesigned by Brad Spengler
44567 +# into an RBAC system
44569 +# All code in this directory and various hooks inserted throughout the kernel
44570 +# are copyright Brad Spengler - Open Source Security, Inc., and released
44571 +# under the GPL v2 or higher
44573 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
44574 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
44575 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
44577 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
44578 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
44579 + gracl_learn.o grsec_log.o
44580 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
44582 +ifndef CONFIG_GRKERNSEC
44583 +obj-y += grsec_disabled.o
44586 +ifdef CONFIG_GRKERNSEC_HIDESYM
44587 +extra-y := grsec_hidesym.o
44588 +$(obj)/grsec_hidesym.o:
44589 + @-chmod -f 500 /boot
44590 + @-chmod -f 500 /lib/modules
44592 + @echo ' grsec: protected kernel image paths'
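Review bot: The `grsec_hidesym.o` rule runs `chmod -f 500` on `/boot` and `/lib/modules` of the machine doing the build, which is a side effect outside the source tree and may not be the machine that will boot this kernel. Both visible `chmod` lines carry the `-` prefix and `-f`, so an unprivileged build fails silently while the closing `@echo` still prints "protected kernel image paths". I would move the permission change to an install-time step, or at least tie the message to success: `@chmod -f 500 /boot /lib/modules && echo ' grsec: protected kernel image paths' || echo ' grsec: WARNING: could not restrict /boot and /lib/modules'`. Whoever deploys the kernel should verify the resulting modes on the target host either way.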
44594 diff -urNp linux-2.6.36.2/include/acpi/acoutput.h linux-2.6.36.2/include/acpi/acoutput.h
44595 --- linux-2.6.36.2/include/acpi/acoutput.h 2010-10-20 16:30:22.000000000 -0400
44596 +++ linux-2.6.36.2/include/acpi/acoutput.h 2010-12-09 20:24:04.000000000 -0500
44597 @@ -269,8 +269,8 @@
44598 * leaving no executable debug code!
44600 #define ACPI_FUNCTION_NAME(a)
44601 -#define ACPI_DEBUG_PRINT(pl)
44602 -#define ACPI_DEBUG_PRINT_RAW(pl)
44603 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
44604 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
44606 #endif /* ACPI_DEBUG_OUTPUT */
44608 diff -urNp linux-2.6.36.2/include/acpi/acpi_drivers.h linux-2.6.36.2/include/acpi/acpi_drivers.h
44609 --- linux-2.6.36.2/include/acpi/acpi_drivers.h 2010-10-20 16:30:22.000000000 -0400
44610 +++ linux-2.6.36.2/include/acpi/acpi_drivers.h 2010-12-09 20:24:04.000000000 -0500
44611 @@ -121,8 +121,8 @@ int acpi_processor_set_thermal_limit(acp
44613 -------------------------------------------------------------------------- */
44614 struct acpi_dock_ops {
44615 - acpi_notify_handler handler;
44616 - acpi_notify_handler uevent;
44617 + const acpi_notify_handler handler;
44618 + const acpi_notify_handler uevent;
44621 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
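Review bot: Qualifying `handler` and `uevent` as `const` inside `struct acpi_dock_ops` forces every instance to be fully initialised at its definition, so any driver that fills these fields in after allocation stops compiling; the callers are not visible in this hunk. The member qualifier alone also does not place an instance in read-only memory: that needs the object itself to be defined `static const struct acpi_dock_ops`. The `const struct acpi_dock_ops *ops` parameters in the two following hunks allow this but do not require it. A comment above the struct would record the intent, e.g. `/* ops tables are immutable: define instances as static const */`.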
44622 @@ -130,7 +130,7 @@ extern int is_dock_device(acpi_handle ha
44623 extern int register_dock_notifier(struct notifier_block *nb);
44624 extern void unregister_dock_notifier(struct notifier_block *nb);
44625 extern int register_hotplug_dock_device(acpi_handle handle,
44626 - struct acpi_dock_ops *ops,
44627 + const struct acpi_dock_ops *ops,
44629 extern void unregister_hotplug_dock_device(acpi_handle handle);
44631 @@ -146,7 +146,7 @@ static inline void unregister_dock_notif
44634 static inline int register_hotplug_dock_device(acpi_handle handle,
44635 - struct acpi_dock_ops *ops,
44636 + const struct acpi_dock_ops *ops,
44640 diff -urNp linux-2.6.36.2/include/asm-generic/atomic-long.h linux-2.6.36.2/include/asm-generic/atomic-long.h
44641 --- linux-2.6.36.2/include/asm-generic/atomic-long.h 2010-10-20 16:30:22.000000000 -0400
44642 +++ linux-2.6.36.2/include/asm-generic/atomic-long.h 2010-12-09 20:24:07.000000000 -0500
44645 typedef atomic64_t atomic_long_t;
44647 +#ifdef CONFIG_PAX_REFCOUNT
44648 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
44650 +typedef atomic64_t atomic_long_unchecked_t;
44653 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
44655 static inline long atomic_long_read(atomic_long_t *l)
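Review bot: `atomic_long_unchecked_t` is introduced without a comment saying when a caller may choose it over `atomic_long_t`, and the `_unchecked` accessors added in the following hunks of this file have the same gap. With CONFIG_PAX_REFCOUNT the unchecked type is distinct from the regular one, so using it opts a counter out of whatever checking that option adds (presumably overflow detection; the checked implementation is not in these hunks). A comment above the typedef would keep that choice reviewable, e.g. `/* _unchecked: only for counters where wraparound is harmless (statistics, sequence numbers), never for reference counts */`. The 32-bit typedef in the `@@ -140,6 +209,12 @@` hunk needs the same comment.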
44656 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
44657 return (long)atomic64_read(v);
44660 +#ifdef CONFIG_PAX_REFCOUNT
44661 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
44663 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44665 + return (long)atomic64_read_unchecked(v);
44669 static inline void atomic_long_set(atomic_long_t *l, long i)
44671 atomic64_t *v = (atomic64_t *)l;
44672 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
44673 atomic64_set(v, i);
44676 +#ifdef CONFIG_PAX_REFCOUNT
44677 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
44679 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44681 + atomic64_set_unchecked(v, i);
44685 static inline void atomic_long_inc(atomic_long_t *l)
44687 atomic64_t *v = (atomic64_t *)l;
44688 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
44692 +#ifdef CONFIG_PAX_REFCOUNT
44693 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
44695 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44697 + atomic64_inc_unchecked(v);
44701 static inline void atomic_long_dec(atomic_long_t *l)
44703 atomic64_t *v = (atomic64_t *)l;
44704 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
44708 +#ifdef CONFIG_PAX_REFCOUNT
44709 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44711 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44713 + atomic64_dec_unchecked(v);
44717 static inline void atomic_long_add(long i, atomic_long_t *l)
44719 atomic64_t *v = (atomic64_t *)l;
44720 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
44721 atomic64_add(i, v);
44724 +#ifdef CONFIG_PAX_REFCOUNT
44725 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44727 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44729 + atomic64_add_unchecked(i, v);
44733 static inline void atomic_long_sub(long i, atomic_long_t *l)
44735 atomic64_t *v = (atomic64_t *)l;
44736 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
44737 atomic64_sub(i, v);
44740 +#ifdef CONFIG_PAX_REFCOUNT
44741 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
44743 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44745 + atomic64_sub_unchecked(i, v);
44749 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
44751 atomic64_t *v = (atomic64_t *)l;
44752 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
44753 return (long)atomic64_inc_return(v);
44756 +#ifdef CONFIG_PAX_REFCOUNT
44757 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44759 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44761 + return (long)atomic64_inc_return_unchecked(v);
44765 static inline long atomic_long_dec_return(atomic_long_t *l)
44767 atomic64_t *v = (atomic64_t *)l;
44768 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
44770 typedef atomic_t atomic_long_t;
44772 +#ifdef CONFIG_PAX_REFCOUNT
44773 +typedef atomic_unchecked_t atomic_long_unchecked_t;
44775 +typedef atomic_t atomic_long_unchecked_t;
44778 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
44779 static inline long atomic_long_read(atomic_long_t *l)
44781 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
44782 return (long)atomic_read(v);
44785 +#ifdef CONFIG_PAX_REFCOUNT
44786 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
44788 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44790 + return (long)atomic_read_unchecked(v);
44794 static inline void atomic_long_set(atomic_long_t *l, long i)
44796 atomic_t *v = (atomic_t *)l;
44797 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
44801 +#ifdef CONFIG_PAX_REFCOUNT
44802 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
44804 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44806 + atomic_set_unchecked(v, i);
44810 static inline void atomic_long_inc(atomic_long_t *l)
44812 atomic_t *v = (atomic_t *)l;
44813 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
44817 +#ifdef CONFIG_PAX_REFCOUNT
44818 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
44820 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44822 + atomic_inc_unchecked(v);
44826 static inline void atomic_long_dec(atomic_long_t *l)
44828 atomic_t *v = (atomic_t *)l;
44829 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
44833 +#ifdef CONFIG_PAX_REFCOUNT
44834 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44836 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44838 + atomic_dec_unchecked(v);
44842 static inline void atomic_long_add(long i, atomic_long_t *l)
44844 atomic_t *v = (atomic_t *)l;
44845 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
44849 +#ifdef CONFIG_PAX_REFCOUNT
44850 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44852 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44854 + atomic_add_unchecked(i, v);
44858 static inline void atomic_long_sub(long i, atomic_long_t *l)
44860 atomic_t *v = (atomic_t *)l;
44861 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
44865 +#ifdef CONFIG_PAX_REFCOUNT
44866 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
44868 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44870 + atomic_sub_unchecked(i, v);
44874 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
44876 atomic_t *v = (atomic_t *)l;
44877 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
44878 return (long)atomic_inc_return(v);
44881 +#ifdef CONFIG_PAX_REFCOUNT
44882 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44884 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44886 + return (long)atomic_inc_return_unchecked(v);
44890 static inline long atomic_long_dec_return(atomic_long_t *l)
44892 atomic_t *v = (atomic_t *)l;
44893 @@ -255,4 +393,41 @@ static inline long atomic_long_add_unles
44895 #endif /* BITS_PER_LONG == 64 */
44897 +#ifdef CONFIG_PAX_REFCOUNT
44898 +static inline void pax_refcount_needs_these_functions(void)
44900 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
44901 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
44902 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
44903 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
44904 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
44905 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
44906 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
44908 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
44909 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
44910 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
44911 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
44912 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
44913 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
44914 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
44917 +#define atomic_read_unchecked(v) atomic_read(v)
44918 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
44919 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
44920 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
44921 +#define atomic_inc_unchecked(v) atomic_inc(v)
44922 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
44923 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
44925 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
44926 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
44927 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
44928 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
44929 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
44930 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
44931 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
44934 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
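Review bot: `pax_refcount_needs_these_functions()` passes NULL to every accessor and carries no comment, so it reads like a defect unless the reader already knows it is never called and only makes the compiler check that each `_unchecked` primitive is declared. In the lines shown it lists `atomic_long_dec_unchecked` but not `atomic_dec_unchecked`, which the 32-bit `atomic_long_dec_unchecked` wrapper earlier in this file calls, and the fallback macro list that follows has the same gap. I would add `atomic_dec_unchecked((atomic_unchecked_t *)NULL);` to the function and `#define atomic_dec_unchecked(v) atomic_dec(v)` to the macros, plus `/* never called: compile-time check that the arch provides these */` above the function.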
44935 diff -urNp linux-2.6.36.2/include/asm-generic/dma-mapping-common.h linux-2.6.36.2/include/asm-generic/dma-mapping-common.h
44936 --- linux-2.6.36.2/include/asm-generic/dma-mapping-common.h 2010-10-20 16:30:22.000000000 -0400
44937 +++ linux-2.6.36.2/include/asm-generic/dma-mapping-common.h 2010-12-09 20:24:07.000000000 -0500
44938 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
44939 enum dma_data_direction dir,
44940 struct dma_attrs *attrs)
44942 - struct dma_map_ops *ops = get_dma_ops(dev);
44943 + const struct dma_map_ops *ops = get_dma_ops(dev);
44946 kmemcheck_mark_initialized(ptr, size);
44947 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
44948 enum dma_data_direction dir,
44949 struct dma_attrs *attrs)
44951 - struct dma_map_ops *ops = get_dma_ops(dev);
44952 + const struct dma_map_ops *ops = get_dma_ops(dev);
44954 BUG_ON(!valid_dma_direction(dir));
44955 if (ops->unmap_page)
44956 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
44957 int nents, enum dma_data_direction dir,
44958 struct dma_attrs *attrs)
44960 - struct dma_map_ops *ops = get_dma_ops(dev);
44961 + const struct dma_map_ops *ops = get_dma_ops(dev);
44963 struct scatterlist *s;
44965 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
44966 int nents, enum dma_data_direction dir,
44967 struct dma_attrs *attrs)
44969 - struct dma_map_ops *ops = get_dma_ops(dev);
44970 + const struct dma_map_ops *ops = get_dma_ops(dev);
44972 BUG_ON(!valid_dma_direction(dir));
44973 debug_dma_unmap_sg(dev, sg, nents, dir);
44974 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
44975 size_t offset, size_t size,
44976 enum dma_data_direction dir)
44978 - struct dma_map_ops *ops = get_dma_ops(dev);
44979 + const struct dma_map_ops *ops = get_dma_ops(dev);
44982 kmemcheck_mark_initialized(page_address(page) + offset, size);
44983 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
44984 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
44985 size_t size, enum dma_data_direction dir)
44987 - struct dma_map_ops *ops = get_dma_ops(dev);
44988 + const struct dma_map_ops *ops = get_dma_ops(dev);
44990 BUG_ON(!valid_dma_direction(dir));
44991 if (ops->unmap_page)
44992 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
44994 enum dma_data_direction dir)
44996 - struct dma_map_ops *ops = get_dma_ops(dev);
44997 + const struct dma_map_ops *ops = get_dma_ops(dev);
44999 BUG_ON(!valid_dma_direction(dir));
45000 if (ops->sync_single_for_cpu)
45001 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
45002 dma_addr_t addr, size_t size,
45003 enum dma_data_direction dir)
45005 - struct dma_map_ops *ops = get_dma_ops(dev);
45006 + const struct dma_map_ops *ops = get_dma_ops(dev);
45008 BUG_ON(!valid_dma_direction(dir));
45009 if (ops->sync_single_for_device)
45010 @@ -139,7 +139,7 @@ static inline void
45011 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
45012 int nelems, enum dma_data_direction dir)
45014 - struct dma_map_ops *ops = get_dma_ops(dev);
45015 + const struct dma_map_ops *ops = get_dma_ops(dev);
45017 BUG_ON(!valid_dma_direction(dir));
45018 if (ops->sync_sg_for_cpu)
45019 @@ -151,7 +151,7 @@ static inline void
45020 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
45021 int nelems, enum dma_data_direction dir)
45023 - struct dma_map_ops *ops = get_dma_ops(dev);
45024 + const struct dma_map_ops *ops = get_dma_ops(dev);
45026 BUG_ON(!valid_dma_direction(dir));
45027 if (ops->sync_sg_for_device)
45028 diff -urNp linux-2.6.36.2/include/asm-generic/futex.h linux-2.6.36.2/include/asm-generic/futex.h
45029 --- linux-2.6.36.2/include/asm-generic/futex.h 2010-10-20 16:30:22.000000000 -0400
45030 +++ linux-2.6.36.2/include/asm-generic/futex.h 2010-12-09 20:24:07.000000000 -0500
45032 #include <asm/errno.h>
45035 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
45036 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
45038 int op = (encoded_op >> 28) & 7;
45039 int cmp = (encoded_op >> 24) & 15;
45040 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
45044 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
45045 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
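Review bot: Only the pointer becomes `u32 __user *`; `oldval` and `newval` in `futex_atomic_cmpxchg_inatomic` stay `int`, so the function now compares and stores signed values against an unsigned user word. Declaring them unsigned as well, `futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, u32 oldval, u32 newval)`, would keep the whole operation in one signedness, provided the callers and the per-architecture versions are changed in the same step; those are not visible here. The bodies of both functions lie outside these hunks.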
45049 diff -urNp linux-2.6.36.2/include/asm-generic/int-l64.h linux-2.6.36.2/include/asm-generic/int-l64.h
45050 --- linux-2.6.36.2/include/asm-generic/int-l64.h 2010-10-20 16:30:22.000000000 -0400
45051 +++ linux-2.6.36.2/include/asm-generic/int-l64.h 2010-12-09 20:24:07.000000000 -0500
45052 @@ -46,6 +46,8 @@ typedef unsigned int u32;
45053 typedef signed long s64;
45054 typedef unsigned long u64;
45056 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
45059 #define U8_C(x) x ## U
45061 diff -urNp linux-2.6.36.2/include/asm-generic/int-ll64.h linux-2.6.36.2/include/asm-generic/int-ll64.h
45062 --- linux-2.6.36.2/include/asm-generic/int-ll64.h 2010-10-20 16:30:22.000000000 -0400
45063 +++ linux-2.6.36.2/include/asm-generic/int-ll64.h 2010-12-09 20:24:07.000000000 -0500
45064 @@ -51,6 +51,8 @@ typedef unsigned int u32;
45065 typedef signed long long s64;
45066 typedef unsigned long long u64;
45068 +typedef unsigned long long intoverflow_t;
45071 #define U8_C(x) x ## U
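Review bot: `intoverflow_t` is defined here as `unsigned long long`, which is 64 bits and therefore no wider than `unsigned long` on a 64-bit kernel that pulls in int-ll64.h. If the type is meant to hold a widened size computation so an overflow can be detected (its uses are not in this hunk), it offers no headroom on such builds, unlike the `mode(TI)` typedef added to int-l64.h in the previous file. Consider selecting by word size: under `#ifdef CONFIG_64BIT` use `typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));` and keep the current line otherwise. A one-line comment stating the width guarantee would make that contract visible.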
45073 diff -urNp linux-2.6.36.2/include/asm-generic/kmap_types.h linux-2.6.36.2/include/asm-generic/kmap_types.h
45074 --- linux-2.6.36.2/include/asm-generic/kmap_types.h 2010-10-20 16:30:22.000000000 -0400
45075 +++ linux-2.6.36.2/include/asm-generic/kmap_types.h 2010-12-09 20:24:07.000000000 -0500
45076 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
45078 KMAP_D(18) KM_NMI_PTE,
45080 +KMAP_D(20) KM_CLEARPAGE,
45082 * Remember to update debug_kmap_atomic() when adding new kmap types!
45084 -KMAP_D(20) KM_TYPE_NR
45085 +KMAP_D(21) KM_TYPE_NR
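Review bot: The comment kept as context in this hunk says to update `debug_kmap_atomic()` whenever a kmap type is added, and `KM_CLEARPAGE` is a new type at slot 20. That function is not part of this hunk, so confirm the same patch teaches it about `KM_CLEARPAGE`; otherwise the debug check has no context rule for the new slot. A short trailing comment on the new line naming the code path that owns the slot would also help the next person who renumbers this list.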
45089 diff -urNp linux-2.6.36.2/include/asm-generic/pgtable.h linux-2.6.36.2/include/asm-generic/pgtable.h
45090 --- linux-2.6.36.2/include/asm-generic/pgtable.h 2010-10-20 16:30:22.000000000 -0400
45091 +++ linux-2.6.36.2/include/asm-generic/pgtable.h 2010-12-09 20:24:07.000000000 -0500
45092 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
45093 unsigned long size);
45096 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
45097 +static inline unsigned long pax_open_kernel(void) { return 0; }
45100 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
45101 +static inline unsigned long pax_close_kernel(void) { return 0; }
45104 #endif /* !__ASSEMBLY__ */
45106 #endif /* _ASM_GENERIC_PGTABLE_H */
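Review bot: The generic `pax_open_kernel()` and `pax_close_kernel()` stubs return 0 without saying what the `unsigned long` result means or that they do nothing when the architecture does not define `__HAVE_ARCH_PAX_OPEN_KERNEL` / `__HAVE_ARCH_PAX_CLOSE_KERNEL`. Callers that bracket a write with these two calls will presumably compile and run on such architectures without any write protection being toggled, which is worth stating where the fallback lives. Suggested comment above the first stub: `/* no-op fallbacks: this arch has no kernel write-protection toggle; calls must still be paired */`.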
45107 diff -urNp linux-2.6.36.2/include/asm-generic/pgtable-nopmd.h linux-2.6.36.2/include/asm-generic/pgtable-nopmd.h
45108 --- linux-2.6.36.2/include/asm-generic/pgtable-nopmd.h 2010-10-20 16:30:22.000000000 -0400
45109 +++ linux-2.6.36.2/include/asm-generic/pgtable-nopmd.h 2010-12-09 20:24:07.000000000 -0500
45111 #ifndef _PGTABLE_NOPMD_H
45112 #define _PGTABLE_NOPMD_H
45114 -#ifndef __ASSEMBLY__
45116 #include <asm-generic/pgtable-nopud.h>
45120 #define __PAGETABLE_PMD_FOLDED
45122 +#define PMD_SHIFT PUD_SHIFT
45123 +#define PTRS_PER_PMD 1
45124 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
45125 +#define PMD_MASK (~(PMD_SIZE-1))
45127 +#ifndef __ASSEMBLY__
45132 * Having the pmd type consist of a pud gets the size right, and allows
45133 * us to conceptually access the pud entry that this pmd is folded into
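Review bot: `PMD_SIZE` now uses `_AC(1,UL)` and sits outside the `__ASSEMBLY__` guard, but no include of `<linux/const.h>`, where `_AC()` is defined, is visible in this hunk. If the header relies on whoever includes it to have pulled that in, an assembly file that includes it first would fail on the macro, so I would add `#include <linux/const.h>` next to the existing include. The same applies to `PUD_SIZE` in pgtable-nopud.h, the next file in this patch. A comment such as `/* constants below are also used from assembly */` above the moved block would explain why it left the guard.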
45134 @@ -16,11 +21,6 @@ struct mm_struct;
45136 typedef struct { pud_t pud; } pmd_t;
45138 -#define PMD_SHIFT PUD_SHIFT
45139 -#define PTRS_PER_PMD 1
45140 -#define PMD_SIZE (1UL << PMD_SHIFT)
45141 -#define PMD_MASK (~(PMD_SIZE-1))
45144 * The "pud_xxx()" functions here are trivial for a folded two-level
45145 * setup: the pmd is never bad, and a pmd always exists (as it's folded
45146 diff -urNp linux-2.6.36.2/include/asm-generic/pgtable-nopud.h linux-2.6.36.2/include/asm-generic/pgtable-nopud.h
45147 --- linux-2.6.36.2/include/asm-generic/pgtable-nopud.h 2010-10-20 16:30:22.000000000 -0400
45148 +++ linux-2.6.36.2/include/asm-generic/pgtable-nopud.h 2010-12-09 20:24:07.000000000 -0500
45150 #ifndef _PGTABLE_NOPUD_H
45151 #define _PGTABLE_NOPUD_H
45153 -#ifndef __ASSEMBLY__
45155 #define __PAGETABLE_PUD_FOLDED
45157 +#define PUD_SHIFT PGDIR_SHIFT
45158 +#define PTRS_PER_PUD 1
45159 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
45160 +#define PUD_MASK (~(PUD_SIZE-1))
45162 +#ifndef __ASSEMBLY__
45165 * Having the pud type consist of a pgd gets the size right, and allows
45166 * us to conceptually access the pgd entry that this pud is folded into
45169 typedef struct { pgd_t pgd; } pud_t;
45171 -#define PUD_SHIFT PGDIR_SHIFT
45172 -#define PTRS_PER_PUD 1
45173 -#define PUD_SIZE (1UL << PUD_SHIFT)
45174 -#define PUD_MASK (~(PUD_SIZE-1))
45177 * The "pgd_xxx()" functions here are trivial for a folded two-level
45178 * setup: the pud is never bad, and a pud always exists (as it's folded
45179 diff -urNp linux-2.6.36.2/include/asm-generic/vmlinux.lds.h linux-2.6.36.2/include/asm-generic/vmlinux.lds.h
45180 --- linux-2.6.36.2/include/asm-generic/vmlinux.lds.h 2010-10-20 16:30:22.000000000 -0400
45181 +++ linux-2.6.36.2/include/asm-generic/vmlinux.lds.h 2010-12-09 20:24:07.000000000 -0500
45182 @@ -209,6 +209,7 @@
45183 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
45184 VMLINUX_SYMBOL(__start_rodata) = .; \
45185 *(.rodata) *(.rodata.*) \
45186 + *(.data..read_only) \
45187 *(__vermagic) /* Kernel version magic */ \
45188 *(__markers_strings) /* Markers: strings */ \
45189 *(__tracepoints_strings)/* Tracepoints: strings */ \
45190 @@ -667,22 +668,24 @@
45191 * section in the linker script will go there too. @phdr should have
45194 - * Note that this macros defines __per_cpu_load as an absolute symbol.
45195 + * Note that this macros defines per_cpu_load as an absolute symbol.
45196 * If there is no need to put the percpu section at a predetermined
45197 * address, use PERCPU().
45199 #define PERCPU_VADDR(vaddr, phdr) \
45200 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
45201 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
45202 + per_cpu_load = .; \
45203 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
45205 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
45206 VMLINUX_SYMBOL(__per_cpu_start) = .; \
45207 *(.data..percpu..first) \
45208 - *(.data..percpu..page_aligned) \
45210 + . = ALIGN(PAGE_SIZE); \
45211 + *(.data..percpu..page_aligned) \
45212 *(.data..percpu..shared_aligned) \
45213 VMLINUX_SYMBOL(__per_cpu_end) = .; \
45215 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
45216 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
45219 * PERCPU - define output section for percpu area, simple version
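Review bot: In PERCPU_VADDR the new symbol is assigned as bare `per_cpu_load = .;` but is read back as `VMLINUX_SYMBOL(per_cpu_load)` in the `AT(...)` expression and in the final location-counter assignment. On a configuration where VMLINUX_SYMBOL adds a prefix these would name different symbols. Using one spelling throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;`, keeps them in step. The reworded comment now says the macro defines per_cpu_load as an absolute symbol, yet `__per_cpu_load` is still defined (as `. + per_cpu_load`), so the comment should name both and say how they relate. Part of the macro body is not shown in this hunk.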
45220 diff -urNp linux-2.6.36.2/include/drm/drm_pciids.h linux-2.6.36.2/include/drm/drm_pciids.h
45221 --- linux-2.6.36.2/include/drm/drm_pciids.h 2010-10-20 16:30:22.000000000 -0400
45222 +++ linux-2.6.36.2/include/drm/drm_pciids.h 2010-12-09 20:24:04.000000000 -0500
45223 @@ -419,7 +419,7 @@
45224 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
45225 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
45226 {0x1002, 0x9715, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
45228 + {0, 0, 0, 0, 0, 0}
45230 #define r128_PCI_IDS \
45231 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
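Review bot: The new list terminator `{0, 0, 0, 0, 0, 0}` carries six initializers while every entry shown around it carries seven, so the last field is still left to implicit zero-initialisation. If the aim of the change is to spell out every field (my reading; the hunk does not say), `{0, 0, 0, 0, 0, 0, 0}` would do so and match the entries. The same applies to the terminators changed in the remaining hunks of this file.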
45232 @@ -459,14 +459,14 @@
45233 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45234 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45235 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45237 + {0, 0, 0, 0, 0, 0}
45239 #define mga_PCI_IDS \
45240 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
45241 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
45242 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
45243 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
45245 + {0, 0, 0, 0, 0, 0}
45247 #define mach64_PCI_IDS \
45248 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45249 @@ -489,7 +489,7 @@
45250 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45251 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45252 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45254 + {0, 0, 0, 0, 0, 0}
45256 #define sisdrv_PCI_IDS \
45257 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45258 @@ -500,7 +500,7 @@
45259 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45260 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
45261 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
45263 + {0, 0, 0, 0, 0, 0}
45265 #define tdfx_PCI_IDS \
45266 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45267 @@ -509,7 +509,7 @@
45268 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45269 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45270 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45272 + {0, 0, 0, 0, 0, 0}
45274 #define viadrv_PCI_IDS \
45275 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45276 @@ -521,14 +521,14 @@
45277 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45278 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
45279 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
45281 + {0, 0, 0, 0, 0, 0}
45283 #define i810_PCI_IDS \
45284 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45285 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45286 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45287 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45289 + {0, 0, 0, 0, 0, 0}
45291 #define i830_PCI_IDS \
45292 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45293 @@ -536,11 +536,11 @@
45294 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45295 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45296 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45298 + {0, 0, 0, 0, 0, 0}
45300 #define gamma_PCI_IDS \
45301 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45303 + {0, 0, 0, 0, 0, 0}
45305 #define savage_PCI_IDS \
45306 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
45307 @@ -566,10 +566,10 @@
45308 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
45309 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
45310 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
45312 + {0, 0, 0, 0, 0, 0}
45314 #define ffb_PCI_IDS \
45316 + {0, 0, 0, 0, 0, 0}
45318 #define i915_PCI_IDS \
45319 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45320 @@ -603,4 +603,4 @@
45321 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45322 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45323 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45325 + {0, 0, 0, 0, 0, 0}
45326 diff -urNp linux-2.6.36.2/include/drm/drmP.h linux-2.6.36.2/include/drm/drmP.h
45327 --- linux-2.6.36.2/include/drm/drmP.h 2010-10-20 16:30:22.000000000 -0400
45328 +++ linux-2.6.36.2/include/drm/drmP.h 2010-12-09 20:24:04.000000000 -0500
45329 @@ -813,7 +813,7 @@ struct drm_driver {
45330 void (*vgaarb_irq)(struct drm_device *dev, bool state);
45332 /* Driver private ops for this object */
45333 - struct vm_operations_struct *gem_vm_ops;
45334 + const struct vm_operations_struct *gem_vm_ops;
45338 @@ -923,7 +923,7 @@ struct drm_device {
45340 /** \name Usage Counters */
45342 - int open_count; /**< Outstanding files open */
45343 + atomic_t open_count; /**< Outstanding files open */
45344 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
45345 atomic_t vma_count; /**< Outstanding vma areas open */
45346 int buf_use; /**< Buffers in use -- cannot alloc */
45347 @@ -934,7 +934,7 @@ struct drm_device {
45349 unsigned long counters;
45350 enum drm_stat_type types[15];
45351 - atomic_t counts[15];
45352 + atomic_unchecked_t counts[15];
45355 struct list_head filelist;
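Review bot: Switching `counts[15]` to `atomic_unchecked_t` comes without a comment saying why these counters are allowed to wrap, and the type name alone does not tell a later reader that the choice was deliberate. From the neighbouring fields (`counters`, `types[15]`) these look like statistics rather than reference counts, which would justify the unchecked type, but that is an inference. A one-line comment such as `/* statistics only, wrap-around is harmless */` would record the reasoning. The same comment is missing on `__HANDLE_ITEM` in include/linux/atmdev.h and on `sync_io` in include/linux/genhd.h, which get the same type change.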
45356 diff -urNp linux-2.6.36.2/include/linux/a.out.h linux-2.6.36.2/include/linux/a.out.h
45357 --- linux-2.6.36.2/include/linux/a.out.h 2010-10-20 16:30:22.000000000 -0400
45358 +++ linux-2.6.36.2/include/linux/a.out.h 2010-12-09 20:24:05.000000000 -0500
45359 @@ -39,6 +39,14 @@ enum machine_type {
45360 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
45363 +/* Constants for the N_FLAGS field */
45364 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
45365 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
45366 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
45367 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
45368 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
45369 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
45371 #if !defined (N_MAGIC)
45372 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
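Review bot: `/*#define F_PAX_RANDEXEC 16*/` is added as commented-out code, which leaves it unclear whether the value 16 in N_FLAGS is reserved or free for reuse. If the value is meant to stay reserved, a plain comment such as `/* 16 is reserved (RANDEXEC), do not reuse */` states that without a dead define. The same pattern appears in include/linux/elf.h for `EF_PAX_RANDEXEC`, `PF_RANDEXEC` and `PF_NORANDEXEC`.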
45374 diff -urNp linux-2.6.36.2/include/linux/atmdev.h linux-2.6.36.2/include/linux/atmdev.h
45375 --- linux-2.6.36.2/include/linux/atmdev.h 2010-10-20 16:30:22.000000000 -0400
45376 +++ linux-2.6.36.2/include/linux/atmdev.h 2010-12-09 20:24:06.000000000 -0500
45377 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
45380 struct k_atm_aal_stats {
45381 -#define __HANDLE_ITEM(i) atomic_t i
45382 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
45384 #undef __HANDLE_ITEM
45386 diff -urNp linux-2.6.36.2/include/linux/binfmts.h linux-2.6.36.2/include/linux/binfmts.h
45387 --- linux-2.6.36.2/include/linux/binfmts.h 2010-12-09 20:53:48.000000000 -0500
45388 +++ linux-2.6.36.2/include/linux/binfmts.h 2010-12-09 20:24:05.000000000 -0500
45389 @@ -92,6 +92,7 @@ struct linux_binfmt {
45390 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
45391 int (*load_shlib)(struct file *);
45392 int (*core_dump)(struct coredump_params *cprm);
45393 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
45394 unsigned long min_coredump; /* minimal dump size */
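Review bot: The new `handle_mprotect` member of struct linux_binfmt has no comment, unlike `min_coredump` directly below it, and nothing here says whether a binary format may leave it unset. Formats that do not set it will have a NULL pointer in this slot, so the call site (not part of this hunk) has to test it before calling. A comment like `/* optional, may be NULL; called when a mapping's protection changes */` would document the contract, though the second half of that wording should be checked against the caller.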
45397 diff -urNp linux-2.6.36.2/include/linux/blkdev.h linux-2.6.36.2/include/linux/blkdev.h
45398 --- linux-2.6.36.2/include/linux/blkdev.h 2010-12-09 20:53:48.000000000 -0500
45399 +++ linux-2.6.36.2/include/linux/blkdev.h 2010-12-09 20:54:39.000000000 -0500
45400 @@ -1249,19 +1249,19 @@ static inline int blk_integrity_rq(struc
45401 #endif /* CONFIG_BLK_DEV_INTEGRITY */
45403 struct block_device_operations {
45404 - int (*open) (struct block_device *, fmode_t);
45405 - int (*release) (struct gendisk *, fmode_t);
45406 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45407 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45408 - int (*direct_access) (struct block_device *, sector_t,
45409 + int (* const open) (struct block_device *, fmode_t);
45410 + int (* const release) (struct gendisk *, fmode_t);
45411 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45412 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45413 + int (* const direct_access) (struct block_device *, sector_t,
45414 void **, unsigned long *);
45415 - int (*media_changed) (struct gendisk *);
45416 - void (*unlock_native_capacity) (struct gendisk *);
45417 - int (*revalidate_disk) (struct gendisk *);
45418 - int (*getgeo)(struct block_device *, struct hd_geometry *);
45419 + int (* const media_changed) (struct gendisk *);
45420 + void (* const unlock_native_capacity) (struct gendisk *);
45421 + int (* const revalidate_disk) (struct gendisk *);
45422 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
45423 /* this callback is with swap_lock and sometimes page table lock held */
45424 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
45425 - struct module *owner;
45426 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
45427 + struct module * const owner;
45430 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
45431 diff -urNp linux-2.6.36.2/include/linux/byteorder/little_endian.h linux-2.6.36.2/include/linux/byteorder/little_endian.h
45432 --- linux-2.6.36.2/include/linux/byteorder/little_endian.h 2010-10-20 16:30:22.000000000 -0400
45433 +++ linux-2.6.36.2/include/linux/byteorder/little_endian.h 2010-12-09 20:24:06.000000000 -0500
45434 @@ -42,51 +42,51 @@
45436 static inline __le64 __cpu_to_le64p(const __u64 *p)
45438 - return (__force __le64)*p;
45439 + return (__force const __le64)*p;
45441 static inline __u64 __le64_to_cpup(const __le64 *p)
45443 - return (__force __u64)*p;
45444 + return (__force const __u64)*p;
45446 static inline __le32 __cpu_to_le32p(const __u32 *p)
45448 - return (__force __le32)*p;
45449 + return (__force const __le32)*p;
45451 static inline __u32 __le32_to_cpup(const __le32 *p)
45453 - return (__force __u32)*p;
45454 + return (__force const __u32)*p;
45456 static inline __le16 __cpu_to_le16p(const __u16 *p)
45458 - return (__force __le16)*p;
45459 + return (__force const __le16)*p;
45461 static inline __u16 __le16_to_cpup(const __le16 *p)
45463 - return (__force __u16)*p;
45464 + return (__force const __u16)*p;
45466 static inline __be64 __cpu_to_be64p(const __u64 *p)
45468 - return (__force __be64)__swab64p(p);
45469 + return (__force const __be64)__swab64p(p);
45471 static inline __u64 __be64_to_cpup(const __be64 *p)
45473 - return __swab64p((__u64 *)p);
45474 + return __swab64p((const __u64 *)p);
45476 static inline __be32 __cpu_to_be32p(const __u32 *p)
45478 - return (__force __be32)__swab32p(p);
45479 + return (__force const __be32)__swab32p(p);
45481 static inline __u32 __be32_to_cpup(const __be32 *p)
45483 - return __swab32p((__u32 *)p);
45484 + return __swab32p((const __u32 *)p);
45486 static inline __be16 __cpu_to_be16p(const __u16 *p)
45488 - return (__force __be16)__swab16p(p);
45489 + return (__force const __be16)__swab16p(p);
45491 static inline __u16 __be16_to_cpup(const __be16 *p)
45493 - return __swab16p((__u16 *)p);
45494 + return __swab16p((const __u16 *)p);
45496 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
45497 #define __le64_to_cpus(x) do { (void)(x); } while (0)
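Review bot: The `const` added to the value casts, as in `return (__force const __le64)*p;`, has no effect as far as the C language is concerned, because a cast to a non-pointer type yields an rvalue and its qualifiers are discarded. Only the three pointer casts in the `__be64_to_cpup`, `__be32_to_cpup` and `__be16_to_cpup` helpers, e.g. `__swab64p((const __u64 *)p)`, change anything: they stop the cast from dropping the `const` of the parameter. I would keep those three and leave the nine value casts as they were, e.g. `return (__force __le64)*p;`. The braces of the function bodies are not shown in this listing.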
45498 diff -urNp linux-2.6.36.2/include/linux/cache.h linux-2.6.36.2/include/linux/cache.h
45499 --- linux-2.6.36.2/include/linux/cache.h 2010-10-20 16:30:22.000000000 -0400
45500 +++ linux-2.6.36.2/include/linux/cache.h 2010-12-09 20:24:05.000000000 -0500
45502 #define __read_mostly
45505 +#ifndef __read_only
45506 +#define __read_only __read_mostly
45509 #ifndef ____cacheline_aligned
45510 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
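Review bot: The fallback `#define __read_only __read_mostly` means that on any configuration that does not supply its own `__read_only`, data carrying the annotation stays ordinary writable data, and the hunk adds no comment saying so. A reader who sees `__read_only` on a variable will reasonably assume it is write-protected. A comment above the fallback, e.g. `/* No write protection here: without an arch definition __read_only is only a placement hint */`, would prevent that misreading.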
45512 diff -urNp linux-2.6.36.2/include/linux/capability.h linux-2.6.36.2/include/linux/capability.h
45513 --- linux-2.6.36.2/include/linux/capability.h 2010-10-20 16:30:22.000000000 -0400
45514 +++ linux-2.6.36.2/include/linux/capability.h 2010-12-09 20:24:06.000000000 -0500
45515 @@ -558,6 +558,7 @@ extern const kernel_cap_t __cap_init_eff
45516 (security_real_capable_noaudit((t), (cap)) == 0)
45518 extern int capable(int cap);
45519 +int capable_nolog(int cap);
45521 /* audit system wants to get cap info from files as well */
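Review bot: `int capable_nolog(int cap);` is declared without `extern` and without a comment, while the line directly above it is `extern int capable(int cap);`. For consistency I would write `extern int capable_nolog(int cap);` and add a short comment on how it differs from capable(). Judging by the name it skips logging, but the definition is not part of this hunk.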
45523 diff -urNp linux-2.6.36.2/include/linux/compiler-gcc4.h linux-2.6.36.2/include/linux/compiler-gcc4.h
45524 --- linux-2.6.36.2/include/linux/compiler-gcc4.h 2010-10-20 16:30:22.000000000 -0400
45525 +++ linux-2.6.36.2/include/linux/compiler-gcc4.h 2010-12-09 20:24:06.000000000 -0500
45530 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
45531 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
45532 +#define __bos0(ptr) __bos((ptr), 0)
45533 +#define __bos1(ptr) __bos((ptr), 1)
45536 #if __GNUC_MINOR__ > 0
45537 diff -urNp linux-2.6.36.2/include/linux/compiler.h linux-2.6.36.2/include/linux/compiler.h
45538 --- linux-2.6.36.2/include/linux/compiler.h 2010-10-20 16:30:22.000000000 -0400
45539 +++ linux-2.6.36.2/include/linux/compiler.h 2010-12-09 20:24:06.000000000 -0500
45540 @@ -269,6 +269,22 @@ void ftrace_likely_update(struct ftrace_
45544 +#ifndef __alloc_size
45545 +#define __alloc_size
45560 /* Simple shorthand for a section definition */
45562 # define __section(S) __attribute__ ((__section__(#S)))
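Review bot: The fallback `#define __alloc_size` is an object-like macro, whereas include/linux/compiler-gcc4.h in this patch defines it function-like as `__alloc_size(...)`. With the fallback in effect, a use such as `__alloc_size(1)` would expand to a stray `(1)` in the declaration instead of disappearing. `#define __alloc_size(...)` makes the fallback swallow its arguments. Several added lines of this hunk are missing from the listing, so if it also adds fallbacks for `__bos` they should be checked the same way.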
45563 diff -urNp linux-2.6.36.2/include/linux/decompress/mm.h linux-2.6.36.2/include/linux/decompress/mm.h
45564 --- linux-2.6.36.2/include/linux/decompress/mm.h 2010-10-20 16:30:22.000000000 -0400
45565 +++ linux-2.6.36.2/include/linux/decompress/mm.h 2010-12-09 20:24:06.000000000 -0500
45566 @@ -78,7 +78,7 @@ static void free(void *where)
45567 * warnings when not needed (indeed large_malloc / large_free are not
45568 * needed by inflate */
45570 -#define malloc(a) kmalloc(a, GFP_KERNEL)
45571 +#define malloc(a) kmalloc((a), GFP_KERNEL)
45572 #define free(a) kfree(a)
45574 #define large_malloc(a) vmalloc(a)
45575 diff -urNp linux-2.6.36.2/include/linux/dma-mapping.h linux-2.6.36.2/include/linux/dma-mapping.h
45576 --- linux-2.6.36.2/include/linux/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
45577 +++ linux-2.6.36.2/include/linux/dma-mapping.h 2010-12-09 20:24:05.000000000 -0500
45578 @@ -16,40 +16,40 @@ enum dma_data_direction {
45581 struct dma_map_ops {
45582 - void* (*alloc_coherent)(struct device *dev, size_t size,
45583 + void* (* const alloc_coherent)(struct device *dev, size_t size,
45584 dma_addr_t *dma_handle, gfp_t gfp);
45585 - void (*free_coherent)(struct device *dev, size_t size,
45586 + void (* const free_coherent)(struct device *dev, size_t size,
45587 void *vaddr, dma_addr_t dma_handle);
45588 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
45589 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
45590 unsigned long offset, size_t size,
45591 enum dma_data_direction dir,
45592 struct dma_attrs *attrs);
45593 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
45594 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
45595 size_t size, enum dma_data_direction dir,
45596 struct dma_attrs *attrs);
45597 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
45598 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
45599 int nents, enum dma_data_direction dir,
45600 struct dma_attrs *attrs);
45601 - void (*unmap_sg)(struct device *dev,
45602 + void (* const unmap_sg)(struct device *dev,
45603 struct scatterlist *sg, int nents,
45604 enum dma_data_direction dir,
45605 struct dma_attrs *attrs);
45606 - void (*sync_single_for_cpu)(struct device *dev,
45607 + void (* const sync_single_for_cpu)(struct device *dev,
45608 dma_addr_t dma_handle, size_t size,
45609 enum dma_data_direction dir);
45610 - void (*sync_single_for_device)(struct device *dev,
45611 + void (* const sync_single_for_device)(struct device *dev,
45612 dma_addr_t dma_handle, size_t size,
45613 enum dma_data_direction dir);
45614 - void (*sync_sg_for_cpu)(struct device *dev,
45615 + void (* const sync_sg_for_cpu)(struct device *dev,
45616 struct scatterlist *sg, int nents,
45617 enum dma_data_direction dir);
45618 - void (*sync_sg_for_device)(struct device *dev,
45619 + void (* const sync_sg_for_device)(struct device *dev,
45620 struct scatterlist *sg, int nents,
45621 enum dma_data_direction dir);
45622 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
45623 - int (*dma_supported)(struct device *dev, u64 mask);
45624 - int (*set_dma_mask)(struct device *dev, u64 mask);
45626 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
45627 + int (* const dma_supported)(struct device *dev, u64 mask);
45628 + int (* set_dma_mask)(struct device *dev, u64 mask);
45629 + const int is_phys;
45632 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
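Review bot: `set_dma_mask` is the one callback in struct dma_map_ops that is left without `const` (`int (* set_dma_mask)(...)`), and the hunk gives no reason. Presumably some code assigns it at run time, but then that slot remains a writable function pointer and the exception should be documented, e.g. `/* not const: assigned at run time by <user>, see <file> */` with the actual user filled in. The stray space after `*` also differs from the other members.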
45633 diff -urNp linux-2.6.36.2/include/linux/elf.h linux-2.6.36.2/include/linux/elf.h
45634 --- linux-2.6.36.2/include/linux/elf.h 2010-10-20 16:30:22.000000000 -0400
45635 +++ linux-2.6.36.2/include/linux/elf.h 2010-12-09 20:24:06.000000000 -0500
45636 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
45637 #define PT_GNU_EH_FRAME 0x6474e550
45639 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
45640 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
45642 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
45644 +/* Constants for the e_flags field */
45645 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
45646 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
45647 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
45648 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
45649 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
45650 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
45653 * Extended Numbering
45654 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
45655 #define DT_DEBUG 21
45656 #define DT_TEXTREL 22
45657 #define DT_JMPREL 23
45658 +#define DT_FLAGS 30
45659 + #define DF_TEXTREL 0x00000004
45660 #define DT_ENCODING 32
45661 #define OLD_DT_LOOS 0x60000000
45662 #define DT_LOOS 0x6000000d
45663 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
45667 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
45668 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
45669 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
45670 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
45671 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
45672 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
45673 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
45674 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
45675 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
45676 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
45677 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
45678 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
45680 typedef struct elf32_phdr{
45682 Elf32_Off p_offset;
45683 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
45689 #define ELFMAG0 0x7f /* EI_MAG */
45690 #define ELFMAG1 'E'
45691 #define ELFMAG2 'L'
45692 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
45693 #define elf_note elf32_note
45694 #define elf_addr_t Elf32_Off
45695 #define Elf_Half Elf32_Half
45696 +#define elf_dyn Elf32_Dyn
45700 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
45701 #define elf_note elf64_note
45702 #define elf_addr_t Elf64_Off
45703 #define Elf_Half Elf64_Half
45704 +#define elf_dyn Elf64_Dyn
45708 diff -urNp linux-2.6.36.2/include/linux/fs.h linux-2.6.36.2/include/linux/fs.h
45709 --- linux-2.6.36.2/include/linux/fs.h 2010-10-20 16:30:22.000000000 -0400
45710 +++ linux-2.6.36.2/include/linux/fs.h 2010-12-09 20:24:05.000000000 -0500
45711 @@ -92,6 +92,11 @@ struct inodes_stat_t {
45712 /* Expect random access pattern */
45713 #define FMODE_RANDOM ((__force fmode_t)0x1000)
45715 +/* Hack for grsec so as not to require read permission simply to execute
45718 +#define FMODE_GREXEC ((__force fmode_t)0x2000)
45720 /* File was opened by fanotify and shouldn't generate fanotify events */
45721 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
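Review bot: `FMODE_GREXEC` takes the value 0x2000, the bit directly after `FMODE_RANDOM` (0x1000) in the shown list, with nothing marking the bit as claimed by this patch. If a later kernel assigns 0x2000 to a flag of its own, the two meanings would silently overlap after a rebase. A note in the comment, e.g. `/* out-of-tree bit: check for collisions with new FMODE_* flags when rebasing */`, or a value well away from the upstream run, would guard against that. The comment above the define is cut short in this listing, so I cannot tell whether it already says this.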
45723 @@ -569,41 +574,41 @@ typedef int (*read_actor_t)(read_descrip
45724 unsigned long, unsigned long);
45726 struct address_space_operations {
45727 - int (*writepage)(struct page *page, struct writeback_control *wbc);
45728 - int (*readpage)(struct file *, struct page *);
45729 - void (*sync_page)(struct page *);
45730 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
45731 + int (* const readpage)(struct file *, struct page *);
45732 + void (* const sync_page)(struct page *);
45734 /* Write back some dirty pages from this mapping. */
45735 - int (*writepages)(struct address_space *, struct writeback_control *);
45736 + int (* const writepages)(struct address_space *, struct writeback_control *);
45738 /* Set a page dirty. Return true if this dirtied it */
45739 - int (*set_page_dirty)(struct page *page);
45740 + int (* const set_page_dirty)(struct page *page);
45742 - int (*readpages)(struct file *filp, struct address_space *mapping,
45743 + int (* const readpages)(struct file *filp, struct address_space *mapping,
45744 struct list_head *pages, unsigned nr_pages);
45746 - int (*write_begin)(struct file *, struct address_space *mapping,
45747 + int (* const write_begin)(struct file *, struct address_space *mapping,
45748 loff_t pos, unsigned len, unsigned flags,
45749 struct page **pagep, void **fsdata);
45750 - int (*write_end)(struct file *, struct address_space *mapping,
45751 + int (* const write_end)(struct file *, struct address_space *mapping,
45752 loff_t pos, unsigned len, unsigned copied,
45753 struct page *page, void *fsdata);
45755 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
45756 - sector_t (*bmap)(struct address_space *, sector_t);
45757 - void (*invalidatepage) (struct page *, unsigned long);
45758 - int (*releasepage) (struct page *, gfp_t);
45759 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
45760 + sector_t (* const bmap)(struct address_space *, sector_t);
45761 + void (* const invalidatepage) (struct page *, unsigned long);
45762 + int (* const releasepage) (struct page *, gfp_t);
45763 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
45764 loff_t offset, unsigned long nr_segs);
45765 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
45766 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
45767 void **, unsigned long *);
45768 /* migrate the contents of a page to the specified target */
45769 - int (*migratepage) (struct address_space *,
45770 + int (* const migratepage) (struct address_space *,
45771 struct page *, struct page *);
45772 - int (*launder_page) (struct page *);
45773 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
45774 + int (* const launder_page) (struct page *);
45775 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
45777 - int (*error_remove_page)(struct address_space *, struct page *);
45778 + int (* const error_remove_page)(struct address_space *, struct page *);
45782 @@ -1029,19 +1034,19 @@ static inline int file_check_writeable(s
45783 typedef struct files_struct *fl_owner_t;
45785 struct file_lock_operations {
45786 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
45787 - void (*fl_release_private)(struct file_lock *);
45788 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
45789 + void (* const fl_release_private)(struct file_lock *);
45792 struct lock_manager_operations {
45793 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
45794 - void (*fl_notify)(struct file_lock *); /* unblock callback */
45795 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
45796 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
45797 - void (*fl_release_private)(struct file_lock *);
45798 - void (*fl_break)(struct file_lock *);
45799 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
45800 - int (*fl_change)(struct file_lock **, int);
45801 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
45802 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
45803 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
45804 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
45805 + void (* const fl_release_private)(struct file_lock *);
45806 + void (* const fl_break)(struct file_lock *);
45807 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
45808 + int (* const fl_change)(struct file_lock **, int);
45811 struct lock_manager {
45812 @@ -1442,7 +1447,7 @@ struct fiemap_extent_info {
45813 unsigned int fi_flags; /* Flags as passed from user */
45814 unsigned int fi_extents_mapped; /* Number of mapped extents */
45815 unsigned int fi_extents_max; /* Size of fiemap_extent array */
45816 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
45817 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
45820 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
45821 diff -urNp linux-2.6.36.2/include/linux/fs_struct.h linux-2.6.36.2/include/linux/fs_struct.h
45822 --- linux-2.6.36.2/include/linux/fs_struct.h 2010-10-20 16:30:22.000000000 -0400
45823 +++ linux-2.6.36.2/include/linux/fs_struct.h 2010-12-09 20:24:06.000000000 -0500
45825 #include <linux/path.h>
45833 diff -urNp linux-2.6.36.2/include/linux/genhd.h linux-2.6.36.2/include/linux/genhd.h
45834 --- linux-2.6.36.2/include/linux/genhd.h 2010-10-20 16:30:22.000000000 -0400
45835 +++ linux-2.6.36.2/include/linux/genhd.h 2010-12-09 20:24:06.000000000 -0500
45836 @@ -162,7 +162,7 @@ struct gendisk {
45838 struct timer_rand_state *random;
45840 - atomic_t sync_io; /* RAID */
45841 + atomic_unchecked_t sync_io; /* RAID */
45842 struct work_struct async_notify;
45843 #ifdef CONFIG_BLK_DEV_INTEGRITY
45844 struct blk_integrity *integrity;
45845 diff -urNp linux-2.6.36.2/include/linux/gracl.h linux-2.6.36.2/include/linux/gracl.h
45846 --- linux-2.6.36.2/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
45847 +++ linux-2.6.36.2/include/linux/gracl.h 2010-12-09 20:24:05.000000000 -0500
45852 +#include <linux/grdefs.h>
45853 +#include <linux/resource.h>
45854 +#include <linux/capability.h>
45855 +#include <linux/dcache.h>
45856 +#include <asm/resource.h>
45858 +/* Major status information */
45860 +#define GR_VERSION "grsecurity 2.2.1"
45861 +#define GRSECURITY_VERSION 0x2201
45872 + GR_SPROLEPAM = 8,
45875 +/* Password setup definitions
45876 + * kernel/grhash.c */
45879 + GR_SALT_LEN = 16,
45884 + GR_SPROLE_LEN = 64,
45887 +#define GR_NLIMITS 32
45889 +/* Begin Data Structures */
45891 +struct sprole_pw {
45892 + unsigned char *rolename;
45893 + unsigned char salt[GR_SALT_LEN];
45894 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
45897 +struct name_entry {
45904 + struct name_entry *prev;
45905 + struct name_entry *next;
45908 +struct inodev_entry {
45909 + struct name_entry *nentry;
45910 + struct inodev_entry *prev;
45911 + struct inodev_entry *next;
45914 +struct acl_role_db {
45915 + struct acl_role_label **r_hash;
45919 +struct inodev_db {
45920 + struct inodev_entry **i_hash;
45925 + struct name_entry **n_hash;
45929 +struct crash_uid {
45931 + unsigned long expires;
45934 +struct gr_hash_struct {
45936 + void **nametable;
45938 + __u32 table_size;
45943 +/* Userspace Grsecurity ACL data structures */
45945 +struct acl_subject_label {
45950 + kernel_cap_t cap_mask;
45951 + kernel_cap_t cap_lower;
45952 + kernel_cap_t cap_invert_audit;
45954 + struct rlimit res[GR_NLIMITS];
45957 + __u8 user_trans_type;
45958 + __u8 group_trans_type;
45959 + uid_t *user_transitions;
45960 + gid_t *group_transitions;
45961 + __u16 user_trans_num;
45962 + __u16 group_trans_num;
45964 + __u32 sock_families[2];
45965 + __u32 ip_proto[8];
45967 + struct acl_ip_label **ips;
45969 + __u32 inaddr_any_override;
45972 + unsigned long expires;
45974 + struct acl_subject_label *parent_subject;
45975 + struct gr_hash_struct *hash;
45976 + struct acl_subject_label *prev;
45977 + struct acl_subject_label *next;
45979 + struct acl_object_label **obj_hash;
45980 + __u32 obj_hash_size;
45984 +struct role_allowed_ip {
45988 + struct role_allowed_ip *prev;
45989 + struct role_allowed_ip *next;
45992 +struct role_transition {
45995 + struct role_transition *prev;
45996 + struct role_transition *next;
45999 +struct acl_role_label {
46004 + __u16 auth_attempts;
46005 + unsigned long expires;
46007 + struct acl_subject_label *root_label;
46008 + struct gr_hash_struct *hash;
46010 + struct acl_role_label *prev;
46011 + struct acl_role_label *next;
46013 + struct role_transition *transitions;
46014 + struct role_allowed_ip *allowed_ips;
46015 + uid_t *domain_children;
46016 + __u16 domain_child_num;
46018 + struct acl_subject_label **subj_hash;
46019 + __u32 subj_hash_size;
46022 +struct user_acl_role_db {
46023 + struct acl_role_label **r_table;
46024 + __u32 num_pointers; /* Number of allocations to track */
46025 + __u32 num_roles; /* Number of roles */
46026 + __u32 num_domain_children; /* Number of domain children */
46027 + __u32 num_subjects; /* Number of subjects */
46028 + __u32 num_objects; /* Number of objects */
46031 +struct acl_object_label {
46037 + struct acl_subject_label *nested;
46038 + struct acl_object_label *globbed;
46040 + /* next two structures not used */
46042 + struct acl_object_label *prev;
46043 + struct acl_object_label *next;
46046 +struct acl_ip_label {
46055 + /* next two structures not used */
46057 + struct acl_ip_label *prev;
46058 + struct acl_ip_label *next;
46062 + struct user_acl_role_db role_db;
46063 + unsigned char pw[GR_PW_LEN];
46064 + unsigned char salt[GR_SALT_LEN];
46065 + unsigned char sum[GR_SHA_LEN];
46066 + unsigned char sp_role[GR_SPROLE_LEN];
46067 + struct sprole_pw *sprole_pws;
46068 + dev_t segv_device;
46069 + ino_t segv_inode;
46071 + __u16 num_sprole_pws;
46075 +struct gr_arg_wrapper {
46076 + struct gr_arg *arg;
46081 +struct subject_map {
46082 + struct acl_subject_label *user;
46083 + struct acl_subject_label *kernel;
46084 + struct subject_map *prev;
46085 + struct subject_map *next;
46088 +struct acl_subj_map_db {
46089 + struct subject_map **s_hash;
46093 +/* End Data Structures Section */
46095 +/* Hash functions generated by empirical testing by Brad Spengler
46096 + Makes good use of the low bits of the inode. Generally 0-1 times
46097 + in loop for successful match. 0-3 for unsuccessful match.
46098 + Shift/add algorithm with modulus of table size and an XOR*/
46100 +static __inline__ unsigned int
46101 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
46103 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
46106 + static __inline__ unsigned int
46107 +shash(const struct acl_subject_label *userp, const unsigned int sz)
46109 + return ((const unsigned long)userp % sz);
46112 +static __inline__ unsigned int
46113 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
46115 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
46118 +static __inline__ unsigned int
46119 +nhash(const char *name, const __u16 len, const unsigned int sz)
46121 + return full_name_hash((const unsigned char *)name, len) % sz;
46124 +#define FOR_EACH_ROLE_START(role) \
46125 + role = role_list; \
46128 +#define FOR_EACH_ROLE_END(role) \
46129 + role = role->prev; \
46132 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
46135 + while (iter < role->subj_hash_size) { \
46136 + if (subj == NULL) \
46137 + subj = role->subj_hash[iter]; \
46138 + if (subj == NULL) { \
46143 +#define FOR_EACH_SUBJECT_END(subj,iter) \
46144 + subj = subj->next; \
46145 + if (subj == NULL) \
46150 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
46151 + subj = role->hash->first; \
46152 + while (subj != NULL) {
46154 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
46155 + subj = subj->next; \
46160 diff -urNp linux-2.6.36.2/include/linux/gralloc.h linux-2.6.36.2/include/linux/gralloc.h
46161 --- linux-2.6.36.2/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
46162 +++ linux-2.6.36.2/include/linux/gralloc.h 2010-12-09 20:24:06.000000000 -0500
46164 +#ifndef __GRALLOC_H
46165 +#define __GRALLOC_H
46167 +void acl_free_all(void);
46168 +int acl_alloc_stack_init(unsigned long size);
46169 +void *acl_alloc(unsigned long len);
46170 +void *acl_alloc_num(unsigned long num, unsigned long len);
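Review bot: None of the four prototypes in this new header states a contract, and `acl_alloc_num(num, len)` is where that matters most, because a `num * len` product must be overflow-checked before it reaches the allocator. The implementation is not part of this hunk, so whether it performs that check cannot be confirmed from here. If the counts passed in come from the userspace-supplied policy (the `num_*` fields of `struct user_acl_role_db` suggest they may), the check is security-relevant and belongs in the documented interface. I would add a comment above the prototype such as `/* Returns NULL if num * len would overflow or the allocation cannot be satisfied; callers must check. */`, after confirming it against the definition. A similar one-line comment on `acl_alloc_stack_init` should say what its `int` return means.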
46173 diff -urNp linux-2.6.36.2/include/linux/grdefs.h linux-2.6.36.2/include/linux/grdefs.h
46174 --- linux-2.6.36.2/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
46175 +++ linux-2.6.36.2/include/linux/grdefs.h 2010-12-09 20:24:06.000000000 -0500
46180 +/* Begin grsecurity status declarations */
46184 + GR_STATUS_INIT = 0x00 // disabled state
46187 +/* Begin ACL declarations */
46192 + GR_ROLE_USER = 0x0001,
46193 + GR_ROLE_GROUP = 0x0002,
46194 + GR_ROLE_DEFAULT = 0x0004,
46195 + GR_ROLE_SPECIAL = 0x0008,
46196 + GR_ROLE_AUTH = 0x0010,
46197 + GR_ROLE_NOPW = 0x0020,
46198 + GR_ROLE_GOD = 0x0040,
46199 + GR_ROLE_LEARN = 0x0080,
46200 + GR_ROLE_TPE = 0x0100,
46201 + GR_ROLE_DOMAIN = 0x0200,
46202 + GR_ROLE_PAM = 0x0400
46205 +/* ACL Subject and Object mode flags */
46207 + GR_DELETED = 0x80000000
46210 +/* ACL Object-only mode flags */
46212 + GR_READ = 0x00000001,
46213 + GR_APPEND = 0x00000002,
46214 + GR_WRITE = 0x00000004,
46215 + GR_EXEC = 0x00000008,
46216 + GR_FIND = 0x00000010,
46217 + GR_INHERIT = 0x00000020,
46218 + GR_SETID = 0x00000040,
46219 + GR_CREATE = 0x00000080,
46220 + GR_DELETE = 0x00000100,
46221 + GR_LINK = 0x00000200,
46222 + GR_AUDIT_READ = 0x00000400,
46223 + GR_AUDIT_APPEND = 0x00000800,
46224 + GR_AUDIT_WRITE = 0x00001000,
46225 + GR_AUDIT_EXEC = 0x00002000,
46226 + GR_AUDIT_FIND = 0x00004000,
46227 + GR_AUDIT_INHERIT= 0x00008000,
46228 + GR_AUDIT_SETID = 0x00010000,
46229 + GR_AUDIT_CREATE = 0x00020000,
46230 + GR_AUDIT_DELETE = 0x00040000,
46231 + GR_AUDIT_LINK = 0x00080000,
46232 + GR_PTRACERD = 0x00100000,
46233 + GR_NOPTRACE = 0x00200000,
46234 + GR_SUPPRESS = 0x00400000,
46235 + GR_NOLEARN = 0x00800000
46238 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
46239 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
46240 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
46242 +/* ACL subject-only mode flags */
46244 + GR_KILL = 0x00000001,
46245 + GR_VIEW = 0x00000002,
46246 + GR_PROTECTED = 0x00000004,
46247 + GR_LEARN = 0x00000008,
46248 + GR_OVERRIDE = 0x00000010,
46249 + /* just a placeholder, this mode is only used in userspace */
46250 + GR_DUMMY = 0x00000020,
46251 + GR_PROTSHM = 0x00000040,
46252 + GR_KILLPROC = 0x00000080,
46253 + GR_KILLIPPROC = 0x00000100,
46254 + /* just a placeholder, this mode is only used in userspace */
46255 + GR_NOTROJAN = 0x00000200,
46256 + GR_PROTPROCFD = 0x00000400,
46257 + GR_PROCACCT = 0x00000800,
46258 + GR_RELAXPTRACE = 0x00001000,
46259 + GR_NESTED = 0x00002000,
46260 + GR_INHERITLEARN = 0x00004000,
46261 + GR_PROCFIND = 0x00008000,
46262 + GR_POVERRIDE = 0x00010000,
46263 + GR_KERNELAUTH = 0x00020000,
46264 + GR_ATSECURE = 0x00040000
46268 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
46269 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
46270 + GR_PAX_ENABLE_MPROTECT = 0x0004,
46271 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
46272 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
46273 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
46274 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
46275 + GR_PAX_DISABLE_MPROTECT = 0x0400,
46276 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
46277 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
46281 + GR_ID_USER = 0x01,
46282 + GR_ID_GROUP = 0x02,
46286 + GR_ID_ALLOW = 0x01,
46287 + GR_ID_DENY = 0x02,
46290 +#define GR_CRASH_RES 31
46291 +#define GR_UIDTABLE_MAX 500
46293 +/* begin resource learning section */
46295 + GR_RLIM_CPU_BUMP = 60,
46296 + GR_RLIM_FSIZE_BUMP = 50000,
46297 + GR_RLIM_DATA_BUMP = 10000,
46298 + GR_RLIM_STACK_BUMP = 1000,
46299 + GR_RLIM_CORE_BUMP = 10000,
46300 + GR_RLIM_RSS_BUMP = 500000,
46301 + GR_RLIM_NPROC_BUMP = 1,
46302 + GR_RLIM_NOFILE_BUMP = 5,
46303 + GR_RLIM_MEMLOCK_BUMP = 50000,
46304 + GR_RLIM_AS_BUMP = 500000,
46305 + GR_RLIM_LOCKS_BUMP = 2,
46306 + GR_RLIM_SIGPENDING_BUMP = 5,
46307 + GR_RLIM_MSGQUEUE_BUMP = 10000,
46308 + GR_RLIM_NICE_BUMP = 1,
46309 + GR_RLIM_RTPRIO_BUMP = 1,
46310 + GR_RLIM_RTTIME_BUMP = 1000000
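Review bot: `GR_DELETED = 0x80000000` sits among enumerator lists (the opening `enum {` lines are not shown in this listing), and that value does not fit in `int`, the type ISO C gives enumeration constants before C23. GCC accepts it as an extension, but the constant's type and signedness then depend on the compiler, which is fragile for a flag that is presumably OR-ed into `__u32` mode words. An explicitly unsigned constant avoids this: `#define GR_DELETED 0x80000000U`. Separately, `GR_CRASH_RES 31` and `GR_UIDTABLE_MAX 500` have no comment saying what they index or bound; a one-line comment on each would help anyone auditing the table sizes.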
46314 diff -urNp linux-2.6.36.2/include/linux/grinternal.h linux-2.6.36.2/include/linux/grinternal.h
46315 --- linux-2.6.36.2/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
46316 +++ linux-2.6.36.2/include/linux/grinternal.h 2010-12-09 20:24:05.000000000 -0500
46318 +#ifndef __GRINTERNAL_H
46319 +#define __GRINTERNAL_H
46321 +#ifdef CONFIG_GRKERNSEC
46323 +#include <linux/fs.h>
46324 +#include <linux/mnt_namespace.h>
46325 +#include <linux/nsproxy.h>
46326 +#include <linux/gracl.h>
46327 +#include <linux/grdefs.h>
46328 +#include <linux/grmsg.h>
46330 +void gr_add_learn_entry(const char *fmt, ...)
46331 + __attribute__ ((format (printf, 1, 2)));
46332 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
46333 + const struct vfsmount *mnt);
46334 +__u32 gr_check_create(const struct dentry *new_dentry,
46335 + const struct dentry *parent,
46336 + const struct vfsmount *mnt, const __u32 mode);
46337 +int gr_check_protected_task(const struct task_struct *task);
46338 +__u32 to_gr_audit(const __u32 reqmode);
46339 +int gr_set_acls(const int type);
46341 +int gr_acl_is_enabled(void);
46342 +char gr_roletype_to_char(void);
46344 +void gr_handle_alertkill(struct task_struct *task);
46345 +char *gr_to_filename(const struct dentry *dentry,
46346 + const struct vfsmount *mnt);
46347 +char *gr_to_filename1(const struct dentry *dentry,
46348 + const struct vfsmount *mnt);
46349 +char *gr_to_filename2(const struct dentry *dentry,
46350 + const struct vfsmount *mnt);
46351 +char *gr_to_filename3(const struct dentry *dentry,
46352 + const struct vfsmount *mnt);
46354 +extern int grsec_enable_harden_ptrace;
46355 +extern int grsec_enable_link;
46356 +extern int grsec_enable_fifo;
46357 +extern int grsec_enable_execve;
46358 +extern int grsec_enable_shm;
46359 +extern int grsec_enable_execlog;
46360 +extern int grsec_enable_signal;
46361 +extern int grsec_enable_audit_ptrace;
46362 +extern int grsec_enable_forkfail;
46363 +extern int grsec_enable_time;
46364 +extern int grsec_enable_rofs;
46365 +extern int grsec_enable_chroot_shmat;
46366 +extern int grsec_enable_chroot_findtask;
46367 +extern int grsec_enable_chroot_mount;
46368 +extern int grsec_enable_chroot_double;
46369 +extern int grsec_enable_chroot_pivot;
46370 +extern int grsec_enable_chroot_chdir;
46371 +extern int grsec_enable_chroot_chmod;
46372 +extern int grsec_enable_chroot_mknod;
46373 +extern int grsec_enable_chroot_fchdir;
46374 +extern int grsec_enable_chroot_nice;
46375 +extern int grsec_enable_chroot_execlog;
46376 +extern int grsec_enable_chroot_caps;
46377 +extern int grsec_enable_chroot_sysctl;
46378 +extern int grsec_enable_chroot_unix;
46379 +extern int grsec_enable_tpe;
46380 +extern int grsec_tpe_gid;
46381 +extern int grsec_enable_tpe_all;
46382 +extern int grsec_enable_tpe_invert;
46383 +extern int grsec_enable_socket_all;
46384 +extern int grsec_socket_all_gid;
46385 +extern int grsec_enable_socket_client;
46386 +extern int grsec_socket_client_gid;
46387 +extern int grsec_enable_socket_server;
46388 +extern int grsec_socket_server_gid;
46389 +extern int grsec_audit_gid;
46390 +extern int grsec_enable_group;
46391 +extern int grsec_enable_audit_textrel;
46392 +extern int grsec_enable_log_rwxmaps;
46393 +extern int grsec_enable_mount;
46394 +extern int grsec_enable_chdir;
46395 +extern int grsec_resource_logging;
46396 +extern int grsec_enable_blackhole;
46397 +extern int grsec_lastack_retries;
46398 +extern int grsec_lock;
46400 +extern spinlock_t grsec_alert_lock;
46401 +extern unsigned long grsec_alert_wtime;
46402 +extern unsigned long grsec_alert_fyet;
46404 +extern spinlock_t grsec_audit_lock;
46406 +extern rwlock_t grsec_exec_file_lock;
46408 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
46409 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
46410 + (tsk)->exec_file->f_vfsmnt) : "/")
46412 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
46413 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
46414 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
46416 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
46417 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
46418 + (tsk)->exec_file->f_vfsmnt) : "/")
46420 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
46421 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
46422 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
46424 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
46426 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
46428 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
46429 + (task)->pid, (cred)->uid, \
46430 + (cred)->euid, (cred)->gid, (cred)->egid, \
46431 + gr_parent_task_fullpath(task), \
46432 + (task)->real_parent->comm, (task)->real_parent->pid, \
46433 + (pcred)->uid, (pcred)->euid, \
46434 + (pcred)->gid, (pcred)->egid
46436 +#define GR_CHROOT_CAPS {{ \
46437 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
46438 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
46439 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
46440 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
46441 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
46442 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
46444 +#define security_learn(normal_msg,args...) \
46446 + read_lock(&grsec_exec_file_lock); \
46447 + gr_add_learn_entry(normal_msg "\n", ## args); \
46448 + read_unlock(&grsec_exec_file_lock); \
46454 + GR_DONT_AUDIT_GOOD
46465 + GR_SYSCTL_HIDDEN,
46468 + GR_ONE_INT_TWO_STR,
46473 + GR_FIVE_INT_TWO_STR,
46479 + GR_FILENAME_TWO_INT,
46480 + GR_FILENAME_TWO_INT_STR,
46493 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
46494 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
46495 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
46496 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
46497 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
46498 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
46499 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
46500 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
46501 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
46502 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
46503 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
46504 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
46505 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
46506 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
46507 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
46508 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
46509 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
46510 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
46511 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
46512 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
46513 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
46514 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
46515 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
46516 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
46517 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
46518 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
46519 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
46520 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
46521 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
46522 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
46523 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
46524 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
46525 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
46527 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
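Review bot: `gr_log_int5_str2(audit, msg, num1, num2, str1, str2)` is tagged `GR_FIVE_INT_TWO_STR` but forwards only two integers and two strings to `gr_log_varargs`. That function is variadic and chooses how many arguments to pull from the `argtypes` tag alone, so the compiler cannot catch a mismatch between tag and arguments. Its handler is not in this hunk; if it reads five `int`s for this tag, any use of the macro would read past the supplied arguments and treat unrelated values as string pointers. Either give the macro five integer parameters, `#define gr_log_int5_str2(audit, msg, num1, num2, num3, num4, num5, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, num3, num4, num5, str1, str2)`, or rename the macro and tag to match what is actually passed. A comment above `gr_log_varargs` stating that each `GR_*` argtype fixes the exact argument list would make the other wrappers easier to audit as well.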
46532 diff -urNp linux-2.6.36.2/include/linux/grmsg.h linux-2.6.36.2/include/linux/grmsg.h
46533 --- linux-2.6.36.2/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
46534 +++ linux-2.6.36.2/include/linux/grmsg.h 2010-12-09 20:24:06.000000000 -0500
46536 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
46537 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
46538 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
46539 +#define GR_STOPMOD_MSG "denied modification of module state by "
46540 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
46541 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
46542 +#define GR_IOPERM_MSG "denied use of ioperm() by "
46543 +#define GR_IOPL_MSG "denied use of iopl() by "
46544 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
46545 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
46546 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
46547 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
46548 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
46549 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
46550 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
46551 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
46552 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
46553 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
46554 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
46555 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
46556 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
46557 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
46558 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
46559 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
46560 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
46561 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
46562 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
46563 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
46564 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
46565 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
46566 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
46567 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
46568 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
46569 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
46570 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
46571 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
46572 +#define GR_NPROC_MSG "denied overstep of process limit by "
46573 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
46574 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
46575 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
46576 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
46577 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
46578 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
46579 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
46580 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
46581 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
46582 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
46583 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
46584 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
46585 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
46586 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
46587 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
46588 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
46589 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
46590 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
46591 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
46592 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
46593 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
46594 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
46595 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
46596 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
46597 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
46598 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
46599 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
46600 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
46601 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
46602 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
46603 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
46604 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
46605 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
46606 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
46607 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
46608 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
46609 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
46610 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
46611 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
46612 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
46613 +#define GR_NICE_CHROOT_MSG "denied priority change by "
46614 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
46615 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
46616 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
46617 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
46618 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
46619 +#define GR_TIME_MSG "time set by "
46620 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
46621 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
46622 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
46623 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
46624 +#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
46625 +#define GR_BIND_MSG "denied bind() by "
46626 +#define GR_CONNECT_MSG "denied connect() by "
46627 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
46628 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
46629 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
46630 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
46631 +#define GR_CAP_ACL_MSG "use of %s denied for "
46632 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
46633 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
46634 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
46635 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
46636 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
46637 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
46638 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
46639 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
46640 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
46641 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
46642 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
46643 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
46644 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
46645 +#define GR_VM86_MSG "denied use of vm86 by "
46646 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
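Review bot: `GR_TEXTREL_AUDIT_MSG` formats the file name with a bare `%s`, while every other path-bearing message in this header caps the field (`%.950s`, `%.480s`, `%.256s`). Whether the log buffer is bounded by other means is not visible in this hunk, so for consistency and to keep one long path from truncating the trailing subject information, I would write `"text relocation in %.950s, VMA:0x%08lx 0x%08lx by "`. `GR_SYMLINK_MSG`, `GR_FIFO_MSG` and `GR_HARDLINK_MSG` print the owner as `%d.%d` where the rest of the file prints uids and gids with `%u`; if the arguments are `uid_t`/`gid_t`, `%u.%u` avoids negative numbers in the audit trail. `GR_DEV_ACL_MSG` has a typo that ends up in logs: "being fed garbaged by" should read "being fed garbage by".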
46647 diff -urNp linux-2.6.36.2/include/linux/grsecurity.h linux-2.6.36.2/include/linux/grsecurity.h
46648 --- linux-2.6.36.2/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
46649 +++ linux-2.6.36.2/include/linux/grsecurity.h 2010-12-09 20:24:06.000000000 -0500
46651 +#ifndef GR_SECURITY_H
46652 +#define GR_SECURITY_H
46653 +#include <linux/fs.h>
46654 +#include <linux/fs_struct.h>
46655 +#include <linux/binfmts.h>
46656 +#include <linux/gracl.h>
46658 +/* notify of brain-dead configs */
46659 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
46660 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
46662 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
46663 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
46665 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
46666 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
46668 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
46669 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
46671 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
46672 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
46675 +void gr_handle_brute_attach(struct task_struct *p);
46676 +void gr_handle_brute_check(void);
46678 +char gr_roletype_to_char(void);
46680 +int gr_acl_enable_at_secure(void);
46682 +int gr_check_user_change(int real, int effective, int fs);
46683 +int gr_check_group_change(int real, int effective, int fs);
46685 +void gr_del_task_from_ip_table(struct task_struct *p);
46687 +int gr_pid_is_chrooted(struct task_struct *p);
46688 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
46689 +int gr_handle_chroot_nice(void);
46690 +int gr_handle_chroot_sysctl(const int op);
46691 +int gr_handle_chroot_setpriority(struct task_struct *p,
46692 + const int niceval);
46693 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
46694 +int gr_handle_chroot_chroot(const struct dentry *dentry,
46695 + const struct vfsmount *mnt);
46696 +int gr_handle_chroot_caps(struct path *path);
46697 +void gr_handle_chroot_chdir(struct path *path);
46698 +int gr_handle_chroot_chmod(const struct dentry *dentry,
46699 + const struct vfsmount *mnt, const int mode);
46700 +int gr_handle_chroot_mknod(const struct dentry *dentry,
46701 + const struct vfsmount *mnt, const int mode);
46702 +int gr_handle_chroot_mount(const struct dentry *dentry,
46703 + const struct vfsmount *mnt,
46704 + const char *dev_name);
46705 +int gr_handle_chroot_pivot(void);
46706 +int gr_handle_chroot_unix(struct pid *pid);
46708 +int gr_handle_rawio(const struct inode *inode);
46709 +int gr_handle_nproc(void);
46711 +void gr_handle_ioperm(void);
46712 +void gr_handle_iopl(void);
46714 +int gr_tpe_allow(const struct file *file);
46716 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
46717 +void gr_clear_chroot_entries(struct task_struct *task);
46719 +void gr_log_forkfail(const int retval);
46720 +void gr_log_timechange(void);
46721 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
46722 +void gr_log_chdir(const struct dentry *dentry,
46723 + const struct vfsmount *mnt);
46724 +void gr_log_chroot_exec(const struct dentry *dentry,
46725 + const struct vfsmount *mnt);
46726 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
46727 +void gr_log_remount(const char *devname, const int retval);
46728 +void gr_log_unmount(const char *devname, const int retval);
46729 +void gr_log_mount(const char *from, const char *to, const int retval);
46730 +void gr_log_textrel(struct vm_area_struct *vma);
46731 +void gr_log_rwxmmap(struct file *file);
46732 +void gr_log_rwxmprotect(struct file *file);
46734 +int gr_handle_follow_link(const struct inode *parent,
46735 + const struct inode *inode,
46736 + const struct dentry *dentry,
46737 + const struct vfsmount *mnt);
46738 +int gr_handle_fifo(const struct dentry *dentry,
46739 + const struct vfsmount *mnt,
46740 + const struct dentry *dir, const int flag,
46741 + const int acc_mode);
46742 +int gr_handle_hardlink(const struct dentry *dentry,
46743 + const struct vfsmount *mnt,
46744 + struct inode *inode,
46745 + const int mode, const char *to);
46747 +int gr_is_capable(const int cap);
46748 +int gr_is_capable_nolog(const int cap);
46749 +void gr_learn_resource(const struct task_struct *task, const int limit,
46750 + const unsigned long wanted, const int gt);
46751 +void gr_copy_label(struct task_struct *tsk);
46752 +void gr_handle_crash(struct task_struct *task, const int sig);
46753 +int gr_handle_signal(const struct task_struct *p, const int sig);
46754 +int gr_check_crash_uid(const uid_t uid);
46755 +int gr_check_protected_task(const struct task_struct *task);
46756 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
46757 +int gr_acl_handle_mmap(const struct file *file,
46758 + const unsigned long prot);
46759 +int gr_acl_handle_mprotect(const struct file *file,
46760 + const unsigned long prot);
46761 +int gr_check_hidden_task(const struct task_struct *tsk);
46762 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
46763 + const struct vfsmount *mnt);
46764 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
46765 + const struct vfsmount *mnt);
46766 +__u32 gr_acl_handle_access(const struct dentry *dentry,
46767 + const struct vfsmount *mnt, const int fmode);
46768 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
46769 + const struct vfsmount *mnt, mode_t mode);
46770 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
46771 + const struct vfsmount *mnt, mode_t mode);
46772 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
46773 + const struct vfsmount *mnt);
46774 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
46775 + const struct vfsmount *mnt);
46776 +int gr_handle_ptrace(struct task_struct *task, const long request);
46777 +int gr_handle_proc_ptrace(struct task_struct *task);
46778 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
46779 + const struct vfsmount *mnt);
46780 +int gr_check_crash_exec(const struct file *filp);
46781 +int gr_acl_is_enabled(void);
46782 +void gr_set_kernel_label(struct task_struct *task);
46783 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
46784 + const gid_t gid);
46785 +int gr_set_proc_label(const struct dentry *dentry,
46786 + const struct vfsmount *mnt,
46787 + const int unsafe_share);
46788 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
46789 + const struct vfsmount *mnt);
46790 +__u32 gr_acl_handle_open(const struct dentry *dentry,
46791 + const struct vfsmount *mnt, const int fmode);
46792 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
46793 + const struct dentry *p_dentry,
46794 + const struct vfsmount *p_mnt, const int fmode,
46795 + const int imode);
46796 +void gr_handle_create(const struct dentry *dentry,
46797 + const struct vfsmount *mnt);
46798 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
46799 + const struct dentry *parent_dentry,
46800 + const struct vfsmount *parent_mnt,
46802 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
46803 + const struct dentry *parent_dentry,
46804 + const struct vfsmount *parent_mnt);
46805 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
46806 + const struct vfsmount *mnt);
46807 +void gr_handle_delete(const ino_t ino, const dev_t dev);
46808 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
46809 + const struct vfsmount *mnt);
46810 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
46811 + const struct dentry *parent_dentry,
46812 + const struct vfsmount *parent_mnt,
46813 + const char *from);
46814 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
46815 + const struct dentry *parent_dentry,
46816 + const struct vfsmount *parent_mnt,
46817 + const struct dentry *old_dentry,
46818 + const struct vfsmount *old_mnt, const char *to);
46819 +int gr_acl_handle_rename(struct dentry *new_dentry,
46820 + struct dentry *parent_dentry,
46821 + const struct vfsmount *parent_mnt,
46822 + struct dentry *old_dentry,
46823 + struct inode *old_parent_inode,
46824 + struct vfsmount *old_mnt, const char *newname);
46825 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
46826 + struct dentry *old_dentry,
46827 + struct dentry *new_dentry,
46828 + struct vfsmount *mnt, const __u8 replace);
46829 +__u32 gr_check_link(const struct dentry *new_dentry,
46830 + const struct dentry *parent_dentry,
46831 + const struct vfsmount *parent_mnt,
46832 + const struct dentry *old_dentry,
46833 + const struct vfsmount *old_mnt);
46834 +int gr_acl_handle_filldir(const struct file *file, const char *name,
46835 + const unsigned int namelen, const ino_t ino);
46837 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
46838 + const struct vfsmount *mnt);
46839 +void gr_acl_handle_exit(void);
46840 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
46841 +int gr_acl_handle_procpidmem(const struct task_struct *task);
46842 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
46843 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
46844 +void gr_audit_ptrace(struct task_struct *task);
46846 +#ifdef CONFIG_GRKERNSEC
46847 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
46848 +void gr_log_nonroot_mod_load(const char *modname);
46849 +void gr_handle_vm86(void);
46850 +void gr_handle_mem_write(void);
46851 +void gr_handle_kmem_write(void);
46852 +void gr_handle_open_port(void);
46853 +int gr_handle_mem_mmap(const unsigned long offset,
46854 + struct vm_area_struct *vma);
46856 +extern int grsec_enable_dmesg;
46857 +extern int grsec_disable_privio;
46861 diff -urNp linux-2.6.36.2/include/linux/grsock.h linux-2.6.36.2/include/linux/grsock.h
46862 --- linux-2.6.36.2/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
46863 +++ linux-2.6.36.2/include/linux/grsock.h 2010-12-09 20:24:06.000000000 -0500
46865 +#ifndef __GRSOCK_H
46866 +#define __GRSOCK_H
46868 +extern void gr_attach_curr_ip(const struct sock *sk);
46869 +extern int gr_handle_sock_all(const int family, const int type,
46870 + const int protocol);
46871 +extern int gr_handle_sock_server(const struct sockaddr *sck);
46872 +extern int gr_handle_sock_server_other(const struct sock *sck);
46873 +extern int gr_handle_sock_client(const struct sockaddr *sck);
46874 +extern int gr_search_connect(struct socket * sock,
46875 + struct sockaddr_in * addr);
46876 +extern int gr_search_bind(struct socket * sock,
46877 + struct sockaddr_in * addr);
46878 +extern int gr_search_listen(struct socket * sock);
46879 +extern int gr_search_accept(struct socket * sock);
46880 +extern int gr_search_socket(const int domain, const int type,
46881 + const int protocol);
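Review bot: `gr_search_connect()` and `gr_search_bind()` are declared with `struct sockaddr_in *`, so as written these two hooks can only describe IPv4 endpoints, and the header does not say what happens for other address families. Whether callers filter on the family before calling, or non-IPv4 sockets skip the check altogether, cannot be told from the prototypes; a comment above them should state it, for example `/* addr is only examined for AF_INET; other families: <state allow/deny behaviour> */`. The header also gives no return convention for any of the `gr_handle_sock_*` and `gr_search_*` functions, so one line saying which value means "deny" and whether it is an errno would make call sites reviewable. The parameter name `sck` is used both for a `struct sockaddr *` and for a `struct sock *`, which is easy to misread.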
46884 diff -urNp linux-2.6.36.2/include/linux/highmem.h linux-2.6.36.2/include/linux/highmem.h
46885 --- linux-2.6.36.2/include/linux/highmem.h 2010-10-20 16:30:22.000000000 -0400
46886 +++ linux-2.6.36.2/include/linux/highmem.h 2010-12-09 20:24:06.000000000 -0500
46887 @@ -155,6 +155,18 @@ static inline void clear_highpage(struct
46888 kunmap_atomic(kaddr, KM_USER0);
46891 +static inline void sanitize_highpage(struct page *page)
46894 + unsigned long flags;
46896 + local_irq_save(flags);
46897 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
46898 + clear_page(kaddr);
46899 + kunmap_atomic(kaddr, KM_CLEARPAGE);
46900 + local_irq_restore(flags);
46903 static inline void zero_user_segments(struct page *page,
46904 unsigned start1, unsigned end1,
46905 unsigned start2, unsigned end2)
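Review bot: `sanitize_highpage()` is added without a comment explaining how it differs from `clear_highpage()` directly above it; both end in `clear_page()`, but the new helper maps through `KM_CLEARPAGE` and brackets the mapping with `local_irq_save()`/`local_irq_restore()`. The reason is presumably that it can run in contexts where the `KM_USER0` slot may already be in use, but that is an inference and should be written down by the author, e.g. `/* like clear_highpage(), but uses a dedicated kmap slot with IRQs off so it is safe from <contexts> */`. Some lines of the function (braces and the `kaddr` declaration) are missing from this listing.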
46906 diff -urNp linux-2.6.36.2/include/linux/init.h linux-2.6.36.2/include/linux/init.h
46907 --- linux-2.6.36.2/include/linux/init.h 2010-10-20 16:30:22.000000000 -0400
46908 +++ linux-2.6.36.2/include/linux/init.h 2010-12-09 20:24:06.000000000 -0500
46909 @@ -286,13 +286,13 @@ void __init parse_early_options(char *cm
46911 /* Each module must use one module_init(). */
46912 #define module_init(initfn) \
46913 - static inline initcall_t __inittest(void) \
46914 + static inline __used initcall_t __inittest(void) \
46915 { return initfn; } \
46916 int init_module(void) __attribute__((alias(#initfn)));
46918 /* This is only required if you want to be unloadable. */
46919 #define module_exit(exitfn) \
46920 - static inline exitcall_t __exittest(void) \
46921 + static inline __used exitcall_t __exittest(void) \
46922 { return exitfn; } \
46923 void cleanup_module(void) __attribute__((alias(#exitfn)));
46925 diff -urNp linux-2.6.36.2/include/linux/interrupt.h linux-2.6.36.2/include/linux/interrupt.h
46926 --- linux-2.6.36.2/include/linux/interrupt.h 2010-10-20 16:30:22.000000000 -0400
46927 +++ linux-2.6.36.2/include/linux/interrupt.h 2010-12-09 20:24:06.000000000 -0500
46928 @@ -392,7 +392,7 @@ enum
46929 /* map softirq index to softirq name. update 'softirq_to_name' in
46930 * kernel/softirq.c when adding a new softirq.
46932 -extern char *softirq_to_name[NR_SOFTIRQS];
46933 +extern const char * const softirq_to_name[NR_SOFTIRQS];
46935 /* softirq mask and active fields moved to irq_cpustat_t in
46936 * asm/hardirq.h to get better cache usage. KAO
46937 @@ -400,12 +400,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
46939 struct softirq_action
46941 - void (*action)(struct softirq_action *);
46942 + void (*action)(void);
46945 asmlinkage void do_softirq(void);
46946 asmlinkage void __do_softirq(void);
46947 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
46948 +extern void open_softirq(int nr, void (*action)(void));
46949 extern void softirq_init(void);
46950 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
46951 extern void raise_softirq_irqoff(unsigned int nr);
46952 diff -urNp linux-2.6.36.2/include/linux/jbd2.h linux-2.6.36.2/include/linux/jbd2.h
46953 --- linux-2.6.36.2/include/linux/jbd2.h 2010-10-20 16:30:22.000000000 -0400
46954 +++ linux-2.6.36.2/include/linux/jbd2.h 2010-12-09 20:24:06.000000000 -0500
46955 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
46959 -#define jbd_debug(f, a...) /**/
46960 +#define jbd_debug(f, a...) do {} while (0)
46963 extern void *jbd2_alloc(size_t size, gfp_t flags);
46964 diff -urNp linux-2.6.36.2/include/linux/jbd.h linux-2.6.36.2/include/linux/jbd.h
46965 --- linux-2.6.36.2/include/linux/jbd.h 2010-10-20 16:30:22.000000000 -0400
46966 +++ linux-2.6.36.2/include/linux/jbd.h 2010-12-09 20:24:06.000000000 -0500
46967 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
46971 -#define jbd_debug(f, a...) /**/
46972 +#define jbd_debug(f, a...) do {} while (0)
46975 static inline void *jbd_alloc(size_t size, gfp_t flags)
46976 diff -urNp linux-2.6.36.2/include/linux/kallsyms.h linux-2.6.36.2/include/linux/kallsyms.h
46977 --- linux-2.6.36.2/include/linux/kallsyms.h 2010-10-20 16:30:22.000000000 -0400
46978 +++ linux-2.6.36.2/include/linux/kallsyms.h 2010-12-09 20:24:06.000000000 -0500
46983 -#ifdef CONFIG_KALLSYMS
46984 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
46985 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
46986 /* Lookup the address for a symbol. Returns 0 if not found. */
46987 unsigned long kallsyms_lookup_name(const char *name);
46989 @@ -92,6 +93,14 @@ static inline int lookup_symbol_attrs(un
46990 /* Stupid that this does nothing, but I didn't create this mess. */
46991 #define __print_symbol(fmt, addr)
46992 #endif /*CONFIG_KALLSYMS*/
46993 +#else /* when included by kallsyms.c or vsnprintf.c, with HIDESYM enabled */
46994 +extern void __print_symbol(const char *fmt, unsigned long address);
46995 +extern int sprint_symbol(char *buffer, unsigned long address);
46996 +const char *kallsyms_lookup(unsigned long addr,
46997 + unsigned long *symbolsize,
46998 + unsigned long *offset,
46999 + char **modname, char *namebuf);
47002 /* This macro allows us to keep printk typechecking */
47003 static void __check_printsym_format(const char *fmt, ...)
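Review bot: The new nested conditions in kallsyms.h are hard to audit without a comment. With `CONFIG_GRKERNSEC_HIDESYM` set, every includer that does not define `__INCLUDED_BY_HIDESYM` appears to fall through to the stub branch that ends at `#endif /*CONFIG_KALLSYMS*/`, while the added `#else` branch declares only `__print_symbol`, `sprint_symbol` and `kallsyms_lookup`. A block comment above the outer `#if` listing the three cases (KALLSYMS off; HIDESYM on with an ordinary includer; HIDESYM on and included by kallsyms.c or vsnprintf.c) would make the intent checkable, and the trailing comment on the retained `#endif` should name the new condition, e.g. `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */`. It is also worth stating there that other files calling `kallsyms_lookup_name()` get the stub under HIDESYM, if that is intended. The closing `#endif` of the added block is not visible in this listing.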
47004 diff -urNp linux-2.6.36.2/include/linux/kgdb.h linux-2.6.36.2/include/linux/kgdb.h
47005 --- linux-2.6.36.2/include/linux/kgdb.h 2010-10-20 16:30:22.000000000 -0400
47006 +++ linux-2.6.36.2/include/linux/kgdb.h 2010-12-09 20:24:06.000000000 -0500
47007 @@ -276,22 +276,22 @@ struct kgdb_arch {
47011 - int (*read_char) (void);
47012 - void (*write_char) (u8);
47013 - void (*flush) (void);
47014 - int (*init) (void);
47015 - void (*pre_exception) (void);
47016 - void (*post_exception) (void);
47017 + int (* const read_char) (void);
47018 + void (* const write_char) (u8);
47019 + void (* const flush) (void);
47020 + int (* const init) (void);
47021 + void (* const pre_exception) (void);
47022 + void (* const post_exception) (void);
47026 -extern struct kgdb_arch arch_kgdb_ops;
47027 +extern const struct kgdb_arch arch_kgdb_ops;
47029 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
47031 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
47032 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
47033 -extern struct kgdb_io *dbg_io_ops;
47034 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
47035 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
47036 +extern const struct kgdb_io *dbg_io_ops;
47038 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
47039 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
47040 diff -urNp linux-2.6.36.2/include/linux/kvm_host.h linux-2.6.36.2/include/linux/kvm_host.h
47041 --- linux-2.6.36.2/include/linux/kvm_host.h 2010-10-20 16:30:22.000000000 -0400
47042 +++ linux-2.6.36.2/include/linux/kvm_host.h 2010-12-09 20:24:06.000000000 -0500
47043 @@ -245,7 +245,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
47044 void vcpu_load(struct kvm_vcpu *vcpu);
47045 void vcpu_put(struct kvm_vcpu *vcpu);
47047 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
47048 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
47049 struct module *module);
47050 void kvm_exit(void);
47052 @@ -369,7 +369,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
47053 struct kvm_guest_debug *dbg);
47054 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
47056 -int kvm_arch_init(void *opaque);
47057 +int kvm_arch_init(const void *opaque);
47058 void kvm_arch_exit(void);
47060 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
47061 diff -urNp linux-2.6.36.2/include/linux/libata.h linux-2.6.36.2/include/linux/libata.h
47062 --- linux-2.6.36.2/include/linux/libata.h 2010-10-20 16:30:22.000000000 -0400
47063 +++ linux-2.6.36.2/include/linux/libata.h 2010-12-09 20:24:06.000000000 -0500
47064 @@ -64,11 +64,11 @@
47065 #ifdef ATA_VERBOSE_DEBUG
47066 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
47068 -#define VPRINTK(fmt, args...)
47069 +#define VPRINTK(fmt, args...) do {} while (0)
47070 #endif /* ATA_VERBOSE_DEBUG */
47072 -#define DPRINTK(fmt, args...)
47073 -#define VPRINTK(fmt, args...)
47074 +#define DPRINTK(fmt, args...) do {} while (0)
47075 +#define VPRINTK(fmt, args...) do {} while (0)
47076 #endif /* ATA_DEBUG */
47078 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
47079 @@ -524,11 +524,11 @@ struct ata_ioports {
47083 - struct device *dev;
47084 + struct device *dev;
47085 void __iomem * const *iomap;
47086 unsigned int n_ports;
47087 void *private_data;
47088 - struct ata_port_operations *ops;
47089 + const struct ata_port_operations *ops;
47090 unsigned long flags;
47091 #ifdef CONFIG_ATA_ACPI
47092 acpi_handle acpi_handle;
47093 @@ -710,7 +710,7 @@ struct ata_link {
47096 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
47097 - struct ata_port_operations *ops;
47098 + const struct ata_port_operations *ops;
47100 /* Flags owned by the EH context. Only EH should touch these once the
47102 @@ -897,7 +897,7 @@ struct ata_port_info {
47103 unsigned long pio_mask;
47104 unsigned long mwdma_mask;
47105 unsigned long udma_mask;
47106 - struct ata_port_operations *port_ops;
47107 + const struct ata_port_operations *port_ops;
47108 void *private_data;
47111 @@ -921,7 +921,7 @@ extern const unsigned long sata_deb_timi
47112 extern const unsigned long sata_deb_timing_hotplug[];
47113 extern const unsigned long sata_deb_timing_long[];
47115 -extern struct ata_port_operations ata_dummy_port_ops;
47116 +extern const struct ata_port_operations ata_dummy_port_ops;
47117 extern const struct ata_port_info ata_dummy_port_info;
47119 static inline const unsigned long *
47120 @@ -965,7 +965,7 @@ extern int ata_host_activate(struct ata_
47121 struct scsi_host_template *sht);
47122 extern void ata_host_detach(struct ata_host *host);
47123 extern void ata_host_init(struct ata_host *, struct device *,
47124 - unsigned long, struct ata_port_operations *);
47125 + unsigned long, const struct ata_port_operations *);
47126 extern int ata_scsi_detect(struct scsi_host_template *sht);
47127 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
47128 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
47129 diff -urNp linux-2.6.36.2/include/linux/lockd/bind.h linux-2.6.36.2/include/linux/lockd/bind.h
47130 --- linux-2.6.36.2/include/linux/lockd/bind.h 2010-10-20 16:30:22.000000000 -0400
47131 +++ linux-2.6.36.2/include/linux/lockd/bind.h 2010-12-09 20:24:06.000000000 -0500
47132 @@ -23,13 +23,13 @@ struct svc_rqst;
47133 * This is the set of functions for lockd->nfsd communication
47135 struct nlmsvc_binding {
47136 - __be32 (*fopen)(struct svc_rqst *,
47137 + __be32 (* const fopen)(struct svc_rqst *,
47140 - void (*fclose)(struct file *);
47141 + void (* const fclose)(struct file *);
47144 -extern struct nlmsvc_binding * nlmsvc_ops;
47145 +extern const struct nlmsvc_binding * nlmsvc_ops;
47148 * Similar to nfs_client_initdata, but without the NFS-specific
47149 diff -urNp linux-2.6.36.2/include/linux/mm.h linux-2.6.36.2/include/linux/mm.h
47150 --- linux-2.6.36.2/include/linux/mm.h 2010-10-20 16:30:22.000000000 -0400
47151 +++ linux-2.6.36.2/include/linux/mm.h 2010-12-09 20:24:06.000000000 -0500
47152 @@ -107,7 +107,14 @@ extern unsigned int kobjsize(const void
47154 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
47155 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
47157 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
47158 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
47159 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
47161 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
47164 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
47165 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
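Review bot: In the `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` branch, `VM_SAO` is redefined to `0x00000000` but keeps the comment `/* Strong Access Ordering (powerpc) */`, which hides that the flag is being disabled so that `VM_PAGEEXEC` can take bit `0x20000000`. Say so on the line, e.g. `#define VM_SAO 0x00000000 /* unused on x86-32; bit reused by VM_PAGEEXEC */`. With a zero value every `vm_flags & VM_SAO` test is constant false, which is harmless for a powerpc-only flag, but code that passes `VM_SAO` where a non-zero flag is expected would now silently do nothing, so the definition is the right place to warn the next reader.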
47167 @@ -1021,6 +1028,15 @@ struct shrinker {
47168 extern void register_shrinker(struct shrinker *);
47169 extern void unregister_shrinker(struct shrinker *);
47172 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
47174 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
47176 + return __pgprot(0);
47180 int vma_wants_writenotify(struct vm_area_struct *vma);
47182 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
47183 @@ -1297,6 +1313,7 @@ out:
47186 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
47187 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
47189 extern unsigned long do_brk(unsigned long, unsigned long);
47191 @@ -1353,6 +1370,10 @@ extern struct vm_area_struct * find_vma(
47192 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
47193 struct vm_area_struct **pprev);
47195 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
47196 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
47197 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
47199 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
47200 NULL if none. Assume start_addr < end_addr. */
47201 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
47202 @@ -1369,15 +1390,6 @@ static inline unsigned long vma_pages(st
47203 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
47207 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
47209 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
47211 - return __pgprot(0);
47215 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
47216 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
47217 unsigned long pfn, unsigned long size, pgprot_t);
47218 @@ -1484,7 +1496,7 @@ extern int unpoison_memory(unsigned long
47219 extern int sysctl_memory_failure_early_kill;
47220 extern int sysctl_memory_failure_recovery;
47221 extern void shake_page(struct page *p, int access);
47222 -extern atomic_long_t mce_bad_pages;
47223 +extern atomic_long_unchecked_t mce_bad_pages;
47224 extern int soft_offline_page(struct page *page, int flags);
47225 #ifdef CONFIG_MEMORY_FAILURE
47226 int is_hwpoison_address(unsigned long addr);
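Review bot: `mce_bad_pages` changes from `atomic_long_t` to `atomic_long_unchecked_t` without a comment giving the reason, and the same applies to `vm_stat[]` in the mmzone.h hunk and to the `oprofilefs_create_ro_atomic()` prototype in oprofile.h. The `_unchecked` name suggests these counters are exempted from overflow checking that the patch applies to the plain atomic types; that definition is not visible in this part of the patch, so this is an inference. Each exemption should carry its justification where the variable is declared, e.g. `/* statistics counter, not a reference count: wrap-around is harmless */`, so that a later reviewer can tell a deliberate opt-out from a missed conversion.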
47227 @@ -1497,5 +1509,11 @@ static inline int is_hwpoison_address(un
47229 extern void dump_page(struct page *page);
47231 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
47232 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
47234 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
47237 #endif /* __KERNEL__ */
47238 #endif /* _LINUX_MM_H */
47239 diff -urNp linux-2.6.36.2/include/linux/mm_types.h linux-2.6.36.2/include/linux/mm_types.h
47240 --- linux-2.6.36.2/include/linux/mm_types.h 2010-10-20 16:30:22.000000000 -0400
47241 +++ linux-2.6.36.2/include/linux/mm_types.h 2010-12-09 20:24:06.000000000 -0500
47242 @@ -183,6 +183,8 @@ struct vm_area_struct {
47244 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
47247 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
47250 struct core_thread {
47251 @@ -310,6 +312,24 @@ struct mm_struct {
47252 #ifdef CONFIG_MMU_NOTIFIER
47253 struct mmu_notifier_mm *mmu_notifier_mm;
47256 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
47257 + unsigned long pax_flags;
47260 +#ifdef CONFIG_PAX_DLRESOLVE
47261 + unsigned long call_dl_resolve;
47264 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
47265 + unsigned long call_syscall;
47268 +#ifdef CONFIG_PAX_ASLR
47269 + unsigned long delta_mmap; /* randomized offset */
47270 + unsigned long delta_stack; /* randomized offset */
47275 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
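Review bot: The fields added to `struct mm_struct` are mostly undocumented: `pax_flags`, `call_dl_resolve` and `call_syscall` have no comment, and `delta_mmap`/`delta_stack` say only `/* randomized offset */` without stating what they offset or in which unit. Since these two apparently hold per-process address-space randomisation state, the comment should also say that they must not be reported to user space, e.g. `/* PaX ASLR: random offset applied to the mmap base; never expose to userland */` — wording to be confirmed by the author. The `#endif` lines closing each added `#if` are not visible in this listing.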
47276 diff -urNp linux-2.6.36.2/include/linux/mmu_notifier.h linux-2.6.36.2/include/linux/mmu_notifier.h
47277 --- linux-2.6.36.2/include/linux/mmu_notifier.h 2010-10-20 16:30:22.000000000 -0400
47278 +++ linux-2.6.36.2/include/linux/mmu_notifier.h 2010-12-09 20:24:06.000000000 -0500
47279 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
47281 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
47285 struct vm_area_struct *___vma = __vma; \
47286 unsigned long ___address = __address; \
47287 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
47288 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
47289 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
47294 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
47295 diff -urNp linux-2.6.36.2/include/linux/mmzone.h linux-2.6.36.2/include/linux/mmzone.h
47296 --- linux-2.6.36.2/include/linux/mmzone.h 2010-10-20 16:30:22.000000000 -0400
47297 +++ linux-2.6.36.2/include/linux/mmzone.h 2010-12-09 20:24:05.000000000 -0500
47298 @@ -352,7 +352,7 @@ struct zone {
47299 unsigned long flags; /* zone flags, see below */
47301 /* Zone statistics */
47302 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47303 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47306 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
47307 diff -urNp linux-2.6.36.2/include/linux/mod_devicetable.h linux-2.6.36.2/include/linux/mod_devicetable.h
47308 --- linux-2.6.36.2/include/linux/mod_devicetable.h 2010-10-20 16:30:22.000000000 -0400
47309 +++ linux-2.6.36.2/include/linux/mod_devicetable.h 2010-12-09 20:24:05.000000000 -0500
47311 typedef unsigned long kernel_ulong_t;
47314 -#define PCI_ANY_ID (~0)
47315 +#define PCI_ANY_ID ((__u16)~0)
47317 struct pci_device_id {
47318 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
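Review bot: `PCI_ANY_ID` changes value for the `__u32` fields it is stored in: the context line shows `__u32 vendor, device;`, where the old `(~0)` converts to 0xFFFFFFFF but the new `((__u16)~0)` is 0xFFFF. Code that uses the macro on both sides keeps matching, but any table or comparison that spells the wildcard as `~0`, `-1` or `0xffffffff`, and any module or tool built against the unpatched header, would no longer agree with it. If the goal is only to avoid a signed constant, `(~0U)` — the form chosen for `HID_ANY_ID` in the next hunk — keeps the stored value unchanged; otherwise the reason for narrowing to 16 bits should be stated in a comment next to the define.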
47319 @@ -131,7 +131,7 @@ struct usb_device_id {
47320 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
47321 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
47323 -#define HID_ANY_ID (~0)
47324 +#define HID_ANY_ID (~0U)
47326 struct hid_device_id {
47328 diff -urNp linux-2.6.36.2/include/linux/module.h linux-2.6.36.2/include/linux/module.h
47329 --- linux-2.6.36.2/include/linux/module.h 2010-10-20 16:30:22.000000000 -0400
47330 +++ linux-2.6.36.2/include/linux/module.h 2010-12-09 20:24:06.000000000 -0500
47331 @@ -297,16 +297,16 @@ struct module
47334 /* If this is non-NULL, vfree after init() returns */
47335 - void *module_init;
47336 + void *module_init_rx, *module_init_rw;
47338 /* Here is the actual code + data, vfree'd on unload. */
47339 - void *module_core;
47340 + void *module_core_rx, *module_core_rw;
47342 /* Here are the sizes of the init and core sections */
47343 - unsigned int init_size, core_size;
47344 + unsigned int init_size_rw, core_size_rw;
47346 /* The size of the executable code in each section. */
47347 - unsigned int init_text_size, core_text_size;
47348 + unsigned int init_size_rx, core_size_rx;
47350 /* Arch-specific module values */
47351 struct mod_arch_specific arch;
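Review bot: The comments kept as context above the renamed fields no longer describe them: `/* Here are the sizes of the init and core sections */` now sits over `init_size_rw, core_size_rw`, and `/* If this is non-NULL, vfree after init() returns */` over two pointers, `module_init_rx` and `module_init_rw`. The old pair was a total size plus the size of the text within it, whereas the new names suggest two separate regions each with its own size, which changes what every user of these fields has to compute. The comments should be updated in the same change, e.g. `/* Sizes of the writable (rw) init and core regions */` and `/* Sizes of the executable (rx) init and core regions */`, and should say which of the two init pointers may be NULL.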
47352 @@ -408,16 +408,46 @@ bool is_module_address(unsigned long add
47353 bool is_module_percpu_address(unsigned long addr);
47354 bool is_module_text_address(unsigned long addr);
47356 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
47359 +#ifdef CONFIG_PAX_KERNEXEC
47360 + if (ktla_ktva(addr) >= (unsigned long)start &&
47361 + ktla_ktva(addr) < (unsigned long)start + size)
47365 + return ((void *)addr >= start && (void *)addr < start + size);
47368 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
47370 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
47373 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
47375 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
47378 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
47380 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
47383 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
47385 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
47388 static inline int within_module_core(unsigned long addr, struct module *mod)
47390 - return (unsigned long)mod->module_core <= addr &&
47391 - addr < (unsigned long)mod->module_core + mod->core_size;
47392 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
47395 static inline int within_module_init(unsigned long addr, struct module *mod)
47397 - return (unsigned long)mod->module_init <= addr &&
47398 - addr < (unsigned long)mod->module_init + mod->init_size;
47399 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
47402 /* Search for module by name: must hold module_mutex. */
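Review bot: In `within_module_range()` the fallback return compares and adds on `void *` (`(void *)addr < start + size`), which relies on the GNU extension for `void *` arithmetic, while the `CONFIG_PAX_KERNEXEC` branch above it performs the same test on `unsigned long`. Doing both in integer form reads more consistently: `return addr >= (unsigned long)start && addr < (unsigned long)start + size;`, with `start` declared `const void *` since it is never written through. The helper also has no comment explaining why the address is tried once through `ktla_ktva()` and, apparently, once untranslated; one sentence on that would help. The braces, the `#endif` and the statement under the first `if` are not visible in this listing.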
47403 diff -urNp linux-2.6.36.2/include/linux/moduleloader.h linux-2.6.36.2/include/linux/moduleloader.h
47404 --- linux-2.6.36.2/include/linux/moduleloader.h 2010-10-20 16:30:22.000000000 -0400
47405 +++ linux-2.6.36.2/include/linux/moduleloader.h 2010-12-09 20:24:06.000000000 -0500
47406 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
47407 sections. Returns NULL on failure. */
47408 void *module_alloc(unsigned long size);
47410 +#ifdef CONFIG_PAX_KERNEXEC
47411 +void *module_alloc_exec(unsigned long size);
47413 +#define module_alloc_exec(x) module_alloc(x)
47416 /* Free memory returned from module_alloc. */
47417 void module_free(struct module *mod, void *module_region);
47419 +#ifdef CONFIG_PAX_KERNEXEC
47420 +void module_free_exec(struct module *mod, void *module_region);
47422 +#define module_free_exec(x, y) module_free((x), (y))
47425 /* Apply the given relocation to the (simplified) ELF. Return -error
47427 int apply_relocate(Elf_Shdr *sechdrs,
47428 diff -urNp linux-2.6.36.2/include/linux/moduleparam.h linux-2.6.36.2/include/linux/moduleparam.h
47429 --- linux-2.6.36.2/include/linux/moduleparam.h 2010-10-20 16:30:22.000000000 -0400
47430 +++ linux-2.6.36.2/include/linux/moduleparam.h 2010-12-09 20:24:06.000000000 -0500
47431 @@ -253,7 +253,7 @@ static inline void __kernel_param_unlock
47432 * @len is usually just sizeof(string).
47434 #define module_param_string(name, string, len, perm) \
47435 - static const struct kparam_string __param_string_##name \
47436 + static const struct kparam_string __param_string_##name __used \
47437 = { len, string }; \
47438 __module_param_call(MODULE_PARAM_PREFIX, name, \
47439 ¶m_ops_string, \
47440 @@ -368,7 +368,7 @@ extern int param_get_invbool(char *buffe
47441 * module_param_named() for why this might be necessary.
47443 #define module_param_array_named(name, array, type, nump, perm) \
47444 - static const struct kparam_array __param_arr_##name \
47445 + static const struct kparam_array __param_arr_##name __used \
47446 = { ARRAY_SIZE(array), nump, ¶m_ops_##type, \
47447 sizeof(array[0]), array }; \
47448 __module_param_call(MODULE_PARAM_PREFIX, name, \
47449 diff -urNp linux-2.6.36.2/include/linux/namei.h linux-2.6.36.2/include/linux/namei.h
47450 --- linux-2.6.36.2/include/linux/namei.h 2010-10-20 16:30:22.000000000 -0400
47451 +++ linux-2.6.36.2/include/linux/namei.h 2010-12-09 20:24:06.000000000 -0500
47452 @@ -22,7 +22,7 @@ struct nameidata {
47453 unsigned int flags;
47456 - char *saved_names[MAX_NESTED_LINKS + 1];
47457 + const char *saved_names[MAX_NESTED_LINKS + 1];
47461 @@ -81,12 +81,12 @@ extern int follow_up(struct path *);
47462 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
47463 extern void unlock_rename(struct dentry *, struct dentry *);
47465 -static inline void nd_set_link(struct nameidata *nd, char *path)
47466 +static inline void nd_set_link(struct nameidata *nd, const char *path)
47468 nd->saved_names[nd->depth] = path;
47471 -static inline char *nd_get_link(struct nameidata *nd)
47472 +static inline const char *nd_get_link(const struct nameidata *nd)
47474 return nd->saved_names[nd->depth];
47476 diff -urNp linux-2.6.36.2/include/linux/netfilter/xt_gradm.h linux-2.6.36.2/include/linux/netfilter/xt_gradm.h
47477 --- linux-2.6.36.2/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
47478 +++ linux-2.6.36.2/include/linux/netfilter/xt_gradm.h 2010-12-09 20:24:05.000000000 -0500
47480 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
47481 +#define _LINUX_NETFILTER_XT_GRADM_H 1
47483 +struct xt_gradm_mtinfo {
47489 diff -urNp linux-2.6.36.2/include/linux/oprofile.h linux-2.6.36.2/include/linux/oprofile.h
47490 --- linux-2.6.36.2/include/linux/oprofile.h 2010-10-20 16:30:22.000000000 -0400
47491 +++ linux-2.6.36.2/include/linux/oprofile.h 2010-12-09 20:24:06.000000000 -0500
47492 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
47493 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
47494 char const * name, ulong * val);
47496 -/** Create a file for read-only access to an atomic_t. */
47497 +/** Create a file for read-only access to an atomic_unchecked_t. */
47498 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
47499 - char const * name, atomic_t * val);
47500 + char const * name, atomic_unchecked_t * val);
47502 /** create a directory */
47503 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
47504 diff -urNp linux-2.6.36.2/include/linux/pipe_fs_i.h linux-2.6.36.2/include/linux/pipe_fs_i.h
47505 --- linux-2.6.36.2/include/linux/pipe_fs_i.h 2010-12-09 20:53:48.000000000 -0500
47506 +++ linux-2.6.36.2/include/linux/pipe_fs_i.h 2010-12-09 20:54:39.000000000 -0500
47507 @@ -45,9 +45,9 @@ struct pipe_buffer {
47508 struct pipe_inode_info {
47509 wait_queue_head_t wait;
47510 unsigned int nrbufs, curbuf, buffers;
47511 - unsigned int readers;
47512 - unsigned int writers;
47513 - unsigned int waiting_writers;
47514 + atomic_t readers;
47515 + atomic_t writers;
47516 + atomic_t waiting_writers;
47517 unsigned int r_counter;
47518 unsigned int w_counter;
47519 struct page *tmp_page;
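Review bot: `readers`, `writers` and `waiting_writers` become `atomic_t` with no comment explaining why, while the neighbouring `r_counter` and `w_counter` stay `unsigned int`. The reason matters for review: if the fields are still only modified under the pipe's lock, atomicity adds nothing and the change is presumably there for overflow detection on the counts; if they are now touched without the lock, that is a locking change that needs its own explanation. Please state it at the declaration, e.g. `/* atomic_t so that overflow is caught; still modified under the pipe lock */` — wording to be confirmed by the author. The counts also change from unsigned to signed, since `atomic_t` wraps an `int`.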
47520 diff -urNp linux-2.6.36.2/include/linux/poison.h linux-2.6.36.2/include/linux/poison.h
47521 --- linux-2.6.36.2/include/linux/poison.h 2010-10-20 16:30:22.000000000 -0400
47522 +++ linux-2.6.36.2/include/linux/poison.h 2010-12-09 20:24:05.000000000 -0500
47524 * under normal circumstances, used to verify that nobody uses
47525 * non-initialized list entries.
47527 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
47528 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
47529 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
47530 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
47532 /********** include/linux/timer.h **********/
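Review bot: The new `LIST_POISON1`/`LIST_POISON2` values do not denote the same kind of address on 32-bit and 64-bit builds: the literal `0xFFFFFF01` has type `unsigned int`, so `(long)0xFFFFFF01` zero-extends on 64-bit and the poison becomes 0x00000000FFFFFF01 rather than an address at the top of the address space. The change also drops `POISON_POINTER_DELTA`, so an architecture's configured illegal-pointer offset is no longer applied to list poison. If the intent is a value that can never be a valid mapping on either word size, a sign-extending form such as `((void *) (long)(int)0xFFFFFF01)` would express that. Whether the value as written is safe on 64-bit depends on protections configured elsewhere in the patch, and the comment above the defines should say which.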
47534 diff -urNp linux-2.6.36.2/include/linux/proc_fs.h linux-2.6.36.2/include/linux/proc_fs.h
47535 --- linux-2.6.36.2/include/linux/proc_fs.h 2010-10-20 16:30:22.000000000 -0400
47536 +++ linux-2.6.36.2/include/linux/proc_fs.h 2010-12-09 20:24:06.000000000 -0500
47537 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
47538 return proc_create_data(name, mode, parent, proc_fops, NULL);
47541 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
47542 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
47544 +#ifdef CONFIG_GRKERNSEC_PROC_USER
47545 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
47546 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47547 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
47549 + return proc_create_data(name, mode, parent, proc_fops, NULL);
47554 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
47555 mode_t mode, struct proc_dir_entry *base,
47556 read_proc_t *read_proc, void * data)
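Review bot: `proc_create_grsec()` discards its `mode` argument whenever `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, and nothing at the definition says so. A caller that passes write bits gets a read-only entry under those options, and a caller that passes something tighter than `S_IRUSR | S_IRGRP` gets a looser mode under the USERGROUP option. I would add a comment above the function, for example `/* mode is only the fallback: GRKERNSEC_PROC_USER forces S_IRUSR, GRKERNSEC_PROC_USERGROUP forces S_IRUSR | S_IRGRP */`, so callers do not assume their mode is honoured.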
47557 diff -urNp linux-2.6.36.2/include/linux/random.h linux-2.6.36.2/include/linux/random.h
47558 --- linux-2.6.36.2/include/linux/random.h 2010-10-20 16:30:22.000000000 -0400
47559 +++ linux-2.6.36.2/include/linux/random.h 2010-12-09 20:24:06.000000000 -0500
47560 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
47562 u32 prandom32(struct rnd_state *);
47564 +static inline unsigned long pax_get_random_long(void)
47566 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
47570 * Handle minimum values for seeds
47572 static inline u32 __seed(u32 x, u32 m)
47574 - return (x < m) ? x + m : x;
47575 + return (x <= m) ? x + m + 1 : x;
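Review bot: `pax_get_random_long()` is built on `random32()`, which this header declares next to `srandom32()` and `prandom32()`, the kernel's fast pseudo-random generator rather than the entropy-pool interface. If the result is used to pick address-space offsets, as the `pax_` prefix and the `PAX_DELTA_*` lengths elsewhere in the patch suggest, it should not be predictable from other `random32()` output; `get_random_bytes(&v, sizeof(v))` would be the conservative source. At minimum the function needs a comment stating what strength of randomness callers may assume, e.g. `/* NOT cryptographically strong: two random32() draws */`. The closing lines of both functions are not visible in this hunk.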
47579 diff -urNp linux-2.6.36.2/include/linux/reiserfs_fs.h linux-2.6.36.2/include/linux/reiserfs_fs.h
47580 --- linux-2.6.36.2/include/linux/reiserfs_fs.h 2010-10-20 16:30:22.000000000 -0400
47581 +++ linux-2.6.36.2/include/linux/reiserfs_fs.h 2010-12-09 20:24:05.000000000 -0500
47582 @@ -1404,7 +1404,7 @@ static inline loff_t max_reiserfs_offset
47583 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
47585 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
47586 -#define get_generation(s) atomic_read (&fs_generation(s))
47587 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
47588 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
47589 #define __fs_changed(gen,s) (gen != get_generation (s))
47590 #define fs_changed(gen,s) \
47591 @@ -1616,24 +1616,24 @@ static inline struct super_block *sb_fro
47594 struct item_operations {
47595 - int (*bytes_number) (struct item_head * ih, int block_size);
47596 - void (*decrement_key) (struct cpu_key *);
47597 - int (*is_left_mergeable) (struct reiserfs_key * ih,
47598 + int (* const bytes_number) (struct item_head * ih, int block_size);
47599 + void (* const decrement_key) (struct cpu_key *);
47600 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
47601 unsigned long bsize);
47602 - void (*print_item) (struct item_head *, char *item);
47603 - void (*check_item) (struct item_head *, char *item);
47604 + void (* const print_item) (struct item_head *, char *item);
47605 + void (* const check_item) (struct item_head *, char *item);
47607 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
47608 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
47609 int is_affected, int insert_size);
47610 - int (*check_left) (struct virtual_item * vi, int free,
47611 + int (* const check_left) (struct virtual_item * vi, int free,
47612 int start_skip, int end_skip);
47613 - int (*check_right) (struct virtual_item * vi, int free);
47614 - int (*part_size) (struct virtual_item * vi, int from, int to);
47615 - int (*unit_num) (struct virtual_item * vi);
47616 - void (*print_vi) (struct virtual_item * vi);
47617 + int (* const check_right) (struct virtual_item * vi, int free);
47618 + int (* const part_size) (struct virtual_item * vi, int from, int to);
47619 + int (* const unit_num) (struct virtual_item * vi);
47620 + void (* const print_vi) (struct virtual_item * vi);
47623 -extern struct item_operations *item_ops[TYPE_ANY + 1];
47624 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
47626 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
47627 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
47628 diff -urNp linux-2.6.36.2/include/linux/reiserfs_fs_sb.h linux-2.6.36.2/include/linux/reiserfs_fs_sb.h
47629 --- linux-2.6.36.2/include/linux/reiserfs_fs_sb.h 2010-10-20 16:30:22.000000000 -0400
47630 +++ linux-2.6.36.2/include/linux/reiserfs_fs_sb.h 2010-12-09 20:24:05.000000000 -0500
47631 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
47632 /* Comment? -Hans */
47633 wait_queue_head_t s_wait;
47634 /* To be obsoleted soon by per buffer seals.. -Hans */
47635 - atomic_t s_generation_counter; // increased by one every time the
47636 + atomic_unchecked_t s_generation_counter; // increased by one every time the
47637 // tree gets re-balanced
47638 unsigned long s_properties; /* File system properties. Currently holds
47639 on-disk FS format */
47640 diff -urNp linux-2.6.36.2/include/linux/rmap.h linux-2.6.36.2/include/linux/rmap.h
47641 --- linux-2.6.36.2/include/linux/rmap.h 2010-10-20 16:30:22.000000000 -0400
47642 +++ linux-2.6.36.2/include/linux/rmap.h 2010-12-09 20:24:05.000000000 -0500
47643 @@ -145,8 +145,8 @@ static inline void anon_vma_unlock(struc
47644 void anon_vma_init(void); /* create anon_vma_cachep */
47645 int anon_vma_prepare(struct vm_area_struct *);
47646 void unlink_anon_vmas(struct vm_area_struct *);
47647 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
47648 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
47649 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
47650 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
47651 void __anon_vma_link(struct vm_area_struct *);
47652 void anon_vma_free(struct anon_vma *);
47654 diff -urNp linux-2.6.36.2/include/linux/sched.h linux-2.6.36.2/include/linux/sched.h
47655 --- linux-2.6.36.2/include/linux/sched.h 2010-10-20 16:30:22.000000000 -0400
47656 +++ linux-2.6.36.2/include/linux/sched.h 2010-12-09 20:24:06.000000000 -0500
47657 @@ -100,6 +100,7 @@ struct robust_list_head;
47660 struct perf_event_context;
47661 +struct linux_binprm;
47664 * List of flags we want to share for kernel threads,
47665 @@ -374,10 +375,12 @@ struct user_namespace;
47666 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
47668 extern int sysctl_max_map_count;
47669 +extern unsigned long sysctl_heap_stack_gap;
47671 #include <linux/aio.h>
47674 +extern bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len);
47675 extern void arch_pick_mmap_layout(struct mm_struct *mm);
47676 extern unsigned long
47677 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
47678 @@ -621,6 +624,16 @@ struct signal_struct {
47679 struct tty_audit_buf *tty_audit_buf;
47682 +#ifdef CONFIG_GRKERNSEC
47689 + u8 used_accept:1;
47692 int oom_adj; /* OOM kill score adjustment (bit shift) */
47693 int oom_score_adj; /* OOM kill score adjustment */
47695 @@ -1162,7 +1175,7 @@ struct rcu_node;
47697 struct task_struct {
47698 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
47700 + struct thread_info *stack;
47702 unsigned int flags; /* per process flags, defined below */
47703 unsigned int ptrace;
47704 @@ -1270,8 +1283,8 @@ struct task_struct {
47705 struct list_head thread_group;
47707 struct completion *vfork_done; /* for vfork() */
47708 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
47709 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
47710 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
47711 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
47713 cputime_t utime, stime, utimescaled, stimescaled;
47715 @@ -1287,16 +1300,6 @@ struct task_struct {
47716 struct task_cputime cputime_expires;
47717 struct list_head cpu_timers[3];
47719 -/* process credentials */
47720 - const struct cred *real_cred; /* objective and real subjective task
47721 - * credentials (COW) */
47722 - const struct cred *cred; /* effective (overridable) subjective task
47723 - * credentials (COW) */
47724 - struct mutex cred_guard_mutex; /* guard against foreign influences on
47725 - * credential calculations
47726 - * (notably. ptrace) */
47727 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
47729 char comm[TASK_COMM_LEN]; /* executable name excluding path
47730 - access with [gs]et_task_comm (which lock
47731 it with task_lock())
47732 @@ -1380,6 +1383,15 @@ struct task_struct {
47733 int softirqs_enabled;
47734 int softirq_context;
47737 +/* process credentials */
47738 + const struct cred *real_cred; /* objective and real subjective task
47739 + * credentials (COW) */
47740 + struct mutex cred_guard_mutex; /* guard against foreign influences on
47741 + * credential calculations
47742 + * (notably. ptrace) */
47743 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
47745 #ifdef CONFIG_LOCKDEP
47746 # define MAX_LOCK_DEPTH 48UL
47747 u64 curr_chain_key;
47748 @@ -1400,6 +1412,9 @@ struct task_struct {
47750 struct backing_dev_info *backing_dev_info;
47752 + const struct cred *cred; /* effective (overridable) subjective task
47753 + * credentials (COW) */
47755 struct io_context *io_context;
47757 unsigned long ptrace_message;
47758 @@ -1465,6 +1480,20 @@ struct task_struct {
47759 unsigned long default_timer_slack_ns;
47761 struct list_head *scm_work_list;
47763 +#ifdef CONFIG_GRKERNSEC
47765 + struct dentry *gr_chroot_dentry;
47766 + struct acl_subject_label *acl;
47767 + struct acl_role_label *role;
47768 + struct file *exec_file;
47773 + u8 gr_is_chrooted;
47776 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
47777 /* Index of current stored address in ret_stack */
47778 int curr_ret_stack;
47779 @@ -1496,6 +1525,52 @@ struct task_struct {
47783 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
47784 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
47785 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
47786 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
47787 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
47788 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
47790 +#ifdef CONFIG_PAX_SOFTMODE
47791 +extern unsigned int pax_softmode;
47794 +extern int pax_check_flags(unsigned long *);
47796 +/* if tsk != current then task_lock must be held on it */
47797 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
47798 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
47800 + if (likely(tsk->mm))
47801 + return tsk->mm->pax_flags;
47806 +/* if tsk != current then task_lock must be held on it */
47807 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
47809 + if (likely(tsk->mm)) {
47810 + tsk->mm->pax_flags = flags;
47817 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
47818 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
47819 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
47820 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
47823 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
47824 +void pax_report_insns(void *pc, void *sp);
47825 +void pax_report_refcount_overflow(struct pt_regs *regs);
47826 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
47827 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
47829 /* Future-safe accessor for struct task_struct's cpus_allowed. */
47830 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
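Review bot: `pax_set_initial_flags_func` under `CONFIG_PAX_HOOK_ACL_FLAGS` is declared as a plain writable function pointer, while other hunks in this same patch go out of their way to make operation tables `const`. A hook that decides the initial PaX flags of each executed binary deserves the same care: the declaration should say who assigns it, when, and whether it can live in data that is read-only after init. I would add `/* assigned once by the ACL module; NULL means no hook installed */`, adjusted to what the definition really does. The brace and `#else`/`#endif` lines of `pax_get_flags()` and `pax_set_flags()` are not visible here, so their fallback return values could not be checked.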
47832 @@ -2103,7 +2178,7 @@ extern void __cleanup_sighand(struct sig
47833 extern void exit_itimers(struct signal_struct *);
47834 extern void flush_itimer_signals(void);
47836 -extern NORET_TYPE void do_group_exit(int);
47837 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
47839 extern void daemonize(const char *, ...);
47840 extern int allow_signal(int);
47841 @@ -2221,8 +2296,8 @@ static inline void unlock_task_sighand(s
47843 #ifndef __HAVE_THREAD_FUNCTIONS
47845 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
47846 -#define task_stack_page(task) ((task)->stack)
47847 +#define task_thread_info(task) ((task)->stack)
47848 +#define task_stack_page(task) ((void *)(task)->stack)
47850 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
47852 @@ -2237,13 +2312,17 @@ static inline unsigned long *end_of_stac
47856 -static inline int object_is_on_stack(void *obj)
47857 +static inline int object_starts_on_stack(void *obj)
47859 - void *stack = task_stack_page(current);
47860 + const void *stack = task_stack_page(current);
47862 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
47865 +#ifdef CONFIG_PAX_USERCOPY
47866 +extern int object_is_on_stack(const void *obj, unsigned long len);
47869 extern void thread_info_cache_init(void);
47871 #ifdef CONFIG_DEBUG_STACK_USAGE
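Review bot: `object_is_on_stack` keeps its name but changes meaning: the old one-argument inline becomes `object_starts_on_stack()`, and the name is redeclared with a length argument only under `CONFIG_PAX_USERCOPY`. Old-style calls fail at build time in both configurations, which is fine, but the new prototype gives no hint what its `int` result means. I would document it at the declaration, stating whether the result is a plain boolean or distinguishes an object that only partly overlaps the stack, and add `/* checks the first byte only, not the object's extent */` above `object_starts_on_stack()`.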
47872 diff -urNp linux-2.6.36.2/include/linux/screen_info.h linux-2.6.36.2/include/linux/screen_info.h
47873 --- linux-2.6.36.2/include/linux/screen_info.h 2010-10-20 16:30:22.000000000 -0400
47874 +++ linux-2.6.36.2/include/linux/screen_info.h 2010-12-09 20:24:06.000000000 -0500
47875 @@ -43,7 +43,8 @@ struct screen_info {
47876 __u16 pages; /* 0x32 */
47877 __u16 vesa_attributes; /* 0x34 */
47878 __u32 capabilities; /* 0x36 */
47879 - __u8 _reserved[6]; /* 0x3a */
47880 + __u16 vesapm_size; /* 0x3a */
47881 + __u8 _reserved[4]; /* 0x3c */
47882 } __attribute__((packed));
47884 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
47885 diff -urNp linux-2.6.36.2/include/linux/security.h linux-2.6.36.2/include/linux/security.h
47886 --- linux-2.6.36.2/include/linux/security.h 2010-10-20 16:30:22.000000000 -0400
47887 +++ linux-2.6.36.2/include/linux/security.h 2010-12-09 20:24:06.000000000 -0500
47889 #include <linux/key.h>
47890 #include <linux/xfrm.h>
47891 #include <linux/slab.h>
47892 +#include <linux/grsecurity.h>
47893 #include <net/flow.h>
47895 /* Maximum number of letters for an LSM name string */
47896 diff -urNp linux-2.6.36.2/include/linux/shm.h linux-2.6.36.2/include/linux/shm.h
47897 --- linux-2.6.36.2/include/linux/shm.h 2010-10-20 16:30:22.000000000 -0400
47898 +++ linux-2.6.36.2/include/linux/shm.h 2010-12-09 20:24:06.000000000 -0500
47899 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
47902 struct user_struct *mlock_user;
47903 +#ifdef CONFIG_GRKERNSEC
47904 + time_t shm_createtime;
47909 /* shm_mode upper byte flags */
47910 diff -urNp linux-2.6.36.2/include/linux/skbuff.h linux-2.6.36.2/include/linux/skbuff.h
47911 --- linux-2.6.36.2/include/linux/skbuff.h 2010-10-20 16:30:22.000000000 -0400
47912 +++ linux-2.6.36.2/include/linux/skbuff.h 2010-12-09 20:24:06.000000000 -0500
47913 @@ -591,7 +591,7 @@ static inline union skb_shared_tx *skb_t
47915 static inline int skb_queue_empty(const struct sk_buff_head *list)
47917 - return list->next == (struct sk_buff *)list;
47918 + return list->next == (const struct sk_buff *)list;
47922 @@ -604,7 +604,7 @@ static inline int skb_queue_empty(const
47923 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
47924 const struct sk_buff *skb)
47926 - return (skb->next == (struct sk_buff *) list);
47927 + return (skb->next == (const struct sk_buff *) list);
47931 @@ -617,7 +617,7 @@ static inline bool skb_queue_is_last(con
47932 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
47933 const struct sk_buff *skb)
47935 - return (skb->prev == (struct sk_buff *) list);
47936 + return (skb->prev == (const struct sk_buff *) list);
47940 diff -urNp linux-2.6.36.2/include/linux/slab.h linux-2.6.36.2/include/linux/slab.h
47941 --- linux-2.6.36.2/include/linux/slab.h 2010-10-20 16:30:22.000000000 -0400
47942 +++ linux-2.6.36.2/include/linux/slab.h 2010-12-09 20:24:06.000000000 -0500
47945 #include <linux/gfp.h>
47946 #include <linux/types.h>
47947 +#include <linux/err.h>
47950 * Flags to pass to kmem_cache_create().
47951 @@ -87,10 +88,13 @@
47952 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
47953 * Both make kfree a no-op.
47955 -#define ZERO_SIZE_PTR ((void *)16)
47956 +#define ZERO_SIZE_PTR \
47958 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
47959 + (void *)(-MAX_ERRNO-1L); \
47962 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
47963 - (unsigned long)ZERO_SIZE_PTR)
47964 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
47967 * struct kmem_cache related prototypes
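Review bot: The rewritten `ZERO_OR_NULL_PTR(x)` is true for NULL and for every address from `ZERO_SIZE_PTR` upward, which takes in the whole error-pointer range above `-MAX_ERRNO-1L`, and the comment above it still describes only the NULL and zero-size cases. The test depends on unsigned wrap-around (`0 - 1` becomes the maximum value), which is easy to misread as an off-by-one. I would extend the comment with `/* true for NULL and for any pointer >= ZERO_SIZE_PTR, i.e. ERR_PTR values too */`. `ZERO_SIZE_PTR` also appears to be a statement expression now (its brace lines are not visible here), so it can no longer be used in a static initializer or a `case` label.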
47968 @@ -144,6 +148,7 @@ void * __must_check krealloc(const void
47969 void kfree(const void *);
47970 void kzfree(const void *);
47971 size_t ksize(const void *);
47972 +void check_object_size(const void *ptr, unsigned long n, bool to);
47975 * Allocator specific definitions. These are mainly used to establish optimized
47976 @@ -336,4 +341,37 @@ static inline void *kzalloc_node(size_t
47978 void __init kmem_cache_init_late(void);
47980 +#define kmalloc(x, y) \
47982 + void *___retval; \
47983 + intoverflow_t ___x = (intoverflow_t)x; \
47984 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
47985 + ___retval = NULL; \
47987 + ___retval = kmalloc((size_t)___x, (y)); \
47991 +#define kmalloc_node(x, y, z) \
47993 + void *___retval; \
47994 + intoverflow_t ___x = (intoverflow_t)x; \
47995 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
47996 + ___retval = NULL; \
47998 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
48002 +#define kzalloc(x, y) \
48004 + void *___retval; \
48005 + intoverflow_t ___x = (intoverflow_t)x; \
48006 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
48007 + ___retval = NULL; \
48009 + ___retval = kzalloc((size_t)___x, (y)); \
48013 #endif /* _LINUX_SLAB_H */
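Review bot: In the `kmalloc`, `kmalloc_node` and `kzalloc` wrapper macros the cast `(intoverflow_t)x` leaves `x` unparenthesised, which reads like a macro-hygiene slip but decides what is actually checked. With an argument such as `n * sizeof(*p)` the cast binds to `n` and the product is evaluated in the wide type, so a wrap is seen; with `hdr + n * sizeof(*p)` only `hdr` is widened and the product can still wrap before the `> ULONG_MAX` test. If the first behaviour is the intent, say so at the macro: `/* x deliberately unparenthesised: widens the leftmost operand so a size product is computed without wrapping */`. The check also depends on `intoverflow_t` being wider than `unsigned long`, which is defined outside this hunk.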
48014 diff -urNp linux-2.6.36.2/include/linux/slub_def.h linux-2.6.36.2/include/linux/slub_def.h
48015 --- linux-2.6.36.2/include/linux/slub_def.h 2010-10-20 16:30:22.000000000 -0400
48016 +++ linux-2.6.36.2/include/linux/slub_def.h 2010-12-09 20:24:06.000000000 -0500
48017 @@ -80,7 +80,7 @@ struct kmem_cache {
48018 struct kmem_cache_order_objects max;
48019 struct kmem_cache_order_objects min;
48020 gfp_t allocflags; /* gfp flags to use on each alloc */
48021 - int refcount; /* Refcount for slab cache destroy */
48022 + atomic_t refcount; /* Refcount for slab cache destroy */
48023 void (*ctor)(void *);
48024 int inuse; /* Offset to metadata */
48025 int align; /* Alignment */
48026 diff -urNp linux-2.6.36.2/include/linux/sonet.h linux-2.6.36.2/include/linux/sonet.h
48027 --- linux-2.6.36.2/include/linux/sonet.h 2010-10-20 16:30:22.000000000 -0400
48028 +++ linux-2.6.36.2/include/linux/sonet.h 2010-12-09 20:24:05.000000000 -0500
48029 @@ -61,7 +61,7 @@ struct sonet_stats {
48030 #include <asm/atomic.h>
48032 struct k_sonet_stats {
48033 -#define __HANDLE_ITEM(i) atomic_t i
48034 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
48036 #undef __HANDLE_ITEM
48038 diff -urNp linux-2.6.36.2/include/linux/sunrpc/clnt.h linux-2.6.36.2/include/linux/sunrpc/clnt.h
48039 --- linux-2.6.36.2/include/linux/sunrpc/clnt.h 2010-10-20 16:30:22.000000000 -0400
48040 +++ linux-2.6.36.2/include/linux/sunrpc/clnt.h 2010-12-09 20:24:06.000000000 -0500
48041 @@ -168,9 +168,9 @@ static inline unsigned short rpc_get_por
48043 switch (sap->sa_family) {
48045 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
48046 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
48048 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
48049 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
48053 @@ -203,7 +203,7 @@ static inline bool __rpc_cmp_addr4(const
48054 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
48055 const struct sockaddr *src)
48057 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
48058 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
48059 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
48061 dsin->sin_family = ssin->sin_family;
48062 @@ -300,7 +300,7 @@ static inline u32 rpc_get_scope_id(const
48063 if (sa->sa_family != AF_INET6)
48066 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
48067 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
48070 #endif /* __KERNEL__ */
48071 diff -urNp linux-2.6.36.2/include/linux/suspend.h linux-2.6.36.2/include/linux/suspend.h
48072 --- linux-2.6.36.2/include/linux/suspend.h 2010-10-20 16:30:22.000000000 -0400
48073 +++ linux-2.6.36.2/include/linux/suspend.h 2010-12-09 20:24:06.000000000 -0500
48074 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
48075 * which require special recovery actions in that situation.
48077 struct platform_suspend_ops {
48078 - int (*valid)(suspend_state_t state);
48079 - int (*begin)(suspend_state_t state);
48080 - int (*prepare)(void);
48081 - int (*prepare_late)(void);
48082 - int (*enter)(suspend_state_t state);
48083 - void (*wake)(void);
48084 - void (*finish)(void);
48085 - void (*end)(void);
48086 - void (*recover)(void);
48087 + int (* const valid)(suspend_state_t state);
48088 + int (* const begin)(suspend_state_t state);
48089 + int (* const prepare)(void);
48090 + int (* const prepare_late)(void);
48091 + int (* const enter)(suspend_state_t state);
48092 + void (* const wake)(void);
48093 + void (* const finish)(void);
48094 + void (* const end)(void);
48095 + void (* const recover)(void);
48098 #ifdef CONFIG_SUSPEND
48099 @@ -122,7 +122,7 @@ struct platform_suspend_ops {
48100 * suspend_set_ops - set platform dependent suspend operations
48101 * @ops: The new suspend operations to set.
48103 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
48104 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
48105 extern int suspend_valid_only_mem(suspend_state_t state);
48108 @@ -147,7 +147,7 @@ extern int pm_suspend(suspend_state_t st
48109 #else /* !CONFIG_SUSPEND */
48110 #define suspend_valid_only_mem NULL
48112 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
48113 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
48114 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
48115 #endif /* !CONFIG_SUSPEND */
48117 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
48118 * platforms which require special recovery actions in that situation.
48120 struct platform_hibernation_ops {
48121 - int (*begin)(void);
48122 - void (*end)(void);
48123 - int (*pre_snapshot)(void);
48124 - void (*finish)(void);
48125 - int (*prepare)(void);
48126 - int (*enter)(void);
48127 - void (*leave)(void);
48128 - int (*pre_restore)(void);
48129 - void (*restore_cleanup)(void);
48130 - void (*recover)(void);
48131 + int (* const begin)(void);
48132 + void (* const end)(void);
48133 + int (* const pre_snapshot)(void);
48134 + void (* const finish)(void);
48135 + int (* const prepare)(void);
48136 + int (* const enter)(void);
48137 + void (* const leave)(void);
48138 + int (* const pre_restore)(void);
48139 + void (* const restore_cleanup)(void);
48140 + void (* const recover)(void);
48143 #ifdef CONFIG_HIBERNATION
48144 @@ -245,7 +245,7 @@ extern void swsusp_set_page_free(struct
48145 extern void swsusp_unset_page_free(struct page *);
48146 extern unsigned long get_safe_page(gfp_t gfp_mask);
48148 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
48149 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
48150 extern int hibernate(void);
48151 extern bool system_entering_hibernation(void);
48152 #else /* CONFIG_HIBERNATION */
48153 @@ -253,7 +253,7 @@ static inline int swsusp_page_is_forbidd
48154 static inline void swsusp_set_page_free(struct page *p) {}
48155 static inline void swsusp_unset_page_free(struct page *p) {}
48157 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
48158 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
48159 static inline int hibernate(void) { return -ENOSYS; }
48160 static inline bool system_entering_hibernation(void) { return false; }
48161 #endif /* CONFIG_HIBERNATION */
48162 diff -urNp linux-2.6.36.2/include/linux/sysctl.h linux-2.6.36.2/include/linux/sysctl.h
48163 --- linux-2.6.36.2/include/linux/sysctl.h 2010-10-20 16:30:22.000000000 -0400
48164 +++ linux-2.6.36.2/include/linux/sysctl.h 2010-12-09 20:24:05.000000000 -0500
48165 @@ -155,7 +155,11 @@ enum
48166 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
48170 +#ifdef CONFIG_PAX_SOFTMODE
48172 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
48176 /* CTL_VM names: */
48178 @@ -966,6 +970,8 @@ typedef int proc_handler (struct ctl_tab
48180 extern int proc_dostring(struct ctl_table *, int,
48181 void __user *, size_t *, loff_t *);
48182 +extern int proc_dostring_modpriv(struct ctl_table *, int,
48183 + void __user *, size_t *, loff_t *);
48184 extern int proc_dointvec(struct ctl_table *, int,
48185 void __user *, size_t *, loff_t *);
48186 extern int proc_dointvec_minmax(struct ctl_table *, int,
48187 diff -urNp linux-2.6.36.2/include/linux/sysfs.h linux-2.6.36.2/include/linux/sysfs.h
48188 --- linux-2.6.36.2/include/linux/sysfs.h 2010-10-20 16:30:22.000000000 -0400
48189 +++ linux-2.6.36.2/include/linux/sysfs.h 2010-12-09 20:24:06.000000000 -0500
48190 @@ -110,8 +110,8 @@ struct bin_attribute {
48191 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
48194 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
48195 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
48196 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
48197 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
48200 struct sysfs_dirent;
48201 diff -urNp linux-2.6.36.2/include/linux/thread_info.h linux-2.6.36.2/include/linux/thread_info.h
48202 --- linux-2.6.36.2/include/linux/thread_info.h 2010-10-20 16:30:22.000000000 -0400
48203 +++ linux-2.6.36.2/include/linux/thread_info.h 2010-12-09 20:24:06.000000000 -0500
48204 @@ -23,7 +23,7 @@ struct restart_block {
48206 /* For futex_wait and futex_wait_requeue_pi */
48209 + u32 __user *uaddr;
48213 diff -urNp linux-2.6.36.2/include/linux/tty.h linux-2.6.36.2/include/linux/tty.h
48214 --- linux-2.6.36.2/include/linux/tty.h 2010-12-09 20:53:48.000000000 -0500
48215 +++ linux-2.6.36.2/include/linux/tty.h 2010-12-09 20:54:40.000000000 -0500
48217 #include <linux/tty_driver.h>
48218 #include <linux/tty_ldisc.h>
48219 #include <linux/mutex.h>
48220 +#include <linux/poll.h>
48221 #include <linux/smp_lock.h>
48223 #include <asm/system.h>
48224 @@ -464,7 +465,6 @@ extern int tty_perform_flush(struct tty_
48225 extern dev_t tty_devnum(struct tty_struct *tty);
48226 extern void proc_clear_tty(struct task_struct *p);
48227 extern struct tty_struct *get_current_tty(void);
48228 -extern void tty_default_fops(struct file_operations *fops);
48229 extern struct tty_struct *alloc_tty_struct(void);
48230 extern void tty_add_file(struct tty_struct *tty, struct file *file);
48231 extern void free_tty_struct(struct tty_struct *tty);
48232 @@ -527,6 +527,18 @@ extern void tty_ldisc_begin(void);
48233 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
48234 extern void tty_ldisc_enable(struct tty_struct *tty);
48237 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
48238 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
48239 +extern unsigned int tty_poll(struct file *, poll_table *);
48240 +#ifdef CONFIG_COMPAT
48241 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
48242 + unsigned long arg);
48244 +#define tty_compat_ioctl NULL
48246 +extern int tty_release(struct inode *, struct file *);
48247 +extern int tty_fasync(int fd, struct file *filp, int on);
48250 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
48251 diff -urNp linux-2.6.36.2/include/linux/tty_ldisc.h linux-2.6.36.2/include/linux/tty_ldisc.h
48252 --- linux-2.6.36.2/include/linux/tty_ldisc.h 2010-10-20 16:30:22.000000000 -0400
48253 +++ linux-2.6.36.2/include/linux/tty_ldisc.h 2010-12-09 20:24:06.000000000 -0500
48254 @@ -147,7 +147,7 @@ struct tty_ldisc_ops {
48256 struct module *owner;
48259 + atomic_t refcount;
48263 diff -urNp linux-2.6.36.2/include/linux/types.h linux-2.6.36.2/include/linux/types.h
48264 --- linux-2.6.36.2/include/linux/types.h 2010-10-20 16:30:22.000000000 -0400
48265 +++ linux-2.6.36.2/include/linux/types.h 2010-12-09 20:24:06.000000000 -0500
48266 @@ -207,10 +207,26 @@ typedef struct {
48270 +#ifdef CONFIG_PAX_REFCOUNT
48273 +} atomic_unchecked_t;
48275 +typedef atomic_t atomic_unchecked_t;
48278 #ifdef CONFIG_64BIT
48283 +#ifdef CONFIG_PAX_REFCOUNT
48286 +} atomic64_unchecked_t;
48288 +typedef atomic64_t atomic64_unchecked_t;
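Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced with no comment on when a counter may use them. Under `CONFIG_PAX_REFCOUNT` they are distinct types, so choosing the unchecked variant appears to opt a counter out of the overflow detection, and a reference count converted by mistake would lose that protection silently. I would add above the first typedef `/* for counters that may legitimately wrap (statistics, generation numbers); never for object reference counts */`. The struct bodies and the `#else`/`#endif` lines are not visible in this hunk.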
48293 diff -urNp linux-2.6.36.2/include/linux/u64_stats_sync.h linux-2.6.36.2/include/linux/u64_stats_sync.h
48294 --- linux-2.6.36.2/include/linux/u64_stats_sync.h 2010-10-20 16:30:22.000000000 -0400
48295 +++ linux-2.6.36.2/include/linux/u64_stats_sync.h 2010-12-09 20:24:06.000000000 -0500
48296 @@ -67,21 +67,21 @@ struct u64_stats_sync {
48300 -static void inline u64_stats_update_begin(struct u64_stats_sync *syncp)
48301 +static inline void u64_stats_update_begin(struct u64_stats_sync *syncp)
48303 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48304 write_seqcount_begin(&syncp->seq);
48308 -static void inline u64_stats_update_end(struct u64_stats_sync *syncp)
48309 +static inline void u64_stats_update_end(struct u64_stats_sync *syncp)
48311 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48312 write_seqcount_end(&syncp->seq);
48316 -static unsigned int inline u64_stats_fetch_begin(const struct u64_stats_sync *syncp)
48317 +static inline unsigned int u64_stats_fetch_begin(const struct u64_stats_sync *syncp)
48319 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48320 return read_seqcount_begin(&syncp->seq);
48321 @@ -93,7 +93,7 @@ static unsigned int inline u64_stats_fet
48325 -static bool inline u64_stats_fetch_retry(const struct u64_stats_sync *syncp,
48326 +static inline bool u64_stats_fetch_retry(const struct u64_stats_sync *syncp,
48327 unsigned int start)
48329 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48330 @@ -112,7 +112,7 @@ static bool inline u64_stats_fetch_retry
48331 * - UP 32bit must disable BH.
48332 * - 64bit have no problem atomically reading u64 values, irq safe.
48334 -static unsigned int inline u64_stats_fetch_begin_bh(const struct u64_stats_sync *syncp)
48335 +static inline unsigned int u64_stats_fetch_begin_bh(const struct u64_stats_sync *syncp)
48337 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48338 return read_seqcount_begin(&syncp->seq);
48339 @@ -124,7 +124,7 @@ static unsigned int inline u64_stats_fet
48343 -static bool inline u64_stats_fetch_retry_bh(const struct u64_stats_sync *syncp,
48344 +static inline bool u64_stats_fetch_retry_bh(const struct u64_stats_sync *syncp,
48345 unsigned int start)
48347 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48348 diff -urNp linux-2.6.36.2/include/linux/uaccess.h linux-2.6.36.2/include/linux/uaccess.h
48349 --- linux-2.6.36.2/include/linux/uaccess.h 2010-10-20 16:30:22.000000000 -0400
48350 +++ linux-2.6.36.2/include/linux/uaccess.h 2010-12-09 20:24:06.000000000 -0500
48351 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
48353 mm_segment_t old_fs = get_fs(); \
48355 - set_fs(KERNEL_DS); \
48356 pagefault_disable(); \
48357 + set_fs(KERNEL_DS); \
48358 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
48359 - pagefault_enable(); \
48361 + pagefault_enable(); \
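Review bot: The reordering in probe_kernel_address() has no comment explaining why `set_fs(KERNEL_DS)` must now come after `pagefault_disable()`, so a later cleanup could swap the lines back without anyone noticing. The visible lines show the address-limit widening moved inside the pagefault-disabled region and `pagefault_enable()` moved later. The line that restores the old limit is not in this listing, so I am assuming it now precedes `pagefault_enable()`. I would add `/* keep the KERNEL_DS window strictly inside the pagefault-disabled region */` directly above the `set_fs(KERNEL_DS)` line.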
48365 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
48366 * Safely read from address @src to the buffer at @dst. If a kernel fault
48367 * happens, handle that and return -EFAULT.
48369 -extern long probe_kernel_read(void *dst, void *src, size_t size);
48370 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
48371 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
48372 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
48375 * probe_kernel_write(): safely attempt to write to a location
48376 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
48377 * Safely write to address @dst from the buffer at @src. If a kernel fault
48378 * happens, handle that and return -EFAULT.
48380 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
48381 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
48382 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
48383 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
48385 #endif /* __LINUX_UACCESS_H__ */
48386 diff -urNp linux-2.6.36.2/include/linux/unaligned/access_ok.h linux-2.6.36.2/include/linux/unaligned/access_ok.h
48387 --- linux-2.6.36.2/include/linux/unaligned/access_ok.h 2010-10-20 16:30:22.000000000 -0400
48388 +++ linux-2.6.36.2/include/linux/unaligned/access_ok.h 2010-12-09 20:24:06.000000000 -0500
48391 static inline u16 get_unaligned_le16(const void *p)
48393 - return le16_to_cpup((__le16 *)p);
48394 + return le16_to_cpup((const __le16 *)p);
48397 static inline u32 get_unaligned_le32(const void *p)
48399 - return le32_to_cpup((__le32 *)p);
48400 + return le32_to_cpup((const __le32 *)p);
48403 static inline u64 get_unaligned_le64(const void *p)
48405 - return le64_to_cpup((__le64 *)p);
48406 + return le64_to_cpup((const __le64 *)p);
48409 static inline u16 get_unaligned_be16(const void *p)
48411 - return be16_to_cpup((__be16 *)p);
48412 + return be16_to_cpup((const __be16 *)p);
48415 static inline u32 get_unaligned_be32(const void *p)
48417 - return be32_to_cpup((__be32 *)p);
48418 + return be32_to_cpup((const __be32 *)p);
48421 static inline u64 get_unaligned_be64(const void *p)
48423 - return be64_to_cpup((__be64 *)p);
48424 + return be64_to_cpup((const __be64 *)p);
48427 static inline void put_unaligned_le16(u16 val, void *p)
48428 diff -urNp linux-2.6.36.2/include/linux/usb/hcd.h linux-2.6.36.2/include/linux/usb/hcd.h
48429 --- linux-2.6.36.2/include/linux/usb/hcd.h 2010-10-20 16:30:22.000000000 -0400
48430 +++ linux-2.6.36.2/include/linux/usb/hcd.h 2010-12-09 20:24:06.000000000 -0500
48431 @@ -578,7 +578,7 @@ struct usb_mon_operations {
48432 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
48435 -extern struct usb_mon_operations *mon_ops;
48436 +extern const struct usb_mon_operations *mon_ops;
48438 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
48440 @@ -600,7 +600,7 @@ static inline void usbmon_urb_complete(s
48441 (*mon_ops->urb_complete)(bus, urb, status);
48444 -int usb_mon_register(struct usb_mon_operations *ops);
48445 +int usb_mon_register(const struct usb_mon_operations *ops);
48446 void usb_mon_deregister(void);
48449 diff -urNp linux-2.6.36.2/include/linux/vmalloc.h linux-2.6.36.2/include/linux/vmalloc.h
48450 --- linux-2.6.36.2/include/linux/vmalloc.h 2010-10-20 16:30:22.000000000 -0400
48451 +++ linux-2.6.36.2/include/linux/vmalloc.h 2010-12-09 20:24:05.000000000 -0500
48452 @@ -15,6 +15,11 @@ extern bool vmap_lazy_unmap;
48453 #define VM_MAP 0x00000004 /* vmap()ed pages */
48454 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
48455 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
48457 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
48458 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
48461 /* bits [20..32] reserved for arch specific ioremap internals */
48464 @@ -123,4 +128,81 @@ struct vm_struct **pcpu_get_vm_areas(con
48466 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
48468 +#define vmalloc(x) \
48470 + void *___retval; \
48471 + intoverflow_t ___x = (intoverflow_t)x; \
48472 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
48473 + ___retval = NULL; \
48475 + ___retval = vmalloc((unsigned long)___x); \
48479 +#define __vmalloc(x, y, z) \
48481 + void *___retval; \
48482 + intoverflow_t ___x = (intoverflow_t)x; \
48483 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
48484 + ___retval = NULL; \
48486 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
48490 +#define vmalloc_user(x) \
48492 + void *___retval; \
48493 + intoverflow_t ___x = (intoverflow_t)x; \
48494 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
48495 + ___retval = NULL; \
48497 + ___retval = vmalloc_user((unsigned long)___x); \
48501 +#define vmalloc_exec(x) \
48503 + void *___retval; \
48504 + intoverflow_t ___x = (intoverflow_t)x; \
48505 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
48506 + ___retval = NULL; \
48508 + ___retval = vmalloc_exec((unsigned long)___x); \
48512 +#define vmalloc_node(x, y) \
48514 + void *___retval; \
48515 + intoverflow_t ___x = (intoverflow_t)x; \
48516 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
48517 + ___retval = NULL; \
48519 + ___retval = vmalloc_node((unsigned long)___x, (y));\
48523 +#define vmalloc_32(x) \
48525 + void *___retval; \
48526 + intoverflow_t ___x = (intoverflow_t)x; \
48527 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
48528 + ___retval = NULL; \
48530 + ___retval = vmalloc_32((unsigned long)___x); \
48534 +#define vmalloc_32_user(x) \
48536 + void *___retval; \
48537 + intoverflow_t ___x = (intoverflow_t)x; \
48538 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
48539 + ___retval = NULL; \
48541 + ___retval = vmalloc_32_user((unsigned long)___x);\
48545 #endif /* _LINUX_VMALLOC_H */
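Review bot: All seven wrappers cast the size as `(intoverflow_t)x` with no parentheses around `x`, while `y` and `z` are parenthesised, and nothing says whether that is deliberate. If the aim is to have a caller's `n * size` evaluated in the wider type so that `___x > ULONG_MAX` can see the overflow, parenthesising would defeat it, and each macro should say so: `/* x is deliberately unparenthesised: the cast must bind to the first operand so the arithmetic is done in intoverflow_t */`. The check only helps when the overflowing operation involves the leftmost operand, since `a + b * c` still multiplies in the narrow type. Where intoverflow_t is no wider than unsigned long (its definition is outside this hunk) the check can never fire.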
48546 diff -urNp linux-2.6.36.2/include/linux/vmstat.h linux-2.6.36.2/include/linux/vmstat.h
48547 --- linux-2.6.36.2/include/linux/vmstat.h 2010-10-20 16:30:22.000000000 -0400
48548 +++ linux-2.6.36.2/include/linux/vmstat.h 2010-12-09 20:24:06.000000000 -0500
48549 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
48551 * Zone based page accounting with per cpu differentials.
48553 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48554 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48556 static inline void zone_page_state_add(long x, struct zone *zone,
48557 enum zone_stat_item item)
48559 - atomic_long_add(x, &zone->vm_stat[item]);
48560 - atomic_long_add(x, &vm_stat[item]);
48561 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
48562 + atomic_long_add_unchecked(x, &vm_stat[item]);
48565 static inline unsigned long global_page_state(enum zone_stat_item item)
48567 - long x = atomic_long_read(&vm_stat[item]);
48568 + long x = atomic_long_read_unchecked(&vm_stat[item]);
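Review bot: The switch of vm_stat to `atomic_long_unchecked_t` comes with no comment saying why these counters are exempt from overflow checking. Presumably the `_unchecked` variants opt out of the patch's reference-count overflow detection because vm_stat holds page statistics rather than object lifetimes, but a reader of this header cannot tell that. I would put `/* statistics only, never a reference count: wrap-around is harmless, so overflow detection is not wanted */` above the `extern atomic_long_unchecked_t vm_stat[...]` declaration. The same applies to the later vmstat.h hunks and to `rid` and `ip_id_count` in the include/net/inetpeer.h hunk.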
48572 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
48573 static inline unsigned long zone_page_state(struct zone *zone,
48574 enum zone_stat_item item)
48576 - long x = atomic_long_read(&zone->vm_stat[item]);
48577 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
48581 @@ -179,7 +179,7 @@ static inline unsigned long zone_page_st
48582 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
48583 enum zone_stat_item item)
48585 - long x = atomic_long_read(&zone->vm_stat[item]);
48586 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
48590 @@ -268,8 +268,8 @@ static inline void __mod_zone_page_state
48592 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
48594 - atomic_long_inc(&zone->vm_stat[item]);
48595 - atomic_long_inc(&vm_stat[item]);
48596 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
48597 + atomic_long_inc_unchecked(&vm_stat[item]);
48600 static inline void __inc_zone_page_state(struct page *page,
48601 @@ -280,8 +280,8 @@ static inline void __inc_zone_page_state
48603 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
48605 - atomic_long_dec(&zone->vm_stat[item]);
48606 - atomic_long_dec(&vm_stat[item]);
48607 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
48608 + atomic_long_dec_unchecked(&vm_stat[item]);
48611 static inline void __dec_zone_page_state(struct page *page,
48612 diff -urNp linux-2.6.36.2/include/net/inetpeer.h linux-2.6.36.2/include/net/inetpeer.h
48613 --- linux-2.6.36.2/include/net/inetpeer.h 2010-10-20 16:30:22.000000000 -0400
48614 +++ linux-2.6.36.2/include/net/inetpeer.h 2010-12-09 20:24:04.000000000 -0500
48615 @@ -30,8 +30,8 @@ struct inet_peer {
48619 - atomic_t rid; /* Frag reception counter */
48620 - atomic_t ip_id_count; /* IP ID for the next packet */
48621 + atomic_unchecked_t rid; /* Frag reception counter */
48622 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
48624 __u32 tcp_ts_stamp;
48626 @@ -62,7 +62,7 @@ static inline __u16 inet_getid(struct in
48629 inet_peer_refcheck(p);
48630 - return atomic_add_return(more, &p->ip_id_count) - more;
48631 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
48634 #endif /* _NET_INETPEER_H */
48635 diff -urNp linux-2.6.36.2/include/net/irda/ircomm_tty.h linux-2.6.36.2/include/net/irda/ircomm_tty.h
48636 --- linux-2.6.36.2/include/net/irda/ircomm_tty.h 2010-10-20 16:30:22.000000000 -0400
48637 +++ linux-2.6.36.2/include/net/irda/ircomm_tty.h 2010-12-09 20:24:04.000000000 -0500
48638 @@ -105,8 +105,8 @@ struct ircomm_tty_cb {
48639 unsigned short close_delay;
48640 unsigned short closing_wait; /* time to wait before closing */
48643 - int blocked_open; /* # of blocked opens */
48644 + atomic_t open_count;
48645 + atomic_t blocked_open; /* # of blocked opens */
48647 /* Protect concurent access to :
48648 * o self->open_count
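Review bot: The context comment at the end of this hunk still lists `self->open_count` among the fields whose concurrent access is protected, although the field is now an `atomic_t`, so the documented locking rule is either stale or redundant. The comment should either drop open_count or state that the lock covers the open/close sequence while the counter itself is atomic. `open_count` also has no description, whereas `blocked_open` keeps `/* # of blocked opens */`; adding `/* # of opens */` would match. The struct continues outside the hunk.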
48649 diff -urNp linux-2.6.36.2/include/net/neighbour.h linux-2.6.36.2/include/net/neighbour.h
48650 --- linux-2.6.36.2/include/net/neighbour.h 2010-10-20 16:30:22.000000000 -0400
48651 +++ linux-2.6.36.2/include/net/neighbour.h 2010-12-09 20:24:04.000000000 -0500
48652 @@ -116,12 +116,12 @@ struct neighbour {
48656 - void (*solicit)(struct neighbour *, struct sk_buff*);
48657 - void (*error_report)(struct neighbour *, struct sk_buff*);
48658 - int (*output)(struct sk_buff*);
48659 - int (*connected_output)(struct sk_buff*);
48660 - int (*hh_output)(struct sk_buff*);
48661 - int (*queue_xmit)(struct sk_buff*);
48662 + void (* const solicit)(struct neighbour *, struct sk_buff*);
48663 + void (* const error_report)(struct neighbour *, struct sk_buff*);
48664 + int (* const output)(struct sk_buff*);
48665 + int (* const connected_output)(struct sk_buff*);
48666 + int (* const hh_output)(struct sk_buff*);
48667 + int (* const queue_xmit)(struct sk_buff*);
48670 struct pneigh_entry {
48671 diff -urNp linux-2.6.36.2/include/net/netlink.h linux-2.6.36.2/include/net/netlink.h
48672 --- linux-2.6.36.2/include/net/netlink.h 2010-10-20 16:30:22.000000000 -0400
48673 +++ linux-2.6.36.2/include/net/netlink.h 2010-12-09 20:24:04.000000000 -0500
48674 @@ -558,7 +558,7 @@ static inline void *nlmsg_get_pos(struct
48675 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
48678 - skb_trim(skb, (unsigned char *) mark - skb->data);
48679 + skb_trim(skb, (const unsigned char *) mark - skb->data);
48683 diff -urNp linux-2.6.36.2/include/net/sctp/sctp.h linux-2.6.36.2/include/net/sctp/sctp.h
48684 --- linux-2.6.36.2/include/net/sctp/sctp.h 2010-10-20 16:30:22.000000000 -0400
48685 +++ linux-2.6.36.2/include/net/sctp/sctp.h 2010-12-09 20:24:05.000000000 -0500
48686 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
48688 #else /* SCTP_DEBUG */
48690 -#define SCTP_DEBUG_PRINTK(whatever...)
48691 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
48692 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
48693 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
48694 #define SCTP_ENABLE_DEBUG
48695 #define SCTP_DISABLE_DEBUG
48696 #define SCTP_ASSERT(expr, str, func)
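Review bot: `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` on the context lines still expand to nothing in the non-debug build, so an `if (x) SCTP_ASSERT(...);` is left with the same empty body this hunk removes for the two PRINTK macros. For consistency they could be written the same way, e.g. `#define SCTP_ASSERT(expr, str, func) do {} while (0)`.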
48697 diff -urNp linux-2.6.36.2/include/net/tcp.h linux-2.6.36.2/include/net/tcp.h
48698 --- linux-2.6.36.2/include/net/tcp.h 2010-10-20 16:30:22.000000000 -0400
48699 +++ linux-2.6.36.2/include/net/tcp.h 2010-12-09 20:24:04.000000000 -0500
48700 @@ -1373,6 +1373,7 @@ enum tcp_seq_states {
48701 struct tcp_seq_afinfo {
48703 sa_family_t family;
48704 + /* cannot be const */
48705 struct file_operations seq_fops;
48706 struct seq_operations seq_ops;
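Review bot: The added `/* cannot be const */` does not say why, which is the one thing a later constification pass needs to know. If the reason is that the registration code fills in `seq_fops` and `seq_ops` at run time (that code is not in this hunk, so this is an assumption), the comment should say so: `/* cannot be const: members are assigned when the afinfo is registered */`. The identical comment in the include/net/udp.h hunk needs the same wording.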
48708 diff -urNp linux-2.6.36.2/include/net/udp.h linux-2.6.36.2/include/net/udp.h
48709 --- linux-2.6.36.2/include/net/udp.h 2010-10-20 16:30:22.000000000 -0400
48710 +++ linux-2.6.36.2/include/net/udp.h 2010-12-09 20:24:05.000000000 -0500
48711 @@ -220,6 +220,7 @@ struct udp_seq_afinfo {
48713 sa_family_t family;
48714 struct udp_table *udp_table;
48715 + /* cannot be const */
48716 struct file_operations seq_fops;
48717 struct seq_operations seq_ops;
48719 diff -urNp linux-2.6.36.2/include/sound/ac97_codec.h linux-2.6.36.2/include/sound/ac97_codec.h
48720 --- linux-2.6.36.2/include/sound/ac97_codec.h 2010-10-20 16:30:22.000000000 -0400
48721 +++ linux-2.6.36.2/include/sound/ac97_codec.h 2010-12-09 20:24:06.000000000 -0500
48722 @@ -419,15 +419,15 @@
48725 struct snd_ac97_build_ops {
48726 - int (*build_3d) (struct snd_ac97 *ac97);
48727 - int (*build_specific) (struct snd_ac97 *ac97);
48728 - int (*build_spdif) (struct snd_ac97 *ac97);
48729 - int (*build_post_spdif) (struct snd_ac97 *ac97);
48730 + int (* const build_3d) (struct snd_ac97 *ac97);
48731 + int (* const build_specific) (struct snd_ac97 *ac97);
48732 + int (* const build_spdif) (struct snd_ac97 *ac97);
48733 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
48735 - void (*suspend) (struct snd_ac97 *ac97);
48736 - void (*resume) (struct snd_ac97 *ac97);
48737 + void (* const suspend) (struct snd_ac97 *ac97);
48738 + void (* const resume) (struct snd_ac97 *ac97);
48740 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
48741 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
48744 struct snd_ac97_bus_ops {
48745 @@ -477,7 +477,7 @@ struct snd_ac97_template {
48748 /* -- lowlevel (hardware) driver specific -- */
48749 - struct snd_ac97_build_ops * build_ops;
48750 + const struct snd_ac97_build_ops * build_ops;
48751 void *private_data;
48752 void (*private_free) (struct snd_ac97 *ac97);
48754 diff -urNp linux-2.6.36.2/include/trace/events/irq.h linux-2.6.36.2/include/trace/events/irq.h
48755 --- linux-2.6.36.2/include/trace/events/irq.h 2010-10-20 16:30:22.000000000 -0400
48756 +++ linux-2.6.36.2/include/trace/events/irq.h 2010-12-09 20:24:04.000000000 -0500
48759 TRACE_EVENT(irq_handler_entry,
48761 - TP_PROTO(int irq, struct irqaction *action),
48762 + TP_PROTO(int irq, const struct irqaction *action),
48764 TP_ARGS(irq, action),
48766 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
48768 TRACE_EVENT(irq_handler_exit,
48770 - TP_PROTO(int irq, struct irqaction *action, int ret),
48771 + TP_PROTO(int irq, const struct irqaction *action, int ret),
48773 TP_ARGS(irq, action, ret),
48775 @@ -84,7 +84,7 @@ TRACE_EVENT(irq_handler_exit,
48777 DECLARE_EVENT_CLASS(softirq,
48779 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
48780 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
48784 @@ -113,7 +113,7 @@ DECLARE_EVENT_CLASS(softirq,
48786 DEFINE_EVENT(softirq, softirq_entry,
48788 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
48789 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
48793 @@ -131,7 +131,7 @@ DEFINE_EVENT(softirq, softirq_entry,
48795 DEFINE_EVENT(softirq, softirq_exit,
48797 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
48798 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
48802 diff -urNp linux-2.6.36.2/include/video/uvesafb.h linux-2.6.36.2/include/video/uvesafb.h
48803 --- linux-2.6.36.2/include/video/uvesafb.h 2010-10-20 16:30:22.000000000 -0400
48804 +++ linux-2.6.36.2/include/video/uvesafb.h 2010-12-09 20:24:07.000000000 -0500
48805 @@ -177,6 +177,7 @@ struct uvesafb_par {
48806 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
48807 u8 pmi_setpal; /* PMI for palette changes */
48808 u16 *pmi_base; /* protected mode interface location */
48809 + u8 *pmi_code; /* protected mode code location */
48812 u8 *vbe_state_orig; /*
48813 diff -urNp linux-2.6.36.2/init/do_mounts.c linux-2.6.36.2/init/do_mounts.c
48814 --- linux-2.6.36.2/init/do_mounts.c 2010-10-20 16:30:22.000000000 -0400
48815 +++ linux-2.6.36.2/init/do_mounts.c 2010-12-09 20:24:09.000000000 -0500
48816 @@ -217,11 +217,11 @@ static void __init get_fs_names(char *pa
48818 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
48820 - int err = sys_mount(name, "/root", fs, flags, data);
48821 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
48825 - sys_chdir("/root");
48826 + sys_chdir((__force char __user *)"/root");
48827 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
48828 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
48829 current->fs->pwd.mnt->mnt_sb->s_type->name,
48830 @@ -312,18 +312,18 @@ void __init change_floppy(char *fmt, ...
48831 va_start(args, fmt);
48832 vsprintf(buf, fmt, args);
48834 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
48835 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
48837 sys_ioctl(fd, FDEJECT, 0);
48840 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
48841 - fd = sys_open("/dev/console", O_RDWR, 0);
48842 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
48844 sys_ioctl(fd, TCGETS, (long)&termios);
48845 termios.c_lflag &= ~ICANON;
48846 sys_ioctl(fd, TCSETSF, (long)&termios);
48847 - sys_read(fd, &c, 1);
48848 + sys_read(fd, (char __user *)&c, 1);
48849 termios.c_lflag |= ICANON;
48850 sys_ioctl(fd, TCSETSF, (long)&termios);
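Review bot: Two casts in this hunk, `(char __user *)"/dev/root"` and `(char __user *)&c`, omit `__force`, while the `/dev/console` cast a few lines below and the casts in the other do_mounts.c hunks carry it. The first also drops `const` from a string literal. A checker that tracks address spaces would likely still flag these two, so I would write `(__force const char __user *)"/dev/root"` and `(__force char __user *)&c`. The same bare casts appear in the init/noinitramfs.c hunk for `"/dev"` and `"/root"`. change_floppy() starts and ends outside the hunk.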
48852 @@ -417,6 +417,6 @@ void __init prepare_namespace(void)
48855 devtmpfs_mount("dev");
48856 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
48858 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
48859 + sys_chroot((__force char __user *)".");
48861 diff -urNp linux-2.6.36.2/init/do_mounts.h linux-2.6.36.2/init/do_mounts.h
48862 --- linux-2.6.36.2/init/do_mounts.h 2010-10-20 16:30:22.000000000 -0400
48863 +++ linux-2.6.36.2/init/do_mounts.h 2010-12-09 20:24:09.000000000 -0500
48864 @@ -15,15 +15,15 @@ extern int root_mountflags;
48866 static inline int create_dev(char *name, dev_t dev)
48868 - sys_unlink(name);
48869 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
48870 + sys_unlink((__force char __user *)name);
48871 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
48874 #if BITS_PER_LONG == 32
48875 static inline u32 bstat(char *name)
48877 struct stat64 stat;
48878 - if (sys_stat64(name, &stat) != 0)
48879 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
48881 if (!S_ISBLK(stat.st_mode))
48883 diff -urNp linux-2.6.36.2/init/do_mounts_initrd.c linux-2.6.36.2/init/do_mounts_initrd.c
48884 --- linux-2.6.36.2/init/do_mounts_initrd.c 2010-10-20 16:30:22.000000000 -0400
48885 +++ linux-2.6.36.2/init/do_mounts_initrd.c 2010-12-09 20:24:09.000000000 -0500
48886 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
48887 create_dev("/dev/root.old", Root_RAM0);
48888 /* mount initrd on rootfs' /root */
48889 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
48890 - sys_mkdir("/old", 0700);
48891 - root_fd = sys_open("/", 0, 0);
48892 - old_fd = sys_open("/old", 0, 0);
48893 + sys_mkdir((__force const char __user *)"/old", 0700);
48894 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
48895 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
48896 /* move initrd over / and chdir/chroot in initrd root */
48897 - sys_chdir("/root");
48898 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
48900 + sys_chdir((__force const char __user *)"/root");
48901 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
48902 + sys_chroot((__force const char __user *)".");
48905 * In case that a resume from disk is carried out by linuxrc or one of
48906 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
48908 /* move initrd to rootfs' /old */
48909 sys_fchdir(old_fd);
48910 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
48911 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
48912 /* switch root and cwd back to / of rootfs */
48913 sys_fchdir(root_fd);
48915 + sys_chroot((__force const char __user *)".");
48917 sys_close(root_fd);
48919 if (new_decode_dev(real_root_dev) == Root_RAM0) {
48920 - sys_chdir("/old");
48921 + sys_chdir((__force const char __user *)"/old");
48925 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
48928 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
48929 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
48930 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
48934 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
48935 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
48936 if (error == -ENOENT)
48937 printk("/initrd does not exist. Ignored.\n");
48939 printk("failed\n");
48940 printk(KERN_NOTICE "Unmounting old root\n");
48941 - sys_umount("/old", MNT_DETACH);
48942 + sys_umount((__force char __user *)"/old", MNT_DETACH);
48943 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
48946 @@ -116,11 +116,11 @@ int __init initrd_load(void)
48947 * mounted in the normal path.
48949 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
48950 - sys_unlink("/initrd.image");
48951 + sys_unlink((__force const char __user *)"/initrd.image");
48956 - sys_unlink("/initrd.image");
48957 + sys_unlink((__force const char __user *)"/initrd.image");
48960 diff -urNp linux-2.6.36.2/init/do_mounts_md.c linux-2.6.36.2/init/do_mounts_md.c
48961 --- linux-2.6.36.2/init/do_mounts_md.c 2010-10-20 16:30:22.000000000 -0400
48962 +++ linux-2.6.36.2/init/do_mounts_md.c 2010-12-09 20:24:09.000000000 -0500
48963 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
48964 partitioned ? "_d" : "", minor,
48965 md_setup_args[ent].device_names);
48967 - fd = sys_open(name, 0, 0);
48968 + fd = sys_open((__force char __user *)name, 0, 0);
48970 printk(KERN_ERR "md: open failed - cannot start "
48971 "array %s\n", name);
48972 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
48976 - fd = sys_open(name, 0, 0);
48977 + fd = sys_open((__force char __user *)name, 0, 0);
48978 sys_ioctl(fd, BLKRRPART, 0);
48981 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
48983 wait_for_device_probe();
48985 - fd = sys_open("/dev/md0", 0, 0);
48986 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
48988 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
48990 diff -urNp linux-2.6.36.2/init/initramfs.c linux-2.6.36.2/init/initramfs.c
48991 --- linux-2.6.36.2/init/initramfs.c 2010-10-20 16:30:22.000000000 -0400
48992 +++ linux-2.6.36.2/init/initramfs.c 2010-12-09 20:24:09.000000000 -0500
48993 @@ -74,7 +74,7 @@ static void __init free_hash(void)
48997 -static long __init do_utime(char __user *filename, time_t mtime)
48998 +static long __init do_utime(__force char __user *filename, time_t mtime)
49000 struct timespec t[2];
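Review bot: `__force` is placed here on the parameter declaration of do_utime() rather than in a cast, unlike every other use in the visible part of this patch. The callers in the later hunks of this file already cast with `(__force char __user *)`, so the declaration can stay `static long __init do_utime(char __user *filename, time_t mtime)`. Keeping the annotation at the call sites makes each kernel-pointer-as-user-pointer conversion visible where it happens. The function body continues outside the hunk.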
49002 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
49003 struct dir_entry *de, *tmp;
49004 list_for_each_entry_safe(de, tmp, &dir_list, list) {
49005 list_del(&de->list);
49006 - do_utime(de->name, de->mtime);
49007 + do_utime((__force char __user *)de->name, de->mtime);
49011 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
49013 char *old = find_link(major, minor, ino, mode, collected);
49015 - return (sys_link(old, collected) < 0) ? -1 : 1;
49016 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
49020 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
49024 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
49025 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
49026 if (S_ISDIR(st.st_mode))
49028 + sys_rmdir((__force char __user *)path);
49030 - sys_unlink(path);
49031 + sys_unlink((__force char __user *)path);
49035 @@ -305,7 +305,7 @@ static int __init do_name(void)
49036 int openflags = O_WRONLY|O_CREAT;
49038 openflags |= O_TRUNC;
49039 - wfd = sys_open(collected, openflags, mode);
49040 + wfd = sys_open((__force char __user *)collected, openflags, mode);
49043 sys_fchown(wfd, uid, gid);
49044 @@ -317,17 +317,17 @@ static int __init do_name(void)
49047 } else if (S_ISDIR(mode)) {
49048 - sys_mkdir(collected, mode);
49049 - sys_chown(collected, uid, gid);
49050 - sys_chmod(collected, mode);
49051 + sys_mkdir((__force char __user *)collected, mode);
49052 + sys_chown((__force char __user *)collected, uid, gid);
49053 + sys_chmod((__force char __user *)collected, mode);
49054 dir_add(collected, mtime);
49055 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
49056 S_ISFIFO(mode) || S_ISSOCK(mode)) {
49057 if (maybe_link() == 0) {
49058 - sys_mknod(collected, mode, rdev);
49059 - sys_chown(collected, uid, gid);
49060 - sys_chmod(collected, mode);
49061 - do_utime(collected, mtime);
49062 + sys_mknod((__force char __user *)collected, mode, rdev);
49063 + sys_chown((__force char __user *)collected, uid, gid);
49064 + sys_chmod((__force char __user *)collected, mode);
49065 + do_utime((__force char __user *)collected, mtime);
49069 @@ -336,15 +336,15 @@ static int __init do_name(void)
49070 static int __init do_copy(void)
49072 if (count >= body_len) {
49073 - sys_write(wfd, victim, body_len);
49074 + sys_write(wfd, (__force char __user *)victim, body_len);
49076 - do_utime(vcollected, mtime);
49077 + do_utime((__force char __user *)vcollected, mtime);
49083 - sys_write(wfd, victim, count);
49084 + sys_write(wfd, (__force char __user *)victim, count);
49088 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
49090 collected[N_ALIGN(name_len) + body_len] = '\0';
49091 clean_path(collected, 0);
49092 - sys_symlink(collected + N_ALIGN(name_len), collected);
49093 - sys_lchown(collected, uid, gid);
49094 - do_utime(collected, mtime);
49095 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
49096 + sys_lchown((__force char __user *)collected, uid, gid);
49097 + do_utime((__force char __user *)collected, mtime);
49099 next_state = Reset;
49101 diff -urNp linux-2.6.36.2/init/Kconfig linux-2.6.36.2/init/Kconfig
49102 --- linux-2.6.36.2/init/Kconfig 2010-10-20 16:30:22.000000000 -0400
49103 +++ linux-2.6.36.2/init/Kconfig 2010-12-09 20:24:09.000000000 -0500
49104 @@ -1067,7 +1067,7 @@ config SLUB_DEBUG
49107 bool "Disable heap randomization"
49111 Randomizing heap placement makes heap exploits harder, but it
49112 also breaks ancient binaries (including anything libc5 based).
49113 diff -urNp linux-2.6.36.2/init/main.c linux-2.6.36.2/init/main.c
49114 --- linux-2.6.36.2/init/main.c 2010-10-20 16:30:22.000000000 -0400
49115 +++ linux-2.6.36.2/init/main.c 2010-12-09 20:24:09.000000000 -0500
49116 @@ -95,6 +95,7 @@ static inline void mark_rodata_ro(void)
49118 extern void tc_init(void);
49120 +extern void grsecurity_init(void);
49122 enum system_states system_state __read_mostly;
49123 EXPORT_SYMBOL(system_state);
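Review bot: `extern void grsecurity_init(void);` is declared locally in main.c rather than in a shared header, so the compiler cannot check the prototype against the definition if the two ever diverge. The declaration is also unconditional, as is the call added in the kernel_init hunk, so the symbol must exist in every configuration. Its definition is not in this listing, so that is worth confirming. Moving the prototype into a header included by both files, with a `static inline void grsecurity_init(void) { }` stub for configurations that do not build it, would cover both points.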
49124 @@ -197,6 +198,45 @@ static int __init set_reset_devices(char
49126 __setup("reset_devices", set_reset_devices);
49128 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
49129 +extern char pax_enter_kernel_user[];
49130 +extern char pax_exit_kernel_user[];
49131 +extern pgdval_t clone_pgd_mask;
49134 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
49135 +static int __init setup_pax_nouderef(char *str)
49137 +#ifdef CONFIG_X86_32
49138 + unsigned int cpu;
49140 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
49141 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
49142 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
49144 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
49146 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
49147 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
49148 + clone_pgd_mask = ~(pgdval_t)0UL;
49153 +early_param("pax_nouderef", setup_pax_nouderef);
49156 +#ifdef CONFIG_PAX_SOFTMODE
49157 +unsigned int pax_softmode;
49159 +static int __init setup_pax_softmode(char *str)
49161 + get_option(&str, &pax_softmode);
49164 +__setup("pax_softmode=", setup_pax_softmode);
49167 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
49168 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
49169 static const char *panic_later, *panic_param;
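Review bot: In setup_pax_softmode(), `get_option(&str, &pax_softmode)` passes an `unsigned int *` where get_option() takes an `int *`, and the return value that says whether a number was parsed is ignored. Reading into a local avoids both: `int v; if (get_option(&str, &v)) pax_softmode = v;`. Separately, the pax_nouderef handler's constants are undocumented: `.type = 3`, `.limit = 0xf`, and the `0xc3` byte (presumably the x86 `ret` opcode) copied over pax_enter_kernel_user and pax_exit_kernel_user. Because this parameter turns a protection off at boot, a comment naming what each write undoes would make it much easier to audit. Several preprocessor and brace lines of this hunk are missing from the listing.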
49170 @@ -743,6 +783,7 @@ int __init_or_module do_one_initcall(ini
49172 int count = preempt_count();
49174 + const char *msg1 = "", *msg2 = "";
49176 if (initcall_debug)
49177 ret = do_one_initcall_debug(fn);
49178 @@ -755,15 +796,15 @@ int __init_or_module do_one_initcall(ini
49179 sprintf(msgbuf, "error code %d ", ret);
49181 if (preempt_count() != count) {
49182 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
49183 + msg1 = " preemption imbalance";
49184 preempt_count() = count;
49186 if (irqs_disabled()) {
49187 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
49188 + msg2 = " disabled interrupts";
49189 local_irq_enable();
49192 - printk("initcall %pF returned with %s\n", fn, msgbuf);
49193 + if (msgbuf[0] || *msg1 || *msg2) {
49194 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
49198 @@ -893,7 +934,7 @@ static int __init kernel_init(void * unu
49201 /* Open the /dev/console on the rootfs, this should never fail */
49202 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
49203 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
49204 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
49207 @@ -906,11 +947,13 @@ static int __init kernel_init(void * unu
49208 if (!ramdisk_execute_command)
49209 ramdisk_execute_command = "/init";
49211 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
49212 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
49213 ramdisk_execute_command = NULL;
49214 prepare_namespace();
49217 + grsecurity_init();
49220 * Ok, we have completed the initial bootup, and
49221 * we're essentially up and running. Get rid of the
49222 diff -urNp linux-2.6.36.2/init/noinitramfs.c linux-2.6.36.2/init/noinitramfs.c
49223 --- linux-2.6.36.2/init/noinitramfs.c 2010-10-20 16:30:22.000000000 -0400
49224 +++ linux-2.6.36.2/init/noinitramfs.c 2010-12-09 20:24:09.000000000 -0500
49225 @@ -29,17 +29,17 @@ static int __init default_rootfs(void)
49229 - err = sys_mkdir("/dev", 0755);
49230 + err = sys_mkdir((const char __user *)"/dev", 0755);
49234 - err = sys_mknod((const char __user *) "/dev/console",
49235 + err = sys_mknod((__force const char __user *) "/dev/console",
49236 S_IFCHR | S_IRUSR | S_IWUSR,
49237 new_encode_dev(MKDEV(5, 1)));
49241 - err = sys_mkdir("/root", 0700);
49242 + err = sys_mkdir((const char __user *)"/root", 0700);
49246 diff -urNp linux-2.6.36.2/ipc/mqueue.c linux-2.6.36.2/ipc/mqueue.c
49247 --- linux-2.6.36.2/ipc/mqueue.c 2010-10-20 16:30:22.000000000 -0400
49248 +++ linux-2.6.36.2/ipc/mqueue.c 2010-12-09 20:24:07.000000000 -0500
49249 @@ -153,6 +153,7 @@ static struct inode *mqueue_get_inode(st
49250 mq_bytes = (mq_msg_tblsz +
49251 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
49253 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
49254 spin_lock(&mq_lock);
49255 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
49256 u->mq_bytes + mq_bytes >
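Review bot: The sum passed to gr_learn_resource() is read from `u->mq_bytes` before `spin_lock(&mq_lock)` is taken, and it may already have wrapped: the condition right below treats `u->mq_bytes + mq_bytes < u->mq_bytes` as an overflow. The learning code can therefore record a value that differs from the one the limit check evaluates, or a small wrapped value for an oversized request. If gr_learn_resource() may be called with a spinlock held (not visible here), move the call below `spin_lock(&mq_lock);` and skip it on wrap-around. Otherwise add a comment such as `/* unlocked snapshot; may be stale or wrapped, used for learning only */`. mqueue_get_inode() continues outside the hunk.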
49257 diff -urNp linux-2.6.36.2/ipc/shm.c linux-2.6.36.2/ipc/shm.c
49258 --- linux-2.6.36.2/ipc/shm.c 2010-12-09 20:53:48.000000000 -0500
49259 +++ linux-2.6.36.2/ipc/shm.c 2010-12-09 21:04:35.000000000 -0500
49260 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
49261 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
49264 +#ifdef CONFIG_GRKERNSEC
49265 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
49266 + const time_t shm_createtime, const uid_t cuid,
49267 + const int shmid);
49268 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
49269 + const time_t shm_createtime);
49272 void shm_init_ns(struct ipc_namespace *ns)
49274 ns->shm_ctlmax = SHMMAX;
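Review bot: gr_handle_shmat() and gr_chroot_shmat() are declared with `extern` inside ipc/shm.c, so the compiler never compares these prototypes with the definitions and a later signature change would go unnoticed. The declarations belong in a header that both this file and the defining file include. Static inline stubs returning non-zero for the !CONFIG_GRKERNSEC case (the call site in do_shmat() treats zero as denial) would also let the `#ifdef` around the call go away. The `const` qualifiers on by-value parameters add nothing in a prototype. The same header would suit the `extern rwlock_t grsec_exec_file_lock;` added to kernel/exit.c.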
49275 @@ -395,6 +403,14 @@ static int newseg(struct ipc_namespace *
49276 shp->shm_lprid = 0;
49277 shp->shm_atim = shp->shm_dtim = 0;
49278 shp->shm_ctim = get_seconds();
49279 +#ifdef CONFIG_GRKERNSEC
49281 + struct timespec timeval;
49282 + do_posix_clock_monotonic_gettime(&timeval);
49284 + shp->shm_createtime = timeval.tv_sec;
49287 shp->shm_segsz = size;
49288 shp->shm_nattch = 0;
49289 shp->shm_file = file;
49290 @@ -878,9 +894,21 @@ long do_shmat(int shmid, char __user *sh
49294 +#ifdef CONFIG_GRKERNSEC
49295 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
49296 + shp->shm_perm.cuid, shmid) ||
49297 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
49303 path = shp->shm_file->f_path;
49306 +#ifdef CONFIG_GRKERNSEC
49307 + shp->shm_lapid = current->pid;
49309 size = i_size_read(path.dentry->d_inode);
49312 diff -urNp linux-2.6.36.2/kernel/acct.c linux-2.6.36.2/kernel/acct.c
49313 --- linux-2.6.36.2/kernel/acct.c 2010-10-20 16:30:22.000000000 -0400
49314 +++ linux-2.6.36.2/kernel/acct.c 2010-12-09 20:24:43.000000000 -0500
49315 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
49317 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
49318 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
49319 - file->f_op->write(file, (char *)&ac,
49320 + file->f_op->write(file, (__force char __user *)&ac,
49321 sizeof(acct_t), &file->f_pos);
49322 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
49324 diff -urNp linux-2.6.36.2/kernel/capability.c linux-2.6.36.2/kernel/capability.c
49325 --- linux-2.6.36.2/kernel/capability.c 2010-10-20 16:30:22.000000000 -0400
49326 +++ linux-2.6.36.2/kernel/capability.c 2010-12-09 20:24:43.000000000 -0500
49327 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
49328 * before modification is attempted and the application
49331 + if (tocopy > ARRAY_SIZE(kdata))
49334 if (copy_to_user(dataptr, kdata, tocopy
49335 * sizeof(struct __user_cap_data_struct))) {
49337 @@ -306,10 +309,21 @@ int capable(int cap)
49341 - if (security_capable(cap) == 0) {
49342 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
49343 + current->flags |= PF_SUPERPRIV;
49349 +int capable_nolog(int cap)
49351 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
49352 current->flags |= PF_SUPERPRIV;
49358 EXPORT_SYMBOL(capable);
49359 +EXPORT_SYMBOL(capable_nolog);
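Review bot: capable_nolog() is exported next to capable(), but the visible lines give it no kernel-doc, and its body repeats capable() with only gr_is_capable_nolog() swapped in. Callers outside this file need to know when skipping the log is acceptable. A comment above the function along the lines of `/* Same checks as capable(), but a denial is not logged by grsecurity. */` would do, with the wording confirmed against gr_is_capable_nolog(). Parts of both functions are not shown in this hunk, so an existing comment may have been elided.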
49360 diff -urNp linux-2.6.36.2/kernel/compat.c linux-2.6.36.2/kernel/compat.c
49361 --- linux-2.6.36.2/kernel/compat.c 2010-10-20 16:30:22.000000000 -0400
49362 +++ linux-2.6.36.2/kernel/compat.c 2010-12-09 20:24:43.000000000 -0500
49365 #include <linux/linkage.h>
49366 #include <linux/compat.h>
49367 +#include <linux/module.h>
49368 #include <linux/errno.h>
49369 #include <linux/time.h>
49370 #include <linux/signal.h>
49371 diff -urNp linux-2.6.36.2/kernel/configs.c linux-2.6.36.2/kernel/configs.c
49372 --- linux-2.6.36.2/kernel/configs.c 2010-10-20 16:30:22.000000000 -0400
49373 +++ linux-2.6.36.2/kernel/configs.c 2010-12-09 20:24:43.000000000 -0500
49374 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
49375 struct proc_dir_entry *entry;
49377 /* create the current config file */
49378 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
49379 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
49380 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
49381 + &ikconfig_file_ops);
49382 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49383 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
49384 + &ikconfig_file_ops);
49387 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
49388 &ikconfig_file_ops);
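Review bot: The inner `#if`/`#elif` chain assigns `entry` only for PROC_USER, HIDESYM or PROC_USERGROUP. A configuration with CONFIG_GRKERNSEC_PROC_ADD set and none of those three would leave `entry` unassigned, assuming the lines not shown between the `#elif` branch and the original proc_create() are just `#endif` and `#else`. If Kconfig makes PROC_ADD depend on one of the PROC_USER options this cannot happen, but the file does not say so. An inner `#else` with `#error "CONFIG_GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` would make the assumption checkable at build time.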
49394 diff -urNp linux-2.6.36.2/kernel/cred.c linux-2.6.36.2/kernel/cred.c
49395 --- linux-2.6.36.2/kernel/cred.c 2010-10-20 16:30:22.000000000 -0400
49396 +++ linux-2.6.36.2/kernel/cred.c 2010-12-09 20:24:43.000000000 -0500
49397 @@ -485,6 +485,8 @@ int commit_creds(struct cred *new)
49399 get_cred(new); /* we will require a ref for the subj creds too */
49401 + gr_set_role_label(task, new->uid, new->gid);
49403 /* dumpability changes */
49404 if (old->euid != new->euid ||
49405 old->egid != new->egid ||
49406 diff -urNp linux-2.6.36.2/kernel/debug/debug_core.c linux-2.6.36.2/kernel/debug/debug_core.c
49407 --- linux-2.6.36.2/kernel/debug/debug_core.c 2010-10-20 16:30:22.000000000 -0400
49408 +++ linux-2.6.36.2/kernel/debug/debug_core.c 2010-12-09 20:24:43.000000000 -0500
49409 @@ -71,7 +71,7 @@ int kgdb_io_module_registered;
49410 /* Guard for recursive entry */
49411 static int exception_level;
49413 -struct kgdb_io *dbg_io_ops;
49414 +const struct kgdb_io *dbg_io_ops;
49415 static DEFINE_SPINLOCK(kgdb_registration_lock);
49417 /* kgdb console driver is loaded */
49418 @@ -873,7 +873,7 @@ static void kgdb_initial_breakpoint(void
49420 * Register it with the KGDB core.
49422 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
49423 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
49427 @@ -918,7 +918,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
49429 * Unregister it with the KGDB core.
49431 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
49432 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
49434 BUG_ON(kgdb_connected);
49436 diff -urNp linux-2.6.36.2/kernel/debug/kdb/kdb_main.c linux-2.6.36.2/kernel/debug/kdb/kdb_main.c
49437 --- linux-2.6.36.2/kernel/debug/kdb/kdb_main.c 2010-10-20 16:30:22.000000000 -0400
49438 +++ linux-2.6.36.2/kernel/debug/kdb/kdb_main.c 2010-12-09 20:24:43.000000000 -0500
49439 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
49440 list_for_each_entry(mod, kdb_modules, list) {
49442 kdb_printf("%-20s%8u 0x%p ", mod->name,
49443 - mod->core_size, (void *)mod);
49444 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
49445 #ifdef CONFIG_MODULE_UNLOAD
49446 kdb_printf("%4d ", module_refcount(mod));
49448 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
49449 kdb_printf(" (Loading)");
49451 kdb_printf(" (Live)");
49452 - kdb_printf(" 0x%p", mod->module_core);
49453 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
49455 #ifdef CONFIG_MODULE_UNLOAD
49457 diff -urNp linux-2.6.36.2/kernel/exit.c linux-2.6.36.2/kernel/exit.c
49458 --- linux-2.6.36.2/kernel/exit.c 2010-12-09 20:53:48.000000000 -0500
49459 +++ linux-2.6.36.2/kernel/exit.c 2010-12-09 21:03:40.000000000 -0500
49461 #include <asm/pgtable.h>
49462 #include <asm/mmu_context.h>
49464 +#ifdef CONFIG_GRKERNSEC
49465 +extern rwlock_t grsec_exec_file_lock;
49468 static void exit_mm(struct task_struct * tsk);
49470 static void __unhash_process(struct task_struct *p, bool group_dead)
49471 @@ -95,6 +99,14 @@ static void __exit_signal(struct task_st
49475 + * This can only happen if the caller is de_thread().
49476 + * FIXME: this is the temporary hack, we should teach
49477 + * posix-cpu-timers to handle this case correctly.
49479 + if (unlikely(has_group_leader_pid(tsk)))
49480 + posix_cpu_timers_exit_group(tsk);
49483 * If there is any task waiting for the group exit
49486 @@ -162,6 +174,8 @@ void release_task(struct task_struct * p
49487 struct task_struct *leader;
49490 + gr_del_task_from_ip_table(p);
49492 tracehook_prepare_release_task(p);
49493 /* don't need to get the RCU readlock here - the process is dead and
49494 * can't be modifying its own credentials. But shut RCU-lockdep up */
49495 @@ -331,11 +345,22 @@ static void reparent_to_kthreadd(void)
49497 write_lock_irq(&tasklist_lock);
49499 +#ifdef CONFIG_GRKERNSEC
49500 + write_lock(&grsec_exec_file_lock);
49501 + if (current->exec_file) {
49502 + fput(current->exec_file);
49503 + current->exec_file = NULL;
49505 + write_unlock(&grsec_exec_file_lock);
49508 ptrace_unlink(current);
49509 /* Reparent to init */
49510 current->real_parent = current->parent = kthreadd_task;
49511 list_move_tail(¤t->sibling, ¤t->real_parent->children);
49513 + gr_set_kernel_label(current);
49515 /* Set the exit signal to SIGCHLD so we signal init on exit */
49516 current->exit_signal = SIGCHLD;
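Review bot: fput() is called on `current->exec_file` while `write_lock(&grsec_exec_file_lock)` is held and, in reparent_to_kthreadd(), inside the `write_lock_irq(&tasklist_lock)` section that opens at the top of this hunk. Dropping the last reference to a file can sleep, which is not allowed under a spinning lock or with interrupts disabled. Detach the pointer under the lock with `struct file *f = current->exec_file; current->exec_file = NULL;` and call `if (f) fput(f);` once the locks are released; the tasklist_lock release is outside this hunk. The same block is repeated in the daemonize() hunk below, so a small helper would cover both.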
49518 @@ -387,7 +412,7 @@ int allow_signal(int sig)
49519 * know it'll be handled, so that they don't get converted to
49520 * SIGKILL or just silently dropped.
49522 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
49523 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
49524 recalc_sigpending();
49525 spin_unlock_irq(¤t->sighand->siglock);
49527 @@ -423,6 +448,17 @@ void daemonize(const char *name, ...)
49528 vsnprintf(current->comm, sizeof(current->comm), name, args);
49531 +#ifdef CONFIG_GRKERNSEC
49532 + write_lock(&grsec_exec_file_lock);
49533 + if (current->exec_file) {
49534 + fput(current->exec_file);
49535 + current->exec_file = NULL;
49537 + write_unlock(&grsec_exec_file_lock);
49540 + gr_set_kernel_label(current);
49543 * If we were started as result of loading a module, close all of the
49544 * user space pages. We don't need them, and if we didn't close them
49545 @@ -894,17 +930,17 @@ NORET_TYPE void do_exit(long code)
49546 struct task_struct *tsk = current;
49549 - profile_task_exit(tsk);
49551 - WARN_ON(atomic_read(&tsk->fs_excl));
49554 + * Check this first since set_fs() below depends on
49555 + * current_thread_info(), which we better not access when we're in
49556 + * interrupt context. Other than that, we want to do the set_fs()
49557 + * as early as possible.
49559 if (unlikely(in_interrupt()))
49560 panic("Aiee, killing interrupt handler!");
49561 - if (unlikely(!tsk->pid))
49562 - panic("Attempted to kill the idle task!");
49565 - * If do_exit is called because this processes oopsed, it's possible
49566 + * If do_exit is called because this processes Oops'ed, it's possible
49567 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
49568 * continuing. Amongst other possible reasons, this is to prevent
49569 * mm_release()->clear_child_tid() from writing to a user-controlled
49570 @@ -912,6 +948,13 @@ NORET_TYPE void do_exit(long code)
49574 + profile_task_exit(tsk);
49576 + WARN_ON(atomic_read(&tsk->fs_excl));
49578 + if (unlikely(!tsk->pid))
49579 + panic("Attempted to kill the idle task!");
49581 tracehook_report_exit(&code);
49583 validate_creds_for_do_exit(tsk);
49584 @@ -972,6 +1015,9 @@ NORET_TYPE void do_exit(long code)
49585 tsk->exit_code = code;
49586 taskstats_exit(tsk, group_dead);
49588 + gr_acl_handle_psacct(tsk, code);
49589 + gr_acl_handle_exit();
49594 diff -urNp linux-2.6.36.2/kernel/fork.c linux-2.6.36.2/kernel/fork.c
49595 --- linux-2.6.36.2/kernel/fork.c 2010-10-20 16:30:22.000000000 -0400
49596 +++ linux-2.6.36.2/kernel/fork.c 2010-12-09 20:24:43.000000000 -0500
49597 @@ -276,7 +276,7 @@ static struct task_struct *dup_task_stru
49598 *stackend = STACK_END_MAGIC; /* for overflow detection */
49600 #ifdef CONFIG_CC_STACKPROTECTOR
49601 - tsk->stack_canary = get_random_int();
49602 + tsk->stack_canary = pax_get_random_long();
49605 /* One for us, one for whoever does the "release_task()" (usually parent) */
49606 @@ -298,13 +298,78 @@ out:
49610 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
49612 + struct vm_area_struct *tmp;
49613 + unsigned long charge;
49614 + struct mempolicy *pol;
49615 + struct file *file;
49618 + if (mpnt->vm_flags & VM_ACCOUNT) {
49619 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
49620 + if (security_vm_enough_memory(len))
49624 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49629 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
49630 + pol = mpol_dup(vma_policy(mpnt));
49632 + goto fail_nomem_policy;
49633 + vma_set_policy(tmp, pol);
49634 + if (anon_vma_fork(tmp, mpnt))
49635 + goto fail_nomem_anon_vma_fork;
49636 + tmp->vm_flags &= ~VM_LOCKED;
49637 + tmp->vm_next = tmp->vm_prev = NULL;
49638 + tmp->vm_mirror = NULL;
49639 + file = tmp->vm_file;
49641 + struct inode *inode = file->f_path.dentry->d_inode;
49642 + struct address_space *mapping = file->f_mapping;
49645 + if (tmp->vm_flags & VM_DENYWRITE)
49646 + atomic_dec(&inode->i_writecount);
49647 + spin_lock(&mapping->i_mmap_lock);
49648 + if (tmp->vm_flags & VM_SHARED)
49649 + mapping->i_mmap_writable++;
49650 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
49651 + flush_dcache_mmap_lock(mapping);
49652 + /* insert tmp into the share list, just after mpnt */
49653 + vma_prio_tree_add(tmp, mpnt);
49654 + flush_dcache_mmap_unlock(mapping);
49655 + spin_unlock(&mapping->i_mmap_lock);
49659 + * Clear hugetlb-related page reserves for children. This only
49660 + * affects MAP_PRIVATE mappings. Faults generated by the child
49661 + * are not guaranteed to succeed, even if read-only
49663 + if (is_vm_hugetlb_page(tmp))
49664 + reset_vma_resv_huge_pages(tmp);
49668 +fail_nomem_anon_vma_fork:
49670 +fail_nomem_policy:
49671 + kmem_cache_free(vm_area_cachep, tmp);
49673 + vm_unacct_memory(charge);
49677 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
49679 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
49680 struct rb_node **rb_link, *rb_parent;
49682 - unsigned long charge;
49683 - struct mempolicy *pol;
49685 down_write(&oldmm->mmap_sem);
49686 flush_cache_dup_mm(oldmm);
49687 @@ -316,8 +381,8 @@ static int dup_mmap(struct mm_struct *mm
49690 mm->mmap_cache = NULL;
49691 - mm->free_area_cache = oldmm->mmap_base;
49692 - mm->cached_hole_size = ~0UL;
49693 + mm->free_area_cache = oldmm->free_area_cache;
49694 + mm->cached_hole_size = oldmm->cached_hole_size;
49696 cpumask_clear(mm_cpumask(mm));
49697 mm->mm_rb = RB_ROOT;
49698 @@ -330,8 +395,6 @@ static int dup_mmap(struct mm_struct *mm
49701 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
49702 - struct file *file;
49704 if (mpnt->vm_flags & VM_DONTCOPY) {
49705 long pages = vma_pages(mpnt);
49706 mm->total_vm -= pages;
49707 @@ -339,56 +402,13 @@ static int dup_mmap(struct mm_struct *mm
49712 - if (mpnt->vm_flags & VM_ACCOUNT) {
49713 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
49714 - if (security_vm_enough_memory(len))
49718 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49722 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
49723 - pol = mpol_dup(vma_policy(mpnt));
49724 - retval = PTR_ERR(pol);
49726 - goto fail_nomem_policy;
49727 - vma_set_policy(tmp, pol);
49729 - if (anon_vma_fork(tmp, mpnt))
49730 - goto fail_nomem_anon_vma_fork;
49731 - tmp->vm_flags &= ~VM_LOCKED;
49732 - tmp->vm_next = tmp->vm_prev = NULL;
49733 - file = tmp->vm_file;
49735 - struct inode *inode = file->f_path.dentry->d_inode;
49736 - struct address_space *mapping = file->f_mapping;
49739 - if (tmp->vm_flags & VM_DENYWRITE)
49740 - atomic_dec(&inode->i_writecount);
49741 - spin_lock(&mapping->i_mmap_lock);
49742 - if (tmp->vm_flags & VM_SHARED)
49743 - mapping->i_mmap_writable++;
49744 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
49745 - flush_dcache_mmap_lock(mapping);
49746 - /* insert tmp into the share list, just after mpnt */
49747 - vma_prio_tree_add(tmp, mpnt);
49748 - flush_dcache_mmap_unlock(mapping);
49749 - spin_unlock(&mapping->i_mmap_lock);
49750 + tmp = dup_vma(mm, mpnt);
49752 + retval = -ENOMEM;
49757 - * Clear hugetlb-related page reserves for children. This only
49758 - * affects MAP_PRIVATE mappings. Faults generated by the child
49759 - * are not guaranteed to succeed, even if read-only
49761 - if (is_vm_hugetlb_page(tmp))
49762 - reset_vma_resv_huge_pages(tmp);
49765 * Link in the new vma and copy the page table entries.
49768 @@ -409,6 +429,31 @@ static int dup_mmap(struct mm_struct *mm
49773 +#ifdef CONFIG_PAX_SEGMEXEC
49774 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
49775 + struct vm_area_struct *mpnt_m;
49777 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
49778 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
49780 + if (!mpnt->vm_mirror)
49783 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
49784 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
49785 + mpnt->vm_mirror = mpnt_m;
49787 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
49788 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
49789 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
49790 + mpnt->vm_mirror->vm_mirror = mpnt;
49797 /* a new mm has just been created */
49798 arch_dup_mmap(oldmm, mm);
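Review bot: The lockstep walk `for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; ...)` assumes the child list has exactly one VMA for every parent VMA, but the copy loop earlier in dup_mmap() skips mappings flagged VM_DONTCOPY (see the hunk at -330). After one skipped mapping mpnt_m no longer corresponds to mpnt, so the mirror pointers would be paired with the wrong VMA or one of the BUG_ON() checks would fire. Unless something outside these hunks guarantees a SEGMEXEC task never has such a mapping, advance mpnt_m only for parent VMAs that were actually copied, testing `mpnt->vm_flags & VM_DONTCOPY` first. Several lines of the loop body are not shown here.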
49800 @@ -417,14 +462,6 @@ out:
49801 flush_tlb_mm(oldmm);
49802 up_write(&oldmm->mmap_sem);
49804 -fail_nomem_anon_vma_fork:
49806 -fail_nomem_policy:
49807 - kmem_cache_free(vm_area_cachep, tmp);
49809 - retval = -ENOMEM;
49810 - vm_unacct_memory(charge);
49814 static inline int mm_alloc_pgd(struct mm_struct * mm)
49815 @@ -760,13 +797,14 @@ static int copy_fs(unsigned long clone_f
49816 spin_unlock(&fs->lock);
49820 + atomic_inc(&fs->users);
49821 spin_unlock(&fs->lock);
49824 tsk->fs = copy_fs_struct(fs);
49827 + gr_set_chroot_entries(tsk, &tsk->fs->root);
49831 @@ -1020,10 +1058,13 @@ static struct task_struct *copy_process(
49833 if (!vx_nproc_avail(1))
49834 goto bad_fork_free;
49836 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
49838 if (atomic_read(&p->real_cred->user->processes) >=
49839 task_rlimit(p, RLIMIT_NPROC)) {
49840 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
49841 - p->real_cred->user != INIT_USER)
49842 + if (p->real_cred->user != INIT_USER &&
49843 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
49844 goto bad_fork_free;
49847 @@ -1177,6 +1218,8 @@ static struct task_struct *copy_process(
49848 goto bad_fork_free_pid;
49851 + gr_copy_label(p);
49853 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
49855 * Clear TID on mm_release()?
49856 @@ -1329,6 +1372,8 @@ bad_fork_cleanup_count:
49860 + gr_log_forkfail(retval);
49862 return ERR_PTR(retval);
49865 @@ -1434,6 +1479,8 @@ long do_fork(unsigned long clone_flags,
49866 if (clone_flags & CLONE_PARENT_SETTID)
49867 put_user(nr, parent_tidptr);
49869 + gr_handle_brute_check();
49871 if (clone_flags & CLONE_VFORK) {
49872 p->vfork_done = &vfork;
49873 init_completion(&vfork);
49874 @@ -1558,7 +1605,7 @@ static int unshare_fs(unsigned long unsh
49877 /* don't need lock here; in the worst case we'll do useless copy */
49878 - if (fs->users == 1)
49879 + if (atomic_read(&fs->users) == 1)
49882 *new_fsp = copy_fs_struct(fs);
49883 @@ -1681,7 +1728,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
49885 spin_lock(&fs->lock);
49886 current->fs = new_fs;
49888 + gr_set_chroot_entries(current, ¤t->fs->root);
49889 + if (atomic_dec_return(&fs->users))
49893 diff -urNp linux-2.6.36.2/kernel/futex.c linux-2.6.36.2/kernel/futex.c
49894 --- linux-2.6.36.2/kernel/futex.c 2010-11-26 18:26:25.000000000 -0500
49895 +++ linux-2.6.36.2/kernel/futex.c 2010-12-09 20:24:42.000000000 -0500
49897 #include <linux/mount.h>
49898 #include <linux/pagemap.h>
49899 #include <linux/syscalls.h>
49900 +#include <linux/ptrace.h>
49901 #include <linux/signal.h>
49902 #include <linux/module.h>
49903 #include <linux/magic.h>
49904 @@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
49908 +#ifdef CONFIG_PAX_SEGMEXEC
49909 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
49914 * The futex address must be "naturally" aligned.
49916 @@ -1841,7 +1847,7 @@ retry:
49918 restart = ¤t_thread_info()->restart_block;
49919 restart->fn = futex_wait_restart;
49920 - restart->futex.uaddr = (u32 *)uaddr;
49921 + restart->futex.uaddr = uaddr;
49922 restart->futex.val = val;
49923 restart->futex.time = abs_time->tv64;
49924 restart->futex.bitset = bitset;
49925 @@ -2377,7 +2383,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
49927 struct robust_list_head __user *head;
49929 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
49930 const struct cred *cred = current_cred(), *pcred;
49933 if (!futex_cmpxchg_enabled)
49935 @@ -2393,11 +2401,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
49939 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49940 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
49943 pcred = __task_cred(p);
49944 if (cred->euid != pcred->euid &&
49945 cred->euid != pcred->uid &&
49946 !capable(CAP_SYS_PTRACE))
49949 head = p->robust_list;
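Review bot: The ptrace_may_access() check replaces the euid/uid comparison only when CONFIG_GRKERNSEC_PROC_MEMMAP is set. Every other configuration still returns `p->robust_list`, a pointer into the target's address space, on a bare uid match. That comparison presumably ignores what ptrace_may_access() also considers, such as dumpability and LSM policy, so the stricter check looks like the right default rather than an option. Suggest dropping the `#ifdef` and using `if (!ptrace_may_access(p, PTRACE_MODE_READ))` with the existing failure path unconditionally. The compat_sys_get_robust_list() hunk in kernel/futex_compat.c has the same split.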
49952 @@ -2459,7 +2472,7 @@ retry:
49954 static inline int fetch_robust_entry(struct robust_list __user **entry,
49955 struct robust_list __user * __user *head,
49957 + unsigned int *pi)
49959 unsigned long uentry;
49961 diff -urNp linux-2.6.36.2/kernel/futex_compat.c linux-2.6.36.2/kernel/futex_compat.c
49962 --- linux-2.6.36.2/kernel/futex_compat.c 2010-10-20 16:30:22.000000000 -0400
49963 +++ linux-2.6.36.2/kernel/futex_compat.c 2010-12-09 20:24:43.000000000 -0500
49965 #include <linux/compat.h>
49966 #include <linux/nsproxy.h>
49967 #include <linux/futex.h>
49968 +#include <linux/ptrace.h>
49970 #include <asm/uaccess.h>
49972 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
49974 struct compat_robust_list_head __user *head;
49976 - const struct cred *cred = current_cred(), *pcred;
49977 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
49978 + const struct cred *cred = current_cred();
49979 + const struct cred *pcred;
49982 if (!futex_cmpxchg_enabled)
49984 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
49988 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49989 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
49992 pcred = __task_cred(p);
49993 if (cred->euid != pcred->euid &&
49994 cred->euid != pcred->uid &&
49995 !capable(CAP_SYS_PTRACE))
49998 head = p->compat_robust_list;
50001 diff -urNp linux-2.6.36.2/kernel/gcov/base.c linux-2.6.36.2/kernel/gcov/base.c
50002 --- linux-2.6.36.2/kernel/gcov/base.c 2010-10-20 16:30:22.000000000 -0400
50003 +++ linux-2.6.36.2/kernel/gcov/base.c 2010-12-09 20:24:43.000000000 -0500
50004 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
50007 #ifdef CONFIG_MODULES
50008 -static inline int within(void *addr, void *start, unsigned long size)
50010 - return ((addr >= start) && (addr < start + size));
50013 /* Update list and generate events when modules are unloaded. */
50014 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
50016 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
50018 /* Remove entries located in module from linked list. */
50019 for (info = gcov_info_head; info; info = info->next) {
50020 - if (within(info, mod->module_core, mod->core_size)) {
50021 + if (within_module_core_rw((unsigned long)info, mod)) {
50023 prev->next = info->next;
50025 diff -urNp linux-2.6.36.2/kernel/hrtimer.c linux-2.6.36.2/kernel/hrtimer.c
50026 --- linux-2.6.36.2/kernel/hrtimer.c 2010-10-20 16:30:22.000000000 -0400
50027 +++ linux-2.6.36.2/kernel/hrtimer.c 2010-12-09 20:24:43.000000000 -0500
50028 @@ -1401,7 +1401,7 @@ void hrtimer_peek_ahead_timers(void)
50029 local_irq_restore(flags);
50032 -static void run_hrtimer_softirq(struct softirq_action *h)
50033 +static void run_hrtimer_softirq(void)
50035 hrtimer_peek_ahead_timers();
50037 diff -urNp linux-2.6.36.2/kernel/kallsyms.c linux-2.6.36.2/kernel/kallsyms.c
50038 --- linux-2.6.36.2/kernel/kallsyms.c 2010-10-20 16:30:22.000000000 -0400
50039 +++ linux-2.6.36.2/kernel/kallsyms.c 2010-12-09 20:24:43.000000000 -0500
50041 * Changed the compression method from stem compression to "table lookup"
50042 * compression (see scripts/kallsyms.c for a more complete description)
50044 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50045 +#define __INCLUDED_BY_HIDESYM 1
50047 #include <linux/kallsyms.h>
50048 #include <linux/module.h>
50049 #include <linux/init.h>
50050 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
50052 static inline int is_kernel_inittext(unsigned long addr)
50054 + if (system_state != SYSTEM_BOOTING)
50057 if (addr >= (unsigned long)_sinittext
50058 && addr <= (unsigned long)_einittext)
50063 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50064 +#ifdef CONFIG_MODULES
50065 +static inline int is_module_text(unsigned long addr)
50067 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
50070 + addr = ktla_ktva(addr);
50071 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
50074 +static inline int is_module_text(unsigned long addr)
50081 static inline int is_kernel_text(unsigned long addr)
50083 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
50084 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
50086 static inline int is_kernel(unsigned long addr)
50089 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50090 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
50093 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
50095 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
50099 return in_gate_area_no_task(addr);
50102 static int is_ksym_addr(unsigned long addr)
50105 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50106 + if (is_module_text(addr))
50111 return is_kernel(addr);
50113 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
50115 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
50117 - iter->name[0] = '\0';
50118 iter->nameoff = get_symbol_offset(new_pos);
50119 iter->pos = new_pos;
50121 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
50123 struct kallsym_iter *iter = m->private;
50125 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50126 + if (current_uid())
50130 /* Some debugging symbols have no name. Ignore them. */
50131 if (!iter->name[0])
50133 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
50134 struct kallsym_iter *iter;
50137 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
50138 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
50141 reset_iter(iter, 0);
50142 diff -urNp linux-2.6.36.2/kernel/kmod.c linux-2.6.36.2/kernel/kmod.c
50143 --- linux-2.6.36.2/kernel/kmod.c 2010-10-20 16:30:22.000000000 -0400
50144 +++ linux-2.6.36.2/kernel/kmod.c 2010-12-09 20:24:42.000000000 -0500
50145 @@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
50149 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
50150 + /* we could do a tighter check here, but some distros
50151 + are taking it upon themselves to remove CAP_SYS_MODULE
50152 + from even root-running apps which cause modules to be
50155 + if (current_uid()) {
50156 + gr_log_nonroot_mod_load(module_name);
50161 /* If modprobe needs a service that is in a module, we get a recursive
50162 * loop. Limit the number of running kmod threads to max_threads/2 or
50163 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
50164 diff -urNp linux-2.6.36.2/kernel/kprobes.c linux-2.6.36.2/kernel/kprobes.c
50165 --- linux-2.6.36.2/kernel/kprobes.c 2010-10-20 16:30:22.000000000 -0400
50166 +++ linux-2.6.36.2/kernel/kprobes.c 2010-12-09 20:24:43.000000000 -0500
50167 @@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
50168 * kernel image and loaded module images reside. This is required
50169 * so x86_64 can correctly handle the %rip-relative fixups.
50171 - kip->insns = module_alloc(PAGE_SIZE);
50172 + kip->insns = module_alloc_exec(PAGE_SIZE);
50176 @@ -223,7 +223,7 @@ static int __kprobes collect_one_slot(st
50178 if (!list_is_singular(&kip->list)) {
50179 list_del(&kip->list);
50180 - module_free(NULL, kip->insns);
50181 + module_free_exec(NULL, kip->insns);
50185 @@ -1709,7 +1709,7 @@ static int __init init_kprobes(void)
50188 unsigned long offset = 0, size = 0;
50189 - char *modname, namebuf[128];
50190 + char *modname, namebuf[KSYM_NAME_LEN];
50191 const char *symbol_name;
50193 struct kprobe_blackpoint *kb;
50194 @@ -1835,7 +1835,7 @@ static int __kprobes show_kprobe_addr(st
50195 const char *sym = NULL;
50196 unsigned int i = *(loff_t *) v;
50197 unsigned long offset = 0;
50198 - char *modname, namebuf[128];
50199 + char *modname, namebuf[KSYM_NAME_LEN];
50201 head = &kprobe_table[i];
50203 diff -urNp linux-2.6.36.2/kernel/lockdep.c linux-2.6.36.2/kernel/lockdep.c
50204 --- linux-2.6.36.2/kernel/lockdep.c 2010-10-20 16:30:22.000000000 -0400
50205 +++ linux-2.6.36.2/kernel/lockdep.c 2010-12-09 20:24:43.000000000 -0500
50206 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
50207 end = (unsigned long) &_end,
50208 addr = (unsigned long) obj;
50210 +#ifdef CONFIG_PAX_KERNEXEC
50211 + start = ktla_ktva(start);
50217 @@ -696,6 +700,7 @@ register_lock_class(struct lockdep_map *
50218 if (!static_obj(lock->key)) {
50220 printk("INFO: trying to register non-static key.\n");
50221 + printk("lock:%pS key:%pS.\n", lock, lock->key);
50222 printk("the code is fine but needs lockdep annotation.\n");
50223 printk("turning off the locking correctness validator.\n");
50225 @@ -2760,7 +2765,7 @@ static int __lock_acquire(struct lockdep
50229 - atomic_inc((atomic_t *)&class->ops);
50230 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
50231 if (very_verbose(class)) {
50232 printk("\nacquire class [%p] %s", class->key, class->name);
50233 if (class->name_version > 1)
50234 diff -urNp linux-2.6.36.2/kernel/lockdep_proc.c linux-2.6.36.2/kernel/lockdep_proc.c
50235 --- linux-2.6.36.2/kernel/lockdep_proc.c 2010-10-20 16:30:22.000000000 -0400
50236 +++ linux-2.6.36.2/kernel/lockdep_proc.c 2010-12-09 20:24:43.000000000 -0500
50237 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
50239 static void print_name(struct seq_file *m, struct lock_class *class)
50242 + char str[KSYM_NAME_LEN];
50243 const char *name = class->name;
50246 diff -urNp linux-2.6.36.2/kernel/module.c linux-2.6.36.2/kernel/module.c
50247 --- linux-2.6.36.2/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
50248 +++ linux-2.6.36.2/kernel/module.c 2010-12-09 20:24:43.000000000 -0500
50249 @@ -96,7 +96,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
50251 /* Bounds of module allocation, for speeding __module_address.
50252 * Protected by module_mutex. */
50253 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
50254 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
50255 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
50257 int register_module_notifier(struct notifier_block * nb)
50259 @@ -260,7 +261,7 @@ bool each_symbol(bool (*fn)(const struct
50262 list_for_each_entry_rcu(mod, &modules, list) {
50263 - struct symsearch arr[] = {
50264 + struct symsearch modarr[] = {
50265 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
50266 NOT_GPL_ONLY, false },
50267 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
50268 @@ -282,7 +283,7 @@ bool each_symbol(bool (*fn)(const struct
50272 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
50273 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
50277 @@ -393,7 +394,7 @@ static inline void __percpu *mod_percpu(
50278 static int percpu_modalloc(struct module *mod,
50279 unsigned long size, unsigned long align)
50281 - if (align > PAGE_SIZE) {
50282 + if (align-1 >= PAGE_SIZE) {
50283 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
50284 mod->name, align, PAGE_SIZE);
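Review bot: The zero-alignment case that `align-1 >= PAGE_SIZE` now rejects is not documented, and the warning under it still prints "per-cpu alignment %li > %li", which reads as "0 > PAGE_SIZE" for that input. The test relies on `align` being `unsigned long`, so that `align-1` wraps for zero. A comment such as `/* align - 1 wraps for align == 0, so a zero alignment is rejected too */` would make that visible. The format for `align` could also become `%lu`. The body of percpu_modalloc continues outside the hunk.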
50286 @@ -1565,15 +1566,18 @@ static void free_module(struct module *m
50287 destroy_params(mod->kp, mod->num_kp);
50289 /* This may be NULL, but that's OK */
50290 - module_free(mod, mod->module_init);
50291 + module_free(mod, mod->module_init_rw);
50292 + module_free_exec(mod, mod->module_init_rx);
50294 percpu_modfree(mod);
50296 /* Free lock-classes: */
50297 - lockdep_free_key_range(mod->module_core, mod->core_size);
50298 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
50299 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
50301 /* Finally, free the core (containing the module structure) */
50302 - module_free(mod, mod->module_core);
50303 + module_free_exec(mod, mod->module_core_rx);
50304 + module_free(mod, mod->module_core_rw);
50307 update_protections(current->mm);
50308 @@ -1666,7 +1670,9 @@ static int simplify_symbols(struct modul
50309 ksym = resolve_symbol_wait(mod, info, name);
50310 /* Ok if resolved. */
50311 if (ksym && !IS_ERR(ksym)) {
50312 + pax_open_kernel();
50313 sym[i].st_value = ksym->value;
50314 + pax_close_kernel();
50318 @@ -1685,7 +1691,9 @@ static int simplify_symbols(struct modul
50319 secbase = (unsigned long)mod_percpu(mod);
50321 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
50322 + pax_open_kernel();
50323 sym[i].st_value += secbase;
50324 + pax_close_kernel();
50328 @@ -1773,11 +1781,12 @@ static void layout_sections(struct modul
50329 || s->sh_entsize != ~0UL
50330 || strstarts(sname, ".init"))
50332 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
50333 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
50334 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
50336 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
50337 DEBUGP("\t%s\n", name);
50340 - mod->core_text_size = mod->core_size;
50343 DEBUGP("Init section allocation order:\n");
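Review bot: The placement test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is spelled out here, again in the init-section loop of the next hunk, and twice more in move_module, where the destination address is chosen. Layout and copy must agree on which region a section belongs to, so an edit to one copy would silently place a section at an offset computed for the other region. A small static predicate holding that expression, used as `if (section_is_rw(s))` (the name is only a suggestion), would keep the decision in one place. layout_sections starts before this hunk and continues after it.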
50344 @@ -1791,12 +1800,13 @@ static void layout_sections(struct modul
50345 || s->sh_entsize != ~0UL
50346 || !strstarts(sname, ".init"))
50348 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
50349 - | INIT_OFFSET_MASK);
50350 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
50351 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
50353 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
50354 + s->sh_entsize |= INIT_OFFSET_MASK;
50355 DEBUGP("\t%s\n", sname);
50358 - mod->init_text_size = mod->init_size;
50362 @@ -1964,7 +1974,7 @@ static void layout_symtab(struct module
50364 /* Put symbol section at end of init part of module. */
50365 symsect->sh_flags |= SHF_ALLOC;
50366 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
50367 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
50368 info->index.sym) | INIT_OFFSET_MASK;
50369 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
50371 @@ -1981,19 +1991,19 @@ static void layout_symtab(struct module
50374 /* Append room for core symbols at end of core part. */
50375 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
50376 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
50377 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
50378 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
50380 /* Put string table section at end of init part of module. */
50381 strsect->sh_flags |= SHF_ALLOC;
50382 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
50383 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
50384 info->index.str) | INIT_OFFSET_MASK;
50385 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
50387 /* Append room for core symbols' strings at end of core part. */
50388 - info->stroffs = mod->core_size;
50389 + info->stroffs = mod->core_size_rx;
50390 __set_bit(0, info->strmap);
50391 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
50392 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
50395 static void add_kallsyms(struct module *mod, const struct load_info *info)
50396 @@ -2009,11 +2019,13 @@ static void add_kallsyms(struct module *
50397 /* Make sure we get permanent strtab: don't use info->strtab. */
50398 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
50400 + pax_open_kernel();
50402 /* Set types up while we still have access to sections. */
50403 for (i = 0; i < mod->num_symtab; i++)
50404 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
50406 - mod->core_symtab = dst = mod->module_core + info->symoffs;
50407 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
50410 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
50411 @@ -2026,10 +2038,12 @@ static void add_kallsyms(struct module *
50413 mod->core_num_syms = ndst;
50415 - mod->core_strtab = s = mod->module_core + info->stroffs;
50416 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
50417 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
50418 if (test_bit(i, info->strmap))
50419 *++s = mod->strtab[i];
50421 + pax_close_kernel();
50424 static inline void layout_symtab(struct module *mod, struct load_info *info)
50425 @@ -2058,17 +2072,33 @@ static void dynamic_debug_remove(struct
50426 ddebug_remove_module(debug->modname);
50429 -static void *module_alloc_update_bounds(unsigned long size)
50430 +static void *module_alloc_update_bounds_rw(unsigned long size)
50432 void *ret = module_alloc(size);
50435 mutex_lock(&module_mutex);
50436 /* Update module bounds. */
50437 - if ((unsigned long)ret < module_addr_min)
50438 - module_addr_min = (unsigned long)ret;
50439 - if ((unsigned long)ret + size > module_addr_max)
50440 - module_addr_max = (unsigned long)ret + size;
50441 + if ((unsigned long)ret < module_addr_min_rw)
50442 + module_addr_min_rw = (unsigned long)ret;
50443 + if ((unsigned long)ret + size > module_addr_max_rw)
50444 + module_addr_max_rw = (unsigned long)ret + size;
50445 + mutex_unlock(&module_mutex);
50450 +static void *module_alloc_update_bounds_rx(unsigned long size)
50452 + void *ret = module_alloc_exec(size);
50455 + mutex_lock(&module_mutex);
50456 + /* Update module bounds. */
50457 + if ((unsigned long)ret < module_addr_min_rx)
50458 + module_addr_min_rx = (unsigned long)ret;
50459 + if ((unsigned long)ret + size > module_addr_max_rx)
50460 + module_addr_max_rx = (unsigned long)ret + size;
50461 mutex_unlock(&module_mutex);
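Review bot: `module_alloc_update_bounds_rx` is a line-for-line copy of `module_alloc_update_bounds_rw`, differing only in the allocator it calls and the pair of bounds it updates. Passing the bounds by pointer to one shared helper would remove the duplicated locking and comparison code, so a later fix to the bounds logic cannot be applied to one region and missed in the other. Some lines of both functions are missing from the page, so the sketch below leaves the check on `ret` and the return as they are.

```c
/* Grow the tracked bounds so they include the new allocation. */
static void module_update_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	mutex_lock(&module_mutex);
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
	mutex_unlock(&module_mutex);
}

static void *module_alloc_update_bounds_rx(unsigned long size)
{
	void *ret = module_alloc_exec(size);
	/* … unchanged: guard on ret … */
	module_update_bounds(ret, size, &module_addr_min_rx, &module_addr_max_rx);
	/* … unchanged: return ret … */
```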
50464 @@ -2344,7 +2374,7 @@ static int move_module(struct module *mo
50467 /* Do the allocs. */
50468 - ptr = module_alloc_update_bounds(mod->core_size);
50469 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
50471 * The pointer to this block is stored in the module structure
50472 * which is inside the block. Just mark it as not being a
50473 @@ -2354,23 +2384,50 @@ static int move_module(struct module *mo
50477 - memset(ptr, 0, mod->core_size);
50478 - mod->module_core = ptr;
50479 + memset(ptr, 0, mod->core_size_rw);
50480 + mod->module_core_rw = ptr;
50482 - ptr = module_alloc_update_bounds(mod->init_size);
50483 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
50485 * The pointer to this block is stored in the module structure
50486 * which is inside the block. This block doesn't need to be
50487 * scanned as it contains data and code that will be freed
50488 * after the module is initialized.
50490 - kmemleak_ignore(ptr);
50491 - if (!ptr && mod->init_size) {
50492 - module_free(mod, mod->module_core);
50493 + kmemleak_not_leak(ptr);
50494 + if (!ptr && mod->init_size_rw) {
50495 + module_free(mod, mod->module_core_rw);
50498 + memset(ptr, 0, mod->init_size_rw);
50499 + mod->module_init_rw = ptr;
50501 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
50502 + kmemleak_not_leak(ptr);
50504 + module_free(mod, mod->module_init_rw);
50505 + module_free(mod, mod->module_core_rw);
50508 - memset(ptr, 0, mod->init_size);
50509 - mod->module_init = ptr;
50511 + pax_open_kernel();
50512 + memset(ptr, 0, mod->core_size_rx);
50513 + pax_close_kernel();
50514 + mod->module_core_rx = ptr;
50516 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
50517 + kmemleak_not_leak(ptr);
50518 + if (!ptr && mod->init_size_rx) {
50519 + module_free_exec(mod, mod->module_core_rx);
50520 + module_free(mod, mod->module_init_rw);
50521 + module_free(mod, mod->module_core_rw);
50525 + pax_open_kernel();
50526 + memset(ptr, 0, mod->init_size_rx);
50527 + pax_close_kernel();
50528 + mod->module_init_rx = ptr;
50530 /* Transfer each section which specifies SHF_ALLOC */
50531 DEBUGP("final section addresses:\n");
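Review bot: The retained comment above the init allocation says the block "doesn't need to be scanned", yet the call under it changes from `kmemleak_ignore(ptr)` to `kmemleak_not_leak(ptr)`. That call only suppresses the leak report and leaves the block in kmemleak's scan set. Either keep `kmemleak_ignore(ptr)` for the init blocks or reword the comment to say why scanning is now wanted. The two new rx allocations also call `kmemleak_not_leak(ptr)` with no comment; a line such as `/* rx blocks are referenced from struct module, which lives in the rw core block */` would help, if that is the reason. move_module starts before this hunk and continues after it.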
50532 @@ -2381,16 +2438,45 @@ static int move_module(struct module *mo
50533 if (!(shdr->sh_flags & SHF_ALLOC))
50536 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
50537 - dest = mod->module_init
50538 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50540 - dest = mod->module_core + shdr->sh_entsize;
50541 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
50542 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
50543 + dest = mod->module_init_rw
50544 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50546 + dest = mod->module_init_rx
50547 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50549 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
50550 + dest = mod->module_core_rw + shdr->sh_entsize;
50552 + dest = mod->module_core_rx + shdr->sh_entsize;
50555 + if (shdr->sh_type != SHT_NOBITS) {
50557 +#ifdef CONFIG_PAX_KERNEXEC
50558 +#ifdef CONFIG_X86_64
50559 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
50560 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
50562 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
50563 + pax_open_kernel();
50564 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
50565 + pax_close_kernel();
50569 - if (shdr->sh_type != SHT_NOBITS)
50570 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
50572 /* Update sh_addr to point to copy in image. */
50573 - shdr->sh_addr = (unsigned long)dest;
50575 +#ifdef CONFIG_PAX_KERNEXEC
50576 + if (shdr->sh_flags & SHF_EXECINSTR)
50577 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
50581 + shdr->sh_addr = (unsigned long)dest;
50582 DEBUGP("\t0x%lx %s\n",
50583 shdr->sh_addr, info->secstrings + shdr->sh_name);
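Review bot: The page count given to `set_memory_x()`, `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT`, does not account for where `dest` sits inside its page. It covers one page too many when the section is page-aligned and a whole number of pages long, and it can stop a page short when an unaligned section straddles a page boundary. This branch handles sections that are both writable and executable, so any extra page made executable presumably holds other writable module data. Computing the count from the rounded range, `(PAGE_ALIGN((unsigned long)dest + shdr->sh_size) - ((unsigned long)dest & PAGE_MASK)) >> PAGE_SHIFT`, and passing the page-aligned start would bound it exactly. Several lines of this hunk are missing from the page, so the surrounding #ifdef structure could not be checked.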
50585 @@ -2441,12 +2527,12 @@ static void flush_module_icache(const st
50586 * Do it before processing of module parameters, so the module
50587 * can provide parameter accessor functions of its own.
50589 - if (mod->module_init)
50590 - flush_icache_range((unsigned long)mod->module_init,
50591 - (unsigned long)mod->module_init
50592 - + mod->init_size);
50593 - flush_icache_range((unsigned long)mod->module_core,
50594 - (unsigned long)mod->module_core + mod->core_size);
50595 + if (mod->module_init_rx)
50596 + flush_icache_range((unsigned long)mod->module_init_rx,
50597 + (unsigned long)mod->module_init_rx
50598 + + mod->init_size_rx);
50599 + flush_icache_range((unsigned long)mod->module_core_rx,
50600 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
50604 @@ -2518,8 +2604,10 @@ static void module_deallocate(struct mod
50606 kfree(info->strmap);
50607 percpu_modfree(mod);
50608 - module_free(mod, mod->module_init);
50609 - module_free(mod, mod->module_core);
50610 + module_free_exec(mod, mod->module_init_rx);
50611 + module_free_exec(mod, mod->module_core_rx);
50612 + module_free(mod, mod->module_init_rw);
50613 + module_free(mod, mod->module_core_rw);
50616 static int post_relocation(struct module *mod, const struct load_info *info)
50617 @@ -2747,10 +2835,12 @@ SYSCALL_DEFINE3(init_module, void __user
50618 mod->symtab = mod->core_symtab;
50619 mod->strtab = mod->core_strtab;
50621 - module_free(mod, mod->module_init);
50622 - mod->module_init = NULL;
50623 - mod->init_size = 0;
50624 - mod->init_text_size = 0;
50625 + module_free(mod, mod->module_init_rw);
50626 + module_free_exec(mod, mod->module_init_rx);
50627 + mod->module_init_rw = NULL;
50628 + mod->module_init_rx = NULL;
50629 + mod->init_size_rw = 0;
50630 + mod->init_size_rx = 0;
50631 mutex_unlock(&module_mutex);
50634 @@ -2781,10 +2871,16 @@ static const char *get_ksymbol(struct mo
50635 unsigned long nextval;
50637 /* At worse, next value is at end of module */
50638 - if (within_module_init(addr, mod))
50639 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
50640 + if (within_module_init_rx(addr, mod))
50641 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
50642 + else if (within_module_init_rw(addr, mod))
50643 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
50644 + else if (within_module_core_rx(addr, mod))
50645 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
50646 + else if (within_module_core_rw(addr, mod))
50647 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
50649 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
50652 /* Scan for closest preceeding symbol, and next symbol. (ELF
50653 starts real symbols at 1). */
50654 @@ -3030,7 +3126,7 @@ static int m_show(struct seq_file *m, vo
50657 seq_printf(m, "%s %u",
50658 - mod->name, mod->init_size + mod->core_size);
50659 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
50660 print_unload_info(m, mod);
50662 /* Informative for users. */
50663 @@ -3039,7 +3135,7 @@ static int m_show(struct seq_file *m, vo
50664 mod->state == MODULE_STATE_COMING ? "Loading":
50666 /* Used by oprofile and other similar tools. */
50667 - seq_printf(m, " 0x%p", mod->module_core);
50668 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
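Review bot: The last field of each /proc/modules line becomes two addresses instead of one, and nothing documents the new layout, although the comment directly above says oprofile and similar tools read this value. A parser that expects a single trailing address will see an extra column. The comment could be extended to `/* Used by oprofile and other similar tools: core rx address, then core rw address. */`, and the format change belongs in the patch description as well. m_show starts and ends outside the hunk.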
50672 @@ -3075,7 +3171,17 @@ static const struct file_operations proc
50674 static int __init proc_modules_init(void)
50676 +#ifndef CONFIG_GRKERNSEC_HIDESYM
50677 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50678 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
50679 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50680 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
50682 proc_create("modules", 0, NULL, &proc_modules_operations);
50685 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
50689 module_init(proc_modules_init);
50690 @@ -3134,12 +3240,12 @@ struct module *__module_address(unsigned
50692 struct module *mod;
50694 - if (addr < module_addr_min || addr > module_addr_max)
50695 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
50696 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
50699 list_for_each_entry_rcu(mod, &modules, list)
50700 - if (within_module_core(addr, mod)
50701 - || within_module_init(addr, mod))
50702 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
50706 @@ -3173,11 +3279,20 @@ bool is_module_text_address(unsigned lon
50708 struct module *__module_text_address(unsigned long addr)
50710 - struct module *mod = __module_address(addr);
50711 + struct module *mod;
50713 +#ifdef CONFIG_X86_32
50714 + addr = ktla_ktva(addr);
50717 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
50720 + mod = __module_address(addr);
50723 /* Make sure it's within the text section. */
50724 - if (!within(addr, mod->module_init, mod->init_text_size)
50725 - && !within(addr, mod->module_core, mod->core_text_size))
50726 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
50730 diff -urNp linux-2.6.36.2/kernel/panic.c linux-2.6.36.2/kernel/panic.c
50731 --- linux-2.6.36.2/kernel/panic.c 2010-10-20 16:30:22.000000000 -0400
50732 +++ linux-2.6.36.2/kernel/panic.c 2010-12-09 20:24:43.000000000 -0500
50733 @@ -368,7 +368,7 @@ static void warn_slowpath_common(const c
50736 printk(KERN_WARNING "------------[ cut here ]------------\n");
50737 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
50738 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
50739 board = dmi_get_system_info(DMI_PRODUCT_NAME);
50741 printk(KERN_WARNING "Hardware name: %s\n", board);
50742 @@ -423,7 +423,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
50744 void __stack_chk_fail(void)
50746 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
50748 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
50749 __builtin_return_address(0));
50751 EXPORT_SYMBOL(__stack_chk_fail);
50752 diff -urNp linux-2.6.36.2/kernel/pid.c linux-2.6.36.2/kernel/pid.c
50753 --- linux-2.6.36.2/kernel/pid.c 2010-10-20 16:30:22.000000000 -0400
50754 +++ linux-2.6.36.2/kernel/pid.c 2010-12-09 20:24:42.000000000 -0500
50756 #include <linux/rculist.h>
50757 #include <linux/bootmem.h>
50758 #include <linux/hash.h>
50759 +#include <linux/security.h>
50760 #include <linux/pid_namespace.h>
50761 #include <linux/init_task.h>
50762 #include <linux/syscalls.h>
50763 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
50765 int pid_max = PID_MAX_DEFAULT;
50767 -#define RESERVED_PIDS 300
50768 +#define RESERVED_PIDS 500
50770 int pid_max_min = RESERVED_PIDS + 1;
50771 int pid_max_max = PID_MAX_LIMIT;
50772 @@ -416,7 +417,14 @@ EXPORT_SYMBOL(pid_task);
50774 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
50776 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
50777 + struct task_struct *task;
50779 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
50781 + if (gr_pid_is_chrooted(task))
50787 struct task_struct *find_task_by_vpid(pid_t vnr)
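Review bot: The result of `pid_task()` goes straight into `gr_pid_is_chrooted(task)` in the lines shown, and pid_task() returns NULL when no task matches, so the helper has to tolerate a NULL argument. gr_pid_is_chrooted() is defined outside this hunk and some lines of the new body are missing from the page, so that cannot be confirmed here. Either guard the call, `if (task && gr_pid_is_chrooted(task))`, or state the requirement in a comment above it.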
50788 diff -urNp linux-2.6.36.2/kernel/posix-cpu-timers.c linux-2.6.36.2/kernel/posix-cpu-timers.c
50789 --- linux-2.6.36.2/kernel/posix-cpu-timers.c 2010-10-20 16:30:22.000000000 -0400
50790 +++ linux-2.6.36.2/kernel/posix-cpu-timers.c 2010-12-09 20:24:43.000000000 -0500
50792 #include <linux/posix-timers.h>
50793 #include <linux/errno.h>
50794 #include <linux/math64.h>
50795 +#include <linux/security.h>
50796 #include <asm/uaccess.h>
50797 #include <linux/kernel_stat.h>
50798 #include <trace/events/timer.h>
50799 diff -urNp linux-2.6.36.2/kernel/power/hibernate.c linux-2.6.36.2/kernel/power/hibernate.c
50800 --- linux-2.6.36.2/kernel/power/hibernate.c 2010-12-09 20:53:48.000000000 -0500
50801 +++ linux-2.6.36.2/kernel/power/hibernate.c 2010-12-09 20:54:42.000000000 -0500
50802 @@ -50,14 +50,14 @@ enum {
50804 static int hibernation_mode = HIBERNATION_SHUTDOWN;
50806 -static struct platform_hibernation_ops *hibernation_ops;
50807 +static const struct platform_hibernation_ops *hibernation_ops;
50810 * hibernation_set_ops - set the global hibernate operations
50811 * @ops: the hibernation operations to use in subsequent hibernation transitions
50814 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
50815 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
50817 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
50818 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
50819 diff -urNp linux-2.6.36.2/kernel/power/poweroff.c linux-2.6.36.2/kernel/power/poweroff.c
50820 --- linux-2.6.36.2/kernel/power/poweroff.c 2010-10-20 16:30:22.000000000 -0400
50821 +++ linux-2.6.36.2/kernel/power/poweroff.c 2010-12-09 20:24:42.000000000 -0500
50822 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
50823 .enable_mask = SYSRQ_ENABLE_BOOT,
50826 -static int pm_sysrq_init(void)
50827 +static int __init pm_sysrq_init(void)
50829 register_sysrq_key('o', &sysrq_poweroff_op);
50831 diff -urNp linux-2.6.36.2/kernel/power/process.c linux-2.6.36.2/kernel/power/process.c
50832 --- linux-2.6.36.2/kernel/power/process.c 2010-10-20 16:30:22.000000000 -0400
50833 +++ linux-2.6.36.2/kernel/power/process.c 2010-12-09 20:24:42.000000000 -0500
50834 @@ -40,6 +40,7 @@ static int try_to_freeze_tasks(bool sig_
50835 struct timeval start, end;
50836 u64 elapsed_csecs64;
50837 unsigned int elapsed_csecs;
50838 + bool timedout = false;
50840 do_gettimeofday(&start);
50842 @@ -50,6 +51,8 @@ static int try_to_freeze_tasks(bool sig_
50846 + if (time_after(jiffies, end_time))
50848 read_lock(&tasklist_lock);
50849 do_each_thread(g, p) {
50850 if (frozen(p) || !freezeable(p))
50851 @@ -64,9 +67,13 @@ static int try_to_freeze_tasks(bool sig_
50852 * It is "frozen enough". If the task does wake
50853 * up, it will immediately call try_to_freeze.
50855 - if (!task_is_stopped_or_traced(p) &&
50856 - !freezer_should_skip(p))
50857 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
50860 + printk(KERN_ERR "Task refusing to freeze:\n");
50861 + sched_show_task(p);
50864 } while_each_thread(g, p);
50865 read_unlock(&tasklist_lock);
50867 @@ -75,7 +82,7 @@ static int try_to_freeze_tasks(bool sig_
50871 - if (!todo || time_after(jiffies, end_time))
50872 + if (!todo || timedout)
50876 diff -urNp linux-2.6.36.2/kernel/power/suspend.c linux-2.6.36.2/kernel/power/suspend.c
50877 --- linux-2.6.36.2/kernel/power/suspend.c 2010-12-09 20:53:48.000000000 -0500
50878 +++ linux-2.6.36.2/kernel/power/suspend.c 2010-12-09 20:54:42.000000000 -0500
50879 @@ -30,13 +30,13 @@ const char *const pm_states[PM_SUSPEND_M
50880 [PM_SUSPEND_MEM] = "mem",
50883 -static struct platform_suspend_ops *suspend_ops;
50884 +static const struct platform_suspend_ops *suspend_ops;
50887 * suspend_set_ops - Set the global suspend method table.
50888 * @ops: Pointer to ops structure.
50890 -void suspend_set_ops(struct platform_suspend_ops *ops)
50891 +void suspend_set_ops(const struct platform_suspend_ops *ops)
50893 mutex_lock(&pm_mutex);
50895 diff -urNp linux-2.6.36.2/kernel/printk.c linux-2.6.36.2/kernel/printk.c
50896 --- linux-2.6.36.2/kernel/printk.c 2010-10-20 16:30:22.000000000 -0400
50897 +++ linux-2.6.36.2/kernel/printk.c 2010-12-09 20:24:43.000000000 -0500
50898 @@ -268,6 +268,11 @@ int do_syslog(int type, char __user *buf
50902 +#ifdef CONFIG_GRKERNSEC_DMESG
50903 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
50907 error = security_syslog(type, from_file);
50910 diff -urNp linux-2.6.36.2/kernel/ptrace.c linux-2.6.36.2/kernel/ptrace.c
50911 --- linux-2.6.36.2/kernel/ptrace.c 2010-10-20 16:30:22.000000000 -0400
50912 +++ linux-2.6.36.2/kernel/ptrace.c 2010-12-09 20:24:42.000000000 -0500
50913 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru
50914 cred->gid != tcred->egid ||
50915 cred->gid != tcred->sgid ||
50916 cred->gid != tcred->gid) &&
50917 - !capable(CAP_SYS_PTRACE)) {
50918 + !capable_nolog(CAP_SYS_PTRACE)) {
50922 @@ -148,7 +148,7 @@ int __ptrace_may_access(struct task_stru
50925 dumpable = get_dumpable(task->mm);
50926 - if (!dumpable && !capable(CAP_SYS_PTRACE))
50927 + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
50930 return security_ptrace_access_check(task, mode);
50931 @@ -198,7 +198,7 @@ int ptrace_attach(struct task_struct *ta
50932 goto unlock_tasklist;
50934 task->ptrace = PT_PTRACED;
50935 - if (capable(CAP_SYS_PTRACE))
50936 + if (capable_nolog(CAP_SYS_PTRACE))
50937 task->ptrace |= PT_PTRACE_CAP;
50939 __ptrace_link(task, current);
50940 @@ -367,7 +367,7 @@ int ptrace_readdata(struct task_struct *
50944 - if (copy_to_user(dst, buf, retval))
50945 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
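Review bot: The new bound `retval > sizeof(buf)` compares against a `size_t`, so a negative `retval` is rejected only through implicit conversion to unsigned, assuming `retval` is a signed int (its declaration is outside the hunk). Writing the guard as `if (retval < 0 || retval > sizeof(buf) || copy_to_user(dst, buf, retval))`, or adding a comment that the conversion is intended, would make the check readable without knowing the promotion rules. ptrace_readdata starts and ends outside the hunk.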
50949 @@ -578,18 +578,18 @@ int ptrace_request(struct task_struct *c
50950 ret = ptrace_setoptions(child, data);
50952 case PTRACE_GETEVENTMSG:
50953 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
50954 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
50957 case PTRACE_GETSIGINFO:
50958 ret = ptrace_getsiginfo(child, &siginfo);
50960 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
50961 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
50965 case PTRACE_SETSIGINFO:
50966 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
50967 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
50971 @@ -709,14 +709,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
50975 + if (gr_handle_ptrace(child, request)) {
50977 + goto out_put_task_struct;
50980 if (request == PTRACE_ATTACH) {
50981 ret = ptrace_attach(child);
50983 * Some architectures need to do book-keeping after
50988 arch_ptrace_attach(child);
50989 + gr_audit_ptrace(child);
50991 goto out_put_task_struct;
50994 diff -urNp linux-2.6.36.2/kernel/rcutree.c linux-2.6.36.2/kernel/rcutree.c
50995 --- linux-2.6.36.2/kernel/rcutree.c 2010-10-20 16:30:22.000000000 -0400
50996 +++ linux-2.6.36.2/kernel/rcutree.c 2010-12-09 20:24:43.000000000 -0500
50997 @@ -1357,7 +1357,7 @@ __rcu_process_callbacks(struct rcu_state
50999 * Do softirq processing for the current CPU.
51001 -static void rcu_process_callbacks(struct softirq_action *unused)
51002 +static void rcu_process_callbacks(void)
51005 * Memory references from any prior RCU read-side critical sections
51006 diff -urNp linux-2.6.36.2/kernel/resource.c linux-2.6.36.2/kernel/resource.c
51007 --- linux-2.6.36.2/kernel/resource.c 2010-10-20 16:30:22.000000000 -0400
51008 +++ linux-2.6.36.2/kernel/resource.c 2010-12-09 20:24:43.000000000 -0500
51009 @@ -133,8 +133,18 @@ static const struct file_operations proc
51011 static int __init ioresources_init(void)
51013 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51014 +#ifdef CONFIG_GRKERNSEC_PROC_USER
51015 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
51016 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
51017 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51018 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
51019 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
51022 proc_create("ioports", 0, NULL, &proc_ioports_operations);
51023 proc_create("iomem", 0, NULL, &proc_iomem_operations);
51027 __initcall(ioresources_init);
51028 diff -urNp linux-2.6.36.2/kernel/rtmutex.c linux-2.6.36.2/kernel/rtmutex.c
51029 --- linux-2.6.36.2/kernel/rtmutex.c 2010-10-20 16:30:22.000000000 -0400
51030 +++ linux-2.6.36.2/kernel/rtmutex.c 2010-12-09 20:24:43.000000000 -0500
51031 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
51033 raw_spin_lock_irqsave(&pendowner->pi_lock, flags);
51035 - WARN_ON(!pendowner->pi_blocked_on);
51036 + BUG_ON(!pendowner->pi_blocked_on);
51037 WARN_ON(pendowner->pi_blocked_on != waiter);
51038 WARN_ON(pendowner->pi_blocked_on->lock != lock);
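Review bot: Escalating `WARN_ON(!pendowner->pi_blocked_on)` to `BUG_ON` comes with no comment explaining why this one check is fatal while the two checks below it stay warnings. The context line above shows it runs after `raw_spin_lock_irqsave(&pendowner->pi_lock, flags)`, so the stop happens with that lock held and interrupts disabled. A short comment such as `/* a NULL pi_blocked_on would be dereferenced by the checks below; stop here instead */` would record the intent. The same applies to `BUG_ON(!sd || !sd->groups)` in the init_sched_groups_power hunk of kernel/sched.c.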
51040 diff -urNp linux-2.6.36.2/kernel/sched.c linux-2.6.36.2/kernel/sched.c
51041 --- linux-2.6.36.2/kernel/sched.c 2010-12-09 20:53:48.000000000 -0500
51042 +++ linux-2.6.36.2/kernel/sched.c 2010-12-09 20:54:42.000000000 -0500
51043 @@ -4436,6 +4436,8 @@ int can_nice(const struct task_struct *p
51044 /* convert nice value [19,-20] to rlimit style value [1,40] */
51045 int nice_rlim = 20 - nice;
51047 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
51049 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
51050 capable(CAP_SYS_NICE));
51052 @@ -4469,7 +4471,8 @@ SYSCALL_DEFINE1(nice, int, increment)
51056 - if (increment < 0 && !can_nice(current, nice))
51057 + if (increment < 0 && (!can_nice(current, nice) ||
51058 + gr_handle_chroot_nice()))
51059 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
51061 retval = security_task_setnice(current, nice);
51062 @@ -4612,6 +4615,7 @@ recheck:
51063 unsigned long rlim_rtprio =
51064 task_rlimit(p, RLIMIT_RTPRIO);
51066 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
51067 /* can't set/change the rt policy */
51068 if (policy != p->policy && !rlim_rtprio)
51070 @@ -6790,7 +6794,7 @@ static void init_sched_groups_power(int
51074 - WARN_ON(!sd || !sd->groups);
51075 + BUG_ON(!sd || !sd->groups);
51077 if (cpu != group_first_cpu(sd->groups))
51079 diff -urNp linux-2.6.36.2/kernel/sched_fair.c linux-2.6.36.2/kernel/sched_fair.c
51080 --- linux-2.6.36.2/kernel/sched_fair.c 2010-10-20 16:30:22.000000000 -0400
51081 +++ linux-2.6.36.2/kernel/sched_fair.c 2010-12-09 20:24:43.000000000 -0500
51082 @@ -3662,7 +3662,7 @@ static void nohz_idle_balance(int this_c
51083 * run_rebalance_domains is triggered when needed from the scheduler tick.
51084 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
51086 -static void run_rebalance_domains(struct softirq_action *h)
51087 +static void run_rebalance_domains(void)
51089 int this_cpu = smp_processor_id();
51090 struct rq *this_rq = cpu_rq(this_cpu);
51091 diff -urNp linux-2.6.36.2/kernel/signal.c linux-2.6.36.2/kernel/signal.c
51092 --- linux-2.6.36.2/kernel/signal.c 2010-10-20 16:30:22.000000000 -0400
51093 +++ linux-2.6.36.2/kernel/signal.c 2010-12-09 20:24:43.000000000 -0500
51094 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
51096 int print_fatal_signals __read_mostly;
51098 -static void __user *sig_handler(struct task_struct *t, int sig)
51099 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
51101 return t->sighand->action[sig - 1].sa.sa_handler;
51104 -static int sig_handler_ignored(void __user *handler, int sig)
51105 +static int sig_handler_ignored(__sighandler_t handler, int sig)
51107 /* Is it explicitly or implicitly ignored? */
51108 return handler == SIG_IGN ||
51109 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
51110 static int sig_task_ignored(struct task_struct *t, int sig,
51111 int from_ancestor_ns)
51113 - void __user *handler;
51114 + __sighandler_t handler;
51116 handler = sig_handler(t, sig);
51118 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
51119 atomic_inc(&user->sigpending);
51122 + if (!override_rlimit)
51123 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
51125 if (override_rlimit ||
51126 atomic_read(&user->sigpending) <=
51127 task_rlimit(t, RLIMIT_SIGPENDING)) {
51128 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
51130 int unhandled_signal(struct task_struct *tsk, int sig)
51132 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
51133 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
51134 if (is_global_init(tsk))
51136 if (handler != SIG_IGN && handler != SIG_DFL)
51137 @@ -705,6 +708,10 @@ static int check_kill_permission(int sig
51138 sig, info, t, vx_task_xid(t), t->pid, current->xid);
51142 + if (gr_handle_signal(t, sig))
51146 return security_task_kill(t, info, sig, 0);
51148 @@ -1025,7 +1032,7 @@ __group_send_sig_info(int sig, struct si
51149 return send_signal(sig, info, p, 1);
51154 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
51156 return send_signal(sig, info, t, 0);
51157 @@ -1079,6 +1086,9 @@ force_sig_info(int sig, struct siginfo *
51158 ret = specific_send_sig_info(sig, info, t);
51159 spin_unlock_irqrestore(&t->sighand->siglock, flags);
51161 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
51162 + gr_handle_crash(t, sig);
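Review bot: `info->si_addr` is passed to `gr_log_signal()` for every signal whose info pointer is not one of the special values, but `si_addr` is only one member of the siginfo union and is meaningful only for fault-type signals. For other signals the same bytes hold different fields, so the logged address may be unrelated data unless gr_log_signal(), which is defined outside this hunk, filters on `sig` itself. The same expression appears in the group_send_sig_info hunk below, where `sig` can be any signal a caller sends. A comment such as `/* si_addr is valid only for fault signals; gr_log_signal() must check sig before using it */`, or passing NULL for non-fault signals, would make the contract explicit.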
51167 @@ -1136,8 +1146,11 @@ int group_send_sig_info(int sig, struct
51168 ret = check_kill_permission(sig, info, p);
51172 + if (!ret && sig) {
51173 ret = do_send_sig_info(sig, info, p, true);
51175 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
51180 diff -urNp linux-2.6.36.2/kernel/smp.c linux-2.6.36.2/kernel/smp.c
51181 --- linux-2.6.36.2/kernel/smp.c 2010-10-20 16:30:22.000000000 -0400
51182 +++ linux-2.6.36.2/kernel/smp.c 2010-12-09 20:24:42.000000000 -0500
51183 @@ -510,22 +510,22 @@ int smp_call_function(void (*func)(void
51185 EXPORT_SYMBOL(smp_call_function);
51187 -void ipi_call_lock(void)
51188 +void ipi_call_lock(void) __acquires(call_function.lock)
51190 raw_spin_lock(&call_function.lock);
51193 -void ipi_call_unlock(void)
51194 +void ipi_call_unlock(void) __releases(call_function.lock)
51196 raw_spin_unlock(&call_function.lock);
51199 -void ipi_call_lock_irq(void)
51200 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
51202 raw_spin_lock_irq(&call_function.lock);
51205 -void ipi_call_unlock_irq(void)
51206 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
51208 raw_spin_unlock_irq(&call_function.lock);
51210 diff -urNp linux-2.6.36.2/kernel/softirq.c linux-2.6.36.2/kernel/softirq.c
51211 --- linux-2.6.36.2/kernel/softirq.c 2010-10-20 16:30:22.000000000 -0400
51212 +++ linux-2.6.36.2/kernel/softirq.c 2010-12-09 20:24:42.000000000 -0500
51213 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
51215 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
51217 -char *softirq_to_name[NR_SOFTIRQS] = {
51218 +const char * const softirq_to_name[NR_SOFTIRQS] = {
51219 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
51220 "TASKLET", "SCHED", "HRTIMER", "RCU"
51222 @@ -190,7 +190,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
51224 asmlinkage void __do_softirq(void)
51226 - struct softirq_action *h;
51227 + const struct softirq_action *h;
51229 int max_restart = MAX_SOFTIRQ_RESTART;
51231 @@ -216,7 +216,7 @@ restart:
51232 kstat_incr_softirqs_this_cpu(h - softirq_vec);
51234 trace_softirq_entry(h, softirq_vec);
51237 trace_softirq_exit(h, softirq_vec);
51238 if (unlikely(prev_count != preempt_count())) {
51239 printk(KERN_ERR "huh, entered softirq %td %s %p"
51240 @@ -340,7 +340,7 @@ void raise_softirq(unsigned int nr)
51241 local_irq_restore(flags);
51244 -void open_softirq(int nr, void (*action)(struct softirq_action *))
51245 +void open_softirq(int nr, void (*action)(void))
51247 softirq_vec[nr].action = action;
51249 @@ -396,7 +396,7 @@ void __tasklet_hi_schedule_first(struct
51251 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
51253 -static void tasklet_action(struct softirq_action *a)
51254 +static void tasklet_action(void)
51256 struct tasklet_struct *list;
51258 @@ -431,7 +431,7 @@ static void tasklet_action(struct softir
51262 -static void tasklet_hi_action(struct softirq_action *a)
51263 +static void tasklet_hi_action(void)
51265 struct tasklet_struct *list;
51267 diff -urNp linux-2.6.36.2/kernel/sys.c linux-2.6.36.2/kernel/sys.c
51268 --- linux-2.6.36.2/kernel/sys.c 2010-10-20 16:30:22.000000000 -0400
51269 +++ linux-2.6.36.2/kernel/sys.c 2010-12-09 20:24:43.000000000 -0500
51270 @@ -134,6 +134,12 @@ static int set_one_prio(struct task_stru
51275 + if (gr_handle_chroot_setpriority(p, niceval)) {
51280 no_nice = security_task_setnice(p, niceval);
51283 @@ -511,6 +517,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
51287 + if (gr_check_group_change(new->gid, new->egid, -1))
51290 if (rgid != (gid_t) -1 ||
51291 (egid != (gid_t) -1 && egid != old->gid))
51292 new->sgid = new->egid;
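Review bot: The `gr_check_group_change()` / `gr_check_user_change()` calls are fed inconsistently across the sys.c hunks: here and in `setreuid` the resolved `new->gid, new->egid` (`new->uid, new->euid`) are passed, while `setresuid` and `setresgid` pass the raw `ruid, euid` / `rgid, egid` arguments, which their context lines show may be `(uid_t) -1`. Placement differs as well: in `setfsuid` the check sits before the `uid == old->uid || ... capable(CAP_SETUID)` test, in `setfsgid` inside it. The trailing `-1` is an undocumented sentinel, and the helper's handling of it is not visible here. A comment at the first call such as `/* -1 == this id is not being changed by the call */`, and passing resolved values everywhere, would make the policy check easier to audit. The syscall bodies continue outside the hunks.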
51293 @@ -540,6 +549,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
51294 old = current_cred();
51298 + if (gr_check_group_change(gid, gid, gid))
51301 if (capable(CAP_SETGID))
51302 new->gid = new->egid = new->sgid = new->fsgid = gid;
51303 else if (gid == old->gid || gid == old->sgid)
51304 @@ -620,6 +633,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
51308 + if (gr_check_user_change(new->uid, new->euid, -1))
51311 if (new->uid != old->uid) {
51312 retval = set_user(new);
51314 @@ -664,6 +680,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
51315 old = current_cred();
51319 + if (gr_check_crash_uid(uid))
51321 + if (gr_check_user_change(uid, uid, uid))
51324 if (capable(CAP_SETUID)) {
51325 new->suid = new->uid = uid;
51326 if (uid != old->uid) {
51327 @@ -718,6 +740,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
51331 + if (gr_check_user_change(ruid, euid, -1))
51334 if (ruid != (uid_t) -1) {
51336 if (ruid != old->uid) {
51337 @@ -782,6 +807,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
51341 + if (gr_check_group_change(rgid, egid, -1))
51344 if (rgid != (gid_t) -1)
51346 if (egid != (gid_t) -1)
51347 @@ -828,6 +856,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
51348 old = current_cred();
51349 old_fsuid = old->fsuid;
51351 + if (gr_check_user_change(-1, -1, uid))
51354 if (uid == old->uid || uid == old->euid ||
51355 uid == old->suid || uid == old->fsuid ||
51356 capable(CAP_SETUID)) {
51357 @@ -838,6 +869,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
51365 @@ -864,12 +896,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
51366 if (gid == old->gid || gid == old->egid ||
51367 gid == old->sgid || gid == old->fsgid ||
51368 capable(CAP_SETGID)) {
51369 + if (gr_check_group_change(-1, -1, gid))
51372 if (gid != old_fsgid) {
51382 @@ -1607,7 +1643,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
51383 error = get_dumpable(me->mm);
51385 case PR_SET_DUMPABLE:
51386 - if (arg2 < 0 || arg2 > 1) {
51391 diff -urNp linux-2.6.36.2/kernel/sysctl.c linux-2.6.36.2/kernel/sysctl.c
51392 --- linux-2.6.36.2/kernel/sysctl.c 2010-10-20 16:30:22.000000000 -0400
51393 +++ linux-2.6.36.2/kernel/sysctl.c 2010-12-09 20:24:43.000000000 -0500
51397 #if defined(CONFIG_SYSCTL)
51398 +#include <linux/grsecurity.h>
51399 +#include <linux/grinternal.h>
51401 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
51402 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
51404 +extern int gr_handle_chroot_sysctl(const int op);
51406 /* External variables not in a header file. */
51407 extern int sysctl_overcommit_memory;
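Review bot: The `extern` prototypes for `gr_handle_sysctl`, `gr_handle_sysctl_mod` and `gr_handle_chroot_sysctl` are declared locally in this .c file although the same hunk adds `#include <linux/grsecurity.h>`; the taskstats.c hunk does the same for `gr_is_taskstats_denied`. A local prototype is not checked against the definition, so a later signature change would still compile with mismatched arguments at these security hooks. Moving the declarations into the header, and including it where the functions are defined, lets the compiler verify every caller.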
51408 @@ -190,6 +197,7 @@ static int sysrq_sysctl_handler(ctl_tabl
51412 +extern struct ctl_table grsecurity_table[];
51414 static struct ctl_table root_table[];
51415 static struct ctl_table_root sysctl_table_root;
51416 @@ -219,6 +227,20 @@ extern struct ctl_table epoll_table[];
51417 int sysctl_legacy_va_layout;
51420 +#ifdef CONFIG_PAX_SOFTMODE
51421 +static ctl_table pax_table[] = {
51423 + .procname = "softmode",
51424 + .data = &pax_softmode,
51425 + .maxlen = sizeof(unsigned int),
51427 + .proc_handler = &proc_dointvec,
51434 /* The default sysctl tables: */
51436 static struct ctl_table root_table[] = {
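Review bot: The `softmode` entry uses plain `proc_dointvec`, so any integer can be written into `pax_softmode`; if it is meant as an on/off switch (its consumers are not visible here), `proc_dointvec_minmax` with `.extra1`/`.extra2` bounds of 0 and 1 would reject stray values. `.maxlen = sizeof(unsigned int)` is also hard-coded while the handler parses signed ints; `.maxlen = sizeof(pax_softmode)` would tie the size to the variable, as the `heap_stack_gap` entry added later in this file does. The `.mode` line is missing from this listing, so the write permission could not be checked.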
51437 @@ -271,6 +293,22 @@ static int max_extfrag_threshold = 1000;
51440 static struct ctl_table kern_table[] = {
51441 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
51443 + .procname = "grsecurity",
51445 + .child = grsecurity_table,
51449 +#ifdef CONFIG_PAX_SOFTMODE
51451 + .procname = "pax",
51453 + .child = pax_table,
51458 .procname = "sched_child_runs_first",
51459 .data = &sysctl_sched_child_runs_first,
51460 @@ -551,7 +589,7 @@ static struct ctl_table kern_table[] = {
51461 .data = &modprobe_path,
51462 .maxlen = KMOD_PATH_LEN,
51464 - .proc_handler = proc_dostring,
51465 + .proc_handler = proc_dostring_modpriv,
51468 .procname = "modules_disabled",
51469 @@ -1173,6 +1211,13 @@ static struct ctl_table vm_table[] = {
51470 .proc_handler = proc_dointvec_minmax,
51474 + .procname = "heap_stack_gap",
51475 + .data = &sysctl_heap_stack_gap,
51476 + .maxlen = sizeof(sysctl_heap_stack_gap),
51478 + .proc_handler = proc_doulongvec_minmax,
51482 .procname = "nr_trim_pages",
51483 @@ -1688,6 +1733,16 @@ int sysctl_perm(struct ctl_table_root *r
51487 + if (table->parent != NULL && table->parent->procname != NULL &&
51488 + table->procname != NULL &&
51489 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
51491 + if (gr_handle_chroot_sysctl(op))
51493 + error = gr_handle_sysctl(table, op);
51497 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
51500 @@ -2095,6 +2150,16 @@ int proc_dostring(struct ctl_table *tabl
51501 buffer, lenp, ppos);
51504 +int proc_dostring_modpriv(struct ctl_table *table, int write,
51505 + void __user *buffer, size_t *lenp, loff_t *ppos)
51507 + if (write && !capable(CAP_SYS_MODULE))
51510 + return _proc_do_string(table->data, table->maxlen, write,
51511 + buffer, lenp, ppos);
51514 static size_t proc_skip_spaces(char **buf)
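Review bot: `proc_dostring_modpriv()` is added without any comment, although it now guards `modprobe_path` (kern_table hunk `@@ -551,7 +589,7 @@`) and differs from `proc_dostring()` only by the `write && !capable(CAP_SYS_MODULE)` gate. A kernel-doc block in the style of the neighbouring handlers should say that reads are unrestricted and that writes need CAP_SYS_MODULE on top of the file mode, e.g. `/* proc_dostring() variant: writes additionally require CAP_SYS_MODULE */`. The same applies to the stub added in the `@@ -2901,6 +2971,12 @@` hunk, whose body is not visible here.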
51517 @@ -2200,6 +2265,8 @@ static int proc_put_long(void __user **b
51521 + if (len > sizeof(tmp))
51522 + len = sizeof(tmp);
51523 if (copy_to_user(*buf, tmp, len))
51526 @@ -2505,8 +2572,11 @@ static int __do_proc_doulongvec_minmax(v
51529 val = convdiv * (*i) / convmul;
51532 err = proc_put_char(&buffer, &left, '\t');
51536 err = proc_put_long(&buffer, &left, val, false);
51539 @@ -2901,6 +2971,12 @@ int proc_dostring(struct ctl_table *tabl
51543 +int proc_dostring_modpriv(struct ctl_table *table, int write,
51544 + void __user *buffer, size_t *lenp, loff_t *ppos)
51549 int proc_dointvec(struct ctl_table *table, int write,
51550 void __user *buffer, size_t *lenp, loff_t *ppos)
51552 @@ -2957,6 +3033,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
51553 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
51554 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
51555 EXPORT_SYMBOL(proc_dostring);
51556 +EXPORT_SYMBOL(proc_dostring_modpriv);
51557 EXPORT_SYMBOL(proc_doulongvec_minmax);
51558 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
51559 EXPORT_SYMBOL(register_sysctl_table);
51560 diff -urNp linux-2.6.36.2/kernel/sysctl_check.c linux-2.6.36.2/kernel/sysctl_check.c
51561 --- linux-2.6.36.2/kernel/sysctl_check.c 2010-10-20 16:30:22.000000000 -0400
51562 +++ linux-2.6.36.2/kernel/sysctl_check.c 2010-12-09 20:24:43.000000000 -0500
51563 @@ -131,6 +131,7 @@ int sysctl_check_table(struct nsproxy *n
51564 set_fail(&fail, table, "Directory with extra2");
51566 if ((table->proc_handler == proc_dostring) ||
51567 + (table->proc_handler == proc_dostring_modpriv) ||
51568 (table->proc_handler == proc_dointvec) ||
51569 (table->proc_handler == proc_dointvec_minmax) ||
51570 (table->proc_handler == proc_dointvec_jiffies) ||
51571 diff -urNp linux-2.6.36.2/kernel/taskstats.c linux-2.6.36.2/kernel/taskstats.c
51572 --- linux-2.6.36.2/kernel/taskstats.c 2010-10-20 16:30:22.000000000 -0400
51573 +++ linux-2.6.36.2/kernel/taskstats.c 2010-12-09 20:24:42.000000000 -0500
51575 #include <linux/cgroup.h>
51576 #include <linux/fs.h>
51577 #include <linux/file.h>
51578 +#include <linux/grsecurity.h>
51579 #include <net/genetlink.h>
51580 #include <asm/atomic.h>
51582 +extern int gr_is_taskstats_denied(int pid);
51585 * Maximum length of a cpumask that can be specified in
51586 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
51587 @@ -432,6 +435,9 @@ static int taskstats_user_cmd(struct sk_
51589 cpumask_var_t mask;
51591 + if (gr_is_taskstats_denied(current->pid))
51594 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
51597 diff -urNp linux-2.6.36.2/kernel/time/tick-broadcast.c linux-2.6.36.2/kernel/time/tick-broadcast.c
51598 --- linux-2.6.36.2/kernel/time/tick-broadcast.c 2010-10-20 16:30:22.000000000 -0400
51599 +++ linux-2.6.36.2/kernel/time/tick-broadcast.c 2010-12-09 20:24:43.000000000 -0500
51600 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
51601 * then clear the broadcast bit.
51603 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
51604 - int cpu = smp_processor_id();
51605 + cpu = smp_processor_id();
51607 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
51608 tick_broadcast_clear_oneshot(cpu);
51609 diff -urNp linux-2.6.36.2/kernel/time/timer_list.c linux-2.6.36.2/kernel/time/timer_list.c
51610 --- linux-2.6.36.2/kernel/time/timer_list.c 2010-10-20 16:30:22.000000000 -0400
51611 +++ linux-2.6.36.2/kernel/time/timer_list.c 2010-12-09 20:24:43.000000000 -0500
51612 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
51614 static void print_name_offset(struct seq_file *m, void *sym)
51616 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51617 + SEQ_printf(m, "<%p>", NULL);
51619 char symname[KSYM_NAME_LEN];
51621 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
51622 SEQ_printf(m, "<%p>", sym);
51624 SEQ_printf(m, "%s", symname);
51629 @@ -112,7 +116,11 @@ next_one:
51631 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
51633 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51634 + SEQ_printf(m, " .base: %p\n", NULL);
51636 SEQ_printf(m, " .base: %p\n", base);
51638 SEQ_printf(m, " .index: %d\n",
51640 SEQ_printf(m, " .resolution: %Lu nsecs\n",
51641 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
51643 struct proc_dir_entry *pe;
51645 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51646 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
51648 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
51653 diff -urNp linux-2.6.36.2/kernel/time/timer_stats.c linux-2.6.36.2/kernel/time/timer_stats.c
51654 --- linux-2.6.36.2/kernel/time/timer_stats.c 2010-10-20 16:30:22.000000000 -0400
51655 +++ linux-2.6.36.2/kernel/time/timer_stats.c 2010-12-09 20:24:43.000000000 -0500
51656 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
51658 static void print_name_offset(struct seq_file *m, unsigned long addr)
51660 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51661 + seq_printf(m, "<%p>", NULL);
51663 char symname[KSYM_NAME_LEN];
51665 if (lookup_symbol_name(addr, symname) < 0)
51666 seq_printf(m, "<%p>", (void *)addr);
51668 seq_printf(m, "%s", symname);
51672 static int tstats_show(struct seq_file *m, void *v)
51673 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
51675 struct proc_dir_entry *pe;
51677 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51678 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
51680 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
51685 diff -urNp linux-2.6.36.2/kernel/time.c linux-2.6.36.2/kernel/time.c
51686 --- linux-2.6.36.2/kernel/time.c 2010-10-20 16:30:22.000000000 -0400
51687 +++ linux-2.6.36.2/kernel/time.c 2010-12-09 20:24:43.000000000 -0500
51688 @@ -93,6 +93,9 @@ SYSCALL_DEFINE1(stime, time_t __user *,
51691 vx_settimeofday(&tv);
51693 + gr_log_timechange();
51698 @@ -200,6 +203,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
51702 + gr_log_timechange();
51704 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
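Review bot: `gr_log_timechange()` runs before `do_sys_settimeofday()` is called, so a log entry is written even when that call returns an error and the clock is not changed. In the `stime` hunk above the log call follows `vx_settimeofday(&tv)`, so the two paths record different things. Unless attempts are meant to be logged, I would log on success only: `ret = do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);` `if (!ret) gr_log_timechange();` `return ret;` with a local `int ret`. The syscall body starts outside the hunk.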
51707 @@ -238,7 +243,7 @@ EXPORT_SYMBOL(current_fs_time);
51708 * Avoid unnecessary multiplications/divisions in the
51709 * two most common HZ cases:
51711 -unsigned int inline jiffies_to_msecs(const unsigned long j)
51712 +inline unsigned int jiffies_to_msecs(const unsigned long j)
51714 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
51715 return (MSEC_PER_SEC / HZ) * j;
51716 @@ -254,7 +259,7 @@ unsigned int inline jiffies_to_msecs(con
51718 EXPORT_SYMBOL(jiffies_to_msecs);
51720 -unsigned int inline jiffies_to_usecs(const unsigned long j)
51721 +inline unsigned int jiffies_to_usecs(const unsigned long j)
51723 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
51724 return (USEC_PER_SEC / HZ) * j;
51725 diff -urNp linux-2.6.36.2/kernel/timer.c linux-2.6.36.2/kernel/timer.c
51726 --- linux-2.6.36.2/kernel/timer.c 2010-10-20 16:30:22.000000000 -0400
51727 +++ linux-2.6.36.2/kernel/timer.c 2010-12-09 20:24:43.000000000 -0500
51728 @@ -1287,7 +1287,7 @@ void update_process_times(int user_tick)
51730 * This function runs timers and the timer-tq in bottom half context.
51732 -static void run_timer_softirq(struct softirq_action *h)
51733 +static void run_timer_softirq(void)
51735 struct tvec_base *base = __get_cpu_var(tvec_bases);
51737 diff -urNp linux-2.6.36.2/kernel/trace/ftrace.c linux-2.6.36.2/kernel/trace/ftrace.c
51738 --- linux-2.6.36.2/kernel/trace/ftrace.c 2010-10-20 16:30:22.000000000 -0400
51739 +++ linux-2.6.36.2/kernel/trace/ftrace.c 2010-12-09 20:24:42.000000000 -0500
51740 @@ -1108,13 +1108,18 @@ ftrace_code_disable(struct module *mod,
51744 + ret = ftrace_arch_code_modify_prepare();
51745 + FTRACE_WARN_ON(ret);
51749 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
51750 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
51752 ftrace_bug(ret, ip);
51753 rec->flags |= FTRACE_FL_FAILED;
51757 + return ret ? 0 : 1;
51761 diff -urNp linux-2.6.36.2/kernel/trace/ring_buffer.c linux-2.6.36.2/kernel/trace/ring_buffer.c
51762 --- linux-2.6.36.2/kernel/trace/ring_buffer.c 2010-10-20 16:30:22.000000000 -0400
51763 +++ linux-2.6.36.2/kernel/trace/ring_buffer.c 2010-12-09 20:24:42.000000000 -0500
51764 @@ -635,7 +635,7 @@ static struct list_head *rb_list_head(st
51765 * the reader page). But if the next page is a header page,
51766 * its flags will be non zero.
51770 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
51771 struct buffer_page *page, struct list_head *list)
51773 diff -urNp linux-2.6.36.2/kernel/trace/trace.c linux-2.6.36.2/kernel/trace/trace.c
51774 --- linux-2.6.36.2/kernel/trace/trace.c 2010-10-20 16:30:22.000000000 -0400
51775 +++ linux-2.6.36.2/kernel/trace/trace.c 2010-12-09 20:24:42.000000000 -0500
51776 @@ -3943,10 +3943,9 @@ static const struct file_operations trac
51780 -static struct dentry *d_tracer;
51782 struct dentry *tracing_init_dentry(void)
51784 + static struct dentry *d_tracer;
51788 @@ -3966,10 +3965,9 @@ struct dentry *tracing_init_dentry(void)
51792 -static struct dentry *d_percpu;
51794 struct dentry *tracing_dentry_percpu(void)
51796 + static struct dentry *d_percpu;
51798 struct dentry *d_tracer;
51800 diff -urNp linux-2.6.36.2/kernel/trace/trace_output.c linux-2.6.36.2/kernel/trace/trace_output.c
51801 --- linux-2.6.36.2/kernel/trace/trace_output.c 2010-10-20 16:30:22.000000000 -0400
51802 +++ linux-2.6.36.2/kernel/trace/trace_output.c 2010-12-09 20:24:42.000000000 -0500
51803 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
51805 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
51807 - p = mangle_path(s->buffer + s->len, p, "\n");
51808 + p = mangle_path(s->buffer + s->len, p, "\n\\");
51810 s->len = p - s->buffer;
51812 diff -urNp linux-2.6.36.2/kernel/trace/trace_stack.c linux-2.6.36.2/kernel/trace/trace_stack.c
51813 --- linux-2.6.36.2/kernel/trace/trace_stack.c 2010-10-20 16:30:22.000000000 -0400
51814 +++ linux-2.6.36.2/kernel/trace/trace_stack.c 2010-12-09 20:24:42.000000000 -0500
51815 @@ -50,7 +50,7 @@ static inline void check_stack(void)
51818 /* we do not handle interrupt stacks yet */
51819 - if (!object_is_on_stack(&this_size))
51820 + if (!object_starts_on_stack(&this_size))
51823 local_irq_save(flags);
51824 diff -urNp linux-2.6.36.2/lib/bug.c linux-2.6.36.2/lib/bug.c
51825 --- linux-2.6.36.2/lib/bug.c 2010-10-20 16:30:22.000000000 -0400
51826 +++ linux-2.6.36.2/lib/bug.c 2010-12-09 20:24:09.000000000 -0500
51827 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
51828 return BUG_TRAP_TYPE_NONE;
51830 bug = find_bug(bugaddr);
51832 + return BUG_TRAP_TYPE_NONE;
51836 diff -urNp linux-2.6.36.2/lib/debugobjects.c linux-2.6.36.2/lib/debugobjects.c
51837 --- linux-2.6.36.2/lib/debugobjects.c 2010-10-20 16:30:22.000000000 -0400
51838 +++ linux-2.6.36.2/lib/debugobjects.c 2010-12-09 20:24:09.000000000 -0500
51839 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
51843 - is_on_stack = object_is_on_stack(addr);
51844 + is_on_stack = object_starts_on_stack(addr);
51845 if (is_on_stack == onstack)
51848 diff -urNp linux-2.6.36.2/lib/dma-debug.c linux-2.6.36.2/lib/dma-debug.c
51849 --- linux-2.6.36.2/lib/dma-debug.c 2010-10-20 16:30:22.000000000 -0400
51850 +++ linux-2.6.36.2/lib/dma-debug.c 2010-12-09 20:24:09.000000000 -0500
51851 @@ -861,7 +861,7 @@ out:
51853 static void check_for_stack(struct device *dev, void *addr)
51855 - if (object_is_on_stack(addr))
51856 + if (object_starts_on_stack(addr))
51857 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
51858 "stack [addr=%p]\n", addr);
51860 diff -urNp linux-2.6.36.2/lib/inflate.c linux-2.6.36.2/lib/inflate.c
51861 --- linux-2.6.36.2/lib/inflate.c 2010-10-20 16:30:22.000000000 -0400
51862 +++ linux-2.6.36.2/lib/inflate.c 2010-12-09 20:24:09.000000000 -0500
51863 @@ -269,7 +269,7 @@ static void free(void *where)
51864 malloc_ptr = free_mem_ptr;
51867 -#define malloc(a) kmalloc(a, GFP_KERNEL)
51868 +#define malloc(a) kmalloc((a), GFP_KERNEL)
51869 #define free(a) kfree(a)
51872 diff -urNp linux-2.6.36.2/lib/Kconfig.debug linux-2.6.36.2/lib/Kconfig.debug
51873 --- linux-2.6.36.2/lib/Kconfig.debug 2010-10-20 16:30:22.000000000 -0400
51874 +++ linux-2.6.36.2/lib/Kconfig.debug 2010-12-09 20:24:09.000000000 -0500
51875 @@ -998,6 +998,7 @@ config LATENCYTOP
51876 depends on DEBUG_KERNEL
51877 depends on STACKTRACE_SUPPORT
51879 + depends on !GRKERNSEC_HIDESYM
51880 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
51882 select KALLSYMS_ALL
51883 diff -urNp linux-2.6.36.2/lib/kref.c linux-2.6.36.2/lib/kref.c
51884 --- linux-2.6.36.2/lib/kref.c 2010-10-20 16:30:22.000000000 -0400
51885 +++ linux-2.6.36.2/lib/kref.c 2010-12-09 20:24:09.000000000 -0500
51886 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
51888 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
51890 - WARN_ON(release == NULL);
51891 + BUG_ON(release == NULL);
51892 WARN_ON(release == (void (*)(struct kref *))kfree);
51894 if (atomic_dec_and_test(&kref->refcount)) {
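Review bot: Only the NULL check is promoted to `BUG_ON`; the adjacent `WARN_ON(release == (void (*)(struct kref *))kfree)` stays a warning and nothing explains the difference. The reason is presumably that a NULL `release` would be called through once the count reaches zero, which is worth stopping before it happens, while passing `kfree` is merely bad practice. A one-line comment would keep a later cleanup from reverting it, e.g. `/* never reach the indirect call below with a NULL callback */`. Note that the check fires on every `kref_put()` with a NULL callback, not only on the final put. The function body continues outside the hunk.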
51895 diff -urNp linux-2.6.36.2/lib/parser.c linux-2.6.36.2/lib/parser.c
51896 --- linux-2.6.36.2/lib/parser.c 2010-10-20 16:30:22.000000000 -0400
51897 +++ linux-2.6.36.2/lib/parser.c 2010-12-09 20:24:09.000000000 -0500
51898 @@ -129,7 +129,7 @@ static int match_number(substring_t *s,
51902 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
51903 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
51906 memcpy(buf, s->from, s->to - s->from);
51907 diff -urNp linux-2.6.36.2/lib/radix-tree.c linux-2.6.36.2/lib/radix-tree.c
51908 --- linux-2.6.36.2/lib/radix-tree.c 2010-12-09 20:53:48.000000000 -0500
51909 +++ linux-2.6.36.2/lib/radix-tree.c 2010-12-09 20:54:42.000000000 -0500
51910 @@ -80,7 +80,7 @@ struct radix_tree_preload {
51912 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
51914 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
51915 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
51917 static inline void *ptr_to_indirect(void *ptr)
51919 diff -urNp linux-2.6.36.2/lib/vsprintf.c linux-2.6.36.2/lib/vsprintf.c
51920 --- linux-2.6.36.2/lib/vsprintf.c 2010-10-20 16:30:22.000000000 -0400
51921 +++ linux-2.6.36.2/lib/vsprintf.c 2010-12-09 20:24:09.000000000 -0500
51923 * - scnprintf and vscnprintf
51926 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51927 +#define __INCLUDED_BY_HIDESYM 1
51929 #include <stdarg.h>
51930 #include <linux/module.h>
51931 #include <linux/types.h>
51932 @@ -574,7 +577,7 @@ char *symbol_string(char *buf, char *end
51933 unsigned long value = (unsigned long) ptr;
51934 #ifdef CONFIG_KALLSYMS
51935 char sym[KSYM_SYMBOL_LEN];
51936 - if (ext != 'f' && ext != 's')
51937 + if (ext != 'f' && ext != 's' && ext != 'a')
51938 sprint_symbol(sym, value);
51940 kallsyms_lookup(value, NULL, NULL, NULL, sym);
51941 @@ -947,6 +950,8 @@ char *uuid_string(char *buf, char *end,
51942 * - 'f' For simple symbolic function names without offset
51943 * - 'S' For symbolic direct pointers with offset
51944 * - 's' For symbolic direct pointers without offset
51945 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
51946 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
51947 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
51948 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
51949 * - 'M' For a 6-byte MAC address, it prints the address in the
51950 @@ -989,7 +994,7 @@ char *pointer(const char *fmt, char *buf
51951 struct printf_spec spec)
51954 - return string(buf, end, "(null)", spec);
51955 + return string(buf, end, "(nil)", spec);
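Review bot: The switch from `"(null)"` to `"(nil)"` is unconditional, unlike the `CONFIG_GRKERNSEC_HIDESYM` block added in the next hunk, so it changes `%p` output for what is presumably the NULL-pointer branch in every configuration. Log parsers and tests that match the old text would need updating, and the change has no comment giving the reason. Either wrap it in the same `#ifdef` or add a line such as `/* NULL pointers print as "(nil)"; see HIDESYM placeholders */`. The condition guarding this return is missing from the listing.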
51959 @@ -998,6 +1003,13 @@ char *pointer(const char *fmt, char *buf
51963 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51966 + return symbol_string(buf, end, ptr, spec, *fmt);
51970 return symbol_string(buf, end, ptr, spec, *fmt);
51973 @@ -1739,11 +1751,11 @@ int bstr_printf(char *buf, size_t size,
51974 typeof(type) value; \
51975 if (sizeof(type) == 8) { \
51976 args = PTR_ALIGN(args, sizeof(u32)); \
51977 - *(u32 *)&value = *(u32 *)args; \
51978 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
51979 + *(u32 *)&value = *(const u32 *)args; \
51980 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
51982 args = PTR_ALIGN(args, sizeof(type)); \
51983 - value = *(typeof(type) *)args; \
51984 + value = *(const typeof(type) *)args; \
51986 args += sizeof(type); \
51988 @@ -1806,7 +1818,7 @@ int bstr_printf(char *buf, size_t size,
51989 case FORMAT_TYPE_STR: {
51990 const char *str_arg = args;
51991 args += strlen(str_arg) + 1;
51992 - str = string(str, end, (char *)str_arg, spec);
51993 + str = string(str, end, str_arg, spec);
51997 diff -urNp linux-2.6.36.2/localversion-grsec linux-2.6.36.2/localversion-grsec
51998 --- linux-2.6.36.2/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
51999 +++ linux-2.6.36.2/localversion-grsec 2010-12-09 20:24:09.000000000 -0500
52002 diff -urNp linux-2.6.36.2/Makefile linux-2.6.36.2/Makefile
52003 --- linux-2.6.36.2/Makefile 2010-12-09 20:53:45.000000000 -0500
52004 +++ linux-2.6.36.2/Makefile 2010-12-09 20:54:31.000000000 -0500
52005 @@ -229,8 +229,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
52009 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
52010 -HOSTCXXFLAGS = -O2
52011 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
52012 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
52014 # Decide whether to build built-in, modular, or both.
52015 # Normally, just do built-in.
52016 @@ -659,7 +659,7 @@ export mod_strip_cmd
52019 ifeq ($(KBUILD_EXTMOD),)
52020 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
52021 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
52023 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
52024 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
52025 diff -urNp linux-2.6.36.2/mm/bootmem.c linux-2.6.36.2/mm/bootmem.c
52026 --- linux-2.6.36.2/mm/bootmem.c 2010-10-20 16:30:22.000000000 -0400
52027 +++ linux-2.6.36.2/mm/bootmem.c 2010-12-09 20:24:51.000000000 -0500
52028 @@ -200,19 +200,30 @@ static void __init __free_pages_memory(u
52029 unsigned long __init free_all_memory_core_early(int nodeid)
52033 + u64 start, end, startrange, endrange;
52034 unsigned long count = 0;
52035 - struct range *range = NULL;
52036 + struct range *range = NULL, rangerange = { 0, 0 };
52039 nr_range = get_free_all_memory_range(&range, nodeid);
52040 + startrange = __pa(range) >> PAGE_SHIFT;
52041 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
52043 for (i = 0; i < nr_range; i++) {
52044 start = range[i].start;
52045 end = range[i].end;
52046 + if (start <= endrange && startrange < end) {
52047 + BUG_ON(rangerange.start | rangerange.end);
52048 + rangerange = range[i];
52051 count += end - start;
52052 __free_pages_memory(start, end);
52054 + start = rangerange.start;
52055 + end = rangerange.end;
52056 + count += end - start;
52057 + __free_pages_memory(start, end);
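Review bot: Nothing in the hunk says why one range is held back until after the loop. From the code, the range overlapping the pages that hold the `range` array is deferred, presumably so the array is not released while it is still being read, and `BUG_ON(rangerange.start | rangerange.end)` assumes at most one such range exists. I would state both in a comment, e.g. `/* free the range backing range[] last: the loop is still reading it */`. The trailing `__free_pages_memory(start, end)` also runs when no range matched, with both values 0; guarding it with `if (rangerange.end)` would make that case explicit. Two lines inside the new `if` block are missing from this listing.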
52061 diff -urNp linux-2.6.36.2/mm/filemap.c linux-2.6.36.2/mm/filemap.c
52062 --- linux-2.6.36.2/mm/filemap.c 2010-12-09 20:53:48.000000000 -0500
52063 +++ linux-2.6.36.2/mm/filemap.c 2010-12-09 20:54:42.000000000 -0500
52064 @@ -1637,7 +1637,7 @@ int generic_file_mmap(struct file * file
52065 struct address_space *mapping = file->f_mapping;
52067 if (!mapping->a_ops->readpage)
52070 file_accessed(file);
52071 vma->vm_ops = &generic_file_vm_ops;
52072 vma->vm_flags |= VM_CAN_NONLINEAR;
52073 @@ -2033,6 +2033,7 @@ inline int generic_write_checks(struct f
52074 *pos = i_size_read(inode);
52076 if (limit != RLIM_INFINITY) {
52077 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
52078 if (*pos >= limit) {
52079 send_sig(SIGXFSZ, current, 0);
52081 diff -urNp linux-2.6.36.2/mm/fremap.c linux-2.6.36.2/mm/fremap.c
52082 --- linux-2.6.36.2/mm/fremap.c 2010-10-20 16:30:22.000000000 -0400
52083 +++ linux-2.6.36.2/mm/fremap.c 2010-12-09 20:24:51.000000000 -0500
52084 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
52086 vma = find_vma(mm, start);
52088 +#ifdef CONFIG_PAX_SEGMEXEC
52089 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
52094 * Make sure the vma is shared, that it supports prefaulting,
52095 * and that the remapped range is valid and fully within
52096 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
52098 * drop PG_Mlocked flag for over-mapped range
52100 - unsigned int saved_flags = vma->vm_flags;
52101 + unsigned long saved_flags = vma->vm_flags;
52102 munlock_vma_pages_range(vma, start, start + size);
52103 vma->vm_flags = saved_flags;
52105 diff -urNp linux-2.6.36.2/mm/highmem.c linux-2.6.36.2/mm/highmem.c
52106 --- linux-2.6.36.2/mm/highmem.c 2010-10-20 16:30:22.000000000 -0400
52107 +++ linux-2.6.36.2/mm/highmem.c 2010-12-09 20:24:51.000000000 -0500
52108 @@ -117,9 +117,10 @@ static void flush_all_zero_pkmaps(void)
52109 * So no dangers, even with speculative execution.
52111 page = pte_page(pkmap_page_table[i]);
52112 + pax_open_kernel();
52113 pte_clear(&init_mm, (unsigned long)page_address(page),
52114 &pkmap_page_table[i]);
52116 + pax_close_kernel();
52117 set_page_address(page, NULL);
52120 @@ -178,9 +179,11 @@ start:
52123 vaddr = PKMAP_ADDR(last_pkmap_nr);
52125 + pax_open_kernel();
52126 set_pte_at(&init_mm, vaddr,
52127 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
52129 + pax_close_kernel();
52130 pkmap_count[last_pkmap_nr] = 1;
52131 set_page_address(page, (void *)vaddr);
52133 diff -urNp linux-2.6.36.2/mm/hugetlb.c linux-2.6.36.2/mm/hugetlb.c
52134 --- linux-2.6.36.2/mm/hugetlb.c 2010-12-09 20:53:48.000000000 -0500
52135 +++ linux-2.6.36.2/mm/hugetlb.c 2010-12-09 20:54:42.000000000 -0500
52136 @@ -2305,6 +2305,27 @@ static int unmap_ref_private(struct mm_s
52140 +#ifdef CONFIG_PAX_SEGMEXEC
52141 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
52143 + struct mm_struct *mm = vma->vm_mm;
52144 + struct vm_area_struct *vma_m;
52145 + unsigned long address_m;
52148 + vma_m = pax_find_mirror_vma(vma);
52152 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52153 + address_m = address + SEGMEXEC_TASK_SIZE;
52154 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
52155 + get_page(page_m);
52156 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
52157 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
52162 * Hugetlb_cow() should be called with page lock of the original hugepage held.
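Review bot: `ptep_m` returned by `huge_pte_offset(mm, address_m & HPAGE_MASK)` is handed to `set_huge_pte_at()` with no NULL check in the visible lines. The helper appears to rely on `hugetlb_fault()` having called `huge_pte_alloc(mm, address_m, ...)` beforehand (hunk `@@ -2594,6 +2628,26 @@`), but that precondition is not stated, and the helper is also called from the copy-on-write path (hunk `@@ -2405,6 +2426,11 @@`). A `BUG_ON(!ptep_m);` after the lookup, or a comment naming the precondition, would turn a possible NULL dereference into a diagnosable stop. The lookup masks `address_m` with `HPAGE_MASK` while `hugepage_add_anon_rmap()` and `set_huge_pte_at()` receive it unmasked; worth confirming that is intended. Several lines of the helper are missing from this listing.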
52164 @@ -2405,6 +2426,11 @@ retry_avoidcopy:
52165 make_huge_pte(vma, new_page, 1));
52166 page_remove_rmap(old_page);
52167 hugepage_add_new_anon_rmap(new_page, vma, address);
52169 +#ifdef CONFIG_PAX_SEGMEXEC
52170 + pax_mirror_huge_pte(vma, address, new_page);
52173 /* Make the old page be freed below */
52174 new_page = old_page;
52175 mmu_notifier_invalidate_range_end(mm,
52176 @@ -2558,6 +2584,10 @@ retry:
52177 && (vma->vm_flags & VM_SHARED)));
52178 set_huge_pte_at(mm, address, ptep, new_pte);
52180 +#ifdef CONFIG_PAX_SEGMEXEC
52181 + pax_mirror_huge_pte(vma, address, page);
52184 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
52185 /* Optimization, do the COW without a second fault */
52186 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
52187 @@ -2587,6 +2617,10 @@ int hugetlb_fault(struct mm_struct *mm,
52188 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
52189 struct hstate *h = hstate_vma(vma);
52191 +#ifdef CONFIG_PAX_SEGMEXEC
52192 + struct vm_area_struct *vma_m;
52195 ptep = huge_pte_offset(mm, address);
52197 entry = huge_ptep_get(ptep);
52198 @@ -2594,6 +2628,26 @@ int hugetlb_fault(struct mm_struct *mm,
52199 return VM_FAULT_HWPOISON;
52202 +#ifdef CONFIG_PAX_SEGMEXEC
52203 + vma_m = pax_find_mirror_vma(vma);
52205 + unsigned long address_m;
52207 + if (vma->vm_start > vma_m->vm_start) {
52208 + address_m = address;
52209 + address -= SEGMEXEC_TASK_SIZE;
52211 + h = hstate_vma(vma);
52213 + address_m = address + SEGMEXEC_TASK_SIZE;
52215 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
52216 + return VM_FAULT_OOM;
52217 + address_m &= HPAGE_MASK;
52218 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
52222 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
52224 return VM_FAULT_OOM;
52225 diff -urNp linux-2.6.36.2/mm/Kconfig linux-2.6.36.2/mm/Kconfig
52226 --- linux-2.6.36.2/mm/Kconfig 2010-10-20 16:30:22.000000000 -0400
52227 +++ linux-2.6.36.2/mm/Kconfig 2010-12-09 20:24:51.000000000 -0500
52228 @@ -240,7 +240,7 @@ config KSM
52229 config DEFAULT_MMAP_MIN_ADDR
52230 int "Low address space to protect from user allocation"
52235 This is the portion of low virtual memory which should be protected
52236 from userspace allocation. Keeping a user from writing to low pages
52237 diff -urNp linux-2.6.36.2/mm/kmemleak.c linux-2.6.36.2/mm/kmemleak.c
52238 --- linux-2.6.36.2/mm/kmemleak.c 2010-10-20 16:30:22.000000000 -0400
52239 +++ linux-2.6.36.2/mm/kmemleak.c 2010-12-09 20:24:51.000000000 -0500
52240 @@ -355,7 +355,7 @@ static void print_unreferenced(struct se
52242 for (i = 0; i < object->trace_len; i++) {
52243 void *ptr = (void *)object->trace[i];
52244 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
52245 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
52249 diff -urNp linux-2.6.36.2/mm/maccess.c linux-2.6.36.2/mm/maccess.c
52250 --- linux-2.6.36.2/mm/maccess.c 2010-10-20 16:30:22.000000000 -0400
52251 +++ linux-2.6.36.2/mm/maccess.c 2010-12-09 20:24:51.000000000 -0500
52252 @@ -15,10 +15,10 @@
52253 * happens, handle that and return -EFAULT.
52256 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
52257 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
52258 __attribute__((alias("__probe_kernel_read")));
52260 -long __probe_kernel_read(void *dst, void *src, size_t size)
52261 +long __probe_kernel_read(void *dst, const void *src, size_t size)
52264 mm_segment_t old_fs = get_fs();
52265 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
52266 * Safely write to address @dst from the buffer at @src. If a kernel fault
52267 * happens, handle that and return -EFAULT.
52269 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
52270 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
52271 __attribute__((alias("__probe_kernel_write")));
52273 -long __probe_kernel_write(void *dst, void *src, size_t size)
52274 +long __probe_kernel_write(void *dst, const void *src, size_t size)
52277 mm_segment_t old_fs = get_fs();
52278 diff -urNp linux-2.6.36.2/mm/madvise.c linux-2.6.36.2/mm/madvise.c
52279 --- linux-2.6.36.2/mm/madvise.c 2010-10-20 16:30:22.000000000 -0400
52280 +++ linux-2.6.36.2/mm/madvise.c 2010-12-09 20:24:51.000000000 -0500
52281 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
52283 unsigned long new_flags = vma->vm_flags;
52285 +#ifdef CONFIG_PAX_SEGMEXEC
52286 + struct vm_area_struct *vma_m;
52289 switch (behavior) {
52291 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
52292 @@ -104,6 +108,13 @@ success:
52294 * vm_flags is protected by the mmap_sem held in write mode.
52297 +#ifdef CONFIG_PAX_SEGMEXEC
52298 + vma_m = pax_find_mirror_vma(vma);
52300 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
52303 vma->vm_flags = new_flags;
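Review bot: The mirror's flags are set to `new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT)` with no explanation of why exactly these three bits are stripped. A comment such as `/* the SEGMEXEC mirror is never writable and is not accounted on its own */` would record the invariant, if that reading is what the author intends. The line between the lookup and the assignment is missing from this extract. The assignment has to stay under an `if (vma_m)` guard, since other call sites in this patch test the result of `pax_find_mirror_vma()` for NULL.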
52306 @@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
52307 struct vm_area_struct ** prev,
52308 unsigned long start, unsigned long end)
52311 +#ifdef CONFIG_PAX_SEGMEXEC
52312 + struct vm_area_struct *vma_m;
52316 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
52318 @@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
52319 zap_page_range(vma, start, end - start, &details);
52321 zap_page_range(vma, start, end - start, NULL);
52323 +#ifdef CONFIG_PAX_SEGMEXEC
52324 + vma_m = pax_find_mirror_vma(vma);
52326 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
52327 + struct zap_details details = {
52328 + .nonlinear_vma = vma_m,
52329 + .last_index = ULONG_MAX,
52331 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
52333 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
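Review bot: Both added `zap_page_range()` calls pass `vma` while the range begins at `start + SEGMEXEC_TASK_SIZE`, which lies in the mirror, and only `details.nonlinear_vma` names `vma_m`. If this relies on the zap walking forward from `vma` until it reaches the mirror, that deserves a comment; otherwise passing the mirror is clearer: `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);`. The nonlinear test also reads `vma->vm_flags` rather than the mirror's flags. madvise_dontneed continues outside this hunk.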
52340 @@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
52344 +#ifdef CONFIG_PAX_SEGMEXEC
52345 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
52346 + if (end > SEGMEXEC_TASK_SIZE)
52351 + if (end > TASK_SIZE)
52357 diff -urNp linux-2.6.36.2/mm/memory.c linux-2.6.36.2/mm/memory.c
52358 --- linux-2.6.36.2/mm/memory.c 2010-10-20 16:30:22.000000000 -0400
52359 +++ linux-2.6.36.2/mm/memory.c 2010-12-09 20:24:51.000000000 -0500
52360 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
52363 pmd = pmd_offset(pud, start);
52365 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
52367 pmd_free_tlb(tlb, pmd, start);
52372 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
52373 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
52374 if (end - 1 > ceiling - 1)
52377 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
52378 pud = pud_offset(pgd, start);
52380 pud_free_tlb(tlb, pud, start);
52386 @@ -1361,10 +1368,10 @@ int __get_user_pages(struct task_struct
52387 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
52391 + while (nr_pages) {
52392 struct vm_area_struct *vma;
52394 - vma = find_extend_vma(mm, start);
52395 + vma = find_vma(mm, start);
52396 if (!vma && in_gate_area(tsk, start)) {
52397 unsigned long pg = start & PAGE_MASK;
52398 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
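Review bot: With `find_extend_vma()` replaced by `find_vma()`, the lookup can return a vma that lies entirely above `start`, so correctness now depends on the `start < vma->vm_start` test added in the next hunk (@@ -1416). That dependency should be stated at the lookup, for example `/* no stack auto-expansion here: a vma above start is rejected below */`. Callers that relied on this path to grow a stack vma will now see `-EFAULT`, which is worth a line in the commit description. The gate-area branch right after the lookup still tests only `!vma`, which is probably fine but should be confirmed for every architecture that defines a gate area.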
52399 @@ -1416,7 +1423,7 @@ int __get_user_pages(struct task_struct
52404 + if (!vma || start < vma->vm_start ||
52405 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
52406 !(vm_flags & vma->vm_flags))
52407 return i ? : -EFAULT;
52408 @@ -1491,7 +1498,7 @@ int __get_user_pages(struct task_struct
52409 start += PAGE_SIZE;
52411 } while (nr_pages && start < vma->vm_end);
52412 - } while (nr_pages);
52417 @@ -1636,6 +1643,10 @@ static int insert_page(struct vm_area_st
52418 page_add_file_rmap(page);
52419 set_pte_at(mm, addr, pte, mk_pte(page, prot));
52421 +#ifdef CONFIG_PAX_SEGMEXEC
52422 + pax_mirror_file_pte(vma, addr, page, ptl);
52426 pte_unmap_unlock(pte, ptl);
52428 @@ -1670,10 +1681,22 @@ out:
52429 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
52433 +#ifdef CONFIG_PAX_SEGMEXEC
52434 + struct vm_area_struct *vma_m;
52437 if (addr < vma->vm_start || addr >= vma->vm_end)
52439 if (!page_count(page))
52442 +#ifdef CONFIG_PAX_SEGMEXEC
52443 + vma_m = pax_find_mirror_vma(vma);
52445 + vma_m->vm_flags |= VM_INSERTPAGE;
52448 vma->vm_flags |= VM_INSERTPAGE;
52449 return insert_page(vma, addr, page, vma->vm_page_prot);
52451 @@ -1759,6 +1782,7 @@ int vm_insert_mixed(struct vm_area_struc
52454 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
52455 + BUG_ON(vma->vm_mirror);
52457 if (addr < vma->vm_start || addr >= vma->vm_end)
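Review bot: `BUG_ON(vma->vm_mirror)` turns a mirrored VM_MIXEDMAP vma into a kernel oops on a function that drivers call while servicing a fault. If nothing earlier prevents such a vma from gaining a mirror (not visible in this hunk), failing the call is the safer response: `if (WARN_ON_ONCE(vma->vm_mirror)) return -EFAULT;`. The function returns `int`, so callers already have to handle an error. Its body continues outside the hunk.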
52459 @@ -2086,6 +2110,186 @@ static inline void cow_user_page(struct
52460 copy_user_highpage(dst, src, va, vma);
52463 +#ifdef CONFIG_PAX_SEGMEXEC
52464 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
52466 + struct mm_struct *mm = vma->vm_mm;
52468 + pte_t *pte, entry;
52470 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
52472 + if (!pte_present(entry)) {
52473 + if (!pte_none(entry)) {
52474 + BUG_ON(pte_file(entry));
52475 + free_swap_and_cache(pte_to_swp_entry(entry));
52476 + pte_clear_not_present_full(mm, address, pte, 0);
52479 + struct page *page;
52481 + flush_cache_page(vma, address, pte_pfn(entry));
52482 + entry = ptep_clear_flush(vma, address, pte);
52483 + BUG_ON(pte_dirty(entry));
52484 + page = vm_normal_page(vma, address, entry);
52486 + update_hiwater_rss(mm);
52487 + if (PageAnon(page))
52488 + dec_mm_counter_fast(mm, MM_ANONPAGES);
52490 + dec_mm_counter_fast(mm, MM_FILEPAGES);
52491 + page_remove_rmap(page);
52492 + page_cache_release(page);
52495 + pte_unmap_unlock(pte, ptl);
52498 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
52500 + * the ptl of the lower mapped page is held on entry and is not released on exit
52501 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
52503 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
52505 + struct mm_struct *mm = vma->vm_mm;
52506 + unsigned long address_m;
52507 + spinlock_t *ptl_m;
52508 + struct vm_area_struct *vma_m;
52510 + pte_t *pte_m, entry_m;
52512 + BUG_ON(!page_m || !PageAnon(page_m));
52514 + vma_m = pax_find_mirror_vma(vma);
52518 + BUG_ON(!PageLocked(page_m));
52519 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52520 + address_m = address + SEGMEXEC_TASK_SIZE;
52521 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52522 + pte_m = pte_offset_map_nested(pmd_m, address_m);
52523 + ptl_m = pte_lockptr(mm, pmd_m);
52524 + if (ptl != ptl_m) {
52525 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52526 + if (!pte_none(*pte_m))
52530 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
52531 + page_cache_get(page_m);
52532 + page_add_anon_rmap(page_m, vma_m, address_m);
52533 + inc_mm_counter_fast(mm, MM_ANONPAGES);
52534 + set_pte_at(mm, address_m, pte_m, entry_m);
52535 + update_mmu_cache(vma_m, address_m, entry_m);
52537 + if (ptl != ptl_m)
52538 + spin_unlock(ptl_m);
52539 + pte_unmap_nested(pte_m);
52540 + unlock_page(page_m);
52543 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
52545 + struct mm_struct *mm = vma->vm_mm;
52546 + unsigned long address_m;
52547 + spinlock_t *ptl_m;
52548 + struct vm_area_struct *vma_m;
52550 + pte_t *pte_m, entry_m;
52552 + BUG_ON(!page_m || PageAnon(page_m));
52554 + vma_m = pax_find_mirror_vma(vma);
52558 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52559 + address_m = address + SEGMEXEC_TASK_SIZE;
52560 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52561 + pte_m = pte_offset_map_nested(pmd_m, address_m);
52562 + ptl_m = pte_lockptr(mm, pmd_m);
52563 + if (ptl != ptl_m) {
52564 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52565 + if (!pte_none(*pte_m))
52569 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
52570 + page_cache_get(page_m);
52571 + page_add_file_rmap(page_m);
52572 + inc_mm_counter_fast(mm, MM_FILEPAGES);
52573 + set_pte_at(mm, address_m, pte_m, entry_m);
52574 + update_mmu_cache(vma_m, address_m, entry_m);
52576 + if (ptl != ptl_m)
52577 + spin_unlock(ptl_m);
52578 + pte_unmap_nested(pte_m);
52581 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
52583 + struct mm_struct *mm = vma->vm_mm;
52584 + unsigned long address_m;
52585 + spinlock_t *ptl_m;
52586 + struct vm_area_struct *vma_m;
52588 + pte_t *pte_m, entry_m;
52590 + vma_m = pax_find_mirror_vma(vma);
52594 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52595 + address_m = address + SEGMEXEC_TASK_SIZE;
52596 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52597 + pte_m = pte_offset_map_nested(pmd_m, address_m);
52598 + ptl_m = pte_lockptr(mm, pmd_m);
52599 + if (ptl != ptl_m) {
52600 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52601 + if (!pte_none(*pte_m))
52605 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
52606 + set_pte_at(mm, address_m, pte_m, entry_m);
52608 + if (ptl != ptl_m)
52609 + spin_unlock(ptl_m);
52610 + pte_unmap_nested(pte_m);
52613 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
52615 + struct page *page_m;
52618 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
52622 + page_m = vm_normal_page(vma, address, entry);
52624 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
52625 + else if (PageAnon(page_m)) {
52626 + if (pax_find_mirror_vma(vma)) {
52627 + pte_unmap_unlock(pte, ptl);
52628 + lock_page(page_m);
52629 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
52630 + if (pte_same(entry, *pte))
52631 + pax_mirror_anon_pte(vma, address, page_m, ptl);
52633 + unlock_page(page_m);
52636 + pax_mirror_file_pte(vma, address, page_m, ptl);
52639 + pte_unmap_unlock(pte, ptl);
52644 * This routine handles present pages, when users try to write
52645 * to a shared page. It is done by copying the page to a new address
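Review bot: pax_mirror_anon_pte(), pax_mirror_file_pte() and pax_mirror_pfn_pte() reach the mirror PTE through `pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m)` with no presence checks, so they are safe only if the mirror's page tables were populated beforehand. The handle_mm_fault hunk later in this file appears to do that (pud_alloc, pmd_alloc and __pte_alloc on `address_m`), but nothing here says so, and a header comment stating the precondition would make it reviewable. The three functions also repeat the same map, lock, `pte_none` test and unlock sequence almost line for line, which one static helper returning the locked `pte_m` would remove. pax_mirror_anon_pte() also releases the page lock on exit (`unlock_page(page_m)`), while its comment discusses only the ptl; it should say that the caller hands over a locked page.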
52646 @@ -2272,6 +2476,12 @@ gotten:
52648 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
52649 if (likely(pte_same(*page_table, orig_pte))) {
52651 +#ifdef CONFIG_PAX_SEGMEXEC
52652 + if (pax_find_mirror_vma(vma))
52653 + BUG_ON(!trylock_page(new_page));
52657 if (!PageAnon(old_page)) {
52658 dec_mm_counter_fast(mm, MM_FILEPAGES);
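Review bot: `BUG_ON(!trylock_page(new_page))` hides a lock acquisition inside an assertion, and the matching `unlock_page()` is inside pax_mirror_anon_pte(), so the pairing cannot be seen at this call site. Keeping the side effect outside the assertion would read `locked = trylock_page(new_page);` followed by `BUG_ON(!locked);` with a local `int locked`, plus a comment that pax_mirror_anon_pte() drops the page lock. The same pattern is added in do_anonymous_page (@@ -2872) and __do_fault (@@ -3021). do_wp_page continues outside this hunk.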
52659 @@ -2323,6 +2533,10 @@ gotten:
52660 page_remove_rmap(old_page);
52663 +#ifdef CONFIG_PAX_SEGMEXEC
52664 + pax_mirror_anon_pte(vma, address, new_page, ptl);
52667 /* Free the old page.. */
52668 new_page = old_page;
52669 ret |= VM_FAULT_WRITE;
52670 @@ -2749,19 +2963,12 @@ static int do_swap_page(struct mm_struct
52672 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
52673 try_to_free_swap(page);
52675 +#ifdef CONFIG_PAX_SEGMEXEC
52676 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
52682 - * Hold the lock to avoid the swap entry to be reused
52683 - * until we take the PT lock for the pte_same() check
52684 - * (to avoid false positives from pte_same). For
52685 - * further safety release the lock after the swap_free
52686 - * so that the swap count won't change under a
52687 - * parallel locked swapcache.
52689 - unlock_page(swapcache);
52690 - page_cache_release(swapcache);
52693 if (flags & FAULT_FLAG_WRITE) {
52694 ret |= do_wp_page(mm, vma, address, page_table, pmd, ptl, pte);
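Review bot: This hunk deletes `unlock_page(swapcache)` and `page_cache_release(swapcache)`, and the out_page hunk that follows (@@ -2783) deletes the same pair from the error path, yet no hunk shown for this file touches the place where `swapcache` is assigned. If that assignment is still present in do_swap_page, the original swap-cache page stays locked and holds an extra reference on both paths. Either keep the `if (swapcache)` release block next to the new SEGMEXEC-conditional unlock, or explain in the commit why it is no longer needed. Several lines of this hunk are missing from the extract and the function starts outside it, so this should be checked against the full function.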
52695 @@ -2772,6 +2979,11 @@ static int do_swap_page(struct mm_struct
52697 /* No need to invalidate - it was non-present before */
52698 update_mmu_cache(vma, address, page_table);
52700 +#ifdef CONFIG_PAX_SEGMEXEC
52701 + pax_mirror_anon_pte(vma, address, page, ptl);
52705 pte_unmap_unlock(page_table, ptl);
52707 @@ -2783,48 +2995,10 @@ out_page:
52710 page_cache_release(page);
52712 - unlock_page(swapcache);
52713 - page_cache_release(swapcache);
52719 - * This is like a special single-page "expand_{down|up}wards()",
52720 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
52721 - * doesn't hit another vma.
52723 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
52725 - address &= PAGE_MASK;
52726 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
52727 - struct vm_area_struct *prev = vma->vm_prev;
52730 - * Is there a mapping abutting this one below?
52732 - * That's only ok if it's the same stack mapping
52733 - * that has gotten split..
52735 - if (prev && prev->vm_end == address)
52736 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
52738 - expand_stack(vma, address - PAGE_SIZE);
52740 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
52741 - struct vm_area_struct *next = vma->vm_next;
52743 - /* As VM_GROWSDOWN but s/below/above/ */
52744 - if (next && next->vm_start == address + PAGE_SIZE)
52745 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
52747 - expand_upwards(vma, address + PAGE_SIZE);
52753 * We enter with non-exclusive mmap_sem (to exclude vma changes,
52754 * but allow concurrent faults), and pte mapped but not yet locked.
52755 * We return with mmap_sem still held, but pte unmapped and unlocked.
52756 @@ -2833,27 +3007,23 @@ static int do_anonymous_page(struct mm_s
52757 unsigned long address, pte_t *page_table, pmd_t *pmd,
52758 unsigned int flags)
52760 - struct page *page;
52761 + struct page *page = NULL;
52765 - pte_unmap(page_table);
52767 - /* Check if we need to add a guard page to the stack */
52768 - if (check_stack_guard_page(vma, address) < 0)
52769 - return VM_FAULT_SIGBUS;
52771 - /* Use the zero-page for reads */
52772 if (!(flags & FAULT_FLAG_WRITE)) {
52773 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
52774 vma->vm_page_prot));
52775 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
52776 + ptl = pte_lockptr(mm, pmd);
52778 if (!pte_none(*page_table))
52783 /* Allocate our own private page. */
52784 + pte_unmap(page_table);
52786 if (unlikely(anon_vma_prepare(vma)))
52788 page = alloc_zeroed_user_highpage_movable(vma, address);
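Review bot: The call to check_stack_guard_page() is removed here and its definition is removed in the previous hunk, so this fault path no longer refuses to grow a stack into an abutting mapping. The replacement appears to be the `sysctl_heap_stack_gap` tunable added in mm/mmap.c (default `64*1024`), whose enforcement is not in these hunks. The commit should say where the gap is checked and what protection remains when the sysctl is set to 0. The read path also swaps `pte_offset_map_lock()` for a bare `pte_lockptr()`, which works only because the PTE is still mapped on entry and the lock is taken on a line not shown; a comment such as `/* page_table is still mapped by the caller; take only the lock */` would make that explicit.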
52789 @@ -2872,6 +3042,11 @@ static int do_anonymous_page(struct mm_s
52790 if (!pte_none(*page_table))
52793 +#ifdef CONFIG_PAX_SEGMEXEC
52794 + if (pax_find_mirror_vma(vma))
52795 + BUG_ON(!trylock_page(page));
52798 inc_mm_counter_fast(mm, MM_ANONPAGES);
52799 page_add_new_anon_rmap(page, vma, address);
52801 @@ -2879,6 +3054,12 @@ setpte:
52803 /* No need to invalidate - it was non-present before */
52804 update_mmu_cache(vma, address, page_table);
52806 +#ifdef CONFIG_PAX_SEGMEXEC
52808 + pax_mirror_anon_pte(vma, address, page, ptl);
52812 pte_unmap_unlock(page_table, ptl);
52814 @@ -3021,6 +3202,12 @@ static int __do_fault(struct mm_struct *
52816 /* Only go through if we didn't race with anybody else... */
52817 if (likely(pte_same(*page_table, orig_pte))) {
52819 +#ifdef CONFIG_PAX_SEGMEXEC
52820 + if (anon && pax_find_mirror_vma(vma))
52821 + BUG_ON(!trylock_page(page));
52824 flush_icache_page(vma, page);
52825 entry = mk_pte(page, vma->vm_page_prot);
52826 if (flags & FAULT_FLAG_WRITE)
52827 @@ -3040,6 +3227,14 @@ static int __do_fault(struct mm_struct *
52829 /* no need to invalidate: a not-present page won't be cached */
52830 update_mmu_cache(vma, address, page_table);
52832 +#ifdef CONFIG_PAX_SEGMEXEC
52834 + pax_mirror_anon_pte(vma, address, page, ptl);
52836 + pax_mirror_file_pte(vma, address, page, ptl);
52841 mem_cgroup_uncharge_page(page);
52842 @@ -3187,6 +3382,12 @@ static inline int handle_pte_fault(struc
52843 if (flags & FAULT_FLAG_WRITE)
52844 flush_tlb_page(vma, address);
52847 +#ifdef CONFIG_PAX_SEGMEXEC
52848 + pax_mirror_pte(vma, address, pte, pmd, ptl);
52853 pte_unmap_unlock(pte, ptl);
52855 @@ -3203,6 +3404,10 @@ int handle_mm_fault(struct mm_struct *mm
52859 +#ifdef CONFIG_PAX_SEGMEXEC
52860 + struct vm_area_struct *vma_m;
52863 __set_current_state(TASK_RUNNING);
52865 count_vm_event(PGFAULT);
52866 @@ -3213,6 +3418,34 @@ int handle_mm_fault(struct mm_struct *mm
52867 if (unlikely(is_vm_hugetlb_page(vma)))
52868 return hugetlb_fault(mm, vma, address, flags);
52870 +#ifdef CONFIG_PAX_SEGMEXEC
52871 + vma_m = pax_find_mirror_vma(vma);
52873 + unsigned long address_m;
52878 + if (vma->vm_start > vma_m->vm_start) {
52879 + address_m = address;
52880 + address -= SEGMEXEC_TASK_SIZE;
52883 + address_m = address + SEGMEXEC_TASK_SIZE;
52885 + pgd_m = pgd_offset(mm, address_m);
52886 + pud_m = pud_alloc(mm, pgd_m, address_m);
52888 + return VM_FAULT_OOM;
52889 + pmd_m = pmd_alloc(mm, pud_m, address_m);
52891 + return VM_FAULT_OOM;
52892 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
52893 + return VM_FAULT_OOM;
52894 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
52898 pgd = pgd_offset(mm, address);
52899 pud = pud_alloc(mm, pgd, address);
52901 @@ -3310,7 +3543,7 @@ static int __init gate_vma_init(void)
52902 gate_vma.vm_start = FIXADDR_USER_START;
52903 gate_vma.vm_end = FIXADDR_USER_END;
52904 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
52905 - gate_vma.vm_page_prot = __P101;
52906 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
52908 * Make sure the vDSO gets into every core dump.
52909 * Dumping its contents makes post-mortem fully interpretable later
52910 diff -urNp linux-2.6.36.2/mm/memory-failure.c linux-2.6.36.2/mm/memory-failure.c
52911 --- linux-2.6.36.2/mm/memory-failure.c 2010-10-20 16:30:22.000000000 -0400
52912 +++ linux-2.6.36.2/mm/memory-failure.c 2010-12-09 20:24:51.000000000 -0500
52913 @@ -53,7 +53,7 @@ int sysctl_memory_failure_early_kill __r
52915 int sysctl_memory_failure_recovery __read_mostly = 1;
52917 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
52918 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
52920 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
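Review bot: `mce_bad_pages` becomes `atomic_long_unchecked_t` here, and the later hunks of this file (@@ -975, @@ -1039, @@ -1155, @@ -1169, @@ -1352) switch every update to the `_unchecked` accessors, with no comment on why overflow checking is waived. If the reason is that this is a statistics counter and not an object reference count, say so at the definition: `/* statistic, not a refcount: wrapping is harmless */`. That keeps later readers from copying the unchecked type onto a real reference count.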
52922 @@ -975,7 +975,7 @@ int __memory_failure(unsigned long pfn,
52925 nr_pages = 1 << compound_order(hpage);
52926 - atomic_long_add(nr_pages, &mce_bad_pages);
52927 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
52930 * We need/can do nothing about count=0 pages.
52931 @@ -1039,7 +1039,7 @@ int __memory_failure(unsigned long pfn,
52933 if (hwpoison_filter(p)) {
52934 if (TestClearPageHWPoison(p))
52935 - atomic_long_sub(nr_pages, &mce_bad_pages);
52936 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52937 unlock_page(hpage);
52940 @@ -1155,7 +1155,7 @@ int unpoison_memory(unsigned long pfn)
52942 if (!get_page_unless_zero(page)) {
52943 if (TestClearPageHWPoison(p))
52944 - atomic_long_sub(nr_pages, &mce_bad_pages);
52945 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52946 pr_debug("MCE: Software-unpoisoned free page %#lx\n", pfn);
52949 @@ -1169,7 +1169,7 @@ int unpoison_memory(unsigned long pfn)
52951 if (TestClearPageHWPoison(page)) {
52952 pr_debug("MCE: Software-unpoisoned page %#lx\n", pfn);
52953 - atomic_long_sub(nr_pages, &mce_bad_pages);
52954 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52958 @@ -1352,7 +1352,7 @@ int soft_offline_page(struct page *page,
52962 - atomic_long_add(1, &mce_bad_pages);
52963 + atomic_long_add_unchecked(1, &mce_bad_pages);
52964 SetPageHWPoison(page);
52965 /* keep elevated page count for bad page */
52967 diff -urNp linux-2.6.36.2/mm/mempolicy.c linux-2.6.36.2/mm/mempolicy.c
52968 --- linux-2.6.36.2/mm/mempolicy.c 2010-12-09 20:53:48.000000000 -0500
52969 +++ linux-2.6.36.2/mm/mempolicy.c 2010-12-09 20:54:42.000000000 -0500
52970 @@ -642,6 +642,10 @@ static int mbind_range(struct mm_struct
52971 unsigned long vmstart;
52972 unsigned long vmend;
52974 +#ifdef CONFIG_PAX_SEGMEXEC
52975 + struct vm_area_struct *vma_m;
52978 vma = find_vma_prev(mm, start, &prev);
52979 if (!vma || vma->vm_start > start)
52981 @@ -672,6 +676,16 @@ static int mbind_range(struct mm_struct
52982 err = policy_vma(vma, new_pol);
52986 +#ifdef CONFIG_PAX_SEGMEXEC
52987 + vma_m = pax_find_mirror_vma(vma);
52989 + err = policy_vma(vma_m, new_pol);
52998 @@ -1098,6 +1112,17 @@ static long do_mbind(unsigned long start
53003 +#ifdef CONFIG_PAX_SEGMEXEC
53004 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
53005 + if (end > SEGMEXEC_TASK_SIZE)
53010 + if (end > TASK_SIZE)
53016 @@ -1312,6 +1337,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
53020 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
53021 + if (mm != current->mm &&
53022 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
53029 * Check if this process has the right to modify the specified
53030 * process. The right exists if the process has administrative
53031 @@ -1321,8 +1354,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
53033 tcred = __task_cred(task);
53034 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
53035 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
53036 - !capable(CAP_SYS_NICE)) {
53037 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
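Review bot: Dropping `cred->uid != tcred->uid` narrows the check, but the remaining `cred->euid != tcred->uid` clause still admits a caller whose effective uid equals the target's real uid, which includes a set-id program that the caller started. If the aim is to protect targets whose credentials differ from the caller's, a ptrace-style test against the target's uid, euid and suid together would be stricter; as far as I recall, later mainline kernels moved these syscalls to `ptrace_may_access()`. The identical edit is made to move_pages in mm/migrate.c (@@ -1107). A comment stating which caller/target combinations are meant to pass would make the intent checkable.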
53041 @@ -2620,7 +2652,7 @@ int show_numa_map(struct seq_file *m, vo
53044 seq_printf(m, " file=");
53045 - seq_path(m, &file->f_path, "\n\t= ");
53046 + seq_path(m, &file->f_path, "\n\t\\= ");
53047 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
53048 seq_printf(m, " heap");
53049 } else if (vma->vm_start <= mm->start_stack &&
53050 diff -urNp linux-2.6.36.2/mm/migrate.c linux-2.6.36.2/mm/migrate.c
53051 --- linux-2.6.36.2/mm/migrate.c 2010-10-20 16:30:22.000000000 -0400
53052 +++ linux-2.6.36.2/mm/migrate.c 2010-12-09 20:24:51.000000000 -0500
53053 @@ -1098,6 +1098,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
53057 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
53058 + if (mm != current->mm &&
53059 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
53066 * Check if this process has the right to modify the specified
53067 * process. The right exists if the process has administrative
53068 @@ -1107,8 +1115,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
53070 tcred = __task_cred(task);
53071 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
53072 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
53073 - !capable(CAP_SYS_NICE)) {
53074 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
53078 diff -urNp linux-2.6.36.2/mm/mlock.c linux-2.6.36.2/mm/mlock.c
53079 --- linux-2.6.36.2/mm/mlock.c 2010-10-20 16:30:22.000000000 -0400
53080 +++ linux-2.6.36.2/mm/mlock.c 2010-12-09 20:24:51.000000000 -0500
53082 #include <linux/pagemap.h>
53083 #include <linux/mempolicy.h>
53084 #include <linux/syscalls.h>
53085 +#include <linux/security.h>
53086 #include <linux/sched.h>
53087 #include <linux/module.h>
53088 #include <linux/rmap.h>
53089 @@ -135,13 +136,6 @@ void munlock_vma_page(struct page *page)
53093 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
53095 - return (vma->vm_flags & VM_GROWSDOWN) &&
53096 - (vma->vm_start == addr) &&
53097 - !vma_stack_continue(vma->vm_prev, addr);
53101 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
53103 @@ -174,12 +168,6 @@ static long __mlock_vma_pages_range(stru
53104 if (vma->vm_flags & VM_WRITE)
53105 gup_flags |= FOLL_WRITE;
53107 - /* We don't try to access the guard page of a stack vma */
53108 - if (stack_guard_page(vma, start)) {
53109 - addr += PAGE_SIZE;
53113 while (nr_pages > 0) {
53116 @@ -445,6 +433,9 @@ static int do_mlock(unsigned long start,
53120 + if (end > TASK_SIZE)
53123 vma = find_vma_prev(current->mm, start, &prev);
53124 if (!vma || vma->vm_start > start)
53126 @@ -455,6 +446,11 @@ static int do_mlock(unsigned long start,
53127 for (nstart = start ; ; ) {
53128 unsigned int newflags;
53130 +#ifdef CONFIG_PAX_SEGMEXEC
53131 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
53135 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
53137 newflags = vma->vm_flags | VM_LOCKED;
53138 @@ -504,6 +500,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
53139 lock_limit >>= PAGE_SHIFT;
53141 /* check against resource limits */
53142 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
53143 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
53144 error = do_mlock(start, len, 1);
53145 up_write(¤t->mm->mmap_sem);
53146 @@ -525,17 +522,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
53147 static int do_mlockall(int flags)
53149 struct vm_area_struct * vma, * prev = NULL;
53150 - unsigned int def_flags = 0;
53152 if (flags & MCL_FUTURE)
53153 - def_flags = VM_LOCKED;
53154 - current->mm->def_flags = def_flags;
53155 + current->mm->def_flags |= VM_LOCKED;
53157 + current->mm->def_flags &= ~VM_LOCKED;
53158 if (flags == MCL_FUTURE)
53161 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
53162 - unsigned int newflags;
53163 + unsigned long newflags;
53165 +#ifdef CONFIG_PAX_SEGMEXEC
53166 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
53170 + BUG_ON(vma->vm_end > TASK_SIZE);
53171 newflags = vma->vm_flags | VM_LOCKED;
53172 if (!(flags & MCL_CURRENT))
53173 newflags &= ~VM_LOCKED;
53174 @@ -567,6 +570,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
53175 lock_limit >>= PAGE_SHIFT;
53178 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
53179 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
53180 capable(CAP_IPC_LOCK))
53181 ret = do_mlockall(flags);
53182 diff -urNp linux-2.6.36.2/mm/mmap.c linux-2.6.36.2/mm/mmap.c
53183 --- linux-2.6.36.2/mm/mmap.c 2010-10-20 16:30:22.000000000 -0400
53184 +++ linux-2.6.36.2/mm/mmap.c 2010-12-09 20:24:51.000000000 -0500
53186 #define arch_rebalance_pgtables(addr, len) (addr)
53189 +static inline void verify_mm_writelocked(struct mm_struct *mm)
53191 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
53192 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
53193 + up_read(&mm->mmap_sem);
53199 static void unmap_region(struct mm_struct *mm,
53200 struct vm_area_struct *vma, struct vm_area_struct *prev,
53201 unsigned long start, unsigned long end);
53202 @@ -69,22 +79,32 @@ static void unmap_region(struct mm_struc
53203 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
53206 -pgprot_t protection_map[16] = {
53207 +pgprot_t protection_map[16] __read_only = {
53208 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
53209 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
53212 pgprot_t vm_get_page_prot(unsigned long vm_flags)
53214 - return __pgprot(pgprot_val(protection_map[vm_flags &
53215 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
53216 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
53217 pgprot_val(arch_vm_get_page_prot(vm_flags)));
53219 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53220 + if (!(__supported_pte_mask & _PAGE_NX) &&
53221 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
53222 + (vm_flags & (VM_READ | VM_WRITE)))
53223 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
53228 EXPORT_SYMBOL(vm_get_page_prot);
53230 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
53231 int sysctl_overcommit_ratio = 50; /* default is 50% */
53232 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
53233 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
53234 struct percpu_counter vm_committed_as;
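Review bot: The PAGEEXEC branch added to vm_get_page_prot() has no comment, and its condition is dense: no hardware NX (`!(__supported_pte_mask & _PAGE_NX)`), `VM_PAGEEXEC` set without `VM_EXEC`, and the mapping readable or writable. A comment such as `/* PAGEEXEC on a CPU without NX: apply pte_exprotect() to non-executable mappings */` would say what the rewritten protection is for. `sysctl_heap_stack_gap` is initialised to a bare `64*1024`; a comment giving the unit and the reason for that default would help whoever tunes it.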
53237 @@ -230,6 +250,7 @@ static struct vm_area_struct *remove_vma
53238 struct vm_area_struct *next = vma->vm_next;
53241 + BUG_ON(vma->vm_mirror);
53242 if (vma->vm_ops && vma->vm_ops->close)
53243 vma->vm_ops->close(vma);
53244 if (vma->vm_file) {
53245 @@ -266,6 +287,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
53246 * not page aligned -Ram Gupta
53248 rlim = rlimit(RLIMIT_DATA);
53249 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
53250 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
53251 (mm->end_data - mm->start_data) > rlim)
53253 @@ -707,6 +729,12 @@ static int
53254 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
53255 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
53258 +#ifdef CONFIG_PAX_SEGMEXEC
53259 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
53263 if (is_mergeable_vma(vma, file, vm_flags) &&
53264 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
53265 if (vma->vm_pgoff == vm_pgoff)
53266 @@ -726,6 +754,12 @@ static int
53267 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
53268 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
53271 +#ifdef CONFIG_PAX_SEGMEXEC
53272 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
53276 if (is_mergeable_vma(vma, file, vm_flags) &&
53277 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
53279 @@ -768,13 +802,20 @@ can_vma_merge_after(struct vm_area_struc
53280 struct vm_area_struct *vma_merge(struct mm_struct *mm,
53281 struct vm_area_struct *prev, unsigned long addr,
53282 unsigned long end, unsigned long vm_flags,
53283 - struct anon_vma *anon_vma, struct file *file,
53284 + struct anon_vma *anon_vma, struct file *file,
53285 pgoff_t pgoff, struct mempolicy *policy)
53287 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
53288 struct vm_area_struct *area, *next;
53291 +#ifdef CONFIG_PAX_SEGMEXEC
53292 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
53293 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
53295 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
53299 * We later require that vma->vm_flags == vm_flags,
53300 * so this tests vma->vm_flags & VM_SPECIAL, too.
53301 @@ -790,6 +831,15 @@ struct vm_area_struct *vma_merge(struct
53302 if (next && next->vm_end == end) /* cases 6, 7, 8 */
53303 next = next->vm_next;
53305 +#ifdef CONFIG_PAX_SEGMEXEC
53307 + prev_m = pax_find_mirror_vma(prev);
53309 + area_m = pax_find_mirror_vma(area);
53311 + next_m = pax_find_mirror_vma(next);
53315 * Can it merge with the predecessor?
53317 @@ -809,9 +859,24 @@ struct vm_area_struct *vma_merge(struct
53319 err = vma_adjust(prev, prev->vm_start,
53320 next->vm_end, prev->vm_pgoff, NULL);
53321 - } else /* cases 2, 5, 7 */
53323 +#ifdef CONFIG_PAX_SEGMEXEC
53324 + if (!err && prev_m)
53325 + err = vma_adjust(prev_m, prev_m->vm_start,
53326 + next_m->vm_end, prev_m->vm_pgoff, NULL);
53329 + } else { /* cases 2, 5, 7 */
53330 err = vma_adjust(prev, prev->vm_start,
53331 end, prev->vm_pgoff, NULL);
53333 +#ifdef CONFIG_PAX_SEGMEXEC
53334 + if (!err && prev_m)
53335 + err = vma_adjust(prev_m, prev_m->vm_start,
53336 + end_m, prev_m->vm_pgoff, NULL);
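Review bot: The mirror `vma_adjust()` calls read `next_m->vm_end` under a guard that tests only `prev_m` (first branch here) or only `area_m` (cases 3, 8 in the `@@ -824,12 +889,27 @@` hunk), so they depend on an unstated invariant that a mirrored `prev`/`area` implies a mirrored `next`. Making that explicit with `BUG_ON(!next_m);` immediately before each such call, plus a one-line comment, would turn a silent NULL dereference into a diagnosable assertion. Separately, when the primary `vma_adjust()` succeeds and the mirror one fails, `err` is set with `prev` already resized and `prev_m` not, which would trip the size comparison in `pax_find_mirror_vma()` on the next lookup. What happens after `err` is set lies outside these hunks, so that needs confirming against the full `vma_merge()`.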
53343 @@ -824,12 +889,27 @@ struct vm_area_struct *vma_merge(struct
53344 mpol_equal(policy, vma_policy(next)) &&
53345 can_vma_merge_before(next, vm_flags,
53346 anon_vma, file, pgoff+pglen)) {
53347 - if (prev && addr < prev->vm_end) /* case 4 */
53348 + if (prev && addr < prev->vm_end) { /* case 4 */
53349 err = vma_adjust(prev, prev->vm_start,
53350 addr, prev->vm_pgoff, NULL);
53351 - else /* cases 3, 8 */
53353 +#ifdef CONFIG_PAX_SEGMEXEC
53354 + if (!err && prev_m)
53355 + err = vma_adjust(prev_m, prev_m->vm_start,
53356 + addr_m, prev_m->vm_pgoff, NULL);
53359 + } else { /* cases 3, 8 */
53360 err = vma_adjust(area, addr, next->vm_end,
53361 next->vm_pgoff - pglen, NULL);
53363 +#ifdef CONFIG_PAX_SEGMEXEC
53364 + if (!err && area_m)
53365 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
53366 + next_m->vm_pgoff - pglen, NULL);
53373 @@ -944,14 +1024,11 @@ none:
53374 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
53375 struct file *file, long pages)
53377 - const unsigned long stack_flags
53378 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
53381 mm->shared_vm += pages;
53382 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
53383 mm->exec_vm += pages;
53384 - } else if (flags & stack_flags)
53385 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
53386 mm->stack_vm += pages;
53387 if (flags & (VM_RESERVED|VM_IO))
53388 mm->reserved_vm += pages;
53389 @@ -978,7 +1055,7 @@ unsigned long do_mmap_pgoff(struct file
53390 * (the exception is when the underlying filesystem is noexec
53391 * mounted, in which case we dont add PROT_EXEC.)
53393 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
53394 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
53395 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
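Review bot: Widening the `READ_IMPLIES_EXEC` test to `prot & (PROT_READ | PROT_WRITE)` means a write-only request also gains `PROT_EXEC` under that personality, and nothing in the hunk records why. The surviving comment only covers the noexec-mount exception. Please add a sentence giving the rationale and noting that the result is a writable and executable request, which only the `CONFIG_PAX_MPROTECT` block added later in `do_mmap_pgoff()` restricts, and only for tasks with `MF_PAX_MPROTECT` set. The comment's opening line is above the hunk.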
53398 @@ -1004,7 +1081,7 @@ unsigned long do_mmap_pgoff(struct file
53399 /* Obtain the address to map to. we verify (or select) it and ensure
53400 * that it represents a valid section of the address space.
53402 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
53403 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
53404 if (addr & ~PAGE_MASK)
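Review bot: Passing `MAP_EXECUTABLE` into `get_unmapped_area()` to signal `PROT_EXEC` overloads a bit that may already be set in the caller-supplied `flags`, so the consumer cannot tell a derived bit from one supplied by userspace. Whether that matters depends on the architecture-side users of the flag, which are not in this hunk. At minimum the convention should be written down, e.g. `/* MAP_EXECUTABLE is set here only to tell get_unmapped_area() the mapping will be executable */`.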
53407 @@ -1015,6 +1092,31 @@ unsigned long do_mmap_pgoff(struct file
53408 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
53409 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
53411 +#ifdef CONFIG_PAX_MPROTECT
53412 + if (mm->pax_flags & MF_PAX_MPROTECT) {
53413 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
53414 + gr_log_rwxmmap(file);
53416 +#ifdef CONFIG_PAX_EMUPLT
53417 + vm_flags &= ~VM_EXEC;
53424 + if (!(vm_flags & VM_EXEC))
53425 + vm_flags &= ~VM_MAYEXEC;
53427 + vm_flags &= ~VM_MAYWRITE;
53431 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53432 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
53433 + vm_flags &= ~VM_PAGEEXEC;
53436 if (flags & MAP_LOCKED)
53437 if (!can_do_mlock())
53439 @@ -1026,6 +1128,7 @@ unsigned long do_mmap_pgoff(struct file
53440 locked += mm->locked_vm;
53441 lock_limit = rlimit(RLIMIT_MEMLOCK);
53442 lock_limit >>= PAGE_SHIFT;
53443 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
53444 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
53447 @@ -1096,6 +1199,9 @@ unsigned long do_mmap_pgoff(struct file
53451 + if (!gr_acl_handle_mmap(file, prot))
53454 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
53456 EXPORT_SYMBOL(do_mmap_pgoff);
53457 @@ -1172,10 +1278,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
53459 int vma_wants_writenotify(struct vm_area_struct *vma)
53461 - unsigned int vm_flags = vma->vm_flags;
53462 + unsigned long vm_flags = vma->vm_flags;
53464 /* If it was private or non-writable, the write bit is already clear */
53465 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
53466 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
53469 /* The backer wishes to know when pages are first written to? */
53470 @@ -1224,14 +1330,24 @@ unsigned long mmap_region(struct file *f
53471 unsigned long charged = 0;
53472 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
53474 +#ifdef CONFIG_PAX_SEGMEXEC
53475 + struct vm_area_struct *vma_m = NULL;
53479 + * mm->mmap_sem is required to protect against another thread
53480 + * changing the mappings in case we sleep.
53482 + verify_mm_writelocked(mm);
53484 /* Clear old maps */
53487 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53488 if (vma && vma->vm_start < addr + len) {
53489 if (do_munmap(mm, addr, len))
53491 - goto munmap_back;
53492 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53493 + BUG_ON(vma && vma->vm_start < addr + len);
53496 /* Check against address space limit. */
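Review bot: Replacing the `goto munmap_back` retry with one re-lookup followed by `BUG_ON(vma && vma->vm_start < addr + len)` turns any residual overlap into a kernel BUG while `mmap_sem` is held for writing. If the overlap can only result from a logic error the assertion is defensible, but failing the call keeps the machine up and still reports it: `if (WARN_ON(vma && vma->vm_start < addr + len)) return -ENOMEM;`. The same construct is added to `do_brk()` in the `@@ -2192,22 +2606,22 @@` hunk. The statement taken when `do_munmap()` fails is not visible in either hunk.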
53497 @@ -1280,6 +1396,16 @@ munmap_back:
53501 +#ifdef CONFIG_PAX_SEGMEXEC
53502 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
53503 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
53512 vma->vm_start = addr;
53513 vma->vm_end = addr + len;
53514 @@ -1303,6 +1429,19 @@ munmap_back:
53515 error = file->f_op->mmap(file, vma);
53517 goto unmap_and_free_vma;
53519 +#ifdef CONFIG_PAX_SEGMEXEC
53520 + if (vma_m && (vm_flags & VM_EXECUTABLE))
53521 + added_exe_file_vma(mm);
53524 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53525 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
53526 + vma->vm_flags |= VM_PAGEEXEC;
53527 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
53531 if (vm_flags & VM_EXECUTABLE)
53532 added_exe_file_vma(mm);
53534 @@ -1338,6 +1477,11 @@ munmap_back:
53535 vma_link(mm, vma, prev, rb_link, rb_parent);
53536 file = vma->vm_file;
53538 +#ifdef CONFIG_PAX_SEGMEXEC
53540 + BUG_ON(pax_mirror_vma(vma_m, vma));
53543 /* Once vma denies write, undo our temporary denial count */
53544 if (correct_wcount)
53545 atomic_inc(&inode->i_writecount);
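Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` places the call that actually links the mirror VMA inside an assertion macro and treats every non-zero return as fatal, whereas `mprotect_fixup()` in this same patch stores the result in `error` and unwinds. `pax_mirror_vma()` returns `long` and calls `anon_vma_clone()`, so it appears able to fail on allocation. If that cannot happen for a freshly created VMA, a comment should say so, and the side effect is better kept out of the macro: `if (pax_mirror_vma(vma_m, vma)) BUG();`. The `insert_vm_struct()` hunk (`@@ -2323,7 +2747,22 @@`) uses the same construct.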
53546 @@ -1346,6 +1490,7 @@ out:
53548 mm->total_vm += len >> PAGE_SHIFT;
53549 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
53550 + track_exec_limit(mm, addr, addr + len, vm_flags);
53551 if (vm_flags & VM_LOCKED) {
53552 if (!mlock_vma_pages_range(vma, addr, addr + len))
53553 mm->locked_vm += (len >> PAGE_SHIFT);
53554 @@ -1363,6 +1508,12 @@ unmap_and_free_vma:
53555 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
53559 +#ifdef CONFIG_PAX_SEGMEXEC
53561 + kmem_cache_free(vm_area_cachep, vma_m);
53564 kmem_cache_free(vm_area_cachep, vma);
53567 @@ -1370,6 +1521,33 @@ unacct_error:
53571 +bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len)
53574 +#ifdef CONFIG_STACK_GROWSUP
53575 + if (addr > sysctl_heap_stack_gap)
53576 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
53578 + vma = find_vma(current->mm, 0);
53579 + if (vma && (vma->vm_flags & VM_GROWSUP))
53585 + if (addr + len > vma->vm_start)
53588 + if (vma->vm_flags & VM_GROWSDOWN)
53589 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
53590 +#ifdef CONFIG_STACK_GROWSUP
53591 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
53592 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
53598 /* Get an address range which is currently unmapped.
53599 * For shmat() with addr=0.
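Review bot: In `check_heap_stack_gap()` the `CONFIG_STACK_GROWSUP` branch returns `addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap`, which accepts the address when the distance to the upward-growing stack is at most the gap. That is the opposite sense of the `VM_GROWSDOWN` test just above it (`sysctl_heap_stack_gap <= vma->vm_start - addr - len`). Unless this is intentional, the comparison looks inverted and should read `return addr - vma->vm_prev->vm_end >= sysctl_heap_stack_gap;`. The function also has no header comment stating what a `true` result means for its callers. Several lines of the body are not visible, so this rests on the two return statements shown.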
53601 @@ -1396,18 +1574,23 @@ arch_get_unmapped_area(struct file *filp
53602 if (flags & MAP_FIXED)
53605 +#ifdef CONFIG_PAX_RANDMMAP
53606 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
53610 addr = PAGE_ALIGN(addr);
53611 - vma = find_vma(mm, addr);
53612 - if (TASK_SIZE - len >= addr &&
53613 - (!vma || addr + len <= vma->vm_start))
53615 + if (TASK_SIZE - len >= addr) {
53616 + vma = find_vma(mm, addr);
53617 + if (check_heap_stack_gap(vma, addr, len))
53621 if (len > mm->cached_hole_size) {
53622 - start_addr = addr = mm->free_area_cache;
53623 + start_addr = addr = mm->free_area_cache;
53625 - start_addr = addr = TASK_UNMAPPED_BASE;
53626 - mm->cached_hole_size = 0;
53627 + start_addr = addr = mm->mmap_base;
53628 + mm->cached_hole_size = 0;
53632 @@ -1418,34 +1601,40 @@ full_search:
53633 * Start a new search - just in case we missed
53636 - if (start_addr != TASK_UNMAPPED_BASE) {
53637 - addr = TASK_UNMAPPED_BASE;
53638 - start_addr = addr;
53639 + if (start_addr != mm->mmap_base) {
53640 + start_addr = addr = mm->mmap_base;
53641 mm->cached_hole_size = 0;
53646 - if (!vma || addr + len <= vma->vm_start) {
53648 - * Remember the place where we stopped the search:
53650 - mm->free_area_cache = addr + len;
53653 + if (check_heap_stack_gap(vma, addr, len))
53655 if (addr + mm->cached_hole_size < vma->vm_start)
53656 mm->cached_hole_size = vma->vm_start - addr;
53657 addr = vma->vm_end;
53661 + * Remember the place where we stopped the search:
53663 + mm->free_area_cache = addr + len;
53668 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
53671 +#ifdef CONFIG_PAX_SEGMEXEC
53672 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
53677 * Is this a new hole at the lowest possible address?
53679 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
53680 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
53681 mm->free_area_cache = addr;
53682 mm->cached_hole_size = ~0UL;
53684 @@ -1463,7 +1652,7 @@ arch_get_unmapped_area_topdown(struct fi
53686 struct vm_area_struct *vma;
53687 struct mm_struct *mm = current->mm;
53688 - unsigned long addr = addr0;
53689 + unsigned long base = mm->mmap_base, addr = addr0;
53691 /* requested length too big for entire address space */
53692 if (len > TASK_SIZE)
53693 @@ -1472,13 +1661,18 @@ arch_get_unmapped_area_topdown(struct fi
53694 if (flags & MAP_FIXED)
53697 +#ifdef CONFIG_PAX_RANDMMAP
53698 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
53701 /* requesting a specific address */
53703 addr = PAGE_ALIGN(addr);
53704 - vma = find_vma(mm, addr);
53705 - if (TASK_SIZE - len >= addr &&
53706 - (!vma || addr + len <= vma->vm_start))
53708 + if (TASK_SIZE - len >= addr) {
53709 + vma = find_vma(mm, addr);
53710 + if (check_heap_stack_gap(vma, addr, len))
53715 /* check if free_area_cache is useful for us */
53716 @@ -1493,7 +1687,7 @@ arch_get_unmapped_area_topdown(struct fi
53717 /* make sure it can fit in the remaining address space */
53719 vma = find_vma(mm, addr-len);
53720 - if (!vma || addr <= vma->vm_start)
53721 + if (check_heap_stack_gap(vma, addr - len, len))
53722 /* remember the address as a hint for next time */
53723 return (mm->free_area_cache = addr-len);
53725 @@ -1510,7 +1704,7 @@ arch_get_unmapped_area_topdown(struct fi
53726 * return with success:
53728 vma = find_vma(mm, addr);
53729 - if (!vma || addr+len <= vma->vm_start)
53730 + if (check_heap_stack_gap(vma, addr, len))
53731 /* remember the address as a hint for next time */
53732 return (mm->free_area_cache = addr);
53734 @@ -1529,13 +1723,21 @@ bottomup:
53735 * can happen with large stack limits and large mmap()
53738 + mm->mmap_base = TASK_UNMAPPED_BASE;
53740 +#ifdef CONFIG_PAX_RANDMMAP
53741 + if (mm->pax_flags & MF_PAX_RANDMMAP)
53742 + mm->mmap_base += mm->delta_mmap;
53745 + mm->free_area_cache = mm->mmap_base;
53746 mm->cached_hole_size = ~0UL;
53747 - mm->free_area_cache = TASK_UNMAPPED_BASE;
53748 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
53750 * Restore the topdown base:
53752 - mm->free_area_cache = mm->mmap_base;
53753 + mm->mmap_base = base;
53754 + mm->free_area_cache = base;
53755 mm->cached_hole_size = ~0UL;
53758 @@ -1544,6 +1746,12 @@ bottomup:
53760 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
53763 +#ifdef CONFIG_PAX_SEGMEXEC
53764 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
53769 * Is this a new hole at the highest possible address?
53771 @@ -1551,8 +1759,10 @@ void arch_unmap_area_topdown(struct mm_s
53772 mm->free_area_cache = addr;
53774 /* dont allow allocations above current base */
53775 - if (mm->free_area_cache > mm->mmap_base)
53776 + if (mm->free_area_cache > mm->mmap_base) {
53777 mm->free_area_cache = mm->mmap_base;
53778 + mm->cached_hole_size = ~0UL;
53783 @@ -1660,6 +1870,28 @@ out:
53784 return prev ? prev->vm_next : vma;
53787 +#ifdef CONFIG_PAX_SEGMEXEC
53788 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
53790 + struct vm_area_struct *vma_m;
53792 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
53793 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
53794 + BUG_ON(vma->vm_mirror);
53797 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
53798 + vma_m = vma->vm_mirror;
53799 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
53800 + BUG_ON(vma->vm_file != vma_m->vm_file);
53801 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
53802 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
53803 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
53804 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
53810 * Verify that the stack growth is acceptable and
53811 * update accounting. This is shared with both the
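Review bot: The assertion `BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root)` dereferences both `anon_vma` pointers whenever they differ, including when exactly one of them is NULL. That inconsistency would then fault on a NULL pointer inside the check instead of reporting the BUG. Testing for NULL first keeps the diagnostic meaningful: `BUG_ON(vma->anon_vma != vma_m->anon_vma && (!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root));`.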
53812 @@ -1676,6 +1908,7 @@ static int acct_stack_growth(struct vm_a
53815 /* Stack limit test */
53816 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
53817 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
53820 @@ -1686,6 +1919,7 @@ static int acct_stack_growth(struct vm_a
53821 locked = mm->locked_vm + grow;
53822 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
53823 limit >>= PAGE_SHIFT;
53824 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
53825 if (locked > limit && !capable(CAP_IPC_LOCK))
53828 @@ -1716,37 +1950,48 @@ static int acct_stack_growth(struct vm_a
53829 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
53830 * vma is the last one with address > vma->vm_end. Have to extend vma.
53832 +#ifndef CONFIG_IA64
53835 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
53840 if (!(vma->vm_flags & VM_GROWSUP))
53843 + /* Also guard against wrapping around to address 0. */
53844 + if (address < PAGE_ALIGN(address+1))
53845 + address = PAGE_ALIGN(address+1);
53850 * We must make sure the anon_vma is allocated
53851 * so that the anon_vma locking is not a noop.
53853 if (unlikely(anon_vma_prepare(vma)))
53855 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
53856 + if (locknext && anon_vma_prepare(vma->vm_next))
53858 vma_lock_anon_vma(vma);
53860 + vma_lock_anon_vma(vma->vm_next);
53863 * vma->vm_start/vm_end cannot change under us because the caller
53864 * is required to hold the mmap_sem in read mode. We need the
53865 - * anon_vma lock to serialize against concurrent expand_stacks.
53866 - * Also guard against wrapping around to address 0.
53867 + * anon_vma locks to serialize against concurrent expand_stacks
53868 + * and expand_upwards.
53870 - if (address < PAGE_ALIGN(address+4))
53871 - address = PAGE_ALIGN(address+4);
53873 - vma_unlock_anon_vma(vma);
53878 /* Somebody else might have raced and expanded it already */
53879 - if (address > vma->vm_end) {
53880 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
53882 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
53883 unsigned long size, grow;
53885 size = address - vma->vm_start;
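Review bot: The gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is an unsigned subtraction, so if `address` were ever above `vma->vm_next->vm_start` it wraps to a large value and the test is skipped. The following `else if` bounds `address` by `vm_next->vm_start` only when `locknext` is set. Callers may guarantee that `address` lies below the next VMA, but nothing in the hunk enforces it; putting `vma->vm_next->vm_start < address ||` in front of the subtraction would make the check self-contained. `expand_downwards()` (`@@ -1792,9 +2050,17 @@`) has the mirror-image expression `address - prev->vm_end < sysctl_heap_stack_gap`. The statement executed when the gap test fires is not visible in either hunk.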
53886 @@ -1758,6 +2003,8 @@ int expand_upwards(struct vm_area_struct
53887 perf_event_mmap(vma);
53891 + vma_unlock_anon_vma(vma->vm_next);
53892 vma_unlock_anon_vma(vma);
53895 @@ -1770,6 +2017,8 @@ static int expand_downwards(struct vm_ar
53896 unsigned long address)
53899 + bool lockprev = false;
53900 + struct vm_area_struct *prev;
53903 * We must make sure the anon_vma is allocated
53904 @@ -1783,6 +2032,15 @@ static int expand_downwards(struct vm_ar
53908 + prev = vma->vm_prev;
53909 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
53910 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
53912 + if (lockprev && anon_vma_prepare(prev))
53915 + vma_lock_anon_vma(prev);
53917 vma_lock_anon_vma(vma);
53920 @@ -1792,9 +2050,17 @@ static int expand_downwards(struct vm_ar
53923 /* Somebody else might have raced and expanded it already */
53924 - if (address < vma->vm_start) {
53925 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
53927 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
53928 unsigned long size, grow;
53930 +#ifdef CONFIG_PAX_SEGMEXEC
53931 + struct vm_area_struct *vma_m;
53933 + vma_m = pax_find_mirror_vma(vma);
53936 size = vma->vm_end - address;
53937 grow = (vma->vm_start - address) >> PAGE_SHIFT;
53939 @@ -1802,10 +2068,21 @@ static int expand_downwards(struct vm_ar
53941 vma->vm_start = address;
53942 vma->vm_pgoff -= grow;
53943 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
53945 +#ifdef CONFIG_PAX_SEGMEXEC
53947 + vma_m->vm_start -= grow << PAGE_SHIFT;
53948 + vma_m->vm_pgoff -= grow;
53952 perf_event_mmap(vma);
53955 vma_unlock_anon_vma(vma);
53957 + vma_unlock_anon_vma(prev);
53961 @@ -1879,6 +2156,13 @@ static void remove_vma_list(struct mm_st
53963 long nrpages = vma_pages(vma);
53965 +#ifdef CONFIG_PAX_SEGMEXEC
53966 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
53967 + vma = remove_vma(vma);
53972 mm->total_vm -= nrpages;
53973 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
53974 vma = remove_vma(vma);
53975 @@ -1924,6 +2208,16 @@ detach_vmas_to_be_unmapped(struct mm_str
53976 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
53977 vma->vm_prev = NULL;
53980 +#ifdef CONFIG_PAX_SEGMEXEC
53981 + if (vma->vm_mirror) {
53982 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
53983 + vma->vm_mirror->vm_mirror = NULL;
53984 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
53985 + vma->vm_mirror = NULL;
53989 rb_erase(&vma->vm_rb, &mm->mm_rb);
53992 @@ -1952,14 +2246,33 @@ static int __split_vma(struct mm_struct
53993 struct vm_area_struct *new;
53996 +#ifdef CONFIG_PAX_SEGMEXEC
53997 + struct vm_area_struct *vma_m, *new_m = NULL;
53998 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
54001 if (is_vm_hugetlb_page(vma) && (addr &
54002 ~(huge_page_mask(hstate_vma(vma)))))
54005 +#ifdef CONFIG_PAX_SEGMEXEC
54006 + vma_m = pax_find_mirror_vma(vma);
54009 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
54013 +#ifdef CONFIG_PAX_SEGMEXEC
54015 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
54017 + kmem_cache_free(vm_area_cachep, new);
54023 /* most fields are the same, copy all, and then fixup */
54026 @@ -1972,6 +2285,22 @@ static int __split_vma(struct mm_struct
54027 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
54030 +#ifdef CONFIG_PAX_SEGMEXEC
54033 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
54034 + new_m->vm_mirror = new;
54035 + new->vm_mirror = new_m;
54038 + new_m->vm_end = addr_m;
54040 + new_m->vm_start = addr_m;
54041 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
54046 pol = mpol_dup(vma_policy(vma));
54048 err = PTR_ERR(pol);
54049 @@ -1997,6 +2326,42 @@ static int __split_vma(struct mm_struct
54051 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
54053 +#ifdef CONFIG_PAX_SEGMEXEC
54054 + if (!err && vma_m) {
54055 + if (anon_vma_clone(new_m, vma_m))
54056 + goto out_free_mpol;
54059 + vma_set_policy(new_m, pol);
54061 + if (new_m->vm_file) {
54062 + get_file(new_m->vm_file);
54063 + if (vma_m->vm_flags & VM_EXECUTABLE)
54064 + added_exe_file_vma(mm);
54067 + if (new_m->vm_ops && new_m->vm_ops->open)
54068 + new_m->vm_ops->open(new_m);
54071 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
54072 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
54074 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
54077 + if (new_m->vm_ops && new_m->vm_ops->close)
54078 + new_m->vm_ops->close(new_m);
54079 + if (new_m->vm_file) {
54080 + if (vma_m->vm_flags & VM_EXECUTABLE)
54081 + removed_exe_file_vma(mm);
54082 + fput(new_m->vm_file);
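Review bot: The `goto out_free_mpol` taken when `anon_vma_clone(new_m, vma_m)` fails sits inside `if (!err && vma_m)`, so `err` is zero at that point and the primary `vma_adjust()` has already succeeded with `new` as the inserted VMA. The cleanup code in the next hunk frees `new_m` and `new`; if it is reached on this path, a VMA that is already linked into the mm is freed and the function can still return success. At minimum `err = -ENOMEM;` must be set before the jump. The unwinding also has to account for `new` already being linked rather than reuse the pre-insert cleanup. The rest of `__split_vma()` is outside the hunk, so this should be confirmed against the full function.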
54092 @@ -2009,10 +2374,18 @@ static int __split_vma(struct mm_struct
54093 removed_exe_file_vma(mm);
54094 fput(new->vm_file);
54096 - unlink_anon_vmas(new);
54101 +#ifdef CONFIG_PAX_SEGMEXEC
54103 + unlink_anon_vmas(new_m);
54104 + kmem_cache_free(vm_area_cachep, new_m);
54108 + unlink_anon_vmas(new);
54109 kmem_cache_free(vm_area_cachep, new);
54112 @@ -2025,6 +2398,15 @@ static int __split_vma(struct mm_struct
54113 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
54114 unsigned long addr, int new_below)
54117 +#ifdef CONFIG_PAX_SEGMEXEC
54118 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
54119 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
54120 + if (mm->map_count >= sysctl_max_map_count-1)
54125 if (mm->map_count >= sysctl_max_map_count)
54128 @@ -2036,11 +2418,30 @@ int split_vma(struct mm_struct *mm, stru
54129 * work. This now handles partial unmappings.
54130 * Jeremy Fitzhardinge <jeremy@goop.org>
54132 +#ifdef CONFIG_PAX_SEGMEXEC
54133 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
54135 + int ret = __do_munmap(mm, start, len);
54136 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
54139 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
54142 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
54144 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
54148 struct vm_area_struct *vma, *prev, *last;
54151 + * mm->mmap_sem is required to protect against another thread
54152 + * changing the mappings in case we sleep.
54154 + verify_mm_writelocked(mm);
54156 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
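Review bot: The `CONFIG_PAX_SEGMEXEC` wrapper `do_munmap()` unmaps the primary range first and only then calls `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)`, so a failure of the second call is reported after the first range is already gone. The only check of the range against `SEGMEXEC_TASK_SIZE` that I can see is in the `munmap` syscall hunk (`@@ -2126,22 +2529,18 @@`), while `do_munmap()` is also called from inside the kernel, for example by `mmap_region()` and `do_brk()` in this file. I would validate in the wrapper before touching anything, for tasks with `MF_PAX_SEGMEXEC` set: `if (len > SEGMEXEC_TASK_SIZE || start > SEGMEXEC_TASK_SIZE - len) return -EINVAL;`.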
54159 @@ -2114,6 +2515,8 @@ int do_munmap(struct mm_struct *mm, unsi
54160 /* Fix up all other VM information */
54161 remove_vma_list(mm, vma);
54163 + track_exec_limit(mm, start, end, 0UL);
54168 @@ -2126,22 +2529,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
54170 profile_munmap(addr);
54172 +#ifdef CONFIG_PAX_SEGMEXEC
54173 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
54174 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
54178 down_write(&mm->mmap_sem);
54179 ret = do_munmap(mm, addr, len);
54180 up_write(&mm->mmap_sem);
54184 -static inline void verify_mm_writelocked(struct mm_struct *mm)
54186 -#ifdef CONFIG_DEBUG_VM
54187 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
54189 - up_read(&mm->mmap_sem);
54195 * this is really a simplified "do_mmap". it only handles
54196 * anonymous maps. eventually we may be able to do some
54197 @@ -2155,6 +2554,7 @@ unsigned long do_brk(unsigned long addr,
54198 struct rb_node ** rb_link, * rb_parent;
54199 pgoff_t pgoff = addr >> PAGE_SHIFT;
54201 + unsigned long charged;
54203 len = PAGE_ALIGN(len);
54205 @@ -2166,16 +2566,30 @@ unsigned long do_brk(unsigned long addr,
54207 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
54209 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
54210 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
54211 + flags &= ~VM_EXEC;
54213 +#ifdef CONFIG_PAX_MPROTECT
54214 + if (mm->pax_flags & MF_PAX_MPROTECT)
54215 + flags &= ~VM_MAYEXEC;
54221 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
54222 if (error & ~PAGE_MASK)
54225 + charged = len >> PAGE_SHIFT;
54228 * mlock MCL_FUTURE?
54230 if (mm->def_flags & VM_LOCKED) {
54231 unsigned long locked, lock_limit;
54232 - locked = len >> PAGE_SHIFT;
54233 + locked = charged;
54234 locked += mm->locked_vm;
54235 lock_limit = rlimit(RLIMIT_MEMLOCK);
54236 lock_limit >>= PAGE_SHIFT;
54237 @@ -2192,22 +2606,22 @@ unsigned long do_brk(unsigned long addr,
54239 * Clear old maps. this also does some error checking for us
54242 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
54243 if (vma && vma->vm_start < addr + len) {
54244 if (do_munmap(mm, addr, len))
54246 - goto munmap_back;
54247 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
54248 + BUG_ON(vma && vma->vm_start < addr + len);
54251 /* Check against address space limits *after* clearing old maps... */
54252 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
54253 + if (!may_expand_vm(mm, charged))
54256 if (mm->map_count > sysctl_max_map_count)
54259 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
54260 + if (security_vm_enough_memory(charged))
54263 /* Can we just expand an old private anonymous mapping? */
54264 @@ -2221,7 +2635,7 @@ unsigned long do_brk(unsigned long addr,
54266 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54268 - vm_unacct_memory(len >> PAGE_SHIFT);
54269 + vm_unacct_memory(charged);
54273 @@ -2235,11 +2649,12 @@ unsigned long do_brk(unsigned long addr,
54274 vma_link(mm, vma, prev, rb_link, rb_parent);
54276 perf_event_mmap(vma);
54277 - mm->total_vm += len >> PAGE_SHIFT;
54278 + mm->total_vm += charged;
54279 if (flags & VM_LOCKED) {
54280 if (!mlock_vma_pages_range(vma, addr, addr + len))
54281 - mm->locked_vm += (len >> PAGE_SHIFT);
54282 + mm->locked_vm += charged;
54284 + track_exec_limit(mm, addr, addr + len, flags);
54288 @@ -2286,8 +2701,10 @@ void exit_mmap(struct mm_struct *mm)
54289 * Walk the list again, actually closing and freeing it,
54290 * with preemption enabled, without holding any MM locks.
54294 + vma->vm_mirror = NULL;
54295 vma = remove_vma(vma);
54298 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
54300 @@ -2301,6 +2718,13 @@ int insert_vm_struct(struct mm_struct *
54301 struct vm_area_struct * __vma, * prev;
54302 struct rb_node ** rb_link, * rb_parent;
54304 +#ifdef CONFIG_PAX_SEGMEXEC
54305 + struct vm_area_struct *vma_m = NULL;
54308 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
54312 * The vm_pgoff of a purely anonymous vma should be irrelevant
54313 * until its first write fault, when page's anon_vma and index
54314 @@ -2323,7 +2747,22 @@ int insert_vm_struct(struct mm_struct *
54315 if ((vma->vm_flags & VM_ACCOUNT) &&
54316 security_vm_enough_memory_mm(mm, vma_pages(vma)))
54319 +#ifdef CONFIG_PAX_SEGMEXEC
54320 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
54321 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54327 vma_link(mm, vma, prev, rb_link, rb_parent);
54329 +#ifdef CONFIG_PAX_SEGMEXEC
54331 + BUG_ON(pax_mirror_vma(vma_m, vma));
54337 @@ -2341,6 +2780,8 @@ struct vm_area_struct *copy_vma(struct v
54338 struct rb_node **rb_link, *rb_parent;
54339 struct mempolicy *pol;
54341 + BUG_ON(vma->vm_mirror);
54344 * If anonymous vma has not yet been faulted, update new pgoff
54345 * to match new location, to increase its chance of merging.
54346 @@ -2390,6 +2831,39 @@ struct vm_area_struct *copy_vma(struct v
54347 kmem_cache_free(vm_area_cachep, new_vma);
54351 +#ifdef CONFIG_PAX_SEGMEXEC
54352 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
54354 + struct vm_area_struct *prev_m;
54355 + struct rb_node **rb_link_m, *rb_parent_m;
54356 + struct mempolicy *pol_m;
54358 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
54359 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
54360 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
54362 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
54363 + if (anon_vma_clone(vma_m, vma))
54365 + pol_m = vma_policy(vma_m);
54367 + vma_set_policy(vma_m, pol_m);
54368 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
54369 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
54370 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
54371 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
54372 + if (vma_m->vm_file)
54373 + get_file(vma_m->vm_file);
54374 + if (vma_m->vm_ops && vma_m->vm_ops->open)
54375 + vma_m->vm_ops->open(vma_m);
54376 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
54377 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
54378 + vma_m->vm_mirror = vma;
54379 + vma->vm_mirror = vma_m;
54385 * Return true if the calling process may expand its vm space by the passed
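Review bot: `pax_mirror_vma()` discards the return value of `find_vma_prepare()` and goes straight to `vma_link()`, whereas `mmap_region()` and `do_brk()` in this file check the returned VMA for overlap before linking. If anything is already mapped in the mirror range, `vma_m` would be linked on top of it. Keeping the result and asserting on it makes the assumption explicit. For example, with `exist` as a new local: `exist = find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);` followed by `BUG_ON(exist && exist->vm_start < vma_m->vm_end);`.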
54386 @@ -2401,7 +2875,7 @@ int may_expand_vm(struct mm_struct *mm,
54389 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
54391 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
54392 if (cur + npages > lim)
54395 @@ -2471,12 +2945,28 @@ int install_special_mapping(struct mm_st
54396 vma->vm_start = addr;
54397 vma->vm_end = addr + len;
54399 +#ifdef CONFIG_PAX_MPROTECT
54400 + if (mm->pax_flags & MF_PAX_MPROTECT) {
54401 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
54403 + if (!(vm_flags & VM_EXEC))
54404 + vm_flags &= ~VM_MAYEXEC;
54406 + vm_flags &= ~VM_MAYWRITE;
54410 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
54411 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
54413 vma->vm_ops = &special_mapping_vmops;
54414 vma->vm_private_data = pages;
54416 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1)) {
54417 + kmem_cache_free(vm_area_cachep, vma);
54421 if (unlikely(insert_vm_struct(mm, vma))) {
54422 kmem_cache_free(vm_area_cachep, vma);
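Review bot: The added `CONFIG_PAX_MPROTECT` block runs after `vma` has been allocated (its `vm_start` and `vm_end` are assigned just above it). The statement executed for a `VM_WRITE | VM_EXEC` request is not visible; if it returns an error directly, `vma` is leaked. The `security_file_mmap()` failure path added a few lines below does call `kmem_cache_free(vm_area_cachep, vma)`, so the W|X rejection should do the same. Alternatively the flag checks could move ahead of the allocation, which is outside this hunk.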
54424 diff -urNp linux-2.6.36.2/mm/mprotect.c linux-2.6.36.2/mm/mprotect.c
54425 --- linux-2.6.36.2/mm/mprotect.c 2010-12-09 20:53:48.000000000 -0500
54426 +++ linux-2.6.36.2/mm/mprotect.c 2010-12-09 20:59:26.000000000 -0500
54427 @@ -23,10 +23,16 @@
54428 #include <linux/mmu_notifier.h>
54429 #include <linux/migrate.h>
54430 #include <linux/perf_event.h>
54432 +#ifdef CONFIG_PAX_MPROTECT
54433 +#include <linux/elf.h>
54436 #include <asm/uaccess.h>
54437 #include <asm/pgtable.h>
54438 #include <asm/cacheflush.h>
54439 #include <asm/tlbflush.h>
54440 +#include <asm/mmu_context.h>
54442 #ifndef pgprot_modify
54443 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
54444 @@ -131,6 +137,48 @@ static void change_protection(struct vm_
54445 flush_tlb_range(vma, start, end);
54448 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
54449 +/* called while holding the mmap semaphor for writing except stack expansion */
54450 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
54452 + unsigned long oldlimit, newlimit = 0UL;
54454 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
54457 + spin_lock(&mm->page_table_lock);
54458 + oldlimit = mm->context.user_cs_limit;
54459 + if ((prot & VM_EXEC) && oldlimit < end)
54460 + /* USER_CS limit moved up */
54462 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
54463 + /* USER_CS limit moved down */
54464 + newlimit = start;
54467 + mm->context.user_cs_limit = newlimit;
54471 + cpus_clear(mm->context.cpu_user_cs_mask);
54472 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
54475 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
54477 + spin_unlock(&mm->page_table_lock);
54478 + if (newlimit == end) {
54479 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
54481 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
54482 + if (is_vm_hugetlb_page(vma))
54483 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
54485 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
54491 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
54492 unsigned long start, unsigned long end, unsigned long newflags)
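Review bot: `track_exec_limit()` names its last parameter `prot` but tests it against `VM_EXEC`, and the callers added in mm/mmap.c pass `vm_flags` values. Naming it `vm_flags` would avoid confusion with `PROT_*` bits. The header comment misspells "semaphore" and does not say what protects the VMA walk that runs after `spin_unlock(&mm->page_table_lock)` in the stack-expansion case, which it singles out as the exception. I would expand it to something like `/* caller holds mmap_sem for writing; on stack expansion <state the lock held> */` once that is confirmed.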
54493 @@ -143,11 +191,29 @@ mprotect_fixup(struct vm_area_struct *vm
54495 int dirty_accountable = 0;
54497 +#ifdef CONFIG_PAX_SEGMEXEC
54498 + struct vm_area_struct *vma_m = NULL;
54499 + unsigned long start_m, end_m;
54501 + start_m = start + SEGMEXEC_TASK_SIZE;
54502 + end_m = end + SEGMEXEC_TASK_SIZE;
54505 if (newflags == oldflags) {
54510 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
54511 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
54513 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
54516 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
54521 * If we make a private mapping writable we increase our commit;
54522 * but (without finer accounting) cannot reduce our commit if we
54523 @@ -164,6 +230,42 @@ mprotect_fixup(struct vm_area_struct *vm
54527 +#ifdef CONFIG_PAX_SEGMEXEC
54528 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
54529 + if (start != vma->vm_start) {
54530 + error = split_vma(mm, vma, start, 1);
54533 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
54534 + *pprev = (*pprev)->vm_next;
54537 + if (end != vma->vm_end) {
54538 + error = split_vma(mm, vma, end, 0);
54543 + if (pax_find_mirror_vma(vma)) {
54544 + error = __do_munmap(mm, start_m, end_m - start_m);
54548 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54553 + vma->vm_flags = newflags;
54554 + error = pax_mirror_vma(vma_m, vma);
54556 + vma->vm_flags = oldflags;
54564 * First try to merge with previous and/or next vma.
54566 @@ -194,9 +296,21 @@ success:
54567 * vm_flags and vm_page_prot are protected by the mmap_sem
54568 * held in write mode.
54571 +#ifdef CONFIG_PAX_SEGMEXEC
54572 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
54573 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
54576 vma->vm_flags = newflags;
54578 +#ifdef CONFIG_PAX_MPROTECT
54579 + if (mm->binfmt && mm->binfmt->handle_mprotect)
54580 + mm->binfmt->handle_mprotect(vma, newflags);
54583 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
54584 - vm_get_page_prot(newflags));
54585 + vm_get_page_prot(vma->vm_flags));
54587 if (vma_wants_writenotify(vma)) {
54588 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
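Review bot: The first `vm_page_prot` assignment now derives from `vma->vm_flags`, but the `vma_wants_writenotify()` branch right below still calls `vm_get_page_prot(newflags & ~VM_SHARED)`. If `handle_mprotect()` can alter `vma->vm_flags`, which the switch away from `newflags` suggests, the write-notify path rebuilds the protection from the unadjusted flags; `vm_get_page_prot(vma->vm_flags & ~VM_SHARED)` would keep the two consistent. Separately, `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the result unchecked, although an earlier hunk of what appears to be the same function tests that result for NULL. An explicit check, or a comment stating why a mirror must exist at this point, would make the invariant visible.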
54589 @@ -238,6 +352,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54594 +#ifdef CONFIG_PAX_SEGMEXEC
54595 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
54596 + if (end > SEGMEXEC_TASK_SIZE)
54601 + if (end > TASK_SIZE)
54604 if (!arch_validate_prot(prot))
54607 @@ -245,7 +370,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54609 * Does the application expect PROT_READ to imply PROT_EXEC:
54611 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
54612 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
54615 vm_flags = calc_vm_prot_bits(prot);
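Review bot: The comment above the changed test still reads "Does the application expect PROT_READ to imply PROT_EXEC", but the new condition also fires for `PROT_WRITE`. It should be updated to match, e.g. `/* Does the application expect PROT_READ or PROT_WRITE to imply PROT_EXEC (READ_IMPLIES_EXEC personality)? */`. A sentence on why write-only requests are included would help, because, assuming the statement that follows still adds `PROT_EXEC`, the change widens the set of requests that end up executable.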
54616 @@ -277,6 +402,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54617 if (start > vma->vm_start)
54620 +#ifdef CONFIG_PAX_MPROTECT
54621 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
54622 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
54625 for (nstart = start ; ; ) {
54626 unsigned long newflags;
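Review bot: The `handle_mprotect()` call added here sits before the `for (nstart = start ; ; )` loop, so as far as this hunk shows it runs only for the first VMA of the range. The per-VMA permission test further down (`newflags & ~(newflags >> 4)`) is then evaluated for later VMAs before any handler call has touched them. If the handler is meant to adjust flags that this test depends on, the call belongs inside the loop; if not, a short comment saying why the first VMA is enough would settle the question. The handler body is not visible here, so this needs confirming against it.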
54628 @@ -286,6 +416,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54630 /* newflags >> 4 shift VM_MAY% in place of VM_% */
54631 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
54632 + if (prot & (PROT_WRITE | PROT_EXEC))
54633 + gr_log_rwxmprotect(vma->vm_file);
54639 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
54643 @@ -300,6 +438,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54644 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
54648 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
54652 if (nstart < prev->vm_end)
54653 diff -urNp linux-2.6.36.2/mm/mremap.c linux-2.6.36.2/mm/mremap.c
54654 --- linux-2.6.36.2/mm/mremap.c 2010-10-20 16:30:22.000000000 -0400
54655 +++ linux-2.6.36.2/mm/mremap.c 2010-12-09 20:24:51.000000000 -0500
54656 @@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
54658 pte = ptep_clear_flush(vma, old_addr, old_pte);
54659 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
54661 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
54662 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
54663 + pte = pte_exprotect(pte);
54666 set_pte_at(mm, new_addr, new_pte, pte);
54669 @@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
54670 if (is_vm_hugetlb_page(vma))
54673 +#ifdef CONFIG_PAX_SEGMEXEC
54674 + if (pax_find_mirror_vma(vma))
54678 /* We can't remap across vm area boundaries */
54679 if (old_len > vma->vm_end - addr)
54681 @@ -321,20 +332,25 @@ static unsigned long mremap_to(unsigned
54682 unsigned long ret = -EINVAL;
54683 unsigned long charged = 0;
54684 unsigned long map_flags;
54685 + unsigned long pax_task_size = TASK_SIZE;
54687 if (new_addr & ~PAGE_MASK)
54690 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
54691 +#ifdef CONFIG_PAX_SEGMEXEC
54692 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
54693 + pax_task_size = SEGMEXEC_TASK_SIZE;
54696 + pax_task_size -= PAGE_SIZE;
54698 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
54701 /* Check if the location we're moving into overlaps the
54702 * old location at all, and fail if it does.
54704 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
54707 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
54708 + if (addr + old_len > new_addr && new_addr + new_len > addr)
54711 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
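Review bot: The new bound mixes two limits: `new_len` is still compared with `TASK_SIZE`, while the subtraction uses `pax_task_size`. For a `new_len` between the two values, `pax_task_size - new_len` wraps around as an unsigned quantity and the `new_addr` comparison can no longer fail. `do_mremap()` in this same patch rejects such lengths before calling `mremap_to()` (`new_len > pax_task_size`), so this looks unreachable today, but the check should stand on its own: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The body of `mremap_to()` starts and ends outside the hunk.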
54712 @@ -406,6 +422,7 @@ unsigned long do_mremap(unsigned long ad
54713 struct vm_area_struct *vma;
54714 unsigned long ret = -EINVAL;
54715 unsigned long charged = 0;
54716 + unsigned long pax_task_size = TASK_SIZE;
54718 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
54720 @@ -424,6 +441,17 @@ unsigned long do_mremap(unsigned long ad
54724 +#ifdef CONFIG_PAX_SEGMEXEC
54725 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
54726 + pax_task_size = SEGMEXEC_TASK_SIZE;
54729 + pax_task_size -= PAGE_SIZE;
54731 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
54732 + old_len > pax_task_size || addr > pax_task_size-old_len)
54735 if (flags & MREMAP_FIXED) {
54736 if (flags & MREMAP_MAYMOVE)
54737 ret = mremap_to(addr, old_len, new_addr, new_len);
54738 @@ -473,6 +501,7 @@ unsigned long do_mremap(unsigned long ad
54742 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
54746 @@ -499,7 +528,13 @@ unsigned long do_mremap(unsigned long ad
54747 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
54751 + map_flags = vma->vm_flags;
54752 ret = move_vma(vma, addr, old_len, new_len, new_addr);
54753 + if (!(ret & ~PAGE_MASK)) {
54754 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
54755 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
54759 if (ret & ~PAGE_MASK)
54760 diff -urNp linux-2.6.36.2/mm/nommu.c linux-2.6.36.2/mm/nommu.c
54761 --- linux-2.6.36.2/mm/nommu.c 2010-12-09 20:53:48.000000000 -0500
54762 +++ linux-2.6.36.2/mm/nommu.c 2010-12-09 20:54:42.000000000 -0500
54763 @@ -62,7 +62,6 @@ int sysctl_overcommit_memory = OVERCOMMI
54764 int sysctl_overcommit_ratio = 50; /* default is 50% */
54765 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
54766 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
54767 -int heap_stack_gap = 0;
54769 atomic_long_t mmap_pages_allocated;
54771 @@ -757,15 +756,6 @@ struct vm_area_struct *find_vma(struct m
54772 EXPORT_SYMBOL(find_vma);
54776 - * - we don't extend stack VMAs under NOMMU conditions
54778 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
54780 - return find_vma(mm, addr);
54784 * expand a stack to a given address
54785 * - not supported under NOMMU conditions
54787 @@ -1486,6 +1476,7 @@ int split_vma(struct mm_struct *mm, stru
54789 /* most fields are the same, copy all, and then fixup */
54791 + INIT_LIST_HEAD(&new->anon_vma_chain);
54792 *region = *vma->vm_region;
54793 new->vm_region = region;
54795 diff -urNp linux-2.6.36.2/mm/page_alloc.c linux-2.6.36.2/mm/page_alloc.c
54796 --- linux-2.6.36.2/mm/page_alloc.c 2010-12-09 20:53:48.000000000 -0500
54797 +++ linux-2.6.36.2/mm/page_alloc.c 2010-12-09 20:54:42.000000000 -0500
54798 @@ -647,6 +647,10 @@ static bool free_pages_prepare(struct pa
54802 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
54803 + unsigned long index = 1UL << order;
54806 trace_mm_page_free_direct(page, order);
54807 kmemcheck_free_shadow(page, order);
54809 @@ -665,6 +669,12 @@ static bool free_pages_prepare(struct pa
54810 debug_check_no_obj_freed(page_address(page),
54811 PAGE_SIZE << order);
54814 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
54815 + for (; index; --index)
54816 + sanitize_highpage(page + index - 1);
54819 arch_free_page(page, order);
54820 kernel_map_pages(page, 1 << order, 0);
54822 @@ -779,8 +789,10 @@ static int prep_new_page(struct page *pa
54823 arch_alloc_page(page, order);
54824 kernel_map_pages(page, 1 << order, 1);
54826 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
54827 if (gfp_flags & __GFP_ZERO)
54828 prep_zero_page(page, order, gfp_flags);
54831 if (order && (gfp_flags & __GFP_COMP))
54832 prep_compound_page(page, order);
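Review bot: Compiling out `prep_zero_page()` makes every `__GFP_ZERO` allocation depend on the page having been cleared by the `sanitize_highpage()` loop in `free_pages_prepare()` and never written again while it is free. That invariant is not stated in the hunk, and the earlier hunk shows `arch_free_page()` and `kernel_map_pages(page, 1 << order, 0)` still running after the sanitize loop. Any free-time hook that writes into the page (debug poisoning, for instance) would hand callers non-zero memory. I would add a comment such as `/* PAX_MEMORY_SANITIZE: pages are zeroed on free, see free_pages_prepare() */`. It is also worth confirming that every path that puts pages on the free lists, and every option that modifies free pages, is compatible with it.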
54833 @@ -4002,7 +4014,7 @@ static void __init setup_usemap(struct p
54834 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
54837 -static void inline setup_usemap(struct pglist_data *pgdat,
54838 +static inline void setup_usemap(struct pglist_data *pgdat,
54839 struct zone *zone, unsigned long zonesize) {}
54840 #endif /* CONFIG_SPARSEMEM */
54842 diff -urNp linux-2.6.36.2/mm/percpu.c linux-2.6.36.2/mm/percpu.c
54843 --- linux-2.6.36.2/mm/percpu.c 2010-10-20 16:30:22.000000000 -0400
54844 +++ linux-2.6.36.2/mm/percpu.c 2010-12-09 20:24:51.000000000 -0500
54845 @@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
54846 static unsigned int pcpu_last_unit_cpu __read_mostly;
54848 /* the address of the first chunk which starts with the kernel static area */
54849 -void *pcpu_base_addr __read_mostly;
54850 +void *pcpu_base_addr __read_only;
54851 EXPORT_SYMBOL_GPL(pcpu_base_addr);
54853 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
54854 diff -urNp linux-2.6.36.2/mm/rmap.c linux-2.6.36.2/mm/rmap.c
54855 --- linux-2.6.36.2/mm/rmap.c 2010-10-20 16:30:22.000000000 -0400
54856 +++ linux-2.6.36.2/mm/rmap.c 2010-12-09 20:24:51.000000000 -0500
54857 @@ -117,6 +117,10 @@ int anon_vma_prepare(struct vm_area_stru
54858 struct anon_vma *anon_vma = vma->anon_vma;
54859 struct anon_vma_chain *avc;
54861 +#ifdef CONFIG_PAX_SEGMEXEC
54862 + struct anon_vma_chain *avc_m = NULL;
54866 if (unlikely(!anon_vma)) {
54867 struct mm_struct *mm = vma->vm_mm;
54868 @@ -126,6 +130,12 @@ int anon_vma_prepare(struct vm_area_stru
54872 +#ifdef CONFIG_PAX_SEGMEXEC
54873 + avc_m = anon_vma_chain_alloc();
54875 + goto out_enomem_free_avc;
54878 anon_vma = find_mergeable_anon_vma(vma);
54881 @@ -144,6 +154,21 @@ int anon_vma_prepare(struct vm_area_stru
54882 /* page_table_lock to protect against threads */
54883 spin_lock(&mm->page_table_lock);
54884 if (likely(!vma->anon_vma)) {
54886 +#ifdef CONFIG_PAX_SEGMEXEC
54887 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
54890 + BUG_ON(vma_m->anon_vma);
54891 + vma_m->anon_vma = anon_vma;
54892 + avc_m->anon_vma = anon_vma;
54893 + avc_m->vma = vma;
54894 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
54895 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
54900 vma->anon_vma = anon_vma;
54901 avc->anon_vma = anon_vma;
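Review bot: `avc_m->vma = vma;` looks wrong: the chain entry is linked into `vma_m->anon_vma_chain` on the next line, yet its back-pointer names the original VMA rather than the mirror. Code that walks `anon_vma->head` and follows the entry's `vma` pointer would then presumably reach `vma` twice and never `vma_m`. Unless that is intentional and documented, it should read `avc_m->vma = vma_m;`. `anon_vma_prepare()` continues outside the hunk, so check that nothing later corrects the pointer.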
54903 @@ -157,12 +182,24 @@ int anon_vma_prepare(struct vm_area_stru
54905 if (unlikely(allocated))
54906 anon_vma_free(allocated);
54908 +#ifdef CONFIG_PAX_SEGMEXEC
54909 + if (unlikely(avc_m))
54910 + anon_vma_chain_free(avc_m);
54914 anon_vma_chain_free(avc);
54918 out_enomem_free_avc:
54920 +#ifdef CONFIG_PAX_SEGMEXEC
54922 + anon_vma_chain_free(avc_m);
54925 anon_vma_chain_free(avc);
54928 @@ -185,7 +222,7 @@ static void anon_vma_chain_link(struct v
54929 * Attach the anon_vmas from src to dst.
54930 * Returns 0 on success, -ENOMEM on failure.
54932 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
54933 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
54935 struct anon_vma_chain *avc, *pavc;
54937 @@ -207,7 +244,7 @@ int anon_vma_clone(struct vm_area_struct
54938 * the corresponding VMA in the parent process is attached to.
54939 * Returns 0 on success, non-zero on failure.
54941 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
54942 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
54944 struct anon_vma_chain *avc;
54945 struct anon_vma *anon_vma;
54946 diff -urNp linux-2.6.36.2/mm/shmem.c linux-2.6.36.2/mm/shmem.c
54947 --- linux-2.6.36.2/mm/shmem.c 2010-10-20 16:30:22.000000000 -0400
54948 +++ linux-2.6.36.2/mm/shmem.c 2010-12-09 20:24:51.000000000 -0500
54950 #include <linux/percpu_counter.h>
54951 #include <linux/swap.h>
54953 -static struct vfsmount *shm_mnt;
54954 +struct vfsmount *shm_mnt;
54956 #ifdef CONFIG_SHMEM
54958 diff -urNp linux-2.6.36.2/mm/slab.c linux-2.6.36.2/mm/slab.c
54959 --- linux-2.6.36.2/mm/slab.c 2010-10-20 16:30:22.000000000 -0400
54960 +++ linux-2.6.36.2/mm/slab.c 2010-12-09 20:24:51.000000000 -0500
54961 @@ -284,7 +284,7 @@ struct kmem_list3 {
54962 * Need this for bootstrapping a per node allocator.
54964 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
54965 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
54966 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
54967 #define CACHE_CACHE 0
54968 #define SIZE_AC MAX_NUMNODES
54969 #define SIZE_L3 (2 * MAX_NUMNODES)
54970 @@ -534,7 +534,7 @@ static inline void *index_to_obj(struct
54971 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
54973 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
54974 - const struct slab *slab, void *obj)
54975 + const struct slab *slab, const void *obj)
54977 u32 offset = (obj - slab->s_mem);
54978 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
54979 @@ -560,14 +560,14 @@ struct cache_names {
54980 static struct cache_names __initdata cache_names[] = {
54981 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
54982 #include <linux/kmalloc_sizes.h>
54988 static struct arraycache_init initarray_cache __initdata =
54989 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
54990 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
54991 static struct arraycache_init initarray_generic =
54992 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
54993 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
54995 /* internal cache of cache description objs */
54996 static struct kmem_cache cache_cache = {
54997 @@ -4557,15 +4557,66 @@ static const struct file_operations proc
54999 static int __init slab_proc_init(void)
55001 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
55002 + mode_t gr_mode = S_IRUGO;
55004 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55005 + gr_mode = S_IRUSR;
55008 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
55009 #ifdef CONFIG_DEBUG_SLAB_LEAK
55010 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
55011 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
55015 module_init(slab_proc_init);
55018 +void check_object_size(const void *ptr, unsigned long n, bool to)
55021 +#ifdef CONFIG_PAX_USERCOPY
55022 + struct kmem_cache *cachep;
55023 + struct slab *slabp;
55024 + struct page *page;
55025 + unsigned int objnr;
55026 + unsigned long offset;
55031 + if (ZERO_OR_NULL_PTR(ptr))
55034 + if (!virt_addr_valid(ptr))
55037 + page = virt_to_head_page(ptr);
55039 + if (!PageSlab(page)) {
55040 + if (object_is_on_stack(ptr, n) == -1)
55045 + cachep = page_get_cache(page);
55046 + slabp = page_get_slab(page);
55047 + objnr = obj_to_index(cachep, slabp, ptr);
55048 + BUG_ON(objnr >= cachep->num);
55049 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
55050 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
55055 + pax_report_leak_to_user(ptr, n);
55057 + pax_report_overflow_from_user(ptr, n);
55061 +EXPORT_SYMBOL(check_object_size);
55064 * ksize - get the actual amount of memory allocated for a given object
55065 * @objp: Pointer to the object
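Review bot: `check_object_size()` is added and exported without a comment describing its contract, and the same applies to the copies in mm/slob.c and mm/slub.c later in this patch. A kernel-doc block should say what `to` selects (the two report calls at the end suggest it is the copy direction), what the function does for each early test (`ZERO_OR_NULL_PTR`, `!virt_addr_valid`), and that for a non-slab page only `object_is_on_stack()` is consulted. That last point is a coverage limit callers should know about: as far as the visible lines show, memory that is neither slab-backed nor on the current stack is not bounds-checked here. Several lines of the body are missing from this listing, so the wording should be checked against the full function.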
55066 diff -urNp linux-2.6.36.2/mm/slob.c linux-2.6.36.2/mm/slob.c
55067 --- linux-2.6.36.2/mm/slob.c 2010-10-20 16:30:22.000000000 -0400
55068 +++ linux-2.6.36.2/mm/slob.c 2010-12-09 20:24:51.000000000 -0500
55070 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
55071 * alloc_pages() directly, allocating compound pages so the page order
55072 * does not have to be separately tracked, and also stores the exact
55073 - * allocation size in page->private so that it can be used to accurately
55074 + * allocation size in slob_page->size so that it can be used to accurately
55075 * provide ksize(). These objects are detected in kfree() because slob_page()
55076 * is false for them.
55081 #include <linux/kernel.h>
55082 +#include <linux/sched.h>
55083 #include <linux/slab.h>
55084 #include <linux/mm.h>
55085 #include <linux/swap.h> /* struct reclaim_state */
55086 @@ -102,7 +103,8 @@ struct slob_page {
55087 unsigned long flags; /* mandatory */
55088 atomic_t _count; /* mandatory */
55089 slobidx_t units; /* free units left in page */
55090 - unsigned long pad[2];
55091 + unsigned long pad[1];
55092 + unsigned long size; /* size when >=PAGE_SIZE */
55093 slob_t *free; /* first free slob_t in page */
55094 struct list_head list; /* linked list of free pages */
55096 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
55098 static inline int is_slob_page(struct slob_page *sp)
55100 - return PageSlab((struct page *)sp);
55101 + return PageSlab((struct page *)sp) && !sp->size;
55104 static inline void set_slob_page(struct slob_page *sp)
55105 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
55107 static inline struct slob_page *slob_page(const void *addr)
55109 - return (struct slob_page *)virt_to_page(addr);
55110 + return (struct slob_page *)virt_to_head_page(addr);
55114 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
55116 * Return the size of a slob block.
55118 -static slobidx_t slob_units(slob_t *s)
55119 +static slobidx_t slob_units(const slob_t *s)
55123 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
55125 * Return the next free slob block pointer after this one.
55127 -static slob_t *slob_next(slob_t *s)
55128 +static slob_t *slob_next(const slob_t *s)
55130 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
55132 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
55134 * Returns true if s is the last free block in its page.
55136 -static int slob_last(slob_t *s)
55137 +static int slob_last(const slob_t *s)
55139 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
55141 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
55145 + set_slob_page(page);
55146 return page_address(page);
55149 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
55153 - set_slob_page(sp);
55155 spin_lock_irqsave(&slob_lock, flags);
55156 sp->units = SLOB_UNITS(PAGE_SIZE);
55159 INIT_LIST_HEAD(&sp->list);
55160 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
55161 set_slob_page_free(sp, slob_list);
55162 @@ -476,10 +479,9 @@ out:
55163 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
55166 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
55167 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
55170 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55174 lockdep_trace_alloc(gfp);
55175 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
55180 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
55181 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
55182 + m[0].units = size;
55183 + m[1].units = align;
55184 ret = (void *)m + align;
55186 trace_kmalloc_node(_RET_IP_, ret,
55187 @@ -502,9 +507,9 @@ void *__kmalloc_node(size_t size, gfp_t
55189 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
55191 - struct page *page;
55192 - page = virt_to_page(ret);
55193 - page->private = size;
55194 + struct slob_page *sp;
55195 + sp = slob_page(ret);
55199 trace_kmalloc_node(_RET_IP_, ret,
55200 @@ -514,6 +519,13 @@ void *__kmalloc_node(size_t size, gfp_t
55201 kmemleak_alloc(ret, size, 1, gfp);
55205 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
55207 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55209 + return __kmalloc_node_align(size, gfp, node, align);
55211 EXPORT_SYMBOL(__kmalloc_node);
55213 void kfree(const void *block)
55214 @@ -529,13 +541,84 @@ void kfree(const void *block)
55215 sp = slob_page(block);
55216 if (is_slob_page(sp)) {
55217 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55218 - unsigned int *m = (unsigned int *)(block - align);
55219 - slob_free(m, *m + align);
55221 + slob_t *m = (slob_t *)(block - align);
55222 + slob_free(m, m[0].units + align);
55224 + clear_slob_page(sp);
55225 + free_slob_page(sp);
55227 put_page(&sp->page);
55230 EXPORT_SYMBOL(kfree);
55232 +void check_object_size(const void *ptr, unsigned long n, bool to)
55235 +#ifdef CONFIG_PAX_USERCOPY
55236 + struct slob_page *sp;
55237 + const slob_t *free;
55238 + const void *base;
55243 + if (ZERO_OR_NULL_PTR(ptr))
55246 + if (!virt_addr_valid(ptr))
55249 + sp = slob_page(ptr);
55250 + if (!PageSlab((struct page*)sp)) {
55251 + if (object_is_on_stack(ptr, n) == -1)
55257 + base = page_address(&sp->page);
55258 + if (base <= ptr && n <= sp->size - (ptr - base))
55263 + /* some tricky double walking to find the chunk */
55264 + base = (void *)((unsigned long)ptr & PAGE_MASK);
55267 + while (!slob_last(free) && (void *)free <= ptr) {
55268 + base = free + slob_units(free);
55269 + free = slob_next(free);
55272 + while (base < (void *)free) {
55273 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
55274 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
55277 + if (ptr < base + align)
55280 + offset = ptr - base - align;
55281 + if (offset < m) {
55282 + if (n <= m - offset)
55291 + pax_report_leak_to_user(ptr, n);
55293 + pax_report_overflow_from_user(ptr, n);
55297 +EXPORT_SYMBOL(check_object_size);
55299 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
55300 size_t ksize(const void *block)
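Review bot: In the SLOB `check_object_size()`, the large-object test `if (base <= ptr && n <= sp->size - (ptr - base))` does not check that `ptr - base` is within `sp->size`. For a pointer into the tail of the compound page, past the recorded size, the subtraction wraps as an unsigned value and any `n` passes. The SLAB and SLUB versions in this patch guard the same computation with an `offset <= ...` test first; the equivalent here is `if (base <= ptr && ptr - base <= sp->size && n <= sp->size - (ptr - base))`. Lines around the test are missing from this listing, so confirm that no earlier check already covers this case.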
55302 @@ -548,10 +631,10 @@ size_t ksize(const void *block)
55303 sp = slob_page(block);
55304 if (is_slob_page(sp)) {
55305 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55306 - unsigned int *m = (unsigned int *)(block - align);
55307 - return SLOB_UNITS(*m) * SLOB_UNIT;
55308 + slob_t *m = (slob_t *)(block - align);
55309 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
55311 - return sp->page.private;
55314 EXPORT_SYMBOL(ksize);
55316 @@ -606,17 +689,25 @@ void *kmem_cache_alloc_node(struct kmem_
55320 +#ifdef CONFIG_PAX_USERCOPY
55321 + b = __kmalloc_node_align(c->size, flags, node, c->align);
55323 if (c->size < PAGE_SIZE) {
55324 b = slob_alloc(c->size, flags, c->align, node);
55325 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
55326 SLOB_UNITS(c->size) * SLOB_UNIT,
55329 + struct slob_page *sp;
55331 b = slob_new_pages(flags, get_order(c->size), node);
55332 + sp = slob_page(b);
55333 + sp->size = c->size;
55334 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
55335 PAGE_SIZE << get_order(c->size),
55342 @@ -628,10 +719,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
55344 static void __kmem_cache_free(void *b, int size)
55346 - if (size < PAGE_SIZE)
55347 + struct slob_page *sp = slob_page(b);
55349 + if (is_slob_page(sp))
55350 slob_free(b, size);
55353 + clear_slob_page(sp);
55354 + free_slob_page(sp);
55356 slob_free_pages(b, get_order(size));
55360 static void kmem_rcu_free(struct rcu_head *head)
55361 @@ -644,14 +741,23 @@ static void kmem_rcu_free(struct rcu_hea
55363 void kmem_cache_free(struct kmem_cache *c, void *b)
55365 + int size = c->size;
55367 +#ifdef CONFIG_PAX_USERCOPY
55368 + if (size + c->align < PAGE_SIZE) {
55369 + size += c->align;
55374 kmemleak_free_recursive(b, c->flags);
55375 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
55376 struct slob_rcu *slob_rcu;
55377 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
55378 - slob_rcu->size = c->size;
55379 + slob_rcu = b + (size - sizeof(struct slob_rcu));
55380 + slob_rcu->size = size;
55381 call_rcu(&slob_rcu->head, kmem_rcu_free);
55383 - __kmem_cache_free(b, c->size);
55384 + __kmem_cache_free(b, size);
55387 trace_kmem_cache_free(_RET_IP_, b);
55388 diff -urNp linux-2.6.36.2/mm/slub.c linux-2.6.36.2/mm/slub.c
55389 --- linux-2.6.36.2/mm/slub.c 2010-10-20 16:30:22.000000000 -0400
55390 +++ linux-2.6.36.2/mm/slub.c 2010-12-09 20:24:51.000000000 -0500
55391 @@ -392,7 +392,7 @@ static void print_track(const char *s, s
55395 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
55396 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
55397 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
55400 @@ -1873,6 +1873,8 @@ void kmem_cache_free(struct kmem_cache *
55402 page = virt_to_head_page(x);
55404 + BUG_ON(!PageSlab(page));
55406 slab_free(s, page, x, _RET_IP_);
55408 trace_kmem_cache_free(_RET_IP_, x);
55409 @@ -1917,7 +1919,7 @@ static int slub_min_objects;
55410 * Merge control. If this is set then no merging of slab caches will occur.
55411 * (Could be removed. This was introduced to pacify the merge skeptics.)
55413 -static int slub_nomerge;
55414 +static int slub_nomerge = 1;
55417 * Calculate the order of allocation given an slab object size.
55418 @@ -2344,7 +2346,7 @@ static int kmem_cache_open(struct kmem_c
55419 * list to avoid pounding the page allocator excessively.
55421 set_min_partial(s, ilog2(s->size));
55423 + atomic_set(&s->refcount, 1);
55425 s->remote_node_defrag_ratio = 1000;
55427 @@ -2487,8 +2489,7 @@ static inline int kmem_cache_close(struc
55428 void kmem_cache_destroy(struct kmem_cache *s)
55430 down_write(&slub_lock);
55432 - if (!s->refcount) {
55433 + if (atomic_dec_and_test(&s->refcount)) {
55434 list_del(&s->list);
55435 if (kmem_cache_close(s)) {
55436 printk(KERN_ERR "SLUB %s: %s called for cache that "
55437 @@ -2779,6 +2780,46 @@ void *__kmalloc_node(size_t size, gfp_t
55438 EXPORT_SYMBOL(__kmalloc_node);
55441 +void check_object_size(const void *ptr, unsigned long n, bool to)
55444 +#ifdef CONFIG_PAX_USERCOPY
55445 + struct page *page;
55446 + struct kmem_cache *s;
55447 + unsigned long offset;
55452 + if (ZERO_OR_NULL_PTR(ptr))
55455 + if (!virt_addr_valid(ptr))
55458 + page = get_object_page(ptr);
55461 + if (object_is_on_stack(ptr, n) == -1)
55467 + offset = (ptr - page_address(page)) % s->size;
55468 + if (offset <= s->objsize && n <= s->objsize - offset)
55473 + pax_report_leak_to_user(ptr, n);
55475 + pax_report_overflow_from_user(ptr, n);
55479 +EXPORT_SYMBOL(check_object_size);
55481 size_t ksize(const void *object)
55484 @@ -3048,7 +3089,7 @@ void __init kmem_cache_init(void)
55486 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
55487 sizeof(struct kmem_cache_node), GFP_NOWAIT);
55488 - kmalloc_caches[0].refcount = -1;
55489 + atomic_set(&kmalloc_caches[0].refcount, -1);
55492 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
55493 @@ -3160,7 +3201,7 @@ static int slab_unmergeable(struct kmem_
55495 * We may have set a slab to be unmergeable during bootstrap.
55497 - if (s->refcount < 0)
55498 + if (atomic_read(&s->refcount) < 0)
55502 @@ -3218,7 +3259,7 @@ struct kmem_cache *kmem_cache_create(con
55503 down_write(&slub_lock);
55504 s = find_mergeable(size, align, flags, name, ctor);
55507 + atomic_inc(&s->refcount);
55509 * Adjust the object sizes so that we clear
55510 * the complete object on kzalloc.
55511 @@ -3227,7 +3268,7 @@ struct kmem_cache *kmem_cache_create(con
55512 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
55514 if (sysfs_slab_alias(s, name)) {
55516 + atomic_dec(&s->refcount);
55519 up_write(&slub_lock);
55520 @@ -3941,7 +3982,7 @@ SLAB_ATTR_RO(ctor);
55522 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
55524 - return sprintf(buf, "%d\n", s->refcount - 1);
55525 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
55527 SLAB_ATTR_RO(aliases);
55529 @@ -4673,7 +4714,13 @@ static const struct file_operations proc
55531 static int __init slab_proc_init(void)
55533 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
55534 + mode_t gr_mode = S_IRUGO;
55536 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55537 + gr_mode = S_IRUSR;
55540 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
55543 module_init(slab_proc_init);
55544 diff -urNp linux-2.6.36.2/mm/util.c linux-2.6.36.2/mm/util.c
55545 --- linux-2.6.36.2/mm/util.c 2010-10-20 16:30:22.000000000 -0400
55546 +++ linux-2.6.36.2/mm/util.c 2010-12-09 20:24:51.000000000 -0500
55547 @@ -240,6 +240,12 @@ EXPORT_SYMBOL(strndup_user);
55548 void arch_pick_mmap_layout(struct mm_struct *mm)
55550 mm->mmap_base = TASK_UNMAPPED_BASE;
55552 +#ifdef CONFIG_PAX_RANDMMAP
55553 + if (mm->pax_flags & MF_PAX_RANDMMAP)
55554 + mm->mmap_base += mm->delta_mmap;
55557 mm->get_unmapped_area = arch_get_unmapped_area;
55558 mm->unmap_area = arch_unmap_area;
55560 diff -urNp linux-2.6.36.2/mm/vmalloc.c linux-2.6.36.2/mm/vmalloc.c
55561 --- linux-2.6.36.2/mm/vmalloc.c 2010-11-26 18:26:25.000000000 -0500
55562 +++ linux-2.6.36.2/mm/vmalloc.c 2010-12-09 20:24:51.000000000 -0500
55563 @@ -41,8 +41,19 @@ static void vunmap_pte_range(pmd_t *pmd,
55565 pte = pte_offset_kernel(pmd, addr);
55567 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
55568 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
55570 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55571 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
55572 + BUG_ON(!pte_exec(*pte));
55573 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
55579 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
55580 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
55582 } while (pte++, addr += PAGE_SIZE, addr != end);
55585 @@ -93,6 +104,7 @@ static int vmap_pte_range(pmd_t *pmd, un
55586 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
55589 + int ret = -ENOMEM;
55592 * nr is a running index into the array which helps higher level
55593 @@ -102,17 +114,30 @@ static int vmap_pte_range(pmd_t *pmd, un
55594 pte = pte_alloc_kernel(pmd, addr);
55598 + pax_open_kernel();
55600 struct page *page = pages[*nr];
55602 - if (WARN_ON(!pte_none(*pte)))
55604 - if (WARN_ON(!page))
55606 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55607 + if (pgprot_val(prot) & _PAGE_NX)
55610 + if (WARN_ON(!pte_none(*pte))) {
55614 + if (WARN_ON(!page)) {
55618 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
55620 } while (pte++, addr += PAGE_SIZE, addr != end);
55624 + pax_close_kernel();
55628 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
55629 @@ -193,11 +218,20 @@ int is_vmalloc_or_module_addr(const void
55630 * and fall back on vmalloc() if that fails. Others
55631 * just put it in the vmalloc space.
55633 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
55634 +#ifdef CONFIG_MODULES
55635 +#ifdef MODULES_VADDR
55636 unsigned long addr = (unsigned long)x;
55637 if (addr >= MODULES_VADDR && addr < MODULES_END)
55641 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55642 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
55648 return is_vmalloc_addr(x);
55651 @@ -218,8 +252,14 @@ struct page *vmalloc_to_page(const void
55653 if (!pgd_none(*pgd)) {
55654 pud_t *pud = pud_offset(pgd, addr);
55656 + if (!pud_large(*pud))
55658 if (!pud_none(*pud)) {
55659 pmd_t *pmd = pmd_offset(pud, addr);
55661 + if (!pmd_large(*pmd))
55663 if (!pmd_none(*pmd)) {
55666 @@ -293,13 +333,13 @@ static void __insert_vmap_area(struct vm
55667 struct rb_node *tmp;
55670 - struct vmap_area *tmp;
55671 + struct vmap_area *varea;
55674 - tmp = rb_entry(parent, struct vmap_area, rb_node);
55675 - if (va->va_start < tmp->va_end)
55676 + varea = rb_entry(parent, struct vmap_area, rb_node);
55677 + if (va->va_start < varea->va_end)
55678 p = &(*p)->rb_left;
55679 - else if (va->va_end > tmp->va_start)
55680 + else if (va->va_end > varea->va_start)
55681 p = &(*p)->rb_right;
55684 @@ -1237,6 +1277,16 @@ static struct vm_struct *__get_vm_area_n
55685 struct vm_struct *area;
55687 BUG_ON(in_interrupt());
55689 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55690 + if (flags & VM_KERNEXEC) {
55691 + if (start != VMALLOC_START || end != VMALLOC_END)
55693 + start = (unsigned long)MODULES_EXEC_VADDR;
55694 + end = (unsigned long)MODULES_EXEC_END;
55698 if (flags & VM_IOREMAP) {
55699 int bit = fls(size);
55701 @@ -1462,6 +1512,11 @@ void *vmap(struct page **pages, unsigned
55702 if (count > totalram_pages)
55705 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55706 + if (!(pgprot_val(prot) & _PAGE_NX))
55707 + flags |= VM_KERNEXEC;
55710 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
55711 __builtin_return_address(0));
55713 @@ -1571,6 +1626,13 @@ static void *__vmalloc_node(unsigned lon
55714 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
55717 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55718 + if (!(pgprot_val(prot) & _PAGE_NX))
55719 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
55720 + node, gfp_mask, caller);
55724 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
55725 VMALLOC_END, node, gfp_mask, caller);
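Review bot: The added lines in `__vmalloc_node` repeat the whole `__get_vm_area_node(...)` call only to OR `VM_KERNEXEC` into the flags argument, while the `vmap()` hunk just above gets the same effect with `flags |= VM_KERNEXEC`. Computing the flags once and keeping a single call stops the two argument lists from drifting apart when one of them is edited later. The function body starts and ends outside this hunk, so the new local would join the existing declarations.

```c
	unsigned long vm_flags = VM_ALLOC;

	/* … unchanged: size and totalram_pages check … */
#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
	if (!(pgprot_val(prot) & _PAGE_NX))
		vm_flags |= VM_KERNEXEC;
#endif
	area = __get_vm_area_node(size, align, vm_flags, VMALLOC_START,
				  VMALLOC_END, node, gfp_mask, caller);
```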
55727 @@ -1589,6 +1651,7 @@ static void *__vmalloc_node(unsigned lon
55732 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
55734 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
55735 @@ -1605,6 +1668,7 @@ EXPORT_SYMBOL(__vmalloc);
55736 * For tight control over page level allocator and protection flags
55737 * use __vmalloc() instead.
55740 void *vmalloc(unsigned long size)
55742 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
55743 @@ -1619,6 +1683,7 @@ EXPORT_SYMBOL(vmalloc);
55744 * The resulting memory area is zeroed so it can be mapped to userspace
55745 * without leaking data.
55747 +#undef vmalloc_user
55748 void *vmalloc_user(unsigned long size)
55750 struct vm_struct *area;
55751 @@ -1646,6 +1711,7 @@ EXPORT_SYMBOL(vmalloc_user);
55752 * For tight control over page level allocator and protection flags
55753 * use __vmalloc() instead.
55755 +#undef vmalloc_node
55756 void *vmalloc_node(unsigned long size, int node)
55758 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
55759 @@ -1668,10 +1734,10 @@ EXPORT_SYMBOL(vmalloc_node);
55760 * For tight control over page level allocator and protection flags
55761 * use __vmalloc() instead.
55764 +#undef vmalloc_exec
55765 void *vmalloc_exec(unsigned long size)
55767 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
55768 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
55769 -1, __builtin_return_address(0));
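Review bot: The kernel-doc comment above `vmalloc_exec()` is left as it was although the call now passes `__GFP_ZERO`, so a caller cannot learn from the comment that the executable memory comes back zero-filled. I would add a sentence to it such as `The memory is zeroed so stale kernel data never ends up in an executable mapping.` The added `#undef vmalloc_exec` also deserves a one-line comment naming what it cancels; presumably a macro of the same name is defined in a header outside this file section.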
55772 @@ -1690,6 +1756,7 @@ void *vmalloc_exec(unsigned long size)
55773 * Allocate enough 32bit PA addressable pages to cover @size from the
55774 * page level allocator and map them into contiguous kernel virtual space.
55777 void *vmalloc_32(unsigned long size)
55779 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
55780 @@ -1704,6 +1771,7 @@ EXPORT_SYMBOL(vmalloc_32);
55781 * The resulting memory area is 32bit addressable and zeroed so it can be
55782 * mapped to userspace without leaking data.
55784 +#undef vmalloc_32_user
55785 void *vmalloc_32_user(unsigned long size)
55787 struct vm_struct *area;
55788 @@ -1968,6 +2036,8 @@ int remap_vmalloc_range(struct vm_area_s
55789 unsigned long uaddr = vma->vm_start;
55790 unsigned long usize = vma->vm_end - vma->vm_start;
55792 + BUG_ON(vma->vm_mirror);
55794 if ((PAGE_SIZE-1) & (unsigned long)addr)
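Review bot: `BUG_ON(vma->vm_mirror)` halts the kernel on a condition that `remap_vmalloc_range()` could report to its caller instead, since the function returns an int. If a mirrored VMA can reach this path from a driver's mmap handler (not determinable from the hunk), a recoverable check is the safer choice: `if (WARN_ON(vma->vm_mirror)) return -EINVAL;`. The function body continues outside the hunk.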
55797 diff -urNp linux-2.6.36.2/mm/vmstat.c linux-2.6.36.2/mm/vmstat.c
55798 --- linux-2.6.36.2/mm/vmstat.c 2010-10-20 16:30:22.000000000 -0400
55799 +++ linux-2.6.36.2/mm/vmstat.c 2010-12-09 20:24:51.000000000 -0500
55800 @@ -76,7 +76,7 @@ void vm_events_fold_cpu(int cpu)
55802 * vm_stat contains the global counters
55804 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
55805 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
55806 EXPORT_SYMBOL(vm_stat);
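Review bot: Nothing at the declaration says why `vm_stat` moves to `atomic_long_unchecked_t`. Presumably these are statistics that may wrap harmlessly and are therefore exempted from overflow detection, but the type's definition is outside this chunk. A one-line comment such as `/* statistics only: wraparound is harmless, overflow checking not wanted */` would show later readers that the conversion was deliberate. The same applies to the `rx_drop` and AAL statistics conversions in net/atm and to `rid`/`ip_id_count` in net/ipv4/inetpeer.c.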
55809 @@ -328,7 +328,7 @@ void refresh_cpu_vm_stats(int cpu)
55810 v = p->vm_stat_diff[i];
55811 p->vm_stat_diff[i] = 0;
55812 local_irq_restore(flags);
55813 - atomic_long_add(v, &zone->vm_stat[i]);
55814 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
55815 global_diff[i] += v;
55817 /* 3 seconds idle till flush */
55818 @@ -366,7 +366,7 @@ void refresh_cpu_vm_stats(int cpu)
55820 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
55821 if (global_diff[i])
55822 - atomic_long_add(global_diff[i], &vm_stat[i]);
55823 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
55827 @@ -1050,10 +1050,16 @@ static int __init setup_vmstat(void)
55828 start_cpu_timer(cpu);
55830 #ifdef CONFIG_PROC_FS
55831 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
55832 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
55833 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
55834 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
55836 + mode_t gr_mode = S_IRUGO;
55837 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55838 + gr_mode = S_IRUSR;
55840 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
55841 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
55842 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
55843 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
55848 diff -urNp linux-2.6.36.2/net/8021q/vlan.c linux-2.6.36.2/net/8021q/vlan.c
55849 --- linux-2.6.36.2/net/8021q/vlan.c 2010-10-20 16:30:22.000000000 -0400
55850 +++ linux-2.6.36.2/net/8021q/vlan.c 2010-12-09 20:24:36.000000000 -0500
55851 @@ -627,8 +627,7 @@ static int vlan_ioctl_handler(struct net
55853 if (!capable(CAP_NET_ADMIN))
55855 - if ((args.u.name_type >= 0) &&
55856 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
55857 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
55858 struct vlan_net *vn;
55860 vn = net_generic(net, vlan_net_id);
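Review bot: Dropping `args.u.name_type >= 0` leaves the upper-bound test as the only range check on a value taken from the ioctl arguments, which is correct only while `name_type` is an unsigned field; its declaration is outside this hunk. A short comment on the new line, e.g. `/* name_type is unsigned, so only the upper bound needs checking */`, records that assumption so a later change of the field's type does not silently admit negative values. `vlan_ioctl_handler` starts and ends outside the hunk.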
55861 diff -urNp linux-2.6.36.2/net/atm/atm_misc.c linux-2.6.36.2/net/atm/atm_misc.c
55862 --- linux-2.6.36.2/net/atm/atm_misc.c 2010-10-20 16:30:22.000000000 -0400
55863 +++ linux-2.6.36.2/net/atm/atm_misc.c 2010-12-09 20:24:35.000000000 -0500
55864 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
55865 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
55867 atm_return(vcc, truesize);
55868 - atomic_inc(&vcc->stats->rx_drop);
55869 + atomic_inc_unchecked(&vcc->stats->rx_drop);
55872 EXPORT_SYMBOL(atm_charge);
55873 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
55876 atm_return(vcc, guess);
55877 - atomic_inc(&vcc->stats->rx_drop);
55878 + atomic_inc_unchecked(&vcc->stats->rx_drop);
55881 EXPORT_SYMBOL(atm_alloc_charge);
55882 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
55884 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
55886 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
55887 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
55889 #undef __HANDLE_ITEM
55891 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
55893 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
55895 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
55896 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
55898 #undef __HANDLE_ITEM
55900 diff -urNp linux-2.6.36.2/net/atm/proc.c linux-2.6.36.2/net/atm/proc.c
55901 --- linux-2.6.36.2/net/atm/proc.c 2010-10-20 16:30:22.000000000 -0400
55902 +++ linux-2.6.36.2/net/atm/proc.c 2010-12-09 20:24:35.000000000 -0500
55903 @@ -44,9 +44,9 @@ static void add_stats(struct seq_file *s
55904 const struct k_atm_aal_stats *stats)
55906 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
55907 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
55908 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
55909 - atomic_read(&stats->rx_drop));
55910 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
55911 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
55912 + atomic_read_unchecked(&stats->rx_drop));
55915 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
55916 @@ -190,7 +190,12 @@ static void vcc_info(struct seq_file *se
55918 struct sock *sk = sk_atm(vcc);
55920 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55921 + seq_printf(seq, "%p ", NULL);
55923 seq_printf(seq, "%p ", vcc);
55927 seq_printf(seq, "Unassigned ");
55929 diff -urNp linux-2.6.36.2/net/atm/resources.c linux-2.6.36.2/net/atm/resources.c
55930 --- linux-2.6.36.2/net/atm/resources.c 2010-10-20 16:30:22.000000000 -0400
55931 +++ linux-2.6.36.2/net/atm/resources.c 2010-12-09 20:24:35.000000000 -0500
55932 @@ -159,7 +159,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
55933 static void copy_aal_stats(struct k_atm_aal_stats *from,
55934 struct atm_aal_stats *to)
55936 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
55937 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
55939 #undef __HANDLE_ITEM
55941 @@ -167,7 +167,7 @@ static void copy_aal_stats(struct k_atm_
55942 static void subtract_aal_stats(struct k_atm_aal_stats *from,
55943 struct atm_aal_stats *to)
55945 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
55946 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
55948 #undef __HANDLE_ITEM
55950 diff -urNp linux-2.6.36.2/net/ax25/af_ax25.c linux-2.6.36.2/net/ax25/af_ax25.c
55951 --- linux-2.6.36.2/net/ax25/af_ax25.c 2010-10-20 16:30:22.000000000 -0400
55952 +++ linux-2.6.36.2/net/ax25/af_ax25.c 2010-12-09 20:24:32.000000000 -0500
55953 @@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *s
55957 + memset(fsa, 0, sizeof(*fsa));
55959 ax25 = ax25_sk(sk);
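Review bot: The new `memset(fsa, 0, sizeof(*fsa));` carries no comment saying why the whole structure is cleared, and the next hunk removes the explicit `sax25_ndigis = 0` that used to hint at it. Presumably the intent is that padding and unused digipeater slots must not hand stale kernel bytes back to the caller. A comment such as `/* clear the whole sockaddr so no uninitialised bytes are returned */` would keep the call from being trimmed as redundant later. The `memset(&info, 0, sizeof(info));` additions in the three netfilter `get_info()` hunks would benefit from the same comment.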
55961 @@ -1403,7 +1404,6 @@ static int ax25_getname(struct socket *s
55963 fsa->fsa_ax25.sax25_family = AF_AX25;
55964 fsa->fsa_ax25.sax25_call = ax25->dest_addr;
55965 - fsa->fsa_ax25.sax25_ndigis = 0;
55967 if (ax25->digipeat != NULL) {
55968 ndigi = ax25->digipeat->ndigi;
55969 diff -urNp linux-2.6.36.2/net/bridge/br_multicast.c linux-2.6.36.2/net/bridge/br_multicast.c
55970 --- linux-2.6.36.2/net/bridge/br_multicast.c 2010-10-20 16:30:22.000000000 -0400
55971 +++ linux-2.6.36.2/net/bridge/br_multicast.c 2010-12-09 20:24:32.000000000 -0500
55972 @@ -1461,7 +1461,7 @@ static int br_multicast_ipv6_rcv(struct
55973 nexthdr = ip6h->nexthdr;
55974 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
55976 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
55977 + if (nexthdr != IPPROTO_ICMPV6)
55980 /* Okay, we found ICMPv6 header */
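Review bot: With `offset < 0` removed, nothing in the visible code checks whether `ipv6_skip_exthdr()` failed, and that function reports failure through a negative return value. If the comparison was deleted because `offset` is declared unsigned (the declaration is outside the hunk), the better repair is to declare it `int offset;` and keep `if (offset < 0 || nexthdr != IPPROTO_ICMPV6)`. That way a malformed extension-header chain is rejected before `offset` is used to locate the ICMPv6 header. `br_multicast_ipv6_rcv` continues outside the hunk.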
55981 diff -urNp linux-2.6.36.2/net/bridge/br_stp_if.c linux-2.6.36.2/net/bridge/br_stp_if.c
55982 --- linux-2.6.36.2/net/bridge/br_stp_if.c 2010-10-20 16:30:22.000000000 -0400
55983 +++ linux-2.6.36.2/net/bridge/br_stp_if.c 2010-12-09 20:24:32.000000000 -0500
55984 @@ -145,7 +145,7 @@ static void br_stp_stop(struct net_bridg
55985 char *envp[] = { NULL };
55987 if (br->stp_enabled == BR_USER_STP) {
55988 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
55989 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
55990 br_info(br, "userspace STP stopped, return code %d\n", r);
55992 /* To start timers on any ports left in blocking */
55993 diff -urNp linux-2.6.36.2/net/bridge/netfilter/ebtables.c linux-2.6.36.2/net/bridge/netfilter/ebtables.c
55994 --- linux-2.6.36.2/net/bridge/netfilter/ebtables.c 2010-10-20 16:30:22.000000000 -0400
55995 +++ linux-2.6.36.2/net/bridge/netfilter/ebtables.c 2010-12-09 20:24:32.000000000 -0500
55996 @@ -1504,7 +1504,7 @@ static int do_ebt_get_ctl(struct sock *s
55997 tmp.valid_hooks = t->table->valid_hooks;
55999 mutex_unlock(&ebt_mutex);
56000 - if (copy_to_user(user, &tmp, *len) != 0){
56001 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
56002 BUGPRINT("c2u Didn't work\n");
56005 diff -urNp linux-2.6.36.2/net/core/dev.c linux-2.6.36.2/net/core/dev.c
56006 --- linux-2.6.36.2/net/core/dev.c 2010-12-09 20:53:48.000000000 -0500
56007 +++ linux-2.6.36.2/net/core/dev.c 2010-12-09 20:54:42.000000000 -0500
56008 @@ -2554,7 +2554,7 @@ int netif_rx_ni(struct sk_buff *skb)
56010 EXPORT_SYMBOL(netif_rx_ni);
56012 -static void net_tx_action(struct softirq_action *h)
56013 +static void net_tx_action(void)
56015 struct softnet_data *sd = &__get_cpu_var(softnet_data);
56017 @@ -3492,7 +3492,7 @@ void netif_napi_del(struct napi_struct *
56019 EXPORT_SYMBOL(netif_napi_del);
56021 -static void net_rx_action(struct softirq_action *h)
56022 +static void net_rx_action(void)
56024 struct softnet_data *sd = &__get_cpu_var(softnet_data);
56025 unsigned long time_limit = jiffies + 2;
56026 diff -urNp linux-2.6.36.2/net/core/net-sysfs.c linux-2.6.36.2/net/core/net-sysfs.c
56027 --- linux-2.6.36.2/net/core/net-sysfs.c 2010-10-20 16:30:22.000000000 -0400
56028 +++ linux-2.6.36.2/net/core/net-sysfs.c 2010-12-09 20:24:35.000000000 -0500
56029 @@ -515,7 +515,7 @@ static ssize_t rx_queue_attr_store(struc
56030 return attribute->store(queue, attribute, buf, count);
56033 -static struct sysfs_ops rx_queue_sysfs_ops = {
56034 +static const struct sysfs_ops rx_queue_sysfs_ops = {
56035 .show = rx_queue_attr_show,
56036 .store = rx_queue_attr_store,
56038 diff -urNp linux-2.6.36.2/net/core/sock.c linux-2.6.36.2/net/core/sock.c
56039 --- linux-2.6.36.2/net/core/sock.c 2010-10-20 16:30:22.000000000 -0400
56040 +++ linux-2.6.36.2/net/core/sock.c 2010-12-09 20:24:35.000000000 -0500
56041 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
56045 - if (copy_to_user(optval, address, len))
56046 + if (len > sizeof(address) || copy_to_user(optval, address, len))
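Review bot: `sizeof(address)` bounds the copy only if `address` is an array in this scope; its declaration is outside the hunk, and for a pointer the expression would silently become the pointer size. For the char-array cases `ARRAY_SIZE(address)` yields the same value and refuses to compile if the operand is ever turned into a pointer, e.g. `if (len > ARRAY_SIZE(address) || copy_to_user(optval, address, len))`. The same consideration applies to `sizeof(addr)` and `sizeof(devname)` in net/decnet/sysctl_net_decnet.c and to `sizeof(tbuf)` in net/ipv4/tcp_probe.c. The checks on `sizeof(v)` and `sizeof(tmp)` are fine as written, because those copies take the address of the object itself.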
56050 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
56054 - if (copy_to_user(optval, &v, len))
56055 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
56058 if (put_user(len, optlen))
56059 diff -urNp linux-2.6.36.2/net/dccp/ccids/ccid3.c linux-2.6.36.2/net/dccp/ccids/ccid3.c
56060 --- linux-2.6.36.2/net/dccp/ccids/ccid3.c 2010-10-20 16:30:22.000000000 -0400
56061 +++ linux-2.6.36.2/net/dccp/ccids/ccid3.c 2010-12-09 20:24:34.000000000 -0500
56063 static int ccid3_debug;
56064 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
56066 -#define ccid3_pr_debug(format, a...)
56067 +#define ccid3_pr_debug(format, a...) do {} while (0)
56071 diff -urNp linux-2.6.36.2/net/dccp/dccp.h linux-2.6.36.2/net/dccp/dccp.h
56072 --- linux-2.6.36.2/net/dccp/dccp.h 2010-10-20 16:30:22.000000000 -0400
56073 +++ linux-2.6.36.2/net/dccp/dccp.h 2010-12-09 20:24:34.000000000 -0500
56074 @@ -44,9 +44,9 @@ extern int dccp_debug;
56075 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
56076 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
56078 -#define dccp_pr_debug(format, a...)
56079 -#define dccp_pr_debug_cat(format, a...)
56080 -#define dccp_debug(format, a...)
56081 +#define dccp_pr_debug(format, a...) do {} while (0)
56082 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
56083 +#define dccp_debug(format, a...) do {} while (0)
56086 extern struct inet_hashinfo dccp_hashinfo;
56087 diff -urNp linux-2.6.36.2/net/decnet/sysctl_net_decnet.c linux-2.6.36.2/net/decnet/sysctl_net_decnet.c
56088 --- linux-2.6.36.2/net/decnet/sysctl_net_decnet.c 2010-10-20 16:30:22.000000000 -0400
56089 +++ linux-2.6.36.2/net/decnet/sysctl_net_decnet.c 2010-12-09 20:24:35.000000000 -0500
56090 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
56092 if (len > *lenp) len = *lenp;
56094 - if (copy_to_user(buffer, addr, len))
56095 + if (len > sizeof(addr) || copy_to_user(buffer, addr, len))
56099 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
56101 if (len > *lenp) len = *lenp;
56103 - if (copy_to_user(buffer, devname, len))
56104 + if (len > sizeof(devname) || copy_to_user(buffer, devname, len))
56108 diff -urNp linux-2.6.36.2/net/econet/Kconfig linux-2.6.36.2/net/econet/Kconfig
56109 --- linux-2.6.36.2/net/econet/Kconfig 2010-10-20 16:30:22.000000000 -0400
56110 +++ linux-2.6.36.2/net/econet/Kconfig 2010-12-09 20:24:33.000000000 -0500
56114 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
56115 - depends on EXPERIMENTAL && INET
56116 + depends on EXPERIMENTAL && INET && BROKEN
56118 Econet is a fairly old and slow networking protocol mainly used by
56119 Acorn computers to access file and print servers. It uses native
56120 diff -urNp linux-2.6.36.2/net/ipv4/inet_diag.c linux-2.6.36.2/net/ipv4/inet_diag.c
56121 --- linux-2.6.36.2/net/ipv4/inet_diag.c 2010-10-20 16:30:22.000000000 -0400
56122 +++ linux-2.6.36.2/net/ipv4/inet_diag.c 2010-12-09 20:24:33.000000000 -0500
56123 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
56124 r->idiag_retrans = 0;
56126 r->id.idiag_if = sk->sk_bound_dev_if;
56128 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56129 + r->id.idiag_cookie[0] = 0;
56130 + r->id.idiag_cookie[1] = 0;
56132 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
56133 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
56136 r->id.idiag_sport = inet->inet_sport;
56137 r->id.idiag_dport = inet->inet_dport;
56138 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
56139 r->idiag_family = tw->tw_family;
56140 r->idiag_retrans = 0;
56141 r->id.idiag_if = tw->tw_bound_dev_if;
56143 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56144 + r->id.idiag_cookie[0] = 0;
56145 + r->id.idiag_cookie[1] = 0;
56147 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
56148 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
56151 r->id.idiag_sport = tw->tw_sport;
56152 r->id.idiag_dport = tw->tw_dport;
56153 r->id.idiag_src[0] = tw->tw_rcv_saddr;
56154 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
56158 +#ifndef CONFIG_GRKERNSEC_HIDESYM
56160 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
56161 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
56162 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
56163 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
56168 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
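Review bot: Compiling the cookie comparison out under `CONFIG_GRKERNSEC_HIDESYM` means `inet_diag_get_exact()` no longer confirms that the socket it found is the one the requester saw earlier, so a request can presumably match a different socket that has since taken over the same lookup key. That follows from the fill routines now reporting zero cookies, but the hunk does not say so; at minimum add `/* HIDESYM: cookies are zeroed on output, so they cannot be verified here */`. A cookie that is not derived from the socket's address would preserve both the identity check and the pointer hiding, though that is a larger change than this hunk. The function continues outside the hunk.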
56169 @@ -578,8 +593,14 @@ static int inet_diag_fill_req(struct sk_
56170 r->idiag_retrans = req->retrans;
56172 r->id.idiag_if = sk->sk_bound_dev_if;
56174 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56175 + r->id.idiag_cookie[0] = 0;
56176 + r->id.idiag_cookie[1] = 0;
56178 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
56179 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
56182 tmo = req->expires - jiffies;
56184 diff -urNp linux-2.6.36.2/net/ipv4/inet_hashtables.c linux-2.6.36.2/net/ipv4/inet_hashtables.c
56185 --- linux-2.6.36.2/net/ipv4/inet_hashtables.c 2010-10-20 16:30:22.000000000 -0400
56186 +++ linux-2.6.36.2/net/ipv4/inet_hashtables.c 2010-12-09 20:24:33.000000000 -0500
56187 @@ -18,11 +18,14 @@
56188 #include <linux/sched.h>
56189 #include <linux/slab.h>
56190 #include <linux/wait.h>
56191 +#include <linux/security.h>
56193 #include <net/inet_connection_sock.h>
56194 #include <net/inet_hashtables.h>
56195 #include <net/route.h>
56196 #include <net/ip.h>
56198 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
56201 * Allocate and initialize a new local port bind bucket.
56202 * The bindhash mutex for snum's hash chain must be held here.
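Review bot: `gr_update_task_in_ip_table()` is declared with a bare `extern` inside this .c file instead of through a header, so the compiler cannot check the prototype against its definition. The same pattern recurs for `grsec_enable_blackhole` in tcp_ipv4.c, tcp_minisocks.c, udp.c and tcp_ipv6.c, for `grsec_lastack_retries` in tcp_timer.c, and for `gr_search_udp_recvmsg`/`gr_search_udp_sendmsg` in udp.c. Moving these declarations into one shared header that the defining file also includes would make a type or signature change fail the build rather than produce a silent mismatch. The `<linux/security.h>` include added in this hunk may be a suitable home, if that is where the other gr_* prototypes live.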
56203 @@ -506,6 +509,8 @@ ok:
56204 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
56205 spin_unlock(&head->lock);
56207 + gr_update_task_in_ip_table(current, inet_sk(sk));
56210 inet_twsk_deschedule(tw, death_row);
56212 diff -urNp linux-2.6.36.2/net/ipv4/inetpeer.c linux-2.6.36.2/net/ipv4/inetpeer.c
56213 --- linux-2.6.36.2/net/ipv4/inetpeer.c 2010-10-20 16:30:22.000000000 -0400
56214 +++ linux-2.6.36.2/net/ipv4/inetpeer.c 2010-12-09 20:24:33.000000000 -0500
56215 @@ -447,8 +447,8 @@ struct inet_peer *inet_getpeer(__be32 da
56217 p->v4daddr = daddr;
56218 atomic_set(&p->refcnt, 1);
56219 - atomic_set(&p->rid, 0);
56220 - atomic_set(&p->ip_id_count, secure_ip_id(daddr));
56221 + atomic_set_unchecked(&p->rid, 0);
56222 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr));
56223 p->tcp_ts_stamp = 0;
56224 INIT_LIST_HEAD(&p->unused);
56226 diff -urNp linux-2.6.36.2/net/ipv4/ip_fragment.c linux-2.6.36.2/net/ipv4/ip_fragment.c
56227 --- linux-2.6.36.2/net/ipv4/ip_fragment.c 2010-10-20 16:30:22.000000000 -0400
56228 +++ linux-2.6.36.2/net/ipv4/ip_fragment.c 2010-12-09 20:24:33.000000000 -0500
56229 @@ -279,7 +279,7 @@ static inline int ip_frag_too_far(struct
56233 - end = atomic_inc_return(&peer->rid);
56234 + end = atomic_inc_return_unchecked(&peer->rid);
56237 rc = qp->q.fragments && (end - start) > max;
56238 diff -urNp linux-2.6.36.2/net/ipv4/netfilter/arp_tables.c linux-2.6.36.2/net/ipv4/netfilter/arp_tables.c
56239 --- linux-2.6.36.2/net/ipv4/netfilter/arp_tables.c 2010-10-20 16:30:22.000000000 -0400
56240 +++ linux-2.6.36.2/net/ipv4/netfilter/arp_tables.c 2010-12-09 20:24:33.000000000 -0500
56241 @@ -927,6 +927,7 @@ static int get_info(struct net *net, voi
56245 + memset(&info, 0, sizeof(info));
56246 info.valid_hooks = t->valid_hooks;
56247 memcpy(info.hook_entry, private->hook_entry,
56248 sizeof(info.hook_entry));
56249 diff -urNp linux-2.6.36.2/net/ipv4/netfilter/ip_tables.c linux-2.6.36.2/net/ipv4/netfilter/ip_tables.c
56250 --- linux-2.6.36.2/net/ipv4/netfilter/ip_tables.c 2010-10-20 16:30:22.000000000 -0400
56251 +++ linux-2.6.36.2/net/ipv4/netfilter/ip_tables.c 2010-12-09 20:24:33.000000000 -0500
56252 @@ -1124,6 +1124,7 @@ static int get_info(struct net *net, voi
56256 + memset(&info, 0, sizeof(info));
56257 info.valid_hooks = t->valid_hooks;
56258 memcpy(info.hook_entry, private->hook_entry,
56259 sizeof(info.hook_entry));
56260 diff -urNp linux-2.6.36.2/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.36.2/net/ipv4/netfilter/nf_nat_snmp_basic.c
56261 --- linux-2.6.36.2/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-10-20 16:30:22.000000000 -0400
56262 +++ linux-2.6.36.2/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-12-09 20:24:33.000000000 -0500
56263 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
56267 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
56268 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
56269 if (*octets == NULL) {
56270 if (net_ratelimit())
56271 pr_notice("OOM in bsalg (%d)\n", __LINE__);
56272 diff -urNp linux-2.6.36.2/net/ipv4/route.c linux-2.6.36.2/net/ipv4/route.c
56273 --- linux-2.6.36.2/net/ipv4/route.c 2010-10-20 16:30:22.000000000 -0400
56274 +++ linux-2.6.36.2/net/ipv4/route.c 2010-12-09 20:24:33.000000000 -0500
56275 @@ -2890,7 +2890,7 @@ static int rt_fill_info(struct net *net,
56276 expires = rt->dst.expires ? rt->dst.expires - jiffies : 0;
56278 inet_peer_refcheck(rt->peer);
56279 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
56280 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
56281 if (rt->peer->tcp_ts_stamp) {
56282 ts = rt->peer->tcp_ts;
56283 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
56284 diff -urNp linux-2.6.36.2/net/ipv4/tcp.c linux-2.6.36.2/net/ipv4/tcp.c
56285 --- linux-2.6.36.2/net/ipv4/tcp.c 2010-10-20 16:30:22.000000000 -0400
56286 +++ linux-2.6.36.2/net/ipv4/tcp.c 2010-12-09 20:24:33.000000000 -0500
56287 @@ -2246,7 +2246,7 @@ static int do_tcp_setsockopt(struct sock
56288 /* Values greater than interface MTU won't take effect. However
56289 * at the point when this call is done we typically don't yet
56290 * know which interface is going to be used */
56291 - if (val < 8 || val > MAX_TCP_WINDOW) {
56292 + if (val < 64 || val > MAX_TCP_WINDOW) {
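Review bot: The lower bound for this option changes from 8 to 64 as a bare literal, and the comment above it still only discusses values larger than the interface MTU. Values from 8 to 63 that were accepted before are now rejected, which is a user-visible change worth recording next to the check, e.g. `/* refuse very small segment sizes (presumably to limit per-packet overhead); was 8 */`. A named constant in place of `64` would also make the limit searchable. `do_tcp_setsockopt` starts and ends outside the hunk.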
56296 diff -urNp linux-2.6.36.2/net/ipv4/tcp_ipv4.c linux-2.6.36.2/net/ipv4/tcp_ipv4.c
56297 --- linux-2.6.36.2/net/ipv4/tcp_ipv4.c 2010-10-20 16:30:22.000000000 -0400
56298 +++ linux-2.6.36.2/net/ipv4/tcp_ipv4.c 2010-12-09 20:24:33.000000000 -0500
56299 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
56300 int sysctl_tcp_low_latency __read_mostly;
56301 EXPORT_SYMBOL(sysctl_tcp_low_latency);
56303 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56304 +extern int grsec_enable_blackhole;
56307 #ifdef CONFIG_TCP_MD5SIG
56308 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
56309 @@ -1597,6 +1600,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
56313 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56314 + if (!grsec_enable_blackhole)
56316 tcp_v4_send_reset(rsk, skb);
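Review bot: The added `if (!grsec_enable_blackhole)` has no body of its own and governs whatever statement follows the preprocessor block, here `tcp_v4_send_reset(rsk, skb);`. Suppressing the reset therefore depends on nobody ever inserting a line between the guard and the call. The same shape is used in the `no_tcp_socket` hunk of this file, at `listen_overflow` in tcp_minisocks.c, in `__udp4_lib_rcv` and in `tcp_v6_do_rcv`. Putting the call in braces under the condition, or testing a small inline predicate that is constant false when the option is off, would keep guard and call together. The `#endif` and the enclosing function lie outside the visible lines.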
56319 @@ -1659,12 +1665,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
56320 TCP_SKB_CB(skb)->sacked = 0;
56322 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
56325 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56328 goto no_tcp_socket;
56332 - if (sk->sk_state == TCP_TIME_WAIT)
56333 + if (sk->sk_state == TCP_TIME_WAIT) {
56334 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56340 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
56341 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
56342 @@ -1714,6 +1727,10 @@ no_tcp_socket:
56344 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
56346 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56347 + if (!grsec_enable_blackhole || (ret == 1 &&
56348 + (skb->dev->flags & IFF_LOOPBACK)))
56350 tcp_v4_send_reset(NULL, skb);
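Review bot: `ret == 1` in the added condition is an unexplained magic value. `ret` is assigned outside the visible lines, presumably in the lookup hunk above, whose additions under `CONFIG_GRKERNSEC_BLACKHOLE` are only partly shown. A comment on the condition, e.g. `/* ret == 1 marks a failed socket lookup (TODO confirm); loopback peers still get their RST */`, or a named constant in place of `1`, would show why resets are still sent for that case on loopback interfaces. `tcp_v4_rcv` continues outside the hunk.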
56353 @@ -2400,7 +2417,11 @@ static void get_openreq4(struct sock *sk
56354 0, /* non standard timer */
56355 0, /* open_requests have no inode */
56356 atomic_read(&sk->sk_refcnt),
56357 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56365 @@ -2450,7 +2471,12 @@ static void get_tcp4_sock(struct sock *s
56367 icsk->icsk_probes_out,
56369 - atomic_read(&sk->sk_refcnt), sk,
56370 + atomic_read(&sk->sk_refcnt),
56371 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56376 jiffies_to_clock_t(icsk->icsk_rto),
56377 jiffies_to_clock_t(icsk->icsk_ack.ato),
56378 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
56379 @@ -2478,7 +2504,13 @@ static void get_timewait4_sock(struct in
56380 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
56381 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
56382 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
56383 - atomic_read(&tw->tw_refcnt), tw, len);
56384 + atomic_read(&tw->tw_refcnt),
56385 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56394 diff -urNp linux-2.6.36.2/net/ipv4/tcp_minisocks.c linux-2.6.36.2/net/ipv4/tcp_minisocks.c
56395 --- linux-2.6.36.2/net/ipv4/tcp_minisocks.c 2010-10-20 16:30:22.000000000 -0400
56396 +++ linux-2.6.36.2/net/ipv4/tcp_minisocks.c 2010-12-09 20:24:33.000000000 -0500
56398 #include <net/inet_common.h>
56399 #include <net/xfrm.h>
56401 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56402 +extern int grsec_enable_blackhole;
56405 int sysctl_tcp_syncookies __read_mostly = 1;
56406 EXPORT_SYMBOL(sysctl_tcp_syncookies);
56408 @@ -700,6 +704,10 @@ listen_overflow:
56411 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
56413 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56414 + if (!grsec_enable_blackhole)
56416 if (!(flg & TCP_FLAG_RST))
56417 req->rsk_ops->send_reset(sk, skb);
56419 diff -urNp linux-2.6.36.2/net/ipv4/tcp_probe.c linux-2.6.36.2/net/ipv4/tcp_probe.c
56420 --- linux-2.6.36.2/net/ipv4/tcp_probe.c 2010-10-20 16:30:22.000000000 -0400
56421 +++ linux-2.6.36.2/net/ipv4/tcp_probe.c 2010-12-09 20:24:33.000000000 -0500
56422 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
56423 if (cnt + width >= len)
56426 - if (copy_to_user(buf + cnt, tbuf, width))
56427 + if (width > sizeof(tbuf) || copy_to_user(buf + cnt, tbuf, width))
56431 diff -urNp linux-2.6.36.2/net/ipv4/tcp_timer.c linux-2.6.36.2/net/ipv4/tcp_timer.c
56432 --- linux-2.6.36.2/net/ipv4/tcp_timer.c 2010-10-20 16:30:22.000000000 -0400
56433 +++ linux-2.6.36.2/net/ipv4/tcp_timer.c 2010-12-09 20:24:33.000000000 -0500
56435 #include <linux/gfp.h>
56436 #include <net/tcp.h>
56438 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56439 +extern int grsec_lastack_retries;
56442 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
56443 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
56444 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
56445 @@ -198,6 +202,13 @@ static int tcp_write_timeout(struct sock
56449 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56450 + if ((sk->sk_state == TCP_LAST_ACK) &&
56451 + (grsec_lastack_retries > 0) &&
56452 + (grsec_lastack_retries < retry_until))
56453 + retry_until = grsec_lastack_retries;
56456 if (retransmits_timed_out(sk, retry_until, syn_set)) {
56457 /* Has it gone just too far? */
56459 diff -urNp linux-2.6.36.2/net/ipv4/udp.c linux-2.6.36.2/net/ipv4/udp.c
56460 --- linux-2.6.36.2/net/ipv4/udp.c 2010-10-20 16:30:22.000000000 -0400
56461 +++ linux-2.6.36.2/net/ipv4/udp.c 2010-12-09 20:24:33.000000000 -0500
56463 #include <linux/types.h>
56464 #include <linux/fcntl.h>
56465 #include <linux/module.h>
56466 +#include <linux/security.h>
56467 #include <linux/socket.h>
56468 #include <linux/sockios.h>
56469 #include <linux/igmp.h>
56470 @@ -107,6 +108,10 @@
56471 #include <net/xfrm.h>
56472 #include "udp_impl.h"
56474 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56475 +extern int grsec_enable_blackhole;
56478 struct udp_table udp_table __read_mostly;
56479 EXPORT_SYMBOL(udp_table);
56481 @@ -564,6 +569,9 @@ found:
56485 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
56486 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
56489 * This routine is called by the ICMP module when it gets some
56490 * sort of error condition. If err < 0 then the socket should
56491 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
56492 dport = usin->sin_port;
56496 + err = gr_search_udp_sendmsg(sk, usin);
56500 if (sk->sk_state != TCP_ESTABLISHED)
56501 return -EDESTADDRREQ;
56503 + err = gr_search_udp_sendmsg(sk, NULL);
56507 daddr = inet->inet_daddr;
56508 dport = inet->inet_dport;
56509 /* Open fast path for connected socket.
56510 @@ -1141,6 +1158,10 @@ try_again:
56514 + err = gr_search_udp_recvmsg(sk, skb);
56518 ulen = skb->len - sizeof(struct udphdr);
56521 @@ -1625,6 +1646,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
56524 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
56525 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56526 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
56528 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
56531 @@ -2051,7 +2075,12 @@ static void udp4_format_sock(struct sock
56532 sk_wmem_alloc_get(sp),
56533 sk_rmem_alloc_get(sp),
56534 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
56535 - atomic_read(&sp->sk_refcnt), sp,
56536 + atomic_read(&sp->sk_refcnt),
56537 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56542 atomic_read(&sp->sk_drops), len);
56545 diff -urNp linux-2.6.36.2/net/ipv6/exthdrs.c linux-2.6.36.2/net/ipv6/exthdrs.c
56546 --- linux-2.6.36.2/net/ipv6/exthdrs.c 2010-10-20 16:30:22.000000000 -0400
56547 +++ linux-2.6.36.2/net/ipv6/exthdrs.c 2010-12-09 20:24:36.000000000 -0500
56548 @@ -634,7 +634,7 @@ static struct tlvtype_proc tlvprochopopt
56549 .type = IPV6_TLV_JUMBO,
56550 .func = ipv6_hop_jumbo,
56556 int ipv6_parse_hopopts(struct sk_buff *skb)
56557 diff -urNp linux-2.6.36.2/net/ipv6/netfilter/ip6_tables.c linux-2.6.36.2/net/ipv6/netfilter/ip6_tables.c
56558 --- linux-2.6.36.2/net/ipv6/netfilter/ip6_tables.c 2010-10-20 16:30:22.000000000 -0400
56559 +++ linux-2.6.36.2/net/ipv6/netfilter/ip6_tables.c 2010-12-09 20:24:36.000000000 -0500
56560 @@ -1137,6 +1137,7 @@ static int get_info(struct net *net, voi
56564 + memset(&info, 0, sizeof(info));
56565 info.valid_hooks = t->valid_hooks;
56566 memcpy(info.hook_entry, private->hook_entry,
56567 sizeof(info.hook_entry));
56568 diff -urNp linux-2.6.36.2/net/ipv6/raw.c linux-2.6.36.2/net/ipv6/raw.c
56569 --- linux-2.6.36.2/net/ipv6/raw.c 2010-10-20 16:30:22.000000000 -0400
56570 +++ linux-2.6.36.2/net/ipv6/raw.c 2010-12-09 20:24:36.000000000 -0500
56571 @@ -601,7 +601,7 @@ out:
56575 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
56576 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
56577 struct flowi *fl, struct dst_entry **dstp,
56578 unsigned int flags)
56580 @@ -1243,7 +1243,13 @@ static void raw6_sock_seq_show(struct se
56584 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
56585 + atomic_read(&sp->sk_refcnt),
56586 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56591 + atomic_read(&sp->sk_drops));
56594 static int raw6_seq_show(struct seq_file *seq, void *v)
56595 diff -urNp linux-2.6.36.2/net/ipv6/tcp_ipv6.c linux-2.6.36.2/net/ipv6/tcp_ipv6.c
56596 --- linux-2.6.36.2/net/ipv6/tcp_ipv6.c 2010-10-20 16:30:22.000000000 -0400
56597 +++ linux-2.6.36.2/net/ipv6/tcp_ipv6.c 2010-12-09 20:24:35.000000000 -0500
56598 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
56602 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56603 +extern int grsec_enable_blackhole;
56606 static void tcp_v6_hash(struct sock *sk)
56608 if (sk->sk_state != TCP_CLOSE) {
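Review bot: `extern int grsec_enable_blackhole;` is declared directly in this .c file, and the same declaration is repeated in net/ipv6/udp.c further down. Keeping the declaration in one shared header lets the compiler check it against the definition and stops the copies drifting apart if the type ever changes. The patch already has `<linux/grsecurity.h>` (included by xt_gradm.c), which looks like a natural home, though whether that header suits these files is not visible here.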
56609 @@ -1627,6 +1631,9 @@ static int tcp_v6_do_rcv(struct sock *sk
56613 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56614 + if (!grsec_enable_blackhole)
56616 tcp_v6_send_reset(sk, skb);
56619 @@ -1706,12 +1713,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
56620 TCP_SKB_CB(skb)->sacked = 0;
56622 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
56625 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56628 goto no_tcp_socket;
56632 - if (sk->sk_state == TCP_TIME_WAIT)
56633 + if (sk->sk_state == TCP_TIME_WAIT) {
56634 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56640 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
56641 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
56642 @@ -1759,6 +1774,10 @@ no_tcp_socket:
56644 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
56646 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56647 + if (!grsec_enable_blackhole || (ret == 1 &&
56648 + (skb->dev->flags & IFF_LOOPBACK)))
56650 tcp_v6_send_reset(NULL, skb);
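Review bot: The added condition `ret == 1 && (skb->dev->flags & IFF_LOOPBACK)` has no comment, and what `ret == 1` means cannot be recovered from this hunk. The UDP paths in __udp4_lib_rcv and __udp6_lib_rcv exempt loopback without any such extra term, so the difference deserves a word. A one-line comment above the `#ifdef` would do, along the lines of `/* blackhole: stay silent to remote peers, still answer loopback; ret == 1 means <meaning> */`, with the placeholder filled in from where `ret` is assigned. tcp_v6_rcv's body starts outside the hunk.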
56653 @@ -1987,7 +2006,13 @@ static void get_openreq6(struct seq_file
56655 0, /* non standard timer */
56656 0, /* open_requests have no inode */
56659 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56667 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
56668 @@ -2037,7 +2062,12 @@ static void get_tcp6_sock(struct seq_fil
56670 icsk->icsk_probes_out,
56672 - atomic_read(&sp->sk_refcnt), sp,
56673 + atomic_read(&sp->sk_refcnt),
56674 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56679 jiffies_to_clock_t(icsk->icsk_rto),
56680 jiffies_to_clock_t(icsk->icsk_ack.ato),
56681 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
56682 @@ -2072,7 +2102,13 @@ static void get_timewait6_sock(struct se
56683 dest->s6_addr32[2], dest->s6_addr32[3], destp,
56684 tw->tw_substate, 0, 0,
56685 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
56686 - atomic_read(&tw->tw_refcnt), tw);
56687 + atomic_read(&tw->tw_refcnt),
56688 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56696 static int tcp6_seq_show(struct seq_file *seq, void *v)
56697 diff -urNp linux-2.6.36.2/net/ipv6/udp.c linux-2.6.36.2/net/ipv6/udp.c
56698 --- linux-2.6.36.2/net/ipv6/udp.c 2010-10-20 16:30:22.000000000 -0400
56699 +++ linux-2.6.36.2/net/ipv6/udp.c 2010-12-09 20:24:36.000000000 -0500
56701 #include <linux/seq_file.h>
56702 #include "udp_impl.h"
56704 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56705 +extern int grsec_enable_blackhole;
56708 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
56710 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
56711 @@ -765,6 +769,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
56712 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
56713 proto == IPPROTO_UDPLITE);
56715 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56716 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
56718 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
56721 @@ -1399,7 +1406,12 @@ static void udp6_sock_seq_show(struct se
56725 - atomic_read(&sp->sk_refcnt), sp,
56726 + atomic_read(&sp->sk_refcnt),
56727 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56732 atomic_read(&sp->sk_drops));
56735 diff -urNp linux-2.6.36.2/net/irda/ircomm/ircomm_tty.c linux-2.6.36.2/net/irda/ircomm/ircomm_tty.c
56736 --- linux-2.6.36.2/net/irda/ircomm/ircomm_tty.c 2010-10-20 16:30:22.000000000 -0400
56737 +++ linux-2.6.36.2/net/irda/ircomm/ircomm_tty.c 2010-12-09 20:24:34.000000000 -0500
56738 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
56739 add_wait_queue(&self->open_wait, &wait);
56741 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
56742 - __FILE__,__LINE__, tty->driver->name, self->open_count );
56743 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
56745 /* As far as I can see, we protect open_count - Jean II */
56746 spin_lock_irqsave(&self->spinlock, flags);
56747 if (!tty_hung_up_p(filp)) {
56749 - self->open_count--;
56750 + atomic_dec(&self->open_count);
56752 spin_unlock_irqrestore(&self->spinlock, flags);
56753 - self->blocked_open++;
56754 + atomic_inc(&self->blocked_open);
56757 if (tty->termios->c_cflag & CBAUD) {
56758 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
56761 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
56762 - __FILE__,__LINE__, tty->driver->name, self->open_count );
56763 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
56767 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
56769 /* ++ is not atomic, so this should be protected - Jean II */
56770 spin_lock_irqsave(&self->spinlock, flags);
56771 - self->open_count++;
56772 + atomic_inc(&self->open_count);
56773 spin_unlock_irqrestore(&self->spinlock, flags);
56775 - self->blocked_open--;
56776 + atomic_dec(&self->blocked_open);
56778 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
56779 - __FILE__,__LINE__, tty->driver->name, self->open_count);
56780 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
56783 self->flags |= ASYNC_NORMAL_ACTIVE;
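Review bot: The retained comment `/* ++ is not atomic, so this should be protected - Jean II */` no longer matches the statement beneath it, which is now `atomic_inc(&self->open_count);`. The same stale comment sits above the `atomic_inc()` in the ircomm_tty_open hunk. If the spinlock is still required, the comment should say for what; the compound read-then-set sequences in ircomm_tty_close look like the likely reason. Suggested wording, to be confirmed against the callers: `/* open_count is atomic_t; the spinlock is kept to serialise against close/hangup */`. ircomm_tty_block_til_ready's body extends beyond the hunk.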
56784 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
56786 /* ++ is not atomic, so this should be protected - Jean II */
56787 spin_lock_irqsave(&self->spinlock, flags);
56788 - self->open_count++;
56789 + atomic_inc(&self->open_count);
56791 tty->driver_data = self;
56793 spin_unlock_irqrestore(&self->spinlock, flags);
56795 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
56796 - self->line, self->open_count);
56797 + self->line, atomic_read(&self->open_count));
56799 /* Not really used by us, but lets do it anyway */
56800 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
56801 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
56805 - if ((tty->count == 1) && (self->open_count != 1)) {
56806 + if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
56808 * Uh, oh. tty->count is 1, which means that the tty
56809 * structure will be freed. state->count should always
56810 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
56812 IRDA_DEBUG(0, "%s(), bad serial port count; "
56813 "tty->count is 1, state->count is %d\n", __func__ ,
56814 - self->open_count);
56815 - self->open_count = 1;
56816 + atomic_read(&self->open_count));
56817 + atomic_set(&self->open_count, 1);
56820 - if (--self->open_count < 0) {
56821 + if (atomic_dec_return(&self->open_count) < 0) {
56822 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
56823 - __func__, self->line, self->open_count);
56824 - self->open_count = 0;
56825 + __func__, self->line, atomic_read(&self->open_count));
56826 + atomic_set(&self->open_count, 0);
56828 - if (self->open_count) {
56829 + if (atomic_read(&self->open_count)) {
56830 spin_unlock_irqrestore(&self->spinlock, flags);
56832 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
56833 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
56837 - if (self->blocked_open) {
56838 + if (atomic_read(&self->blocked_open)) {
56839 if (self->close_delay)
56840 schedule_timeout_interruptible(self->close_delay);
56841 wake_up_interruptible(&self->open_wait);
56842 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
56843 spin_lock_irqsave(&self->spinlock, flags);
56844 self->flags &= ~ASYNC_NORMAL_ACTIVE;
56846 - self->open_count = 0;
56847 + atomic_set(&self->open_count, 0);
56848 spin_unlock_irqrestore(&self->spinlock, flags);
56850 wake_up_interruptible(&self->open_wait);
56851 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
56854 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
56855 - seq_printf(m, "Open count: %d\n", self->open_count);
56856 + seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
56857 seq_printf(m, "Max data size: %d\n", self->max_data_size);
56858 seq_printf(m, "Max header size: %d\n", self->max_header_size);
56860 diff -urNp linux-2.6.36.2/net/key/af_key.c linux-2.6.36.2/net/key/af_key.c
56861 --- linux-2.6.36.2/net/key/af_key.c 2010-10-20 16:30:22.000000000 -0400
56862 +++ linux-2.6.36.2/net/key/af_key.c 2010-12-09 20:24:34.000000000 -0500
56863 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
56864 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
56866 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
56867 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56872 atomic_read(&s->sk_refcnt),
56873 sk_rmem_alloc_get(s),
56874 sk_wmem_alloc_get(s),
56875 diff -urNp linux-2.6.36.2/net/mac80211/ieee80211_i.h linux-2.6.36.2/net/mac80211/ieee80211_i.h
56876 --- linux-2.6.36.2/net/mac80211/ieee80211_i.h 2010-12-09 20:53:49.000000000 -0500
56877 +++ linux-2.6.36.2/net/mac80211/ieee80211_i.h 2010-12-09 20:54:43.000000000 -0500
56878 @@ -650,7 +650,7 @@ struct ieee80211_local {
56879 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
56880 spinlock_t queue_stop_reason_lock;
56883 + atomic_t open_count;
56884 int monitors, cooked_mntrs;
56885 /* number of interfaces with corresponding FIF_ flags */
56886 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
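Review bot: The new `atomic_t open_count;` field carries no comment on what protects the open/stop sequence after the conversion. In net/mac80211/iface.c the converted code still performs `atomic_read(&local->open_count) == 0` and `atomic_inc(&local->open_count)` as separate steps, so the type change by itself does not make the check-and-increment atomic. That still depends on whatever lock serialises ieee80211_open and ieee80211_stop, which is not visible here. A field comment such as `/* atomic_t for counter semantics only; open/stop are serialised by <lock> */` would record the assumption.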
56887 diff -urNp linux-2.6.36.2/net/mac80211/iface.c linux-2.6.36.2/net/mac80211/iface.c
56888 --- linux-2.6.36.2/net/mac80211/iface.c 2010-10-20 16:30:22.000000000 -0400
56889 +++ linux-2.6.36.2/net/mac80211/iface.c 2010-12-09 20:24:35.000000000 -0500
56890 @@ -183,7 +183,7 @@ static int ieee80211_open(struct net_dev
56894 - if (local->open_count == 0) {
56895 + if (atomic_read(&local->open_count) == 0) {
56896 res = drv_start(local);
56899 @@ -215,7 +215,7 @@ static int ieee80211_open(struct net_dev
56900 * Validate the MAC address for this device.
56902 if (!is_valid_ether_addr(dev->dev_addr)) {
56903 - if (!local->open_count)
56904 + if (!atomic_read(&local->open_count))
56906 return -EADDRNOTAVAIL;
56908 @@ -309,7 +309,7 @@ static int ieee80211_open(struct net_dev
56910 hw_reconf_flags |= __ieee80211_recalc_idle(local);
56912 - local->open_count++;
56913 + atomic_inc(&local->open_count);
56914 if (hw_reconf_flags) {
56915 ieee80211_hw_config(local, hw_reconf_flags);
56917 @@ -328,7 +328,7 @@ static int ieee80211_open(struct net_dev
56919 drv_remove_interface(local, &sdata->vif);
56921 - if (!local->open_count)
56922 + if (!atomic_read(&local->open_count))
56926 @@ -418,7 +418,7 @@ static int ieee80211_stop(struct net_dev
56927 WARN_ON(!list_empty(&sdata->u.ap.vlans));
56930 - local->open_count--;
56931 + atomic_dec(&local->open_count);
56933 switch (sdata->vif.type) {
56934 case NL80211_IFTYPE_AP_VLAN:
56935 @@ -518,7 +518,7 @@ static int ieee80211_stop(struct net_dev
56937 ieee80211_recalc_ps(local, -1);
56939 - if (local->open_count == 0) {
56940 + if (atomic_read(&local->open_count) == 0) {
56941 ieee80211_clear_tx_pending(local);
56942 ieee80211_stop_device(local);
56944 diff -urNp linux-2.6.36.2/net/mac80211/main.c linux-2.6.36.2/net/mac80211/main.c
56945 --- linux-2.6.36.2/net/mac80211/main.c 2010-12-09 20:53:49.000000000 -0500
56946 +++ linux-2.6.36.2/net/mac80211/main.c 2010-12-09 20:54:43.000000000 -0500
56947 @@ -153,7 +153,7 @@ int ieee80211_hw_config(struct ieee80211
56948 local->hw.conf.power_level = power;
56951 - if (changed && local->open_count) {
56952 + if (changed && atomic_read(&local->open_count)) {
56953 ret = drv_config(local, changed);
56956 diff -urNp linux-2.6.36.2/net/mac80211/pm.c linux-2.6.36.2/net/mac80211/pm.c
56957 --- linux-2.6.36.2/net/mac80211/pm.c 2010-10-20 16:30:22.000000000 -0400
56958 +++ linux-2.6.36.2/net/mac80211/pm.c 2010-12-09 20:24:35.000000000 -0500
56959 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
56962 /* stop hardware - this must stop RX */
56963 - if (local->open_count)
56964 + if (atomic_read(&local->open_count))
56965 ieee80211_stop_device(local);
56967 local->suspended = true;
56968 diff -urNp linux-2.6.36.2/net/mac80211/rate.c linux-2.6.36.2/net/mac80211/rate.c
56969 --- linux-2.6.36.2/net/mac80211/rate.c 2010-12-09 20:53:49.000000000 -0500
56970 +++ linux-2.6.36.2/net/mac80211/rate.c 2010-12-09 20:54:43.000000000 -0500
56971 @@ -360,7 +360,7 @@ int ieee80211_init_rate_ctrl_alg(struct
56975 - if (local->open_count)
56976 + if (atomic_read(&local->open_count))
56979 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
56980 diff -urNp linux-2.6.36.2/net/mac80211/rc80211_pid_debugfs.c linux-2.6.36.2/net/mac80211/rc80211_pid_debugfs.c
56981 --- linux-2.6.36.2/net/mac80211/rc80211_pid_debugfs.c 2010-10-20 16:30:22.000000000 -0400
56982 +++ linux-2.6.36.2/net/mac80211/rc80211_pid_debugfs.c 2010-12-09 20:24:35.000000000 -0500
56983 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
56985 spin_unlock_irqrestore(&events->lock, status);
56987 - if (copy_to_user(buf, pb, p))
56988 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
56992 diff -urNp linux-2.6.36.2/net/mac80211/tx.c linux-2.6.36.2/net/mac80211/tx.c
56993 --- linux-2.6.36.2/net/mac80211/tx.c 2010-10-20 16:30:22.000000000 -0400
56994 +++ linux-2.6.36.2/net/mac80211/tx.c 2010-12-09 20:24:35.000000000 -0500
56995 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
56996 return cpu_to_le16(dur);
56999 -static int inline is_ieee80211_device(struct ieee80211_local *local,
57000 +static inline int is_ieee80211_device(struct ieee80211_local *local,
57001 struct net_device *dev)
57003 return local == wdev_priv(dev->ieee80211_ptr);
57004 diff -urNp linux-2.6.36.2/net/mac80211/util.c linux-2.6.36.2/net/mac80211/util.c
57005 --- linux-2.6.36.2/net/mac80211/util.c 2010-10-20 16:30:22.000000000 -0400
57006 +++ linux-2.6.36.2/net/mac80211/util.c 2010-12-09 20:24:35.000000000 -0500
57007 @@ -1101,7 +1101,7 @@ int ieee80211_reconfig(struct ieee80211_
57008 local->resuming = true;
57010 /* restart hardware */
57011 - if (local->open_count) {
57012 + if (atomic_read(&local->open_count)) {
57014 * Upon resume hardware can sometimes be goofy due to
57015 * various platform / driver / bus issues, so restarting
57016 diff -urNp linux-2.6.36.2/net/netfilter/Kconfig linux-2.6.36.2/net/netfilter/Kconfig
57017 --- linux-2.6.36.2/net/netfilter/Kconfig 2010-10-20 16:30:22.000000000 -0400
57018 +++ linux-2.6.36.2/net/netfilter/Kconfig 2010-12-09 20:24:32.000000000 -0500
57019 @@ -708,6 +708,16 @@ config NETFILTER_XT_MATCH_ESP
57021 To compile it as a module, choose M here. If unsure, say N.
57023 +config NETFILTER_XT_MATCH_GRADM
57024 + tristate '"gradm" match support'
57025 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
57026 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
57028 + The gradm match allows to match on grsecurity RBAC being enabled.
57029 + It is useful when iptables rules are applied early on bootup to
57030 + prevent connections to the machine (except from a trusted host)
57031 + while the RBAC system is disabled.
57033 config NETFILTER_XT_MATCH_HASHLIMIT
57034 tristate '"hashlimit" match support'
57035 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
57036 diff -urNp linux-2.6.36.2/net/netfilter/Makefile linux-2.6.36.2/net/netfilter/Makefile
57037 --- linux-2.6.36.2/net/netfilter/Makefile 2010-10-20 16:30:22.000000000 -0400
57038 +++ linux-2.6.36.2/net/netfilter/Makefile 2010-12-09 20:24:32.000000000 -0500
57039 @@ -74,6 +74,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) +=
57040 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
57041 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
57042 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
57043 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
57044 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
57045 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
57046 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
57047 diff -urNp linux-2.6.36.2/net/netfilter/nf_conntrack_netlink.c linux-2.6.36.2/net/netfilter/nf_conntrack_netlink.c
57048 --- linux-2.6.36.2/net/netfilter/nf_conntrack_netlink.c 2010-10-20 16:30:22.000000000 -0400
57049 +++ linux-2.6.36.2/net/netfilter/nf_conntrack_netlink.c 2010-12-09 20:24:32.000000000 -0500
57050 @@ -733,7 +733,7 @@ static const struct nla_policy tuple_nla
57052 ctnetlink_parse_tuple(const struct nlattr * const cda[],
57053 struct nf_conntrack_tuple *tuple,
57054 - enum ctattr_tuple type, u_int8_t l3num)
57055 + enum ctattr_type type, u_int8_t l3num)
57057 struct nlattr *tb[CTA_TUPLE_MAX+1];
57059 diff -urNp linux-2.6.36.2/net/netfilter/xt_gradm.c linux-2.6.36.2/net/netfilter/xt_gradm.c
57060 --- linux-2.6.36.2/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
57061 +++ linux-2.6.36.2/net/netfilter/xt_gradm.c 2010-12-09 20:24:32.000000000 -0500
57064 + * gradm match for netfilter
57065 + * Copyright © Zbigniew Krzystolik, 2010
57067 + * This program is free software; you can redistribute it and/or modify
57068 + * it under the terms of the GNU General Public License; either version
57069 + * 2 or 3 as published by the Free Software Foundation.
57071 +#include <linux/module.h>
57072 +#include <linux/moduleparam.h>
57073 +#include <linux/skbuff.h>
57074 +#include <linux/netfilter/x_tables.h>
57075 +#include <linux/grsecurity.h>
57076 +#include <linux/netfilter/xt_gradm.h>
57079 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
57081 + const struct xt_gradm_mtinfo *info = par->matchinfo;
57082 + bool retval = false;
57083 + if (gr_acl_is_enabled())
57085 + return retval ^ info->invflags;
57088 +static struct xt_match gradm_mt_reg __read_mostly = {
57091 + .family = NFPROTO_UNSPEC,
57092 + .match = gradm_mt,
57093 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
57094 + .me = THIS_MODULE,
57097 +static int __init gradm_mt_init(void)
57099 + return xt_register_match(&gradm_mt_reg);
57102 +static void __exit gradm_mt_exit(void)
57104 + xt_unregister_match(&gradm_mt_reg);
57107 +module_init(gradm_mt_init);
57108 +module_exit(gradm_mt_exit);
57109 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
57110 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
57111 +MODULE_LICENSE("GPL");
57112 +MODULE_ALIAS("ipt_gradm");
57113 +MODULE_ALIAS("ip6t_gradm");
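Review bot: `return retval ^ info->invflags;` in gradm_mt XORs a bool with a value taken from the userspace-supplied match info, and no `.checkentry` is visible in gradm_mt_reg to constrain it. If `invflags` is wider than one bit (its type is in xt_gradm.h, not shown), any value with a higher bit set makes the match return true whether or not RBAC is enabled. That would silently change the meaning of a rule intended to restrict access while RBAC is off. Normalising at the use site with `return retval ^ !!info->invflags;`, or rejecting `invflags > 1` in a checkentry hook, closes the gap. Several lines of this new file are missing from the extract, so the registration may contain fields not seen here.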
57114 diff -urNp linux-2.6.36.2/net/netlink/af_netlink.c linux-2.6.36.2/net/netlink/af_netlink.c
57115 --- linux-2.6.36.2/net/netlink/af_netlink.c 2010-10-20 16:30:22.000000000 -0400
57116 +++ linux-2.6.36.2/net/netlink/af_netlink.c 2010-12-09 20:24:34.000000000 -0500
57117 @@ -2007,13 +2007,21 @@ static int netlink_seq_show(struct seq_f
57118 struct netlink_sock *nlk = nlk_sk(s);
57120 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
57121 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57128 nlk->groups ? (u32)nlk->groups[0] : 0,
57129 sk_rmem_alloc_get(s),
57130 sk_wmem_alloc_get(s),
57131 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57136 atomic_read(&s->sk_refcnt),
57137 atomic_read(&s->sk_drops),
57139 diff -urNp linux-2.6.36.2/net/netrom/af_netrom.c linux-2.6.36.2/net/netrom/af_netrom.c
57140 --- linux-2.6.36.2/net/netrom/af_netrom.c 2010-10-20 16:30:22.000000000 -0400
57141 +++ linux-2.6.36.2/net/netrom/af_netrom.c 2010-12-09 20:24:34.000000000 -0500
57142 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
57143 struct sock *sk = sock->sk;
57144 struct nr_sock *nr = nr_sk(sk);
57146 + memset(sax, 0, sizeof(*sax));
57149 if (sk->sk_state != TCP_ESTABLISHED) {
57150 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
57151 *uaddr_len = sizeof(struct full_sockaddr_ax25);
57153 sax->fsa_ax25.sax25_family = AF_NETROM;
57154 - sax->fsa_ax25.sax25_ndigis = 0;
57155 sax->fsa_ax25.sax25_call = nr->source_addr;
57156 *uaddr_len = sizeof(struct sockaddr_ax25);
57158 diff -urNp linux-2.6.36.2/net/packet/af_packet.c linux-2.6.36.2/net/packet/af_packet.c
57159 --- linux-2.6.36.2/net/packet/af_packet.c 2010-10-20 16:30:22.000000000 -0400
57160 +++ linux-2.6.36.2/net/packet/af_packet.c 2010-12-09 20:24:35.000000000 -0500
57161 @@ -1610,8 +1610,9 @@ static int packet_recvmsg(struct kiocb *
57164 vnet_hdr_len = sizeof(vnet_hdr);
57165 - if ((len -= vnet_hdr_len) < 0)
57166 + if (len < vnet_hdr_len)
57168 + len -= vnet_hdr_len;
57170 if (skb_is_gso(skb)) {
57171 struct skb_shared_info *sinfo = skb_shinfo(skb);
57172 @@ -1719,7 +1720,7 @@ static int packet_getname_spkt(struct so
57174 dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
57176 - strlcpy(uaddr->sa_data, dev->name, 15);
57177 + strncpy(uaddr->sa_data, dev->name, 14);
57179 memset(uaddr->sa_data, 0, 14);
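Review bot: With `strncpy(uaddr->sa_data, dev->name, 14);` the result is not NUL-terminated when the interface name is 14 characters or longer, and nothing in the hunk tells the reader so. A comment such as `/* sa_data is a fixed 14-byte field: zero-padded, not NUL-terminated for long names */` should accompany the call. Replacing the literal 14 here and in the `memset` with `sizeof(uaddr->sa_data)` would also tie both bounds to the field. packet_getname_spkt's body starts outside the hunk.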
57181 @@ -1742,6 +1743,7 @@ static int packet_getname(struct socket
57182 sll->sll_family = AF_PACKET;
57183 sll->sll_ifindex = po->ifindex;
57184 sll->sll_protocol = po->num;
57185 + sll->sll_pkttype = 0;
57187 dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex);
57189 @@ -2120,7 +2122,7 @@ static int packet_getsockopt(struct sock
57190 case PACKET_HDRLEN:
57191 if (len > sizeof(int))
57193 - if (copy_from_user(&val, optval, len))
57194 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
57198 @@ -2158,7 +2160,7 @@ static int packet_getsockopt(struct sock
57200 if (put_user(len, optlen))
57202 - if (copy_to_user(optval, data, len))
57203 + if (len > sizeof(st) || copy_to_user(optval, data, len))
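Review bot: The bound `len > sizeof(st)` is tied to `st`, while the copy reads from `data`. If `data` can point at a smaller object for some options (the PACKET_HDRLEN case in the previous hunk works with an int-sized `val`), the check admits more than that object holds and only the per-option clamping protects the read. The assignments to `data` are outside the hunk, so this is an assumption to confirm; recording the selected object's size where `data` is assigned and testing `len` against that would make the guard exact. In the previous hunk, `len > sizeof(val)` likewise appears to repeat the `len > sizeof(int)` test just above it. packet_getsockopt's body extends beyond both hunks.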
57207 @@ -2637,7 +2639,11 @@ static int packet_seq_show(struct seq_fi
57210 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
57211 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57216 atomic_read(&s->sk_refcnt),
57219 diff -urNp linux-2.6.36.2/net/phonet/af_phonet.c linux-2.6.36.2/net/phonet/af_phonet.c
57220 --- linux-2.6.36.2/net/phonet/af_phonet.c 2010-10-20 16:30:22.000000000 -0400
57221 +++ linux-2.6.36.2/net/phonet/af_phonet.c 2010-12-09 20:24:32.000000000 -0500
57222 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
57224 struct phonet_protocol *pp;
57226 - if (protocol >= PHONET_NPROTO)
57227 + if (protocol < 0 || protocol >= PHONET_NPROTO)
57231 @@ -446,7 +446,7 @@ int __init_or_module phonet_proto_regist
57235 - if (protocol >= PHONET_NPROTO)
57236 + if (protocol < 0 || protocol >= PHONET_NPROTO)
57239 err = proto_register(pp->prot, 1);
57240 diff -urNp linux-2.6.36.2/net/phonet/socket.c linux-2.6.36.2/net/phonet/socket.c
57241 --- linux-2.6.36.2/net/phonet/socket.c 2010-10-20 16:30:22.000000000 -0400
57242 +++ linux-2.6.36.2/net/phonet/socket.c 2010-12-09 20:24:32.000000000 -0500
57243 @@ -535,7 +535,12 @@ static int pn_sock_seq_show(struct seq_f
57245 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
57246 sock_i_uid(sk), sock_i_ino(sk),
57247 - atomic_read(&sk->sk_refcnt), sk,
57248 + atomic_read(&sk->sk_refcnt),
57249 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57254 atomic_read(&sk->sk_drops), &len);
57256 seq_printf(seq, "%*s\n", 127 - len, "");
57257 diff -urNp linux-2.6.36.2/net/sctp/proc.c linux-2.6.36.2/net/sctp/proc.c
57258 --- linux-2.6.36.2/net/sctp/proc.c 2010-10-20 16:30:22.000000000 -0400
57259 +++ linux-2.6.36.2/net/sctp/proc.c 2010-12-09 20:24:36.000000000 -0500
57260 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
57261 sctp_for_each_hentry(epb, node, &head->chain) {
57264 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
57265 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
57266 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57271 sctp_sk(sk)->type, sk->sk_state, hash,
57272 epb->bind_addr.port,
57273 sock_i_uid(sk), sock_i_ino(sk));
57274 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
57276 "%8p %8p %-3d %-3d %-2d %-4d "
57277 "%4d %8d %8d %7d %5lu %-5d %5d ",
57278 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
57279 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57284 + sctp_sk(sk)->type, sk->sk_state,
57285 assoc->state, hash,
57287 assoc->sndbuf_used,
57288 diff -urNp linux-2.6.36.2/net/sctp/socket.c linux-2.6.36.2/net/sctp/socket.c
57289 --- linux-2.6.36.2/net/sctp/socket.c 2010-10-20 16:30:22.000000000 -0400
57290 +++ linux-2.6.36.2/net/sctp/socket.c 2010-12-09 20:24:36.000000000 -0500
57291 @@ -1494,7 +1494,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
57292 struct sctp_sndrcvinfo *sinfo;
57293 struct sctp_initmsg *sinit;
57294 sctp_assoc_t associd = 0;
57295 - sctp_cmsgs_t cmsgs = { NULL };
57296 + sctp_cmsgs_t cmsgs = { NULL, NULL };
57298 sctp_scope_t scope;
57300 @@ -4398,7 +4398,7 @@ static int sctp_getsockopt_peer_addrs(st
57301 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
57302 if (space_left < addrlen)
57304 - if (copy_to_user(to, &temp, addrlen))
57305 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
57309 diff -urNp linux-2.6.36.2/net/socket.c linux-2.6.36.2/net/socket.c
57310 --- linux-2.6.36.2/net/socket.c 2010-12-09 20:53:49.000000000 -0500
57311 +++ linux-2.6.36.2/net/socket.c 2010-12-09 20:54:43.000000000 -0500
57313 #include <linux/nsproxy.h>
57314 #include <linux/magic.h>
57315 #include <linux/slab.h>
57316 +#include <linux/in.h>
57318 #include <asm/uaccess.h>
57319 #include <asm/unistd.h>
57320 @@ -105,6 +106,8 @@
57321 #include <linux/sockios.h>
57322 #include <linux/atalk.h>
57324 +#include <linux/grsock.h>
57326 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
57327 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
57328 unsigned long nr_segs, loff_t pos);
57329 @@ -313,7 +316,7 @@ static int sockfs_get_sb(struct file_sys
57333 -static struct vfsmount *sock_mnt __read_mostly;
57334 +struct vfsmount *sock_mnt __read_mostly;
57336 static struct file_system_type sock_fs_type = {
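Review bot: Dropping `static` from `sock_mnt` gives it external linkage, but no matching `extern` declaration is visible in this part of the patch. Without one, each user needs its own declaration and the compiler cannot check them against this definition. Declaring it once in a header, with a comment here such as `/* non-static: also read by <user> */`, would keep the wider exposure of this pointer deliberate and reviewable.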
57338 @@ -1158,6 +1161,8 @@ static int __sock_create(struct net *net
57339 return -EAFNOSUPPORT;
57340 if (type < 0 || type >= SOCK_MAX)
57342 + if (protocol < 0)
57347 @@ -1289,6 +1294,16 @@ SYSCALL_DEFINE3(socket, int, family, int
57348 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
57349 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
57351 + if(!gr_search_socket(family, type, protocol)) {
57352 + retval = -EACCES;
57356 + if (gr_handle_sock_all(family, type, protocol)) {
57357 + retval = -EACCES;
57361 retval = sock_create(family, type, protocol, &sock);
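Review bot: `if(!gr_search_socket(family, type, protocol)) {` lacks the space after `if` that kernel coding style requires and that the next added check, `if (gr_handle_sock_all(family, type, protocol)) {`, already uses. It should read `if (!gr_search_socket(family, type, protocol)) {`. A short comment on why two separate hooks run before `sock_create()` and both map to `-EACCES` would also help readers who do not have the grsecurity sources at hand.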
57364 @@ -1401,6 +1416,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
57366 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
57368 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
57372 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
57376 err = security_socket_bind(sock,
57377 (struct sockaddr *)&address,
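Review bot: `gr_search_bind(sock, (struct sockaddr_in *)&address)` casts the address to `struct sockaddr_in` before anything in the hunk has checked the address family or that `addrlen` covers a full `sockaddr_in`. The connect hunk does the same with `gr_search_connect(sock, (struct sockaddr_in *)sck)`. `address` appears to be a local `sockaddr_storage` (as declared in the connect hunk) filled by `move_addr_to_kernel()` only up to `addrlen`. Unless the callee checks the family and length itself, which is not visible here, it may read port and address fields that belong to another family or were never written. Passing `addrlen` to the hook, or gating the call on the family, would make the contract explicit; both syscall bodies extend beyond their hunks.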
57379 @@ -1409,6 +1432,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
57380 (struct sockaddr *)
57381 &address, addrlen);
57384 fput_light(sock->file, fput_needed);
57387 @@ -1432,10 +1456,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
57388 if ((unsigned)backlog > somaxconn)
57389 backlog = somaxconn;
57391 + if (gr_handle_sock_server_other(sock->sk)) {
57396 + err = gr_search_listen(sock);
57400 err = security_socket_listen(sock, backlog);
57402 err = sock->ops->listen(sock, backlog);
57405 fput_light(sock->file, fput_needed);
57408 @@ -1479,6 +1513,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
57409 newsock->type = sock->type;
57410 newsock->ops = sock->ops;
57412 + if (gr_handle_sock_server_other(sock->sk)) {
57414 + sock_release(newsock);
57418 + err = gr_search_accept(sock);
57420 + sock_release(newsock);
57425 * We don't need try_module_get here, as the listening socket (sock)
57426 * has the protocol module (sock->ops->owner) held.
57427 @@ -1517,6 +1563,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
57428 fd_install(newfd, newfile);
57431 + gr_attach_curr_ip(newsock->sk);
57434 fput_light(sock->file, fput_needed);
57436 @@ -1549,6 +1597,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
57439 struct socket *sock;
57440 + struct sockaddr *sck;
57441 struct sockaddr_storage address;
57442 int err, fput_needed;
57444 @@ -1559,6 +1608,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
57448 + sck = (struct sockaddr *)&address;
57450 + if (gr_handle_sock_client(sck)) {
57455 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
57460 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
57462 diff -urNp linux-2.6.36.2/net/sunrpc/sched.c linux-2.6.36.2/net/sunrpc/sched.c
57463 --- linux-2.6.36.2/net/sunrpc/sched.c 2010-10-20 16:30:22.000000000 -0400
57464 +++ linux-2.6.36.2/net/sunrpc/sched.c 2010-12-09 20:24:33.000000000 -0500
57465 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
57467 static void rpc_task_set_debuginfo(struct rpc_task *task)
57469 - static atomic_t rpc_pid;
57470 + static atomic_unchecked_t rpc_pid;
57472 - task->tk_pid = atomic_inc_return(&rpc_pid);
57473 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
57476 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
57477 diff -urNp linux-2.6.36.2/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.36.2/net/sunrpc/xprtrdma/svc_rdma.c
57478 --- linux-2.6.36.2/net/sunrpc/xprtrdma/svc_rdma.c 2010-10-20 16:30:22.000000000 -0400
57479 +++ linux-2.6.36.2/net/sunrpc/xprtrdma/svc_rdma.c 2010-12-09 20:24:33.000000000 -0500
57480 @@ -106,7 +106,7 @@ static int read_reset_stat(ctl_table *ta
57484 - if (len && copy_to_user(buffer, str_buf, len))
57485 + if (len > sizeof(str_buf) || (len && copy_to_user(buffer, str_buf, len)))
57489 diff -urNp linux-2.6.36.2/net/sysctl_net.c linux-2.6.36.2/net/sysctl_net.c
57490 --- linux-2.6.36.2/net/sysctl_net.c 2010-10-20 16:30:22.000000000 -0400
57491 +++ linux-2.6.36.2/net/sysctl_net.c 2010-12-09 20:24:32.000000000 -0500
57492 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
57493 struct ctl_table *table)
57495 /* Allow network administrator to have same access as root. */
57496 - if (capable(CAP_NET_ADMIN)) {
57497 + if (capable_nolog(CAP_NET_ADMIN)) {
57498 int mode = (table->mode >> 6) & 7;
57499 return (mode << 6) | (mode << 3) | mode;
57501 diff -urNp linux-2.6.36.2/net/tipc/socket.c linux-2.6.36.2/net/tipc/socket.c
57502 --- linux-2.6.36.2/net/tipc/socket.c 2010-10-20 16:30:22.000000000 -0400
57503 +++ linux-2.6.36.2/net/tipc/socket.c 2010-12-09 20:24:35.000000000 -0500
57504 @@ -395,6 +395,7 @@ static int get_name(struct socket *sock,
57505 struct sockaddr_tipc *addr = (struct sockaddr_tipc *)uaddr;
57506 struct tipc_sock *tsock = tipc_sk(sock->sk);
57508 + memset(addr, 0, sizeof(*addr));
57510 if ((sock->state != SS_CONNECTED) &&
57511 ((peer != 2) || (sock->state != SS_DISCONNECTING)))
57512 @@ -1451,8 +1452,9 @@ static int connect(struct socket *sock,
57517 - ; /* leave "res" unchanged */
57519 + /* leave "res" unchanged */
57521 sock->state = SS_DISCONNECTING;
57524 diff -urNp linux-2.6.36.2/net/unix/af_unix.c linux-2.6.36.2/net/unix/af_unix.c
57525 --- linux-2.6.36.2/net/unix/af_unix.c 2010-10-20 16:30:22.000000000 -0400
57526 +++ linux-2.6.36.2/net/unix/af_unix.c 2010-12-09 20:24:33.000000000 -0500
57527 @@ -764,6 +764,12 @@ static struct sock *unix_find_other(stru
57528 err = -ECONNREFUSED;
57529 if (!S_ISSOCK(inode->i_mode))
57532 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
57537 u = unix_find_socket_byinode(inode);
57540 @@ -784,6 +790,13 @@ static struct sock *unix_find_other(stru
57542 struct dentry *dentry;
57543 dentry = unix_sk(u)->dentry;
57545 + if (!gr_handle_chroot_unix(u->sk_peer_pid)) {
57552 touch_atime(unix_sk(u)->mnt, dentry);
57554 @@ -869,11 +882,18 @@ static int unix_bind(struct socket *sock
57555 err = security_path_mknod(&nd.path, dentry, mode, 0);
57557 goto out_mknod_drop_write;
57558 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
57560 + goto out_mknod_drop_write;
57562 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
57563 out_mknod_drop_write:
57564 mnt_drop_write(nd.path.mnt);
57566 goto out_mknod_dput;
57568 + gr_handle_create(dentry, nd.path.mnt);
57570 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
57571 dput(nd.path.dentry);
57572 nd.path.dentry = dentry;
57573 @@ -891,6 +911,11 @@ out_mknod_drop_write:
57577 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
57578 + put_pid(sk->sk_peer_pid);
57579 + sk->sk_peer_pid = get_pid(task_tgid(current));
57582 list = &unix_socket_table[addr->hash];
57584 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
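Review bot: The `CONFIG_GRKERNSEC_CHROOT_UNIX` block overwrites `sk->sk_peer_pid` with the binding task's tgid, but nothing says the field is being reused to record who bound the socket, or which lock covers the `put_pid()`/`get_pid()` pair. The earlier hunk in unix_find_other passes `u->sk_peer_pid` to `gr_handle_chroot_unix()`, so the value stored here is presumably what that check reads. A comment such as `/* remember the binder so gr_handle_chroot_unix() can compare chroots at connect time */`, plus a word on the lock held at this point, would make the dependency explicit. Several context lines of this hunk are missing from the listing, so the locking cannot be confirmed from here.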
57585 @@ -2195,7 +2220,11 @@ static int unix_seq_show(struct seq_file
57586 unix_state_lock(s);
57588 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
57589 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57594 atomic_read(&s->sk_refcnt),
57596 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
57597 diff -urNp linux-2.6.36.2/net/wireless/reg.c linux-2.6.36.2/net/wireless/reg.c
57598 --- linux-2.6.36.2/net/wireless/reg.c 2010-12-09 20:53:49.000000000 -0500
57599 +++ linux-2.6.36.2/net/wireless/reg.c 2010-12-09 20:54:43.000000000 -0500
57601 printk(KERN_DEBUG format , ## args); \
57604 -#define REG_DBG_PRINT(args...)
57605 +#define REG_DBG_PRINT(args...) do {} while (0)
57608 /* Receipt of information from last regulatory request */
57609 diff -urNp linux-2.6.36.2/net/wireless/wext-core.c linux-2.6.36.2/net/wireless/wext-core.c
57610 --- linux-2.6.36.2/net/wireless/wext-core.c 2010-10-20 16:30:22.000000000 -0400
57611 +++ linux-2.6.36.2/net/wireless/wext-core.c 2010-12-09 20:24:35.000000000 -0500
57612 @@ -744,8 +744,7 @@ static int ioctl_standard_iw_point(struc
57615 /* Support for very large requests */
57616 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
57617 - (user_length > descr->max_tokens)) {
57618 + if (user_length > descr->max_tokens) {
57619 /* Allow userspace to GET more than max so
57620 * we can support any size GET requests.
57621 * There is still a limit : -ENOMEM.
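Review bot: With the `IW_DESCR_FLAG_NOMAX` test dropped, the branch commented "Support for very large requests" is entered for every descriptor whose `user_length` exceeds `descr->max_tokens`, so a length supplied by user space now appears to drive the sizing for all such requests, not only NOMAX ones. The later hunk in this function also removes the clamp `iwp->length = descr->max_tokens;` for GET requests, so the handler sees the caller's length unless the driver overwrites it. The comment should say so, e.g. `/* Requests larger than max_tokens (any descriptor, not only NOMAX) */`. It is also worth confirming that the `extra` buffer is zero-initialised and at least as large as the length copied back afterwards; the allocation and the copy are outside both hunks.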
57622 @@ -782,22 +781,6 @@ static int ioctl_standard_iw_point(struc
57626 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
57628 - * If this is a GET, but not NOMAX, it means that the extra
57629 - * data is not bounded by userspace, but by max_tokens. Thus
57630 - * set the length to max_tokens. This matches the extra data
57632 - * The driver should fill it with the number of tokens it
57633 - * provided, and it may check iwp->length rather than having
57634 - * knowledge of max_tokens. If the driver doesn't change the
57635 - * iwp->length, this ioctl just copies back max_token tokens
57636 - * filled with zeroes. Hopefully the driver isn't claiming
57637 - * them to be valid data.
57639 - iwp->length = descr->max_tokens;
57642 err = handler(dev, info, (union iwreq_data *) iwp, extra);
57644 iwp->length += essid_compat;
57645 diff -urNp linux-2.6.36.2/net/x25/x25_facilities.c linux-2.6.36.2/net/x25/x25_facilities.c
57646 --- linux-2.6.36.2/net/x25/x25_facilities.c 2010-12-09 20:53:49.000000000 -0500
57647 +++ linux-2.6.36.2/net/x25/x25_facilities.c 2010-12-09 20:24:34.000000000 -0500
57648 @@ -157,7 +157,8 @@ int x25_parse_facilities(struct sk_buff
57651 printk(KERN_DEBUG "X.25: unknown facility %02X,"
57652 - "length %d\n", p[0], p[1]);
57653 + "length %d, values %02X, %02X\n",
57654 + p[0], p[1], p[2], p[3]);
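Review bot: The extended debug message reads `p[2]` and `p[3]` for an unknown facility, but nothing in the hunk shows that two value bytes are present: `p[1]` is the length field taken from the packet and may be 0 or 1. In that case the printk reads bytes that belong to the next facility or lie past the end of the facilities field. The values should be printed only under a guard such as `if (p[1] >= 2)`, keeping the original two-argument message for shorter facilities. The surrounding length check is outside the hunk, so whether it already guarantees four readable bytes cannot be confirmed here.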
57658 diff -urNp linux-2.6.36.2/net/xfrm/xfrm_policy.c linux-2.6.36.2/net/xfrm/xfrm_policy.c
57659 --- linux-2.6.36.2/net/xfrm/xfrm_policy.c 2010-10-20 16:30:22.000000000 -0400
57660 +++ linux-2.6.36.2/net/xfrm/xfrm_policy.c 2010-12-09 20:24:34.000000000 -0500
57661 @@ -1501,7 +1501,7 @@ free_dst:
57667 xfrm_dst_alloc_copy(void **target, void *src, int size)
57670 @@ -1513,7 +1513,7 @@ xfrm_dst_alloc_copy(void **target, void
57676 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
57678 #ifdef CONFIG_XFRM_SUB_POLICY
57679 @@ -1525,7 +1525,7 @@ xfrm_dst_update_parent(struct dst_entry
57685 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
57687 #ifdef CONFIG_XFRM_SUB_POLICY
57688 diff -urNp linux-2.6.36.2/scripts/basic/fixdep.c linux-2.6.36.2/scripts/basic/fixdep.c
57689 --- linux-2.6.36.2/scripts/basic/fixdep.c 2010-10-20 16:30:22.000000000 -0400
57690 +++ linux-2.6.36.2/scripts/basic/fixdep.c 2010-12-09 20:24:51.000000000 -0500
57691 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
57693 static void parse_config_file(char *map, size_t len)
57695 - int *end = (int *) (map + len);
57696 + unsigned int *end = (unsigned int *) (map + len);
57697 /* start at +1, so that p can never be < map */
57698 - int *m = (int *) map + 1;
57699 + unsigned int *m = (unsigned int *) map + 1;
57702 for (; m < end; m++) {
57703 @@ -371,7 +371,7 @@ static void print_deps(void)
57704 static void traps(void)
57706 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
57707 - int *p = (int *)test;
57708 + unsigned int *p = (unsigned int *)test;
57710 if (*p != INT_CONF) {
57711 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
57712 diff -urNp linux-2.6.36.2/scripts/kallsyms.c linux-2.6.36.2/scripts/kallsyms.c
57713 --- linux-2.6.36.2/scripts/kallsyms.c 2010-10-20 16:30:22.000000000 -0400
57714 +++ linux-2.6.36.2/scripts/kallsyms.c 2010-12-09 20:24:51.000000000 -0500
57715 @@ -43,10 +43,10 @@ struct text_range {
57717 static unsigned long long _text;
57718 static struct text_range text_ranges[] = {
57719 - { "_stext", "_etext" },
57720 - { "_sinittext", "_einittext" },
57721 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
57722 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
57723 + { "_stext", "_etext", 0, 0 },
57724 + { "_sinittext", "_einittext", 0, 0 },
57725 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
57726 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
57728 #define text_range_text (&text_ranges[0])
57729 #define text_range_inittext (&text_ranges[1])
57730 diff -urNp linux-2.6.36.2/scripts/mod/file2alias.c linux-2.6.36.2/scripts/mod/file2alias.c
57731 --- linux-2.6.36.2/scripts/mod/file2alias.c 2010-10-20 16:30:22.000000000 -0400
57732 +++ linux-2.6.36.2/scripts/mod/file2alias.c 2010-12-09 20:24:51.000000000 -0500
57733 @@ -72,7 +72,7 @@ static void device_id_check(const char *
57734 unsigned long size, unsigned long id_size,
57740 if (size % id_size || size < id_size) {
57741 if (cross_build != 0)
57742 @@ -102,7 +102,7 @@ static void device_id_check(const char *
57743 /* USB is special because the bcdDevice can be matched against a numeric range */
57744 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
57745 static void do_usb_entry(struct usb_device_id *id,
57746 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
57747 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
57748 unsigned char range_lo, unsigned char range_hi,
57749 unsigned char max, struct module *mod)
57751 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
57752 for (i = 0; i < count; i++) {
57753 const char *id = (char *)devs[i].id;
57754 char acpi_id[sizeof(devs[0].id)];
57758 buf_printf(&mod->dev_table_buf,
57759 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
57760 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
57762 for (j = 0; j < PNP_MAX_DEVICES; j++) {
57763 const char *id = (char *)card->devs[j].id;
57765 + unsigned int i2, j2;
57769 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
57770 /* add an individual alias for every device entry */
57772 char acpi_id[sizeof(card->devs[0].id)];
57776 buf_printf(&mod->dev_table_buf,
57777 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
57778 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
57779 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
57783 + unsigned int i, j;
57785 sprintf(alias, "dmi*");
57787 diff -urNp linux-2.6.36.2/scripts/mod/modpost.c linux-2.6.36.2/scripts/mod/modpost.c
57788 --- linux-2.6.36.2/scripts/mod/modpost.c 2010-10-20 16:30:22.000000000 -0400
57789 +++ linux-2.6.36.2/scripts/mod/modpost.c 2010-12-09 20:24:51.000000000 -0500
57790 @@ -895,6 +895,7 @@ enum mismatch {
57791 ANY_INIT_TO_ANY_EXIT,
57792 ANY_EXIT_TO_ANY_INIT,
57793 EXPORT_TO_INIT_EXIT,
57797 struct sectioncheck {
57798 @@ -1003,6 +1004,12 @@ const struct sectioncheck sectioncheck[]
57799 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
57800 .mismatch = EXPORT_TO_INIT_EXIT,
57801 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
57803 +/* Do not reference code from writable data */
57805 + .fromsec = { DATA_SECTIONS, NULL },
57806 + .tosec = { TEXT_SECTIONS, NULL },
57807 + .mismatch = DATA_TO_TEXT
57811 @@ -1125,10 +1132,10 @@ static Elf_Sym *find_elf_symbol(struct e
57813 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
57815 - if (sym->st_value == addr)
57817 /* Find a symbol nearby - addr are maybe negative */
57818 d = sym->st_value - addr;
57822 d = addr - sym->st_value;
57823 if (d < distance) {
57824 @@ -1397,6 +1404,14 @@ static void report_sec_mismatch(const ch
57825 tosym, prl_to, prl_to, tosym);
57828 + case DATA_TO_TEXT:
57831 + "The variable %s references\n"
57832 + "the %s %s%s%s\n",
57833 + fromsym, to, sec2annotation(tosec), tosym, to_p);
57837 fprintf(stderr, "\n");
57839 @@ -1720,7 +1735,7 @@ void __attribute__((format(printf, 2, 3)
57843 -void buf_write(struct buffer *buf, const char *s, int len)
57844 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
57846 if (buf->size - buf->pos < len) {
57847 buf->size += len + SZ;
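Review bot: With `len` now `unsigned int`, and `pos` and `size` made unsigned by the modpost.h hunk of this patch, the test `buf->size - buf->pos < len` runs entirely in unsigned arithmetic and so silently depends on `pos <= size`. Separately, `buf->size += len + SZ` can wrap for a very large `len`. Neither condition is checked or documented in the visible lines. A comment such as `/* invariant: buf->pos <= buf->size, so the subtraction cannot wrap */` and an explicit overflow test before the size is grown would make the signedness change safe to rely on. The function body continues outside the hunk.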
57848 @@ -1932,7 +1947,7 @@ static void write_if_changed(struct buff
57849 if (fstat(fileno(file), &st) < 0)
57852 - if (st.st_size != b->pos)
57853 + if (st.st_size != (off_t)b->pos)
57856 tmp = NOFAIL(malloc(b->pos));
57857 diff -urNp linux-2.6.36.2/scripts/mod/modpost.h linux-2.6.36.2/scripts/mod/modpost.h
57858 --- linux-2.6.36.2/scripts/mod/modpost.h 2010-10-20 16:30:22.000000000 -0400
57859 +++ linux-2.6.36.2/scripts/mod/modpost.h 2010-12-09 20:24:51.000000000 -0500
57860 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
57866 + unsigned int pos;
57867 + unsigned int size;
57870 void __attribute__((format(printf, 2, 3)))
57871 buf_printf(struct buffer *buf, const char *fmt, ...);
57874 -buf_write(struct buffer *buf, const char *s, int len);
57875 +buf_write(struct buffer *buf, const char *s, unsigned int len);
57878 struct module *next;
57879 diff -urNp linux-2.6.36.2/scripts/mod/sumversion.c linux-2.6.36.2/scripts/mod/sumversion.c
57880 --- linux-2.6.36.2/scripts/mod/sumversion.c 2010-10-20 16:30:22.000000000 -0400
57881 +++ linux-2.6.36.2/scripts/mod/sumversion.c 2010-12-09 20:24:51.000000000 -0500
57882 @@ -455,7 +455,7 @@ static void write_version(const char *fi
57886 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
57887 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
57888 warn("writing sum in %s failed: %s\n",
57889 filename, strerror(errno));
57891 diff -urNp linux-2.6.36.2/scripts/pnmtologo.c linux-2.6.36.2/scripts/pnmtologo.c
57892 --- linux-2.6.36.2/scripts/pnmtologo.c 2010-10-20 16:30:22.000000000 -0400
57893 +++ linux-2.6.36.2/scripts/pnmtologo.c 2010-12-09 20:24:51.000000000 -0500
57894 @@ -237,14 +237,14 @@ static void write_header(void)
57895 fprintf(out, " * Linux logo %s\n", logoname);
57896 fputs(" */\n\n", out);
57897 fputs("#include <linux/linux_logo.h>\n\n", out);
57898 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
57899 + fprintf(out, "static unsigned char %s_data[] = {\n",
57903 static void write_footer(void)
57905 fputs("\n};\n\n", out);
57906 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
57907 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
57908 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
57909 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
57910 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
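Review bot: Dropping `__initdata` and `__initconst` from the generated declarations means the logo pixel data, the `linux_logo` descriptor and the colour table (write_logo_clut224 hunk below) are no longer placed in init sections and stay resident after boot. Nothing in the generator says why. A comment in write_header, e.g. `/* emitted without __initdata on purpose: <reason> */` with the actual reason filled in, would keep the annotations from being restored by a later sync with upstream.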
57911 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
57912 fputs("\n};\n\n", out);
57914 /* write logo clut */
57915 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
57916 + fprintf(out, "static unsigned char %s_clut[] = {\n",
57919 for (i = 0; i < logo_clutsize; i++) {
57920 diff -urNp linux-2.6.36.2/security/apparmor/lsm.c linux-2.6.36.2/security/apparmor/lsm.c
57921 --- linux-2.6.36.2/security/apparmor/lsm.c 2010-10-20 16:30:22.000000000 -0400
57922 +++ linux-2.6.36.2/security/apparmor/lsm.c 2010-12-09 20:24:07.000000000 -0500
57923 @@ -619,7 +619,7 @@ static int apparmor_task_setrlimit(struc
57927 -static struct security_operations apparmor_ops = {
57928 +static struct security_operations apparmor_ops __read_only = {
57929 .name = "apparmor",
57931 .ptrace_access_check = apparmor_ptrace_access_check,
57932 diff -urNp linux-2.6.36.2/security/commoncap.c linux-2.6.36.2/security/commoncap.c
57933 --- linux-2.6.36.2/security/commoncap.c 2010-10-20 16:30:22.000000000 -0400
57934 +++ linux-2.6.36.2/security/commoncap.c 2010-12-09 20:24:07.000000000 -0500
57936 #include <linux/securebits.h>
57937 #include <linux/syslog.h>
57938 #include <linux/vs_context.h>
57939 +#include <net/sock.h>
57942 * If a non-root user executes a setuid-root binary in
57943 @@ -51,9 +52,11 @@ static void warn_setuid_and_fcaps_mixed(
57947 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
57949 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
57951 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
57952 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
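Review bot: `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is declared inside commoncap.c rather than in a header shared with its definition, so the compiler cannot catch a mismatch if the definition's signature changes. Its return value becomes `NETLINK_CB(skb).eff_cap`, the capability set attached to the netlink message, so a silent mismatch here would be security-relevant. The prototype belongs in the header that declares the patch's other gr_* hooks, included here in place of the local extern. cap_netlink_send's body continues outside the hunk.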
57956 @@ -535,6 +538,9 @@ int cap_bprm_secureexec(struct linux_bin
57958 const struct cred *cred = current_cred();
57960 + if (gr_acl_enable_at_secure())
57963 if (cred->uid != 0) {
57964 if (bprm->cap_effective)
57966 diff -urNp linux-2.6.36.2/security/integrity/ima/ima_api.c linux-2.6.36.2/security/integrity/ima/ima_api.c
57967 --- linux-2.6.36.2/security/integrity/ima/ima_api.c 2010-10-20 16:30:22.000000000 -0400
57968 +++ linux-2.6.36.2/security/integrity/ima/ima_api.c 2010-12-09 20:24:07.000000000 -0500
57969 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
57972 /* can overflow, only indicator */
57973 - atomic_long_inc(&ima_htable.violations);
57974 + atomic_long_inc_unchecked(&ima_htable.violations);
57976 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
57978 diff -urNp linux-2.6.36.2/security/integrity/ima/ima_fs.c linux-2.6.36.2/security/integrity/ima/ima_fs.c
57979 --- linux-2.6.36.2/security/integrity/ima/ima_fs.c 2010-10-20 16:30:22.000000000 -0400
57980 +++ linux-2.6.36.2/security/integrity/ima/ima_fs.c 2010-12-09 20:24:07.000000000 -0500
57981 @@ -28,12 +28,12 @@
57982 static int valid_policy = 1;
57983 #define TMPBUFLEN 12
57984 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
57985 - loff_t *ppos, atomic_long_t *val)
57986 + loff_t *ppos, atomic_long_unchecked_t *val)
57988 char tmpbuf[TMPBUFLEN];
57991 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
57992 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
57993 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
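Review bot: `tmpbuf` is `TMPBUFLEN` (12) bytes, too small for a `%li` value where long is 64 bits: the text can need a sign, 19 digits, the newline and the terminator. `scnprintf` bounds the write, so this is not an overflow, but counters above ten digits are truncated and lose their trailing newline. The ima_api.c hunk's own comment says the counter can overflow, and it is now read through `atomic_long_read_unchecked()`, so the full range should be printable. Raising the constant to `#define TMPBUFLEN 22` covers it.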
57996 diff -urNp linux-2.6.36.2/security/integrity/ima/ima.h linux-2.6.36.2/security/integrity/ima/ima.h
57997 --- linux-2.6.36.2/security/integrity/ima/ima.h 2010-10-20 16:30:22.000000000 -0400
57998 +++ linux-2.6.36.2/security/integrity/ima/ima.h 2010-12-09 20:24:07.000000000 -0500
57999 @@ -84,8 +84,8 @@ void ima_add_violation(struct inode *ino
58000 extern spinlock_t ima_queue_lock;
58002 struct ima_h_table {
58003 - atomic_long_t len; /* number of stored measurements in the list */
58004 - atomic_long_t violations;
58005 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
58006 + atomic_long_unchecked_t violations;
58007 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
58009 extern struct ima_h_table ima_htable;
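Review bot: `len` is converted to `atomic_long_unchecked_t` together with `violations`, but only `violations` has a stated reason: the ima_api.c hunk keeps the comment "can overflow, only indicator" next to its increment. `len` is documented here as the number of stored measurements, and the ima_queue.c hunk increments it with `atomic_long_inc_unchecked()` without saying why a wrap would be harmless. If it is only a statistic, the field comment should say so, e.g. `/* statistic only, not used for sizing or indexing; wrap is harmless */`. Otherwise `len` should stay on the checked type.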
58010 diff -urNp linux-2.6.36.2/security/integrity/ima/ima_queue.c linux-2.6.36.2/security/integrity/ima/ima_queue.c
58011 --- linux-2.6.36.2/security/integrity/ima/ima_queue.c 2010-10-20 16:30:22.000000000 -0400
58012 +++ linux-2.6.36.2/security/integrity/ima/ima_queue.c 2010-12-09 20:24:07.000000000 -0500
58013 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
58014 INIT_LIST_HEAD(&qe->later);
58015 list_add_tail_rcu(&qe->later, &ima_measurements);
58017 - atomic_long_inc(&ima_htable.len);
58018 + atomic_long_inc_unchecked(&ima_htable.len);
58019 key = ima_hash_key(entry->digest);
58020 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
58022 diff -urNp linux-2.6.36.2/security/Kconfig linux-2.6.36.2/security/Kconfig
58023 --- linux-2.6.36.2/security/Kconfig 2010-10-20 16:30:22.000000000 -0400
58024 +++ linux-2.6.36.2/security/Kconfig 2010-12-09 20:24:07.000000000 -0500
58027 menu "Security options"
58029 +source grsecurity/Kconfig
58033 + config PAX_PER_CPU_PGD
58036 + config TASK_SIZE_MAX_SHIFT
58038 + depends on X86_64
58039 + default 47 if !PAX_PER_CPU_PGD
58040 + default 42 if PAX_PER_CPU_PGD
58042 + config PAX_ENABLE_PAE
58044 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
58047 + bool "Enable various PaX features"
58048 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
58050 + This allows you to enable various PaX features. PaX adds
58051 + intrusion prevention mechanisms to the kernel that reduce
58052 + the risks posed by exploitable memory corruption bugs.
58054 +menu "PaX Control"
58057 +config PAX_SOFTMODE
58058 + bool 'Support soft mode'
58059 + select PAX_PT_PAX_FLAGS
58061 + Enabling this option will allow you to run PaX in soft mode, that
58062 + is, PaX features will not be enforced by default, only on executables
58063 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
58064 + is the only way to mark executables for soft mode use.
58066 + Soft mode can be activated by using the "pax_softmode=1" kernel command
58067 + line option on boot. Furthermore you can control various PaX features
58068 + at runtime via the entries in /proc/sys/kernel/pax.
58071 + bool 'Use legacy ELF header marking'
58073 + Enabling this option will allow you to control PaX features on
58074 + a per executable basis via the 'chpax' utility available at
58075 + http://pax.grsecurity.net/. The control flags will be read from
58076 + an otherwise reserved part of the ELF header. This marking has
58077 + numerous drawbacks (no support for soft-mode, toolchain does not
58078 + know about the non-standard use of the ELF header) therefore it
58079 + has been deprecated in favour of PT_PAX_FLAGS support.
58081 + If you have applications not marked by the PT_PAX_FLAGS ELF
58082 + program header then you MUST enable this option otherwise they
58083 + will not get any protection.
58085 + Note that if you enable PT_PAX_FLAGS marking support as well,
58086 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
58088 +config PAX_PT_PAX_FLAGS
58089 + bool 'Use ELF program header marking'
58091 + Enabling this option will allow you to control PaX features on
58092 + a per executable basis via the 'paxctl' utility available at
58093 + http://pax.grsecurity.net/. The control flags will be read from
58094 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
58095 + has the benefits of supporting both soft mode and being fully
58096 + integrated into the toolchain (the binutils patch is available
58097 + from http://pax.grsecurity.net).
58099 + If you have applications not marked by the PT_PAX_FLAGS ELF
58100 + program header then you MUST enable the EI_PAX marking support
58101 + otherwise they will not get any protection.
58103 + Note that if you enable the legacy EI_PAX marking support as well,
58104 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
58107 + prompt 'MAC system integration'
58108 + default PAX_HAVE_ACL_FLAGS
58110 + Mandatory Access Control systems have the option of controlling
58111 + PaX flags on a per executable basis, choose the method supported
58112 + by your particular system.
58114 + - "none": if your MAC system does not interact with PaX,
58115 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
58116 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
58118 + NOTE: this option is for developers/integrators only.
58120 + config PAX_NO_ACL_FLAGS
58123 + config PAX_HAVE_ACL_FLAGS
58126 + config PAX_HOOK_ACL_FLAGS
58132 +menu "Non-executable pages"
58136 + bool "Enforce non-executable pages"
58137 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
58139 + By design some architectures do not allow for protecting memory
58140 + pages against execution or even if they do, Linux does not make
58141 + use of this feature. In practice this means that if a page is
58142 + readable (such as the stack or heap) it is also executable.
58144 + There is a well known exploit technique that makes use of this
58145 + fact and a common programming mistake where an attacker can
58146 + introduce code of his choice somewhere in the attacked program's
58147 + memory (typically the stack or the heap) and then execute it.
58149 + If the attacked program was running with different (typically
58150 + higher) privileges than that of the attacker, then he can elevate
58151 + his own privilege level (e.g. get a root shell, write to files for
58152 + which he does not have write access to, etc).
58154 + Enabling this option will let you choose from various features
58155 + that prevent the injection and execution of 'foreign' code in
58158 + This will also break programs that rely on the old behaviour and
58159 + expect that dynamically allocated memory via the malloc() family
58160 + of functions is executable (which it is not). Notable examples
58161 + are the XFree86 4.x server, the java runtime and wine.
58163 +config PAX_PAGEEXEC
58164 + bool "Paging based non-executable pages"
58165 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
58166 + select S390_SWITCH_AMODE if S390
58167 + select S390_EXEC_PROTECT if S390
58169 + This implementation is based on the paging feature of the CPU.
58170 + On i386 without hardware non-executable bit support there is a
58171 + variable but usually low performance impact, however on Intel's
58172 + P4 core based CPUs it is very high so you should not enable this
58173 + for kernels meant to be used on such CPUs.
58175 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
58176 + with hardware non-executable bit support there is no performance
58177 + impact, on ppc the impact is negligible.
58179 + Note that several architectures require various emulations due to
58180 + badly designed userland ABIs, this will cause a performance impact
58181 + but will disappear as soon as userland is fixed. For example, ppc
58182 + userland MUST have been built with secure-plt by a recent toolchain.
58184 +config PAX_SEGMEXEC
58185 + bool "Segmentation based non-executable pages"
58186 + depends on PAX_NOEXEC && X86_32
58188 + This implementation is based on the segmentation feature of the
58189 + CPU and has a very small performance impact, however applications
58190 + will be limited to a 1.5 GB address space instead of the normal
58193 +config PAX_EMUTRAMP
58194 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
58195 + default y if PARISC
58197 + There are some programs and libraries that for one reason or
58198 + another attempt to execute special small code snippets from
58199 + non-executable memory pages. Most notable examples are the
58200 + signal handler return code generated by the kernel itself and
58201 + the GCC trampolines.
58203 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
58204 + such programs will no longer work under your kernel.
58206 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
58207 + utilities to enable trampoline emulation for the affected programs
58208 + yet still have the protection provided by the non-executable pages.
58210 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
58211 + your system will not even boot.
58213 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
58214 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
58215 + for the affected files.
58217 + NOTE: enabling this feature *may* open up a loophole in the
58218 + protection provided by non-executable pages that an attacker
58219 + could abuse. Therefore the best solution is to not have any
58220 + files on your system that would require this option. This can
58221 + be achieved by not using libc5 (which relies on the kernel
58222 + signal handler return code) and not using or rewriting programs
58223 + that make use of the nested function implementation of GCC.
58224 + Skilled users can just fix GCC itself so that it implements
58225 + nested function calls in a way that does not interfere with PaX.
58227 +config PAX_EMUSIGRT
58228 + bool "Automatically emulate sigreturn trampolines"
58229 + depends on PAX_EMUTRAMP && PARISC
58232 + Enabling this option will have the kernel automatically detect
58233 + and emulate signal return trampolines executing on the stack
58234 + that would otherwise lead to task termination.
58236 + This solution is intended as a temporary one for users with
58237 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
58238 + Modula-3 runtime, etc) or executables linked to such, basically
58239 + everything that does not specify its own SA_RESTORER function in
58240 + normal executable memory like glibc 2.1+ does.
58242 + On parisc you MUST enable this option, otherwise your system will
58245 + NOTE: this feature cannot be disabled on a per executable basis
58246 + and since it *does* open up a loophole in the protection provided
58247 + by non-executable pages, the best solution is to not have any
58248 + files on your system that would require this option.
58250 +config PAX_MPROTECT
58251 + bool "Restrict mprotect()"
58252 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
58254 + Enabling this option will prevent programs from
58255 + - changing the executable status of memory pages that were
58256 + not originally created as executable,
58257 + - making read-only executable pages writable again,
58258 + - creating executable pages from anonymous memory,
58259 + - making read-only-after-relocations (RELRO) data pages writable again.
58261 + You should say Y here to complete the protection provided by
58262 + the enforcement of non-executable pages.
58264 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
58265 + this feature on a per file basis.
58267 +config PAX_ELFRELOCS
58268 + bool "Allow ELF text relocations (read help)"
58269 + depends on PAX_MPROTECT
58272 + Non-executable pages and mprotect() restrictions are effective
58273 + in preventing the introduction of new executable code into an
58274 + attacked task's address space. There remain only two venues
58275 + for this kind of attack: if the attacker can execute already
58276 + existing code in the attacked task then he can either have it
58277 + create and mmap() a file containing his code or have it mmap()
58278 + an already existing ELF library that does not have position
58279 + independent code in it and use mprotect() on it to make it
58280 + writable and copy his code there. While protecting against
58281 + the former approach is beyond PaX, the latter can be prevented
58282 + by having only PIC ELF libraries on one's system (which do not
58283 + need to relocate their code). If you are sure this is your case,
58284 + as is the case with all modern Linux distributions, then leave
58285 + this option disabled. You should say 'n' here.
58287 +config PAX_ETEXECRELOCS
58288 + bool "Allow ELF ET_EXEC text relocations"
58289 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
58290 + select PAX_ELFRELOCS
58293 + On some architectures there are incorrectly created applications
58294 + that require text relocations and would not work without enabling
58295 + this option. If you are an alpha, ia64 or parisc user, you should
58296 + enable this option and disable it once you have made sure that
58297 + none of your applications need it.
58300 + bool "Automatically emulate ELF PLT"
58301 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
58304 + Enabling this option will have the kernel automatically detect
58305 + and emulate the Procedure Linkage Table entries in ELF files.
58306 + On some architectures such entries are in writable memory, and
58307 + become non-executable leading to task termination. Therefore
58308 + it is mandatory that you enable this option on alpha, parisc,
58309 + sparc and sparc64, otherwise your system would not even boot.
58311 + NOTE: this feature *does* open up a loophole in the protection
58312 + provided by the non-executable pages, therefore the proper
58313 + solution is to modify the toolchain to produce a PLT that does
58314 + not need to be writable.
58316 +config PAX_DLRESOLVE
58317 + bool 'Emulate old glibc resolver stub'
58318 + depends on PAX_EMUPLT && SPARC
58321 + This option is needed if userland has an old glibc (before 2.4)
58322 + that puts a 'save' instruction into the runtime generated resolver
58323 + stub that needs special emulation.
58325 +config PAX_KERNEXEC
58326 + bool "Enforce non-executable kernel pages"
58327 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
58328 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
58330 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
58331 + that is, enabling this option will make it harder to inject
58332 + and execute 'foreign' code in kernel memory itself.
58334 +config PAX_KERNEXEC_MODULE_TEXT
58335 + int "Minimum amount of memory reserved for module code"
58337 + depends on PAX_KERNEXEC && X86_32 && MODULES
58339 + Due to implementation details the kernel must reserve a fixed
58340 + amount of memory for module code at compile time that cannot be
58341 + changed at runtime. Here you can specify the minimum amount
58342 + in MB that will be reserved. Due to the same implementation
58343 + details this size will always be rounded up to the next 2/4 MB
58344 + boundary (depends on PAE) so the actually available memory for
58345 + module code will usually be more than this minimum.
58347 + The default 4 MB should be enough for most users but if you have
58348 + an excessive number of modules (e.g., most distribution configs
58349 + compile many drivers as modules) or use huge modules such as
58350 + nvidia's kernel driver, you will need to adjust this amount.
58351 + A good rule of thumb is to look at your currently loaded kernel
58352 + modules and add up their sizes.
58356 +menu "Address Space Layout Randomization"
58360 + bool "Address Space Layout Randomization"
58361 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
58363 + Many if not most exploit techniques rely on the knowledge of
58364 + certain addresses in the attacked program. The following options
58365 + will allow the kernel to apply a certain amount of randomization
58366 + to specific parts of the program thereby forcing an attacker to
58367 + guess them in most cases. Any failed guess will most likely crash
58368 + the attacked program which allows the kernel to detect such attempts
58369 + and react on them. PaX itself provides no reaction mechanisms,
58370 + instead it is strongly encouraged that you make use of Nergal's
58371 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
58372 + (http://www.grsecurity.net/) built-in crash detection features or
58373 + develop one yourself.
58375 + By saying Y here you can choose to randomize the following areas:
58376 + - top of the task's kernel stack
58377 + - top of the task's userland stack
58378 + - base address for mmap() requests that do not specify one
58379 + (this includes all libraries)
58380 + - base address of the main executable
58382 + It is strongly recommended to say Y here as address space layout
58383 + randomization has negligible impact on performance yet it provides
58384 + a very effective protection.
58386 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
58387 + this feature on a per file basis.
58389 +config PAX_RANDKSTACK
58390 + bool "Randomize kernel stack base"
58391 + depends on PAX_ASLR && X86_TSC && X86_32
58393 + By saying Y here the kernel will randomize every task's kernel
58394 + stack on every system call. This will not only force an attacker
58395 + to guess it but also prevent him from making use of possible
58396 + leaked information about it.
58398 + Since the kernel stack is a rather scarce resource, randomization
58399 + may cause unexpected stack overflows, therefore you should very
58400 + carefully test your system. Note that once enabled in the kernel
58401 + configuration, this feature cannot be disabled on a per file basis.
58403 +config PAX_RANDUSTACK
58404 + bool "Randomize user stack base"
58405 + depends on PAX_ASLR
58407 + By saying Y here the kernel will randomize every task's userland
58408 + stack. The randomization is done in two steps where the second
58409 + one may apply a big amount of shift to the top of the stack and
58410 + cause problems for programs that want to use lots of memory (more
58411 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
58412 + For this reason the second step can be controlled by 'chpax' or
58413 + 'paxctl' on a per file basis.
58415 +config PAX_RANDMMAP
58416 + bool "Randomize mmap() base"
58417 + depends on PAX_ASLR
58419 + By saying Y here the kernel will use a randomized base address for
58420 + mmap() requests that do not specify one themselves. As a result
58421 + all dynamically loaded libraries will appear at random addresses
58422 + and therefore be harder to exploit by a technique where an attacker
58423 + attempts to execute library code for his purposes (e.g. spawn a
58424 + shell from an exploited program that is running at an elevated
58425 + privilege level).
58427 + Furthermore, if a program is relinked as a dynamic ELF file, its
58428 + base address will be randomized as well, completing the full
58429 + randomization of the address space layout. Attacking such programs
58430 + becomes a guess game. You can find an example of doing this at
58431 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
58432 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
58434 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
58435 + feature on a per file basis.
58439 +menu "Miscellaneous hardening features"
58441 +config PAX_MEMORY_SANITIZE
58442 + bool "Sanitize all freed memory"
58444 + By saying Y here the kernel will erase memory pages as soon as they
58445 + are freed. This in turn reduces the lifetime of data stored in the
58446 + pages, making it less likely that sensitive information such as
58447 + passwords, cryptographic secrets, etc stay in memory for too long.
58449 + This is especially useful for programs whose runtime is short, long
58450 + lived processes and the kernel itself benefit from this as long as
58451 + they operate on whole memory pages and ensure timely freeing of pages
58452 + that may hold sensitive information.
58454 + The tradeoff is performance impact, on a single CPU system kernel
58455 + compilation sees a 3% slowdown, other systems and workloads may vary
58456 + and you are advised to test this feature on your expected workload
58457 + before deploying it.
58459 + Note that this feature does not protect data stored in live pages,
58460 + e.g., process memory swapped to disk may stay there for a long time.
58462 +config PAX_MEMORY_UDEREF
58463 + bool "Prevent invalid userland pointer dereference"
58464 + depends on X86 && !UML_X86 && !XEN
58465 + select PAX_PER_CPU_PGD if X86_64
58467 + By saying Y here the kernel will be prevented from dereferencing
58468 + userland pointers in contexts where the kernel expects only kernel
58469 + pointers. This is both a useful runtime debugging feature and a
58470 + security measure that prevents exploiting a class of kernel bugs.
58472 + The tradeoff is that some virtualization solutions may experience
58473 + a huge slowdown and therefore you should not enable this feature
58474 + for kernels meant to run in such environments. Whether a given VM
58475 + solution is affected or not is best determined by simply trying it
58476 + out, the performance impact will be obvious right on boot as this
58477 + mechanism engages from very early on. A good rule of thumb is that
58478 + VMs running on CPUs without hardware virtualization support (i.e.,
58479 + the majority of IA-32 CPUs) will likely experience the slowdown.
58481 +config PAX_REFCOUNT
58482 + bool "Prevent various kernel object reference counter overflows"
58483 + depends on GRKERNSEC && (X86 || SPARC64)
58485 + By saying Y here the kernel will detect and prevent overflowing
58486 + various (but not all) kinds of object reference counters. Such
58487 + overflows can normally occur due to bugs only and are often, if
58488 + not always, exploitable.
58490 + The tradeoff is that data structures protected by an overflowed
58491 + refcount will never be freed and therefore will leak memory. Note
58492 + that this leak also happens even without this protection but in
58493 + that case the overflow can eventually trigger the freeing of the
58494 + data structure while it is still being used elsewhere, resulting
58495 + in the exploitable situation that this feature prevents.
58497 + Since this has a negligible performance impact, you should enable
58500 +config PAX_USERCOPY
58501 + bool "Bounds check heap object copies between kernel and userland"
58502 + depends on X86 || PPC || SPARC
58503 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
58505 + By saying Y here the kernel will enforce the size of heap objects
58506 + when they are copied in either direction between the kernel and
58507 + userland, even if only a part of the heap object is copied.
58509 + Specifically, this checking prevents information leaking from the
58510 + kernel heap during kernel to userland copies (if the kernel heap
58511 + object is otherwise fully initialized) and prevents kernel heap
58512 + overflows during userland to kernel copies.
58514 + Note that the current implementation provides the strictest checks
58515 + for the SLUB allocator.
58517 + If frame pointers are enabled on x86, this option will also
58518 + restrict copies into and out of the kernel stack to local variables
58519 + within a single frame.
58521 + Since this has a negligible performance impact, you should enable
58529 bool "Enable access key retention support"
58531 @@ -124,7 +623,7 @@ config INTEL_TXT
58532 config LSM_MMAP_MIN_ADDR
58533 int "Low address space for LSM to protect from user allocation"
58534 depends on SECURITY && SECURITY_SELINUX
58538 This is the portion of low virtual memory which should be protected
58539 from userspace allocation. Keeping a user from writing to low pages
58540 diff -urNp linux-2.6.36.2/security/min_addr.c linux-2.6.36.2/security/min_addr.c
58541 --- linux-2.6.36.2/security/min_addr.c 2010-10-20 16:30:22.000000000 -0400
58542 +++ linux-2.6.36.2/security/min_addr.c 2010-12-09 20:24:07.000000000 -0500
58543 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
58545 static void update_mmap_min_addr(void)
58548 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
58549 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
58550 mmap_min_addr = dac_mmap_min_addr;
58551 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
58553 mmap_min_addr = dac_mmap_min_addr;
58559 diff -urNp linux-2.6.36.2/security/security.c linux-2.6.36.2/security/security.c
58560 --- linux-2.6.36.2/security/security.c 2010-10-20 16:30:22.000000000 -0400
58561 +++ linux-2.6.36.2/security/security.c 2010-12-09 20:24:07.000000000 -0500
58562 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
58563 /* things that live in capability.c */
58564 extern void __init security_fixup_ops(struct security_operations *ops);
58566 -static struct security_operations *security_ops;
58567 -static struct security_operations default_security_ops = {
58568 +static struct security_operations *security_ops __read_only;
58569 +static struct security_operations default_security_ops __read_only = {
58573 @@ -67,7 +67,9 @@ int __init security_init(void)
58575 void reset_security_ops(void)
58577 + pax_open_kernel();
58578 security_ops = &default_security_ops;
58579 + pax_close_kernel();
58582 /* Save user chosen LSM */
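Review bot: The pax_open_kernel()/pax_close_kernel() pair added in reset_security_ops() has no comment saying why it is needed. security_ops is declared `__read_only` in the previous hunk, so a plain store would presumably fault once that section is write-protected. I would add `/* security_ops is __read_only: open the write window for this one store only */` above `pax_open_kernel();`. Any other assignment to security_ops that can run after init needs the same bracket; those paths are outside these hunks and should be confirmed.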
58583 diff -urNp linux-2.6.36.2/security/selinux/hooks.c linux-2.6.36.2/security/selinux/hooks.c
58584 --- linux-2.6.36.2/security/selinux/hooks.c 2010-10-20 16:30:22.000000000 -0400
58585 +++ linux-2.6.36.2/security/selinux/hooks.c 2010-12-09 20:24:07.000000000 -0500
58587 #define NUM_SEL_MNT_OPTS 5
58589 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
58590 -extern struct security_operations *security_ops;
58592 /* SECMARK reference count */
58593 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
58594 @@ -5371,7 +5370,7 @@ static int selinux_key_getsecurity(struc
58598 -static struct security_operations selinux_ops = {
58599 +static struct security_operations selinux_ops __read_only = {
58602 .ptrace_access_check = selinux_ptrace_access_check,
58603 diff -urNp linux-2.6.36.2/security/smack/smack_lsm.c linux-2.6.36.2/security/smack/smack_lsm.c
58604 --- linux-2.6.36.2/security/smack/smack_lsm.c 2010-10-20 16:30:22.000000000 -0400
58605 +++ linux-2.6.36.2/security/smack/smack_lsm.c 2010-12-09 20:24:07.000000000 -0500
58606 @@ -3056,7 +3056,7 @@ static int smack_inode_getsecctx(struct
58610 -struct security_operations smack_ops = {
58611 +struct security_operations smack_ops __read_only = {
58614 .ptrace_access_check = smack_ptrace_access_check,
58615 diff -urNp linux-2.6.36.2/security/tomoyo/tomoyo.c linux-2.6.36.2/security/tomoyo/tomoyo.c
58616 --- linux-2.6.36.2/security/tomoyo/tomoyo.c 2010-10-20 16:30:22.000000000 -0400
58617 +++ linux-2.6.36.2/security/tomoyo/tomoyo.c 2010-12-09 20:24:07.000000000 -0500
58618 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
58619 * tomoyo_security_ops is a "struct security_operations" which is used for
58620 * registering TOMOYO.
58622 -static struct security_operations tomoyo_security_ops = {
58623 +static struct security_operations tomoyo_security_ops __read_only = {
58625 .cred_alloc_blank = tomoyo_cred_alloc_blank,
58626 .cred_prepare = tomoyo_cred_prepare,
58627 diff -urNp linux-2.6.36.2/sound/aoa/codecs/onyx.c linux-2.6.36.2/sound/aoa/codecs/onyx.c
58628 --- linux-2.6.36.2/sound/aoa/codecs/onyx.c 2010-10-20 16:30:22.000000000 -0400
58629 +++ linux-2.6.36.2/sound/aoa/codecs/onyx.c 2010-12-09 20:24:45.000000000 -0500
58630 @@ -54,7 +54,7 @@ struct onyx {
58635 + atomic_t open_count;
58636 struct codec_info *codec_info;
58638 /* mutex serializes concurrent access to the device
58639 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
58640 struct onyx *onyx = cii->codec_data;
58642 mutex_lock(&onyx->mutex);
58643 - onyx->open_count++;
58644 + atomic_inc(&onyx->open_count);
58645 mutex_unlock(&onyx->mutex);
58648 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
58649 struct onyx *onyx = cii->codec_data;
58651 mutex_lock(&onyx->mutex);
58652 - onyx->open_count--;
58653 - if (!onyx->open_count)
58654 + if (atomic_dec_and_test(&onyx->open_count))
58655 onyx->spdif_locked = onyx->analog_locked = 0;
58656 mutex_unlock(&onyx->mutex);
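Review bot: Both updates of open_count, in onyx_open() and here in onyx_close(), stay inside `mutex_lock(&onyx->mutex)`, so the switch to atomic_t is not needed for serialization and the reason for it is not recorded anywhere in these hunks. If the intent is to get overflow checking on the counter (an assumption, the patch does not say), note that on the field, e.g. `atomic_t open_count; /* atomic_t for overflow checking; still updated under mutex */`. Both function bodies continue outside the hunks.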
58658 diff -urNp linux-2.6.36.2/sound/core/oss/pcm_oss.c linux-2.6.36.2/sound/core/oss/pcm_oss.c
58659 --- linux-2.6.36.2/sound/core/oss/pcm_oss.c 2010-12-09 20:53:49.000000000 -0500
58660 +++ linux-2.6.36.2/sound/core/oss/pcm_oss.c 2010-12-09 20:54:46.000000000 -0500
58661 @@ -2969,8 +2969,8 @@ static void snd_pcm_oss_proc_done(struct
58664 #else /* !CONFIG_SND_VERBOSE_PROCFS */
58665 -#define snd_pcm_oss_proc_init(pcm)
58666 -#define snd_pcm_oss_proc_done(pcm)
58667 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
58668 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
58669 #endif /* CONFIG_SND_VERBOSE_PROCFS */
58672 diff -urNp linux-2.6.36.2/sound/core/seq/seq_lock.h linux-2.6.36.2/sound/core/seq/seq_lock.h
58673 --- linux-2.6.36.2/sound/core/seq/seq_lock.h 2010-10-20 16:30:22.000000000 -0400
58674 +++ linux-2.6.36.2/sound/core/seq/seq_lock.h 2010-12-09 20:24:46.000000000 -0500
58675 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
58676 #else /* SMP || CONFIG_SND_DEBUG */
58678 typedef spinlock_t snd_use_lock_t; /* dummy */
58679 -#define snd_use_lock_init(lockp) /**/
58680 -#define snd_use_lock_use(lockp) /**/
58681 -#define snd_use_lock_free(lockp) /**/
58682 -#define snd_use_lock_sync(lockp) /**/
58683 +#define snd_use_lock_init(lockp) do {} while (0)
58684 +#define snd_use_lock_use(lockp) do {} while (0)
58685 +#define snd_use_lock_free(lockp) do {} while (0)
58686 +#define snd_use_lock_sync(lockp) do {} while (0)
58688 #endif /* SMP || CONFIG_SND_DEBUG */
58690 diff -urNp linux-2.6.36.2/sound/drivers/mts64.c linux-2.6.36.2/sound/drivers/mts64.c
58691 --- linux-2.6.36.2/sound/drivers/mts64.c 2010-10-20 16:30:22.000000000 -0400
58692 +++ linux-2.6.36.2/sound/drivers/mts64.c 2010-12-09 20:24:45.000000000 -0500
58693 @@ -66,7 +66,7 @@ struct mts64 {
58694 struct pardevice *pardev;
58695 int pardev_claimed;
58698 + atomic_t open_count;
58699 int current_midi_output_port;
58700 int current_midi_input_port;
58701 u8 mode[MTS64_NUM_INPUT_PORTS];
58702 @@ -696,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
58704 struct mts64 *mts = substream->rmidi->private_data;
58706 - if (mts->open_count == 0) {
58707 + if (atomic_read(&mts->open_count) == 0) {
58708 /* We don't need a spinlock here, because this is just called
58709 if the device has not been opened before.
58710 So there aren't any IRQs from the device */
58711 @@ -704,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
58715 - ++(mts->open_count);
58716 + atomic_inc(&mts->open_count);
58720 @@ -714,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
58721 struct mts64 *mts = substream->rmidi->private_data;
58722 unsigned long flags;
58724 - --(mts->open_count);
58725 - if (mts->open_count == 0) {
58726 + if (atomic_dec_return(&mts->open_count) == 0) {
58727 /* We need the spinlock_irqsave here because we can still
58728 have IRQs at this point */
58729 spin_lock_irqsave(&mts->lock, flags);
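Review bot: The counter is read twice in snd_mts64_rawmidi_close(): `atomic_dec_return()` here and a separate `atomic_read()` in the `else if` of the next hunk, so the two branches can act on different values if another open or close runs in between. Capture the result once: `int cnt = atomic_dec_return(&mts->open_count);`, then `if (cnt == 0) {` and `} else if (cnt < 0)`. The open path has the same shape, testing `atomic_read(&mts->open_count) == 0` and calling `atomic_inc()` later in a separate hunk. Whether the callers are already serialized is not visible here, so the conversion alone should not be read as making these sequences atomic.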
58730 @@ -724,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
58734 - } else if (mts->open_count < 0)
58735 - mts->open_count = 0;
58736 + } else if (atomic_read(&mts->open_count) < 0)
58737 + atomic_set(&mts->open_count, 0);
58741 diff -urNp linux-2.6.36.2/sound/drivers/portman2x4.c linux-2.6.36.2/sound/drivers/portman2x4.c
58742 --- linux-2.6.36.2/sound/drivers/portman2x4.c 2010-10-20 16:30:22.000000000 -0400
58743 +++ linux-2.6.36.2/sound/drivers/portman2x4.c 2010-12-09 20:24:45.000000000 -0500
58744 @@ -84,7 +84,7 @@ struct portman {
58745 struct pardevice *pardev;
58746 int pardev_claimed;
58749 + atomic_t open_count;
58750 int mode[PORTMAN_NUM_INPUT_PORTS];
58751 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
58753 diff -urNp linux-2.6.36.2/sound/oss/sb_audio.c linux-2.6.36.2/sound/oss/sb_audio.c
58754 --- linux-2.6.36.2/sound/oss/sb_audio.c 2010-10-20 16:30:22.000000000 -0400
58755 +++ linux-2.6.36.2/sound/oss/sb_audio.c 2010-12-09 20:24:45.000000000 -0500
58756 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
58757 buf16 = (signed short *)(localbuf + localoffs);
58760 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
58761 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
58762 if (copy_from_user(lbuf8,
58763 userbuf+useroffs + p,
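Review bot: The `(unsigned)c` cast on the clamp line needs a comment, because nothing tells a reader that it exists to keep a negative `c` from reaching copy_from_user() as a length. Suggested: `/* compare as unsigned so a negative c is clamped to LBUFCOPYSIZE, never used as a copy length */`. With the cast a negative count still proceeds with a full LBUFCOPYSIZE copy rather than being rejected. If callers can actually pass one, an explicit early check on `c` would state the intent better. The declarations of `c` and `locallen` and the rest of sb16_copy_from_user are outside the hunk.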
58765 diff -urNp linux-2.6.36.2/sound/pci/ac97/ac97_codec.c linux-2.6.36.2/sound/pci/ac97/ac97_codec.c
58766 --- linux-2.6.36.2/sound/pci/ac97/ac97_codec.c 2010-10-20 16:30:22.000000000 -0400
58767 +++ linux-2.6.36.2/sound/pci/ac97/ac97_codec.c 2010-12-09 20:24:45.000000000 -0500
58768 @@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
58771 /* build_ops to do nothing */
58772 -static struct snd_ac97_build_ops null_build_ops;
58773 +static const struct snd_ac97_build_ops null_build_ops;
58775 #ifdef CONFIG_SND_AC97_POWER_SAVE
58776 static void do_update_power(struct work_struct *work)
58777 diff -urNp linux-2.6.36.2/sound/pci/ac97/ac97_patch.c linux-2.6.36.2/sound/pci/ac97/ac97_patch.c
58778 --- linux-2.6.36.2/sound/pci/ac97/ac97_patch.c 2010-10-20 16:30:22.000000000 -0400
58779 +++ linux-2.6.36.2/sound/pci/ac97/ac97_patch.c 2010-12-09 20:24:44.000000000 -0500
58780 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
58784 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
58785 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
58786 .build_spdif = patch_yamaha_ymf743_build_spdif,
58787 .build_3d = patch_yamaha_ymf7x3_3d,
58789 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
58793 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
58794 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
58795 .build_3d = patch_yamaha_ymf7x3_3d,
58796 .build_post_spdif = patch_yamaha_ymf753_post_spdif
58798 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
58802 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
58803 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
58804 .build_specific = patch_wolfson_wm9703_specific,
58807 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
58811 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
58812 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
58813 .build_specific = patch_wolfson_wm9704_specific,
58816 @@ -677,7 +677,7 @@ static int patch_wolfson_wm9711_specific
58820 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
58821 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
58822 .build_specific = patch_wolfson_wm9711_specific,
58825 @@ -871,7 +871,7 @@ static void patch_wolfson_wm9713_resume
58829 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
58830 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
58831 .build_specific = patch_wolfson_wm9713_specific,
58832 .build_3d = patch_wolfson_wm9713_3d,
58834 @@ -976,7 +976,7 @@ static int patch_sigmatel_stac97xx_speci
58838 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
58839 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
58840 .build_3d = patch_sigmatel_stac9700_3d,
58841 .build_specific = patch_sigmatel_stac97xx_specific
58843 @@ -1023,7 +1023,7 @@ static int patch_sigmatel_stac9708_speci
58844 return patch_sigmatel_stac97xx_specific(ac97);
58847 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
58848 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
58849 .build_3d = patch_sigmatel_stac9708_3d,
58850 .build_specific = patch_sigmatel_stac9708_specific
58852 @@ -1252,7 +1252,7 @@ static int patch_sigmatel_stac9758_speci
58856 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
58857 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
58858 .build_3d = patch_sigmatel_stac9700_3d,
58859 .build_specific = patch_sigmatel_stac9758_specific
58861 @@ -1327,7 +1327,7 @@ static int patch_cirrus_build_spdif(stru
58865 -static struct snd_ac97_build_ops patch_cirrus_ops = {
58866 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
58867 .build_spdif = patch_cirrus_build_spdif
58870 @@ -1384,7 +1384,7 @@ static int patch_conexant_build_spdif(st
58874 -static struct snd_ac97_build_ops patch_conexant_ops = {
58875 +static const struct snd_ac97_build_ops patch_conexant_ops = {
58876 .build_spdif = patch_conexant_build_spdif
58879 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
58880 { AC97_VIDEO, 0x9f1f },
58881 { AC97_AUX, 0x9f1f },
58882 { AC97_PCM, 0x9f1f },
58883 - { } /* terminator */
58884 + { 0, 0 } /* terminator */
58887 static int patch_ad1819(struct snd_ac97 * ac97)
58888 @@ -1560,7 +1560,7 @@ static void patch_ad1881_chained(struct
58892 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
58893 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
58895 .resume = ad18xx_resume
58897 @@ -1647,7 +1647,7 @@ static int patch_ad1885_specific(struct
58901 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
58902 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
58903 .build_specific = &patch_ad1885_specific,
58905 .resume = ad18xx_resume
58906 @@ -1674,7 +1674,7 @@ static int patch_ad1886_specific(struct
58910 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
58911 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
58912 .build_specific = &patch_ad1886_specific,
58914 .resume = ad18xx_resume
58915 @@ -1881,7 +1881,7 @@ static int patch_ad1981a_specific(struct
58916 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
58919 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
58920 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
58921 .build_post_spdif = patch_ad198x_post_spdif,
58922 .build_specific = patch_ad1981a_specific,
58924 @@ -1936,7 +1936,7 @@ static int patch_ad1981b_specific(struct
58925 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
58928 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
58929 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
58930 .build_post_spdif = patch_ad198x_post_spdif,
58931 .build_specific = patch_ad1981b_specific,
58933 @@ -2075,7 +2075,7 @@ static int patch_ad1888_specific(struct
58934 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
58937 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
58938 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
58939 .build_post_spdif = patch_ad198x_post_spdif,
58940 .build_specific = patch_ad1888_specific,
58942 @@ -2124,7 +2124,7 @@ static int patch_ad1980_specific(struct
58943 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
58946 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
58947 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
58948 .build_post_spdif = patch_ad198x_post_spdif,
58949 .build_specific = patch_ad1980_specific,
58951 @@ -2239,7 +2239,7 @@ static int patch_ad1985_specific(struct
58952 ARRAY_SIZE(snd_ac97_ad1985_controls));
58955 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
58956 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
58957 .build_post_spdif = patch_ad198x_post_spdif,
58958 .build_specific = patch_ad1985_specific,
58960 @@ -2531,7 +2531,7 @@ static int patch_ad1986_specific(struct
58961 ARRAY_SIZE(snd_ac97_ad1985_controls));
58964 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
58965 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
58966 .build_post_spdif = patch_ad198x_post_spdif,
58967 .build_specific = patch_ad1986_specific,
58969 @@ -2636,7 +2636,7 @@ static int patch_alc650_specific(struct
58973 -static struct snd_ac97_build_ops patch_alc650_ops = {
58974 +static const struct snd_ac97_build_ops patch_alc650_ops = {
58975 .build_specific = patch_alc650_specific,
58976 .update_jacks = alc650_update_jacks
58978 @@ -2788,7 +2788,7 @@ static int patch_alc655_specific(struct
58982 -static struct snd_ac97_build_ops patch_alc655_ops = {
58983 +static const struct snd_ac97_build_ops patch_alc655_ops = {
58984 .build_specific = patch_alc655_specific,
58985 .update_jacks = alc655_update_jacks
58987 @@ -2900,7 +2900,7 @@ static int patch_alc850_specific(struct
58991 -static struct snd_ac97_build_ops patch_alc850_ops = {
58992 +static const struct snd_ac97_build_ops patch_alc850_ops = {
58993 .build_specific = patch_alc850_specific,
58994 .update_jacks = alc850_update_jacks
58996 @@ -2962,7 +2962,7 @@ static int patch_cm9738_specific(struct
58997 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
59000 -static struct snd_ac97_build_ops patch_cm9738_ops = {
59001 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
59002 .build_specific = patch_cm9738_specific,
59003 .update_jacks = cm9738_update_jacks
59005 @@ -3053,7 +3053,7 @@ static int patch_cm9739_post_spdif(struc
59006 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
59009 -static struct snd_ac97_build_ops patch_cm9739_ops = {
59010 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
59011 .build_specific = patch_cm9739_specific,
59012 .build_post_spdif = patch_cm9739_post_spdif,
59013 .update_jacks = cm9739_update_jacks
59014 @@ -3227,7 +3227,7 @@ static int patch_cm9761_specific(struct
59015 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
59018 -static struct snd_ac97_build_ops patch_cm9761_ops = {
59019 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
59020 .build_specific = patch_cm9761_specific,
59021 .build_post_spdif = patch_cm9761_post_spdif,
59022 .update_jacks = cm9761_update_jacks
59023 @@ -3323,7 +3323,7 @@ static int patch_cm9780_specific(struct
59024 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
59027 -static struct snd_ac97_build_ops patch_cm9780_ops = {
59028 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
59029 .build_specific = patch_cm9780_specific,
59030 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
59032 @@ -3443,7 +3443,7 @@ static int patch_vt1616_specific(struct
59036 -static struct snd_ac97_build_ops patch_vt1616_ops = {
59037 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
59038 .build_specific = patch_vt1616_specific
59041 @@ -3797,7 +3797,7 @@ static int patch_it2646_specific(struct
59045 -static struct snd_ac97_build_ops patch_it2646_ops = {
59046 +static const struct snd_ac97_build_ops patch_it2646_ops = {
59047 .build_specific = patch_it2646_specific,
59048 .update_jacks = it2646_update_jacks
59050 @@ -3831,7 +3831,7 @@ static int patch_si3036_specific(struct
59054 -static struct snd_ac97_build_ops patch_si3036_ops = {
59055 +static const struct snd_ac97_build_ops patch_si3036_ops = {
59056 .build_specific = patch_si3036_specific,
59059 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
59060 { AC97_AUX, 0x1f1f },
59061 { AC97_PCM, 0x1f1f },
59062 { AC97_REC_GAIN, 0x0f0f },
59063 - { } /* terminator */
59064 + { 0, 0 } /* terminator */
59067 static int patch_lm4550(struct snd_ac97 *ac97)
59068 @@ -3898,7 +3898,7 @@ static int patch_ucb1400_specific(struct
59072 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
59073 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
59074 .build_specific = patch_ucb1400_specific,
59077 diff -urNp linux-2.6.36.2/sound/pci/ens1370.c linux-2.6.36.2/sound/pci/ens1370.c
59078 --- linux-2.6.36.2/sound/pci/ens1370.c 2010-10-20 16:30:22.000000000 -0400
59079 +++ linux-2.6.36.2/sound/pci/ens1370.c 2010-12-09 20:24:44.000000000 -0500
59080 @@ -452,7 +452,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
59081 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
59082 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
59085 + { 0, 0, 0, 0, 0, 0, 0 }
59088 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
59089 diff -urNp linux-2.6.36.2/sound/pci/hda/patch_hdmi.c linux-2.6.36.2/sound/pci/hda/patch_hdmi.c
59090 --- linux-2.6.36.2/sound/pci/hda/patch_hdmi.c 2010-10-20 16:30:22.000000000 -0400
59091 +++ linux-2.6.36.2/sound/pci/hda/patch_hdmi.c 2010-12-09 20:24:44.000000000 -0500
59092 @@ -671,10 +671,10 @@ static void hdmi_non_intrinsic_event(str
59107 diff -urNp linux-2.6.36.2/sound/pci/intel8x0.c linux-2.6.36.2/sound/pci/intel8x0.c
59108 --- linux-2.6.36.2/sound/pci/intel8x0.c 2010-12-09 20:53:49.000000000 -0500
59109 +++ linux-2.6.36.2/sound/pci/intel8x0.c 2010-12-09 20:54:46.000000000 -0500
59110 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
59111 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
59112 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
59113 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
59115 + { 0, 0, 0, 0, 0, 0, 0 }
59118 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
59119 @@ -2141,7 +2141,7 @@ static struct ac97_quirk ac97_quirks[] _
59120 .type = AC97_TUNE_HP_ONLY
59123 - { } /* terminator */
59124 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
59127 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
59128 diff -urNp linux-2.6.36.2/sound/pci/intel8x0m.c linux-2.6.36.2/sound/pci/intel8x0m.c
59129 --- linux-2.6.36.2/sound/pci/intel8x0m.c 2010-10-20 16:30:22.000000000 -0400
59130 +++ linux-2.6.36.2/sound/pci/intel8x0m.c 2010-12-09 20:24:44.000000000 -0500
59131 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
59132 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
59133 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
59136 + { 0, 0, 0, 0, 0, 0, 0 }
59139 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
59140 @@ -1264,7 +1264,7 @@ static struct shortname_table {
59141 { 0x5455, "ALi M5455" },
59142 { 0x746d, "AMD AMD8111" },
59148 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
59149 diff -urNp linux-2.6.36.2/usr/gen_init_cpio.c linux-2.6.36.2/usr/gen_init_cpio.c
59150 --- linux-2.6.36.2/usr/gen_init_cpio.c 2010-10-20 16:30:22.000000000 -0400
59151 +++ linux-2.6.36.2/usr/gen_init_cpio.c 2010-12-09 20:24:52.000000000 -0500
59152 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
59161 @@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
59162 *env_var = *expanded = '\0';
59163 strncat(env_var, start + 2, end - start - 2);
59164 strncat(expanded, new_location, start - new_location);
59165 - strncat(expanded, getenv(env_var), PATH_MAX);
59166 - strncat(expanded, end + 1, PATH_MAX);
59167 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
59168 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
59169 strncpy(new_location, expanded, PATH_MAX);
59170 + new_location[PATH_MAX] = 0;
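Review bot: `getenv(env_var)` is passed straight to strncat() and returns NULL when the variable is unset, which is undefined behaviour that the new length bound does not cover. Guard it with `const char *val = getenv(env_var);` followed by `if (val) strncat(expanded, val, PATH_MAX - strlen(expanded));`. The added `new_location[PATH_MAX] = 0;` and the `PATH_MAX - strlen(expanded)` bounds are only in range if both buffers hold PATH_MAX + 1 bytes; their declarations are outside the hunk and should be confirmed. The two strncat() calls above the changed lines still take lengths derived from the input (`end - start - 2`, `start - new_location`) with no check against the destination size visible here.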
59174 diff -urNp linux-2.6.36.2/virt/kvm/kvm_main.c linux-2.6.36.2/virt/kvm/kvm_main.c
59175 --- linux-2.6.36.2/virt/kvm/kvm_main.c 2010-10-20 16:30:22.000000000 -0400
59176 +++ linux-2.6.36.2/virt/kvm/kvm_main.c 2010-12-09 20:25:15.000000000 -0500
59177 @@ -1300,6 +1300,7 @@ static int kvm_vcpu_release(struct inode
59181 +/* cannot be const */
59182 static struct file_operations kvm_vcpu_fops = {
59183 .release = kvm_vcpu_release,
59184 .unlocked_ioctl = kvm_vcpu_ioctl,
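Review bot: The new `/* cannot be const */` comment on kvm_vcpu_fops does not say why, so a later constification pass has nothing to check it against. If the reason is that a member is assigned at run time (presumably `.owner`, set during module init outside these hunks; confirm), spell it out: `/* cannot be const: .owner is assigned at run time */`. The same applies to the identical comments added on kvm_vm_fops and kvm_chardev_ops in the next two hunks.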
59185 @@ -1767,6 +1768,7 @@ static int kvm_vm_mmap(struct file *file
59189 +/* cannot be const */
59190 static struct file_operations kvm_vm_fops = {
59191 .release = kvm_vm_release,
59192 .unlocked_ioctl = kvm_vm_ioctl,
59193 @@ -1864,6 +1866,7 @@ out:
59197 +/* cannot be const */
59198 static struct file_operations kvm_chardev_ops = {
59199 .unlocked_ioctl = kvm_dev_ioctl,
59200 .compat_ioctl = kvm_dev_ioctl,
59201 @@ -1873,6 +1876,9 @@ static struct miscdevice kvm_dev = {
59210 static void hardware_enable(void *junk)
59211 @@ -1974,7 +1980,7 @@ asmlinkage void kvm_handle_fault_on_rebo
59212 /* spin while reset goes on */
59213 local_irq_enable();
59218 /* Fault while not rebooting. We want the trace. */
59220 @@ -2208,7 +2214,7 @@ static void kvm_sched_out(struct preempt
59221 kvm_arch_vcpu_put(vcpu);
59224 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59225 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59226 struct module *module)