1 diff -urNp linux-2.6.35.4/arch/alpha/include/asm/dma-mapping.h linux-2.6.35.4/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.35.4/arch/alpha/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3 +++ linux-2.6.35.4/arch/alpha/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
6 #include <linux/dma-attrs.h>
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
16 diff -urNp linux-2.6.35.4/arch/alpha/include/asm/elf.h linux-2.6.35.4/arch/alpha/include/asm/elf.h
17 --- linux-2.6.35.4/arch/alpha/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
18 +++ linux-2.6.35.4/arch/alpha/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.35.4/arch/alpha/include/asm/pgtable.h linux-2.6.35.4/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.35.4/arch/alpha/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
35 +++ linux-2.6.35.4/arch/alpha/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.35.4/arch/alpha/kernel/module.c linux-2.6.35.4/arch/alpha/kernel/module.c
55 --- linux-2.6.35.4/arch/alpha/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
56 +++ linux-2.6.35.4/arch/alpha/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
65 for (i = 0; i < n; i++) {
66 diff -urNp linux-2.6.35.4/arch/alpha/kernel/osf_sys.c linux-2.6.35.4/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.35.4/arch/alpha/kernel/osf_sys.c 2010-08-26 19:47:12.000000000 -0400
68 +++ linux-2.6.35.4/arch/alpha/kernel/osf_sys.c 2010-09-17 20:12:09.000000000 -0400
69 @@ -1170,7 +1170,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
73 - if (!vma || addr + len <= vma->vm_start)
74 + if (check_heap_stack_gap(vma, addr, len))
78 @@ -1206,6 +1206,10 @@ arch_get_unmapped_area(struct file *filp
79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
82 +#ifdef CONFIG_PAX_RANDMMAP
83 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
89 @@ -1213,8 +1217,8 @@ arch_get_unmapped_area(struct file *filp
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
95 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
97 if (addr != (unsigned long) -ENOMEM)
100 diff -urNp linux-2.6.35.4/arch/alpha/kernel/pci_iommu.c linux-2.6.35.4/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.35.4/arch/alpha/kernel/pci_iommu.c 2010-08-26 19:47:12.000000000 -0400
102 +++ linux-2.6.35.4/arch/alpha/kernel/pci_iommu.c 2010-09-17 20:12:09.000000000 -0400
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.35.4/arch/alpha/kernel/pci-noop.c linux-2.6.35.4/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.35.4/arch/alpha/kernel/pci-noop.c 2010-08-26 19:47:12.000000000 -0400
121 +++ linux-2.6.35.4/arch/alpha/kernel/pci-noop.c 2010-09-17 20:12:09.000000000 -0400
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.35.4/arch/alpha/mm/fault.c linux-2.6.35.4/arch/alpha/mm/fault.c
141 --- linux-2.6.35.4/arch/alpha/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
142 +++ linux-2.6.35.4/arch/alpha/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
147 +#ifdef CONFIG_PAX_PAGEEXEC
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
158 +#ifdef CONFIG_PAX_EMUPLT
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
214 + do { /* PaX: unpatched PLT emulation */
217 + err = get_user(br, (unsigned int *)regs->pc);
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
250 +void pax_report_insns(void *pc, void *sp)
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
260 + printk(KERN_CONT "%08x ", c);
267 * This routine handles page faults. It determines the address,
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
270 si_code = SEGV_ACCERR;
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
282 +#ifdef CONFIG_PAX_EMUPLT
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
299 diff -urNp linux-2.6.35.4/arch/arm/include/asm/elf.h linux-2.6.35.4/arch/arm/include/asm/elf.h
300 --- linux-2.6.35.4/arch/arm/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
301 +++ linux-2.6.35.4/arch/arm/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
302 @@ -111,7 +111,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
318 diff -urNp linux-2.6.35.4/arch/arm/include/asm/kmap_types.h linux-2.6.35.4/arch/arm/include/asm/kmap_types.h
319 --- linux-2.6.35.4/arch/arm/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
320 +++ linux-2.6.35.4/arch/arm/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
321 @@ -21,6 +21,7 @@ enum km_type {
329 diff -urNp linux-2.6.35.4/arch/arm/include/asm/uaccess.h linux-2.6.35.4/arch/arm/include/asm/uaccess.h
330 --- linux-2.6.35.4/arch/arm/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
331 +++ linux-2.6.35.4/arch/arm/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
332 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
334 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
339 if (access_ok(VERIFY_READ, from, n))
340 n = __copy_from_user(to, from, n);
341 else /* security hole - plug it */
342 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
344 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
349 if (access_ok(VERIFY_WRITE, to, n))
350 n = __copy_to_user(to, from, n);
352 diff -urNp linux-2.6.35.4/arch/arm/kernel/kgdb.c linux-2.6.35.4/arch/arm/kernel/kgdb.c
353 --- linux-2.6.35.4/arch/arm/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
354 +++ linux-2.6.35.4/arch/arm/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
355 @@ -208,7 +208,7 @@ void kgdb_arch_exit(void)
356 * and we handle the normal undef case within the do_undefinstr
359 -struct kgdb_arch arch_kgdb_ops = {
360 +const struct kgdb_arch arch_kgdb_ops = {
362 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
363 #else /* ! __ARMEB__ */
364 diff -urNp linux-2.6.35.4/arch/arm/mach-at91/pm.c linux-2.6.35.4/arch/arm/mach-at91/pm.c
365 --- linux-2.6.35.4/arch/arm/mach-at91/pm.c 2010-08-26 19:47:12.000000000 -0400
366 +++ linux-2.6.35.4/arch/arm/mach-at91/pm.c 2010-09-17 20:12:09.000000000 -0400
367 @@ -294,7 +294,7 @@ static void at91_pm_end(void)
371 -static struct platform_suspend_ops at91_pm_ops ={
372 +static const struct platform_suspend_ops at91_pm_ops ={
373 .valid = at91_pm_valid_state,
374 .begin = at91_pm_begin,
375 .enter = at91_pm_enter,
376 diff -urNp linux-2.6.35.4/arch/arm/mach-davinci/pm.c linux-2.6.35.4/arch/arm/mach-davinci/pm.c
377 --- linux-2.6.35.4/arch/arm/mach-davinci/pm.c 2010-08-26 19:47:12.000000000 -0400
378 +++ linux-2.6.35.4/arch/arm/mach-davinci/pm.c 2010-09-17 20:12:09.000000000 -0400
379 @@ -110,7 +110,7 @@ static int davinci_pm_enter(suspend_stat
383 -static struct platform_suspend_ops davinci_pm_ops = {
384 +static const struct platform_suspend_ops davinci_pm_ops = {
385 .enter = davinci_pm_enter,
386 .valid = suspend_valid_only_mem,
388 diff -urNp linux-2.6.35.4/arch/arm/mach-msm/last_radio_log.c linux-2.6.35.4/arch/arm/mach-msm/last_radio_log.c
389 --- linux-2.6.35.4/arch/arm/mach-msm/last_radio_log.c 2010-08-26 19:47:12.000000000 -0400
390 +++ linux-2.6.35.4/arch/arm/mach-msm/last_radio_log.c 2010-09-17 20:12:09.000000000 -0400
391 @@ -47,6 +47,7 @@ static ssize_t last_radio_log_read(struc
395 +/* cannot be const, see msm_init_last_radio_log */
396 static struct file_operations last_radio_log_fops = {
397 .read = last_radio_log_read
399 diff -urNp linux-2.6.35.4/arch/arm/mach-omap1/pm.c linux-2.6.35.4/arch/arm/mach-omap1/pm.c
400 --- linux-2.6.35.4/arch/arm/mach-omap1/pm.c 2010-08-26 19:47:12.000000000 -0400
401 +++ linux-2.6.35.4/arch/arm/mach-omap1/pm.c 2010-09-17 20:12:09.000000000 -0400
402 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
406 -static struct platform_suspend_ops omap_pm_ops ={
407 +static const struct platform_suspend_ops omap_pm_ops ={
408 .prepare = omap_pm_prepare,
409 .enter = omap_pm_enter,
410 .finish = omap_pm_finish,
411 diff -urNp linux-2.6.35.4/arch/arm/mach-omap2/pm24xx.c linux-2.6.35.4/arch/arm/mach-omap2/pm24xx.c
412 --- linux-2.6.35.4/arch/arm/mach-omap2/pm24xx.c 2010-08-26 19:47:12.000000000 -0400
413 +++ linux-2.6.35.4/arch/arm/mach-omap2/pm24xx.c 2010-09-17 20:12:09.000000000 -0400
414 @@ -325,7 +325,7 @@ static void omap2_pm_finish(void)
418 -static struct platform_suspend_ops omap_pm_ops = {
419 +static const struct platform_suspend_ops omap_pm_ops = {
420 .prepare = omap2_pm_prepare,
421 .enter = omap2_pm_enter,
422 .finish = omap2_pm_finish,
423 diff -urNp linux-2.6.35.4/arch/arm/mach-omap2/pm34xx.c linux-2.6.35.4/arch/arm/mach-omap2/pm34xx.c
424 --- linux-2.6.35.4/arch/arm/mach-omap2/pm34xx.c 2010-08-26 19:47:12.000000000 -0400
425 +++ linux-2.6.35.4/arch/arm/mach-omap2/pm34xx.c 2010-09-17 20:12:09.000000000 -0400
426 @@ -669,7 +669,7 @@ static void omap3_pm_end(void)
430 -static struct platform_suspend_ops omap_pm_ops = {
431 +static const struct platform_suspend_ops omap_pm_ops = {
432 .begin = omap3_pm_begin,
434 .prepare = omap3_pm_prepare,
435 diff -urNp linux-2.6.35.4/arch/arm/mach-pnx4008/pm.c linux-2.6.35.4/arch/arm/mach-pnx4008/pm.c
436 --- linux-2.6.35.4/arch/arm/mach-pnx4008/pm.c 2010-08-26 19:47:12.000000000 -0400
437 +++ linux-2.6.35.4/arch/arm/mach-pnx4008/pm.c 2010-09-17 20:12:09.000000000 -0400
438 @@ -119,7 +119,7 @@ static int pnx4008_pm_valid(suspend_stat
439 (state == PM_SUSPEND_MEM);
442 -static struct platform_suspend_ops pnx4008_pm_ops = {
443 +static const struct platform_suspend_ops pnx4008_pm_ops = {
444 .enter = pnx4008_pm_enter,
445 .valid = pnx4008_pm_valid,
447 diff -urNp linux-2.6.35.4/arch/arm/mach-pxa/pm.c linux-2.6.35.4/arch/arm/mach-pxa/pm.c
448 --- linux-2.6.35.4/arch/arm/mach-pxa/pm.c 2010-08-26 19:47:12.000000000 -0400
449 +++ linux-2.6.35.4/arch/arm/mach-pxa/pm.c 2010-09-17 20:12:09.000000000 -0400
450 @@ -96,7 +96,7 @@ void pxa_pm_finish(void)
451 pxa_cpu_pm_fns->finish();
454 -static struct platform_suspend_ops pxa_pm_ops = {
455 +static const struct platform_suspend_ops pxa_pm_ops = {
456 .valid = pxa_pm_valid,
457 .enter = pxa_pm_enter,
458 .prepare = pxa_pm_prepare,
459 diff -urNp linux-2.6.35.4/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.35.4/arch/arm/mach-pxa/sharpsl_pm.c
460 --- linux-2.6.35.4/arch/arm/mach-pxa/sharpsl_pm.c 2010-08-26 19:47:12.000000000 -0400
461 +++ linux-2.6.35.4/arch/arm/mach-pxa/sharpsl_pm.c 2010-09-17 20:12:09.000000000 -0400
462 @@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
466 -static struct platform_suspend_ops sharpsl_pm_ops = {
467 +static const struct platform_suspend_ops sharpsl_pm_ops = {
468 .prepare = pxa_pm_prepare,
469 .finish = pxa_pm_finish,
470 .enter = corgi_pxa_pm_enter,
471 diff -urNp linux-2.6.35.4/arch/arm/mach-sa1100/pm.c linux-2.6.35.4/arch/arm/mach-sa1100/pm.c
472 --- linux-2.6.35.4/arch/arm/mach-sa1100/pm.c 2010-08-26 19:47:12.000000000 -0400
473 +++ linux-2.6.35.4/arch/arm/mach-sa1100/pm.c 2010-09-17 20:12:09.000000000 -0400
474 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
475 return virt_to_phys(sp);
478 -static struct platform_suspend_ops sa11x0_pm_ops = {
479 +static const struct platform_suspend_ops sa11x0_pm_ops = {
480 .enter = sa11x0_pm_enter,
481 .valid = suspend_valid_only_mem,
483 diff -urNp linux-2.6.35.4/arch/arm/mm/fault.c linux-2.6.35.4/arch/arm/mm/fault.c
484 --- linux-2.6.35.4/arch/arm/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
485 +++ linux-2.6.35.4/arch/arm/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
486 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
490 +#ifdef CONFIG_PAX_PAGEEXEC
491 + if (fsr & FSR_LNX_PF) {
492 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
493 + do_group_exit(SIGKILL);
497 tsk->thread.address = addr;
498 tsk->thread.error_code = fsr;
499 tsk->thread.trap_no = 14;
500 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
502 #endif /* CONFIG_MMU */
504 +#ifdef CONFIG_PAX_PAGEEXEC
505 +void pax_report_insns(void *pc, void *sp)
509 + printk(KERN_ERR "PAX: bytes at PC: ");
510 + for (i = 0; i < 20; i++) {
512 + if (get_user(c, (__force unsigned char __user *)pc+i))
513 + printk(KERN_CONT "?? ");
515 + printk(KERN_CONT "%02x ", c);
519 + printk(KERN_ERR "PAX: bytes at SP-4: ");
520 + for (i = -1; i < 20; i++) {
522 + if (get_user(c, (__force unsigned long __user *)sp+i))
523 + printk(KERN_CONT "???????? ");
525 + printk(KERN_CONT "%08lx ", c);
532 * First Level Translation Fault Handler
534 diff -urNp linux-2.6.35.4/arch/arm/mm/mmap.c linux-2.6.35.4/arch/arm/mm/mmap.c
535 --- linux-2.6.35.4/arch/arm/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
536 +++ linux-2.6.35.4/arch/arm/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
537 @@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
541 +#ifdef CONFIG_PAX_RANDMMAP
542 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
547 addr = COLOUR_ALIGN(addr, pgoff);
548 @@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
549 addr = PAGE_ALIGN(addr);
551 vma = find_vma(mm, addr);
552 - if (TASK_SIZE - len >= addr &&
553 - (!vma || addr + len <= vma->vm_start))
554 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
557 if (len > mm->cached_hole_size) {
558 - start_addr = addr = mm->free_area_cache;
559 + start_addr = addr = mm->free_area_cache;
561 - start_addr = addr = TASK_UNMAPPED_BASE;
562 - mm->cached_hole_size = 0;
563 + start_addr = addr = mm->mmap_base;
564 + mm->cached_hole_size = 0;
568 @@ -94,14 +97,14 @@ full_search:
569 * Start a new search - just in case we missed
572 - if (start_addr != TASK_UNMAPPED_BASE) {
573 - start_addr = addr = TASK_UNMAPPED_BASE;
574 + if (start_addr != mm->mmap_base) {
575 + start_addr = addr = mm->mmap_base;
576 mm->cached_hole_size = 0;
581 - if (!vma || addr + len <= vma->vm_start) {
582 + if (check_heap_stack_gap(vma, addr, len)) {
584 * Remember the place where we stopped the search:
586 diff -urNp linux-2.6.35.4/arch/arm/plat-samsung/pm.c linux-2.6.35.4/arch/arm/plat-samsung/pm.c
587 --- linux-2.6.35.4/arch/arm/plat-samsung/pm.c 2010-08-26 19:47:12.000000000 -0400
588 +++ linux-2.6.35.4/arch/arm/plat-samsung/pm.c 2010-09-17 20:12:09.000000000 -0400
589 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
590 s3c_pm_check_cleanup();
593 -static struct platform_suspend_ops s3c_pm_ops = {
594 +static const struct platform_suspend_ops s3c_pm_ops = {
595 .enter = s3c_pm_enter,
596 .prepare = s3c_pm_prepare,
597 .finish = s3c_pm_finish,
598 diff -urNp linux-2.6.35.4/arch/avr32/include/asm/elf.h linux-2.6.35.4/arch/avr32/include/asm/elf.h
599 --- linux-2.6.35.4/arch/avr32/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
600 +++ linux-2.6.35.4/arch/avr32/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
601 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
602 the loader. We need to make sure that it is out of the way of the program
603 that it will "exec", and that there is sufficient room for the brk. */
605 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
606 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
608 +#ifdef CONFIG_PAX_ASLR
609 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
611 +#define PAX_DELTA_MMAP_LEN 15
612 +#define PAX_DELTA_STACK_LEN 15
615 /* This yields a mask that user programs can use to figure out what
616 instruction set this CPU supports. This could be done in user space,
617 diff -urNp linux-2.6.35.4/arch/avr32/include/asm/kmap_types.h linux-2.6.35.4/arch/avr32/include/asm/kmap_types.h
618 --- linux-2.6.35.4/arch/avr32/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
619 +++ linux-2.6.35.4/arch/avr32/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
620 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
630 diff -urNp linux-2.6.35.4/arch/avr32/mach-at32ap/pm.c linux-2.6.35.4/arch/avr32/mach-at32ap/pm.c
631 --- linux-2.6.35.4/arch/avr32/mach-at32ap/pm.c 2010-08-26 19:47:12.000000000 -0400
632 +++ linux-2.6.35.4/arch/avr32/mach-at32ap/pm.c 2010-09-17 20:12:09.000000000 -0400
633 @@ -176,7 +176,7 @@ out:
637 -static struct platform_suspend_ops avr32_pm_ops = {
638 +static const struct platform_suspend_ops avr32_pm_ops = {
639 .valid = avr32_pm_valid_state,
640 .enter = avr32_pm_enter,
642 diff -urNp linux-2.6.35.4/arch/avr32/mm/fault.c linux-2.6.35.4/arch/avr32/mm/fault.c
643 --- linux-2.6.35.4/arch/avr32/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
644 +++ linux-2.6.35.4/arch/avr32/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
645 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
647 int exception_trace = 1;
649 +#ifdef CONFIG_PAX_PAGEEXEC
650 +void pax_report_insns(void *pc, void *sp)
654 + printk(KERN_ERR "PAX: bytes at PC: ");
655 + for (i = 0; i < 20; i++) {
657 + if (get_user(c, (unsigned char *)pc+i))
658 + printk(KERN_CONT "???????? ");
660 + printk(KERN_CONT "%02x ", c);
667 * This routine handles page faults. It determines the address and the
668 * problem, and then passes it off to one of the appropriate routines.
669 @@ -157,6 +174,16 @@ bad_area:
670 up_read(&mm->mmap_sem);
672 if (user_mode(regs)) {
674 +#ifdef CONFIG_PAX_PAGEEXEC
675 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
676 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
677 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
678 + do_group_exit(SIGKILL);
683 if (exception_trace && printk_ratelimit())
684 printk("%s%s[%d]: segfault at %08lx pc %08lx "
685 "sp %08lx ecr %lu\n",
686 diff -urNp linux-2.6.35.4/arch/blackfin/kernel/kgdb.c linux-2.6.35.4/arch/blackfin/kernel/kgdb.c
687 --- linux-2.6.35.4/arch/blackfin/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
688 +++ linux-2.6.35.4/arch/blackfin/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
689 @@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
690 return -1; /* this means that we do not want to exit from the handler */
693 -struct kgdb_arch arch_kgdb_ops = {
694 +const struct kgdb_arch arch_kgdb_ops = {
695 .gdb_bpt_instr = {0xa1},
697 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
698 diff -urNp linux-2.6.35.4/arch/blackfin/mach-common/pm.c linux-2.6.35.4/arch/blackfin/mach-common/pm.c
699 --- linux-2.6.35.4/arch/blackfin/mach-common/pm.c 2010-08-26 19:47:12.000000000 -0400
700 +++ linux-2.6.35.4/arch/blackfin/mach-common/pm.c 2010-09-17 20:12:09.000000000 -0400
701 @@ -232,7 +232,7 @@ static int bfin_pm_enter(suspend_state_t
705 -struct platform_suspend_ops bfin_pm_ops = {
706 +const struct platform_suspend_ops bfin_pm_ops = {
707 .enter = bfin_pm_enter,
708 .valid = bfin_pm_valid,
710 diff -urNp linux-2.6.35.4/arch/blackfin/mm/maccess.c linux-2.6.35.4/arch/blackfin/mm/maccess.c
711 --- linux-2.6.35.4/arch/blackfin/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
712 +++ linux-2.6.35.4/arch/blackfin/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
713 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
714 return bfin_mem_access_type(addr, size);
717 -long probe_kernel_read(void *dst, void *src, size_t size)
718 +long probe_kernel_read(void *dst, const void *src, size_t size)
720 unsigned long lsrc = (unsigned long)src;
722 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
726 -long probe_kernel_write(void *dst, void *src, size_t size)
727 +long probe_kernel_write(void *dst, const void *src, size_t size)
729 unsigned long ldst = (unsigned long)dst;
731 diff -urNp linux-2.6.35.4/arch/frv/include/asm/kmap_types.h linux-2.6.35.4/arch/frv/include/asm/kmap_types.h
732 --- linux-2.6.35.4/arch/frv/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
733 +++ linux-2.6.35.4/arch/frv/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
734 @@ -23,6 +23,7 @@ enum km_type {
742 diff -urNp linux-2.6.35.4/arch/frv/mm/elf-fdpic.c linux-2.6.35.4/arch/frv/mm/elf-fdpic.c
743 --- linux-2.6.35.4/arch/frv/mm/elf-fdpic.c 2010-08-26 19:47:12.000000000 -0400
744 +++ linux-2.6.35.4/arch/frv/mm/elf-fdpic.c 2010-09-17 20:12:09.000000000 -0400
745 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
747 addr = PAGE_ALIGN(addr);
748 vma = find_vma(current->mm, addr);
749 - if (TASK_SIZE - len >= addr &&
750 - (!vma || addr + len <= vma->vm_start))
751 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
755 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
756 for (; vma; vma = vma->vm_next) {
759 - if (addr + len <= vma->vm_start)
760 + if (check_heap_stack_gap(vma, addr, len))
764 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
765 for (; vma; vma = vma->vm_next) {
768 - if (addr + len <= vma->vm_start)
769 + if (check_heap_stack_gap(vma, addr, len))
773 diff -urNp linux-2.6.35.4/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.35.4/arch/ia64/hp/common/hwsw_iommu.c
774 --- linux-2.6.35.4/arch/ia64/hp/common/hwsw_iommu.c 2010-08-26 19:47:12.000000000 -0400
775 +++ linux-2.6.35.4/arch/ia64/hp/common/hwsw_iommu.c 2010-09-17 20:12:09.000000000 -0400
777 #include <linux/swiotlb.h>
778 #include <asm/machvec.h>
780 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
781 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
783 /* swiotlb declarations & definitions: */
784 extern int swiotlb_late_init_with_default_size (size_t size);
785 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
786 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
789 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
790 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
792 if (use_swiotlb(dev))
793 return &swiotlb_dma_ops;
794 diff -urNp linux-2.6.35.4/arch/ia64/hp/common/sba_iommu.c linux-2.6.35.4/arch/ia64/hp/common/sba_iommu.c
795 --- linux-2.6.35.4/arch/ia64/hp/common/sba_iommu.c 2010-08-26 19:47:12.000000000 -0400
796 +++ linux-2.6.35.4/arch/ia64/hp/common/sba_iommu.c 2010-09-17 20:12:09.000000000 -0400
797 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
801 -extern struct dma_map_ops swiotlb_dma_ops;
802 +extern const struct dma_map_ops swiotlb_dma_ops;
806 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
808 __setup("sbapagesize=",sba_page_override);
810 -struct dma_map_ops sba_dma_ops = {
811 +const struct dma_map_ops sba_dma_ops = {
812 .alloc_coherent = sba_alloc_coherent,
813 .free_coherent = sba_free_coherent,
814 .map_page = sba_map_page,
815 diff -urNp linux-2.6.35.4/arch/ia64/include/asm/dma-mapping.h linux-2.6.35.4/arch/ia64/include/asm/dma-mapping.h
816 --- linux-2.6.35.4/arch/ia64/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
817 +++ linux-2.6.35.4/arch/ia64/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
820 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
822 -extern struct dma_map_ops *dma_ops;
823 +extern const struct dma_map_ops *dma_ops;
824 extern struct ia64_machine_vector ia64_mv;
825 extern void set_iommu_machvec(void);
827 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
828 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
829 dma_addr_t *daddr, gfp_t gfp)
831 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
832 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
835 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
836 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
837 static inline void dma_free_coherent(struct device *dev, size_t size,
838 void *caddr, dma_addr_t daddr)
840 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
841 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
842 debug_dma_free_coherent(dev, size, caddr, daddr);
843 ops->free_coherent(dev, size, caddr, daddr);
845 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
847 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
849 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
850 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
851 return ops->mapping_error(dev, daddr);
854 static inline int dma_supported(struct device *dev, u64 mask)
856 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
857 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
858 return ops->dma_supported(dev, mask);
861 diff -urNp linux-2.6.35.4/arch/ia64/include/asm/elf.h linux-2.6.35.4/arch/ia64/include/asm/elf.h
862 --- linux-2.6.35.4/arch/ia64/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
863 +++ linux-2.6.35.4/arch/ia64/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
866 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
868 +#ifdef CONFIG_PAX_ASLR
869 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
871 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
872 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
875 #define PT_IA_64_UNWIND 0x70000001
877 /* IA-64 relocations: */
878 diff -urNp linux-2.6.35.4/arch/ia64/include/asm/machvec.h linux-2.6.35.4/arch/ia64/include/asm/machvec.h
879 --- linux-2.6.35.4/arch/ia64/include/asm/machvec.h 2010-08-26 19:47:12.000000000 -0400
880 +++ linux-2.6.35.4/arch/ia64/include/asm/machvec.h 2010-09-17 20:12:09.000000000 -0400
881 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
882 /* DMA-mapping interface: */
883 typedef void ia64_mv_dma_init (void);
884 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
885 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
886 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
889 * WARNING: The legacy I/O space is _architected_. Platforms are
890 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
891 # endif /* CONFIG_IA64_GENERIC */
893 extern void swiotlb_dma_init(void);
894 -extern struct dma_map_ops *dma_get_ops(struct device *);
895 +extern const struct dma_map_ops *dma_get_ops(struct device *);
898 * Define default versions so we can extend machvec for new platforms without having
899 diff -urNp linux-2.6.35.4/arch/ia64/include/asm/pgtable.h linux-2.6.35.4/arch/ia64/include/asm/pgtable.h
900 --- linux-2.6.35.4/arch/ia64/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
901 +++ linux-2.6.35.4/arch/ia64/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
903 * David Mosberger-Tang <davidm@hpl.hp.com>
907 +#include <linux/const.h>
908 #include <asm/mman.h>
909 #include <asm/page.h>
910 #include <asm/processor.h>
912 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
913 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
914 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
916 +#ifdef CONFIG_PAX_PAGEEXEC
917 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
918 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
919 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
921 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
922 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
923 +# define PAGE_COPY_NOEXEC PAGE_COPY
926 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
927 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
928 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
929 diff -urNp linux-2.6.35.4/arch/ia64/include/asm/uaccess.h linux-2.6.35.4/arch/ia64/include/asm/uaccess.h
930 --- linux-2.6.35.4/arch/ia64/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
931 +++ linux-2.6.35.4/arch/ia64/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
932 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
933 const void *__cu_from = (from); \
934 long __cu_len = (n); \
936 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
937 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
938 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
941 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
942 long __cu_len = (n); \
944 __chk_user_ptr(__cu_from); \
945 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
946 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
947 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
950 diff -urNp linux-2.6.35.4/arch/ia64/kernel/dma-mapping.c linux-2.6.35.4/arch/ia64/kernel/dma-mapping.c
951 --- linux-2.6.35.4/arch/ia64/kernel/dma-mapping.c 2010-08-26 19:47:12.000000000 -0400
952 +++ linux-2.6.35.4/arch/ia64/kernel/dma-mapping.c 2010-09-17 20:12:09.000000000 -0400
954 /* Set this to 1 if there is a HW IOMMU in the system */
955 int iommu_detected __read_mostly;
957 -struct dma_map_ops *dma_ops;
958 +const struct dma_map_ops *dma_ops;
959 EXPORT_SYMBOL(dma_ops);
961 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
962 @@ -16,7 +16,7 @@ static int __init dma_init(void)
964 fs_initcall(dma_init);
966 -struct dma_map_ops *dma_get_ops(struct device *dev)
967 +const struct dma_map_ops *dma_get_ops(struct device *dev)
971 diff -urNp linux-2.6.35.4/arch/ia64/kernel/module.c linux-2.6.35.4/arch/ia64/kernel/module.c
972 --- linux-2.6.35.4/arch/ia64/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
973 +++ linux-2.6.35.4/arch/ia64/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
974 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
976 module_free (struct module *mod, void *module_region)
978 - if (mod && mod->arch.init_unw_table &&
979 - module_region == mod->module_init) {
980 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
981 unw_remove_unwind_table(mod->arch.init_unw_table);
982 mod->arch.init_unw_table = NULL;
984 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
988 +in_init_rx (const struct module *mod, uint64_t addr)
990 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
994 +in_init_rw (const struct module *mod, uint64_t addr)
996 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1000 in_init (const struct module *mod, uint64_t addr)
1002 - return addr - (uint64_t) mod->module_init < mod->init_size;
1003 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1007 +in_core_rx (const struct module *mod, uint64_t addr)
1009 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1013 +in_core_rw (const struct module *mod, uint64_t addr)
1015 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1019 in_core (const struct module *mod, uint64_t addr)
1021 - return addr - (uint64_t) mod->module_core < mod->core_size;
1022 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1026 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1030 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1031 + if (in_init_rx(mod, val))
1032 + val -= (uint64_t) mod->module_init_rx;
1033 + else if (in_init_rw(mod, val))
1034 + val -= (uint64_t) mod->module_init_rw;
1035 + else if (in_core_rx(mod, val))
1036 + val -= (uint64_t) mod->module_core_rx;
1037 + else if (in_core_rw(mod, val))
1038 + val -= (uint64_t) mod->module_core_rw;
1042 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1043 * addresses have been selected...
1046 - if (mod->core_size > MAX_LTOFF)
1047 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1049 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1050 * at the end of the module.
1052 - gp = mod->core_size - MAX_LTOFF / 2;
1053 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1055 - gp = mod->core_size / 2;
1056 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1057 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1058 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1060 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1062 diff -urNp linux-2.6.35.4/arch/ia64/kernel/pci-dma.c linux-2.6.35.4/arch/ia64/kernel/pci-dma.c
1063 --- linux-2.6.35.4/arch/ia64/kernel/pci-dma.c 2010-08-26 19:47:12.000000000 -0400
1064 +++ linux-2.6.35.4/arch/ia64/kernel/pci-dma.c 2010-09-17 20:12:09.000000000 -0400
1065 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1066 .dma_mask = &fallback_dev.coherent_dma_mask,
1069 -extern struct dma_map_ops intel_dma_ops;
1070 +extern const struct dma_map_ops intel_dma_ops;
1072 static int __init pci_iommu_init(void)
1074 diff -urNp linux-2.6.35.4/arch/ia64/kernel/pci-swiotlb.c linux-2.6.35.4/arch/ia64/kernel/pci-swiotlb.c
1075 --- linux-2.6.35.4/arch/ia64/kernel/pci-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
1076 +++ linux-2.6.35.4/arch/ia64/kernel/pci-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
1077 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1078 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1081 -struct dma_map_ops swiotlb_dma_ops = {
1082 +const struct dma_map_ops swiotlb_dma_ops = {
1083 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1084 .free_coherent = swiotlb_free_coherent,
1085 .map_page = swiotlb_map_page,
1086 diff -urNp linux-2.6.35.4/arch/ia64/kernel/sys_ia64.c linux-2.6.35.4/arch/ia64/kernel/sys_ia64.c
1087 --- linux-2.6.35.4/arch/ia64/kernel/sys_ia64.c 2010-08-26 19:47:12.000000000 -0400
1088 +++ linux-2.6.35.4/arch/ia64/kernel/sys_ia64.c 2010-09-17 20:12:09.000000000 -0400
1089 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1090 if (REGION_NUMBER(addr) == RGN_HPAGE)
1094 +#ifdef CONFIG_PAX_RANDMMAP
1095 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1096 + addr = mm->free_area_cache;
1101 addr = mm->free_area_cache;
1103 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1104 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1105 /* At this point: (!vma || addr < vma->vm_end). */
1106 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1107 - if (start_addr != TASK_UNMAPPED_BASE) {
1108 + if (start_addr != mm->mmap_base) {
1109 /* Start a new search --- just in case we missed some holes. */
1110 - addr = TASK_UNMAPPED_BASE;
1111 + addr = mm->mmap_base;
1116 - if (!vma || addr + len <= vma->vm_start) {
1117 + if (check_heap_stack_gap(vma, addr, len)) {
1118 /* Remember the address where we stopped this search: */
1119 mm->free_area_cache = addr + len;
1121 diff -urNp linux-2.6.35.4/arch/ia64/kernel/vmlinux.lds.S linux-2.6.35.4/arch/ia64/kernel/vmlinux.lds.S
1122 --- linux-2.6.35.4/arch/ia64/kernel/vmlinux.lds.S 2010-08-26 19:47:12.000000000 -0400
1123 +++ linux-2.6.35.4/arch/ia64/kernel/vmlinux.lds.S 2010-09-17 20:12:09.000000000 -0400
1124 @@ -196,7 +196,7 @@ SECTIONS
1126 . = ALIGN(PERCPU_PAGE_SIZE);
1127 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1128 - __phys_per_cpu_start = __per_cpu_load;
1129 + __phys_per_cpu_start = per_cpu_load;
1130 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1131 * into percpu page size
1133 diff -urNp linux-2.6.35.4/arch/ia64/mm/fault.c linux-2.6.35.4/arch/ia64/mm/fault.c
1134 --- linux-2.6.35.4/arch/ia64/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1135 +++ linux-2.6.35.4/arch/ia64/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1136 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1137 return pte_present(pte);
1140 +#ifdef CONFIG_PAX_PAGEEXEC
1141 +void pax_report_insns(void *pc, void *sp)
1145 + printk(KERN_ERR "PAX: bytes at PC: ");
1146 + for (i = 0; i < 8; i++) {
1148 + if (get_user(c, (unsigned int *)pc+i))
1149 + printk(KERN_CONT "???????? ");
1151 + printk(KERN_CONT "%08x ", c);
1158 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1160 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1161 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1162 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1164 - if ((vma->vm_flags & mask) != mask)
1165 + if ((vma->vm_flags & mask) != mask) {
1167 +#ifdef CONFIG_PAX_PAGEEXEC
1168 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1169 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1172 + up_read(&mm->mmap_sem);
1173 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1174 + do_group_exit(SIGKILL);
1183 * If for any reason at all we couldn't handle the fault, make
1184 * sure we exit gracefully rather than endlessly redo the
1185 diff -urNp linux-2.6.35.4/arch/ia64/mm/hugetlbpage.c linux-2.6.35.4/arch/ia64/mm/hugetlbpage.c
1186 --- linux-2.6.35.4/arch/ia64/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
1187 +++ linux-2.6.35.4/arch/ia64/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
1188 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1189 /* At this point: (!vmm || addr < vmm->vm_end). */
1190 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1192 - if (!vmm || (addr + len) <= vmm->vm_start)
1193 + if (check_heap_stack_gap(vmm, addr, len))
1195 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1197 diff -urNp linux-2.6.35.4/arch/ia64/mm/init.c linux-2.6.35.4/arch/ia64/mm/init.c
1198 --- linux-2.6.35.4/arch/ia64/mm/init.c 2010-08-26 19:47:12.000000000 -0400
1199 +++ linux-2.6.35.4/arch/ia64/mm/init.c 2010-09-17 20:12:09.000000000 -0400
1200 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1201 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1202 vma->vm_end = vma->vm_start + PAGE_SIZE;
1203 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1205 +#ifdef CONFIG_PAX_PAGEEXEC
1206 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1207 + vma->vm_flags &= ~VM_EXEC;
1209 +#ifdef CONFIG_PAX_MPROTECT
1210 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1211 + vma->vm_flags &= ~VM_MAYEXEC;
1217 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1218 down_write(¤t->mm->mmap_sem);
1219 if (insert_vm_struct(current->mm, vma)) {
1220 diff -urNp linux-2.6.35.4/arch/ia64/sn/pci/pci_dma.c linux-2.6.35.4/arch/ia64/sn/pci/pci_dma.c
1221 --- linux-2.6.35.4/arch/ia64/sn/pci/pci_dma.c 2010-08-26 19:47:12.000000000 -0400
1222 +++ linux-2.6.35.4/arch/ia64/sn/pci/pci_dma.c 2010-09-17 20:12:09.000000000 -0400
1223 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1227 -static struct dma_map_ops sn_dma_ops = {
1228 +static const struct dma_map_ops sn_dma_ops = {
1229 .alloc_coherent = sn_dma_alloc_coherent,
1230 .free_coherent = sn_dma_free_coherent,
1231 .map_page = sn_dma_map_page,
1232 diff -urNp linux-2.6.35.4/arch/m32r/lib/usercopy.c linux-2.6.35.4/arch/m32r/lib/usercopy.c
1233 --- linux-2.6.35.4/arch/m32r/lib/usercopy.c 2010-08-26 19:47:12.000000000 -0400
1234 +++ linux-2.6.35.4/arch/m32r/lib/usercopy.c 2010-09-17 20:12:09.000000000 -0400
1237 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1243 if (access_ok(VERIFY_WRITE, to, n))
1244 __copy_user(to,from,n);
1245 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1247 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1253 if (access_ok(VERIFY_READ, from, n))
1254 __copy_user_zeroing(to,from,n);
1255 diff -urNp linux-2.6.35.4/arch/microblaze/include/asm/device.h linux-2.6.35.4/arch/microblaze/include/asm/device.h
1256 --- linux-2.6.35.4/arch/microblaze/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
1257 +++ linux-2.6.35.4/arch/microblaze/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
1258 @@ -13,7 +13,7 @@ struct device_node;
1260 struct dev_archdata {
1261 /* DMA operations on that device */
1262 - struct dma_map_ops *dma_ops;
1263 + const struct dma_map_ops *dma_ops;
1267 diff -urNp linux-2.6.35.4/arch/microblaze/include/asm/dma-mapping.h linux-2.6.35.4/arch/microblaze/include/asm/dma-mapping.h
1268 --- linux-2.6.35.4/arch/microblaze/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
1269 +++ linux-2.6.35.4/arch/microblaze/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
1270 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1271 return 0xfffffffful;
1274 -extern struct dma_map_ops *dma_ops;
1275 +extern const struct dma_map_ops *dma_ops;
1278 * Available generic sets of operations
1280 -extern struct dma_map_ops dma_direct_ops;
1281 +extern const struct dma_map_ops dma_direct_ops;
1283 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1284 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1286 /* We don't handle the NULL dev case for ISA for now. We could
1287 * do it via an out of line call but it is not needed for now. The
1288 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1289 return dev->archdata.dma_ops;
1292 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1293 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1295 dev->archdata.dma_ops = ops;
1298 static inline int dma_supported(struct device *dev, u64 mask)
1300 - struct dma_map_ops *ops = get_dma_ops(dev);
1301 + const struct dma_map_ops *ops = get_dma_ops(dev);
1305 @@ -87,7 +87,7 @@ static inline int dma_supported(struct d
1307 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1309 - struct dma_map_ops *ops = get_dma_ops(dev);
1310 + const struct dma_map_ops *ops = get_dma_ops(dev);
1312 if (unlikely(ops == NULL))
1314 @@ -103,7 +103,7 @@ static inline int dma_set_mask(struct de
1316 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1318 - struct dma_map_ops *ops = get_dma_ops(dev);
1319 + const struct dma_map_ops *ops = get_dma_ops(dev);
1320 if (ops->mapping_error)
1321 return ops->mapping_error(dev, dma_addr);
1323 @@ -117,7 +117,7 @@ static inline int dma_mapping_error(stru
1324 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1325 dma_addr_t *dma_handle, gfp_t flag)
1327 - struct dma_map_ops *ops = get_dma_ops(dev);
1328 + const struct dma_map_ops *ops = get_dma_ops(dev);
1332 @@ -131,7 +131,7 @@ static inline void *dma_alloc_coherent(s
1333 static inline void dma_free_coherent(struct device *dev, size_t size,
1334 void *cpu_addr, dma_addr_t dma_handle)
1336 - struct dma_map_ops *ops = get_dma_ops(dev);
1337 + const struct dma_map_ops *ops = get_dma_ops(dev);
1340 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1341 diff -urNp linux-2.6.35.4/arch/microblaze/include/asm/pci.h linux-2.6.35.4/arch/microblaze/include/asm/pci.h
1342 --- linux-2.6.35.4/arch/microblaze/include/asm/pci.h 2010-08-26 19:47:12.000000000 -0400
1343 +++ linux-2.6.35.4/arch/microblaze/include/asm/pci.h 2010-09-17 20:12:09.000000000 -0400
1344 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1348 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1349 -extern struct dma_map_ops *get_pci_dma_ops(void);
1350 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1351 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1352 #else /* CONFIG_PCI */
1353 #define set_pci_dma_ops(d)
1354 #define get_pci_dma_ops() NULL
1355 diff -urNp linux-2.6.35.4/arch/microblaze/kernel/dma.c linux-2.6.35.4/arch/microblaze/kernel/dma.c
1356 --- linux-2.6.35.4/arch/microblaze/kernel/dma.c 2010-08-26 19:47:12.000000000 -0400
1357 +++ linux-2.6.35.4/arch/microblaze/kernel/dma.c 2010-09-17 20:12:09.000000000 -0400
1358 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1359 __dma_sync_page(dma_address, 0 , size, direction);
1362 -struct dma_map_ops dma_direct_ops = {
1363 +const struct dma_map_ops dma_direct_ops = {
1364 .alloc_coherent = dma_direct_alloc_coherent,
1365 .free_coherent = dma_direct_free_coherent,
1366 .map_sg = dma_direct_map_sg,
1367 diff -urNp linux-2.6.35.4/arch/microblaze/pci/pci-common.c linux-2.6.35.4/arch/microblaze/pci/pci-common.c
1368 --- linux-2.6.35.4/arch/microblaze/pci/pci-common.c 2010-08-26 19:47:12.000000000 -0400
1369 +++ linux-2.6.35.4/arch/microblaze/pci/pci-common.c 2010-09-17 20:12:09.000000000 -0400
1370 @@ -46,14 +46,14 @@ resource_size_t isa_mem_base;
1371 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1372 unsigned int pci_flags;
1374 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1375 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1377 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1378 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1380 pci_dma_ops = dma_ops;
1383 -struct dma_map_ops *get_pci_dma_ops(void)
1384 +const struct dma_map_ops *get_pci_dma_ops(void)
1388 diff -urNp linux-2.6.35.4/arch/mips/alchemy/devboards/pm.c linux-2.6.35.4/arch/mips/alchemy/devboards/pm.c
1389 --- linux-2.6.35.4/arch/mips/alchemy/devboards/pm.c 2010-08-26 19:47:12.000000000 -0400
1390 +++ linux-2.6.35.4/arch/mips/alchemy/devboards/pm.c 2010-09-17 20:12:09.000000000 -0400
1391 @@ -110,7 +110,7 @@ static void db1x_pm_end(void)
1395 -static struct platform_suspend_ops db1x_pm_ops = {
1396 +static const struct platform_suspend_ops db1x_pm_ops = {
1397 .valid = suspend_valid_only_mem,
1398 .begin = db1x_pm_begin,
1399 .enter = db1x_pm_enter,
1400 diff -urNp linux-2.6.35.4/arch/mips/include/asm/elf.h linux-2.6.35.4/arch/mips/include/asm/elf.h
1401 --- linux-2.6.35.4/arch/mips/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
1402 +++ linux-2.6.35.4/arch/mips/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
1403 @@ -368,6 +368,13 @@ extern const char *__elf_platform;
1404 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1407 +#ifdef CONFIG_PAX_ASLR
1408 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1410 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1411 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1414 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1415 struct linux_binprm;
1416 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1417 diff -urNp linux-2.6.35.4/arch/mips/include/asm/page.h linux-2.6.35.4/arch/mips/include/asm/page.h
1418 --- linux-2.6.35.4/arch/mips/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
1419 +++ linux-2.6.35.4/arch/mips/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
1420 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1421 #ifdef CONFIG_CPU_MIPS32
1422 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1423 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1424 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1425 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1427 typedef struct { unsigned long long pte; } pte_t;
1428 #define pte_val(x) ((x).pte)
1429 diff -urNp linux-2.6.35.4/arch/mips/include/asm/system.h linux-2.6.35.4/arch/mips/include/asm/system.h
1430 --- linux-2.6.35.4/arch/mips/include/asm/system.h 2010-08-26 19:47:12.000000000 -0400
1431 +++ linux-2.6.35.4/arch/mips/include/asm/system.h 2010-09-17 20:12:09.000000000 -0400
1432 @@ -234,6 +234,6 @@ extern void per_cpu_trap_init(void);
1434 #define __ARCH_WANT_UNLOCKED_CTXSW
1436 -extern unsigned long arch_align_stack(unsigned long sp);
1437 +#define arch_align_stack(x) ((x) & ALMASK)
1439 #endif /* _ASM_SYSTEM_H */
1440 diff -urNp linux-2.6.35.4/arch/mips/kernel/binfmt_elfn32.c linux-2.6.35.4/arch/mips/kernel/binfmt_elfn32.c
1441 --- linux-2.6.35.4/arch/mips/kernel/binfmt_elfn32.c 2010-08-26 19:47:12.000000000 -0400
1442 +++ linux-2.6.35.4/arch/mips/kernel/binfmt_elfn32.c 2010-09-17 20:12:09.000000000 -0400
1443 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1444 #undef ELF_ET_DYN_BASE
1445 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1447 +#ifdef CONFIG_PAX_ASLR
1448 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1450 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1451 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1454 #include <asm/processor.h>
1455 #include <linux/module.h>
1456 #include <linux/elfcore.h>
1457 diff -urNp linux-2.6.35.4/arch/mips/kernel/binfmt_elfo32.c linux-2.6.35.4/arch/mips/kernel/binfmt_elfo32.c
1458 --- linux-2.6.35.4/arch/mips/kernel/binfmt_elfo32.c 2010-08-26 19:47:12.000000000 -0400
1459 +++ linux-2.6.35.4/arch/mips/kernel/binfmt_elfo32.c 2010-09-17 20:12:09.000000000 -0400
1460 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1461 #undef ELF_ET_DYN_BASE
1462 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1464 +#ifdef CONFIG_PAX_ASLR
1465 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1467 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1468 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1471 #include <asm/processor.h>
1474 diff -urNp linux-2.6.35.4/arch/mips/kernel/kgdb.c linux-2.6.35.4/arch/mips/kernel/kgdb.c
1475 --- linux-2.6.35.4/arch/mips/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
1476 +++ linux-2.6.35.4/arch/mips/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
1477 @@ -270,6 +270,7 @@ int kgdb_arch_handle_exception(int vecto
1481 +/* cannot be const, see kgdb_arch_init */
1482 struct kgdb_arch arch_kgdb_ops;
1485 diff -urNp linux-2.6.35.4/arch/mips/kernel/process.c linux-2.6.35.4/arch/mips/kernel/process.c
1486 --- linux-2.6.35.4/arch/mips/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
1487 +++ linux-2.6.35.4/arch/mips/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
1488 @@ -474,15 +474,3 @@ unsigned long get_wchan(struct task_stru
1494 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1495 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1497 -unsigned long arch_align_stack(unsigned long sp)
1499 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1500 - sp -= get_random_int() & ~PAGE_MASK;
1502 - return sp & ALMASK;
1504 diff -urNp linux-2.6.35.4/arch/mips/kernel/syscall.c linux-2.6.35.4/arch/mips/kernel/syscall.c
1505 --- linux-2.6.35.4/arch/mips/kernel/syscall.c 2010-08-26 19:47:12.000000000 -0400
1506 +++ linux-2.6.35.4/arch/mips/kernel/syscall.c 2010-09-17 20:12:09.000000000 -0400
1507 @@ -106,17 +106,21 @@ unsigned long arch_get_unmapped_area(str
1509 if (filp || (flags & MAP_SHARED))
1512 +#ifdef CONFIG_PAX_RANDMMAP
1513 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1518 addr = COLOUR_ALIGN(addr, pgoff);
1520 addr = PAGE_ALIGN(addr);
1521 vmm = find_vma(current->mm, addr);
1522 - if (task_size - len >= addr &&
1523 - (!vmm || addr + len <= vmm->vm_start))
1524 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1527 - addr = TASK_UNMAPPED_BASE;
1528 + addr = current->mm->mmap_base;
1530 addr = COLOUR_ALIGN(addr, pgoff);
1532 @@ -126,7 +130,7 @@ unsigned long arch_get_unmapped_area(str
1533 /* At this point: (!vmm || addr < vmm->vm_end). */
1534 if (task_size - len < addr)
1536 - if (!vmm || addr + len <= vmm->vm_start)
1537 + if (check_heap_stack_gap(vmm, addr, len))
1541 diff -urNp linux-2.6.35.4/arch/mips/loongson/common/pm.c linux-2.6.35.4/arch/mips/loongson/common/pm.c
1542 --- linux-2.6.35.4/arch/mips/loongson/common/pm.c 2010-08-26 19:47:12.000000000 -0400
1543 +++ linux-2.6.35.4/arch/mips/loongson/common/pm.c 2010-09-17 20:12:09.000000000 -0400
1544 @@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1548 -static struct platform_suspend_ops loongson_pm_ops = {
1549 +static const struct platform_suspend_ops loongson_pm_ops = {
1550 .valid = loongson_pm_valid_state,
1551 .enter = loongson_pm_enter,
1553 diff -urNp linux-2.6.35.4/arch/mips/mm/fault.c linux-2.6.35.4/arch/mips/mm/fault.c
1554 --- linux-2.6.35.4/arch/mips/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1555 +++ linux-2.6.35.4/arch/mips/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1557 #include <asm/ptrace.h>
1558 #include <asm/highmem.h> /* For VMALLOC_END */
1560 +#ifdef CONFIG_PAX_PAGEEXEC
1561 +void pax_report_insns(void *pc)
1565 + printk(KERN_ERR "PAX: bytes at PC: ");
1566 + for (i = 0; i < 5; i++) {
1568 + if (get_user(c, (unsigned int *)pc+i))
1569 + printk(KERN_CONT "???????? ");
1571 + printk(KERN_CONT "%08x ", c);
1578 * This routine handles page faults. It determines the address,
1579 * and the problem, and then passes it off to one of the appropriate
1580 diff -urNp linux-2.6.35.4/arch/parisc/include/asm/elf.h linux-2.6.35.4/arch/parisc/include/asm/elf.h
1581 --- linux-2.6.35.4/arch/parisc/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
1582 +++ linux-2.6.35.4/arch/parisc/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
1583 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1585 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1587 +#ifdef CONFIG_PAX_ASLR
1588 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1590 +#define PAX_DELTA_MMAP_LEN 16
1591 +#define PAX_DELTA_STACK_LEN 16
1594 /* This yields a mask that user programs can use to figure out what
1595 instruction set this CPU supports. This could be done in user space,
1596 but it's not easy, and we've already done it here. */
1597 diff -urNp linux-2.6.35.4/arch/parisc/include/asm/pgtable.h linux-2.6.35.4/arch/parisc/include/asm/pgtable.h
1598 --- linux-2.6.35.4/arch/parisc/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
1599 +++ linux-2.6.35.4/arch/parisc/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
1600 @@ -207,6 +207,17 @@
1601 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1602 #define PAGE_COPY PAGE_EXECREAD
1603 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1605 +#ifdef CONFIG_PAX_PAGEEXEC
1606 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1607 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1608 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1610 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1611 +# define PAGE_COPY_NOEXEC PAGE_COPY
1612 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1615 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1616 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1617 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1618 diff -urNp linux-2.6.35.4/arch/parisc/kernel/module.c linux-2.6.35.4/arch/parisc/kernel/module.c
1619 --- linux-2.6.35.4/arch/parisc/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
1620 +++ linux-2.6.35.4/arch/parisc/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
1623 /* three functions to determine where in the module core
1624 * or init pieces the location is */
1625 +static inline int in_init_rx(struct module *me, void *loc)
1627 + return (loc >= me->module_init_rx &&
1628 + loc < (me->module_init_rx + me->init_size_rx));
1631 +static inline int in_init_rw(struct module *me, void *loc)
1633 + return (loc >= me->module_init_rw &&
1634 + loc < (me->module_init_rw + me->init_size_rw));
1637 static inline int in_init(struct module *me, void *loc)
1639 - return (loc >= me->module_init &&
1640 - loc <= (me->module_init + me->init_size));
1641 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1644 +static inline int in_core_rx(struct module *me, void *loc)
1646 + return (loc >= me->module_core_rx &&
1647 + loc < (me->module_core_rx + me->core_size_rx));
1650 +static inline int in_core_rw(struct module *me, void *loc)
1652 + return (loc >= me->module_core_rw &&
1653 + loc < (me->module_core_rw + me->core_size_rw));
1656 static inline int in_core(struct module *me, void *loc)
1658 - return (loc >= me->module_core &&
1659 - loc <= (me->module_core + me->core_size));
1660 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1663 static inline int in_local(struct module *me, void *loc)
1664 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1667 /* align things a bit */
1668 - me->core_size = ALIGN(me->core_size, 16);
1669 - me->arch.got_offset = me->core_size;
1670 - me->core_size += gots * sizeof(struct got_entry);
1672 - me->core_size = ALIGN(me->core_size, 16);
1673 - me->arch.fdesc_offset = me->core_size;
1674 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1675 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1676 + me->arch.got_offset = me->core_size_rw;
1677 + me->core_size_rw += gots * sizeof(struct got_entry);
1679 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1680 + me->arch.fdesc_offset = me->core_size_rw;
1681 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1683 me->arch.got_max = gots;
1684 me->arch.fdesc_max = fdescs;
1685 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1689 - got = me->module_core + me->arch.got_offset;
1690 + got = me->module_core_rw + me->arch.got_offset;
1691 for (i = 0; got[i].addr; i++)
1692 if (got[i].addr == value)
1694 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1696 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1698 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1699 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1702 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1703 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1705 /* Create new one */
1706 fdesc->addr = value;
1707 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1708 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1709 return (Elf_Addr)fdesc;
1711 #endif /* CONFIG_64BIT */
1712 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1714 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1715 end = table + sechdrs[me->arch.unwind_section].sh_size;
1716 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1717 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1719 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1720 me->arch.unwind_section, table, end, gp);
1721 diff -urNp linux-2.6.35.4/arch/parisc/kernel/sys_parisc.c linux-2.6.35.4/arch/parisc/kernel/sys_parisc.c
1722 --- linux-2.6.35.4/arch/parisc/kernel/sys_parisc.c 2010-08-26 19:47:12.000000000 -0400
1723 +++ linux-2.6.35.4/arch/parisc/kernel/sys_parisc.c 2010-09-17 20:12:09.000000000 -0400
1724 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1725 /* At this point: (!vma || addr < vma->vm_end). */
1726 if (TASK_SIZE - len < addr)
1728 - if (!vma || addr + len <= vma->vm_start)
1729 + if (check_heap_stack_gap(vma, addr, len))
1733 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1734 /* At this point: (!vma || addr < vma->vm_end). */
1735 if (TASK_SIZE - len < addr)
1737 - if (!vma || addr + len <= vma->vm_start)
1738 + if (check_heap_stack_gap(vma, addr, len))
1740 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1741 if (addr < vma->vm_end) /* handle wraparound */
1742 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1743 if (flags & MAP_FIXED)
1746 - addr = TASK_UNMAPPED_BASE;
1747 + addr = current->mm->mmap_base;
1750 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1751 diff -urNp linux-2.6.35.4/arch/parisc/kernel/traps.c linux-2.6.35.4/arch/parisc/kernel/traps.c
1752 --- linux-2.6.35.4/arch/parisc/kernel/traps.c 2010-08-26 19:47:12.000000000 -0400
1753 +++ linux-2.6.35.4/arch/parisc/kernel/traps.c 2010-09-17 20:12:09.000000000 -0400
1754 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1756 down_read(¤t->mm->mmap_sem);
1757 vma = find_vma(current->mm,regs->iaoq[0]);
1758 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1759 - && (vma->vm_flags & VM_EXEC)) {
1761 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1762 fault_address = regs->iaoq[0];
1763 fault_space = regs->iasq[0];
1765 diff -urNp linux-2.6.35.4/arch/parisc/mm/fault.c linux-2.6.35.4/arch/parisc/mm/fault.c
1766 --- linux-2.6.35.4/arch/parisc/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1767 +++ linux-2.6.35.4/arch/parisc/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1769 #include <linux/sched.h>
1770 #include <linux/interrupt.h>
1771 #include <linux/module.h>
1772 +#include <linux/unistd.h>
1774 #include <asm/uaccess.h>
1775 #include <asm/traps.h>
1776 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1777 static unsigned long
1778 parisc_acctyp(unsigned long code, unsigned int inst)
1780 - if (code == 6 || code == 16)
1781 + if (code == 6 || code == 7 || code == 16)
1784 switch (inst & 0xf0000000) {
1785 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1789 +#ifdef CONFIG_PAX_PAGEEXEC
1791 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1793 + * returns 1 when task should be killed
1794 + * 2 when rt_sigreturn trampoline was detected
1795 + * 3 when unpatched PLT trampoline was detected
1797 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1800 +#ifdef CONFIG_PAX_EMUPLT
1803 + do { /* PaX: unpatched PLT emulation */
1804 + unsigned int bl, depwi;
1806 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1807 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1812 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1813 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1815 + err = get_user(ldw, (unsigned int *)addr);
1816 + err |= get_user(bv, (unsigned int *)(addr+4));
1817 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1822 + if (ldw == 0x0E801096U &&
1823 + bv == 0xEAC0C000U &&
1824 + ldw2 == 0x0E881095U)
1826 + unsigned int resolver, map;
1828 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1829 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1833 + regs->gr[20] = instruction_pointer(regs)+8;
1834 + regs->gr[21] = map;
1835 + regs->gr[22] = resolver;
1836 + regs->iaoq[0] = resolver | 3UL;
1837 + regs->iaoq[1] = regs->iaoq[0] + 4;
1844 +#ifdef CONFIG_PAX_EMUTRAMP
1846 +#ifndef CONFIG_PAX_EMUSIGRT
1847 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1851 + do { /* PaX: rt_sigreturn emulation */
1852 + unsigned int ldi1, ldi2, bel, nop;
1854 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1855 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1856 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1857 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1862 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1863 + ldi2 == 0x3414015AU &&
1864 + bel == 0xE4008200U &&
1865 + nop == 0x08000240U)
1867 + regs->gr[25] = (ldi1 & 2) >> 1;
1868 + regs->gr[20] = __NR_rt_sigreturn;
1869 + regs->gr[31] = regs->iaoq[1] + 16;
1870 + regs->sr[0] = regs->iasq[1];
1871 + regs->iaoq[0] = 0x100UL;
1872 + regs->iaoq[1] = regs->iaoq[0] + 4;
1873 + regs->iasq[0] = regs->sr[2];
1874 + regs->iasq[1] = regs->sr[2];
1883 +void pax_report_insns(void *pc, void *sp)
1887 + printk(KERN_ERR "PAX: bytes at PC: ");
1888 + for (i = 0; i < 5; i++) {
1890 + if (get_user(c, (unsigned int *)pc+i))
1891 + printk(KERN_CONT "???????? ");
1893 + printk(KERN_CONT "%08x ", c);
1899 int fixup_exception(struct pt_regs *regs)
1901 const struct exception_table_entry *fix;
1902 @@ -192,8 +303,33 @@ good_area:
1904 acc_type = parisc_acctyp(code,regs->iir);
1906 - if ((vma->vm_flags & acc_type) != acc_type)
1907 + if ((vma->vm_flags & acc_type) != acc_type) {
1909 +#ifdef CONFIG_PAX_PAGEEXEC
1910 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1911 + (address & ~3UL) == instruction_pointer(regs))
1913 + up_read(&mm->mmap_sem);
1914 + switch (pax_handle_fetch_fault(regs)) {
1916 +#ifdef CONFIG_PAX_EMUPLT
1921 +#ifdef CONFIG_PAX_EMUTRAMP
1927 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1928 + do_group_exit(SIGKILL);
1936 * If for any reason at all we couldn't handle the fault, make
1937 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/device.h linux-2.6.35.4/arch/powerpc/include/asm/device.h
1938 --- linux-2.6.35.4/arch/powerpc/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
1939 +++ linux-2.6.35.4/arch/powerpc/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
1940 @@ -11,7 +11,7 @@ struct device_node;
1942 struct dev_archdata {
1943 /* DMA operations on that device */
1944 - struct dma_map_ops *dma_ops;
1945 + const struct dma_map_ops *dma_ops;
1948 * When an iommu is in use, dma_data is used as a ptr to the base of the
1949 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/dma-mapping.h linux-2.6.35.4/arch/powerpc/include/asm/dma-mapping.h
1950 --- linux-2.6.35.4/arch/powerpc/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
1951 +++ linux-2.6.35.4/arch/powerpc/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
1952 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
1954 * Available generic sets of operations
1956 +/* cannot be const */
1958 extern struct dma_map_ops dma_iommu_ops;
1960 -extern struct dma_map_ops dma_direct_ops;
1961 +extern const struct dma_map_ops dma_direct_ops;
1963 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1964 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1966 /* We don't handle the NULL dev case for ISA for now. We could
1967 * do it via an out of line call but it is not needed for now. The
1968 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
1969 return dev->archdata.dma_ops;
1972 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1973 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1975 dev->archdata.dma_ops = ops;
1977 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
1979 static inline int dma_supported(struct device *dev, u64 mask)
1981 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1982 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1984 if (unlikely(dma_ops == NULL))
1986 @@ -129,7 +130,7 @@ static inline int dma_supported(struct d
1988 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1990 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1991 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1993 if (unlikely(dma_ops == NULL))
1995 @@ -144,7 +145,7 @@ static inline int dma_set_mask(struct de
1996 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1997 dma_addr_t *dma_handle, gfp_t flag)
1999 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2000 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2004 @@ -159,7 +160,7 @@ static inline void *dma_alloc_coherent(s
2005 static inline void dma_free_coherent(struct device *dev, size_t size,
2006 void *cpu_addr, dma_addr_t dma_handle)
2008 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2009 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2013 @@ -170,7 +171,7 @@ static inline void dma_free_coherent(str
2015 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2017 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2018 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2020 if (dma_ops->mapping_error)
2021 return dma_ops->mapping_error(dev, dma_addr);
2022 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/elf.h linux-2.6.35.4/arch/powerpc/include/asm/elf.h
2023 --- linux-2.6.35.4/arch/powerpc/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
2024 +++ linux-2.6.35.4/arch/powerpc/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
2025 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2026 the loader. We need to make sure that it is out of the way of the program
2027 that it will "exec", and that there is sufficient room for the brk. */
2029 -extern unsigned long randomize_et_dyn(unsigned long base);
2030 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2031 +#define ELF_ET_DYN_BASE (0x20000000)
2033 +#ifdef CONFIG_PAX_ASLR
2034 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2036 +#ifdef __powerpc64__
2037 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2038 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2040 +#define PAX_DELTA_MMAP_LEN 15
2041 +#define PAX_DELTA_STACK_LEN 15
2046 * Our registers are always unsigned longs, whether we're a 32 bit
2047 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2048 (0x7ff >> (PAGE_SHIFT - 12)) : \
2049 (0x3ffff >> (PAGE_SHIFT - 12)))
2051 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2052 -#define arch_randomize_brk arch_randomize_brk
2054 #endif /* __KERNEL__ */
2057 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/iommu.h linux-2.6.35.4/arch/powerpc/include/asm/iommu.h
2058 --- linux-2.6.35.4/arch/powerpc/include/asm/iommu.h 2010-08-26 19:47:12.000000000 -0400
2059 +++ linux-2.6.35.4/arch/powerpc/include/asm/iommu.h 2010-09-17 20:12:09.000000000 -0400
2060 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2061 extern void iommu_init_early_dart(void);
2062 extern void iommu_init_early_pasemi(void);
2065 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2068 extern void pci_iommu_init(void);
2069 extern void pci_direct_iommu_init(void);
2070 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/kmap_types.h linux-2.6.35.4/arch/powerpc/include/asm/kmap_types.h
2071 --- linux-2.6.35.4/arch/powerpc/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
2072 +++ linux-2.6.35.4/arch/powerpc/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
2073 @@ -27,6 +27,7 @@ enum km_type {
2081 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/page_64.h linux-2.6.35.4/arch/powerpc/include/asm/page_64.h
2082 --- linux-2.6.35.4/arch/powerpc/include/asm/page_64.h 2010-08-26 19:47:12.000000000 -0400
2083 +++ linux-2.6.35.4/arch/powerpc/include/asm/page_64.h 2010-09-17 20:12:09.000000000 -0400
2084 @@ -172,15 +172,18 @@ do { \
2085 * stack by default, so in the absense of a PT_GNU_STACK program header
2086 * we turn execute permission off.
2088 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2089 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2090 +#define VM_STACK_DEFAULT_FLAGS32 \
2091 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2092 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2094 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2095 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2097 +#ifndef CONFIG_PAX_PAGEEXEC
2098 #define VM_STACK_DEFAULT_FLAGS \
2099 (test_thread_flag(TIF_32BIT) ? \
2100 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2103 #include <asm-generic/getorder.h>
2105 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/page.h linux-2.6.35.4/arch/powerpc/include/asm/page.h
2106 --- linux-2.6.35.4/arch/powerpc/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
2107 +++ linux-2.6.35.4/arch/powerpc/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
2108 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2109 * and needs to be executable. This means the whole heap ends
2110 * up being executable.
2112 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2113 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2114 +#define VM_DATA_DEFAULT_FLAGS32 \
2115 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2116 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2118 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2119 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2120 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2121 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2124 +#define ktla_ktva(addr) (addr)
2125 +#define ktva_ktla(addr) (addr)
2127 #ifndef __ASSEMBLY__
2129 #undef STRICT_MM_TYPECHECKS
2130 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/pci.h linux-2.6.35.4/arch/powerpc/include/asm/pci.h
2131 --- linux-2.6.35.4/arch/powerpc/include/asm/pci.h 2010-08-26 19:47:12.000000000 -0400
2132 +++ linux-2.6.35.4/arch/powerpc/include/asm/pci.h 2010-09-17 20:12:09.000000000 -0400
2133 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2137 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2138 -extern struct dma_map_ops *get_pci_dma_ops(void);
2139 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2140 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2141 #else /* CONFIG_PCI */
2142 #define set_pci_dma_ops(d)
2143 #define get_pci_dma_ops() NULL
2144 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/pte-hash32.h linux-2.6.35.4/arch/powerpc/include/asm/pte-hash32.h
2145 --- linux-2.6.35.4/arch/powerpc/include/asm/pte-hash32.h 2010-08-26 19:47:12.000000000 -0400
2146 +++ linux-2.6.35.4/arch/powerpc/include/asm/pte-hash32.h 2010-09-17 20:12:09.000000000 -0400
2148 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2149 #define _PAGE_USER 0x004 /* usermode access allowed */
2150 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2151 +#define _PAGE_EXEC _PAGE_GUARDED
2152 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2153 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2154 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
2155 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/reg.h linux-2.6.35.4/arch/powerpc/include/asm/reg.h
2156 --- linux-2.6.35.4/arch/powerpc/include/asm/reg.h 2010-08-26 19:47:12.000000000 -0400
2157 +++ linux-2.6.35.4/arch/powerpc/include/asm/reg.h 2010-09-17 20:12:09.000000000 -0400
2159 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2160 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2161 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2162 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2163 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2164 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2165 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2166 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/swiotlb.h linux-2.6.35.4/arch/powerpc/include/asm/swiotlb.h
2167 --- linux-2.6.35.4/arch/powerpc/include/asm/swiotlb.h 2010-08-26 19:47:12.000000000 -0400
2168 +++ linux-2.6.35.4/arch/powerpc/include/asm/swiotlb.h 2010-09-17 20:12:09.000000000 -0400
2171 #include <linux/swiotlb.h>
2173 -extern struct dma_map_ops swiotlb_dma_ops;
2174 +extern const struct dma_map_ops swiotlb_dma_ops;
2176 static inline void dma_mark_clean(void *addr, size_t size) {}
2178 diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/uaccess.h linux-2.6.35.4/arch/powerpc/include/asm/uaccess.h
2179 --- linux-2.6.35.4/arch/powerpc/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
2180 +++ linux-2.6.35.4/arch/powerpc/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
2182 #define VERIFY_READ 0
2183 #define VERIFY_WRITE 1
2185 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2188 * The fs value determines whether argument validity checking should be
2189 * performed or not. If get_fs() == USER_DS, checking is performed, with
2190 @@ -327,52 +329,6 @@ do { \
2191 extern unsigned long __copy_tofrom_user(void __user *to,
2192 const void __user *from, unsigned long size);
2194 -#ifndef __powerpc64__
2196 -static inline unsigned long copy_from_user(void *to,
2197 - const void __user *from, unsigned long n)
2199 - unsigned long over;
2201 - if (access_ok(VERIFY_READ, from, n))
2202 - return __copy_tofrom_user((__force void __user *)to, from, n);
2203 - if ((unsigned long)from < TASK_SIZE) {
2204 - over = (unsigned long)from + n - TASK_SIZE;
2205 - return __copy_tofrom_user((__force void __user *)to, from,
2211 -static inline unsigned long copy_to_user(void __user *to,
2212 - const void *from, unsigned long n)
2214 - unsigned long over;
2216 - if (access_ok(VERIFY_WRITE, to, n))
2217 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2218 - if ((unsigned long)to < TASK_SIZE) {
2219 - over = (unsigned long)to + n - TASK_SIZE;
2220 - return __copy_tofrom_user(to, (__force void __user *)from,
2226 -#else /* __powerpc64__ */
2228 -#define __copy_in_user(to, from, size) \
2229 - __copy_tofrom_user((to), (from), (size))
2231 -extern unsigned long copy_from_user(void *to, const void __user *from,
2233 -extern unsigned long copy_to_user(void __user *to, const void *from,
2235 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2238 -#endif /* __powerpc64__ */
2240 static inline unsigned long __copy_from_user_inatomic(void *to,
2241 const void __user *from, unsigned long n)
2243 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2248 + if (!__builtin_constant_p(n))
2249 + check_object_size(to, n, false);
2251 return __copy_tofrom_user((__force void __user *)to, from, n);
2254 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2259 + if (!__builtin_constant_p(n))
2260 + check_object_size(from, n, true);
2262 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2265 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2266 return __copy_to_user_inatomic(to, from, size);
2269 +#ifndef __powerpc64__
2271 +static inline unsigned long __must_check copy_from_user(void *to,
2272 + const void __user *from, unsigned long n)
2274 + unsigned long over;
2279 + if (access_ok(VERIFY_READ, from, n)) {
2280 + if (!__builtin_constant_p(n))
2281 + check_object_size(to, n, false);
2282 + return __copy_tofrom_user((__force void __user *)to, from, n);
2284 + if ((unsigned long)from < TASK_SIZE) {
2285 + over = (unsigned long)from + n - TASK_SIZE;
2286 + if (!__builtin_constant_p(n - over))
2287 + check_object_size(to, n - over, false);
2288 + return __copy_tofrom_user((__force void __user *)to, from,
2294 +static inline unsigned long __must_check copy_to_user(void __user *to,
2295 + const void *from, unsigned long n)
2297 + unsigned long over;
2302 + if (access_ok(VERIFY_WRITE, to, n)) {
2303 + if (!__builtin_constant_p(n))
2304 + check_object_size(from, n, true);
2305 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2307 + if ((unsigned long)to < TASK_SIZE) {
2308 + over = (unsigned long)to + n - TASK_SIZE;
2309 + if (!__builtin_constant_p(n))
2310 + check_object_size(from, n - over, true);
2311 + return __copy_tofrom_user(to, (__force void __user *)from,
2317 +#else /* __powerpc64__ */
2319 +#define __copy_in_user(to, from, size) \
2320 + __copy_tofrom_user((to), (from), (size))
2322 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2324 + if ((long)n < 0 || n > INT_MAX)
2327 + if (!__builtin_constant_p(n))
2328 + check_object_size(to, n, false);
2330 + if (likely(access_ok(VERIFY_READ, from, n)))
2331 + n = __copy_from_user(to, from, n);
2337 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2339 + if ((long)n < 0 || n > INT_MAX)
2342 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2343 + if (!__builtin_constant_p(n))
2344 + check_object_size(from, n, true);
2345 + n = __copy_to_user(to, from, n);
2350 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2353 +#endif /* __powerpc64__ */
2355 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2357 static inline unsigned long clear_user(void __user *addr, unsigned long size)
2358 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/dma.c linux-2.6.35.4/arch/powerpc/kernel/dma.c
2359 --- linux-2.6.35.4/arch/powerpc/kernel/dma.c 2010-08-26 19:47:12.000000000 -0400
2360 +++ linux-2.6.35.4/arch/powerpc/kernel/dma.c 2010-09-17 20:12:09.000000000 -0400
2361 @@ -135,7 +135,7 @@ static inline void dma_direct_sync_singl
2365 -struct dma_map_ops dma_direct_ops = {
2366 +const struct dma_map_ops dma_direct_ops = {
2367 .alloc_coherent = dma_direct_alloc_coherent,
2368 .free_coherent = dma_direct_free_coherent,
2369 .map_sg = dma_direct_map_sg,
2370 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/dma-iommu.c linux-2.6.35.4/arch/powerpc/kernel/dma-iommu.c
2371 --- linux-2.6.35.4/arch/powerpc/kernel/dma-iommu.c 2010-08-26 19:47:12.000000000 -0400
2372 +++ linux-2.6.35.4/arch/powerpc/kernel/dma-iommu.c 2010-09-17 20:12:09.000000000 -0400
2373 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2376 /* We support DMA to/from any memory page via the iommu */
2377 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2378 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2380 struct iommu_table *tbl = get_iommu_table_base(dev);
2382 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.35.4/arch/powerpc/kernel/dma-swiotlb.c
2383 --- linux-2.6.35.4/arch/powerpc/kernel/dma-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
2384 +++ linux-2.6.35.4/arch/powerpc/kernel/dma-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
2385 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2386 * map_page, and unmap_page on highmem, use normal dma_ops
2387 * for everything else.
2389 -struct dma_map_ops swiotlb_dma_ops = {
2390 +const struct dma_map_ops swiotlb_dma_ops = {
2391 .alloc_coherent = dma_direct_alloc_coherent,
2392 .free_coherent = dma_direct_free_coherent,
2393 .map_sg = swiotlb_map_sg_attrs,
2394 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/exceptions-64e.S linux-2.6.35.4/arch/powerpc/kernel/exceptions-64e.S
2395 --- linux-2.6.35.4/arch/powerpc/kernel/exceptions-64e.S 2010-08-26 19:47:12.000000000 -0400
2396 +++ linux-2.6.35.4/arch/powerpc/kernel/exceptions-64e.S 2010-09-17 20:12:09.000000000 -0400
2397 @@ -455,6 +455,7 @@ storage_fault_common:
2400 addi r3,r1,STACK_FRAME_OVERHEAD
2404 ld r14,PACA_EXGEN+EX_R14(r13)
2405 @@ -464,8 +465,7 @@ storage_fault_common:
2408 b .ret_from_except_lite
2412 addi r3,r1,STACK_FRAME_OVERHEAD
2415 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/exceptions-64s.S linux-2.6.35.4/arch/powerpc/kernel/exceptions-64s.S
2416 --- linux-2.6.35.4/arch/powerpc/kernel/exceptions-64s.S 2010-08-26 19:47:12.000000000 -0400
2417 +++ linux-2.6.35.4/arch/powerpc/kernel/exceptions-64s.S 2010-09-17 20:12:09.000000000 -0400
2418 @@ -840,10 +840,10 @@ handle_page_fault:
2421 addi r3,r1,STACK_FRAME_OVERHEAD
2428 addi r3,r1,STACK_FRAME_OVERHEAD
2430 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/ibmebus.c linux-2.6.35.4/arch/powerpc/kernel/ibmebus.c
2431 --- linux-2.6.35.4/arch/powerpc/kernel/ibmebus.c 2010-08-26 19:47:12.000000000 -0400
2432 +++ linux-2.6.35.4/arch/powerpc/kernel/ibmebus.c 2010-09-17 20:12:09.000000000 -0400
2433 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2437 -static struct dma_map_ops ibmebus_dma_ops = {
2438 +static const struct dma_map_ops ibmebus_dma_ops = {
2439 .alloc_coherent = ibmebus_alloc_coherent,
2440 .free_coherent = ibmebus_free_coherent,
2441 .map_sg = ibmebus_map_sg,
2442 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/kgdb.c linux-2.6.35.4/arch/powerpc/kernel/kgdb.c
2443 --- linux-2.6.35.4/arch/powerpc/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
2444 +++ linux-2.6.35.4/arch/powerpc/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
2445 @@ -128,7 +128,7 @@ static int kgdb_handle_breakpoint(struct
2446 if (kgdb_handle_exception(1, SIGTRAP, 0, regs) != 0)
2449 - if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2450 + if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2454 @@ -360,7 +360,7 @@ int kgdb_arch_handle_exception(int vecto
2458 -struct kgdb_arch arch_kgdb_ops = {
2459 +const struct kgdb_arch arch_kgdb_ops = {
2460 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2463 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/module_32.c linux-2.6.35.4/arch/powerpc/kernel/module_32.c
2464 --- linux-2.6.35.4/arch/powerpc/kernel/module_32.c 2010-08-26 19:47:12.000000000 -0400
2465 +++ linux-2.6.35.4/arch/powerpc/kernel/module_32.c 2010-09-17 20:12:09.000000000 -0400
2466 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2467 me->arch.core_plt_section = i;
2469 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2470 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2471 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2475 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2477 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2478 /* Init, or core PLT? */
2479 - if (location >= mod->module_core
2480 - && location < mod->module_core + mod->core_size)
2481 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2482 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2483 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2485 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2486 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2487 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2489 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2493 /* Find this entry, or if that fails, the next avail. entry */
2494 while (entry->jump[0]) {
2495 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/module.c linux-2.6.35.4/arch/powerpc/kernel/module.c
2496 --- linux-2.6.35.4/arch/powerpc/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
2497 +++ linux-2.6.35.4/arch/powerpc/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
2500 LIST_HEAD(module_bug_list);
2502 +#ifdef CONFIG_PAX_KERNEXEC
2503 void *module_alloc(unsigned long size)
2508 + return vmalloc(size);
2511 +void *module_alloc_exec(unsigned long size)
2513 +void *module_alloc(unsigned long size)
2520 return vmalloc_exec(size);
2523 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2524 vfree(module_region);
2527 +#ifdef CONFIG_PAX_KERNEXEC
2528 +void module_free_exec(struct module *mod, void *module_region)
2530 + module_free(mod, module_region);
2534 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2535 const Elf_Shdr *sechdrs,
2537 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/pci-common.c linux-2.6.35.4/arch/powerpc/kernel/pci-common.c
2538 --- linux-2.6.35.4/arch/powerpc/kernel/pci-common.c 2010-08-26 19:47:12.000000000 -0400
2539 +++ linux-2.6.35.4/arch/powerpc/kernel/pci-common.c 2010-09-17 20:12:09.000000000 -0400
2540 @@ -51,14 +51,14 @@ resource_size_t isa_mem_base;
2541 unsigned int ppc_pci_flags = 0;
2544 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2545 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2547 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2548 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2550 pci_dma_ops = dma_ops;
2553 -struct dma_map_ops *get_pci_dma_ops(void)
2554 +const struct dma_map_ops *get_pci_dma_ops(void)
2558 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/process.c linux-2.6.35.4/arch/powerpc/kernel/process.c
2559 --- linux-2.6.35.4/arch/powerpc/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
2560 +++ linux-2.6.35.4/arch/powerpc/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
2561 @@ -1215,51 +1215,3 @@ unsigned long arch_align_stack(unsigned
2562 sp -= get_random_int() & ~PAGE_MASK;
2566 -static inline unsigned long brk_rnd(void)
2568 - unsigned long rnd = 0;
2570 - /* 8MB for 32bit, 1GB for 64bit */
2571 - if (is_32bit_task())
2572 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2574 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2576 - return rnd << PAGE_SHIFT;
2579 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2581 - unsigned long base = mm->brk;
2582 - unsigned long ret;
2584 -#ifdef CONFIG_PPC_STD_MMU_64
2586 - * If we are using 1TB segments and we are allowed to randomise
2587 - * the heap, we can put it above 1TB so it is backed by a 1TB
2588 - * segment. Otherwise the heap will be in the bottom 1TB
2589 - * which always uses 256MB segments and this may result in a
2590 - * performance penalty.
2592 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2593 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2596 - ret = PAGE_ALIGN(base + brk_rnd());
2598 - if (ret < mm->brk)
2604 -unsigned long randomize_et_dyn(unsigned long base)
2606 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2613 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/signal_32.c linux-2.6.35.4/arch/powerpc/kernel/signal_32.c
2614 --- linux-2.6.35.4/arch/powerpc/kernel/signal_32.c 2010-08-26 19:47:12.000000000 -0400
2615 +++ linux-2.6.35.4/arch/powerpc/kernel/signal_32.c 2010-09-17 20:12:09.000000000 -0400
2616 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2617 /* Save user registers on the stack */
2618 frame = &rt_sf->uc.uc_mcontext;
2620 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2621 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2622 if (save_user_regs(regs, frame, 0, 1))
2624 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
2625 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/signal_64.c linux-2.6.35.4/arch/powerpc/kernel/signal_64.c
2626 --- linux-2.6.35.4/arch/powerpc/kernel/signal_64.c 2010-08-26 19:47:12.000000000 -0400
2627 +++ linux-2.6.35.4/arch/powerpc/kernel/signal_64.c 2010-09-17 20:12:09.000000000 -0400
2628 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2629 current->thread.fpscr.val = 0;
2631 /* Set up to return from userspace. */
2632 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2633 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2634 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2636 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2637 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/vdso.c linux-2.6.35.4/arch/powerpc/kernel/vdso.c
2638 --- linux-2.6.35.4/arch/powerpc/kernel/vdso.c 2010-08-26 19:47:12.000000000 -0400
2639 +++ linux-2.6.35.4/arch/powerpc/kernel/vdso.c 2010-09-17 20:12:09.000000000 -0400
2641 #include <asm/firmware.h>
2642 #include <asm/vdso.h>
2643 #include <asm/vdso_datapage.h>
2644 +#include <asm/mman.h>
2648 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2649 vdso_base = VDSO32_MBASE;
2652 - current->mm->context.vdso_base = 0;
2653 + current->mm->context.vdso_base = ~0UL;
2655 /* vDSO has a problem and was disabled, just don't "enable" it for the
2657 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2658 vdso_base = get_unmapped_area(NULL, vdso_base,
2659 (vdso_pages << PAGE_SHIFT) +
2660 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2662 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2663 if (IS_ERR_VALUE(vdso_base)) {
2666 diff -urNp linux-2.6.35.4/arch/powerpc/kernel/vio.c linux-2.6.35.4/arch/powerpc/kernel/vio.c
2667 --- linux-2.6.35.4/arch/powerpc/kernel/vio.c 2010-08-26 19:47:12.000000000 -0400
2668 +++ linux-2.6.35.4/arch/powerpc/kernel/vio.c 2010-09-17 20:12:09.000000000 -0400
2669 @@ -602,11 +602,12 @@ static void vio_dma_iommu_unmap_sg(struc
2670 vio_cmo_dealloc(viodev, alloc_size);
2673 -struct dma_map_ops vio_dma_mapping_ops = {
2674 +static const struct dma_map_ops vio_dma_mapping_ops = {
2675 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2676 .free_coherent = vio_dma_iommu_free_coherent,
2677 .map_sg = vio_dma_iommu_map_sg,
2678 .unmap_sg = vio_dma_iommu_unmap_sg,
2679 + .dma_supported = dma_iommu_dma_supported,
2680 .map_page = vio_dma_iommu_map_page,
2681 .unmap_page = vio_dma_iommu_unmap_page,
2683 @@ -860,7 +861,6 @@ static void vio_cmo_bus_remove(struct vi
2685 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2687 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2688 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2691 diff -urNp linux-2.6.35.4/arch/powerpc/lib/usercopy_64.c linux-2.6.35.4/arch/powerpc/lib/usercopy_64.c
2692 --- linux-2.6.35.4/arch/powerpc/lib/usercopy_64.c 2010-08-26 19:47:12.000000000 -0400
2693 +++ linux-2.6.35.4/arch/powerpc/lib/usercopy_64.c 2010-09-17 20:12:09.000000000 -0400
2695 #include <linux/module.h>
2696 #include <asm/uaccess.h>
2698 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2700 - if (likely(access_ok(VERIFY_READ, from, n)))
2701 - n = __copy_from_user(to, from, n);
2707 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2709 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2710 - n = __copy_to_user(to, from, n);
2714 unsigned long copy_in_user(void __user *to, const void __user *from,
2717 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2721 -EXPORT_SYMBOL(copy_from_user);
2722 -EXPORT_SYMBOL(copy_to_user);
2723 EXPORT_SYMBOL(copy_in_user);
2725 diff -urNp linux-2.6.35.4/arch/powerpc/mm/fault.c linux-2.6.35.4/arch/powerpc/mm/fault.c
2726 --- linux-2.6.35.4/arch/powerpc/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
2727 +++ linux-2.6.35.4/arch/powerpc/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
2729 #include <linux/kprobes.h>
2730 #include <linux/kdebug.h>
2731 #include <linux/perf_event.h>
2732 +#include <linux/slab.h>
2733 +#include <linux/pagemap.h>
2734 +#include <linux/compiler.h>
2735 +#include <linux/unistd.h>
2737 #include <asm/firmware.h>
2738 #include <asm/page.h>
2740 #include <asm/tlbflush.h>
2741 #include <asm/siginfo.h>
2742 #include <mm/mmu_decl.h>
2743 +#include <asm/ptrace.h>
2745 #ifdef CONFIG_KPROBES
2746 static inline int notify_page_fault(struct pt_regs *regs)
2747 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2751 +#ifdef CONFIG_PAX_PAGEEXEC
2753 + * PaX: decide what to do with offenders (regs->nip = fault address)
2755 + * returns 1 when task should be killed
2757 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2762 +void pax_report_insns(void *pc, void *sp)
2766 + printk(KERN_ERR "PAX: bytes at PC: ");
2767 + for (i = 0; i < 5; i++) {
2769 + if (get_user(c, (unsigned int __user *)pc+i))
2770 + printk(KERN_CONT "???????? ");
2772 + printk(KERN_CONT "%08x ", c);
2779 * Check whether the instruction at regs->nip is a store using
2780 * an update addressing form which will update r1.
2781 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2782 * indicate errors in DSISR but can validly be set in SRR1.
2785 - error_code &= 0x48200000;
2786 + error_code &= 0x58200000;
2788 is_write = error_code & DSISR_ISSTORE;
2790 @@ -257,7 +289,7 @@ good_area:
2791 * "undefined". Of those that can be set, this is the only
2792 * one which seems bad.
2794 - if (error_code & 0x10000000)
2795 + if (error_code & DSISR_GUARDED)
2796 /* Guarded storage error. */
2798 #endif /* CONFIG_8xx */
2799 @@ -272,7 +304,7 @@ good_area:
2800 * processors use the same I/D cache coherency mechanism
2803 - if (error_code & DSISR_PROTFAULT)
2804 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2806 #endif /* CONFIG_PPC_STD_MMU */
2808 @@ -341,6 +373,23 @@ bad_area:
2809 bad_area_nosemaphore:
2810 /* User mode accesses cause a SIGSEGV */
2811 if (user_mode(regs)) {
2813 +#ifdef CONFIG_PAX_PAGEEXEC
2814 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2815 +#ifdef CONFIG_PPC_STD_MMU
2816 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2818 + if (is_exec && regs->nip == address) {
2820 + switch (pax_handle_fetch_fault(regs)) {
2823 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2824 + do_group_exit(SIGKILL);
2829 _exception(SIGSEGV, regs, code, address);
2832 diff -urNp linux-2.6.35.4/arch/powerpc/mm/mmap_64.c linux-2.6.35.4/arch/powerpc/mm/mmap_64.c
2833 --- linux-2.6.35.4/arch/powerpc/mm/mmap_64.c 2010-08-26 19:47:12.000000000 -0400
2834 +++ linux-2.6.35.4/arch/powerpc/mm/mmap_64.c 2010-09-17 20:12:09.000000000 -0400
2835 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2837 if (mmap_is_legacy()) {
2838 mm->mmap_base = TASK_UNMAPPED_BASE;
2840 +#ifdef CONFIG_PAX_RANDMMAP
2841 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2842 + mm->mmap_base += mm->delta_mmap;
2845 mm->get_unmapped_area = arch_get_unmapped_area;
2846 mm->unmap_area = arch_unmap_area;
2848 mm->mmap_base = mmap_base();
2850 +#ifdef CONFIG_PAX_RANDMMAP
2851 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2852 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2855 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2856 mm->unmap_area = arch_unmap_area_topdown;
2858 diff -urNp linux-2.6.35.4/arch/powerpc/mm/slice.c linux-2.6.35.4/arch/powerpc/mm/slice.c
2859 --- linux-2.6.35.4/arch/powerpc/mm/slice.c 2010-08-26 19:47:12.000000000 -0400
2860 +++ linux-2.6.35.4/arch/powerpc/mm/slice.c 2010-09-17 20:12:09.000000000 -0400
2861 @@ -98,10 +98,9 @@ static int slice_area_is_free(struct mm_
2862 if ((mm->task_size - len) < addr)
2864 vma = find_vma(mm, addr);
2865 - return (!vma || (addr + len) <= vma->vm_start);
2866 + return check_heap_stack_gap(vma, addr, len);
2869 -static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2871 return !slice_area_is_free(mm, slice << SLICE_LOW_SHIFT,
2872 1ul << SLICE_LOW_SHIFT);
2873 @@ -256,7 +255,7 @@ full_search:
2874 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2877 - if (!vma || addr + len <= vma->vm_start) {
2878 + if (check_heap_stack_gap(vma, addr, len)) {
2880 * Remember the place where we stopped the search:
2882 @@ -336,7 +335,7 @@ static unsigned long slice_find_area_top
2883 * return with success:
2885 vma = find_vma(mm, addr);
2886 - if (!vma || (addr + len) <= vma->vm_start) {
2887 + if (check_heap_stack_gap(vma, addr, len)) {
2888 /* remember the address as a hint for next time */
2890 mm->free_area_cache = addr;
2891 @@ -426,6 +425,11 @@ unsigned long slice_get_unmapped_area(un
2892 if (fixed && addr > (mm->task_size - len))
2895 +#ifdef CONFIG_PAX_RANDMMAP
2896 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2900 /* If hint, make sure it matches our alignment restrictions */
2901 if (!fixed && addr) {
2902 addr = _ALIGN_UP(addr, 1ul << pshift);
2903 diff -urNp linux-2.6.35.4/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.35.4/arch/powerpc/platforms/52xx/lite5200_pm.c
2904 --- linux-2.6.35.4/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-08-26 19:47:12.000000000 -0400
2905 +++ linux-2.6.35.4/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-09-17 20:12:09.000000000 -0400
2906 @@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
2907 lite5200_pm_target_state = PM_SUSPEND_ON;
2910 -static struct platform_suspend_ops lite5200_pm_ops = {
2911 +static const struct platform_suspend_ops lite5200_pm_ops = {
2912 .valid = lite5200_pm_valid,
2913 .begin = lite5200_pm_begin,
2914 .prepare = lite5200_pm_prepare,
2915 diff -urNp linux-2.6.35.4/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.35.4/arch/powerpc/platforms/52xx/mpc52xx_pm.c
2916 --- linux-2.6.35.4/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-08-26 19:47:12.000000000 -0400
2917 +++ linux-2.6.35.4/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-09-17 20:12:09.000000000 -0400
2918 @@ -189,7 +189,7 @@ void mpc52xx_pm_finish(void)
2922 -static struct platform_suspend_ops mpc52xx_pm_ops = {
2923 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
2924 .valid = mpc52xx_pm_valid,
2925 .prepare = mpc52xx_pm_prepare,
2926 .enter = mpc52xx_pm_enter,
2927 diff -urNp linux-2.6.35.4/arch/powerpc/platforms/83xx/suspend.c linux-2.6.35.4/arch/powerpc/platforms/83xx/suspend.c
2928 --- linux-2.6.35.4/arch/powerpc/platforms/83xx/suspend.c 2010-08-26 19:47:12.000000000 -0400
2929 +++ linux-2.6.35.4/arch/powerpc/platforms/83xx/suspend.c 2010-09-17 20:12:09.000000000 -0400
2930 @@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
2934 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
2935 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
2936 .valid = mpc83xx_suspend_valid,
2937 .begin = mpc83xx_suspend_begin,
2938 .enter = mpc83xx_suspend_enter,
2939 diff -urNp linux-2.6.35.4/arch/powerpc/platforms/cell/iommu.c linux-2.6.35.4/arch/powerpc/platforms/cell/iommu.c
2940 --- linux-2.6.35.4/arch/powerpc/platforms/cell/iommu.c 2010-08-26 19:47:12.000000000 -0400
2941 +++ linux-2.6.35.4/arch/powerpc/platforms/cell/iommu.c 2010-09-17 20:12:09.000000000 -0400
2942 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
2944 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
2946 -struct dma_map_ops dma_iommu_fixed_ops = {
2947 +const struct dma_map_ops dma_iommu_fixed_ops = {
2948 .alloc_coherent = dma_fixed_alloc_coherent,
2949 .free_coherent = dma_fixed_free_coherent,
2950 .map_sg = dma_fixed_map_sg,
2951 diff -urNp linux-2.6.35.4/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.35.4/arch/powerpc/platforms/ps3/system-bus.c
2952 --- linux-2.6.35.4/arch/powerpc/platforms/ps3/system-bus.c 2010-08-26 19:47:12.000000000 -0400
2953 +++ linux-2.6.35.4/arch/powerpc/platforms/ps3/system-bus.c 2010-09-17 20:12:09.000000000 -0400
2954 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
2955 return mask >= DMA_BIT_MASK(32);
2958 -static struct dma_map_ops ps3_sb_dma_ops = {
2959 +static const struct dma_map_ops ps3_sb_dma_ops = {
2960 .alloc_coherent = ps3_alloc_coherent,
2961 .free_coherent = ps3_free_coherent,
2962 .map_sg = ps3_sb_map_sg,
2963 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
2964 .unmap_page = ps3_unmap_page,
2967 -static struct dma_map_ops ps3_ioc0_dma_ops = {
2968 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
2969 .alloc_coherent = ps3_alloc_coherent,
2970 .free_coherent = ps3_free_coherent,
2971 .map_sg = ps3_ioc0_map_sg,
2972 diff -urNp linux-2.6.35.4/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.35.4/arch/powerpc/sysdev/fsl_pmc.c
2973 --- linux-2.6.35.4/arch/powerpc/sysdev/fsl_pmc.c 2010-08-26 19:47:12.000000000 -0400
2974 +++ linux-2.6.35.4/arch/powerpc/sysdev/fsl_pmc.c 2010-09-17 20:12:09.000000000 -0400
2975 @@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
2979 -static struct platform_suspend_ops pmc_suspend_ops = {
2980 +static const struct platform_suspend_ops pmc_suspend_ops = {
2981 .valid = pmc_suspend_valid,
2982 .enter = pmc_suspend_enter,
2984 diff -urNp linux-2.6.35.4/arch/s390/include/asm/elf.h linux-2.6.35.4/arch/s390/include/asm/elf.h
2985 --- linux-2.6.35.4/arch/s390/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
2986 +++ linux-2.6.35.4/arch/s390/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
2987 @@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
2988 that it will "exec", and that there is sufficient room for the brk. */
2989 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
2991 +#ifdef CONFIG_PAX_ASLR
2992 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
2994 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2995 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2998 /* This yields a mask that user programs can use to figure out what
2999 instruction set this CPU supports. */
3001 diff -urNp linux-2.6.35.4/arch/s390/include/asm/uaccess.h linux-2.6.35.4/arch/s390/include/asm/uaccess.h
3002 --- linux-2.6.35.4/arch/s390/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
3003 +++ linux-2.6.35.4/arch/s390/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
3004 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3005 copy_to_user(void __user *to, const void *from, unsigned long n)
3012 if (access_ok(VERIFY_WRITE, to, n))
3013 n = __copy_to_user(to, from, n);
3015 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3016 static inline unsigned long __must_check
3017 __copy_from_user(void *to, const void __user *from, unsigned long n)
3022 if (__builtin_constant_p(n) && (n <= 256))
3023 return uaccess.copy_from_user_small(n, from, to);
3025 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3026 unsigned int sz = __compiletime_object_size(to);
3033 if (unlikely(sz != -1 && sz < n)) {
3034 copy_from_user_overflow();
3036 diff -urNp linux-2.6.35.4/arch/s390/Kconfig linux-2.6.35.4/arch/s390/Kconfig
3037 --- linux-2.6.35.4/arch/s390/Kconfig 2010-08-26 19:47:12.000000000 -0400
3038 +++ linux-2.6.35.4/arch/s390/Kconfig 2010-09-17 20:12:09.000000000 -0400
3039 @@ -230,13 +230,12 @@ config AUDIT_ARCH
3041 config S390_EXEC_PROTECT
3042 bool "Data execute protection"
3045 This option allows to enable a buffer overflow protection for user
3046 - space programs and it also selects the addressing mode option above.
3047 - The kernel parameter noexec=on will enable this feature and also
3048 - switch the addressing modes, default is disabled. Enabling this (via
3049 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3050 - will reduce system performance.
3052 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
3053 + reduce system performance.
3055 comment "Code generation options"
3057 diff -urNp linux-2.6.35.4/arch/s390/kernel/module.c linux-2.6.35.4/arch/s390/kernel/module.c
3058 --- linux-2.6.35.4/arch/s390/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
3059 +++ linux-2.6.35.4/arch/s390/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
3060 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3062 /* Increase core size by size of got & plt and set start
3063 offsets for got and plt. */
3064 - me->core_size = ALIGN(me->core_size, 4);
3065 - me->arch.got_offset = me->core_size;
3066 - me->core_size += me->arch.got_size;
3067 - me->arch.plt_offset = me->core_size;
3068 - me->core_size += me->arch.plt_size;
3069 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3070 + me->arch.got_offset = me->core_size_rw;
3071 + me->core_size_rw += me->arch.got_size;
3072 + me->arch.plt_offset = me->core_size_rx;
3073 + me->core_size_rx += me->arch.plt_size;
3077 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3078 if (info->got_initialized == 0) {
3081 - gotent = me->module_core + me->arch.got_offset +
3082 + gotent = me->module_core_rw + me->arch.got_offset +
3085 info->got_initialized = 1;
3086 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3087 else if (r_type == R_390_GOTENT ||
3088 r_type == R_390_GOTPLTENT)
3089 *(unsigned int *) loc =
3090 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3091 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3092 else if (r_type == R_390_GOT64 ||
3093 r_type == R_390_GOTPLT64)
3094 *(unsigned long *) loc = val;
3095 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3096 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3097 if (info->plt_initialized == 0) {
3099 - ip = me->module_core + me->arch.plt_offset +
3100 + ip = me->module_core_rx + me->arch.plt_offset +
3102 #ifndef CONFIG_64BIT
3103 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3104 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3105 val - loc + 0xffffUL < 0x1ffffeUL) ||
3106 (r_type == R_390_PLT32DBL &&
3107 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3108 - val = (Elf_Addr) me->module_core +
3109 + val = (Elf_Addr) me->module_core_rx +
3110 me->arch.plt_offset +
3112 val += rela->r_addend - loc;
3113 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3114 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3115 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3116 val = val + rela->r_addend -
3117 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3118 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3119 if (r_type == R_390_GOTOFF16)
3120 *(unsigned short *) loc = val;
3121 else if (r_type == R_390_GOTOFF32)
3122 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3124 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3125 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3126 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3127 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3128 rela->r_addend - loc;
3129 if (r_type == R_390_GOTPC)
3130 *(unsigned int *) loc = val;
3131 diff -urNp linux-2.6.35.4/arch/s390/kernel/setup.c linux-2.6.35.4/arch/s390/kernel/setup.c
3132 --- linux-2.6.35.4/arch/s390/kernel/setup.c 2010-08-26 19:47:12.000000000 -0400
3133 +++ linux-2.6.35.4/arch/s390/kernel/setup.c 2010-09-17 20:12:09.000000000 -0400
3134 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3136 early_param("mem", early_parse_mem);
3138 -unsigned int user_mode = HOME_SPACE_MODE;
3139 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3140 EXPORT_SYMBOL_GPL(user_mode);
3142 static int set_amode_and_uaccess(unsigned long user_amode,
3143 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3148 - * Switch kernel/user addressing modes?
3150 -static int __init early_parse_switch_amode(char *p)
3152 - if (user_mode != SECONDARY_SPACE_MODE)
3153 - user_mode = PRIMARY_SPACE_MODE;
3156 -early_param("switch_amode", early_parse_switch_amode);
3158 static int __init early_parse_user_mode(char *p)
3160 if (p && strcmp(p, "primary") == 0)
3161 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3163 early_param("user_mode", early_parse_user_mode);
3165 -#ifdef CONFIG_S390_EXEC_PROTECT
3167 - * Enable execute protection?
3169 -static int __init early_parse_noexec(char *p)
3171 - if (!strncmp(p, "off", 3))
3173 - user_mode = SECONDARY_SPACE_MODE;
3176 -early_param("noexec", early_parse_noexec);
3177 -#endif /* CONFIG_S390_EXEC_PROTECT */
3179 static void setup_addressing_mode(void)
3181 if (user_mode == SECONDARY_SPACE_MODE) {
3182 diff -urNp linux-2.6.35.4/arch/s390/mm/maccess.c linux-2.6.35.4/arch/s390/mm/maccess.c
3183 --- linux-2.6.35.4/arch/s390/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
3184 +++ linux-2.6.35.4/arch/s390/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
3185 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3186 return rc ? rc : count;
3189 -long probe_kernel_write(void *dst, void *src, size_t size)
3190 +long probe_kernel_write(void *dst, const void *src, size_t size)
3194 diff -urNp linux-2.6.35.4/arch/s390/mm/mmap.c linux-2.6.35.4/arch/s390/mm/mmap.c
3195 --- linux-2.6.35.4/arch/s390/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
3196 +++ linux-2.6.35.4/arch/s390/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
3197 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3199 if (mmap_is_legacy()) {
3200 mm->mmap_base = TASK_UNMAPPED_BASE;
3202 +#ifdef CONFIG_PAX_RANDMMAP
3203 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3204 + mm->mmap_base += mm->delta_mmap;
3207 mm->get_unmapped_area = arch_get_unmapped_area;
3208 mm->unmap_area = arch_unmap_area;
3210 mm->mmap_base = mmap_base();
3212 +#ifdef CONFIG_PAX_RANDMMAP
3213 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3214 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3217 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3218 mm->unmap_area = arch_unmap_area_topdown;
3220 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3222 if (mmap_is_legacy()) {
3223 mm->mmap_base = TASK_UNMAPPED_BASE;
3225 +#ifdef CONFIG_PAX_RANDMMAP
3226 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3227 + mm->mmap_base += mm->delta_mmap;
3230 mm->get_unmapped_area = s390_get_unmapped_area;
3231 mm->unmap_area = arch_unmap_area;
3233 mm->mmap_base = mmap_base();
3235 +#ifdef CONFIG_PAX_RANDMMAP
3236 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3237 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3240 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3241 mm->unmap_area = arch_unmap_area_topdown;
3243 diff -urNp linux-2.6.35.4/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.35.4/arch/sh/boards/mach-hp6xx/pm.c
3244 --- linux-2.6.35.4/arch/sh/boards/mach-hp6xx/pm.c 2010-08-26 19:47:12.000000000 -0400
3245 +++ linux-2.6.35.4/arch/sh/boards/mach-hp6xx/pm.c 2010-09-17 20:12:09.000000000 -0400
3246 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3250 -static struct platform_suspend_ops hp6x0_pm_ops = {
3251 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3252 .enter = hp6x0_pm_enter,
3253 .valid = suspend_valid_only_mem,
3255 diff -urNp linux-2.6.35.4/arch/sh/include/asm/dma-mapping.h linux-2.6.35.4/arch/sh/include/asm/dma-mapping.h
3256 --- linux-2.6.35.4/arch/sh/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3257 +++ linux-2.6.35.4/arch/sh/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
3259 #ifndef __ASM_SH_DMA_MAPPING_H
3260 #define __ASM_SH_DMA_MAPPING_H
3262 -extern struct dma_map_ops *dma_ops;
3263 +extern const struct dma_map_ops *dma_ops;
3264 extern void no_iommu_init(void);
3266 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3267 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3271 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3273 static inline int dma_supported(struct device *dev, u64 mask)
3275 - struct dma_map_ops *ops = get_dma_ops(dev);
3276 + const struct dma_map_ops *ops = get_dma_ops(dev);
3278 if (ops->dma_supported)
3279 return ops->dma_supported(dev, mask);
3280 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3282 static inline int dma_set_mask(struct device *dev, u64 mask)
3284 - struct dma_map_ops *ops = get_dma_ops(dev);
3285 + const struct dma_map_ops *ops = get_dma_ops(dev);
3287 if (!dev->dma_mask || !dma_supported(dev, mask))
3289 @@ -59,7 +59,7 @@ static inline int dma_get_cache_alignmen
3291 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3293 - struct dma_map_ops *ops = get_dma_ops(dev);
3294 + const struct dma_map_ops *ops = get_dma_ops(dev);
3296 if (ops->mapping_error)
3297 return ops->mapping_error(dev, dma_addr);
3298 @@ -70,7 +70,7 @@ static inline int dma_mapping_error(stru
3299 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3300 dma_addr_t *dma_handle, gfp_t gfp)
3302 - struct dma_map_ops *ops = get_dma_ops(dev);
3303 + const struct dma_map_ops *ops = get_dma_ops(dev);
3306 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3307 @@ -87,7 +87,7 @@ static inline void *dma_alloc_coherent(s
3308 static inline void dma_free_coherent(struct device *dev, size_t size,
3309 void *vaddr, dma_addr_t dma_handle)
3311 - struct dma_map_ops *ops = get_dma_ops(dev);
3312 + const struct dma_map_ops *ops = get_dma_ops(dev);
3314 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3316 diff -urNp linux-2.6.35.4/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.35.4/arch/sh/kernel/cpu/shmobile/pm.c
3317 --- linux-2.6.35.4/arch/sh/kernel/cpu/shmobile/pm.c 2010-08-26 19:47:12.000000000 -0400
3318 +++ linux-2.6.35.4/arch/sh/kernel/cpu/shmobile/pm.c 2010-09-17 20:12:09.000000000 -0400
3319 @@ -141,7 +141,7 @@ static int sh_pm_enter(suspend_state_t s
3323 -static struct platform_suspend_ops sh_pm_ops = {
3324 +static const struct platform_suspend_ops sh_pm_ops = {
3325 .enter = sh_pm_enter,
3326 .valid = suspend_valid_only_mem,
3328 diff -urNp linux-2.6.35.4/arch/sh/kernel/dma-nommu.c linux-2.6.35.4/arch/sh/kernel/dma-nommu.c
3329 --- linux-2.6.35.4/arch/sh/kernel/dma-nommu.c 2010-08-26 19:47:12.000000000 -0400
3330 +++ linux-2.6.35.4/arch/sh/kernel/dma-nommu.c 2010-09-17 20:12:09.000000000 -0400
3331 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3335 -struct dma_map_ops nommu_dma_ops = {
3336 +const struct dma_map_ops nommu_dma_ops = {
3337 .alloc_coherent = dma_generic_alloc_coherent,
3338 .free_coherent = dma_generic_free_coherent,
3339 .map_page = nommu_map_page,
3340 diff -urNp linux-2.6.35.4/arch/sh/kernel/kgdb.c linux-2.6.35.4/arch/sh/kernel/kgdb.c
3341 --- linux-2.6.35.4/arch/sh/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
3342 +++ linux-2.6.35.4/arch/sh/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
3343 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3344 unregister_die_notifier(&kgdb_notifier);
3347 -struct kgdb_arch arch_kgdb_ops = {
3348 +const struct kgdb_arch arch_kgdb_ops = {
3349 /* Breakpoint instruction: trapa #0x3c */
3350 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3351 .gdb_bpt_instr = { 0x3c, 0xc3 },
3352 diff -urNp linux-2.6.35.4/arch/sh/mm/consistent.c linux-2.6.35.4/arch/sh/mm/consistent.c
3353 --- linux-2.6.35.4/arch/sh/mm/consistent.c 2010-08-26 19:47:12.000000000 -0400
3354 +++ linux-2.6.35.4/arch/sh/mm/consistent.c 2010-09-17 20:12:09.000000000 -0400
3357 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3359 -struct dma_map_ops *dma_ops;
3360 +const struct dma_map_ops *dma_ops;
3361 EXPORT_SYMBOL(dma_ops);
3363 static int __init dma_init(void)
3364 diff -urNp linux-2.6.35.4/arch/sh/mm/mmap.c linux-2.6.35.4/arch/sh/mm/mmap.c
3365 --- linux-2.6.35.4/arch/sh/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
3366 +++ linux-2.6.35.4/arch/sh/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
3367 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3368 addr = PAGE_ALIGN(addr);
3370 vma = find_vma(mm, addr);
3371 - if (TASK_SIZE - len >= addr &&
3372 - (!vma || addr + len <= vma->vm_start))
3373 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3377 @@ -106,7 +105,7 @@ full_search:
3381 - if (likely(!vma || addr + len <= vma->vm_start)) {
3382 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3384 * Remember the place where we stopped the search:
3386 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3387 addr = PAGE_ALIGN(addr);
3389 vma = find_vma(mm, addr);
3390 - if (TASK_SIZE - len >= addr &&
3391 - (!vma || addr + len <= vma->vm_start))
3392 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3396 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3397 /* make sure it can fit in the remaining address space */
3398 if (likely(addr > len)) {
3399 vma = find_vma(mm, addr-len);
3400 - if (!vma || addr <= vma->vm_start) {
3401 + if (check_heap_stack_gap(vma, addr - len, len)) {
3402 /* remember the address as a hint for next time */
3403 return (mm->free_area_cache = addr-len);
3405 @@ -199,7 +197,7 @@ arch_get_unmapped_area_topdown(struct fi
3406 * return with success:
3408 vma = find_vma(mm, addr);
3409 - if (likely(!vma || addr+len <= vma->vm_start)) {
3410 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3411 /* remember the address as a hint for next time */
3412 return (mm->free_area_cache = addr);
3414 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/atomic_64.h linux-2.6.35.4/arch/sparc/include/asm/atomic_64.h
3415 --- linux-2.6.35.4/arch/sparc/include/asm/atomic_64.h 2010-08-26 19:47:12.000000000 -0400
3416 +++ linux-2.6.35.4/arch/sparc/include/asm/atomic_64.h 2010-09-17 20:12:09.000000000 -0400
3418 #define ATOMIC64_INIT(i) { (i) }
3420 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3421 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3423 + return v->counter;
3425 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3426 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3428 + return v->counter;
3431 #define atomic_set(v, i) (((v)->counter) = i)
3432 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3436 #define atomic64_set(v, i) (((v)->counter) = i)
3437 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3442 extern void atomic_add(int, atomic_t *);
3443 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3444 extern void atomic64_add(long, atomic64_t *);
3445 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3446 extern void atomic_sub(int, atomic_t *);
3447 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3448 extern void atomic64_sub(long, atomic64_t *);
3449 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3451 extern int atomic_add_ret(int, atomic_t *);
3452 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3453 extern long atomic64_add_ret(long, atomic64_t *);
3454 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3455 extern int atomic_sub_ret(int, atomic_t *);
3456 extern long atomic64_sub_ret(long, atomic64_t *);
3458 @@ -33,7 +55,15 @@ extern long atomic64_sub_ret(long, atomi
3459 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3461 #define atomic_inc_return(v) atomic_add_ret(1, v)
3462 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3464 + return atomic_add_ret_unchecked(1, v);
3466 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3467 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3469 + return atomic64_add_ret_unchecked(1, v);
3472 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3473 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3474 @@ -59,10 +89,26 @@ extern long atomic64_sub_ret(long, atomi
3475 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3477 #define atomic_inc(v) atomic_add(1, v)
3478 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3480 + atomic_add_unchecked(1, v);
3482 #define atomic64_inc(v) atomic64_add(1, v)
3483 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3485 + atomic64_add_unchecked(1, v);
3488 #define atomic_dec(v) atomic_sub(1, v)
3489 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3491 + atomic_sub_unchecked(1, v);
3493 #define atomic64_dec(v) atomic64_sub(1, v)
3494 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3496 + atomic64_sub_unchecked(1, v);
3499 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3500 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3501 @@ -72,17 +118,28 @@ extern long atomic64_sub_ret(long, atomi
3503 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3509 - if (unlikely(c == (u)))
3510 + if (unlikely(c == u))
3512 - old = atomic_cmpxchg((v), c, c + (a));
3514 + asm volatile("addcc %2, %0, %0\n"
3516 +#ifdef CONFIG_PAX_REFCOUNT
3521 + : "0" (c), "ir" (a)
3524 + old = atomic_cmpxchg(v, c, new);
3525 if (likely(old == c))
3533 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3534 @@ -93,17 +150,28 @@ static inline int atomic_add_unless(atom
3536 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3540 c = atomic64_read(v);
3542 - if (unlikely(c == (u)))
3543 + if (unlikely(c == u))
3545 - old = atomic64_cmpxchg((v), c, c + (a));
3547 + asm volatile("addcc %2, %0, %0\n"
3549 +#ifdef CONFIG_PAX_REFCOUNT
3554 + : "0" (c), "ir" (a)
3557 + old = atomic64_cmpxchg(v, c, new);
3558 if (likely(old == c))
3566 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3567 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/dma-mapping.h linux-2.6.35.4/arch/sparc/include/asm/dma-mapping.h
3568 --- linux-2.6.35.4/arch/sparc/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3569 +++ linux-2.6.35.4/arch/sparc/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
3570 @@ -13,10 +13,10 @@ extern int dma_supported(struct device *
3571 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3572 #define dma_is_consistent(d, h) (1)
3574 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3575 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3576 extern struct bus_type pci_bus_type;
3578 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3579 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3581 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3582 if (dev->bus == &pci_bus_type)
3583 @@ -30,7 +30,7 @@ static inline struct dma_map_ops *get_dm
3584 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3585 dma_addr_t *dma_handle, gfp_t flag)
3587 - struct dma_map_ops *ops = get_dma_ops(dev);
3588 + const struct dma_map_ops *ops = get_dma_ops(dev);
3591 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3592 @@ -41,7 +41,7 @@ static inline void *dma_alloc_coherent(s
3593 static inline void dma_free_coherent(struct device *dev, size_t size,
3594 void *cpu_addr, dma_addr_t dma_handle)
3596 - struct dma_map_ops *ops = get_dma_ops(dev);
3597 + const struct dma_map_ops *ops = get_dma_ops(dev);
3599 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3600 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3601 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/elf_32.h linux-2.6.35.4/arch/sparc/include/asm/elf_32.h
3602 --- linux-2.6.35.4/arch/sparc/include/asm/elf_32.h 2010-08-26 19:47:12.000000000 -0400
3603 +++ linux-2.6.35.4/arch/sparc/include/asm/elf_32.h 2010-09-17 20:12:09.000000000 -0400
3604 @@ -114,6 +114,13 @@ typedef struct {
3606 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3608 +#ifdef CONFIG_PAX_ASLR
3609 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3611 +#define PAX_DELTA_MMAP_LEN 16
3612 +#define PAX_DELTA_STACK_LEN 16
3615 /* This yields a mask that user programs can use to figure out what
3616 instruction set this cpu supports. This can NOT be done in userspace
3618 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/elf_64.h linux-2.6.35.4/arch/sparc/include/asm/elf_64.h
3619 --- linux-2.6.35.4/arch/sparc/include/asm/elf_64.h 2010-08-26 19:47:12.000000000 -0400
3620 +++ linux-2.6.35.4/arch/sparc/include/asm/elf_64.h 2010-09-17 20:12:09.000000000 -0400
3621 @@ -162,6 +162,12 @@ typedef struct {
3622 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3623 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3625 +#ifdef CONFIG_PAX_ASLR
3626 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3628 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3629 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3632 /* This yields a mask that user programs can use to figure out what
3633 instruction set this cpu supports. */
3634 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/pgtable_32.h linux-2.6.35.4/arch/sparc/include/asm/pgtable_32.h
3635 --- linux-2.6.35.4/arch/sparc/include/asm/pgtable_32.h 2010-08-26 19:47:12.000000000 -0400
3636 +++ linux-2.6.35.4/arch/sparc/include/asm/pgtable_32.h 2010-09-17 20:12:09.000000000 -0400
3637 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3638 BTFIXUPDEF_INT(page_none)
3639 BTFIXUPDEF_INT(page_copy)
3640 BTFIXUPDEF_INT(page_readonly)
3642 +#ifdef CONFIG_PAX_PAGEEXEC
3643 +BTFIXUPDEF_INT(page_shared_noexec)
3644 +BTFIXUPDEF_INT(page_copy_noexec)
3645 +BTFIXUPDEF_INT(page_readonly_noexec)
3648 BTFIXUPDEF_INT(page_kernel)
3650 #define PMD_SHIFT SUN4C_PMD_SHIFT
3651 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3652 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3653 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3655 +#ifdef CONFIG_PAX_PAGEEXEC
3656 +extern pgprot_t PAGE_SHARED_NOEXEC;
3657 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3658 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3660 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3661 +# define PAGE_COPY_NOEXEC PAGE_COPY
3662 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3665 extern unsigned long page_kernel;
3668 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.35.4/arch/sparc/include/asm/pgtsrmmu.h
3669 --- linux-2.6.35.4/arch/sparc/include/asm/pgtsrmmu.h 2010-08-26 19:47:12.000000000 -0400
3670 +++ linux-2.6.35.4/arch/sparc/include/asm/pgtsrmmu.h 2010-09-17 20:12:09.000000000 -0400
3671 @@ -115,6 +115,13 @@
3672 SRMMU_EXEC | SRMMU_REF)
3673 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3674 SRMMU_EXEC | SRMMU_REF)
3676 +#ifdef CONFIG_PAX_PAGEEXEC
3677 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3678 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3679 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3682 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3683 SRMMU_DIRTY | SRMMU_REF)
3685 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/spinlock_64.h linux-2.6.35.4/arch/sparc/include/asm/spinlock_64.h
3686 --- linux-2.6.35.4/arch/sparc/include/asm/spinlock_64.h 2010-08-26 19:47:12.000000000 -0400
3687 +++ linux-2.6.35.4/arch/sparc/include/asm/spinlock_64.h 2010-09-17 20:12:09.000000000 -0400
3688 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3689 __asm__ __volatile__ (
3690 "1: ldsw [%2], %0\n"
3692 -"4: add %0, 1, %1\n"
3693 +"4: addcc %0, 1, %1\n"
3695 +#ifdef CONFIG_PAX_REFCOUNT
3699 " cas [%2], %0, %1\n"
3701 " bne,pn %%icc, 1b\n"
3702 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3704 : "=&r" (tmp1), "=&r" (tmp2)
3707 + : "memory", "cc");
3710 static int inline arch_read_trylock(arch_rwlock_t *lock)
3711 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3712 "1: ldsw [%2], %0\n"
3713 " brlz,a,pn %0, 2f\n"
3716 +" addcc %0, 1, %1\n"
3718 +#ifdef CONFIG_PAX_REFCOUNT
3722 " cas [%2], %0, %1\n"
3724 " bne,pn %%icc, 1b\n"
3725 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3727 __asm__ __volatile__(
3728 "1: lduw [%2], %0\n"
3730 +" subcc %0, 1, %1\n"
3732 +#ifdef CONFIG_PAX_REFCOUNT
3736 " cas [%2], %0, %1\n"
3738 " bne,pn %%xcc, 1b\n"
3739 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/uaccess_32.h linux-2.6.35.4/arch/sparc/include/asm/uaccess_32.h
3740 --- linux-2.6.35.4/arch/sparc/include/asm/uaccess_32.h 2010-08-26 19:47:12.000000000 -0400
3741 +++ linux-2.6.35.4/arch/sparc/include/asm/uaccess_32.h 2010-09-17 20:12:09.000000000 -0400
3742 @@ -249,14 +249,25 @@ extern unsigned long __copy_user(void __
3744 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3746 - if (n && __access_ok((unsigned long) to, n))
3750 + if (n && __access_ok((unsigned long) to, n)) {
3751 + if (!__builtin_constant_p(n))
3752 + check_object_size(from, n, true);
3753 return __copy_user(to, (__force void __user *) from, n);
3759 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3764 + if (!__builtin_constant_p(n))
3765 + check_object_size(from, n, true);
3767 return __copy_user(to, (__force void __user *) from, n);
3770 @@ -272,19 +283,27 @@ static inline unsigned long copy_from_us
3772 int sz = __compiletime_object_size(to);
3777 if (unlikely(sz != -1 && sz < n)) {
3778 copy_from_user_overflow();
3782 - if (n && __access_ok((unsigned long) from, n))
3783 + if (n && __access_ok((unsigned long) from, n)) {
3784 + if (!__builtin_constant_p(n))
3785 + check_object_size(to, n, false);
3786 return __copy_user((__force void __user *) to, from, n);
3792 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3797 return __copy_user((__force void __user *) to, from, n);
3800 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/uaccess_64.h linux-2.6.35.4/arch/sparc/include/asm/uaccess_64.h
3801 --- linux-2.6.35.4/arch/sparc/include/asm/uaccess_64.h 2010-08-26 19:47:12.000000000 -0400
3802 +++ linux-2.6.35.4/arch/sparc/include/asm/uaccess_64.h 2010-09-17 20:12:09.000000000 -0400
3804 #include <linux/compiler.h>
3805 #include <linux/string.h>
3806 #include <linux/thread_info.h>
3807 +#include <linux/kernel.h>
3808 #include <asm/asi.h>
3809 #include <asm/system.h>
3810 #include <asm/spitfire.h>
3811 @@ -224,6 +225,12 @@ copy_from_user(void *to, const void __us
3812 int sz = __compiletime_object_size(to);
3813 unsigned long ret = size;
3815 + if ((long)size < 0 || size > INT_MAX)
3818 + if (!__builtin_constant_p(size))
3819 + check_object_size(to, size, false);
3821 if (likely(sz == -1 || sz >= size)) {
3822 ret = ___copy_from_user(to, from, size);
3824 @@ -243,8 +250,15 @@ extern unsigned long copy_to_user_fixup(
3825 static inline unsigned long __must_check
3826 copy_to_user(void __user *to, const void *from, unsigned long size)
3828 - unsigned long ret = ___copy_to_user(to, from, size);
3829 + unsigned long ret;
3831 + if ((long)size < 0 || size > INT_MAX)
3834 + if (!__builtin_constant_p(size))
3835 + check_object_size(from, size, true);
3837 + ret = ___copy_to_user(to, from, size);
3839 ret = copy_to_user_fixup(to, from, size);
3841 diff -urNp linux-2.6.35.4/arch/sparc/include/asm/uaccess.h linux-2.6.35.4/arch/sparc/include/asm/uaccess.h
3842 --- linux-2.6.35.4/arch/sparc/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
3843 +++ linux-2.6.35.4/arch/sparc/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
3845 #ifndef ___ASM_SPARC_UACCESS_H
3846 #define ___ASM_SPARC_UACCESS_H
3849 +#ifndef __ASSEMBLY__
3850 +#include <linux/types.h>
3851 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3855 #if defined(__sparc__) && defined(__arch64__)
3856 #include <asm/uaccess_64.h>
3858 diff -urNp linux-2.6.35.4/arch/sparc/kernel/iommu.c linux-2.6.35.4/arch/sparc/kernel/iommu.c
3859 --- linux-2.6.35.4/arch/sparc/kernel/iommu.c 2010-08-26 19:47:12.000000000 -0400
3860 +++ linux-2.6.35.4/arch/sparc/kernel/iommu.c 2010-09-17 20:12:09.000000000 -0400
3861 @@ -828,7 +828,7 @@ static void dma_4u_sync_sg_for_cpu(struc
3862 spin_unlock_irqrestore(&iommu->lock, flags);
3865 -static struct dma_map_ops sun4u_dma_ops = {
3866 +static const struct dma_map_ops sun4u_dma_ops = {
3867 .alloc_coherent = dma_4u_alloc_coherent,
3868 .free_coherent = dma_4u_free_coherent,
3869 .map_page = dma_4u_map_page,
3870 @@ -839,7 +839,7 @@ static struct dma_map_ops sun4u_dma_ops
3871 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
3874 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3875 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3876 EXPORT_SYMBOL(dma_ops);
3878 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
3879 diff -urNp linux-2.6.35.4/arch/sparc/kernel/ioport.c linux-2.6.35.4/arch/sparc/kernel/ioport.c
3880 --- linux-2.6.35.4/arch/sparc/kernel/ioport.c 2010-08-26 19:47:12.000000000 -0400
3881 +++ linux-2.6.35.4/arch/sparc/kernel/ioport.c 2010-09-17 20:12:09.000000000 -0400
3882 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
3886 -struct dma_map_ops sbus_dma_ops = {
3887 +const struct dma_map_ops sbus_dma_ops = {
3888 .alloc_coherent = sbus_alloc_coherent,
3889 .free_coherent = sbus_free_coherent,
3890 .map_page = sbus_map_page,
3891 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
3892 .sync_sg_for_device = sbus_sync_sg_for_device,
3895 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
3896 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
3897 EXPORT_SYMBOL(dma_ops);
3899 static int __init sparc_register_ioport(void)
3900 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
3904 -struct dma_map_ops pci32_dma_ops = {
3905 +const struct dma_map_ops pci32_dma_ops = {
3906 .alloc_coherent = pci32_alloc_coherent,
3907 .free_coherent = pci32_free_coherent,
3908 .map_page = pci32_map_page,
3909 diff -urNp linux-2.6.35.4/arch/sparc/kernel/kgdb_32.c linux-2.6.35.4/arch/sparc/kernel/kgdb_32.c
3910 --- linux-2.6.35.4/arch/sparc/kernel/kgdb_32.c 2010-08-26 19:47:12.000000000 -0400
3911 +++ linux-2.6.35.4/arch/sparc/kernel/kgdb_32.c 2010-09-17 20:12:09.000000000 -0400
3912 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
3913 regs->npc = regs->pc + 4;
3916 -struct kgdb_arch arch_kgdb_ops = {
3917 +const struct kgdb_arch arch_kgdb_ops = {
3918 /* Breakpoint instruction: ta 0x7d */
3919 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
3921 diff -urNp linux-2.6.35.4/arch/sparc/kernel/kgdb_64.c linux-2.6.35.4/arch/sparc/kernel/kgdb_64.c
3922 --- linux-2.6.35.4/arch/sparc/kernel/kgdb_64.c 2010-08-26 19:47:12.000000000 -0400
3923 +++ linux-2.6.35.4/arch/sparc/kernel/kgdb_64.c 2010-09-17 20:12:09.000000000 -0400
3924 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
3925 regs->tnpc = regs->tpc + 4;
3928 -struct kgdb_arch arch_kgdb_ops = {
3929 +const struct kgdb_arch arch_kgdb_ops = {
3930 /* Breakpoint instruction: ta 0x72 */
3931 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
3933 diff -urNp linux-2.6.35.4/arch/sparc/kernel/Makefile linux-2.6.35.4/arch/sparc/kernel/Makefile
3934 --- linux-2.6.35.4/arch/sparc/kernel/Makefile 2010-08-26 19:47:12.000000000 -0400
3935 +++ linux-2.6.35.4/arch/sparc/kernel/Makefile 2010-09-17 20:12:09.000000000 -0400
3940 -ccflags-y := -Werror
3941 +#ccflags-y := -Werror
3943 extra-y := head_$(BITS).o
3944 extra-y += init_task.o
3945 diff -urNp linux-2.6.35.4/arch/sparc/kernel/pci_sun4v.c linux-2.6.35.4/arch/sparc/kernel/pci_sun4v.c
3946 --- linux-2.6.35.4/arch/sparc/kernel/pci_sun4v.c 2010-08-26 19:47:12.000000000 -0400
3947 +++ linux-2.6.35.4/arch/sparc/kernel/pci_sun4v.c 2010-09-17 20:12:09.000000000 -0400
3948 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
3949 spin_unlock_irqrestore(&iommu->lock, flags);
3952 -static struct dma_map_ops sun4v_dma_ops = {
3953 +static const struct dma_map_ops sun4v_dma_ops = {
3954 .alloc_coherent = dma_4v_alloc_coherent,
3955 .free_coherent = dma_4v_free_coherent,
3956 .map_page = dma_4v_map_page,
3957 diff -urNp linux-2.6.35.4/arch/sparc/kernel/sys_sparc_32.c linux-2.6.35.4/arch/sparc/kernel/sys_sparc_32.c
3958 --- linux-2.6.35.4/arch/sparc/kernel/sys_sparc_32.c 2010-08-26 19:47:12.000000000 -0400
3959 +++ linux-2.6.35.4/arch/sparc/kernel/sys_sparc_32.c 2010-09-17 20:12:09.000000000 -0400
3960 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
3961 if (ARCH_SUN4C && len > 0x20000000)
3964 - addr = TASK_UNMAPPED_BASE;
3965 + addr = current->mm->mmap_base;
3967 if (flags & MAP_SHARED)
3968 addr = COLOUR_ALIGN(addr);
3969 @@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
3971 if (TASK_SIZE - PAGE_SIZE - len < addr)
3973 - if (!vmm || addr + len <= vmm->vm_start)
3974 + if (check_heap_stack_gap(vmm, addr, len))
3977 if (flags & MAP_SHARED)
3978 diff -urNp linux-2.6.35.4/arch/sparc/kernel/sys_sparc_64.c linux-2.6.35.4/arch/sparc/kernel/sys_sparc_64.c
3979 --- linux-2.6.35.4/arch/sparc/kernel/sys_sparc_64.c 2010-08-26 19:47:12.000000000 -0400
3980 +++ linux-2.6.35.4/arch/sparc/kernel/sys_sparc_64.c 2010-09-17 20:12:09.000000000 -0400
3981 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
3982 /* We do not accept a shared mapping if it would violate
3983 * cache aliasing constraints.
3985 - if ((flags & MAP_SHARED) &&
3986 + if ((filp || (flags & MAP_SHARED)) &&
3987 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3990 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
3991 if (filp || (flags & MAP_SHARED))
3994 +#ifdef CONFIG_PAX_RANDMMAP
3995 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4000 addr = COLOUR_ALIGN(addr, pgoff);
4001 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4002 addr = PAGE_ALIGN(addr);
4004 vma = find_vma(mm, addr);
4005 - if (task_size - len >= addr &&
4006 - (!vma || addr + len <= vma->vm_start))
4007 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4011 if (len > mm->cached_hole_size) {
4012 - start_addr = addr = mm->free_area_cache;
4013 + start_addr = addr = mm->free_area_cache;
4015 - start_addr = addr = TASK_UNMAPPED_BASE;
4016 + start_addr = addr = mm->mmap_base;
4017 mm->cached_hole_size = 0;
4020 @@ -174,14 +177,14 @@ full_search:
4021 vma = find_vma(mm, VA_EXCLUDE_END);
4023 if (unlikely(task_size < addr)) {
4024 - if (start_addr != TASK_UNMAPPED_BASE) {
4025 - start_addr = addr = TASK_UNMAPPED_BASE;
4026 + if (start_addr != mm->mmap_base) {
4027 + start_addr = addr = mm->mmap_base;
4028 mm->cached_hole_size = 0;
4033 - if (likely(!vma || addr + len <= vma->vm_start)) {
4034 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4036 * Remember the place where we stopped the search:
4038 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4039 /* We do not accept a shared mapping if it would violate
4040 * cache aliasing constraints.
4042 - if ((flags & MAP_SHARED) &&
4043 + if ((filp || (flags & MAP_SHARED)) &&
4044 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4047 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4048 addr = PAGE_ALIGN(addr);
4050 vma = find_vma(mm, addr);
4051 - if (task_size - len >= addr &&
4052 - (!vma || addr + len <= vma->vm_start))
4053 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4057 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4058 /* make sure it can fit in the remaining address space */
4059 if (likely(addr > len)) {
4060 vma = find_vma(mm, addr-len);
4061 - if (!vma || addr <= vma->vm_start) {
4062 + if (check_heap_stack_gap(vma, addr - len, len)) {
4063 /* remember the address as a hint for next time */
4064 return (mm->free_area_cache = addr-len);
4066 @@ -278,7 +280,7 @@ arch_get_unmapped_area_topdown(struct fi
4067 * return with success:
4069 vma = find_vma(mm, addr);
4070 - if (likely(!vma || addr+len <= vma->vm_start)) {
4071 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4072 /* remember the address as a hint for next time */
4073 return (mm->free_area_cache = addr);
4075 @@ -385,6 +387,12 @@ void arch_pick_mmap_layout(struct mm_str
4076 gap == RLIM_INFINITY ||
4077 sysctl_legacy_va_layout) {
4078 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4080 +#ifdef CONFIG_PAX_RANDMMAP
4081 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4082 + mm->mmap_base += mm->delta_mmap;
4085 mm->get_unmapped_area = arch_get_unmapped_area;
4086 mm->unmap_area = arch_unmap_area;
4088 @@ -397,6 +405,12 @@ void arch_pick_mmap_layout(struct mm_str
4089 gap = (task_size / 6 * 5);
4091 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4093 +#ifdef CONFIG_PAX_RANDMMAP
4094 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4095 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4098 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4099 mm->unmap_area = arch_unmap_area_topdown;
4101 diff -urNp linux-2.6.35.4/arch/sparc/kernel/traps_64.c linux-2.6.35.4/arch/sparc/kernel/traps_64.c
4102 --- linux-2.6.35.4/arch/sparc/kernel/traps_64.c 2010-08-26 19:47:12.000000000 -0400
4103 +++ linux-2.6.35.4/arch/sparc/kernel/traps_64.c 2010-09-17 20:12:09.000000000 -0400
4104 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4107 if (regs->tstate & TSTATE_PRIV) {
4109 +#ifdef CONFIG_PAX_REFCOUNT
4111 + pax_report_refcount_overflow(regs);
4114 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4115 die_if_kernel(buffer, regs);
4117 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4118 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4123 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4124 0, lvl, SIGTRAP) == NOTIFY_STOP)
4127 +#ifdef CONFIG_PAX_REFCOUNT
4129 + pax_report_refcount_overflow(regs);
4132 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4134 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4135 diff -urNp linux-2.6.35.4/arch/sparc/lib/atomic_64.S linux-2.6.35.4/arch/sparc/lib/atomic_64.S
4136 --- linux-2.6.35.4/arch/sparc/lib/atomic_64.S 2010-08-26 19:47:12.000000000 -0400
4137 +++ linux-2.6.35.4/arch/sparc/lib/atomic_64.S 2010-09-17 20:12:37.000000000 -0400
4139 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4143 + addcc %g1, %o0, %g7
4145 +#ifdef CONFIG_PAX_REFCOUNT
4152 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4153 2: BACKOFF_SPIN(%o2, %o3, 1b)
4154 .size atomic_add, .-atomic_add
4156 + .globl atomic_add_unchecked
4157 + .type atomic_add_unchecked,#function
4158 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4159 + BACKOFF_SETUP(%o2)
4162 + cas [%o1], %g1, %g7
4168 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4169 + .size atomic_add_unchecked, .-atomic_add_unchecked
4172 .type atomic_sub,#function
4173 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4177 + subcc %g1, %o0, %g7
4179 +#ifdef CONFIG_PAX_REFCOUNT
4186 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4187 2: BACKOFF_SPIN(%o2, %o3, 1b)
4188 .size atomic_sub, .-atomic_sub
4190 + .globl atomic_sub_unchecked
4191 + .type atomic_sub_unchecked,#function
4192 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4193 + BACKOFF_SETUP(%o2)
4196 + cas [%o1], %g1, %g7
4202 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4203 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4205 .globl atomic_add_ret
4206 .type atomic_add_ret,#function
4207 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4211 + addcc %g1, %o0, %g7
4213 +#ifdef CONFIG_PAX_REFCOUNT
4220 @@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4221 2: BACKOFF_SPIN(%o2, %o3, 1b)
4222 .size atomic_add_ret, .-atomic_add_ret
4224 + .globl atomic_add_ret_unchecked
4225 + .type atomic_add_ret_unchecked,#function
4226 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4227 + BACKOFF_SETUP(%o2)
4229 + addcc %g1, %o0, %g7
4230 + cas [%o1], %g1, %g7
4237 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4238 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4240 .globl atomic_sub_ret
4241 .type atomic_sub_ret,#function
4242 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4246 + subcc %g1, %o0, %g7
4248 +#ifdef CONFIG_PAX_REFCOUNT
4255 @@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4256 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4260 + addcc %g1, %o0, %g7
4262 +#ifdef CONFIG_PAX_REFCOUNT
4266 casx [%o1], %g1, %g7
4269 @@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4270 2: BACKOFF_SPIN(%o2, %o3, 1b)
4271 .size atomic64_add, .-atomic64_add
4273 + .globl atomic64_add_unchecked
4274 + .type atomic64_add_unchecked,#function
4275 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4276 + BACKOFF_SETUP(%o2)
4278 + addcc %g1, %o0, %g7
4279 + casx [%o1], %g1, %g7
4285 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4286 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4289 .type atomic64_sub,#function
4290 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4294 + subcc %g1, %o0, %g7
4296 +#ifdef CONFIG_PAX_REFCOUNT
4300 casx [%o1], %g1, %g7
4303 @@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4304 2: BACKOFF_SPIN(%o2, %o3, 1b)
4305 .size atomic64_sub, .-atomic64_sub
4307 + .globl atomic64_sub_unchecked
4308 + .type atomic64_sub_unchecked,#function
4309 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4310 + BACKOFF_SETUP(%o2)
4312 + subcc %g1, %o0, %g7
4313 + casx [%o1], %g1, %g7
4319 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4320 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4322 .globl atomic64_add_ret
4323 .type atomic64_add_ret,#function
4324 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4328 + addcc %g1, %o0, %g7
4330 +#ifdef CONFIG_PAX_REFCOUNT
4334 casx [%o1], %g1, %g7
4337 @@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4338 2: BACKOFF_SPIN(%o2, %o3, 1b)
4339 .size atomic64_add_ret, .-atomic64_add_ret
4341 + .globl atomic64_add_ret_unchecked
4342 + .type atomic64_add_ret_unchecked,#function
4343 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4344 + BACKOFF_SETUP(%o2)
4346 + addcc %g1, %o0, %g7
4347 + casx [%o1], %g1, %g7
4354 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4355 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4357 .globl atomic64_sub_ret
4358 .type atomic64_sub_ret,#function
4359 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4363 + subcc %g1, %o0, %g7
4365 +#ifdef CONFIG_PAX_REFCOUNT
4369 casx [%o1], %g1, %g7
4372 diff -urNp linux-2.6.35.4/arch/sparc/lib/ksyms.c linux-2.6.35.4/arch/sparc/lib/ksyms.c
4373 --- linux-2.6.35.4/arch/sparc/lib/ksyms.c 2010-08-26 19:47:12.000000000 -0400
4374 +++ linux-2.6.35.4/arch/sparc/lib/ksyms.c 2010-09-17 20:12:09.000000000 -0400
4375 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4377 /* Atomic counter implementation. */
4378 EXPORT_SYMBOL(atomic_add);
4379 +EXPORT_SYMBOL(atomic_add_unchecked);
4380 EXPORT_SYMBOL(atomic_add_ret);
4381 EXPORT_SYMBOL(atomic_sub);
4382 +EXPORT_SYMBOL(atomic_sub_unchecked);
4383 EXPORT_SYMBOL(atomic_sub_ret);
4384 EXPORT_SYMBOL(atomic64_add);
4385 +EXPORT_SYMBOL(atomic64_add_unchecked);
4386 EXPORT_SYMBOL(atomic64_add_ret);
4387 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4388 EXPORT_SYMBOL(atomic64_sub);
4389 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4390 EXPORT_SYMBOL(atomic64_sub_ret);
4392 /* Atomic bit operations. */
4393 diff -urNp linux-2.6.35.4/arch/sparc/lib/rwsem_64.S linux-2.6.35.4/arch/sparc/lib/rwsem_64.S
4394 --- linux-2.6.35.4/arch/sparc/lib/rwsem_64.S 2010-08-26 19:47:12.000000000 -0400
4395 +++ linux-2.6.35.4/arch/sparc/lib/rwsem_64.S 2010-09-17 20:12:09.000000000 -0400
4403 +#ifdef CONFIG_PAX_REFCOUNT
4410 @@ -33,7 +38,12 @@ __down_read:
4411 .globl __down_read_trylock
4412 __down_read_trylock:
4417 +#ifdef CONFIG_PAX_REFCOUNT
4424 @@ -51,7 +61,12 @@ __down_write:
4425 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4429 + addcc %g3, %g1, %g7
4431 +#ifdef CONFIG_PAX_REFCOUNT
4438 @@ -77,7 +92,12 @@ __down_write_trylock:
4443 + addcc %g3, %g1, %g7
4445 +#ifdef CONFIG_PAX_REFCOUNT
4452 @@ -90,7 +110,12 @@ __down_write_trylock:
4459 +#ifdef CONFIG_PAX_REFCOUNT
4466 @@ -118,7 +143,12 @@ __up_write:
4467 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4471 + subcc %g3, %g1, %g7
4473 +#ifdef CONFIG_PAX_REFCOUNT
4480 @@ -143,7 +173,12 @@ __downgrade_write:
4481 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
4485 + subcc %g3, %g1, %g7
4487 +#ifdef CONFIG_PAX_REFCOUNT
4494 diff -urNp linux-2.6.35.4/arch/sparc/Makefile linux-2.6.35.4/arch/sparc/Makefile
4495 --- linux-2.6.35.4/arch/sparc/Makefile 2010-08-26 19:47:12.000000000 -0400
4496 +++ linux-2.6.35.4/arch/sparc/Makefile 2010-09-17 20:12:37.000000000 -0400
4497 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4498 # Export what is needed by arch/sparc/boot/Makefile
4499 export VMLINUX_INIT VMLINUX_MAIN
4500 VMLINUX_INIT := $(head-y) $(init-y)
4501 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4502 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4503 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4504 VMLINUX_MAIN += $(drivers-y) $(net-y)
4506 diff -urNp linux-2.6.35.4/arch/sparc/mm/fault_32.c linux-2.6.35.4/arch/sparc/mm/fault_32.c
4507 --- linux-2.6.35.4/arch/sparc/mm/fault_32.c 2010-08-26 19:47:12.000000000 -0400
4508 +++ linux-2.6.35.4/arch/sparc/mm/fault_32.c 2010-09-17 20:12:09.000000000 -0400
4510 #include <linux/interrupt.h>
4511 #include <linux/module.h>
4512 #include <linux/kdebug.h>
4513 +#include <linux/slab.h>
4514 +#include <linux/pagemap.h>
4515 +#include <linux/compiler.h>
4517 #include <asm/system.h>
4518 #include <asm/page.h>
4519 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4520 return safe_compute_effective_address(regs, insn);
4523 +#ifdef CONFIG_PAX_PAGEEXEC
4524 +#ifdef CONFIG_PAX_DLRESOLVE
4525 +static void pax_emuplt_close(struct vm_area_struct *vma)
4527 + vma->vm_mm->call_dl_resolve = 0UL;
4530 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4532 + unsigned int *kaddr;
4534 + vmf->page = alloc_page(GFP_HIGHUSER);
4536 + return VM_FAULT_OOM;
4538 + kaddr = kmap(vmf->page);
4539 + memset(kaddr, 0, PAGE_SIZE);
4540 + kaddr[0] = 0x9DE3BFA8U; /* save */
4541 + flush_dcache_page(vmf->page);
4542 + kunmap(vmf->page);
4543 + return VM_FAULT_MAJOR;
4546 +static const struct vm_operations_struct pax_vm_ops = {
4547 + .close = pax_emuplt_close,
4548 + .fault = pax_emuplt_fault
4551 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4555 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4556 + vma->vm_mm = current->mm;
4557 + vma->vm_start = addr;
4558 + vma->vm_end = addr + PAGE_SIZE;
4559 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4560 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4561 + vma->vm_ops = &pax_vm_ops;
4563 + ret = insert_vm_struct(current->mm, vma);
4567 + ++current->mm->total_vm;
4573 + * PaX: decide what to do with offenders (regs->pc = fault address)
4575 + * returns 1 when task should be killed
4576 + * 2 when patched PLT trampoline was detected
4577 + * 3 when unpatched PLT trampoline was detected
4579 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4582 +#ifdef CONFIG_PAX_EMUPLT
4585 + do { /* PaX: patched PLT emulation #1 */
4586 + unsigned int sethi1, sethi2, jmpl;
4588 + err = get_user(sethi1, (unsigned int *)regs->pc);
4589 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4590 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4595 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4596 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4597 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4599 + unsigned int addr;
4601 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4602 + addr = regs->u_regs[UREG_G1];
4603 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4605 + regs->npc = addr+4;
4610 + { /* PaX: patched PLT emulation #2 */
4613 + err = get_user(ba, (unsigned int *)regs->pc);
4615 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4616 + unsigned int addr;
4618 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4620 + regs->npc = addr+4;
4625 + do { /* PaX: patched PLT emulation #3 */
4626 + unsigned int sethi, jmpl, nop;
4628 + err = get_user(sethi, (unsigned int *)regs->pc);
4629 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4630 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4635 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4636 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4637 + nop == 0x01000000U)
4639 + unsigned int addr;
4641 + addr = (sethi & 0x003FFFFFU) << 10;
4642 + regs->u_regs[UREG_G1] = addr;
4643 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4645 + regs->npc = addr+4;
4650 + do { /* PaX: unpatched PLT emulation step 1 */
4651 + unsigned int sethi, ba, nop;
4653 + err = get_user(sethi, (unsigned int *)regs->pc);
4654 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
4655 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4660 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4661 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4662 + nop == 0x01000000U)
4664 + unsigned int addr, save, call;
4666 + if ((ba & 0xFFC00000U) == 0x30800000U)
4667 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4669 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4671 + err = get_user(save, (unsigned int *)addr);
4672 + err |= get_user(call, (unsigned int *)(addr+4));
4673 + err |= get_user(nop, (unsigned int *)(addr+8));
4677 +#ifdef CONFIG_PAX_DLRESOLVE
4678 + if (save == 0x9DE3BFA8U &&
4679 + (call & 0xC0000000U) == 0x40000000U &&
4680 + nop == 0x01000000U)
4682 + struct vm_area_struct *vma;
4683 + unsigned long call_dl_resolve;
4685 + down_read(¤t->mm->mmap_sem);
4686 + call_dl_resolve = current->mm->call_dl_resolve;
4687 + up_read(¤t->mm->mmap_sem);
4688 + if (likely(call_dl_resolve))
4691 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4693 + down_write(¤t->mm->mmap_sem);
4694 + if (current->mm->call_dl_resolve) {
4695 + call_dl_resolve = current->mm->call_dl_resolve;
4696 + up_write(¤t->mm->mmap_sem);
4698 + kmem_cache_free(vm_area_cachep, vma);
4702 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4703 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4704 + up_write(¤t->mm->mmap_sem);
4706 + kmem_cache_free(vm_area_cachep, vma);
4710 + if (pax_insert_vma(vma, call_dl_resolve)) {
4711 + up_write(¤t->mm->mmap_sem);
4712 + kmem_cache_free(vm_area_cachep, vma);
4716 + current->mm->call_dl_resolve = call_dl_resolve;
4717 + up_write(¤t->mm->mmap_sem);
4720 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4721 + regs->pc = call_dl_resolve;
4722 + regs->npc = addr+4;
4727 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4728 + if ((save & 0xFFC00000U) == 0x05000000U &&
4729 + (call & 0xFFFFE000U) == 0x85C0A000U &&
4730 + nop == 0x01000000U)
4732 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4733 + regs->u_regs[UREG_G2] = addr + 4;
4734 + addr = (save & 0x003FFFFFU) << 10;
4735 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4737 + regs->npc = addr+4;
4743 + do { /* PaX: unpatched PLT emulation step 2 */
4744 + unsigned int save, call, nop;
4746 + err = get_user(save, (unsigned int *)(regs->pc-4));
4747 + err |= get_user(call, (unsigned int *)regs->pc);
4748 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
4752 + if (save == 0x9DE3BFA8U &&
4753 + (call & 0xC0000000U) == 0x40000000U &&
4754 + nop == 0x01000000U)
4756 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4758 + regs->u_regs[UREG_RETPC] = regs->pc;
4759 + regs->pc = dl_resolve;
4760 + regs->npc = dl_resolve+4;
4769 +void pax_report_insns(void *pc, void *sp)
4773 + printk(KERN_ERR "PAX: bytes at PC: ");
4774 + for (i = 0; i < 8; i++) {
4776 + if (get_user(c, (unsigned int *)pc+i))
4777 + printk(KERN_CONT "???????? ");
4779 + printk(KERN_CONT "%08x ", c);
4785 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
4788 @@ -282,6 +547,24 @@ good_area:
4789 if(!(vma->vm_flags & VM_WRITE))
4793 +#ifdef CONFIG_PAX_PAGEEXEC
4794 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4795 + up_read(&mm->mmap_sem);
4796 + switch (pax_handle_fetch_fault(regs)) {
4798 +#ifdef CONFIG_PAX_EMUPLT
4805 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4806 + do_group_exit(SIGKILL);
4810 /* Allow reads even for write-only mappings */
4811 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
4813 diff -urNp linux-2.6.35.4/arch/sparc/mm/fault_64.c linux-2.6.35.4/arch/sparc/mm/fault_64.c
4814 --- linux-2.6.35.4/arch/sparc/mm/fault_64.c 2010-08-26 19:47:12.000000000 -0400
4815 +++ linux-2.6.35.4/arch/sparc/mm/fault_64.c 2010-09-17 20:12:09.000000000 -0400
4817 #include <linux/kprobes.h>
4818 #include <linux/kdebug.h>
4819 #include <linux/percpu.h>
4820 +#include <linux/slab.h>
4821 +#include <linux/pagemap.h>
4822 +#include <linux/compiler.h>
4824 #include <asm/page.h>
4825 #include <asm/pgtable.h>
4826 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
4830 +#ifdef CONFIG_PAX_PAGEEXEC
4831 +#ifdef CONFIG_PAX_DLRESOLVE
4832 +static void pax_emuplt_close(struct vm_area_struct *vma)
4834 + vma->vm_mm->call_dl_resolve = 0UL;
4837 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4839 + unsigned int *kaddr;
4841 + vmf->page = alloc_page(GFP_HIGHUSER);
4843 + return VM_FAULT_OOM;
4845 + kaddr = kmap(vmf->page);
4846 + memset(kaddr, 0, PAGE_SIZE);
4847 + kaddr[0] = 0x9DE3BFA8U; /* save */
4848 + flush_dcache_page(vmf->page);
4849 + kunmap(vmf->page);
4850 + return VM_FAULT_MAJOR;
4853 +static const struct vm_operations_struct pax_vm_ops = {
4854 + .close = pax_emuplt_close,
4855 + .fault = pax_emuplt_fault
4858 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4862 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4863 + vma->vm_mm = current->mm;
4864 + vma->vm_start = addr;
4865 + vma->vm_end = addr + PAGE_SIZE;
4866 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4867 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4868 + vma->vm_ops = &pax_vm_ops;
4870 + ret = insert_vm_struct(current->mm, vma);
4874 + ++current->mm->total_vm;
4880 + * PaX: decide what to do with offenders (regs->tpc = fault address)
4882 + * returns 1 when task should be killed
4883 + * 2 when patched PLT trampoline was detected
4884 + * 3 when unpatched PLT trampoline was detected
4886 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4889 +#ifdef CONFIG_PAX_EMUPLT
4892 + do { /* PaX: patched PLT emulation #1 */
4893 + unsigned int sethi1, sethi2, jmpl;
4895 + err = get_user(sethi1, (unsigned int *)regs->tpc);
4896 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4897 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4902 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4903 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4904 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4906 + unsigned long addr;
4908 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4909 + addr = regs->u_regs[UREG_G1];
4910 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4912 + if (test_thread_flag(TIF_32BIT))
4913 + addr &= 0xFFFFFFFFUL;
4916 + regs->tnpc = addr+4;
4921 + { /* PaX: patched PLT emulation #2 */
4924 + err = get_user(ba, (unsigned int *)regs->tpc);
4926 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4927 + unsigned long addr;
4929 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4931 + if (test_thread_flag(TIF_32BIT))
4932 + addr &= 0xFFFFFFFFUL;
4935 + regs->tnpc = addr+4;
4940 + do { /* PaX: patched PLT emulation #3 */
4941 + unsigned int sethi, jmpl, nop;
4943 + err = get_user(sethi, (unsigned int *)regs->tpc);
4944 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
4945 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4950 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4951 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4952 + nop == 0x01000000U)
4954 + unsigned long addr;
4956 + addr = (sethi & 0x003FFFFFU) << 10;
4957 + regs->u_regs[UREG_G1] = addr;
4958 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4960 + if (test_thread_flag(TIF_32BIT))
4961 + addr &= 0xFFFFFFFFUL;
4964 + regs->tnpc = addr+4;
4969 + do { /* PaX: patched PLT emulation #4 */
4970 + unsigned int sethi, mov1, call, mov2;
4972 + err = get_user(sethi, (unsigned int *)regs->tpc);
4973 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
4974 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
4975 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
4980 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4981 + mov1 == 0x8210000FU &&
4982 + (call & 0xC0000000U) == 0x40000000U &&
4983 + mov2 == 0x9E100001U)
4985 + unsigned long addr;
4987 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
4988 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4990 + if (test_thread_flag(TIF_32BIT))
4991 + addr &= 0xFFFFFFFFUL;
4994 + regs->tnpc = addr+4;
4999 + do { /* PaX: patched PLT emulation #5 */
5000 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5002 + err = get_user(sethi, (unsigned int *)regs->tpc);
5003 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5004 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5005 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5006 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5007 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5008 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5009 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5014 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5015 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5016 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5017 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5018 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5019 + sllx == 0x83287020U &&
5020 + jmpl == 0x81C04005U &&
5021 + nop == 0x01000000U)
5023 + unsigned long addr;
5025 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5026 + regs->u_regs[UREG_G1] <<= 32;
5027 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5028 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5030 + regs->tnpc = addr+4;
5035 + do { /* PaX: patched PLT emulation #6 */
5036 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5038 + err = get_user(sethi, (unsigned int *)regs->tpc);
5039 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5040 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5041 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5042 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5043 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5044 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5049 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5050 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5051 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5052 + sllx == 0x83287020U &&
5053 + (or & 0xFFFFE000U) == 0x8A116000U &&
5054 + jmpl == 0x81C04005U &&
5055 + nop == 0x01000000U)
5057 + unsigned long addr;
5059 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5060 + regs->u_regs[UREG_G1] <<= 32;
5061 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5062 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5064 + regs->tnpc = addr+4;
5069 + do { /* PaX: unpatched PLT emulation step 1 */
5070 + unsigned int sethi, ba, nop;
5072 + err = get_user(sethi, (unsigned int *)regs->tpc);
5073 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5074 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5079 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5080 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5081 + nop == 0x01000000U)
5083 + unsigned long addr;
5084 + unsigned int save, call;
5085 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5087 + if ((ba & 0xFFC00000U) == 0x30800000U)
5088 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5090 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5092 + if (test_thread_flag(TIF_32BIT))
5093 + addr &= 0xFFFFFFFFUL;
5095 + err = get_user(save, (unsigned int *)addr);
5096 + err |= get_user(call, (unsigned int *)(addr+4));
5097 + err |= get_user(nop, (unsigned int *)(addr+8));
5101 +#ifdef CONFIG_PAX_DLRESOLVE
5102 + if (save == 0x9DE3BFA8U &&
5103 + (call & 0xC0000000U) == 0x40000000U &&
5104 + nop == 0x01000000U)
5106 + struct vm_area_struct *vma;
5107 + unsigned long call_dl_resolve;
5109 + down_read(¤t->mm->mmap_sem);
5110 + call_dl_resolve = current->mm->call_dl_resolve;
5111 + up_read(¤t->mm->mmap_sem);
5112 + if (likely(call_dl_resolve))
5115 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5117 + down_write(¤t->mm->mmap_sem);
5118 + if (current->mm->call_dl_resolve) {
5119 + call_dl_resolve = current->mm->call_dl_resolve;
5120 + up_write(¤t->mm->mmap_sem);
5122 + kmem_cache_free(vm_area_cachep, vma);
5126 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5127 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5128 + up_write(¤t->mm->mmap_sem);
5130 + kmem_cache_free(vm_area_cachep, vma);
5134 + if (pax_insert_vma(vma, call_dl_resolve)) {
5135 + up_write(¤t->mm->mmap_sem);
5136 + kmem_cache_free(vm_area_cachep, vma);
5140 + current->mm->call_dl_resolve = call_dl_resolve;
5141 + up_write(¤t->mm->mmap_sem);
5144 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5145 + regs->tpc = call_dl_resolve;
5146 + regs->tnpc = addr+4;
5151 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5152 + if ((save & 0xFFC00000U) == 0x05000000U &&
5153 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5154 + nop == 0x01000000U)
5156 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5157 + regs->u_regs[UREG_G2] = addr + 4;
5158 + addr = (save & 0x003FFFFFU) << 10;
5159 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5161 + if (test_thread_flag(TIF_32BIT))
5162 + addr &= 0xFFFFFFFFUL;
5165 + regs->tnpc = addr+4;
5169 + /* PaX: 64-bit PLT stub */
5170 + err = get_user(sethi1, (unsigned int *)addr);
5171 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5172 + err |= get_user(or1, (unsigned int *)(addr+8));
5173 + err |= get_user(or2, (unsigned int *)(addr+12));
5174 + err |= get_user(sllx, (unsigned int *)(addr+16));
5175 + err |= get_user(add, (unsigned int *)(addr+20));
5176 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5177 + err |= get_user(nop, (unsigned int *)(addr+28));
5181 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5182 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5183 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5184 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5185 + sllx == 0x89293020U &&
5186 + add == 0x8A010005U &&
5187 + jmpl == 0x89C14000U &&
5188 + nop == 0x01000000U)
5190 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5191 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5192 + regs->u_regs[UREG_G4] <<= 32;
5193 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5194 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5195 + regs->u_regs[UREG_G4] = addr + 24;
5196 + addr = regs->u_regs[UREG_G5];
5198 + regs->tnpc = addr+4;
5204 +#ifdef CONFIG_PAX_DLRESOLVE
5205 + do { /* PaX: unpatched PLT emulation step 2 */
5206 + unsigned int save, call, nop;
5208 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5209 + err |= get_user(call, (unsigned int *)regs->tpc);
5210 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5214 + if (save == 0x9DE3BFA8U &&
5215 + (call & 0xC0000000U) == 0x40000000U &&
5216 + nop == 0x01000000U)
5218 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5220 + if (test_thread_flag(TIF_32BIT))
5221 + dl_resolve &= 0xFFFFFFFFUL;
5223 + regs->u_regs[UREG_RETPC] = regs->tpc;
5224 + regs->tpc = dl_resolve;
5225 + regs->tnpc = dl_resolve+4;
5231 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5232 + unsigned int sethi, ba, nop;
5234 + err = get_user(sethi, (unsigned int *)regs->tpc);
5235 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5236 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5241 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5242 + (ba & 0xFFF00000U) == 0x30600000U &&
5243 + nop == 0x01000000U)
5245 + unsigned long addr;
5247 + addr = (sethi & 0x003FFFFFU) << 10;
5248 + regs->u_regs[UREG_G1] = addr;
5249 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5251 + if (test_thread_flag(TIF_32BIT))
5252 + addr &= 0xFFFFFFFFUL;
5255 + regs->tnpc = addr+4;
5265 +void pax_report_insns(void *pc, void *sp)
5269 + printk(KERN_ERR "PAX: bytes at PC: ");
5270 + for (i = 0; i < 8; i++) {
5272 + if (get_user(c, (unsigned int *)pc+i))
5273 + printk(KERN_CONT "???????? ");
5275 + printk(KERN_CONT "%08x ", c);
5281 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5283 struct mm_struct *mm = current->mm;
5284 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5288 +#ifdef CONFIG_PAX_PAGEEXEC
5289 + /* PaX: detect ITLB misses on non-exec pages */
5290 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5291 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5293 + if (address != regs->tpc)
5296 + up_read(&mm->mmap_sem);
5297 + switch (pax_handle_fetch_fault(regs)) {
5299 +#ifdef CONFIG_PAX_EMUPLT
5306 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5307 + do_group_exit(SIGKILL);
5311 /* Pure DTLB misses do not tell us whether the fault causing
5312 * load/store/atomic was a write or not, it only says that there
5313 * was no match. So in such a case we (carefully) read the
5314 diff -urNp linux-2.6.35.4/arch/sparc/mm/hugetlbpage.c linux-2.6.35.4/arch/sparc/mm/hugetlbpage.c
5315 --- linux-2.6.35.4/arch/sparc/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
5316 +++ linux-2.6.35.4/arch/sparc/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
5317 @@ -68,7 +68,7 @@ full_search:
5321 - if (likely(!vma || addr + len <= vma->vm_start)) {
5322 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5324 * Remember the place where we stopped the search:
5326 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5327 /* make sure it can fit in the remaining address space */
5328 if (likely(addr > len)) {
5329 vma = find_vma(mm, addr-len);
5330 - if (!vma || addr <= vma->vm_start) {
5331 + if (check_heap_stack_gap(vma, addr - len, len)) {
5332 /* remember the address as a hint for next time */
5333 return (mm->free_area_cache = addr-len);
5335 @@ -125,7 +125,7 @@ hugetlb_get_unmapped_area_topdown(struct
5336 * return with success:
5338 vma = find_vma(mm, addr);
5339 - if (likely(!vma || addr+len <= vma->vm_start)) {
5340 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5341 /* remember the address as a hint for next time */
5342 return (mm->free_area_cache = addr);
5344 @@ -182,8 +182,7 @@ hugetlb_get_unmapped_area(struct file *f
5346 addr = ALIGN(addr, HPAGE_SIZE);
5347 vma = find_vma(mm, addr);
5348 - if (task_size - len >= addr &&
5349 - (!vma || addr + len <= vma->vm_start))
5350 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5353 if (mm->get_unmapped_area == arch_get_unmapped_area)
5354 diff -urNp linux-2.6.35.4/arch/sparc/mm/init_32.c linux-2.6.35.4/arch/sparc/mm/init_32.c
5355 --- linux-2.6.35.4/arch/sparc/mm/init_32.c 2010-08-26 19:47:12.000000000 -0400
5356 +++ linux-2.6.35.4/arch/sparc/mm/init_32.c 2010-09-17 20:12:09.000000000 -0400
5357 @@ -318,6 +318,9 @@ extern void device_scan(void);
5358 pgprot_t PAGE_SHARED __read_mostly;
5359 EXPORT_SYMBOL(PAGE_SHARED);
5361 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5362 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5364 void __init paging_init(void)
5366 switch(sparc_cpu_model) {
5367 @@ -346,17 +349,17 @@ void __init paging_init(void)
5369 /* Initialize the protection map with non-constant, MMU dependent values. */
5370 protection_map[0] = PAGE_NONE;
5371 - protection_map[1] = PAGE_READONLY;
5372 - protection_map[2] = PAGE_COPY;
5373 - protection_map[3] = PAGE_COPY;
5374 + protection_map[1] = PAGE_READONLY_NOEXEC;
5375 + protection_map[2] = PAGE_COPY_NOEXEC;
5376 + protection_map[3] = PAGE_COPY_NOEXEC;
5377 protection_map[4] = PAGE_READONLY;
5378 protection_map[5] = PAGE_READONLY;
5379 protection_map[6] = PAGE_COPY;
5380 protection_map[7] = PAGE_COPY;
5381 protection_map[8] = PAGE_NONE;
5382 - protection_map[9] = PAGE_READONLY;
5383 - protection_map[10] = PAGE_SHARED;
5384 - protection_map[11] = PAGE_SHARED;
5385 + protection_map[9] = PAGE_READONLY_NOEXEC;
5386 + protection_map[10] = PAGE_SHARED_NOEXEC;
5387 + protection_map[11] = PAGE_SHARED_NOEXEC;
5388 protection_map[12] = PAGE_READONLY;
5389 protection_map[13] = PAGE_READONLY;
5390 protection_map[14] = PAGE_SHARED;
5391 diff -urNp linux-2.6.35.4/arch/sparc/mm/Makefile linux-2.6.35.4/arch/sparc/mm/Makefile
5392 --- linux-2.6.35.4/arch/sparc/mm/Makefile 2010-08-26 19:47:12.000000000 -0400
5393 +++ linux-2.6.35.4/arch/sparc/mm/Makefile 2010-09-17 20:12:09.000000000 -0400
5398 -ccflags-y := -Werror
5399 +#ccflags-y := -Werror
5401 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5402 obj-y += fault_$(BITS).o
5403 diff -urNp linux-2.6.35.4/arch/sparc/mm/srmmu.c linux-2.6.35.4/arch/sparc/mm/srmmu.c
5404 --- linux-2.6.35.4/arch/sparc/mm/srmmu.c 2010-08-26 19:47:12.000000000 -0400
5405 +++ linux-2.6.35.4/arch/sparc/mm/srmmu.c 2010-09-17 20:12:09.000000000 -0400
5406 @@ -2198,6 +2198,13 @@ void __init ld_mmu_srmmu(void)
5407 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5408 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5409 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5411 +#ifdef CONFIG_PAX_PAGEEXEC
5412 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5413 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5414 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5417 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5418 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5420 diff -urNp linux-2.6.35.4/arch/um/include/asm/kmap_types.h linux-2.6.35.4/arch/um/include/asm/kmap_types.h
5421 --- linux-2.6.35.4/arch/um/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
5422 +++ linux-2.6.35.4/arch/um/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
5423 @@ -23,6 +23,7 @@ enum km_type {
5431 diff -urNp linux-2.6.35.4/arch/um/include/asm/page.h linux-2.6.35.4/arch/um/include/asm/page.h
5432 --- linux-2.6.35.4/arch/um/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
5433 +++ linux-2.6.35.4/arch/um/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
5435 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5436 #define PAGE_MASK (~(PAGE_SIZE-1))
5438 +#define ktla_ktva(addr) (addr)
5439 +#define ktva_ktla(addr) (addr)
5441 #ifndef __ASSEMBLY__
5444 diff -urNp linux-2.6.35.4/arch/um/sys-i386/syscalls.c linux-2.6.35.4/arch/um/sys-i386/syscalls.c
5445 --- linux-2.6.35.4/arch/um/sys-i386/syscalls.c 2010-08-26 19:47:12.000000000 -0400
5446 +++ linux-2.6.35.4/arch/um/sys-i386/syscalls.c 2010-09-17 20:12:09.000000000 -0400
5448 #include "asm/uaccess.h"
5449 #include "asm/unistd.h"
5451 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5453 + unsigned long pax_task_size = TASK_SIZE;
5455 +#ifdef CONFIG_PAX_SEGMEXEC
5456 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5457 + pax_task_size = SEGMEXEC_TASK_SIZE;
5460 + if (len > pax_task_size || addr > pax_task_size - len)
5467 * The prototype on i386 is:
5469 diff -urNp linux-2.6.35.4/arch/x86/boot/bitops.h linux-2.6.35.4/arch/x86/boot/bitops.h
5470 --- linux-2.6.35.4/arch/x86/boot/bitops.h 2010-08-26 19:47:12.000000000 -0400
5471 +++ linux-2.6.35.4/arch/x86/boot/bitops.h 2010-09-17 20:12:09.000000000 -0400
5472 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5474 const u32 *p = (const u32 *)addr;
5476 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5477 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5481 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5483 static inline void set_bit(int nr, void *addr)
5485 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5486 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5489 #endif /* BOOT_BITOPS_H */
5490 diff -urNp linux-2.6.35.4/arch/x86/boot/boot.h linux-2.6.35.4/arch/x86/boot/boot.h
5491 --- linux-2.6.35.4/arch/x86/boot/boot.h 2010-08-26 19:47:12.000000000 -0400
5492 +++ linux-2.6.35.4/arch/x86/boot/boot.h 2010-09-17 20:12:09.000000000 -0400
5493 @@ -82,7 +82,7 @@ static inline void io_delay(void)
5494 static inline u16 ds(void)
5497 - asm("movw %%ds,%0" : "=rm" (seg));
5498 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5502 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
5503 static inline int memcmp(const void *s1, const void *s2, size_t len)
5506 - asm("repe; cmpsb; setnz %0"
5507 + asm volatile("repe; cmpsb; setnz %0"
5508 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
5511 diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/head_32.S linux-2.6.35.4/arch/x86/boot/compressed/head_32.S
5512 --- linux-2.6.35.4/arch/x86/boot/compressed/head_32.S 2010-08-26 19:47:12.000000000 -0400
5513 +++ linux-2.6.35.4/arch/x86/boot/compressed/head_32.S 2010-09-17 20:12:09.000000000 -0400
5514 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5518 - movl $LOAD_PHYSICAL_ADDR, %ebx
5519 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5522 /* Target address to relocate to for decompression */
5523 @@ -149,7 +149,7 @@ relocated:
5524 * and where it was actually loaded.
5527 - subl $LOAD_PHYSICAL_ADDR, %ebx
5528 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5529 jz 2f /* Nothing to be done if loaded at compiled addr. */
5531 * Process relocations.
5532 @@ -157,8 +157,7 @@ relocated:
5539 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5542 diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/head_64.S linux-2.6.35.4/arch/x86/boot/compressed/head_64.S
5543 --- linux-2.6.35.4/arch/x86/boot/compressed/head_64.S 2010-08-26 19:47:12.000000000 -0400
5544 +++ linux-2.6.35.4/arch/x86/boot/compressed/head_64.S 2010-09-17 20:12:09.000000000 -0400
5545 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5549 - movl $LOAD_PHYSICAL_ADDR, %ebx
5550 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5553 /* Target address to relocate to for decompression */
5554 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5558 - movq $LOAD_PHYSICAL_ADDR, %rbp
5559 + movq $____LOAD_PHYSICAL_ADDR, %rbp
5562 /* Target address to relocate to for decompression */
5563 diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/misc.c linux-2.6.35.4/arch/x86/boot/compressed/misc.c
5564 --- linux-2.6.35.4/arch/x86/boot/compressed/misc.c 2010-08-26 19:47:12.000000000 -0400
5565 +++ linux-2.6.35.4/arch/x86/boot/compressed/misc.c 2010-09-17 20:12:09.000000000 -0400
5566 @@ -285,7 +285,7 @@ static void parse_elf(void *output)
5568 #ifdef CONFIG_RELOCATABLE
5570 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5571 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5573 dest = (void *)(phdr->p_paddr);
5575 @@ -332,7 +332,7 @@ asmlinkage void decompress_kernel(void *
5576 error("Destination address too large");
5578 #ifndef CONFIG_RELOCATABLE
5579 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5580 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5581 error("Wrong destination address");
5584 diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/mkpiggy.c linux-2.6.35.4/arch/x86/boot/compressed/mkpiggy.c
5585 --- linux-2.6.35.4/arch/x86/boot/compressed/mkpiggy.c 2010-08-26 19:47:12.000000000 -0400
5586 +++ linux-2.6.35.4/arch/x86/boot/compressed/mkpiggy.c 2010-09-17 20:12:09.000000000 -0400
5587 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
5589 offs = (olen > ilen) ? olen - ilen : 0;
5590 offs += olen >> 12; /* Add 8 bytes for each 32K block */
5591 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
5592 + offs += 64*1024; /* Add 64K bytes slack */
5593 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
5595 printf(".section \".rodata..compressed\",\"a\",@progbits\n");
5596 diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/relocs.c linux-2.6.35.4/arch/x86/boot/compressed/relocs.c
5597 --- linux-2.6.35.4/arch/x86/boot/compressed/relocs.c 2010-08-26 19:47:12.000000000 -0400
5598 +++ linux-2.6.35.4/arch/x86/boot/compressed/relocs.c 2010-09-17 20:12:09.000000000 -0400
5601 static void die(char *fmt, ...);
5603 +#include "../../../../include/generated/autoconf.h"
5605 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5606 static Elf32_Ehdr ehdr;
5607 +static Elf32_Phdr *phdr;
5608 static unsigned long reloc_count, reloc_idx;
5609 static unsigned long *relocs;
5611 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5615 +static void read_phdrs(FILE *fp)
5619 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5621 + die("Unable to allocate %d program headers\n",
5624 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5625 + die("Seek to %d failed: %s\n",
5626 + ehdr.e_phoff, strerror(errno));
5628 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5629 + die("Cannot read ELF program headers: %s\n",
5632 + for(i = 0; i < ehdr.e_phnum; i++) {
5633 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5634 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5635 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5636 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5637 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5638 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5639 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5640 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5645 static void read_shdrs(FILE *fp)
5651 secs = calloc(ehdr.e_shnum, sizeof(struct section));
5652 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5654 static void read_strtabs(FILE *fp)
5658 for (i = 0; i < ehdr.e_shnum; i++) {
5659 struct section *sec = &secs[i];
5660 if (sec->shdr.sh_type != SHT_STRTAB) {
5661 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5663 static void read_symtabs(FILE *fp)
5667 for (i = 0; i < ehdr.e_shnum; i++) {
5668 struct section *sec = &secs[i];
5669 if (sec->shdr.sh_type != SHT_SYMTAB) {
5670 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
5672 static void read_relocs(FILE *fp)
5678 for (i = 0; i < ehdr.e_shnum; i++) {
5679 struct section *sec = &secs[i];
5680 if (sec->shdr.sh_type != SHT_REL) {
5681 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
5682 die("Cannot read symbol table: %s\n",
5686 + for (j = 0; j < ehdr.e_phnum; j++) {
5687 + if (phdr[j].p_type != PT_LOAD )
5689 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5691 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5694 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5695 Elf32_Rel *rel = &sec->reltab[j];
5696 - rel->r_offset = elf32_to_cpu(rel->r_offset);
5697 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5698 rel->r_info = elf32_to_cpu(rel->r_info);
5701 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
5703 static void print_absolute_symbols(void)
5707 printf("Absolute symbols\n");
5708 printf(" Num: Value Size Type Bind Visibility Name\n");
5709 for (i = 0; i < ehdr.e_shnum; i++) {
5710 struct section *sec = &secs[i];
5712 Elf32_Sym *sh_symtab;
5716 if (sec->shdr.sh_type != SHT_SYMTAB) {
5718 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
5720 static void print_absolute_relocs(void)
5722 - int i, printed = 0;
5723 + unsigned int i, printed = 0;
5725 for (i = 0; i < ehdr.e_shnum; i++) {
5726 struct section *sec = &secs[i];
5727 struct section *sec_applies, *sec_symtab;
5729 Elf32_Sym *sh_symtab;
5732 if (sec->shdr.sh_type != SHT_REL) {
5735 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
5737 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5741 /* Walk through the relocations */
5742 for (i = 0; i < ehdr.e_shnum; i++) {
5744 Elf32_Sym *sh_symtab;
5745 struct section *sec_applies, *sec_symtab;
5748 struct section *sec = &secs[i];
5750 if (sec->shdr.sh_type != SHT_REL) {
5751 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5752 !is_rel_reloc(sym_name(sym_strtab, sym))) {
5755 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5756 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5759 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5760 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5761 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5763 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5765 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5767 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
5774 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
5776 static void emit_relocs(int as_text)
5780 /* Count how many relocations I have and allocate space for them. */
5782 walk_relocs(count_reloc);
5783 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
5784 fname, strerror(errno));
5791 diff -urNp linux-2.6.35.4/arch/x86/boot/cpucheck.c linux-2.6.35.4/arch/x86/boot/cpucheck.c
5792 --- linux-2.6.35.4/arch/x86/boot/cpucheck.c 2010-08-26 19:47:12.000000000 -0400
5793 +++ linux-2.6.35.4/arch/x86/boot/cpucheck.c 2010-09-17 20:12:09.000000000 -0400
5794 @@ -74,7 +74,7 @@ static int has_fpu(void)
5795 u16 fcw = -1, fsw = -1;
5798 - asm("movl %%cr0,%0" : "=r" (cr0));
5799 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
5800 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5801 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5802 asm volatile("movl %0,%%cr0" : : "r" (cr0));
5803 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5808 + asm volatile("pushfl ; "
5812 @@ -115,7 +115,7 @@ static void get_flags(void)
5813 set_bit(X86_FEATURE_FPU, cpu.flags);
5815 if (has_eflag(X86_EFLAGS_ID)) {
5817 + asm volatile("cpuid"
5818 : "=a" (max_intel_level),
5819 "=b" (cpu_vendor[0]),
5820 "=d" (cpu_vendor[1]),
5821 @@ -124,7 +124,7 @@ static void get_flags(void)
5823 if (max_intel_level >= 0x00000001 &&
5824 max_intel_level <= 0x0000ffff) {
5826 + asm volatile("cpuid"
5828 "=c" (cpu.flags[4]),
5830 @@ -136,7 +136,7 @@ static void get_flags(void)
5831 cpu.model += ((tfms >> 16) & 0xf) << 4;
5835 + asm volatile("cpuid"
5836 : "=a" (max_amd_level)
5838 : "ebx", "ecx", "edx");
5839 @@ -144,7 +144,7 @@ static void get_flags(void)
5840 if (max_amd_level >= 0x80000001 &&
5841 max_amd_level <= 0x8000ffff) {
5842 u32 eax = 0x80000001;
5844 + asm volatile("cpuid"
5846 "=c" (cpu.flags[6]),
5848 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5849 u32 ecx = MSR_K7_HWCR;
5852 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5853 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5855 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5856 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5858 get_flags(); /* Make sure it really did something */
5859 err = check_flags();
5860 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5861 u32 ecx = MSR_VIA_FCR;
5864 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5865 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5866 eax |= (1<<1)|(1<<7);
5867 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5868 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5870 set_bit(X86_FEATURE_CX8, cpu.flags);
5871 err = check_flags();
5872 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
5876 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5877 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5879 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5880 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5881 + asm volatile("cpuid"
5882 : "+a" (level), "=d" (cpu.flags[0])
5884 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5885 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5887 err = check_flags();
5889 diff -urNp linux-2.6.35.4/arch/x86/boot/header.S linux-2.6.35.4/arch/x86/boot/header.S
5890 --- linux-2.6.35.4/arch/x86/boot/header.S 2010-08-26 19:47:12.000000000 -0400
5891 +++ linux-2.6.35.4/arch/x86/boot/header.S 2010-09-17 20:12:09.000000000 -0400
5892 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
5893 # single linked list of
5896 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
5897 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
5899 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
5900 #define VO_INIT_SIZE (VO__end - VO__text)
5901 diff -urNp linux-2.6.35.4/arch/x86/boot/memory.c linux-2.6.35.4/arch/x86/boot/memory.c
5902 --- linux-2.6.35.4/arch/x86/boot/memory.c 2010-08-26 19:47:12.000000000 -0400
5903 +++ linux-2.6.35.4/arch/x86/boot/memory.c 2010-09-17 20:12:09.000000000 -0400
5906 static int detect_memory_e820(void)
5909 + unsigned int count = 0;
5910 struct biosregs ireg, oreg;
5911 struct e820entry *desc = boot_params.e820_map;
5912 static struct e820entry buf; /* static so it is zeroed */
5913 diff -urNp linux-2.6.35.4/arch/x86/boot/video.c linux-2.6.35.4/arch/x86/boot/video.c
5914 --- linux-2.6.35.4/arch/x86/boot/video.c 2010-08-26 19:47:12.000000000 -0400
5915 +++ linux-2.6.35.4/arch/x86/boot/video.c 2010-09-17 20:12:09.000000000 -0400
5916 @@ -96,7 +96,7 @@ static void store_mode_params(void)
5917 static unsigned int get_entry(void)
5921 + unsigned int i, len = 0;
5925 diff -urNp linux-2.6.35.4/arch/x86/boot/video-vesa.c linux-2.6.35.4/arch/x86/boot/video-vesa.c
5926 --- linux-2.6.35.4/arch/x86/boot/video-vesa.c 2010-08-26 19:47:12.000000000 -0400
5927 +++ linux-2.6.35.4/arch/x86/boot/video-vesa.c 2010-09-17 20:12:09.000000000 -0400
5928 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
5930 boot_params.screen_info.vesapm_seg = oreg.es;
5931 boot_params.screen_info.vesapm_off = oreg.di;
5932 + boot_params.screen_info.vesapm_size = oreg.cx;
5936 diff -urNp linux-2.6.35.4/arch/x86/ia32/ia32entry.S linux-2.6.35.4/arch/x86/ia32/ia32entry.S
5937 --- linux-2.6.35.4/arch/x86/ia32/ia32entry.S 2010-08-26 19:47:12.000000000 -0400
5938 +++ linux-2.6.35.4/arch/x86/ia32/ia32entry.S 2010-09-17 20:12:37.000000000 -0400
5940 #include <asm/thread_info.h>
5941 #include <asm/segment.h>
5942 #include <asm/irqflags.h>
5943 +#include <asm/pgtable.h>
5944 #include <linux/linkage.h>
5946 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
5947 @@ -114,6 +121,11 @@ ENTRY(ia32_sysenter_target)
5949 movq PER_CPU_VAR(kernel_stack), %rsp
5950 addq $(KERNEL_STACK_OFFSET),%rsp
5952 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5953 + call pax_enter_kernel_user
5957 * No need to follow this irqs on/off section: the syscall
5958 * disabled irqs, here we enable it straight after entry:
5959 @@ -144,6 +156,12 @@ ENTRY(ia32_sysenter_target)
5961 /* no need to do an access_ok check here because rbp has been
5962 32bit zero extended */
5964 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5965 + mov $PAX_USER_SHADOW_BASE,%r10
5970 .section __ex_table,"a"
5971 .quad 1b,ia32_badarg
5972 @@ -166,6 +184,11 @@ sysenter_dispatch:
5973 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
5975 sysexit_from_sys_call:
5977 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5978 + call pax_exit_kernel_user
5981 andl $~TS_COMPAT,TI_status(%r10)
5982 /* clear IF, that popfq doesn't enable interrupts early */
5983 andl $~0x200,EFLAGS-R11(%rsp)
5984 @@ -284,6 +307,11 @@ ENTRY(ia32_cstar_target)
5987 movq PER_CPU_VAR(kernel_stack),%rsp
5989 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5990 + call pax_enter_kernel_user
5994 * No need to follow this irqs on/off section: the syscall
5995 * disabled irqs and here we enable it straight after entry:
5996 @@ -305,6 +333,12 @@ ENTRY(ia32_cstar_target)
5997 /* no need to do an access_ok check here because r8 has been
5998 32bit zero extended */
5999 /* hardware stack frame is complete now */
6001 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6002 + mov $PAX_USER_SHADOW_BASE,%r10
6007 .section __ex_table,"a"
6008 .quad 1b,ia32_badarg
6009 @@ -327,6 +361,11 @@ cstar_dispatch:
6010 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6012 sysretl_from_sys_call:
6014 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6015 + call pax_exit_kernel_user
6018 andl $~TS_COMPAT,TI_status(%r10)
6019 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6020 movl RIP-ARGOFFSET(%rsp),%ecx
6021 @@ -409,6 +448,11 @@ ENTRY(ia32_syscall)
6022 CFI_REL_OFFSET rip,RIP-RIP
6023 PARAVIRT_ADJUST_EXCEPTION_FRAME
6026 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6027 + call pax_enter_kernel_user
6031 * No need to follow this irqs on/off section: the syscall
6032 * disabled irqs and here we enable it straight after entry:
6033 diff -urNp linux-2.6.35.4/arch/x86/ia32/ia32_signal.c linux-2.6.35.4/arch/x86/ia32/ia32_signal.c
6034 --- linux-2.6.35.4/arch/x86/ia32/ia32_signal.c 2010-08-26 19:47:12.000000000 -0400
6035 +++ linux-2.6.35.4/arch/x86/ia32/ia32_signal.c 2010-09-17 20:12:09.000000000 -0400
6036 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6038 /* Align the stack pointer according to the i386 ABI,
6039 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6040 - sp = ((sp + 4) & -16ul) - 4;
6041 + sp = ((sp - 12) & -16ul) - 4;
6042 return (void __user *) sp;
6045 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6047 __NR_ia32_rt_sigreturn,
6053 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6054 diff -urNp linux-2.6.35.4/arch/x86/include/asm/alternative.h linux-2.6.35.4/arch/x86/include/asm/alternative.h
6055 --- linux-2.6.35.4/arch/x86/include/asm/alternative.h 2010-08-26 19:47:12.000000000 -0400
6056 +++ linux-2.6.35.4/arch/x86/include/asm/alternative.h 2010-09-17 20:12:09.000000000 -0400
6057 @@ -91,7 +91,7 @@ static inline int alternatives_text_rese
6058 " .byte 664f-663f\n" /* replacementlen */ \
6059 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6061 - ".section .altinstr_replacement, \"ax\"\n" \
6062 + ".section .altinstr_replacement, \"a\"\n" \
6063 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6066 diff -urNp linux-2.6.35.4/arch/x86/include/asm/apm.h linux-2.6.35.4/arch/x86/include/asm/apm.h
6067 --- linux-2.6.35.4/arch/x86/include/asm/apm.h 2010-08-26 19:47:12.000000000 -0400
6068 +++ linux-2.6.35.4/arch/x86/include/asm/apm.h 2010-09-17 20:12:09.000000000 -0400
6069 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6070 __asm__ __volatile__(APM_DO_ZERO_SEGS
6073 - "lcall *%%cs:apm_bios_entry\n\t"
6074 + "lcall *%%ss:apm_bios_entry\n\t"
6078 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6079 __asm__ __volatile__(APM_DO_ZERO_SEGS
6082 - "lcall *%%cs:apm_bios_entry\n\t"
6083 + "lcall *%%ss:apm_bios_entry\n\t"
6087 diff -urNp linux-2.6.35.4/arch/x86/include/asm/asm.h linux-2.6.35.4/arch/x86/include/asm/asm.h
6088 --- linux-2.6.35.4/arch/x86/include/asm/asm.h 2010-08-26 19:47:12.000000000 -0400
6089 +++ linux-2.6.35.4/arch/x86/include/asm/asm.h 2010-09-17 20:12:09.000000000 -0400
6091 #define _ASM_SI __ASM_REG(si)
6092 #define _ASM_DI __ASM_REG(di)
6094 +#ifdef CONFIG_X86_32
6095 +#define _ASM_INTO "into"
6097 +#define _ASM_INTO "int $4"
6100 /* Exception table entry */
6102 # define _ASM_EXTABLE(from,to) \
6103 diff -urNp linux-2.6.35.4/arch/x86/include/asm/atomic64_32.h linux-2.6.35.4/arch/x86/include/asm/atomic64_32.h
6104 --- linux-2.6.35.4/arch/x86/include/asm/atomic64_32.h 2010-08-26 19:47:12.000000000 -0400
6105 +++ linux-2.6.35.4/arch/x86/include/asm/atomic64_32.h 2010-09-17 20:12:09.000000000 -0400
6106 @@ -12,6 +12,14 @@ typedef struct {
6107 u64 __aligned(8) counter;
6110 +#ifdef CONFIG_PAX_REFCOUNT
6112 + u64 __aligned(8) counter;
6113 +} atomic64_unchecked_t;
6115 +typedef atomic64_t atomic64_unchecked_t;
6118 #define ATOMIC64_INIT(val) { (val) }
6120 #ifdef CONFIG_X86_CMPXCHG64
6121 diff -urNp linux-2.6.35.4/arch/x86/include/asm/atomic64_64.h linux-2.6.35.4/arch/x86/include/asm/atomic64_64.h
6122 --- linux-2.6.35.4/arch/x86/include/asm/atomic64_64.h 2010-08-26 19:47:12.000000000 -0400
6123 +++ linux-2.6.35.4/arch/x86/include/asm/atomic64_64.h 2010-09-17 20:12:09.000000000 -0400
6124 @@ -22,6 +22,18 @@ static inline long atomic64_read(const a
6128 + * atomic64_read_unchecked - read atomic64 variable
6129 + * @v: pointer of type atomic64_unchecked_t
6131 + * Atomically reads the value of @v.
6132 + * Doesn't imply a read memory barrier.
6134 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6136 + return v->counter;
6140 * atomic64_set - set atomic64 variable
6141 * @v: pointer to type atomic64_t
6142 * @i: required value
6143 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6147 + * atomic64_set_unchecked - set atomic64 variable
6148 + * @v: pointer to type atomic64_unchecked_t
6149 + * @i: required value
6151 + * Atomically sets the value of @v to @i.
6153 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6159 * atomic64_add - add integer to atomic64 variable
6160 * @i: integer value to add
6161 * @v: pointer to type atomic64_t
6162 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6164 static inline void atomic64_add(long i, atomic64_t *v)
6166 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6168 +#ifdef CONFIG_PAX_REFCOUNT
6170 + LOCK_PREFIX "subq %1,%0\n"
6172 + _ASM_EXTABLE(0b, 0b)
6175 + : "=m" (v->counter)
6176 + : "er" (i), "m" (v->counter));
6180 + * atomic64_add_unchecked - add integer to atomic64 variable
6181 + * @i: integer value to add
6182 + * @v: pointer to type atomic64_unchecked_t
6184 + * Atomically adds @i to @v.
6186 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6188 asm volatile(LOCK_PREFIX "addq %1,%0"
6190 : "er" (i), "m" (v->counter));
6191 @@ -56,7 +102,15 @@ static inline void atomic64_add(long i,
6193 static inline void atomic64_sub(long i, atomic64_t *v)
6195 - asm volatile(LOCK_PREFIX "subq %1,%0"
6196 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6198 +#ifdef CONFIG_PAX_REFCOUNT
6200 + LOCK_PREFIX "addq %1,%0\n"
6202 + _ASM_EXTABLE(0b, 0b)
6206 : "er" (i), "m" (v->counter));
6208 @@ -74,7 +128,16 @@ static inline int atomic64_sub_and_test(
6212 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6213 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6215 +#ifdef CONFIG_PAX_REFCOUNT
6217 + LOCK_PREFIX "addq %2,%0\n"
6219 + _ASM_EXTABLE(0b, 0b)
6223 : "=m" (v->counter), "=qm" (c)
6224 : "er" (i), "m" (v->counter) : "memory");
6226 @@ -88,6 +151,31 @@ static inline int atomic64_sub_and_test(
6228 static inline void atomic64_inc(atomic64_t *v)
6230 + asm volatile(LOCK_PREFIX "incq %0\n"
6232 +#ifdef CONFIG_PAX_REFCOUNT
6235 + ".pushsection .fixup,\"ax\"\n"
6237 + LOCK_PREFIX "decq %0\n"
6240 + _ASM_EXTABLE(0b, 1b)
6243 + : "=m" (v->counter)
6244 + : "m" (v->counter));
6248 + * atomic64_inc_unchecked - increment atomic64 variable
6249 + * @v: pointer to type atomic64_unchecked_t
6251 + * Atomically increments @v by 1.
6253 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6255 asm volatile(LOCK_PREFIX "incq %0"
6257 : "m" (v->counter));
6258 @@ -101,7 +189,32 @@ static inline void atomic64_inc(atomic64
6260 static inline void atomic64_dec(atomic64_t *v)
6262 - asm volatile(LOCK_PREFIX "decq %0"
6263 + asm volatile(LOCK_PREFIX "decq %0\n"
6265 +#ifdef CONFIG_PAX_REFCOUNT
6268 + ".pushsection .fixup,\"ax\"\n"
6270 + LOCK_PREFIX "incq %0\n"
6273 + _ASM_EXTABLE(0b, 1b)
6276 + : "=m" (v->counter)
6277 + : "m" (v->counter));
6281 + * atomic64_dec_unchecked - decrement atomic64 variable
6282 + * @v: pointer to type atomic64_t
6284 + * Atomically decrements @v by 1.
6286 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6288 + asm volatile(LOCK_PREFIX "decq %0\n"
6290 : "m" (v->counter));
6292 @@ -118,7 +231,20 @@ static inline int atomic64_dec_and_test(
6296 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6297 + asm volatile(LOCK_PREFIX "decq %0\n"
6299 +#ifdef CONFIG_PAX_REFCOUNT
6302 + ".pushsection .fixup,\"ax\"\n"
6304 + LOCK_PREFIX "incq %0\n"
6307 + _ASM_EXTABLE(0b, 1b)
6311 : "=m" (v->counter), "=qm" (c)
6312 : "m" (v->counter) : "memory");
6314 @@ -136,7 +262,20 @@ static inline int atomic64_inc_and_test(
6318 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6319 + asm volatile(LOCK_PREFIX "incq %0\n"
6321 +#ifdef CONFIG_PAX_REFCOUNT
6324 + ".pushsection .fixup,\"ax\"\n"
6326 + LOCK_PREFIX "decq %0\n"
6329 + _ASM_EXTABLE(0b, 1b)
6333 : "=m" (v->counter), "=qm" (c)
6334 : "m" (v->counter) : "memory");
6336 @@ -155,7 +294,16 @@ static inline int atomic64_add_negative(
6340 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6341 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6343 +#ifdef CONFIG_PAX_REFCOUNT
6345 + LOCK_PREFIX "subq %2,%0\n"
6347 + _ASM_EXTABLE(0b, 0b)
6351 : "=m" (v->counter), "=qm" (c)
6352 : "er" (i), "m" (v->counter) : "memory");
6354 @@ -171,7 +319,31 @@ static inline int atomic64_add_negative(
6355 static inline long atomic64_add_return(long i, atomic64_t *v)
6358 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6359 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6361 +#ifdef CONFIG_PAX_REFCOUNT
6365 + _ASM_EXTABLE(0b, 0b)
6368 + : "+r" (i), "+m" (v->counter)
6374 + * atomic64_add_return_unchecked - add and return
6375 + * @i: integer value to add
6376 + * @v: pointer to type atomic64_unchecked_t
6378 + * Atomically adds @i to @v and returns @i + @v
6380 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6383 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6384 : "+r" (i), "+m" (v->counter)
6387 @@ -183,6 +355,10 @@ static inline long atomic64_sub_return(l
6390 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6391 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6393 + return atomic64_add_return_unchecked(1, v);
6395 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6397 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6398 @@ -206,17 +382,29 @@ static inline long atomic64_xchg(atomic6
6400 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6404 c = atomic64_read(v);
6406 - if (unlikely(c == (u)))
6407 + if (unlikely(c == u))
6409 - old = atomic64_cmpxchg((v), c, c + (a));
6411 + asm volatile("add %2,%0\n"
6413 +#ifdef CONFIG_PAX_REFCOUNT
6416 + _ASM_EXTABLE(0b, 0b)
6420 + : "0" (c), "ir" (a));
6422 + old = atomic64_cmpxchg(v, c, new);
6423 if (likely(old == c))
6431 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
6432 diff -urNp linux-2.6.35.4/arch/x86/include/asm/atomic.h linux-2.6.35.4/arch/x86/include/asm/atomic.h
6433 --- linux-2.6.35.4/arch/x86/include/asm/atomic.h 2010-08-26 19:47:12.000000000 -0400
6434 +++ linux-2.6.35.4/arch/x86/include/asm/atomic.h 2010-09-17 20:12:09.000000000 -0400
6435 @@ -26,6 +26,17 @@ static inline int atomic_read(const atom
6439 + * atomic_read_unchecked - read atomic variable
6440 + * @v: pointer of type atomic_unchecked_t
6442 + * Atomically reads the value of @v.
6444 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6446 + return v->counter;
6450 * atomic_set - set atomic variable
6451 * @v: pointer of type atomic_t
6452 * @i: required value
6453 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6457 + * atomic_set_unchecked - set atomic variable
6458 + * @v: pointer of type atomic_unchecked_t
6459 + * @i: required value
6461 + * Atomically sets the value of @v to @i.
6463 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6469 * atomic_add - add integer to atomic variable
6470 * @i: integer value to add
6471 * @v: pointer of type atomic_t
6472 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6474 static inline void atomic_add(int i, atomic_t *v)
6476 - asm volatile(LOCK_PREFIX "addl %1,%0"
6477 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6479 +#ifdef CONFIG_PAX_REFCOUNT
6481 + LOCK_PREFIX "subl %1,%0\n"
6482 + _ASM_INTO "\n0:\n"
6483 + _ASM_EXTABLE(0b, 0b)
6486 + : "+m" (v->counter)
6491 + * atomic_add_unchecked - add integer to atomic variable
6492 + * @i: integer value to add
6493 + * @v: pointer of type atomic_unchecked_t
6495 + * Atomically adds @i to @v.
6497 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6499 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6503 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6505 static inline void atomic_sub(int i, atomic_t *v)
6507 - asm volatile(LOCK_PREFIX "subl %1,%0"
6508 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6510 +#ifdef CONFIG_PAX_REFCOUNT
6512 + LOCK_PREFIX "addl %1,%0\n"
6513 + _ASM_INTO "\n0:\n"
6514 + _ASM_EXTABLE(0b, 0b)
6517 + : "+m" (v->counter)
6522 + * atomic_sub_unchecked - subtract integer from atomic variable
6523 + * @i: integer value to subtract
6524 + * @v: pointer of type atomic_t
6526 + * Atomically subtracts @i from @v.
6528 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6530 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6534 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6538 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6539 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
6541 +#ifdef CONFIG_PAX_REFCOUNT
6543 + LOCK_PREFIX "addl %2,%0\n"
6544 + _ASM_INTO "\n0:\n"
6545 + _ASM_EXTABLE(0b, 0b)
6549 : "+m" (v->counter), "=qm" (c)
6550 : "ir" (i) : "memory");
6552 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6554 static inline void atomic_inc(atomic_t *v)
6556 - asm volatile(LOCK_PREFIX "incl %0"
6557 + asm volatile(LOCK_PREFIX "incl %0\n"
6559 +#ifdef CONFIG_PAX_REFCOUNT
6561 + LOCK_PREFIX "decl %0\n"
6562 + _ASM_INTO "\n0:\n"
6563 + _ASM_EXTABLE(0b, 0b)
6566 + : "+m" (v->counter));
6570 + * atomic_inc_unchecked - increment atomic variable
6571 + * @v: pointer of type atomic_unchecked_t
6573 + * Atomically increments @v by 1.
6575 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6577 + asm volatile(LOCK_PREFIX "incl %0\n"
6578 : "+m" (v->counter));
6581 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6583 static inline void atomic_dec(atomic_t *v)
6585 - asm volatile(LOCK_PREFIX "decl %0"
6586 + asm volatile(LOCK_PREFIX "decl %0\n"
6588 +#ifdef CONFIG_PAX_REFCOUNT
6590 + LOCK_PREFIX "incl %0\n"
6591 + _ASM_INTO "\n0:\n"
6592 + _ASM_EXTABLE(0b, 0b)
6595 + : "+m" (v->counter));
6599 + * atomic_dec_unchecked - decrement atomic variable
6600 + * @v: pointer of type atomic_t
6602 + * Atomically decrements @v by 1.
6604 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6606 + asm volatile(LOCK_PREFIX "decl %0\n"
6607 : "+m" (v->counter));
6610 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6614 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
6615 + asm volatile(LOCK_PREFIX "decl %0\n"
6617 +#ifdef CONFIG_PAX_REFCOUNT
6619 + LOCK_PREFIX "incl %0\n"
6620 + _ASM_INTO "\n0:\n"
6621 + _ASM_EXTABLE(0b, 0b)
6625 : "+m" (v->counter), "=qm" (c)
6628 @@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
6632 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
6633 + asm volatile(LOCK_PREFIX "incl %0\n"
6635 +#ifdef CONFIG_PAX_REFCOUNT
6637 + LOCK_PREFIX "decl %0\n"
6638 + _ASM_INTO "\n0:\n"
6639 + _ASM_EXTABLE(0b, 0b)
6643 : "+m" (v->counter), "=qm" (c)
6646 @@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
6650 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6651 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
6653 +#ifdef CONFIG_PAX_REFCOUNT
6655 + LOCK_PREFIX "subl %2,%0\n"
6656 + _ASM_INTO "\n0:\n"
6657 + _ASM_EXTABLE(0b, 0b)
6661 : "+m" (v->counter), "=qm" (c)
6662 : "ir" (i) : "memory");
6664 @@ -180,6 +323,46 @@ static inline int atomic_add_return(int
6666 /* Modern 486+ processor */
6668 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6670 +#ifdef CONFIG_PAX_REFCOUNT
6673 + _ASM_INTO "\n0:\n"
6674 + _ASM_EXTABLE(0b, 0b)
6677 + : "+r" (i), "+m" (v->counter)
6682 +no_xadd: /* Legacy 386 processor */
6683 + local_irq_save(flags);
6684 + __i = atomic_read(v);
6685 + atomic_set(v, i + __i);
6686 + local_irq_restore(flags);
6692 + * atomic_add_return_unchecked - add integer and return
6693 + * @v: pointer of type atomic_unchecked_t
6694 + * @i: integer value to add
6696 + * Atomically adds @i to @v and returns @i + @v
6698 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
6702 + unsigned long flags;
6703 + if (unlikely(boot_cpu_data.x86 <= 3))
6706 + /* Modern 486+ processor */
6708 asm volatile(LOCK_PREFIX "xaddl %0, %1"
6709 : "+r" (i), "+m" (v->counter)
6711 @@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
6714 #define atomic_inc_return(v) (atomic_add_return(1, v))
6715 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6717 + return atomic_add_return_unchecked(1, v);
6719 #define atomic_dec_return(v) (atomic_sub_return(1, v))
6721 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6722 @@ -231,17 +418,29 @@ static inline int atomic_xchg(atomic_t *
6724 static inline int atomic_add_unless(atomic_t *v, int a, int u)
6730 - if (unlikely(c == (u)))
6731 + if (unlikely(c == u))
6733 - old = atomic_cmpxchg((v), c, c + (a));
6735 + asm volatile("addl %2,%0\n"
6737 +#ifdef CONFIG_PAX_REFCOUNT
6739 + _ASM_INTO "\n0:\n"
6740 + _ASM_EXTABLE(0b, 0b)
6744 + : "0" (c), "ir" (a));
6746 + old = atomic_cmpxchg(v, c, new);
6747 if (likely(old == c))
6755 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
6756 diff -urNp linux-2.6.35.4/arch/x86/include/asm/boot.h linux-2.6.35.4/arch/x86/include/asm/boot.h
6757 --- linux-2.6.35.4/arch/x86/include/asm/boot.h 2010-08-26 19:47:12.000000000 -0400
6758 +++ linux-2.6.35.4/arch/x86/include/asm/boot.h 2010-09-17 20:12:09.000000000 -0400
6760 #include <asm/pgtable_types.h>
6762 /* Physical address where kernel should be loaded. */
6763 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6764 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6765 + (CONFIG_PHYSICAL_ALIGN - 1)) \
6766 & ~(CONFIG_PHYSICAL_ALIGN - 1))
6768 +#ifndef __ASSEMBLY__
6769 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
6770 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
6773 /* Minimum kernel alignment, as a power of two */
6774 #ifdef CONFIG_X86_64
6775 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
6776 diff -urNp linux-2.6.35.4/arch/x86/include/asm/cacheflush.h linux-2.6.35.4/arch/x86/include/asm/cacheflush.h
6777 --- linux-2.6.35.4/arch/x86/include/asm/cacheflush.h 2010-08-26 19:47:12.000000000 -0400
6778 +++ linux-2.6.35.4/arch/x86/include/asm/cacheflush.h 2010-09-17 20:12:09.000000000 -0400
6779 @@ -66,7 +66,7 @@ static inline unsigned long get_page_mem
6780 unsigned long pg_flags = pg->flags & _PGMT_MASK;
6782 if (pg_flags == _PGMT_DEFAULT)
6785 else if (pg_flags == _PGMT_WC)
6786 return _PAGE_CACHE_WC;
6787 else if (pg_flags == _PGMT_UC_MINUS)
6788 diff -urNp linux-2.6.35.4/arch/x86/include/asm/cache.h linux-2.6.35.4/arch/x86/include/asm/cache.h
6789 --- linux-2.6.35.4/arch/x86/include/asm/cache.h 2010-08-26 19:47:12.000000000 -0400
6790 +++ linux-2.6.35.4/arch/x86/include/asm/cache.h 2010-09-17 20:12:09.000000000 -0400
6792 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6794 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
6795 +#define __read_only __attribute__((__section__(".data..read_only")))
6797 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
6798 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
6799 diff -urNp linux-2.6.35.4/arch/x86/include/asm/checksum_32.h linux-2.6.35.4/arch/x86/include/asm/checksum_32.h
6800 --- linux-2.6.35.4/arch/x86/include/asm/checksum_32.h 2010-08-26 19:47:12.000000000 -0400
6801 +++ linux-2.6.35.4/arch/x86/include/asm/checksum_32.h 2010-09-17 20:12:09.000000000 -0400
6802 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
6803 int len, __wsum sum,
6804 int *src_err_ptr, int *dst_err_ptr);
6806 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
6807 + int len, __wsum sum,
6808 + int *src_err_ptr, int *dst_err_ptr);
6810 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
6811 + int len, __wsum sum,
6812 + int *src_err_ptr, int *dst_err_ptr);
6815 * Note: when you get a NULL pointer exception here this means someone
6816 * passed in an incorrect kernel address to one of these functions.
6817 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
6821 - return csum_partial_copy_generic((__force void *)src, dst,
6822 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
6823 len, sum, err_ptr, NULL);
6826 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
6829 if (access_ok(VERIFY_WRITE, dst, len))
6830 - return csum_partial_copy_generic(src, (__force void *)dst,
6831 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
6832 len, sum, NULL, err_ptr);
6835 diff -urNp linux-2.6.35.4/arch/x86/include/asm/cpufeature.h linux-2.6.35.4/arch/x86/include/asm/cpufeature.h
6836 --- linux-2.6.35.4/arch/x86/include/asm/cpufeature.h 2010-08-26 19:47:12.000000000 -0400
6837 +++ linux-2.6.35.4/arch/x86/include/asm/cpufeature.h 2010-09-17 20:12:09.000000000 -0400
6838 @@ -323,7 +323,7 @@ static __always_inline __pure bool __sta
6839 " .byte 4f - 3f\n" /* replacement len */
6840 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* padding */
6842 - ".section .altinstr_replacement,\"ax\"\n"
6843 + ".section .altinstr_replacement,\"a\"\n"
6847 diff -urNp linux-2.6.35.4/arch/x86/include/asm/desc.h linux-2.6.35.4/arch/x86/include/asm/desc.h
6848 --- linux-2.6.35.4/arch/x86/include/asm/desc.h 2010-08-26 19:47:12.000000000 -0400
6849 +++ linux-2.6.35.4/arch/x86/include/asm/desc.h 2010-09-17 20:12:09.000000000 -0400
6851 #include <asm/desc_defs.h>
6852 #include <asm/ldt.h>
6853 #include <asm/mmu.h>
6854 +#include <asm/pgtable.h>
6855 #include <linux/smp.h>
6857 static inline void fill_ldt(struct desc_struct *desc,
6858 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
6859 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
6860 desc->type = (info->read_exec_only ^ 1) << 1;
6861 desc->type |= info->contents << 2;
6862 + desc->type |= info->seg_not_present ^ 1;
6865 desc->p = info->seg_not_present ^ 1;
6866 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
6869 extern struct desc_ptr idt_descr;
6870 -extern gate_desc idt_table[];
6873 - struct desc_struct gdt[GDT_ENTRIES];
6874 -} __attribute__((aligned(PAGE_SIZE)));
6875 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
6876 +extern gate_desc idt_table[256];
6878 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
6879 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
6881 - return per_cpu(gdt_page, cpu).gdt;
6882 + return cpu_gdt_table[cpu];
6885 #ifdef CONFIG_X86_64
6886 @@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
6887 static inline void native_write_idt_entry(gate_desc *idt, int entry,
6888 const gate_desc *gate)
6890 + pax_open_kernel();
6891 memcpy(&idt[entry], gate, sizeof(*gate));
6892 + pax_close_kernel();
6895 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
6898 + pax_open_kernel();
6899 memcpy(&ldt[entry], desc, 8);
6900 + pax_close_kernel();
6903 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
6904 const void *desc, int type)
6910 size = sizeof(tss_desc);
6911 @@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
6912 size = sizeof(struct desc_struct);
6916 + pax_open_kernel();
6917 memcpy(&gdt[entry], desc, size);
6918 + pax_close_kernel();
6921 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
6922 @@ -211,7 +217,9 @@ static inline void native_set_ldt(const
6924 static inline void native_load_tr_desc(void)
6926 + pax_open_kernel();
6927 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
6928 + pax_close_kernel();
6931 static inline void native_load_gdt(const struct desc_ptr *dtr)
6932 @@ -246,8 +254,10 @@ static inline void native_load_tls(struc
6934 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
6936 + pax_open_kernel();
6937 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
6938 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
6939 + pax_close_kernel();
6942 #define _LDT_empty(info) \
6943 @@ -309,7 +319,7 @@ static inline void set_desc_limit(struct
6944 desc->limit = (limit >> 16) & 0xf;
6947 -static inline void _set_gate(int gate, unsigned type, void *addr,
6948 +static inline void _set_gate(int gate, unsigned type, const void *addr,
6949 unsigned dpl, unsigned ist, unsigned seg)
6952 @@ -327,7 +337,7 @@ static inline void _set_gate(int gate, u
6953 * Pentium F0 0F bugfix can have resulted in the mapped
6954 * IDT being write-protected.
6956 -static inline void set_intr_gate(unsigned int n, void *addr)
6957 +static inline void set_intr_gate(unsigned int n, const void *addr)
6959 BUG_ON((unsigned)n > 0xFF);
6960 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
6961 @@ -356,19 +366,19 @@ static inline void alloc_intr_gate(unsig
6963 * This routine sets up an interrupt gate at directory privilege level 3.
6965 -static inline void set_system_intr_gate(unsigned int n, void *addr)
6966 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
6968 BUG_ON((unsigned)n > 0xFF);
6969 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
6972 -static inline void set_system_trap_gate(unsigned int n, void *addr)
6973 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
6975 BUG_ON((unsigned)n > 0xFF);
6976 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
6979 -static inline void set_trap_gate(unsigned int n, void *addr)
6980 +static inline void set_trap_gate(unsigned int n, const void *addr)
6982 BUG_ON((unsigned)n > 0xFF);
6983 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
6984 @@ -377,19 +387,31 @@ static inline void set_trap_gate(unsigne
6985 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
6987 BUG_ON((unsigned)n > 0xFF);
6988 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
6989 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
6992 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
6993 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
6995 BUG_ON((unsigned)n > 0xFF);
6996 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
6999 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7000 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7002 BUG_ON((unsigned)n > 0xFF);
7003 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7006 +#ifdef CONFIG_X86_32
7007 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7009 + struct desc_struct d;
7011 + if (likely(limit))
7012 + limit = (limit - 1UL) >> PAGE_SHIFT;
7013 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
7014 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7018 #endif /* _ASM_X86_DESC_H */
7019 diff -urNp linux-2.6.35.4/arch/x86/include/asm/device.h linux-2.6.35.4/arch/x86/include/asm/device.h
7020 --- linux-2.6.35.4/arch/x86/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
7021 +++ linux-2.6.35.4/arch/x86/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
7022 @@ -6,7 +6,7 @@ struct dev_archdata {
7025 #ifdef CONFIG_X86_64
7026 -struct dma_map_ops *dma_ops;
7027 + const struct dma_map_ops *dma_ops;
7029 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7030 void *iommu; /* hook for IOMMU specific extension */
7031 diff -urNp linux-2.6.35.4/arch/x86/include/asm/dma-mapping.h linux-2.6.35.4/arch/x86/include/asm/dma-mapping.h
7032 --- linux-2.6.35.4/arch/x86/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
7033 +++ linux-2.6.35.4/arch/x86/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
7034 @@ -26,9 +26,9 @@ extern int iommu_merge;
7035 extern struct device x86_dma_fallback_dev;
7036 extern int panic_on_overflow;
7038 -extern struct dma_map_ops *dma_ops;
7039 +extern const struct dma_map_ops *dma_ops;
7041 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7042 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7044 #ifdef CONFIG_X86_32
7046 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7047 /* Make sure we keep the same behaviour */
7048 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7050 - struct dma_map_ops *ops = get_dma_ops(dev);
7051 + const struct dma_map_ops *ops = get_dma_ops(dev);
7052 if (ops->mapping_error)
7053 return ops->mapping_error(dev, dma_addr);
7055 @@ -123,7 +123,7 @@ static inline void *
7056 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7059 - struct dma_map_ops *ops = get_dma_ops(dev);
7060 + const struct dma_map_ops *ops = get_dma_ops(dev);
7063 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7064 @@ -150,7 +150,7 @@ dma_alloc_coherent(struct device *dev, s
7065 static inline void dma_free_coherent(struct device *dev, size_t size,
7066 void *vaddr, dma_addr_t bus)
7068 - struct dma_map_ops *ops = get_dma_ops(dev);
7069 + const struct dma_map_ops *ops = get_dma_ops(dev);
7071 WARN_ON(irqs_disabled()); /* for portability */
7073 diff -urNp linux-2.6.35.4/arch/x86/include/asm/e820.h linux-2.6.35.4/arch/x86/include/asm/e820.h
7074 --- linux-2.6.35.4/arch/x86/include/asm/e820.h 2010-08-26 19:47:12.000000000 -0400
7075 +++ linux-2.6.35.4/arch/x86/include/asm/e820.h 2010-09-17 20:12:09.000000000 -0400
7076 @@ -69,7 +69,7 @@ struct e820map {
7077 #define ISA_START_ADDRESS 0xa0000
7078 #define ISA_END_ADDRESS 0x100000
7080 -#define BIOS_BEGIN 0x000a0000
7081 +#define BIOS_BEGIN 0x000c0000
7082 #define BIOS_END 0x00100000
7085 diff -urNp linux-2.6.35.4/arch/x86/include/asm/elf.h linux-2.6.35.4/arch/x86/include/asm/elf.h
7086 --- linux-2.6.35.4/arch/x86/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
7087 +++ linux-2.6.35.4/arch/x86/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
7088 @@ -237,7 +237,25 @@ extern int force_personality32;
7089 the loader. We need to make sure that it is out of the way of the program
7090 that it will "exec", and that there is sufficient room for the brk. */
7092 +#ifdef CONFIG_PAX_SEGMEXEC
7093 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7095 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7098 +#ifdef CONFIG_PAX_ASLR
7099 +#ifdef CONFIG_X86_32
7100 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7102 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7103 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7105 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7107 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7108 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7112 /* This yields a mask that user programs can use to figure out what
7113 instruction set this CPU supports. This could be done in user space,
7114 @@ -291,8 +309,7 @@ do { \
7115 #define ARCH_DLINFO \
7118 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7119 - (unsigned long)current->mm->context.vdso); \
7120 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7123 #define AT_SYSINFO 32
7124 @@ -303,7 +320,7 @@ do { \
7126 #endif /* !CONFIG_X86_32 */
7128 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7129 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7131 #define VDSO_ENTRY \
7132 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7133 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7134 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7135 #define compat_arch_setup_additional_pages syscall32_setup_pages
7137 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7138 -#define arch_randomize_brk arch_randomize_brk
7140 #endif /* _ASM_X86_ELF_H */
7141 diff -urNp linux-2.6.35.4/arch/x86/include/asm/futex.h linux-2.6.35.4/arch/x86/include/asm/futex.h
7142 --- linux-2.6.35.4/arch/x86/include/asm/futex.h 2010-08-26 19:47:12.000000000 -0400
7143 +++ linux-2.6.35.4/arch/x86/include/asm/futex.h 2010-09-17 20:12:09.000000000 -0400
7145 #include <asm/processor.h>
7146 #include <asm/system.h>
7148 +#ifdef CONFIG_X86_32
7149 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7151 + "movw\t%w6, %%ds\n" \
7152 + "1:\t" insn "\n" \
7153 + "2:\tpushl\t%%ss\n" \
7154 + "\tpopl\t%%ds\n" \
7155 + "\t.section .fixup,\"ax\"\n" \
7156 + "3:\tmov\t%3, %1\n" \
7159 + _ASM_EXTABLE(1b, 3b) \
7160 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7161 + : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
7163 +#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7164 + asm volatile("movw\t%w7, %%es\n" \
7165 + "1:\tmovl\t%%es:%2, %0\n" \
7166 + "\tmovl\t%0, %3\n" \
7168 + "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
7170 + "3:\tpushl\t%%ss\n" \
7171 + "\tpopl\t%%es\n" \
7172 + "\t.section .fixup,\"ax\"\n" \
7173 + "4:\tmov\t%5, %1\n" \
7176 + _ASM_EXTABLE(1b, 4b) \
7177 + _ASM_EXTABLE(2b, 4b) \
7178 + : "=&a" (oldval), "=&r" (ret), \
7179 + "+m" (*uaddr), "=&r" (tem) \
7180 + : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
7182 +#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7183 + typecheck(u32 *, uaddr); \
7184 asm volatile("1:\t" insn "\n" \
7185 "2:\t.section .fixup,\"ax\"\n" \
7186 "3:\tmov\t%3, %1\n" \
7189 _ASM_EXTABLE(1b, 3b) \
7190 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7191 + : "=r" (oldval), "=r" (ret), \
7192 + "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))\
7193 : "i" (-EFAULT), "0" (oparg), "1" (0))
7195 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7196 + typecheck(u32 *, uaddr); \
7197 asm volatile("1:\tmovl %2, %0\n" \
7198 "\tmovl\t%0, %3\n" \
7201 _ASM_EXTABLE(1b, 4b) \
7202 _ASM_EXTABLE(2b, 4b) \
7203 : "=&a" (oldval), "=&r" (ret), \
7204 - "+m" (*uaddr), "=&r" (tem) \
7205 + "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4)),\
7207 : "r" (oparg), "i" (-EFAULT), "1" (0))
7210 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7211 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7213 int op = (encoded_op >> 28) & 7;
7214 int cmp = (encoded_op >> 24) & 15;
7215 @@ -61,11 +100,20 @@ static inline int futex_atomic_op_inuser
7219 +#ifdef CONFIG_X86_32
7220 + __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
7222 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7226 +#ifdef CONFIG_X86_32
7227 + __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
7230 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7235 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
7236 @@ -109,7 +157,7 @@ static inline int futex_atomic_op_inuser
7240 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7241 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7245 @@ -119,17 +167,31 @@ static inline int futex_atomic_cmpxchg_i
7249 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7250 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7253 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7254 - "2:\t.section .fixup, \"ax\"\n"
7256 +#ifdef CONFIG_X86_32
7257 + "\tmovw %w5, %%ds\n"
7258 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %%ds:%1\n"
7259 + "2:\tpushl %%ss\n"
7262 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7265 + "\t.section .fixup, \"ax\"\n"
7269 _ASM_EXTABLE(1b, 3b)
7270 +#ifdef CONFIG_X86_32
7271 : "=a" (oldval), "+m" (*uaddr)
7272 + : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
7274 + : "=a" (oldval), "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))
7275 : "i" (-EFAULT), "r" (newval), "0" (oldval)
7280 diff -urNp linux-2.6.35.4/arch/x86/include/asm/i387.h linux-2.6.35.4/arch/x86/include/asm/i387.h
7281 --- linux-2.6.35.4/arch/x86/include/asm/i387.h 2010-08-26 19:47:12.000000000 -0400
7282 +++ linux-2.6.35.4/arch/x86/include/asm/i387.h 2010-09-17 20:12:09.000000000 -0400
7283 @@ -77,6 +77,11 @@ static inline int fxrstor_checking(struc
7287 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7288 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7289 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7292 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
7294 ".section .fixup,\"ax\"\n"
7295 @@ -127,6 +132,11 @@ static inline int fxsave_user(struct i38
7299 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7300 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7301 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7304 asm volatile("1: rex64/fxsave (%[fx])\n\t"
7306 ".section .fixup,\"ax\"\n"
7307 @@ -220,13 +230,8 @@ static inline int fxrstor_checking(struc
7310 /* We need a safe address that is cheap to find and that is already
7311 - in L1 during context switch. The best choices are unfortunately
7312 - different for UP and SMP */
7314 -#define safe_address (__per_cpu_offset[0])
7316 -#define safe_address (kstat_cpu(0).cpustat.user)
7318 + in L1 during context switch. */
7319 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7322 * These must be called with preempt disabled
7323 diff -urNp linux-2.6.35.4/arch/x86/include/asm/io.h linux-2.6.35.4/arch/x86/include/asm/io.h
7324 --- linux-2.6.35.4/arch/x86/include/asm/io.h 2010-08-26 19:47:12.000000000 -0400
7325 +++ linux-2.6.35.4/arch/x86/include/asm/io.h 2010-09-17 20:12:09.000000000 -0400
7326 @@ -213,6 +213,17 @@ extern void iounmap(volatile void __iome
7328 #include <linux/vmalloc.h>
7330 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7331 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7333 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7336 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7338 + return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7342 * Convert a virtual cached pointer to an uncached pointer
7344 diff -urNp linux-2.6.35.4/arch/x86/include/asm/iommu.h linux-2.6.35.4/arch/x86/include/asm/iommu.h
7345 --- linux-2.6.35.4/arch/x86/include/asm/iommu.h 2010-08-26 19:47:12.000000000 -0400
7346 +++ linux-2.6.35.4/arch/x86/include/asm/iommu.h 2010-09-17 20:12:09.000000000 -0400
7348 #ifndef _ASM_X86_IOMMU_H
7349 #define _ASM_X86_IOMMU_H
7351 -extern struct dma_map_ops nommu_dma_ops;
7352 +extern const struct dma_map_ops nommu_dma_ops;
7353 extern int force_iommu, no_iommu;
7354 extern int iommu_detected;
7355 extern int iommu_pass_through;
7356 diff -urNp linux-2.6.35.4/arch/x86/include/asm/irqflags.h linux-2.6.35.4/arch/x86/include/asm/irqflags.h
7357 --- linux-2.6.35.4/arch/x86/include/asm/irqflags.h 2010-08-26 19:47:12.000000000 -0400
7358 +++ linux-2.6.35.4/arch/x86/include/asm/irqflags.h 2010-09-17 20:12:09.000000000 -0400
7359 @@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
7363 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
7364 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7365 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
7366 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7369 #define INTERRUPT_RETURN iret
7370 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
7371 diff -urNp linux-2.6.35.4/arch/x86/include/asm/kvm_host.h linux-2.6.35.4/arch/x86/include/asm/kvm_host.h
7372 --- linux-2.6.35.4/arch/x86/include/asm/kvm_host.h 2010-08-26 19:47:12.000000000 -0400
7373 +++ linux-2.6.35.4/arch/x86/include/asm/kvm_host.h 2010-09-17 20:12:09.000000000 -0400
7374 @@ -536,7 +536,7 @@ struct kvm_x86_ops {
7375 const struct trace_print_flags *exit_reasons_str;
7378 -extern struct kvm_x86_ops *kvm_x86_ops;
7379 +extern const struct kvm_x86_ops *kvm_x86_ops;
7381 int kvm_mmu_module_init(void);
7382 void kvm_mmu_module_exit(void);
7383 diff -urNp linux-2.6.35.4/arch/x86/include/asm/local.h linux-2.6.35.4/arch/x86/include/asm/local.h
7384 --- linux-2.6.35.4/arch/x86/include/asm/local.h 2010-08-26 19:47:12.000000000 -0400
7385 +++ linux-2.6.35.4/arch/x86/include/asm/local.h 2010-09-17 20:12:09.000000000 -0400
7386 @@ -18,26 +18,90 @@ typedef struct {
7388 static inline void local_inc(local_t *l)
7390 - asm volatile(_ASM_INC "%0"
7391 + asm volatile(_ASM_INC "%0\n"
7393 +#ifdef CONFIG_PAX_REFCOUNT
7394 +#ifdef CONFIG_X86_32
7400 + ".pushsection .fixup,\"ax\"\n"
7405 + _ASM_EXTABLE(0b, 1b)
7408 : "+m" (l->a.counter));
7411 static inline void local_dec(local_t *l)
7413 - asm volatile(_ASM_DEC "%0"
7414 + asm volatile(_ASM_DEC "%0\n"
7416 +#ifdef CONFIG_PAX_REFCOUNT
7417 +#ifdef CONFIG_X86_32
7423 + ".pushsection .fixup,\"ax\"\n"
7428 + _ASM_EXTABLE(0b, 1b)
7431 : "+m" (l->a.counter));
7434 static inline void local_add(long i, local_t *l)
7436 - asm volatile(_ASM_ADD "%1,%0"
7437 + asm volatile(_ASM_ADD "%1,%0\n"
7439 +#ifdef CONFIG_PAX_REFCOUNT
7440 +#ifdef CONFIG_X86_32
7446 + ".pushsection .fixup,\"ax\"\n"
7448 + _ASM_SUB "%1,%0\n"
7451 + _ASM_EXTABLE(0b, 1b)
7454 : "+m" (l->a.counter)
7458 static inline void local_sub(long i, local_t *l)
7460 - asm volatile(_ASM_SUB "%1,%0"
7461 + asm volatile(_ASM_SUB "%1,%0\n"
7463 +#ifdef CONFIG_PAX_REFCOUNT
7464 +#ifdef CONFIG_X86_32
7470 + ".pushsection .fixup,\"ax\"\n"
7472 + _ASM_ADD "%1,%0\n"
7475 + _ASM_EXTABLE(0b, 1b)
7478 : "+m" (l->a.counter)
7481 @@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
7485 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7486 + asm volatile(_ASM_SUB "%2,%0\n"
7488 +#ifdef CONFIG_PAX_REFCOUNT
7489 +#ifdef CONFIG_X86_32
7495 + ".pushsection .fixup,\"ax\"\n"
7497 + _ASM_ADD "%2,%0\n"
7500 + _ASM_EXTABLE(0b, 1b)
7504 : "+m" (l->a.counter), "=qm" (c)
7505 : "ir" (i) : "memory");
7507 @@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
7511 - asm volatile(_ASM_DEC "%0; sete %1"
7512 + asm volatile(_ASM_DEC "%0\n"
7514 +#ifdef CONFIG_PAX_REFCOUNT
7515 +#ifdef CONFIG_X86_32
7521 + ".pushsection .fixup,\"ax\"\n"
7526 + _ASM_EXTABLE(0b, 1b)
7530 : "+m" (l->a.counter), "=qm" (c)
7533 @@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
7537 - asm volatile(_ASM_INC "%0; sete %1"
7538 + asm volatile(_ASM_INC "%0\n"
7540 +#ifdef CONFIG_PAX_REFCOUNT
7541 +#ifdef CONFIG_X86_32
7547 + ".pushsection .fixup,\"ax\"\n"
7552 + _ASM_EXTABLE(0b, 1b)
7556 : "+m" (l->a.counter), "=qm" (c)
7559 @@ -110,7 +225,24 @@ static inline int local_add_negative(lon
7563 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7564 + asm volatile(_ASM_ADD "%2,%0\n"
7566 +#ifdef CONFIG_PAX_REFCOUNT
7567 +#ifdef CONFIG_X86_32
7573 + ".pushsection .fixup,\"ax\"\n"
7575 + _ASM_SUB "%2,%0\n"
7578 + _ASM_EXTABLE(0b, 1b)
7582 : "+m" (l->a.counter), "=qm" (c)
7583 : "ir" (i) : "memory");
7585 @@ -133,7 +265,23 @@ static inline long local_add_return(long
7587 /* Modern 486+ processor */
7589 - asm volatile(_ASM_XADD "%0, %1;"
7590 + asm volatile(_ASM_XADD "%0, %1\n"
7592 +#ifdef CONFIG_PAX_REFCOUNT
7593 +#ifdef CONFIG_X86_32
7599 + ".pushsection .fixup,\"ax\"\n"
7601 + _ASM_MOV "%0,%1\n"
7604 + _ASM_EXTABLE(0b, 1b)
7607 : "+r" (i), "+m" (l->a.counter)
7610 diff -urNp linux-2.6.35.4/arch/x86/include/asm/mc146818rtc.h linux-2.6.35.4/arch/x86/include/asm/mc146818rtc.h
7611 --- linux-2.6.35.4/arch/x86/include/asm/mc146818rtc.h 2010-08-26 19:47:12.000000000 -0400
7612 +++ linux-2.6.35.4/arch/x86/include/asm/mc146818rtc.h 2010-09-17 20:12:09.000000000 -0400
7613 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
7615 #define lock_cmos_prefix(reg) do {} while (0)
7616 #define lock_cmos_suffix(reg) do {} while (0)
7617 -#define lock_cmos(reg)
7618 -#define unlock_cmos()
7619 +#define lock_cmos(reg) do {} while (0)
7620 +#define unlock_cmos() do {} while (0)
7621 #define do_i_have_lock_cmos() 0
7622 #define current_lock_cmos_reg() 0
7624 diff -urNp linux-2.6.35.4/arch/x86/include/asm/microcode.h linux-2.6.35.4/arch/x86/include/asm/microcode.h
7625 --- linux-2.6.35.4/arch/x86/include/asm/microcode.h 2010-08-26 19:47:12.000000000 -0400
7626 +++ linux-2.6.35.4/arch/x86/include/asm/microcode.h 2010-09-17 20:12:09.000000000 -0400
7627 @@ -12,13 +12,13 @@ struct device;
7628 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7630 struct microcode_ops {
7631 - enum ucode_state (*request_microcode_user) (int cpu,
7632 + enum ucode_state (* const request_microcode_user) (int cpu,
7633 const void __user *buf, size_t size);
7635 - enum ucode_state (*request_microcode_fw) (int cpu,
7636 + enum ucode_state (* const request_microcode_fw) (int cpu,
7637 struct device *device);
7639 - void (*microcode_fini_cpu) (int cpu);
7640 + void (* const microcode_fini_cpu) (int cpu);
7643 * The generic 'microcode_core' part guarantees that
7644 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
7645 extern struct ucode_cpu_info ucode_cpu_info[];
7647 #ifdef CONFIG_MICROCODE_INTEL
7648 -extern struct microcode_ops * __init init_intel_microcode(void);
7649 +extern const struct microcode_ops * __init init_intel_microcode(void);
7651 -static inline struct microcode_ops * __init init_intel_microcode(void)
7652 +static inline const struct microcode_ops * __init init_intel_microcode(void)
7656 #endif /* CONFIG_MICROCODE_INTEL */
7658 #ifdef CONFIG_MICROCODE_AMD
7659 -extern struct microcode_ops * __init init_amd_microcode(void);
7660 +extern const struct microcode_ops * __init init_amd_microcode(void);
7662 -static inline struct microcode_ops * __init init_amd_microcode(void)
7663 +static inline const struct microcode_ops * __init init_amd_microcode(void)
7667 diff -urNp linux-2.6.35.4/arch/x86/include/asm/mman.h linux-2.6.35.4/arch/x86/include/asm/mman.h
7668 --- linux-2.6.35.4/arch/x86/include/asm/mman.h 2010-08-26 19:47:12.000000000 -0400
7669 +++ linux-2.6.35.4/arch/x86/include/asm/mman.h 2010-09-17 20:12:09.000000000 -0400
7672 #include <asm-generic/mman.h>
7675 +#ifndef __ASSEMBLY__
7676 +#ifdef CONFIG_X86_32
7677 +#define arch_mmap_check i386_mmap_check
7678 +int i386_mmap_check(unsigned long addr, unsigned long len,
7679 + unsigned long flags);
7684 #endif /* _ASM_X86_MMAN_H */
7685 diff -urNp linux-2.6.35.4/arch/x86/include/asm/mmu_context.h linux-2.6.35.4/arch/x86/include/asm/mmu_context.h
7686 --- linux-2.6.35.4/arch/x86/include/asm/mmu_context.h 2010-08-26 19:47:12.000000000 -0400
7687 +++ linux-2.6.35.4/arch/x86/include/asm/mmu_context.h 2010-09-17 20:12:09.000000000 -0400
7688 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
7690 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
7693 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7697 + pax_open_kernel();
7698 + pgd = get_cpu_pgd(smp_processor_id());
7699 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
7700 + if (paravirt_enabled())
7701 + set_pgd(pgd+i, native_make_pgd(0));
7703 + pgd[i] = native_make_pgd(0);
7704 + pax_close_kernel();
7708 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
7709 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
7710 @@ -34,27 +49,70 @@ static inline void switch_mm(struct mm_s
7711 struct task_struct *tsk)
7713 unsigned cpu = smp_processor_id();
7714 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
7715 + int tlbstate = TLBSTATE_OK;
7718 if (likely(prev != next)) {
7719 /* stop flush ipis for the previous mm */
7720 cpumask_clear_cpu(cpu, mm_cpumask(prev));
7722 +#ifdef CONFIG_X86_32
7723 + tlbstate = percpu_read(cpu_tlbstate.state);
7725 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7726 percpu_write(cpu_tlbstate.active_mm, next);
7728 cpumask_set_cpu(cpu, mm_cpumask(next));
7730 /* Re-load page tables */
7731 +#ifdef CONFIG_PAX_PER_CPU_PGD
7732 + pax_open_kernel();
7733 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7734 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7735 + pax_close_kernel();
7736 + load_cr3(get_cpu_pgd(cpu));
7738 load_cr3(next->pgd);
7742 * load the LDT, if the LDT is different:
7744 if (unlikely(prev->context.ldt != next->context.ldt))
7745 load_LDT_nolock(&next->context);
7748 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7749 + if (!(__supported_pte_mask & _PAGE_NX)) {
7750 + smp_mb__before_clear_bit();
7751 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
7752 + smp_mb__after_clear_bit();
7753 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7757 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7758 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
7759 + prev->context.user_cs_limit != next->context.user_cs_limit))
7760 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7762 + else if (unlikely(tlbstate != TLBSTATE_OK))
7763 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7770 +#ifdef CONFIG_PAX_PER_CPU_PGD
7771 + pax_open_kernel();
7772 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7773 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7774 + pax_close_kernel();
7775 + load_cr3(get_cpu_pgd(cpu));
7779 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7780 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
7782 @@ -63,11 +121,28 @@ static inline void switch_mm(struct mm_s
7783 * tlb flush IPI delivery. We must reload CR3
7784 * to make sure to use no freed page tables.
7787 +#ifndef CONFIG_PAX_PER_CPU_PGD
7788 load_cr3(next->pgd);
7791 load_LDT_nolock(&next->context);
7793 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
7794 + if (!(__supported_pte_mask & _PAGE_NX))
7795 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7798 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7799 +#ifdef CONFIG_PAX_PAGEEXEC
7800 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
7802 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7811 #define activate_mm(prev, next) \
7812 diff -urNp linux-2.6.35.4/arch/x86/include/asm/mmu.h linux-2.6.35.4/arch/x86/include/asm/mmu.h
7813 --- linux-2.6.35.4/arch/x86/include/asm/mmu.h 2010-08-26 19:47:12.000000000 -0400
7814 +++ linux-2.6.35.4/arch/x86/include/asm/mmu.h 2010-09-17 20:12:09.000000000 -0400
7816 * we put the segment information here.
7820 + struct desc_struct *ldt;
7824 + unsigned long vdso;
7826 +#ifdef CONFIG_X86_32
7827 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7828 + unsigned long user_cs_base;
7829 + unsigned long user_cs_limit;
7831 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7832 + cpumask_t cpu_user_cs_mask;
7841 diff -urNp linux-2.6.35.4/arch/x86/include/asm/module.h linux-2.6.35.4/arch/x86/include/asm/module.h
7842 --- linux-2.6.35.4/arch/x86/include/asm/module.h 2010-08-26 19:47:12.000000000 -0400
7843 +++ linux-2.6.35.4/arch/x86/include/asm/module.h 2010-09-17 20:12:37.000000000 -0400
7845 #error unknown processor family
7848 +#ifdef CONFIG_PAX_MEMORY_UDEREF
7849 +#define MODULE_PAX_UDEREF "UDEREF "
7851 +#define MODULE_PAX_UDEREF ""
7854 #ifdef CONFIG_X86_32
7855 # ifdef CONFIG_4KSTACKS
7856 # define MODULE_STACKSIZE "4KSTACKS "
7858 # define MODULE_STACKSIZE ""
7860 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
7861 +# ifdef CONFIG_PAX_KERNEXEC
7862 +# define MODULE_PAX_KERNEXEC "KERNEXEC "
7864 +# define MODULE_PAX_KERNEXEC ""
7866 +# ifdef CONFIG_GRKERNSEC
7867 +# define MODULE_GRSEC "GRSECURITY "
7869 +# define MODULE_GRSEC ""
7871 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
7873 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
7876 #endif /* _ASM_X86_MODULE_H */
7877 diff -urNp linux-2.6.35.4/arch/x86/include/asm/page_32_types.h linux-2.6.35.4/arch/x86/include/asm/page_32_types.h
7878 --- linux-2.6.35.4/arch/x86/include/asm/page_32_types.h 2010-08-26 19:47:12.000000000 -0400
7879 +++ linux-2.6.35.4/arch/x86/include/asm/page_32_types.h 2010-09-17 20:12:09.000000000 -0400
7882 #define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
7884 +#ifdef CONFIG_PAX_PAGEEXEC
7885 +#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
7888 #ifdef CONFIG_4KSTACKS
7889 #define THREAD_ORDER 0
7891 diff -urNp linux-2.6.35.4/arch/x86/include/asm/paravirt.h linux-2.6.35.4/arch/x86/include/asm/paravirt.h
7892 --- linux-2.6.35.4/arch/x86/include/asm/paravirt.h 2010-08-26 19:47:12.000000000 -0400
7893 +++ linux-2.6.35.4/arch/x86/include/asm/paravirt.h 2010-09-17 20:12:09.000000000 -0400
7894 @@ -720,6 +720,21 @@ static inline void __set_fixmap(unsigned
7895 pv_mmu_ops.set_fixmap(idx, phys, flags);
7898 +#ifdef CONFIG_PAX_KERNEXEC
7899 +static inline unsigned long pax_open_kernel(void)
7901 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
7904 +static inline unsigned long pax_close_kernel(void)
7906 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
7909 +static inline unsigned long pax_open_kernel(void) { return 0; }
7910 +static inline unsigned long pax_close_kernel(void) { return 0; }
7913 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
7915 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
7916 @@ -936,7 +951,7 @@ extern void default_banner(void);
7918 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
7919 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
7920 -#define PARA_INDIRECT(addr) *%cs:addr
7921 +#define PARA_INDIRECT(addr) *%ss:addr
7924 #define INTERRUPT_RETURN \
7925 @@ -1013,6 +1028,21 @@ extern void default_banner(void);
7926 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
7928 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
7930 +#define GET_CR0_INTO_RDI \
7931 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7934 +#define SET_RDI_INTO_CR0 \
7935 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
7937 +#define GET_CR3_INTO_RDI \
7938 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
7941 +#define SET_RDI_INTO_CR3 \
7942 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
7944 #endif /* CONFIG_X86_32 */
7946 #endif /* __ASSEMBLY__ */
7947 diff -urNp linux-2.6.35.4/arch/x86/include/asm/paravirt_types.h linux-2.6.35.4/arch/x86/include/asm/paravirt_types.h
7948 --- linux-2.6.35.4/arch/x86/include/asm/paravirt_types.h 2010-08-26 19:47:12.000000000 -0400
7949 +++ linux-2.6.35.4/arch/x86/include/asm/paravirt_types.h 2010-09-17 20:12:09.000000000 -0400
7950 @@ -312,6 +312,12 @@ struct pv_mmu_ops {
7951 an mfn. We can tell which is which from the index. */
7952 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
7953 phys_addr_t phys, pgprot_t flags);
7955 +#ifdef CONFIG_PAX_KERNEXEC
7956 + unsigned long (*pax_open_kernel)(void);
7957 + unsigned long (*pax_close_kernel)(void);
7962 struct arch_spinlock;
7963 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pci_x86.h linux-2.6.35.4/arch/x86/include/asm/pci_x86.h
7964 --- linux-2.6.35.4/arch/x86/include/asm/pci_x86.h 2010-08-26 19:47:12.000000000 -0400
7965 +++ linux-2.6.35.4/arch/x86/include/asm/pci_x86.h 2010-09-17 20:12:09.000000000 -0400
7966 @@ -91,16 +91,16 @@ extern int (*pcibios_enable_irq)(struct
7967 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
7969 struct pci_raw_ops {
7970 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
7971 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
7972 int reg, int len, u32 *val);
7973 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
7974 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
7975 int reg, int len, u32 val);
7978 -extern struct pci_raw_ops *raw_pci_ops;
7979 -extern struct pci_raw_ops *raw_pci_ext_ops;
7980 +extern const struct pci_raw_ops *raw_pci_ops;
7981 +extern const struct pci_raw_ops *raw_pci_ext_ops;
7983 -extern struct pci_raw_ops pci_direct_conf1;
7984 +extern const struct pci_raw_ops pci_direct_conf1;
7985 extern bool port_cf9_safe;
7987 /* arch_initcall level */
7988 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgalloc.h linux-2.6.35.4/arch/x86/include/asm/pgalloc.h
7989 --- linux-2.6.35.4/arch/x86/include/asm/pgalloc.h 2010-08-26 19:47:12.000000000 -0400
7990 +++ linux-2.6.35.4/arch/x86/include/asm/pgalloc.h 2010-09-17 20:12:09.000000000 -0400
7991 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
7992 pmd_t *pmd, pte_t *pte)
7994 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
7995 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
7998 +static inline void pmd_populate_user(struct mm_struct *mm,
7999 + pmd_t *pmd, pte_t *pte)
8001 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8002 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8005 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable-2level.h linux-2.6.35.4/arch/x86/include/asm/pgtable-2level.h
8006 --- linux-2.6.35.4/arch/x86/include/asm/pgtable-2level.h 2010-08-26 19:47:12.000000000 -0400
8007 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable-2level.h 2010-09-17 20:12:09.000000000 -0400
8008 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8010 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8012 + pax_open_kernel();
8014 + pax_close_kernel();
8017 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8018 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_32.h linux-2.6.35.4/arch/x86/include/asm/pgtable_32.h
8019 --- linux-2.6.35.4/arch/x86/include/asm/pgtable_32.h 2010-08-26 19:47:12.000000000 -0400
8020 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable_32.h 2010-09-17 20:12:09.000000000 -0400
8023 struct vm_area_struct;
8025 -extern pgd_t swapper_pg_dir[1024];
8027 static inline void pgtable_cache_init(void) { }
8028 static inline void check_pgt_cache(void) { }
8029 void paging_init(void);
8030 @@ -47,6 +45,11 @@ extern void set_pmd_pfn(unsigned long, u
8031 # include <asm/pgtable-2level.h>
8034 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8035 +#ifdef CONFIG_X86_PAE
8036 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8039 #if defined(CONFIG_HIGHPTE)
8041 (in_nmi() ? KM_NMI_PTE : \
8042 @@ -71,7 +74,9 @@ extern void set_pmd_pfn(unsigned long, u
8043 /* Clear a kernel PTE and flush it from the TLB */
8044 #define kpte_clear_flush(ptep, vaddr) \
8046 + pax_open_kernel(); \
8047 pte_clear(&init_mm, (vaddr), (ptep)); \
8048 + pax_close_kernel(); \
8049 __flush_tlb_one((vaddr)); \
8052 @@ -83,6 +88,9 @@ do { \
8054 #endif /* !__ASSEMBLY__ */
8056 +#define HAVE_ARCH_UNMAPPED_AREA
8057 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8060 * kern_addr_valid() is (1) for FLATMEM and (0) for
8061 * SPARSEMEM and DISCONTIGMEM
8062 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_32_types.h linux-2.6.35.4/arch/x86/include/asm/pgtable_32_types.h
8063 --- linux-2.6.35.4/arch/x86/include/asm/pgtable_32_types.h 2010-08-26 19:47:12.000000000 -0400
8064 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable_32_types.h 2010-09-17 20:12:09.000000000 -0400
8067 #ifdef CONFIG_X86_PAE
8068 # include <asm/pgtable-3level_types.h>
8069 -# define PMD_SIZE (1UL << PMD_SHIFT)
8070 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8071 # define PMD_MASK (~(PMD_SIZE - 1))
8073 # include <asm/pgtable-2level_types.h>
8074 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8075 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8078 +#ifdef CONFIG_PAX_KERNEXEC
8079 +#ifndef __ASSEMBLY__
8080 +extern unsigned char MODULES_EXEC_VADDR[];
8081 +extern unsigned char MODULES_EXEC_END[];
8083 +#include <asm/boot.h>
8084 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8085 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8087 +#define ktla_ktva(addr) (addr)
8088 +#define ktva_ktla(addr) (addr)
8091 #define MODULES_VADDR VMALLOC_START
8092 #define MODULES_END VMALLOC_END
8093 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
8094 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable-3level.h linux-2.6.35.4/arch/x86/include/asm/pgtable-3level.h
8095 --- linux-2.6.35.4/arch/x86/include/asm/pgtable-3level.h 2010-08-26 19:47:12.000000000 -0400
8096 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable-3level.h 2010-09-17 20:12:09.000000000 -0400
8097 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8099 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8101 + pax_open_kernel();
8102 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8103 + pax_close_kernel();
8106 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8108 + pax_open_kernel();
8109 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8110 + pax_close_kernel();
8114 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_64.h linux-2.6.35.4/arch/x86/include/asm/pgtable_64.h
8115 --- linux-2.6.35.4/arch/x86/include/asm/pgtable_64.h 2010-08-26 19:47:12.000000000 -0400
8116 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable_64.h 2010-09-17 20:12:09.000000000 -0400
8119 extern pud_t level3_kernel_pgt[512];
8120 extern pud_t level3_ident_pgt[512];
8121 +extern pud_t level3_vmalloc_pgt[512];
8122 +extern pud_t level3_vmemmap_pgt[512];
8123 +extern pud_t level2_vmemmap_pgt[512];
8124 extern pmd_t level2_kernel_pgt[512];
8125 extern pmd_t level2_fixmap_pgt[512];
8126 -extern pmd_t level2_ident_pgt[512];
8127 -extern pgd_t init_level4_pgt[];
8128 +extern pmd_t level2_ident_pgt[512*2];
8129 +extern pgd_t init_level4_pgt[512];
8131 #define swapper_pg_dir init_level4_pgt
8133 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
8135 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8137 + pax_open_kernel();
8139 + pax_close_kernel();
8142 static inline void native_pmd_clear(pmd_t *pmd)
8143 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
8145 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8147 + pax_open_kernel();
8149 + pax_close_kernel();
8152 static inline void native_pgd_clear(pgd_t *pgd)
8153 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_64_types.h linux-2.6.35.4/arch/x86/include/asm/pgtable_64_types.h
8154 --- linux-2.6.35.4/arch/x86/include/asm/pgtable_64_types.h 2010-08-26 19:47:12.000000000 -0400
8155 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable_64_types.h 2010-09-17 20:12:09.000000000 -0400
8156 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8157 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8158 #define MODULES_END _AC(0xffffffffff000000, UL)
8159 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8160 +#define MODULES_EXEC_VADDR MODULES_VADDR
8161 +#define MODULES_EXEC_END MODULES_END
8163 +#define ktla_ktva(addr) (addr)
8164 +#define ktva_ktla(addr) (addr)
8166 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8167 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable.h linux-2.6.35.4/arch/x86/include/asm/pgtable.h
8168 --- linux-2.6.35.4/arch/x86/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
8169 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
8170 @@ -76,12 +76,51 @@ extern struct list_head pgd_list;
8172 #define arch_end_context_switch(prev) do {} while(0)
8174 +#define pax_open_kernel() native_pax_open_kernel()
8175 +#define pax_close_kernel() native_pax_close_kernel()
8176 #endif /* CONFIG_PARAVIRT */
8178 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8179 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8181 +#ifdef CONFIG_PAX_KERNEXEC
8182 +static inline unsigned long native_pax_open_kernel(void)
8184 + unsigned long cr0;
8186 + preempt_disable();
8188 + cr0 = read_cr0() ^ X86_CR0_WP;
8189 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8191 + return cr0 ^ X86_CR0_WP;
8194 +static inline unsigned long native_pax_close_kernel(void)
8196 + unsigned long cr0;
8198 + cr0 = read_cr0() ^ X86_CR0_WP;
8199 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8202 + preempt_enable_no_resched();
8203 + return cr0 ^ X86_CR0_WP;
8206 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8207 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8211 * The following only work if pte_present() is true.
8212 * Undefined behaviour if not..
8214 +static inline int pte_user(pte_t pte)
8216 + return pte_val(pte) & _PAGE_USER;
8219 static inline int pte_dirty(pte_t pte)
8221 return pte_flags(pte) & _PAGE_DIRTY;
8222 @@ -169,9 +208,29 @@ static inline pte_t pte_wrprotect(pte_t
8223 return pte_clear_flags(pte, _PAGE_RW);
8226 +static inline pte_t pte_mkread(pte_t pte)
8228 + return __pte(pte_val(pte) | _PAGE_USER);
8231 static inline pte_t pte_mkexec(pte_t pte)
8233 - return pte_clear_flags(pte, _PAGE_NX);
8234 +#ifdef CONFIG_X86_PAE
8235 + if (__supported_pte_mask & _PAGE_NX)
8236 + return pte_clear_flags(pte, _PAGE_NX);
8239 + return pte_set_flags(pte, _PAGE_USER);
8242 +static inline pte_t pte_exprotect(pte_t pte)
8244 +#ifdef CONFIG_X86_PAE
8245 + if (__supported_pte_mask & _PAGE_NX)
8246 + return pte_set_flags(pte, _PAGE_NX);
8249 + return pte_clear_flags(pte, _PAGE_USER);
8252 static inline pte_t pte_mkdirty(pte_t pte)
8253 @@ -304,6 +363,15 @@ pte_t *populate_extra_pte(unsigned long
8256 #ifndef __ASSEMBLY__
8258 +#ifdef CONFIG_PAX_PER_CPU_PGD
8259 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8260 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8262 + return cpu_pgd[cpu];
8266 #include <linux/mm_types.h>
8268 static inline int pte_none(pte_t pte)
8269 @@ -474,7 +542,7 @@ static inline pud_t *pud_offset(pgd_t *p
8271 static inline int pgd_bad(pgd_t pgd)
8273 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8274 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8277 static inline int pgd_none(pgd_t pgd)
8278 @@ -497,7 +565,12 @@ static inline int pgd_none(pgd_t pgd)
8279 * pgd_offset() returns a (pgd_t *)
8280 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8282 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8283 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8285 +#ifdef CONFIG_PAX_PER_CPU_PGD
8286 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8290 * a shortcut which implies the use of the kernel's pgd, instead
8292 @@ -508,6 +581,20 @@ static inline int pgd_none(pgd_t pgd)
8293 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8294 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8296 +#ifdef CONFIG_X86_32
8297 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8299 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8300 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8302 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8303 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8305 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8310 #ifndef __ASSEMBLY__
8312 extern int direct_gbpages;
8313 @@ -613,11 +700,23 @@ static inline void ptep_set_wrprotect(st
8314 * dst and src can be on the same page, but the range must not overlap,
8315 * and must not cross a page boundary.
8317 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8318 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8320 - memcpy(dst, src, count * sizeof(pgd_t));
8321 + pax_open_kernel();
8324 + pax_close_kernel();
8327 +#ifdef CONFIG_PAX_PER_CPU_PGD
8328 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8331 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8332 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8334 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8337 #include <asm-generic/pgtable.h>
8338 #endif /* __ASSEMBLY__ */
8339 diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_types.h linux-2.6.35.4/arch/x86/include/asm/pgtable_types.h
8340 --- linux-2.6.35.4/arch/x86/include/asm/pgtable_types.h 2010-08-26 19:47:12.000000000 -0400
8341 +++ linux-2.6.35.4/arch/x86/include/asm/pgtable_types.h 2010-09-17 20:12:09.000000000 -0400
8343 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8344 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8345 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8346 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8347 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8348 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8349 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8350 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8351 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8352 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8353 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8354 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8356 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8358 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8359 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8360 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8361 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8362 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8363 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8364 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8367 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8368 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8370 +#elif defined(CONFIG_KMEMCHECK)
8371 #define _PAGE_NX (_AT(pteval_t, 0))
8373 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8376 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
8378 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8381 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8382 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8384 #define __PAGE_KERNEL_EXEC \
8385 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8386 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8388 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8389 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8390 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8391 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8392 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8393 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8394 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8395 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8396 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8397 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8399 * bits are combined, this will alow user to access the high address mapped
8400 * VDSO in the presence of CONFIG_COMPAT_VDSO
8402 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8403 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8404 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8405 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8406 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
8409 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8411 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8415 +#if PAGETABLE_LEVELS == 3
8416 +#include <asm-generic/pgtable-nopud.h>
8419 +#if PAGETABLE_LEVELS == 2
8420 +#include <asm-generic/pgtable-nopmd.h>
8423 +#ifndef __ASSEMBLY__
8424 #if PAGETABLE_LEVELS > 3
8425 typedef struct { pudval_t pud; } pud_t;
8427 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
8431 -#include <asm-generic/pgtable-nopud.h>
8433 static inline pudval_t native_pud_val(pud_t pud)
8435 return native_pgd_val(pud.pgd);
8436 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
8440 -#include <asm-generic/pgtable-nopmd.h>
8442 static inline pmdval_t native_pmd_val(pmd_t pmd)
8444 return native_pgd_val(pmd.pud.pgd);
8445 @@ -278,7 +287,6 @@ typedef struct page *pgtable_t;
8447 extern pteval_t __supported_pte_mask;
8448 extern void set_nx(void);
8449 -extern int nx_enabled;
8451 #define pgprot_writecombine pgprot_writecombine
8452 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8453 diff -urNp linux-2.6.35.4/arch/x86/include/asm/processor.h linux-2.6.35.4/arch/x86/include/asm/processor.h
8454 --- linux-2.6.35.4/arch/x86/include/asm/processor.h 2010-08-26 19:47:12.000000000 -0400
8455 +++ linux-2.6.35.4/arch/x86/include/asm/processor.h 2010-09-17 20:12:09.000000000 -0400
8456 @@ -269,7 +269,7 @@ struct tss_struct {
8458 } ____cacheline_aligned;
8460 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8461 +extern struct tss_struct init_tss[NR_CPUS];
8464 * Save the original ist values for checking stack pointers during debugging
8465 @@ -884,8 +884,15 @@ static inline void spin_lock_prefetch(co
8467 #define TASK_SIZE PAGE_OFFSET
8468 #define TASK_SIZE_MAX TASK_SIZE
8470 +#ifdef CONFIG_PAX_SEGMEXEC
8471 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8472 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8474 #define STACK_TOP TASK_SIZE
8475 -#define STACK_TOP_MAX STACK_TOP
8478 +#define STACK_TOP_MAX TASK_SIZE
8480 #define INIT_THREAD { \
8481 .sp0 = sizeof(init_stack) + (long)&init_stack, \
8482 @@ -902,7 +909,7 @@ static inline void spin_lock_prefetch(co
8484 #define INIT_TSS { \
8486 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
8487 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8488 .ss0 = __KERNEL_DS, \
8489 .ss1 = __KERNEL_CS, \
8490 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
8491 @@ -913,11 +920,7 @@ static inline void spin_lock_prefetch(co
8492 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8494 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8495 -#define KSTK_TOP(info) \
8497 - unsigned long *__ptr = (unsigned long *)(info); \
8498 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8500 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
8503 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
8504 @@ -932,7 +935,7 @@ extern unsigned long thread_saved_pc(str
8505 #define task_pt_regs(task) \
8507 struct pt_regs *__regs__; \
8508 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8509 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
8513 @@ -942,13 +945,13 @@ extern unsigned long thread_saved_pc(str
8515 * User space process size. 47bits minus one guard page.
8517 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8518 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8520 /* This decides where the kernel will search for a free chunk of vm
8521 * space during mmap's.
8523 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8524 - 0xc0000000 : 0xFFFFe000)
8525 + 0xc0000000 : 0xFFFFf000)
8527 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8528 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
8529 @@ -985,6 +988,10 @@ extern void start_thread(struct pt_regs
8531 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8533 +#ifdef CONFIG_PAX_SEGMEXEC
8534 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8537 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8539 /* Get/set a process' ability to use the timestamp counter instruction */
8540 diff -urNp linux-2.6.35.4/arch/x86/include/asm/ptrace.h linux-2.6.35.4/arch/x86/include/asm/ptrace.h
8541 --- linux-2.6.35.4/arch/x86/include/asm/ptrace.h 2010-08-26 19:47:12.000000000 -0400
8542 +++ linux-2.6.35.4/arch/x86/include/asm/ptrace.h 2010-09-17 20:12:09.000000000 -0400
8543 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8547 - * user_mode_vm(regs) determines whether a register set came from user mode.
8548 + * user_mode(regs) determines whether a register set came from user mode.
8549 * This is true if V8086 mode was enabled OR if the register set was from
8550 * protected mode with RPL-3 CS value. This tricky test checks that with
8551 * one comparison. Many places in the kernel can bypass this full check
8552 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8553 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8556 -static inline int user_mode(struct pt_regs *regs)
8557 +static inline int user_mode_novm(struct pt_regs *regs)
8559 #ifdef CONFIG_X86_32
8560 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8562 - return !!(regs->cs & 3);
8563 + return !!(regs->cs & SEGMENT_RPL_MASK);
8567 -static inline int user_mode_vm(struct pt_regs *regs)
8568 +static inline int user_mode(struct pt_regs *regs)
8570 #ifdef CONFIG_X86_32
8571 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8574 - return user_mode(regs);
8575 + return user_mode_novm(regs);
8579 diff -urNp linux-2.6.35.4/arch/x86/include/asm/reboot.h linux-2.6.35.4/arch/x86/include/asm/reboot.h
8580 --- linux-2.6.35.4/arch/x86/include/asm/reboot.h 2010-08-26 19:47:12.000000000 -0400
8581 +++ linux-2.6.35.4/arch/x86/include/asm/reboot.h 2010-09-17 20:12:09.000000000 -0400
8582 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8584 void native_machine_crash_shutdown(struct pt_regs *regs);
8585 void native_machine_shutdown(void);
8586 -void machine_real_restart(const unsigned char *code, int length);
8587 +void machine_real_restart(const unsigned char *code, unsigned int length);
8589 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8590 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
8591 diff -urNp linux-2.6.35.4/arch/x86/include/asm/rwsem.h linux-2.6.35.4/arch/x86/include/asm/rwsem.h
8592 --- linux-2.6.35.4/arch/x86/include/asm/rwsem.h 2010-08-26 19:47:12.000000000 -0400
8593 +++ linux-2.6.35.4/arch/x86/include/asm/rwsem.h 2010-09-17 20:12:09.000000000 -0400
8594 @@ -118,10 +118,26 @@ static inline void __down_read(struct rw
8596 asm volatile("# beginning down_read\n\t"
8597 LOCK_PREFIX _ASM_INC "(%1)\n\t"
8599 +#ifdef CONFIG_PAX_REFCOUNT
8600 +#ifdef CONFIG_X86_32
8606 + ".pushsection .fixup,\"ax\"\n"
8608 + LOCK_PREFIX _ASM_DEC "(%1)\n"
8611 + _ASM_EXTABLE(0b, 1b)
8614 /* adds 0x00000001, returns the old value */
8617 " call call_rwsem_down_read_failed\n"
8620 "# ending down_read\n\t"
8623 @@ -136,13 +152,29 @@ static inline int __down_read_trylock(st
8624 rwsem_count_t result, tmp;
8625 asm volatile("# beginning __down_read_trylock\n\t"
8633 +#ifdef CONFIG_PAX_REFCOUNT
8634 +#ifdef CONFIG_X86_32
8640 + ".pushsection .fixup,\"ax\"\n"
8645 + _ASM_EXTABLE(0b, 1b)
8649 LOCK_PREFIX " cmpxchg %2,%0\n\t"
8654 "# ending __down_read_trylock\n\t"
8655 : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
8656 : "i" (RWSEM_ACTIVE_READ_BIAS)
8657 @@ -160,12 +192,28 @@ static inline void __down_write_nested(s
8658 tmp = RWSEM_ACTIVE_WRITE_BIAS;
8659 asm volatile("# beginning down_write\n\t"
8660 LOCK_PREFIX " xadd %1,(%2)\n\t"
8662 +#ifdef CONFIG_PAX_REFCOUNT
8663 +#ifdef CONFIG_X86_32
8669 + ".pushsection .fixup,\"ax\"\n"
8674 + _ASM_EXTABLE(0b, 1b)
8677 /* subtract 0x0000ffff, returns the old value */
8679 /* was the count 0 before? */
8682 " call call_rwsem_down_write_failed\n"
8685 "# ending down_write"
8686 : "+m" (sem->count), "=d" (tmp)
8687 : "a" (sem), "1" (tmp)
8688 @@ -198,10 +246,26 @@ static inline void __up_read(struct rw_s
8689 rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
8690 asm volatile("# beginning __up_read\n\t"
8691 LOCK_PREFIX " xadd %1,(%2)\n\t"
8693 +#ifdef CONFIG_PAX_REFCOUNT
8694 +#ifdef CONFIG_X86_32
8700 + ".pushsection .fixup,\"ax\"\n"
8705 + _ASM_EXTABLE(0b, 1b)
8708 /* subtracts 1, returns the old value */
8711 " call call_rwsem_wake\n"
8714 "# ending __up_read\n"
8715 : "+m" (sem->count), "=d" (tmp)
8716 : "a" (sem), "1" (tmp)
8717 @@ -216,11 +280,27 @@ static inline void __up_write(struct rw_
8719 asm volatile("# beginning __up_write\n\t"
8720 LOCK_PREFIX " xadd %1,(%2)\n\t"
8722 +#ifdef CONFIG_PAX_REFCOUNT
8723 +#ifdef CONFIG_X86_32
8729 + ".pushsection .fixup,\"ax\"\n"
8734 + _ASM_EXTABLE(0b, 1b)
8737 /* tries to transition
8738 0xffff0001 -> 0x00000000 */
8741 " call call_rwsem_wake\n"
8744 "# ending __up_write\n"
8745 : "+m" (sem->count), "=d" (tmp)
8746 : "a" (sem), "1" (-RWSEM_ACTIVE_WRITE_BIAS)
8747 @@ -234,13 +314,29 @@ static inline void __downgrade_write(str
8749 asm volatile("# beginning __downgrade_write\n\t"
8750 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
8752 +#ifdef CONFIG_PAX_REFCOUNT
8753 +#ifdef CONFIG_X86_32
8759 + ".pushsection .fixup,\"ax\"\n"
8761 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
8764 + _ASM_EXTABLE(0b, 1b)
8768 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
8769 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
8773 " call call_rwsem_downgrade_wake\n"
8776 "# ending __downgrade_write\n"
8778 : "a" (sem), "er" (-RWSEM_WAITING_BIAS)
8779 @@ -253,7 +349,23 @@ static inline void __downgrade_write(str
8780 static inline void rwsem_atomic_add(rwsem_count_t delta,
8781 struct rw_semaphore *sem)
8783 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
8784 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
8786 +#ifdef CONFIG_PAX_REFCOUNT
8787 +#ifdef CONFIG_X86_32
8793 + ".pushsection .fixup,\"ax\"\n"
8795 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
8798 + _ASM_EXTABLE(0b, 1b)
8804 @@ -266,7 +378,23 @@ static inline rwsem_count_t rwsem_atomic
8806 rwsem_count_t tmp = delta;
8808 - asm volatile(LOCK_PREFIX "xadd %0,%1"
8809 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8811 +#ifdef CONFIG_PAX_REFCOUNT
8812 +#ifdef CONFIG_X86_32
8818 + ".pushsection .fixup,\"ax\"\n"
8823 + _ASM_EXTABLE(0b, 1b)
8826 : "+r" (tmp), "+m" (sem->count)
8829 diff -urNp linux-2.6.35.4/arch/x86/include/asm/segment.h linux-2.6.35.4/arch/x86/include/asm/segment.h
8830 --- linux-2.6.35.4/arch/x86/include/asm/segment.h 2010-08-26 19:47:12.000000000 -0400
8831 +++ linux-2.6.35.4/arch/x86/include/asm/segment.h 2010-09-17 20:12:09.000000000 -0400
8833 * 26 - ESPFIX small SS
8834 * 27 - per-cpu [ offset to per-cpu data area ]
8835 * 28 - stack_canary-20 [ for stack protector ]
8838 + * 29 - PCI BIOS CS
8839 + * 30 - PCI BIOS DS
8840 * 31 - TSS for double fault handler
8842 #define GDT_ENTRY_TLS_MIN 6
8845 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
8847 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
8849 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
8851 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
8853 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
8854 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
8856 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8857 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8859 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
8861 @@ -102,6 +104,12 @@
8862 #define __KERNEL_STACK_CANARY 0
8865 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
8866 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
8868 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
8869 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
8871 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
8877 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
8878 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
8879 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
8884 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
8885 #define __USER32_DS __USER_DS
8887 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
8889 #define GDT_ENTRY_TSS 8 /* needs two entries */
8890 #define GDT_ENTRY_LDT 10 /* needs two entries */
8891 #define GDT_ENTRY_TLS_MIN 12
8895 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
8896 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
8897 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
8898 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
8899 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
8900 diff -urNp linux-2.6.35.4/arch/x86/include/asm/spinlock.h linux-2.6.35.4/arch/x86/include/asm/spinlock.h
8901 --- linux-2.6.35.4/arch/x86/include/asm/spinlock.h 2010-08-26 19:47:12.000000000 -0400
8902 +++ linux-2.6.35.4/arch/x86/include/asm/spinlock.h 2010-09-17 20:12:09.000000000 -0400
8903 @@ -249,18 +249,50 @@ static inline int arch_write_can_lock(ar
8904 static inline void arch_read_lock(arch_rwlock_t *rw)
8906 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
8908 - "call __read_lock_failed\n\t"
8910 +#ifdef CONFIG_PAX_REFCOUNT
8911 +#ifdef CONFIG_X86_32
8917 + ".pushsection .fixup,\"ax\"\n"
8919 + LOCK_PREFIX " addl $1,(%0)\n"
8922 + _ASM_EXTABLE(0b, 1b)
8926 + "call __read_lock_failed\n\t"
8928 ::LOCK_PTR_REG (rw) : "memory");
8931 static inline void arch_write_lock(arch_rwlock_t *rw)
8933 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
8935 - "call __write_lock_failed\n\t"
8937 +#ifdef CONFIG_PAX_REFCOUNT
8938 +#ifdef CONFIG_X86_32
8944 + ".pushsection .fixup,\"ax\"\n"
8946 + LOCK_PREFIX " addl %1,(%0)\n"
8949 + _ASM_EXTABLE(0b, 1b)
8953 + "call __write_lock_failed\n\t"
8955 ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
8958 @@ -286,12 +318,45 @@ static inline int arch_write_trylock(arc
8960 static inline void arch_read_unlock(arch_rwlock_t *rw)
8962 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
8963 + asm volatile(LOCK_PREFIX "incl %0\n"
8965 +#ifdef CONFIG_PAX_REFCOUNT
8966 +#ifdef CONFIG_X86_32
8972 + ".pushsection .fixup,\"ax\"\n"
8974 + LOCK_PREFIX "decl %0\n"
8977 + _ASM_EXTABLE(0b, 1b)
8980 + :"+m" (rw->lock) : : "memory");
8983 static inline void arch_write_unlock(arch_rwlock_t *rw)
8985 - asm volatile(LOCK_PREFIX "addl %1, %0"
8986 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
8988 +#ifdef CONFIG_PAX_REFCOUNT
8989 +#ifdef CONFIG_X86_32
8995 + ".pushsection .fixup,\"ax\"\n"
8997 + LOCK_PREFIX "subl %1,%0\n"
9000 + _ASM_EXTABLE(0b, 1b)
9003 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9006 diff -urNp linux-2.6.35.4/arch/x86/include/asm/system.h linux-2.6.35.4/arch/x86/include/asm/system.h
9007 --- linux-2.6.35.4/arch/x86/include/asm/system.h 2010-08-26 19:47:12.000000000 -0400
9008 +++ linux-2.6.35.4/arch/x86/include/asm/system.h 2010-09-17 20:12:09.000000000 -0400
9009 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9011 unsigned long __limit;
9012 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9013 - return __limit + 1;
9017 static inline void native_clts(void)
9018 @@ -342,7 +342,7 @@ void enable_hlt(void);
9020 void cpu_idle_wait(void);
9022 -extern unsigned long arch_align_stack(unsigned long sp);
9023 +#define arch_align_stack(x) ((x) & ~0xfUL)
9024 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9026 void default_idle(void);
9027 diff -urNp linux-2.6.35.4/arch/x86/include/asm/uaccess_32.h linux-2.6.35.4/arch/x86/include/asm/uaccess_32.h
9028 --- linux-2.6.35.4/arch/x86/include/asm/uaccess_32.h 2010-08-26 19:47:12.000000000 -0400
9029 +++ linux-2.6.35.4/arch/x86/include/asm/uaccess_32.h 2010-09-17 20:12:09.000000000 -0400
9030 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9031 static __always_inline unsigned long __must_check
9032 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9037 if (__builtin_constant_p(n)) {
9040 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9044 + if (!__builtin_constant_p(n))
9045 + check_object_size(from, n, true);
9046 return __copy_to_user_ll(to, from, n);
9049 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9050 static __always_inline unsigned long
9051 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9056 /* Avoid zeroing the tail if the copy fails..
9057 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9058 * but as the zeroing behaviour is only significant when n is not
9059 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9060 __copy_from_user(void *to, const void __user *from, unsigned long n)
9067 if (__builtin_constant_p(n)) {
9070 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9074 + if (!__builtin_constant_p(n))
9075 + check_object_size(to, n, false);
9076 return __copy_from_user_ll(to, from, n);
9079 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9080 const void __user *from, unsigned long n)
9087 if (__builtin_constant_p(n)) {
9090 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9091 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9094 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9099 -unsigned long __must_check copy_to_user(void __user *to,
9100 - const void *from, unsigned long n);
9101 -unsigned long __must_check _copy_from_user(void *to,
9102 - const void __user *from,
9104 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9107 +extern void copy_to_user_overflow(void)
9108 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9109 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9111 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9115 extern void copy_from_user_overflow(void)
9116 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9117 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9121 -static inline unsigned long __must_check copy_from_user(void *to,
9122 - const void __user *from,
9125 + * copy_to_user: - Copy a block of data into user space.
9126 + * @to: Destination address, in user space.
9127 + * @from: Source address, in kernel space.
9128 + * @n: Number of bytes to copy.
9130 + * Context: User context only. This function may sleep.
9132 + * Copy data from kernel space to user space.
9134 + * Returns number of bytes that could not be copied.
9135 + * On success, this will be zero.
9137 +static inline unsigned long __must_check
9138 +copy_to_user(void __user *to, const void *from, unsigned long n)
9140 + int sz = __compiletime_object_size(from);
9142 + if (unlikely(sz != -1 && sz < n))
9143 + copy_to_user_overflow();
9144 + else if (access_ok(VERIFY_WRITE, to, n))
9145 + n = __copy_to_user(to, from, n);
9150 + * copy_from_user: - Copy a block of data from user space.
9151 + * @to: Destination address, in kernel space.
9152 + * @from: Source address, in user space.
9153 + * @n: Number of bytes to copy.
9155 + * Context: User context only. This function may sleep.
9157 + * Copy data from user space to kernel space.
9159 + * Returns number of bytes that could not be copied.
9160 + * On success, this will be zero.
9162 + * If some data could not be copied, this function will pad the copied
9163 + * data to the requested size using zero bytes.
9165 +static inline unsigned long __must_check
9166 +copy_from_user(void *to, const void __user *from, unsigned long n)
9168 int sz = __compiletime_object_size(to);
9170 - if (likely(sz == -1 || sz >= n))
9171 - n = _copy_from_user(to, from, n);
9173 + if (unlikely(sz != -1 && sz < n))
9174 copy_from_user_overflow();
9176 + else if (access_ok(VERIFY_READ, from, n))
9177 + n = __copy_from_user(to, from, n);
9178 + else if ((long)n > 0) {
9179 + if (!__builtin_constant_p(n))
9180 + check_object_size(to, n, false);
9186 diff -urNp linux-2.6.35.4/arch/x86/include/asm/uaccess_64.h linux-2.6.35.4/arch/x86/include/asm/uaccess_64.h
9187 --- linux-2.6.35.4/arch/x86/include/asm/uaccess_64.h 2010-08-26 19:47:12.000000000 -0400
9188 +++ linux-2.6.35.4/arch/x86/include/asm/uaccess_64.h 2010-09-17 20:12:37.000000000 -0400
9190 #include <asm/alternative.h>
9191 #include <asm/cpufeature.h>
9192 #include <asm/page.h>
9193 +#include <asm/pgtable.h>
9195 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
9197 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9200 * Copy To/From Userspace
9201 @@ -37,26 +42,26 @@ copy_user_generic(void *to, const void *
9205 -__must_check unsigned long
9206 -_copy_to_user(void __user *to, const void *from, unsigned len);
9207 -__must_check unsigned long
9208 -_copy_from_user(void *to, const void __user *from, unsigned len);
9209 +static __always_inline __must_check unsigned long
9210 +__copy_to_user(void __user *to, const void *from, unsigned len);
9211 +static __always_inline __must_check unsigned long
9212 +__copy_from_user(void *to, const void __user *from, unsigned len);
9213 __must_check unsigned long
9214 copy_in_user(void __user *to, const void __user *from, unsigned len);
9216 static inline unsigned long __must_check copy_from_user(void *to,
9217 const void __user *from,
9221 - int sz = __compiletime_object_size(to);
9224 - if (likely(sz == -1 || sz >= n))
9225 - n = _copy_from_user(to, from, n);
9226 -#ifdef CONFIG_DEBUG_VM
9228 - WARN(1, "Buffer overflow detected!\n");
9231 + if (access_ok(VERIFY_READ, from, n))
9232 + n = __copy_from_user(to, from, n);
9233 + else if ((int)n > 0) {
9234 + if (!__builtin_constant_p(n))
9235 + check_object_size(to, n, false);
9241 @@ -65,17 +70,35 @@ int copy_to_user(void __user *dst, const
9245 - return _copy_to_user(dst, src, size);
9246 + if (access_ok(VERIFY_WRITE, dst, size))
9247 + size = __copy_to_user(dst, src, size);
9251 static __always_inline __must_check
9252 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9253 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9256 + int sz = __compiletime_object_size(dst);
9260 - if (!__builtin_constant_p(size))
9262 + if ((int)size < 0)
9265 + if (unlikely(sz != -1 && sz < size)) {
9266 +#ifdef CONFIG_DEBUG_VM
9267 + WARN(1, "Buffer overflow detected!\n");
9272 + if (!__builtin_constant_p(size)) {
9273 + check_object_size(dst, size, false);
9274 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9275 + src += PAX_USER_SHADOW_BASE;
9276 return copy_user_generic(dst, (__force void *)src, size);
9279 case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9280 ret, "b", "b", "=q", 1);
9281 @@ -108,18 +131,36 @@ int __copy_from_user(void *dst, const vo
9282 ret, "q", "", "=r", 8);
9285 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9286 + src += PAX_USER_SHADOW_BASE;
9287 return copy_user_generic(dst, (__force void *)src, size);
9291 static __always_inline __must_check
9292 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9293 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9296 + int sz = __compiletime_object_size(src);
9300 - if (!__builtin_constant_p(size))
9302 + if ((int)size < 0)
9305 + if (unlikely(sz != -1 && sz < size)) {
9306 +#ifdef CONFIG_DEBUG_VM
9307 + WARN(1, "Buffer overflow detected!\n");
9312 + if (!__builtin_constant_p(size)) {
9313 + check_object_size(src, size, true);
9314 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9315 + dst += PAX_USER_SHADOW_BASE;
9316 return copy_user_generic((__force void *)dst, src, size);
9319 case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9320 ret, "b", "b", "iq", 1);
9321 @@ -152,19 +193,30 @@ int __copy_to_user(void __user *dst, con
9322 ret, "q", "", "er", 8);
9325 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9326 + dst += PAX_USER_SHADOW_BASE;
9327 return copy_user_generic((__force void *)dst, src, size);
9331 static __always_inline __must_check
9332 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9333 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9339 - if (!__builtin_constant_p(size))
9341 + if ((int)size < 0)
9344 + if (!__builtin_constant_p(size)) {
9345 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9346 + src += PAX_USER_SHADOW_BASE;
9347 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9348 + dst += PAX_USER_SHADOW_BASE;
9349 return copy_user_generic((__force void *)dst,
9350 (__force void *)src, size);
9355 @@ -204,6 +256,10 @@ int __copy_in_user(void __user *dst, con
9359 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9360 + src += PAX_USER_SHADOW_BASE;
9361 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9362 + dst += PAX_USER_SHADOW_BASE;
9363 return copy_user_generic((__force void *)dst,
9364 (__force void *)src, size);
9366 @@ -222,33 +278,45 @@ __must_check unsigned long __clear_user(
9367 static __must_check __always_inline int
9368 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9370 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9371 + src += PAX_USER_SHADOW_BASE;
9372 return copy_user_generic(dst, (__force const void *)src, size);
9375 -static __must_check __always_inline int
9376 +static __must_check __always_inline unsigned long
9377 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9379 + if ((int)size < 0)
9382 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9383 + dst += PAX_USER_SHADOW_BASE;
9384 return copy_user_generic((__force void *)dst, src, size);
9387 -extern long __copy_user_nocache(void *dst, const void __user *src,
9388 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9389 unsigned size, int zerorest);
9392 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9393 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9397 + if ((int)size < 0)
9400 return __copy_user_nocache(dst, src, size, 1);
9404 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9405 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9408 + if ((int)size < 0)
9411 return __copy_user_nocache(dst, src, size, 0);
9415 +extern unsigned long
9416 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9418 #endif /* _ASM_X86_UACCESS_64_H */
9419 diff -urNp linux-2.6.35.4/arch/x86/include/asm/uaccess.h linux-2.6.35.4/arch/x86/include/asm/uaccess.h
9420 --- linux-2.6.35.4/arch/x86/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
9421 +++ linux-2.6.35.4/arch/x86/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
9423 #include <linux/thread_info.h>
9424 #include <linux/prefetch.h>
9425 #include <linux/string.h>
9426 +#include <linux/sched.h>
9427 #include <asm/asm.h>
9428 #include <asm/page.h>
9430 #define VERIFY_READ 0
9431 #define VERIFY_WRITE 1
9433 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9436 * The fs value determines whether argument validity checking should be
9437 * performed or not. If get_fs() == USER_DS, checking is performed, with
9440 #define get_ds() (KERNEL_DS)
9441 #define get_fs() (current_thread_info()->addr_limit)
9442 +#ifdef CONFIG_X86_32
9443 +void __set_fs(mm_segment_t x, int cpu);
9444 +void set_fs(mm_segment_t x);
9446 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9449 #define segment_eq(a, b) ((a).seg == (b).seg)
9452 * checks that the pointer is in the user space range - after calling
9453 * this function, memory access functions may still return -EFAULT.
9455 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9456 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9457 +#define access_ok(type, addr, size) \
9459 + long __size = size; \
9460 + unsigned long __addr = (unsigned long)addr; \
9461 + unsigned long __addr_ao = __addr & PAGE_MASK; \
9462 + unsigned long __end_ao = __addr + __size - 1; \
9463 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9464 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9465 + while(__addr_ao <= __end_ao) { \
9467 + __addr_ao += PAGE_SIZE; \
9468 + if (__size > PAGE_SIZE) \
9470 + if (__get_user(__c_ao, (char __user *)__addr)) \
9472 + if (type != VERIFY_WRITE) { \
9473 + __addr = __addr_ao; \
9476 + if (__put_user(__c_ao, (char __user *)__addr)) \
9478 + __addr = __addr_ao; \
9485 * The exception table consists of pairs of addresses: the first is the
9486 @@ -183,13 +217,21 @@ extern int __get_user_bad(void);
9487 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
9488 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
9491 +#ifdef CONFIG_X86_32
9492 +#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
9493 +#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
9495 +#define _ASM_LOAD_USER_DS(ds)
9496 +#define _ASM_LOAD_KERNEL_DS
9499 #ifdef CONFIG_X86_32
9500 #define __put_user_asm_u64(x, addr, err, errret) \
9501 - asm volatile("1: movl %%eax,0(%2)\n" \
9502 - "2: movl %%edx,4(%2)\n" \
9503 + asm volatile(_ASM_LOAD_USER_DS(5) \
9504 + "1: movl %%eax,%%ds:0(%2)\n" \
9505 + "2: movl %%edx,%%ds:4(%2)\n" \
9507 + _ASM_LOAD_KERNEL_DS \
9508 ".section .fixup,\"ax\"\n" \
9511 @@ -197,15 +239,18 @@ extern int __get_user_bad(void);
9512 _ASM_EXTABLE(1b, 4b) \
9513 _ASM_EXTABLE(2b, 4b) \
9515 - : "A" (x), "r" (addr), "i" (errret), "0" (err))
9516 + : "A" (x), "r" (addr), "i" (errret), "0" (err), \
9519 #define __put_user_asm_ex_u64(x, addr) \
9520 - asm volatile("1: movl %%eax,0(%1)\n" \
9521 - "2: movl %%edx,4(%1)\n" \
9522 + asm volatile(_ASM_LOAD_USER_DS(2) \
9523 + "1: movl %%eax,%%ds:0(%1)\n" \
9524 + "2: movl %%edx,%%ds:4(%1)\n" \
9526 + _ASM_LOAD_KERNEL_DS \
9527 _ASM_EXTABLE(1b, 2b - 1b) \
9528 _ASM_EXTABLE(2b, 3b - 2b) \
9529 - : : "A" (x), "r" (addr))
9530 + : : "A" (x), "r" (addr), "r"(__USER_DS))
9532 #define __put_user_x8(x, ptr, __ret_pu) \
9533 asm volatile("call __put_user_8" : "=a" (__ret_pu) \
9534 @@ -374,16 +419,18 @@ do { \
9537 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9538 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
9539 + asm volatile(_ASM_LOAD_USER_DS(5) \
9540 + "1: mov"itype" %%ds:%2,%"rtype"1\n" \
9542 + _ASM_LOAD_KERNEL_DS \
9543 ".section .fixup,\"ax\"\n" \
9545 " xor"itype" %"rtype"1,%"rtype"1\n" \
9548 _ASM_EXTABLE(1b, 3b) \
9549 - : "=r" (err), ltype(x) \
9550 - : "m" (__m(addr)), "i" (errret), "0" (err))
9551 + : "=r" (err), ltype (x) \
9552 + : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
9554 #define __get_user_size_ex(x, ptr, size) \
9556 @@ -407,10 +454,12 @@ do { \
9559 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
9560 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
9561 + asm volatile(_ASM_LOAD_USER_DS(2) \
9562 + "1: mov"itype" %%ds:%1,%"rtype"0\n" \
9564 + _ASM_LOAD_KERNEL_DS \
9565 _ASM_EXTABLE(1b, 2b - 1b) \
9566 - : ltype(x) : "m" (__m(addr)))
9567 + : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
9569 #define __put_user_nocheck(x, ptr, size) \
9571 @@ -424,13 +473,24 @@ do { \
9573 unsigned long __gu_val; \
9574 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
9575 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
9576 + (x) = (__typeof__(*(ptr)))__gu_val; \
9580 /* FIXME: this hack is definitely wrong -AK */
9581 struct __large_struct { unsigned long buf[100]; };
9582 -#define __m(x) (*(struct __large_struct __user *)(x))
9583 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9586 + unsigned long ____x = (unsigned long)(x); \
9587 + if (____x < PAX_USER_SHADOW_BASE) \
9588 + ____x += PAX_USER_SHADOW_BASE; \
9589 + (void __user *)____x; \
9592 +#define ____m(x) (x)
9594 +#define __m(x) (*(struct __large_struct __user *)____m(x))
9597 * Tell gcc we read from memory instead of writing: this is because
9598 @@ -438,21 +498,26 @@ struct __large_struct { unsigned long bu
9601 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9602 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
9603 + asm volatile(_ASM_LOAD_USER_DS(5) \
9604 + "1: mov"itype" %"rtype"1,%%ds:%2\n" \
9606 + _ASM_LOAD_KERNEL_DS \
9607 ".section .fixup,\"ax\"\n" \
9611 _ASM_EXTABLE(1b, 3b) \
9613 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
9614 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
9617 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
9618 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
9619 + asm volatile(_ASM_LOAD_USER_DS(2) \
9620 + "1: mov"itype" %"rtype"0,%%ds:%1\n" \
9622 + _ASM_LOAD_KERNEL_DS \
9623 _ASM_EXTABLE(1b, 2b - 1b) \
9624 - : : ltype(x), "m" (__m(addr)))
9625 + : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
9628 * uaccess_try and catch
9629 @@ -530,7 +595,7 @@ struct __large_struct { unsigned long bu
9630 #define get_user_ex(x, ptr) do { \
9631 unsigned long __gue_val; \
9632 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
9633 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
9634 + (x) = (__typeof__(*(ptr)))__gue_val; \
9637 #ifdef CONFIG_X86_WP_WORKS_OK
9638 @@ -567,6 +632,7 @@ extern struct movsl_mask {
9640 #define ARCH_HAS_NOCACHE_UACCESS 1
9642 +#define ARCH_HAS_SORT_EXTABLE
9643 #ifdef CONFIG_X86_32
9644 # include "uaccess_32.h"
9646 diff -urNp linux-2.6.35.4/arch/x86/include/asm/vgtod.h linux-2.6.35.4/arch/x86/include/asm/vgtod.h
9647 --- linux-2.6.35.4/arch/x86/include/asm/vgtod.h 2010-08-26 19:47:12.000000000 -0400
9648 +++ linux-2.6.35.4/arch/x86/include/asm/vgtod.h 2010-09-17 20:12:09.000000000 -0400
9649 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
9651 struct timezone sys_tz;
9652 struct { /* extract of a clocksource struct */
9654 cycle_t (*vread)(void);
9657 diff -urNp linux-2.6.35.4/arch/x86/include/asm/vmi.h linux-2.6.35.4/arch/x86/include/asm/vmi.h
9658 --- linux-2.6.35.4/arch/x86/include/asm/vmi.h 2010-08-26 19:47:12.000000000 -0400
9659 +++ linux-2.6.35.4/arch/x86/include/asm/vmi.h 2010-09-17 20:12:09.000000000 -0400
9660 @@ -191,6 +191,7 @@ struct vrom_header {
9661 u8 reserved[96]; /* Reserved for headers */
9662 char vmi_init[8]; /* VMI_Init jump point */
9663 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
9664 + char rom_data[8048]; /* rest of the option ROM */
9665 } __attribute__((packed));
9668 diff -urNp linux-2.6.35.4/arch/x86/include/asm/vsyscall.h linux-2.6.35.4/arch/x86/include/asm/vsyscall.h
9669 --- linux-2.6.35.4/arch/x86/include/asm/vsyscall.h 2010-08-26 19:47:12.000000000 -0400
9670 +++ linux-2.6.35.4/arch/x86/include/asm/vsyscall.h 2010-09-17 20:12:09.000000000 -0400
9671 @@ -15,9 +15,10 @@ enum vsyscall_num {
9674 #include <linux/seqlock.h>
9675 +#include <linux/getcpu.h>
9676 +#include <linux/time.h>
9678 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
9679 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
9681 /* Definitions for CONFIG_GENERIC_TIME definitions */
9682 #define __section_vsyscall_gtod_data __attribute__ \
9683 @@ -31,7 +32,6 @@ enum vsyscall_num {
9684 #define VGETCPU_LSL 2
9686 extern int __vgetcpu_mode;
9687 -extern volatile unsigned long __jiffies;
9689 /* kernel space (writeable) */
9690 extern int vgetcpu_mode;
9691 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
9693 extern void map_vsyscall(void);
9695 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
9696 +extern time_t vtime(time_t *t);
9697 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
9698 #endif /* __KERNEL__ */
9700 #endif /* _ASM_X86_VSYSCALL_H */
9701 diff -urNp linux-2.6.35.4/arch/x86/include/asm/xsave.h linux-2.6.35.4/arch/x86/include/asm/xsave.h
9702 --- linux-2.6.35.4/arch/x86/include/asm/xsave.h 2010-08-26 19:47:12.000000000 -0400
9703 +++ linux-2.6.35.4/arch/x86/include/asm/xsave.h 2010-09-17 20:12:09.000000000 -0400
9704 @@ -59,6 +59,12 @@ static inline int fpu_xrstor_checking(st
9705 static inline int xsave_user(struct xsave_struct __user *buf)
9709 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9710 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
9711 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
9714 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
9716 ".section .fixup,\"ax\"\n"
9717 @@ -85,6 +91,11 @@ static inline int xrestore_user(struct x
9719 u32 hmask = mask >> 32;
9721 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9722 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
9723 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
9726 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
9728 ".section .fixup,\"ax\"\n"
9729 diff -urNp linux-2.6.35.4/arch/x86/Kconfig linux-2.6.35.4/arch/x86/Kconfig
9730 --- linux-2.6.35.4/arch/x86/Kconfig 2010-08-26 19:47:12.000000000 -0400
9731 +++ linux-2.6.35.4/arch/x86/Kconfig 2010-09-17 20:12:37.000000000 -0400
9732 @@ -1038,7 +1038,7 @@ choice
9736 - depends on !X86_NUMAQ
9737 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9739 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
9740 However, the address space of 32-bit x86 processors is only 4
9741 @@ -1075,7 +1075,7 @@ config NOHIGHMEM
9745 - depends on !X86_NUMAQ
9746 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9748 Select this if you have a 32-bit processor and between 1 and 4
9749 gigabytes of physical RAM.
9750 @@ -1129,7 +1129,7 @@ config PAGE_OFFSET
9752 default 0xB0000000 if VMSPLIT_3G_OPT
9753 default 0x80000000 if VMSPLIT_2G
9754 - default 0x78000000 if VMSPLIT_2G_OPT
9755 + default 0x70000000 if VMSPLIT_2G_OPT
9756 default 0x40000000 if VMSPLIT_1G
9759 @@ -1461,7 +1461,7 @@ config ARCH_USES_PG_UNCACHED
9762 bool "EFI runtime service support"
9764 + depends on ACPI && !PAX_KERNEXEC
9766 This enables the kernel to use EFI runtime services that are
9767 available (such as the EFI variable services).
9768 @@ -1548,6 +1548,7 @@ config KEXEC_JUMP
9769 config PHYSICAL_START
9770 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
9772 + range 0x400000 0x40000000
9774 This gives the physical address where the kernel is loaded.
9776 @@ -1611,6 +1612,7 @@ config X86_NEED_RELOCS
9777 config PHYSICAL_ALIGN
9778 hex "Alignment value to which kernel should be aligned" if X86_32
9780 + range 0x400000 0x1000000 if PAX_KERNEXEC
9781 range 0x2000 0x1000000
9783 This value puts the alignment restrictions on physical address
9784 @@ -1642,9 +1644,10 @@ config HOTPLUG_CPU
9785 Say N if you want to disable CPU hotplug.
9790 prompt "Compat VDSO support"
9791 depends on X86_32 || IA32_EMULATION
9792 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
9794 Map the 32-bit VDSO to the predictable old-style address too.
9796 diff -urNp linux-2.6.35.4/arch/x86/Kconfig.cpu linux-2.6.35.4/arch/x86/Kconfig.cpu
9797 --- linux-2.6.35.4/arch/x86/Kconfig.cpu 2010-08-26 19:47:12.000000000 -0400
9798 +++ linux-2.6.35.4/arch/x86/Kconfig.cpu 2010-09-17 20:12:09.000000000 -0400
9799 @@ -336,7 +336,7 @@ config X86_PPRO_FENCE
9803 - depends on M586MMX || M586TSC || M586 || M486 || M386
9804 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
9808 @@ -360,7 +360,7 @@ config X86_POPAD_OK
9810 config X86_ALIGNMENT_16
9812 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9813 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9815 config X86_INTEL_USERCOPY
9817 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
9821 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9822 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9824 config X86_MINIMUM_CPU_FAMILY
9826 diff -urNp linux-2.6.35.4/arch/x86/Kconfig.debug linux-2.6.35.4/arch/x86/Kconfig.debug
9827 --- linux-2.6.35.4/arch/x86/Kconfig.debug 2010-08-26 19:47:12.000000000 -0400
9828 +++ linux-2.6.35.4/arch/x86/Kconfig.debug 2010-09-17 20:12:09.000000000 -0400
9829 @@ -97,7 +97,7 @@ config X86_PTDUMP
9831 bool "Write protect kernel read-only data structures"
9833 - depends on DEBUG_KERNEL
9834 + depends on DEBUG_KERNEL && BROKEN
9836 Mark the kernel read-only data as write-protected in the pagetables,
9837 in order to catch accidental (and incorrect) writes to such const
9838 diff -urNp linux-2.6.35.4/arch/x86/kernel/acpi/boot.c linux-2.6.35.4/arch/x86/kernel/acpi/boot.c
9839 --- linux-2.6.35.4/arch/x86/kernel/acpi/boot.c 2010-08-26 19:47:12.000000000 -0400
9840 +++ linux-2.6.35.4/arch/x86/kernel/acpi/boot.c 2010-09-17 20:12:09.000000000 -0400
9841 @@ -1472,7 +1472,7 @@ static struct dmi_system_id __initdata a
9842 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
9846 + { NULL, NULL, {{0, {0}}}, NULL}
9850 diff -urNp linux-2.6.35.4/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.35.4/arch/x86/kernel/acpi/realmode/wakeup.S
9851 --- linux-2.6.35.4/arch/x86/kernel/acpi/realmode/wakeup.S 2010-08-26 19:47:12.000000000 -0400
9852 +++ linux-2.6.35.4/arch/x86/kernel/acpi/realmode/wakeup.S 2010-09-17 20:12:09.000000000 -0400
9853 @@ -104,7 +104,7 @@ _start:
9857 - movl $0xc0000080, %ecx
9858 + mov $MSR_EFER, %ecx
9862 diff -urNp linux-2.6.35.4/arch/x86/kernel/acpi/sleep.c linux-2.6.35.4/arch/x86/kernel/acpi/sleep.c
9863 --- linux-2.6.35.4/arch/x86/kernel/acpi/sleep.c 2010-08-26 19:47:12.000000000 -0400
9864 +++ linux-2.6.35.4/arch/x86/kernel/acpi/sleep.c 2010-09-17 20:12:09.000000000 -0400
9866 #include <linux/cpumask.h>
9867 #include <asm/segment.h>
9868 #include <asm/desc.h>
9869 +#include <asm/e820.h>
9871 #include "realmode/wakeup.h"
9874 -unsigned long acpi_wakeup_address;
9875 +unsigned long acpi_wakeup_address = 0x2000;
9876 unsigned long acpi_realmode_flags;
9878 /* address in low memory of the wakeup routine. */
9879 @@ -96,8 +97,12 @@ int acpi_save_state_mem(void)
9880 header->trampoline_segment = setup_trampoline() >> 4;
9882 stack_start.sp = temp_stack + sizeof(temp_stack);
9884 + pax_open_kernel();
9885 early_gdt_descr.address =
9886 (unsigned long)get_cpu_gdt_table(smp_processor_id());
9887 + pax_close_kernel();
9889 initial_gs = per_cpu_offset(smp_processor_id());
9891 initial_code = (unsigned long)wakeup_long64;
9892 diff -urNp linux-2.6.35.4/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.35.4/arch/x86/kernel/acpi/wakeup_32.S
9893 --- linux-2.6.35.4/arch/x86/kernel/acpi/wakeup_32.S 2010-08-26 19:47:12.000000000 -0400
9894 +++ linux-2.6.35.4/arch/x86/kernel/acpi/wakeup_32.S 2010-09-17 20:12:09.000000000 -0400
9895 @@ -30,13 +30,11 @@ wakeup_pmode_return:
9896 # and restore the stack ... but you need gdt for this to work
9897 movl saved_context_esp, %esp
9899 - movl %cs:saved_magic, %eax
9900 - cmpl $0x12345678, %eax
9901 + cmpl $0x12345678, saved_magic
9904 # jump to place where we left off
9905 - movl saved_eip, %eax
9911 diff -urNp linux-2.6.35.4/arch/x86/kernel/alternative.c linux-2.6.35.4/arch/x86/kernel/alternative.c
9912 --- linux-2.6.35.4/arch/x86/kernel/alternative.c 2010-08-26 19:47:12.000000000 -0400
9913 +++ linux-2.6.35.4/arch/x86/kernel/alternative.c 2010-09-17 20:12:09.000000000 -0400
9914 @@ -247,7 +247,7 @@ static void alternatives_smp_lock(const
9915 if (!*poff || ptr < text || ptr >= text_end)
9917 /* turn DS segment override prefix into lock prefix */
9919 + if (*ktla_ktva(ptr) == 0x3e)
9920 text_poke(ptr, ((unsigned char []){0xf0}), 1);
9922 mutex_unlock(&text_mutex);
9923 @@ -268,7 +268,7 @@ static void alternatives_smp_unlock(cons
9924 if (!*poff || ptr < text || ptr >= text_end)
9926 /* turn lock prefix into DS segment override prefix */
9928 + if (*ktla_ktva(ptr) == 0xf0)
9929 text_poke(ptr, ((unsigned char []){0x3E}), 1);
9931 mutex_unlock(&text_mutex);
9932 @@ -436,7 +436,7 @@ void __init_or_module apply_paravirt(str
9934 BUG_ON(p->len > MAX_PATCH_LEN);
9935 /* prep the buffer with the original instructions */
9936 - memcpy(insnbuf, p->instr, p->len);
9937 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
9938 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
9939 (unsigned long)p->instr, p->len);
9941 @@ -504,7 +504,7 @@ void __init alternative_instructions(voi
9943 free_init_pages("SMP alternatives",
9944 (unsigned long)__smp_locks,
9945 - (unsigned long)__smp_locks_end);
9946 + PAGE_ALIGN((unsigned long)__smp_locks_end));
9950 @@ -521,13 +521,17 @@ void __init alternative_instructions(voi
9951 * instructions. And on the local CPU you need to be protected again NMI or MCE
9952 * handlers seeing an inconsistent instruction while you patch.
9954 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
9955 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
9958 unsigned long flags;
9959 local_irq_save(flags);
9960 - memcpy(addr, opcode, len);
9962 + pax_open_kernel();
9963 + memcpy(ktla_ktva(addr), opcode, len);
9965 + pax_close_kernel();
9967 local_irq_restore(flags);
9968 /* Could also do a CLFLUSH here to speed up CPU recovery; but
9969 that causes hangs on some VIA CPUs. */
9970 @@ -549,36 +553,22 @@ static void *__init_or_module text_poke_
9972 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
9974 - unsigned long flags;
9976 + unsigned char *vaddr = ktla_ktva(addr);
9977 struct page *pages[2];
9981 if (!core_kernel_text((unsigned long)addr)) {
9982 - pages[0] = vmalloc_to_page(addr);
9983 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
9984 + pages[0] = vmalloc_to_page(vaddr);
9985 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
9987 - pages[0] = virt_to_page(addr);
9988 + pages[0] = virt_to_page(vaddr);
9989 WARN_ON(!PageReserved(pages[0]));
9990 - pages[1] = virt_to_page(addr + PAGE_SIZE);
9991 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
9994 - local_irq_save(flags);
9995 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
9997 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
9998 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
9999 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10000 - clear_fixmap(FIX_TEXT_POKE0);
10002 - clear_fixmap(FIX_TEXT_POKE1);
10003 - local_flush_tlb();
10005 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
10006 - that causes hangs on some VIA CPUs. */
10007 + text_poke_early(addr, opcode, len);
10008 for (i = 0; i < len; i++)
10009 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10010 - local_irq_restore(flags);
10011 + BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i]);
10015 diff -urNp linux-2.6.35.4/arch/x86/kernel/amd_iommu.c linux-2.6.35.4/arch/x86/kernel/amd_iommu.c
10016 --- linux-2.6.35.4/arch/x86/kernel/amd_iommu.c 2010-08-26 19:47:12.000000000 -0400
10017 +++ linux-2.6.35.4/arch/x86/kernel/amd_iommu.c 2010-09-17 20:12:09.000000000 -0400
10018 @@ -2284,7 +2284,7 @@ static void prealloc_protection_domains(
10022 -static struct dma_map_ops amd_iommu_dma_ops = {
10023 +static const struct dma_map_ops amd_iommu_dma_ops = {
10024 .alloc_coherent = alloc_coherent,
10025 .free_coherent = free_coherent,
10026 .map_page = map_page,
10027 diff -urNp linux-2.6.35.4/arch/x86/kernel/apic/io_apic.c linux-2.6.35.4/arch/x86/kernel/apic/io_apic.c
10028 --- linux-2.6.35.4/arch/x86/kernel/apic/io_apic.c 2010-08-26 19:47:12.000000000 -0400
10029 +++ linux-2.6.35.4/arch/x86/kernel/apic/io_apic.c 2010-09-17 20:12:09.000000000 -0400
10030 @@ -691,7 +691,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10031 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10033 if (!ioapic_entries)
10037 for (apic = 0; apic < nr_ioapics; apic++) {
10038 ioapic_entries[apic] =
10039 @@ -708,7 +708,7 @@ nomem:
10040 kfree(ioapic_entries[apic]);
10041 kfree(ioapic_entries);
10048 @@ -1118,7 +1118,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10050 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10052 -void lock_vector_lock(void)
10053 +void lock_vector_lock(void) __acquires(vector_lock)
10055 /* Used to the online set of cpus does not change
10056 * during assign_irq_vector.
10057 @@ -1126,7 +1126,7 @@ void lock_vector_lock(void)
10058 raw_spin_lock(&vector_lock);
10061 -void unlock_vector_lock(void)
10062 +void unlock_vector_lock(void) __releases(vector_lock)
10064 raw_spin_unlock(&vector_lock);
10066 diff -urNp linux-2.6.35.4/arch/x86/kernel/apm_32.c linux-2.6.35.4/arch/x86/kernel/apm_32.c
10067 --- linux-2.6.35.4/arch/x86/kernel/apm_32.c 2010-08-26 19:47:12.000000000 -0400
10068 +++ linux-2.6.35.4/arch/x86/kernel/apm_32.c 2010-09-17 20:12:09.000000000 -0400
10069 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10070 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10071 * even though they are called in protected mode.
10073 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10074 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10075 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10077 static const char driver_version[] = "1.16ac"; /* no spaces */
10078 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10080 gdt = get_cpu_gdt_table(cpu);
10081 save_desc_40 = gdt[0x40 / 8];
10083 + pax_open_kernel();
10084 gdt[0x40 / 8] = bad_bios_desc;
10085 + pax_close_kernel();
10087 apm_irq_save(flags);
10089 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10091 APM_DO_RESTORE_SEGS;
10092 apm_irq_restore(flags);
10094 + pax_open_kernel();
10095 gdt[0x40 / 8] = save_desc_40;
10096 + pax_close_kernel();
10100 return call->eax & 0xff;
10101 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
10103 gdt = get_cpu_gdt_table(cpu);
10104 save_desc_40 = gdt[0x40 / 8];
10106 + pax_open_kernel();
10107 gdt[0x40 / 8] = bad_bios_desc;
10108 + pax_close_kernel();
10110 apm_irq_save(flags);
10112 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
10114 APM_DO_RESTORE_SEGS;
10115 apm_irq_restore(flags);
10117 + pax_open_kernel();
10118 gdt[0x40 / 8] = save_desc_40;
10119 + pax_close_kernel();
10124 @@ -975,7 +989,7 @@ recalc:
10126 static void apm_power_off(void)
10128 - unsigned char po_bios_call[] = {
10129 + const unsigned char po_bios_call[] = {
10130 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10131 0x8e, 0xd0, /* movw ax,ss */
10132 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
10133 @@ -1931,7 +1945,10 @@ static const struct file_operations apm_
10134 static struct miscdevice apm_device = {
10145 @@ -2252,7 +2269,7 @@ static struct dmi_system_id __initdata a
10146 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10150 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10154 @@ -2355,12 +2372,15 @@ static int __init apm_init(void)
10155 * code to that CPU.
10157 gdt = get_cpu_gdt_table(0);
10159 + pax_open_kernel();
10160 set_desc_base(&gdt[APM_CS >> 3],
10161 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10162 set_desc_base(&gdt[APM_CS_16 >> 3],
10163 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10164 set_desc_base(&gdt[APM_DS >> 3],
10165 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10166 + pax_close_kernel();
10168 proc_create("apm", 0, NULL, &apm_file_ops);
10170 diff -urNp linux-2.6.35.4/arch/x86/kernel/asm-offsets_32.c linux-2.6.35.4/arch/x86/kernel/asm-offsets_32.c
10171 --- linux-2.6.35.4/arch/x86/kernel/asm-offsets_32.c 2010-08-26 19:47:12.000000000 -0400
10172 +++ linux-2.6.35.4/arch/x86/kernel/asm-offsets_32.c 2010-09-17 20:12:09.000000000 -0400
10173 @@ -115,6 +115,11 @@ void foo(void)
10174 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10175 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10176 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10178 +#ifdef CONFIG_PAX_KERNEXEC
10179 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10185 diff -urNp linux-2.6.35.4/arch/x86/kernel/asm-offsets_64.c linux-2.6.35.4/arch/x86/kernel/asm-offsets_64.c
10186 --- linux-2.6.35.4/arch/x86/kernel/asm-offsets_64.c 2010-08-26 19:47:12.000000000 -0400
10187 +++ linux-2.6.35.4/arch/x86/kernel/asm-offsets_64.c 2010-09-17 20:12:09.000000000 -0400
10188 @@ -63,6 +63,18 @@ int main(void)
10189 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10190 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10191 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10193 +#ifdef CONFIG_PAX_KERNEXEC
10194 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10195 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10198 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10199 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10200 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10201 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10207 @@ -115,6 +127,7 @@ int main(void)
10211 + DEFINE(TSS_size, sizeof(struct tss_struct));
10212 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10214 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10215 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/common.c linux-2.6.35.4/arch/x86/kernel/cpu/common.c
10216 --- linux-2.6.35.4/arch/x86/kernel/cpu/common.c 2010-08-26 19:47:12.000000000 -0400
10217 +++ linux-2.6.35.4/arch/x86/kernel/cpu/common.c 2010-09-17 20:12:09.000000000 -0400
10218 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10220 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10222 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10223 -#ifdef CONFIG_X86_64
10225 - * We need valid kernel segments for data and code in long mode too
10226 - * IRET will check the segment types kkeil 2000/10/28
10227 - * Also sysret mandates a special GDT layout
10229 - * TLS descriptors are currently at a different place compared to i386.
10230 - * Hopefully nobody expects them at a fixed place (Wine?)
10232 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10233 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10234 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10235 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10236 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10237 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10239 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10240 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10241 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10242 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10244 - * Segments used for calling PnP BIOS have byte granularity.
10245 - * They code segments and data segments have fixed 64k limits,
10246 - * the transfer segment sizes are set at run time.
10248 - /* 32-bit code */
10249 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10250 - /* 16-bit code */
10251 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10252 - /* 16-bit data */
10253 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10254 - /* 16-bit data */
10255 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10256 - /* 16-bit data */
10257 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10259 - * The APM segments have byte granularity and their bases
10260 - * are set at run time. All have 64k limits.
10262 - /* 32-bit code */
10263 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10264 - /* 16-bit code */
10265 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10267 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10269 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10270 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10271 - GDT_STACK_CANARY_INIT
10274 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10276 static int __init x86_xsave_setup(char *s)
10278 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10279 @@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
10281 struct desc_ptr gdt_descr;
10283 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10284 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10285 gdt_descr.size = GDT_SIZE - 1;
10286 load_gdt(&gdt_descr);
10287 /* Reload the per-cpu base */
10288 @@ -802,6 +748,10 @@ static void __cpuinit identify_cpu(struc
10289 /* Filter out anything that depends on CPUID levels we don't have */
10290 filter_cpuid_features(c, true);
10292 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10293 + setup_clear_cpu_cap(X86_FEATURE_SEP);
10296 /* If the model name is still unset, do table lookup. */
10297 if (!c->x86_model_id[0]) {
10299 @@ -1117,7 +1067,7 @@ void __cpuinit cpu_init(void)
10302 cpu = stack_smp_processor_id();
10303 - t = &per_cpu(init_tss, cpu);
10304 + t = init_tss + cpu;
10305 oist = &per_cpu(orig_ist, cpu);
10308 @@ -1143,7 +1093,7 @@ void __cpuinit cpu_init(void)
10309 switch_to_new_gdt(cpu);
10310 loadsegment(fs, 0);
10312 - load_idt((const struct desc_ptr *)&idt_descr);
10313 + load_idt(&idt_descr);
10315 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10317 @@ -1205,7 +1155,7 @@ void __cpuinit cpu_init(void)
10319 int cpu = smp_processor_id();
10320 struct task_struct *curr = current;
10321 - struct tss_struct *t = &per_cpu(init_tss, cpu);
10322 + struct tss_struct *t = init_tss + cpu;
10323 struct thread_struct *thread = &curr->thread;
10325 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
10326 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
10327 --- linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-08-26 19:47:12.000000000 -0400
10328 +++ linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-09-17 20:12:09.000000000 -0400
10329 @@ -484,7 +484,7 @@ static const struct dmi_system_id sw_any
10330 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
10334 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
10337 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
10338 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
10339 --- linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-08-26 19:47:12.000000000 -0400
10340 +++ linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-09-17 20:12:09.000000000 -0400
10341 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
10342 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
10343 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
10346 + { NULL, NULL, 0, NULL}
10350 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/intel.c linux-2.6.35.4/arch/x86/kernel/cpu/intel.c
10351 --- linux-2.6.35.4/arch/x86/kernel/cpu/intel.c 2010-08-26 19:47:12.000000000 -0400
10352 +++ linux-2.6.35.4/arch/x86/kernel/cpu/intel.c 2010-09-17 20:12:09.000000000 -0400
10353 @@ -160,7 +160,7 @@ static void __cpuinit trap_init_f00f_bug
10354 * Update the IDT descriptor and reload the IDT so that
10355 * it uses the read-only mapped virtual address.
10357 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10358 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10359 load_idt(&idt_descr);
10362 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/Makefile linux-2.6.35.4/arch/x86/kernel/cpu/Makefile
10363 --- linux-2.6.35.4/arch/x86/kernel/cpu/Makefile 2010-08-26 19:47:12.000000000 -0400
10364 +++ linux-2.6.35.4/arch/x86/kernel/cpu/Makefile 2010-09-17 20:12:09.000000000 -0400
10365 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10366 CFLAGS_REMOVE_perf_event.o = -pg
10369 -# Make sure load_percpu_segment has no stackprotector
10370 -nostackp := $(call cc-option, -fno-stack-protector)
10371 -CFLAGS_common.o := $(nostackp)
10373 obj-y := intel_cacheinfo.o addon_cpuid_features.o
10374 obj-y += proc.o capflags.o powerflags.o common.o
10375 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
10376 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.35.4/arch/x86/kernel/cpu/mcheck/mce.c
10377 --- linux-2.6.35.4/arch/x86/kernel/cpu/mcheck/mce.c 2010-08-26 19:47:12.000000000 -0400
10378 +++ linux-2.6.35.4/arch/x86/kernel/cpu/mcheck/mce.c 2010-09-17 20:12:09.000000000 -0400
10379 @@ -219,7 +219,7 @@ static void print_mce(struct mce *m)
10380 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
10383 - if (m->cs == __KERNEL_CS)
10384 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
10385 print_symbol("{%s}", m->ip);
10388 @@ -1471,14 +1471,14 @@ void __cpuinit mcheck_cpu_init(struct cp
10391 static DEFINE_SPINLOCK(mce_state_lock);
10392 -static int open_count; /* #times opened */
10393 +static atomic_t open_count; /* #times opened */
10394 static int open_exclu; /* already open exclusive? */
10396 static int mce_open(struct inode *inode, struct file *file)
10398 spin_lock(&mce_state_lock);
10400 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
10401 + if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
10402 spin_unlock(&mce_state_lock);
10405 @@ -1486,7 +1486,7 @@ static int mce_open(struct inode *inode,
10407 if (file->f_flags & O_EXCL)
10410 + atomic_inc(&open_count);
10412 spin_unlock(&mce_state_lock);
10414 @@ -1497,7 +1497,7 @@ static int mce_release(struct inode *ino
10416 spin_lock(&mce_state_lock);
10419 + atomic_dec(&open_count);
10422 spin_unlock(&mce_state_lock);
10423 @@ -1683,6 +1683,7 @@ static struct miscdevice mce_log_device
10427 + {NULL, NULL}, NULL, NULL
10431 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/generic.c
10432 --- linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/generic.c 2010-08-26 19:47:12.000000000 -0400
10433 +++ linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/generic.c 2010-09-17 20:12:09.000000000 -0400
10434 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
10435 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
10436 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
10437 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
10442 static unsigned long smp_changes_mask;
10443 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/main.c
10444 --- linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/main.c 2010-08-26 19:47:12.000000000 -0400
10445 +++ linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/main.c 2010-09-17 20:12:09.000000000 -0400
10446 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
10447 u64 size_or_mask, size_and_mask;
10448 static bool mtrr_aps_delayed_init;
10450 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
10451 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
10453 const struct mtrr_ops *mtrr_if;
10455 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/mtrr.h
10456 --- linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-08-26 19:47:12.000000000 -0400
10457 +++ linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-09-17 20:12:09.000000000 -0400
10458 @@ -12,19 +12,19 @@
10459 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
10463 - u32 use_intel_if;
10464 - void (*set)(unsigned int reg, unsigned long base,
10465 + const u32 vendor;
10466 + const u32 use_intel_if;
10467 + void (* const set)(unsigned int reg, unsigned long base,
10468 unsigned long size, mtrr_type type);
10469 - void (*set_all)(void);
10470 + void (* const set_all)(void);
10472 - void (*get)(unsigned int reg, unsigned long *base,
10473 + void (* const get)(unsigned int reg, unsigned long *base,
10474 unsigned long *size, mtrr_type *type);
10475 - int (*get_free_region)(unsigned long base, unsigned long size,
10476 + int (* const get_free_region)(unsigned long base, unsigned long size,
10478 - int (*validate_add_page)(unsigned long base, unsigned long size,
10479 + int (* const validate_add_page)(unsigned long base, unsigned long size,
10480 unsigned int type);
10481 - int (*have_wrcomb)(void);
10482 + int (* const have_wrcomb)(void);
10485 extern int generic_get_free_region(unsigned long base, unsigned long size,
10486 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.35.4/arch/x86/kernel/cpu/perfctr-watchdog.c
10487 --- linux-2.6.35.4/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-08-26 19:47:12.000000000 -0400
10488 +++ linux-2.6.35.4/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-09-17 20:12:09.000000000 -0400
10489 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
10491 /* Interface defining a CPU specific perfctr watchdog */
10493 - int (*reserve)(void);
10494 - void (*unreserve)(void);
10495 - int (*setup)(unsigned nmi_hz);
10496 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10497 - void (*stop)(void);
10498 + int (* const reserve)(void);
10499 + void (* const unreserve)(void);
10500 + int (* const setup)(unsigned nmi_hz);
10501 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10502 + void (* const stop)(void);
10506 @@ -634,6 +634,7 @@ static const struct wd_ops p4_wd_ops = {
10507 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
10508 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
10510 +/* cannot be const, see probe_nmi_watchdog */
10511 static struct wd_ops intel_arch_wd_ops;
10513 static int setup_intel_arch_watchdog(unsigned nmi_hz)
10514 @@ -686,6 +687,7 @@ static int setup_intel_arch_watchdog(uns
10518 +/* cannot be const */
10519 static struct wd_ops intel_arch_wd_ops __read_mostly = {
10520 .reserve = single_msr_reserve,
10521 .unreserve = single_msr_unreserve,
10522 diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/perf_event.c linux-2.6.35.4/arch/x86/kernel/cpu/perf_event.c
10523 --- linux-2.6.35.4/arch/x86/kernel/cpu/perf_event.c 2010-08-26 19:47:12.000000000 -0400
10524 +++ linux-2.6.35.4/arch/x86/kernel/cpu/perf_event.c 2010-09-17 20:12:09.000000000 -0400
10525 @@ -1685,7 +1685,7 @@ perf_callchain_user(struct pt_regs *regs
10528 callchain_store(entry, frame.return_address);
10529 - fp = frame.next_frame;
10530 + fp = (__force const void __user *)frame.next_frame;
10534 diff -urNp linux-2.6.35.4/arch/x86/kernel/crash.c linux-2.6.35.4/arch/x86/kernel/crash.c
10535 --- linux-2.6.35.4/arch/x86/kernel/crash.c 2010-08-26 19:47:12.000000000 -0400
10536 +++ linux-2.6.35.4/arch/x86/kernel/crash.c 2010-09-17 20:12:09.000000000 -0400
10537 @@ -40,7 +40,7 @@ static void kdump_nmi_callback(int cpu,
10540 #ifdef CONFIG_X86_32
10541 - if (!user_mode_vm(regs)) {
10542 + if (!user_mode(regs)) {
10543 crash_fixup_ss_esp(&fixed_regs, regs);
10544 regs = &fixed_regs;
10546 diff -urNp linux-2.6.35.4/arch/x86/kernel/doublefault_32.c linux-2.6.35.4/arch/x86/kernel/doublefault_32.c
10547 --- linux-2.6.35.4/arch/x86/kernel/doublefault_32.c 2010-08-26 19:47:12.000000000 -0400
10548 +++ linux-2.6.35.4/arch/x86/kernel/doublefault_32.c 2010-09-17 20:12:09.000000000 -0400
10551 #define DOUBLEFAULT_STACKSIZE (1024)
10552 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
10553 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
10554 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
10556 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
10558 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
10559 unsigned long gdt, tss;
10561 store_gdt(&gdt_desc);
10562 - gdt = gdt_desc.address;
10563 + gdt = (unsigned long)gdt_desc.address;
10565 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
10567 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
10568 /* 0x2 bit is always set */
10569 .flags = X86_EFLAGS_SF | 0x2,
10572 + .es = __KERNEL_DS,
10576 + .ds = __KERNEL_DS,
10577 .fs = __KERNEL_PERCPU,
10579 .__cr3 = __pa_nodebug(swapper_pg_dir),
10580 diff -urNp linux-2.6.35.4/arch/x86/kernel/dumpstack_32.c linux-2.6.35.4/arch/x86/kernel/dumpstack_32.c
10581 --- linux-2.6.35.4/arch/x86/kernel/dumpstack_32.c 2010-08-26 19:47:12.000000000 -0400
10582 +++ linux-2.6.35.4/arch/x86/kernel/dumpstack_32.c 2010-09-17 20:12:09.000000000 -0400
10583 @@ -107,11 +107,12 @@ void show_registers(struct pt_regs *regs
10584 * When in-kernel, we also print out the stack and code at the
10585 * time of the fault..
10587 - if (!user_mode_vm(regs)) {
10588 + if (!user_mode(regs)) {
10589 unsigned int code_prologue = code_bytes * 43 / 64;
10590 unsigned int code_len = code_bytes;
10593 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
10595 printk(KERN_EMERG "Stack:\n");
10596 show_stack_log_lvl(NULL, regs, ®s->sp,
10597 @@ -119,10 +120,10 @@ void show_registers(struct pt_regs *regs
10599 printk(KERN_EMERG "Code: ");
10601 - ip = (u8 *)regs->ip - code_prologue;
10602 + ip = (u8 *)regs->ip - code_prologue + cs_base;
10603 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
10604 /* try starting at IP */
10605 - ip = (u8 *)regs->ip;
10606 + ip = (u8 *)regs->ip + cs_base;
10607 code_len = code_len - code_prologue + 1;
10609 for (i = 0; i < code_len; i++, ip++) {
10610 @@ -131,7 +132,7 @@ void show_registers(struct pt_regs *regs
10611 printk(" Bad EIP value.");
10614 - if (ip == (u8 *)regs->ip)
10615 + if (ip == (u8 *)regs->ip + cs_base)
10616 printk("<%02x> ", c);
10618 printk("%02x ", c);
10619 @@ -144,6 +145,7 @@ int is_valid_bugaddr(unsigned long ip)
10621 unsigned short ud2;
10623 + ip = ktla_ktva(ip);
10624 if (ip < PAGE_OFFSET)
10626 if (probe_kernel_address((unsigned short *)ip, ud2))
10627 diff -urNp linux-2.6.35.4/arch/x86/kernel/dumpstack.c linux-2.6.35.4/arch/x86/kernel/dumpstack.c
10628 --- linux-2.6.35.4/arch/x86/kernel/dumpstack.c 2010-08-26 19:47:12.000000000 -0400
10629 +++ linux-2.6.35.4/arch/x86/kernel/dumpstack.c 2010-09-17 20:12:09.000000000 -0400
10630 @@ -207,7 +207,7 @@ void dump_stack(void)
10633 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
10634 - current->pid, current->comm, current->xid, print_tainted(),
10635 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
10636 init_utsname()->release,
10637 (int)strcspn(init_utsname()->version, " "),
10638 init_utsname()->version);
10639 @@ -263,7 +263,7 @@ void __kprobes oops_end(unsigned long fl
10640 panic("Fatal exception in interrupt");
10642 panic("Fatal exception");
10644 + do_group_exit(signr);
10647 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
10648 @@ -290,7 +290,7 @@ int __kprobes __die(const char *str, str
10650 show_registers(regs);
10651 #ifdef CONFIG_X86_32
10652 - if (user_mode_vm(regs)) {
10653 + if (user_mode(regs)) {
10655 ss = regs->ss & 0xffff;
10657 @@ -318,7 +318,7 @@ void die(const char *str, struct pt_regs
10658 unsigned long flags = oops_begin();
10661 - if (!user_mode_vm(regs))
10662 + if (!user_mode(regs))
10663 report_bug(regs->ip, regs);
10665 if (__die(str, regs, err))
10666 diff -urNp linux-2.6.35.4/arch/x86/kernel/efi_32.c linux-2.6.35.4/arch/x86/kernel/efi_32.c
10667 --- linux-2.6.35.4/arch/x86/kernel/efi_32.c 2010-08-26 19:47:12.000000000 -0400
10668 +++ linux-2.6.35.4/arch/x86/kernel/efi_32.c 2010-09-17 20:12:09.000000000 -0400
10669 @@ -38,70 +38,38 @@
10672 static unsigned long efi_rt_eflags;
10673 -static pgd_t efi_bak_pg_dir_pointer[2];
10674 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
10676 -void efi_call_phys_prelog(void)
10677 +void __init efi_call_phys_prelog(void)
10679 - unsigned long cr4;
10680 - unsigned long temp;
10681 struct desc_ptr gdt_descr;
10683 local_irq_save(efi_rt_eflags);
10686 - * If I don't have PAE, I should just duplicate two entries in page
10687 - * directory. If I have PAE, I just need to duplicate one entry in
10688 - * page directory.
10690 - cr4 = read_cr4_safe();
10692 - if (cr4 & X86_CR4_PAE) {
10693 - efi_bak_pg_dir_pointer[0].pgd =
10694 - swapper_pg_dir[pgd_index(0)].pgd;
10695 - swapper_pg_dir[0].pgd =
10696 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10698 - efi_bak_pg_dir_pointer[0].pgd =
10699 - swapper_pg_dir[pgd_index(0)].pgd;
10700 - efi_bak_pg_dir_pointer[1].pgd =
10701 - swapper_pg_dir[pgd_index(0x400000)].pgd;
10702 - swapper_pg_dir[pgd_index(0)].pgd =
10703 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10704 - temp = PAGE_OFFSET + 0x400000;
10705 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10706 - swapper_pg_dir[pgd_index(temp)].pgd;
10708 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
10709 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
10710 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
10713 * After the lock is released, the original page table is restored.
10717 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
10718 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
10719 gdt_descr.size = GDT_SIZE - 1;
10720 load_gdt(&gdt_descr);
10723 -void efi_call_phys_epilog(void)
10724 +void __init efi_call_phys_epilog(void)
10726 - unsigned long cr4;
10727 struct desc_ptr gdt_descr;
10729 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
10730 + gdt_descr.address = get_cpu_gdt_table(0);
10731 gdt_descr.size = GDT_SIZE - 1;
10732 load_gdt(&gdt_descr);
10734 - cr4 = read_cr4_safe();
10736 - if (cr4 & X86_CR4_PAE) {
10737 - swapper_pg_dir[pgd_index(0)].pgd =
10738 - efi_bak_pg_dir_pointer[0].pgd;
10740 - swapper_pg_dir[pgd_index(0)].pgd =
10741 - efi_bak_pg_dir_pointer[0].pgd;
10742 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10743 - efi_bak_pg_dir_pointer[1].pgd;
10745 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
10748 * After the lock is released, the original page table is restored.
10749 diff -urNp linux-2.6.35.4/arch/x86/kernel/efi_stub_32.S linux-2.6.35.4/arch/x86/kernel/efi_stub_32.S
10750 --- linux-2.6.35.4/arch/x86/kernel/efi_stub_32.S 2010-08-26 19:47:12.000000000 -0400
10751 +++ linux-2.6.35.4/arch/x86/kernel/efi_stub_32.S 2010-09-17 20:12:09.000000000 -0400
10755 #include <linux/linkage.h>
10756 +#include <linux/init.h>
10757 #include <asm/page_types.h>
10761 * service functions will comply with gcc calling convention, too.
10766 ENTRY(efi_call_phys)
10768 * 0. The function can only be called in Linux kernel. So CS has been
10769 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
10770 * The mapping of lower virtual memory has been created in prelog and
10774 - subl $__PAGE_OFFSET, %edx
10776 + jmp 1f-__PAGE_OFFSET
10780 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
10781 * parameter 2, ..., param n. To make things easy, we save the return
10782 * address of efi_call_phys in a global variable.
10785 - movl %edx, saved_return_addr
10786 - /* get the function pointer into ECX*/
10788 - movl %ecx, efi_rt_function_ptr
10790 - subl $__PAGE_OFFSET, %edx
10792 + popl (saved_return_addr)
10793 + popl (efi_rt_function_ptr)
10796 * 3. Clear PG bit in %CR0.
10797 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
10799 * 5. Call the physical function.
10802 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
10806 * 6. After EFI runtime service returns, control will return to
10807 * following instruction. We'd better readjust stack pointer first.
10808 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
10810 orl $0x80000000, %edx
10816 * 8. Now restore the virtual mode from flat mode by
10817 * adding EIP with PAGE_OFFSET.
10821 + jmp 1f+__PAGE_OFFSET
10825 * 9. Balance the stack. And because EAX contain the return value,
10826 * we'd better not clobber it.
10828 - leal efi_rt_function_ptr, %edx
10829 - movl (%edx), %ecx
10831 + pushl (efi_rt_function_ptr)
10834 - * 10. Push the saved return address onto the stack and return.
10835 + * 10. Return to the saved return address.
10837 - leal saved_return_addr, %edx
10838 - movl (%edx), %ecx
10841 + jmpl *(saved_return_addr)
10842 ENDPROC(efi_call_phys)
10849 efi_rt_function_ptr:
10850 diff -urNp linux-2.6.35.4/arch/x86/kernel/entry_32.S linux-2.6.35.4/arch/x86/kernel/entry_32.S
10851 --- linux-2.6.35.4/arch/x86/kernel/entry_32.S 2010-08-26 19:47:12.000000000 -0400
10852 +++ linux-2.6.35.4/arch/x86/kernel/entry_32.S 2010-09-17 20:12:09.000000000 -0400
10853 @@ -192,7 +192,67 @@
10855 #endif /* CONFIG_X86_32_LAZY_GS */
10858 +.macro PAX_EXIT_KERNEL
10859 +#ifdef CONFIG_PAX_KERNEXEC
10860 +#ifdef CONFIG_PARAVIRT
10861 + push %eax; push %ecx;
10864 + cmp $__KERNEXEC_KERNEL_CS, %esi
10866 +#ifdef CONFIG_PARAVIRT
10867 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
10873 + ljmp $__KERNEL_CS, $1f
10875 +#ifdef CONFIG_PARAVIRT
10877 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
10882 +#ifdef CONFIG_PARAVIRT
10883 + pop %ecx; pop %eax
10888 +.macro PAX_ENTER_KERNEL
10889 +#ifdef CONFIG_PAX_KERNEXEC
10890 +#ifdef CONFIG_PARAVIRT
10891 + push %eax; push %ecx;
10892 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
10900 + cmp $__KERNEL_CS, %esi
10902 + ljmp $__KERNEL_CS, $3f
10903 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
10905 +#ifdef CONFIG_PARAVIRT
10907 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
10912 +#ifdef CONFIG_PARAVIRT
10913 + pop %ecx; pop %eax
10918 +.macro __SAVE_ALL _DS
10922 @@ -225,7 +285,7 @@
10924 CFI_ADJUST_CFA_OFFSET 4
10925 CFI_REL_OFFSET ebx, 0
10926 - movl $(__USER_DS), %edx
10930 movl $(__KERNEL_PERCPU), %edx
10931 @@ -233,6 +293,15 @@
10936 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
10937 + __SAVE_ALL __KERNEL_DS
10940 + __SAVE_ALL __USER_DS
10944 .macro RESTORE_INT_REGS
10946 CFI_ADJUST_CFA_OFFSET -4
10947 @@ -357,7 +426,15 @@ check_userspace:
10948 movb PT_CS(%esp), %al
10949 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
10950 cmpl $USER_RPL, %eax
10952 +#ifdef CONFIG_PAX_KERNEXEC
10953 + jae resume_userspace
10956 + jmp resume_kernel
10958 jb resume_kernel # not returning to v8086 or userspace
10961 ENTRY(resume_userspace)
10963 @@ -423,10 +500,9 @@ sysenter_past_esp:
10964 /*CFI_REL_OFFSET cs, 0*/
10966 * Push current_thread_info()->sysenter_return to the stack.
10967 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
10968 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
10970 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
10971 + GET_THREAD_INFO(%ebp)
10972 + pushl TI_sysenter_return(%ebp)
10973 CFI_ADJUST_CFA_OFFSET 4
10974 CFI_REL_OFFSET eip, 0
10976 @@ -439,9 +515,19 @@ sysenter_past_esp:
10977 * Load the potential sixth argument from user stack.
10978 * Careful about security.
10980 + movl PT_OLDESP(%esp),%ebp
10982 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10983 + mov PT_OLDSS(%esp),%ds
10984 +1: movl %ds:(%ebp),%ebp
10988 cmpl $__PAGE_OFFSET-3,%ebp
10990 1: movl (%ebp),%ebp
10993 movl %ebp,PT_EBP(%esp)
10994 .section __ex_table,"a"
10996 @@ -464,12 +550,23 @@ sysenter_do_call:
10997 testl $_TIF_ALLWORK_MASK, %ecx
11001 +#ifdef CONFIG_PAX_RANDKSTACK
11003 + CFI_ADJUST_CFA_OFFSET 4
11004 + call pax_randomize_kstack
11006 + CFI_ADJUST_CFA_OFFSET -4
11009 /* if something modifies registers it must also disable sysexit */
11010 movl PT_EIP(%esp), %edx
11011 movl PT_OLDESP(%esp), %ecx
11014 1: mov PT_FS(%esp), %fs
11015 +2: mov PT_DS(%esp), %ds
11016 +3: mov PT_ES(%esp), %es
11018 ENABLE_INTERRUPTS_SYSEXIT
11020 @@ -513,11 +610,17 @@ sysexit_audit:
11023 .pushsection .fixup,"ax"
11024 -2: movl $0,PT_FS(%esp)
11025 +4: movl $0,PT_FS(%esp)
11027 +5: movl $0,PT_DS(%esp)
11029 +6: movl $0,PT_ES(%esp)
11031 .section __ex_table,"a"
11039 ENDPROC(ia32_sysenter_target)
11040 @@ -551,6 +654,10 @@ syscall_exit:
11041 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11042 jne syscall_exit_work
11044 +#ifdef CONFIG_PAX_RANDKSTACK
11045 + call pax_randomize_kstack
11050 restore_all_notrace:
11051 @@ -615,7 +722,13 @@ ldt_ss:
11052 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11053 mov %dx, %ax /* eax: new kernel esp */
11054 sub %eax, %edx /* offset (low word is 0) */
11055 - PER_CPU(gdt_page, %ebx)
11057 + movl PER_CPU_VAR(cpu_number), %ebx
11058 + shll $PAGE_SHIFT_asm, %ebx
11059 + addl $cpu_gdt_table, %ebx
11061 + movl $cpu_gdt_table, %ebx
11064 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
11065 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
11066 @@ -655,25 +768,19 @@ work_resched:
11068 work_notifysig: # deal with pending signals and
11069 # notify-resume requests
11072 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11074 - jne work_notifysig_v86 # returning to kernel-space or
11075 + jz 1f # returning to kernel-space or
11078 - call do_notify_resume
11079 - jmp resume_userspace_sig
11082 -work_notifysig_v86:
11083 pushl %ecx # save ti_flags for do_notify_resume
11084 CFI_ADJUST_CFA_OFFSET 4
11085 call save_v86_state # %eax contains pt_regs pointer
11087 CFI_ADJUST_CFA_OFFSET -4
11094 call do_notify_resume
11095 @@ -708,6 +815,10 @@ END(syscall_exit_work)
11097 RING0_INT_FRAME # can't unwind into user space anyway
11099 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11103 GET_THREAD_INFO(%ebp)
11104 movl $-EFAULT,PT_EAX(%esp)
11105 jmp resume_userspace
11106 @@ -791,7 +902,13 @@ ptregs_clone:
11107 * normal stack and adjusts ESP with the matching offset.
11109 /* fixup the stack */
11110 - PER_CPU(gdt_page, %ebx)
11112 + movl PER_CPU_VAR(cpu_number), %ebx
11113 + shll $PAGE_SHIFT_asm, %ebx
11114 + addl $cpu_gdt_table, %ebx
11116 + movl $cpu_gdt_table, %ebx
11118 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
11119 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
11121 @@ -1273,7 +1390,6 @@ return_to_handler:
11125 -.section .rodata,"a"
11126 #include "syscall_table_32.S"
11128 syscall_table_size=(.-sys_call_table)
11129 @@ -1330,9 +1446,12 @@ error_code:
11130 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11133 - movl $(__USER_DS), %ecx
11134 + movl $(__KERNEL_DS), %ecx
11141 movl %esp,%eax # pt_regs pointer
11143 @@ -1426,6 +1545,9 @@ nmi_stack_correct:
11144 xorl %edx,%edx # zero error code
11145 movl %esp,%eax # pt_regs pointer
11150 jmp restore_all_notrace
11153 @@ -1466,6 +1588,9 @@ nmi_espfix_stack:
11154 FIXUP_ESPFIX_STACK # %eax == %esp
11155 xorl %edx,%edx # zero error code
11161 lss 12+4(%esp), %esp # back to espfix stack
11162 CFI_ADJUST_CFA_OFFSET -24
11163 diff -urNp linux-2.6.35.4/arch/x86/kernel/entry_64.S linux-2.6.35.4/arch/x86/kernel/entry_64.S
11164 --- linux-2.6.35.4/arch/x86/kernel/entry_64.S 2010-08-26 19:47:12.000000000 -0400
11165 +++ linux-2.6.35.4/arch/x86/kernel/entry_64.S 2010-09-17 20:12:09.000000000 -0400
11167 #include <asm/paravirt.h>
11168 #include <asm/ftrace.h>
11169 #include <asm/percpu.h>
11170 +#include <asm/pgtable.h>
11172 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11173 #include <linux/elf-em.h>
11174 @@ -174,6 +175,189 @@ ENTRY(native_usergs_sysret64)
11175 ENDPROC(native_usergs_sysret64)
11176 #endif /* CONFIG_PARAVIRT */
11178 + .macro ljmpq sel, off
11179 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11180 + .byte 0x48; ljmp *1234f(%rip)
11181 + .pushsection .rodata
11183 + 1234: .quad \off; .word \sel
11192 +ENTRY(pax_enter_kernel)
11194 +#ifdef CONFIG_PAX_KERNEXEC
11197 +#ifdef CONFIG_PARAVIRT
11198 + PV_SAVE_REGS(CLBR_RDI)
11205 + cmp $__KERNEL_CS,%edi
11207 + ljmpq __KERNEL_CS,3f
11208 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
11209 +2: SET_RDI_INTO_CR0
11212 +#ifdef CONFIG_PARAVIRT
11213 + PV_RESTORE_REGS(CLBR_RDI)
11220 +ENDPROC(pax_enter_kernel)
11222 +ENTRY(pax_exit_kernel)
11224 +#ifdef CONFIG_PAX_KERNEXEC
11227 +#ifdef CONFIG_PARAVIRT
11228 + PV_SAVE_REGS(CLBR_RDI)
11232 + cmp $__KERNEXEC_KERNEL_CS,%edi
11236 + ljmpq __KERNEL_CS,1f
11237 +1: SET_RDI_INTO_CR0
11240 +#ifdef CONFIG_PARAVIRT
11241 + PV_RESTORE_REGS(CLBR_RDI);
11248 +ENDPROC(pax_exit_kernel)
11250 +ENTRY(pax_enter_kernel_user)
11252 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11256 +#ifdef CONFIG_PARAVIRT
11257 + PV_SAVE_REGS(CLBR_RDI)
11262 + add $__START_KERNEL_map,%rbx
11263 + sub phys_base(%rip),%rbx
11265 +#ifdef CONFIG_PARAVIRT
11267 + cmpl $0, pv_info+PARAVIRT_enabled
11270 + .rept USER_PGD_PTRS
11271 + mov i*8(%rbx),%rsi
11273 + lea i*8(%rbx),%rdi
11274 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11282 + .rept USER_PGD_PTRS
11283 + movb $0,i*8(%rbx)
11287 +#ifdef CONFIG_PARAVIRT
11292 +#ifdef CONFIG_PAX_KERNEXEC
11298 +#ifdef CONFIG_PARAVIRT
11299 + PV_RESTORE_REGS(CLBR_RDI)
11307 +ENDPROC(pax_enter_kernel_user)
11309 +ENTRY(pax_exit_kernel_user)
11311 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11314 +#ifdef CONFIG_PARAVIRT
11316 + PV_SAVE_REGS(CLBR_RDI)
11319 +#ifdef CONFIG_PAX_KERNEXEC
11326 + add $__START_KERNEL_map,%rdi
11327 + sub phys_base(%rip),%rdi
11329 +#ifdef CONFIG_PARAVIRT
11330 + cmpl $0, pv_info+PARAVIRT_enabled
11334 + .rept USER_PGD_PTRS
11335 + mov i*8(%rbx),%rsi
11337 + lea i*8(%rbx),%rdi
11338 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11346 + .rept USER_PGD_PTRS
11347 + movb $0x67,i*8(%rdi)
11351 +#ifdef CONFIG_PARAVIRT
11352 +2: PV_RESTORE_REGS(CLBR_RDI)
11360 +ENDPROC(pax_exit_kernel_user)
11362 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
11363 #ifdef CONFIG_TRACE_IRQFLAGS
11364 @@ -317,7 +501,7 @@ ENTRY(save_args)
11365 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
11366 movq_cfi rbp, 8 /* push %rbp */
11367 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
11368 - testl $3, CS(%rdi)
11369 + testb $3, CS(%rdi)
11373 @@ -409,7 +593,7 @@ ENTRY(ret_from_fork)
11377 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11378 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11379 je int_ret_from_sys_call
11381 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
11382 @@ -468,6 +652,11 @@ ENTRY(system_call_after_swapgs)
11384 movq %rsp,PER_CPU_VAR(old_rsp)
11385 movq PER_CPU_VAR(kernel_stack),%rsp
11387 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11388 + call pax_enter_kernel_user
11392 * No need to follow this irqs off/on section - it's straight
11394 @@ -502,6 +691,11 @@ sysret_check:
11399 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11400 + call pax_exit_kernel_user
11404 * sysretq will re-enable interrupts:
11406 @@ -613,7 +807,7 @@ tracesys:
11407 GLOBAL(int_ret_from_sys_call)
11408 DISABLE_INTERRUPTS(CLBR_NONE)
11410 - testl $3,CS-ARGOFFSET(%rsp)
11411 + testb $3,CS-ARGOFFSET(%rsp)
11412 je retint_restore_args
11413 movl $_TIF_ALLWORK_MASK,%edi
11414 /* edi: mask to check */
11415 @@ -800,6 +994,16 @@ END(interrupt)
11416 CFI_ADJUST_CFA_OFFSET 10*8
11419 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11420 + testb $3, CS(%rdi)
11422 + call pax_enter_kernel
11424 +1: call pax_enter_kernel_user
11427 + call pax_enter_kernel
11432 @@ -826,7 +1030,7 @@ ret_from_intr:
11433 CFI_ADJUST_CFA_OFFSET -8
11435 GET_THREAD_INFO(%rcx)
11436 - testl $3,CS-ARGOFFSET(%rsp)
11437 + testb $3,CS-ARGOFFSET(%rsp)
11440 /* Interrupt came from user space */
11441 @@ -848,12 +1052,18 @@ retint_swapgs: /* return to user-space
11442 * The iretq could re-enable interrupts:
11444 DISABLE_INTERRUPTS(CLBR_ANY)
11446 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11447 + call pax_exit_kernel_user
11454 retint_restore_args: /* return to kernel space */
11455 DISABLE_INTERRUPTS(CLBR_ANY)
11456 + call pax_exit_kernel
11458 * The iretq could re-enable interrupts:
11460 @@ -1040,6 +1250,16 @@ ENTRY(\sym)
11461 CFI_ADJUST_CFA_OFFSET 15*8
11464 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11465 + testb $3, CS(%rsp)
11467 + call pax_enter_kernel
11469 +1: call pax_enter_kernel_user
11472 + call pax_enter_kernel
11474 movq %rsp,%rdi /* pt_regs pointer */
11475 xorl %esi,%esi /* no error code */
11477 @@ -1057,6 +1277,16 @@ ENTRY(\sym)
11481 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11482 + testb $3, CS(%rsp)
11484 + call pax_enter_kernel
11486 +1: call pax_enter_kernel_user
11489 + call pax_enter_kernel
11491 movq %rsp,%rdi /* pt_regs pointer */
11492 xorl %esi,%esi /* no error code */
11494 @@ -1074,9 +1304,24 @@ ENTRY(\sym)
11498 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11499 + testb $3, CS(%rsp)
11501 + call pax_enter_kernel
11503 +1: call pax_enter_kernel_user
11506 + call pax_enter_kernel
11508 movq %rsp,%rdi /* pt_regs pointer */
11509 xorl %esi,%esi /* no error code */
11510 - PER_CPU(init_tss, %r12)
11512 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
11513 + lea init_tss(%r12), %r12
11515 + lea init_tss(%rip), %r12
11517 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
11519 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
11520 @@ -1093,6 +1338,16 @@ ENTRY(\sym)
11521 CFI_ADJUST_CFA_OFFSET 15*8
11524 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11525 + testb $3, CS(%rsp)
11527 + call pax_enter_kernel
11529 +1: call pax_enter_kernel_user
11532 + call pax_enter_kernel
11534 movq %rsp,%rdi /* pt_regs pointer */
11535 movq ORIG_RAX(%rsp),%rsi /* get error code */
11536 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11537 @@ -1112,6 +1367,16 @@ ENTRY(\sym)
11541 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11542 + testb $3, CS(%rsp)
11544 + call pax_enter_kernel
11546 +1: call pax_enter_kernel_user
11549 + call pax_enter_kernel
11551 movq %rsp,%rdi /* pt_regs pointer */
11552 movq ORIG_RAX(%rsp),%rsi /* get error code */
11553 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11554 @@ -1370,14 +1635,27 @@ ENTRY(paranoid_exit)
11556 testl %ebx,%ebx /* swapgs needed? */
11557 jnz paranoid_restore
11558 - testl $3,CS(%rsp)
11559 + testb $3,CS(%rsp)
11560 jnz paranoid_userspace
11561 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11562 + call pax_exit_kernel
11563 + TRACE_IRQS_IRETQ 0
11564 + SWAPGS_UNSAFE_STACK
11569 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11570 + call pax_exit_kernel_user
11572 + call pax_exit_kernel
11575 SWAPGS_UNSAFE_STACK
11579 + call pax_exit_kernel
11583 @@ -1435,7 +1713,7 @@ ENTRY(error_entry)
11584 movq_cfi r14, R14+8
11585 movq_cfi r15, R15+8
11587 - testl $3,CS+8(%rsp)
11588 + testb $3,CS+8(%rsp)
11589 je error_kernelspace
11592 @@ -1499,6 +1777,16 @@ ENTRY(nmi)
11593 CFI_ADJUST_CFA_OFFSET 15*8
11596 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11597 + testb $3, CS(%rsp)
11599 + call pax_enter_kernel
11601 +1: call pax_enter_kernel_user
11604 + call pax_enter_kernel
11606 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
11609 @@ -1509,11 +1797,12 @@ ENTRY(nmi)
11610 DISABLE_INTERRUPTS(CLBR_NONE)
11611 testl %ebx,%ebx /* swapgs needed? */
11613 - testl $3,CS(%rsp)
11614 + testb $3,CS(%rsp)
11617 SWAPGS_UNSAFE_STACK
11619 + call pax_exit_kernel
11623 diff -urNp linux-2.6.35.4/arch/x86/kernel/ftrace.c linux-2.6.35.4/arch/x86/kernel/ftrace.c
11624 --- linux-2.6.35.4/arch/x86/kernel/ftrace.c 2010-08-26 19:47:12.000000000 -0400
11625 +++ linux-2.6.35.4/arch/x86/kernel/ftrace.c 2010-09-17 20:12:09.000000000 -0400
11626 @@ -174,7 +174,9 @@ void ftrace_nmi_enter(void)
11628 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
11630 + pax_open_kernel();
11632 + pax_close_kernel();
11633 atomic_inc(&nmi_update_count);
11635 /* Must have previous changes seen before executions */
11636 @@ -260,7 +262,7 @@ do_ftrace_mod_code(unsigned long ip, voi
11640 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
11641 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
11643 static unsigned char *ftrace_nop_replace(void)
11645 @@ -273,6 +275,8 @@ ftrace_modify_code(unsigned long ip, uns
11647 unsigned char replaced[MCOUNT_INSN_SIZE];
11649 + ip = ktla_ktva(ip);
11652 * Note: Due to modules and __init, code can
11653 * disappear and change, we need to protect against faulting
11654 @@ -329,7 +333,7 @@ int ftrace_update_ftrace_func(ftrace_fun
11655 unsigned char old[MCOUNT_INSN_SIZE], *new;
11658 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
11659 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
11660 new = ftrace_call_replace(ip, (unsigned long)func);
11661 ret = ftrace_modify_code(ip, old, new);
11663 @@ -382,15 +386,15 @@ int __init ftrace_dyn_arch_init(void *da
11666 pr_info("converting mcount calls to 0f 1f 44 00 00\n");
11667 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
11668 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
11671 pr_info("converting mcount calls to 66 66 66 66 90\n");
11672 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
11673 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
11676 pr_info("converting mcount calls to jmp . + 5\n");
11677 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
11678 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
11682 @@ -411,6 +415,8 @@ static int ftrace_mod_jmp(unsigned long
11684 unsigned char code[MCOUNT_INSN_SIZE];
11686 + ip = ktla_ktva(ip);
11688 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
11691 diff -urNp linux-2.6.35.4/arch/x86/kernel/head32.c linux-2.6.35.4/arch/x86/kernel/head32.c
11692 --- linux-2.6.35.4/arch/x86/kernel/head32.c 2010-08-26 19:47:12.000000000 -0400
11693 +++ linux-2.6.35.4/arch/x86/kernel/head32.c 2010-09-17 20:12:09.000000000 -0400
11695 #include <asm/apic.h>
11696 #include <asm/io_apic.h>
11697 #include <asm/bios_ebda.h>
11698 +#include <asm/boot.h>
11700 static void __init i386_default_early_setup(void)
11702 @@ -40,7 +41,7 @@ void __init i386_start_kernel(void)
11706 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11707 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11709 #ifdef CONFIG_BLK_DEV_INITRD
11710 /* Reserve INITRD */
11711 diff -urNp linux-2.6.35.4/arch/x86/kernel/head_32.S linux-2.6.35.4/arch/x86/kernel/head_32.S
11712 --- linux-2.6.35.4/arch/x86/kernel/head_32.S 2010-08-26 19:47:12.000000000 -0400
11713 +++ linux-2.6.35.4/arch/x86/kernel/head_32.S 2010-09-17 20:12:09.000000000 -0400
11715 /* Physical address */
11716 #define pa(X) ((X) - __PAGE_OFFSET)
11718 +#ifdef CONFIG_PAX_KERNEXEC
11721 +#define ta(X) ((X) - __PAGE_OFFSET)
11725 * References to members of the new_cpu_data structure.
11728 * and small than max_low_pfn, otherwise will waste some page table entries
11731 -#if PTRS_PER_PMD > 1
11732 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
11734 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
11736 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
11738 /* Enough space to fit pagetables for the low memory linear map */
11739 MAPPING_BEYOND_END = \
11740 @@ -75,6 +77,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
11741 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
11744 + * Real beginning of normal "text" segment
11750 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
11751 * %esi points to the real-mode code as a 32-bit pointer.
11752 * CS and DS must be 4 GB flat segments, but we don't depend on
11753 @@ -82,6 +90,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
11758 +#ifdef CONFIG_PAX_KERNEXEC
11760 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
11761 +.fill PAGE_SIZE-5,1,0xcc
11765 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
11766 us to not reload segments */
11767 @@ -99,6 +114,55 @@ ENTRY(startup_32)
11772 + movl $pa(cpu_gdt_table),%edi
11773 + movl $__per_cpu_load,%eax
11774 + movw %ax,__KERNEL_PERCPU + 2(%edi)
11776 + movb %al,__KERNEL_PERCPU + 4(%edi)
11777 + movb %ah,__KERNEL_PERCPU + 7(%edi)
11778 + movl $__per_cpu_end - 1,%eax
11779 + subl $__per_cpu_start,%eax
11780 + movw %ax,__KERNEL_PERCPU + 0(%edi)
11783 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11784 + movl $NR_CPUS,%ecx
11785 + movl $pa(cpu_gdt_table),%edi
11787 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
11788 + addl $PAGE_SIZE_asm,%edi
11792 +#ifdef CONFIG_PAX_KERNEXEC
11793 + movl $pa(boot_gdt),%edi
11794 + movl $__LOAD_PHYSICAL_ADDR,%eax
11795 + movw %ax,__BOOT_CS + 2(%edi)
11797 + movb %al,__BOOT_CS + 4(%edi)
11798 + movb %ah,__BOOT_CS + 7(%edi)
11801 + ljmp $(__BOOT_CS),$1f
11804 + movl $NR_CPUS,%ecx
11805 + movl $pa(cpu_gdt_table),%edi
11806 + addl $__PAGE_OFFSET,%eax
11808 + movw %ax,__KERNEL_CS + 2(%edi)
11809 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
11811 + movb %al,__KERNEL_CS + 4(%edi)
11812 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
11813 + movb %ah,__KERNEL_CS + 7(%edi)
11814 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
11816 + addl $PAGE_SIZE_asm,%edi
11821 * Clear BSS first so that there are no surprises...
11823 @@ -142,9 +206,7 @@ ENTRY(startup_32)
11824 cmpl $num_subarch_entries, %eax
11827 - movl pa(subarch_entries)(,%eax,4), %eax
11828 - subl $__PAGE_OFFSET, %eax
11830 + jmp *pa(subarch_entries)(,%eax,4)
11834 @@ -156,10 +218,10 @@ WEAK(xen_entry)
11838 - .long default_entry /* normal x86/PC */
11839 - .long lguest_entry /* lguest hypervisor */
11840 - .long xen_entry /* Xen hypervisor */
11841 - .long default_entry /* Moorestown MID */
11842 + .long ta(default_entry) /* normal x86/PC */
11843 + .long ta(lguest_entry) /* lguest hypervisor */
11844 + .long ta(xen_entry) /* Xen hypervisor */
11845 + .long ta(default_entry) /* Moorestown MID */
11846 num_subarch_entries = (. - subarch_entries) / 4
11848 #endif /* CONFIG_PARAVIRT */
11849 @@ -220,8 +282,11 @@ default_entry:
11850 movl %eax, pa(max_pfn_mapped)
11852 /* Do early initialization of the fixmap area */
11853 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
11854 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
11855 +#ifdef CONFIG_COMPAT_VDSO
11856 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
11858 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
11860 #else /* Not PAE */
11862 page_pde_offset = (__PAGE_OFFSET >> 20);
11863 @@ -251,8 +316,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
11864 movl %eax, pa(max_pfn_mapped)
11866 /* Do early initialization of the fixmap area */
11867 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
11868 - movl %eax,pa(swapper_pg_dir+0xffc)
11869 +#ifdef CONFIG_COMPAT_VDSO
11870 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
11872 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
11877 @@ -299,6 +367,7 @@ ENTRY(startup_32_smp)
11881 +#ifdef CONFIG_X86_PAE
11882 testb $X86_CR4_PAE, %al # check if PAE is enabled
11885 @@ -323,6 +392,9 @@ ENTRY(startup_32_smp)
11886 /* Make changes effective */
11889 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
11895 @@ -348,9 +420,7 @@ ENTRY(startup_32_smp)
11899 - jz 1f /* Initial CPU cleans BSS */
11902 + jnz checkCPUtype /* Initial CPU cleans BSS */
11903 #endif /* CONFIG_SMP */
11906 @@ -428,7 +498,7 @@ is386: movl $2,%ecx # set MP
11907 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
11908 movl %eax,%ss # after changing gdt.
11910 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
11911 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
11915 @@ -442,8 +512,11 @@ is386: movl $2,%ecx # set MP
11919 - movl $gdt_page,%eax
11920 + movl $cpu_gdt_table,%eax
11921 movl $stack_canary,%ecx
11923 + addl $__per_cpu_load,%ecx
11925 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
11927 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
11928 @@ -461,10 +534,6 @@ is386: movl $2,%ecx # set MP
11932 - cmpb $0,%cl # the first CPU calls start_kernel
11934 - movl (stack_start), %esp
11936 #endif /* CONFIG_SMP */
11937 jmp *(initial_code)
11939 @@ -550,22 +619,22 @@ early_page_fault:
11944 #ifdef CONFIG_PRINTK
11945 + cmpl $1,%ss:early_recursion_flag
11947 + incl %ss:early_recursion_flag
11950 movl $(__KERNEL_DS),%eax
11953 - cmpl $2,early_recursion_flag
11955 - incl early_recursion_flag
11958 pushl %edx /* trapno */
11967 @@ -573,8 +642,11 @@ hlt_loop:
11968 /* This is the default interrupt "handler" :-) */
11972 #ifdef CONFIG_PRINTK
11973 + cmpl $2,%ss:early_recursion_flag
11975 + incl %ss:early_recursion_flag
11980 @@ -583,9 +655,6 @@ ignore_int:
11981 movl $(__KERNEL_DS),%eax
11984 - cmpl $2,early_recursion_flag
11986 - incl early_recursion_flag
11990 @@ -612,27 +681,38 @@ ENTRY(initial_code)
11994 -__PAGE_ALIGNED_BSS
11995 - .align PAGE_SIZE_asm
11996 #ifdef CONFIG_X86_PAE
11997 +.section .swapper_pg_pmd,"a",@progbits
11999 .fill 1024*KPMDS,4,0
12001 +.section .swapper_pg_dir,"a",@progbits
12002 ENTRY(swapper_pg_dir)
12009 +.section .empty_zero_page,"a",@progbits
12010 ENTRY(empty_zero_page)
12014 + * The IDT has to be page-aligned to simplify the Pentium
12015 + * F0 0F bug workaround.. We have a special link segment
12018 +.section .idt,"a",@progbits
12023 * This starts the data section.
12025 #ifdef CONFIG_X86_PAE
12026 -__PAGE_ALIGNED_DATA
12027 - /* Page-aligned for the benefit of paravirt? */
12028 - .align PAGE_SIZE_asm
12029 +.section .swapper_pg_dir,"a",@progbits
12031 ENTRY(swapper_pg_dir)
12032 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
12034 @@ -651,15 +731,24 @@ ENTRY(swapper_pg_dir)
12035 # error "Kernel PMDs should be 1, 2 or 3"
12037 .align PAGE_SIZE_asm /* needs to be page-sized too */
12039 +#ifdef CONFIG_PAX_PER_CPU_PGD
12050 - .long init_thread_union+THREAD_SIZE
12051 + .long init_thread_union+THREAD_SIZE-8
12056 +.section .rodata,"a",@progbits
12057 early_recursion_flag:
12060 @@ -695,7 +784,7 @@ fault_msg:
12061 .word 0 # 32 bit align gdt_desc.address
12064 - .long boot_gdt - __PAGE_OFFSET
12065 + .long pa(boot_gdt)
12067 .word 0 # 32-bit align idt_desc.address
12069 @@ -706,7 +795,7 @@ idt_descr:
12070 .word 0 # 32 bit align gdt_desc.address
12071 ENTRY(early_gdt_descr)
12072 .word GDT_ENTRIES*8-1
12073 - .long gdt_page /* Overwritten for secondary CPUs */
12074 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
12077 * The boot_gdt must mirror the equivalent in setup.S and is
12078 @@ -715,5 +804,65 @@ ENTRY(early_gdt_descr)
12079 .align L1_CACHE_BYTES
12081 .fill GDT_ENTRY_BOOT_CS,8,0
12082 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12083 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12084 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12085 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12087 + .align PAGE_SIZE_asm
12088 +ENTRY(cpu_gdt_table)
12090 + .quad 0x0000000000000000 /* NULL descriptor */
12091 + .quad 0x0000000000000000 /* 0x0b reserved */
12092 + .quad 0x0000000000000000 /* 0x13 reserved */
12093 + .quad 0x0000000000000000 /* 0x1b reserved */
12095 +#ifdef CONFIG_PAX_KERNEXEC
12096 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12098 + .quad 0x0000000000000000 /* 0x20 unused */
12101 + .quad 0x0000000000000000 /* 0x28 unused */
12102 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12103 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12104 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12105 + .quad 0x0000000000000000 /* 0x4b reserved */
12106 + .quad 0x0000000000000000 /* 0x53 reserved */
12107 + .quad 0x0000000000000000 /* 0x5b reserved */
12109 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12110 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12111 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12112 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12114 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12115 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12118 + * Segments used for calling PnP BIOS have byte granularity.
12119 + * The code segments and data segments have fixed 64k limits,
12120 + * the transfer segment sizes are set at run time.
12122 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
12123 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
12124 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
12125 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
12126 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
12129 + * The APM segments have byte granularity and their bases
12130 + * are set at run time. All have 64k limits.
12132 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12133 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12134 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
12136 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12137 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
12138 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
12139 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12140 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12141 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12143 + /* Be sure this is zeroed to avoid false validations in Xen */
12144 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
12146 diff -urNp linux-2.6.35.4/arch/x86/kernel/head_64.S linux-2.6.35.4/arch/x86/kernel/head_64.S
12147 --- linux-2.6.35.4/arch/x86/kernel/head_64.S 2010-08-26 19:47:12.000000000 -0400
12148 +++ linux-2.6.35.4/arch/x86/kernel/head_64.S 2010-09-17 20:12:09.000000000 -0400
12150 #include <asm/cache.h>
12151 #include <asm/processor-flags.h>
12152 #include <asm/percpu.h>
12153 +#include <asm/cpufeature.h>
12155 #ifdef CONFIG_PARAVIRT
12156 #include <asm/asm-offsets.h>
12157 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12158 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12159 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12160 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12161 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12162 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12163 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12164 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12168 @@ -85,35 +90,22 @@ startup_64:
12170 addq %rbp, init_level4_pgt + 0(%rip)
12171 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12172 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12173 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12174 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12176 addq %rbp, level3_ident_pgt + 0(%rip)
12177 +#ifndef CONFIG_XEN
12178 + addq %rbp, level3_ident_pgt + 8(%rip)
12181 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12182 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12183 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12185 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12186 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12187 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12189 - /* Add an Identity mapping if I am above 1G */
12190 - leaq _text(%rip), %rdi
12191 - andq $PMD_PAGE_MASK, %rdi
12194 - shrq $PUD_SHIFT, %rax
12195 - andq $(PTRS_PER_PUD - 1), %rax
12196 - jz ident_complete
12198 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12199 - leaq level3_ident_pgt(%rip), %rbx
12200 - movq %rdx, 0(%rbx, %rax, 8)
12203 - shrq $PMD_SHIFT, %rax
12204 - andq $(PTRS_PER_PMD - 1), %rax
12205 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12206 - leaq level2_spare_pgt(%rip), %rbx
12207 - movq %rdx, 0(%rbx, %rax, 8)
12209 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12210 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12213 * Fixup the kernel text+data virtual addresses. Note that
12214 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12215 * after the boot processor executes this code.
12218 - /* Enable PAE mode and PGE */
12219 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12220 + /* Enable PAE mode and PSE/PGE */
12221 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
12224 /* Setup early boot stage 4 level pagetables. */
12225 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
12226 movl $MSR_EFER, %ecx
12228 btsl $_EFER_SCE, %eax /* Enable System Call */
12229 - btl $20,%edi /* No Execute supported? */
12230 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
12232 btsl $_EFER_NX, %eax
12233 + leaq init_level4_pgt(%rip), %rdi
12234 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
12235 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
12236 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
12237 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
12238 1: wrmsr /* Make changes effective */
12241 @@ -271,7 +268,7 @@ ENTRY(secondary_startup_64)
12245 - .section ".init.text","ax"
12247 #ifdef CONFIG_EARLY_PRINTK
12248 .globl early_idt_handlers
12249 early_idt_handlers:
12250 @@ -316,18 +313,23 @@ ENTRY(early_idt_handler)
12251 #endif /* EARLY_PRINTK */
12256 #ifdef CONFIG_EARLY_PRINTK
12258 early_recursion_flag:
12262 + .section .rodata,"a",@progbits
12264 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
12267 -#endif /* CONFIG_EARLY_PRINTK */
12269 +#endif /* CONFIG_EARLY_PRINTK */
12271 + .section .rodata,"a",@progbits
12272 #define NEXT_PAGE(name) \
12273 .balign PAGE_SIZE; \
12275 @@ -351,13 +353,36 @@ NEXT_PAGE(init_level4_pgt)
12276 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12277 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
12278 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12279 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
12280 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
12281 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
12282 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12283 .org init_level4_pgt + L4_START_KERNEL*8, 0
12284 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
12285 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
12287 +#ifdef CONFIG_PAX_PER_CPU_PGD
12288 +NEXT_PAGE(cpu_pgd)
12294 NEXT_PAGE(level3_ident_pgt)
12295 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12299 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
12303 +NEXT_PAGE(level3_vmalloc_pgt)
12306 +NEXT_PAGE(level3_vmemmap_pgt)
12307 + .fill L3_VMEMMAP_START,8,0
12308 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12310 NEXT_PAGE(level3_kernel_pgt)
12311 .fill L3_START_KERNEL,8,0
12312 @@ -365,20 +390,23 @@ NEXT_PAGE(level3_kernel_pgt)
12313 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
12314 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12316 +NEXT_PAGE(level2_vmemmap_pgt)
12319 NEXT_PAGE(level2_fixmap_pgt)
12321 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12322 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
12325 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
12326 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
12329 -NEXT_PAGE(level1_fixmap_pgt)
12330 +NEXT_PAGE(level1_vsyscall_pgt)
12333 -NEXT_PAGE(level2_ident_pgt)
12334 - /* Since I easily can, map the first 1G.
12335 + /* Since I easily can, map the first 2G.
12336 * Don't set NX because code runs from these pages.
12338 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
12339 +NEXT_PAGE(level2_ident_pgt)
12340 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
12342 NEXT_PAGE(level2_kernel_pgt)
12344 @@ -391,33 +419,55 @@ NEXT_PAGE(level2_kernel_pgt)
12345 * If you want to increase this then increase MODULES_VADDR
12348 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
12349 - KERNEL_IMAGE_SIZE/PMD_SIZE)
12351 -NEXT_PAGE(level2_spare_pgt)
12353 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
12360 +ENTRY(cpu_gdt_table)
12362 + .quad 0x0000000000000000 /* NULL descriptor */
12363 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
12364 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
12365 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
12366 + .quad 0x00cffb000000ffff /* __USER32_CS */
12367 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
12368 + .quad 0x00affb000000ffff /* __USER_CS */
12370 +#ifdef CONFIG_PAX_KERNEXEC
12371 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
12373 + .quad 0x0 /* unused */
12376 + .quad 0,0 /* TSS */
12377 + .quad 0,0 /* LDT */
12378 + .quad 0,0,0 /* three TLS descriptors */
12379 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
12380 + /* asm/segment.h:GDT_ENTRIES must match this */
12382 + /* zero the remaining page */
12383 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
12387 .globl early_gdt_descr
12389 .word GDT_ENTRIES*8-1
12390 early_gdt_descr_base:
12391 - .quad INIT_PER_CPU_VAR(gdt_page)
12392 + .quad cpu_gdt_table
12395 /* This must match the first entry in level2_kernel_pgt */
12396 .quad 0x0000000000000000
12398 #include "../../x86/xen/xen-head.S"
12400 - .section .bss, "aw", @nobits
12402 + .section .rodata,"a",@progbits
12403 .align L1_CACHE_BYTES
12405 - .skip IDT_ENTRIES * 16
12410 diff -urNp linux-2.6.35.4/arch/x86/kernel/i386_ksyms_32.c linux-2.6.35.4/arch/x86/kernel/i386_ksyms_32.c
12411 --- linux-2.6.35.4/arch/x86/kernel/i386_ksyms_32.c 2010-08-26 19:47:12.000000000 -0400
12412 +++ linux-2.6.35.4/arch/x86/kernel/i386_ksyms_32.c 2010-09-17 20:12:09.000000000 -0400
12413 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
12414 EXPORT_SYMBOL(cmpxchg8b_emu);
12417 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
12419 /* Networking helper routines. */
12420 EXPORT_SYMBOL(csum_partial_copy_generic);
12421 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
12422 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
12424 EXPORT_SYMBOL(__get_user_1);
12425 EXPORT_SYMBOL(__get_user_2);
12426 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
12428 EXPORT_SYMBOL(csum_partial);
12429 EXPORT_SYMBOL(empty_zero_page);
12431 +#ifdef CONFIG_PAX_KERNEXEC
12432 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
12434 diff -urNp linux-2.6.35.4/arch/x86/kernel/init_task.c linux-2.6.35.4/arch/x86/kernel/init_task.c
12435 --- linux-2.6.35.4/arch/x86/kernel/init_task.c 2010-08-26 19:47:12.000000000 -0400
12436 +++ linux-2.6.35.4/arch/x86/kernel/init_task.c 2010-09-17 20:12:09.000000000 -0400
12437 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
12438 * section. Since TSS's are completely CPU-local, we want them
12439 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
12441 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
12443 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
12444 +EXPORT_SYMBOL(init_tss);
12445 diff -urNp linux-2.6.35.4/arch/x86/kernel/ioport.c linux-2.6.35.4/arch/x86/kernel/ioport.c
12446 --- linux-2.6.35.4/arch/x86/kernel/ioport.c 2010-08-26 19:47:12.000000000 -0400
12447 +++ linux-2.6.35.4/arch/x86/kernel/ioport.c 2010-09-17 20:12:37.000000000 -0400
12449 #include <linux/sched.h>
12450 #include <linux/kernel.h>
12451 #include <linux/capability.h>
12452 +#include <linux/security.h>
12453 #include <linux/errno.h>
12454 #include <linux/types.h>
12455 #include <linux/ioport.h>
12456 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
12458 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
12460 +#ifdef CONFIG_GRKERNSEC_IO
12461 + if (turn_on && grsec_disable_privio) {
12462 + gr_handle_ioperm();
12466 if (turn_on && !capable(CAP_SYS_RAWIO))
12469 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
12470 * because the ->io_bitmap_max value must match the bitmap
12473 - tss = &per_cpu(init_tss, get_cpu());
12474 + tss = init_tss + get_cpu();
12476 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
12478 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
12480 /* Trying to gain more privileges? */
12482 +#ifdef CONFIG_GRKERNSEC_IO
12483 + if (grsec_disable_privio) {
12484 + gr_handle_iopl();
12488 if (!capable(CAP_SYS_RAWIO))
12491 diff -urNp linux-2.6.35.4/arch/x86/kernel/irq_32.c linux-2.6.35.4/arch/x86/kernel/irq_32.c
12492 --- linux-2.6.35.4/arch/x86/kernel/irq_32.c 2010-08-26 19:47:12.000000000 -0400
12493 +++ linux-2.6.35.4/arch/x86/kernel/irq_32.c 2010-09-17 20:12:09.000000000 -0400
12494 @@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
12497 /* build the stack frame on the IRQ stack */
12498 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12499 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12500 irqctx->tinfo.task = curctx->tinfo.task;
12501 irqctx->tinfo.previous_esp = current_stack_pointer;
12503 @@ -175,7 +175,7 @@ asmlinkage void do_softirq(void)
12504 irqctx->tinfo.previous_esp = current_stack_pointer;
12506 /* build the stack frame on the softirq stack */
12507 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12508 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12510 call_on_stack(__do_softirq, isp);
12512 diff -urNp linux-2.6.35.4/arch/x86/kernel/kgdb.c linux-2.6.35.4/arch/x86/kernel/kgdb.c
12513 --- linux-2.6.35.4/arch/x86/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
12514 +++ linux-2.6.35.4/arch/x86/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
12515 @@ -77,7 +77,7 @@ void pt_regs_to_gdb_regs(unsigned long *
12516 gdb_regs[GDB_CS] = regs->cs;
12517 gdb_regs[GDB_FS] = 0xFFFF;
12518 gdb_regs[GDB_GS] = 0xFFFF;
12519 - if (user_mode_vm(regs)) {
12520 + if (user_mode(regs)) {
12521 gdb_regs[GDB_SS] = regs->ss;
12522 gdb_regs[GDB_SP] = regs->sp;
12524 @@ -720,7 +720,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
12528 -struct kgdb_arch arch_kgdb_ops = {
12529 +const struct kgdb_arch arch_kgdb_ops = {
12530 /* Breakpoint instruction: */
12531 .gdb_bpt_instr = { 0xcc },
12532 .flags = KGDB_HW_BREAKPOINT,
12533 diff -urNp linux-2.6.35.4/arch/x86/kernel/kprobes.c linux-2.6.35.4/arch/x86/kernel/kprobes.c
12534 --- linux-2.6.35.4/arch/x86/kernel/kprobes.c 2010-08-26 19:47:12.000000000 -0400
12535 +++ linux-2.6.35.4/arch/x86/kernel/kprobes.c 2010-09-17 20:12:09.000000000 -0400
12536 @@ -114,9 +114,12 @@ static void __kprobes __synthesize_relat
12538 } __attribute__((packed)) *insn;
12540 - insn = (struct __arch_relative_insn *)from;
12541 + insn = (struct __arch_relative_insn *)(ktla_ktva(from));
12543 + pax_open_kernel();
12544 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
12546 + pax_close_kernel();
12549 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
12550 @@ -315,7 +318,9 @@ static int __kprobes __copy_instruction(
12553 insn_get_length(&insn);
12554 + pax_open_kernel();
12555 memcpy(dest, insn.kaddr, insn.length);
12556 + pax_close_kernel();
12558 #ifdef CONFIG_X86_64
12559 if (insn_rip_relative(&insn)) {
12560 @@ -339,7 +344,9 @@ static int __kprobes __copy_instruction(
12562 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
12563 disp = (u8 *) dest + insn_offset_displacement(&insn);
12564 + pax_open_kernel();
12565 *(s32 *) disp = (s32) newdisp;
12566 + pax_close_kernel();
12569 return insn.length;
12570 @@ -353,12 +360,12 @@ static void __kprobes arch_copy_kprobe(s
12572 __copy_instruction(p->ainsn.insn, p->addr, 0);
12574 - if (can_boost(p->addr))
12575 + if (can_boost(ktla_ktva(p->addr)))
12576 p->ainsn.boostable = 0;
12578 p->ainsn.boostable = -1;
12580 - p->opcode = *p->addr;
12581 + p->opcode = *(ktla_ktva(p->addr));
12584 int __kprobes arch_prepare_kprobe(struct kprobe *p)
12585 @@ -475,7 +482,7 @@ static void __kprobes setup_singlestep(s
12586 * nor set current_kprobe, because it doesn't use single
12589 - regs->ip = (unsigned long)p->ainsn.insn;
12590 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12591 preempt_enable_no_resched();
12594 @@ -494,7 +501,7 @@ static void __kprobes setup_singlestep(s
12595 if (p->opcode == BREAKPOINT_INSTRUCTION)
12596 regs->ip = (unsigned long)p->addr;
12598 - regs->ip = (unsigned long)p->ainsn.insn;
12599 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12603 @@ -573,7 +580,7 @@ static int __kprobes kprobe_handler(stru
12604 setup_singlestep(p, regs, kcb, 0);
12607 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
12608 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
12610 * The breakpoint instruction was removed right
12611 * after we hit it. Another cpu has removed
12612 @@ -799,7 +806,7 @@ static void __kprobes resume_execution(s
12613 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
12615 unsigned long *tos = stack_addr(regs);
12616 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
12617 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
12618 unsigned long orig_ip = (unsigned long)p->addr;
12619 kprobe_opcode_t *insn = p->ainsn.insn;
12621 @@ -982,7 +989,7 @@ int __kprobes kprobe_exceptions_notify(s
12622 struct die_args *args = data;
12623 int ret = NOTIFY_DONE;
12625 - if (args->regs && user_mode_vm(args->regs))
12626 + if (args->regs && user_mode(args->regs))
12630 diff -urNp linux-2.6.35.4/arch/x86/kernel/ldt.c linux-2.6.35.4/arch/x86/kernel/ldt.c
12631 --- linux-2.6.35.4/arch/x86/kernel/ldt.c 2010-08-26 19:47:12.000000000 -0400
12632 +++ linux-2.6.35.4/arch/x86/kernel/ldt.c 2010-09-17 20:12:09.000000000 -0400
12633 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
12638 + load_LDT_nolock(pc);
12639 if (!cpumask_equal(mm_cpumask(current->mm),
12640 cpumask_of(smp_processor_id())))
12641 smp_call_function(flush_ldt, current->mm, 1);
12645 + load_LDT_nolock(pc);
12649 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
12652 for (i = 0; i < old->size; i++)
12653 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
12654 + write_ldt_entry(new->ldt, i, old->ldt + i);
12658 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
12659 retval = copy_ldt(&mm->context, &old_mm->context);
12660 mutex_unlock(&old_mm->context.lock);
12663 + if (tsk == current) {
12664 + mm->context.vdso = ~0UL;
12666 +#ifdef CONFIG_X86_32
12667 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
12668 + mm->context.user_cs_base = 0UL;
12669 + mm->context.user_cs_limit = ~0UL;
12671 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
12672 + cpus_clear(mm->context.cpu_user_cs_mask);
12683 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
12687 +#ifdef CONFIG_PAX_SEGMEXEC
12688 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
12694 fill_ldt(&ldt, &ldt_info);
12697 diff -urNp linux-2.6.35.4/arch/x86/kernel/machine_kexec_32.c linux-2.6.35.4/arch/x86/kernel/machine_kexec_32.c
12698 --- linux-2.6.35.4/arch/x86/kernel/machine_kexec_32.c 2010-08-26 19:47:12.000000000 -0400
12699 +++ linux-2.6.35.4/arch/x86/kernel/machine_kexec_32.c 2010-09-17 20:12:09.000000000 -0400
12701 #include <asm/cacheflush.h>
12702 #include <asm/debugreg.h>
12704 -static void set_idt(void *newidt, __u16 limit)
12705 +static void set_idt(struct desc_struct *newidt, __u16 limit)
12707 struct desc_ptr curidt;
12709 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
12713 -static void set_gdt(void *newgdt, __u16 limit)
12714 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
12716 struct desc_ptr curgdt;
12718 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
12721 control_page = page_address(image->control_code_page);
12722 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
12723 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
12725 relocate_kernel_ptr = control_page;
12726 page_list[PA_CONTROL_PAGE] = __pa(control_page);
12727 diff -urNp linux-2.6.35.4/arch/x86/kernel/microcode_amd.c linux-2.6.35.4/arch/x86/kernel/microcode_amd.c
12728 --- linux-2.6.35.4/arch/x86/kernel/microcode_amd.c 2010-08-26 19:47:12.000000000 -0400
12729 +++ linux-2.6.35.4/arch/x86/kernel/microcode_amd.c 2010-09-17 20:12:09.000000000 -0400
12730 @@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
12734 -static struct microcode_ops microcode_amd_ops = {
12735 +static const struct microcode_ops microcode_amd_ops = {
12736 .request_microcode_user = request_microcode_user,
12737 .request_microcode_fw = request_microcode_fw,
12738 .collect_cpu_info = collect_cpu_info_amd,
12739 @@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
12740 .microcode_fini_cpu = microcode_fini_cpu_amd,
12743 -struct microcode_ops * __init init_amd_microcode(void)
12744 +const struct microcode_ops * __init init_amd_microcode(void)
12746 return µcode_amd_ops;
12748 diff -urNp linux-2.6.35.4/arch/x86/kernel/microcode_core.c linux-2.6.35.4/arch/x86/kernel/microcode_core.c
12749 --- linux-2.6.35.4/arch/x86/kernel/microcode_core.c 2010-08-26 19:47:12.000000000 -0400
12750 +++ linux-2.6.35.4/arch/x86/kernel/microcode_core.c 2010-09-17 20:12:09.000000000 -0400
12751 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
12753 #define MICROCODE_VERSION "2.00"
12755 -static struct microcode_ops *microcode_ops;
12756 +static const struct microcode_ops *microcode_ops;
12760 diff -urNp linux-2.6.35.4/arch/x86/kernel/microcode_intel.c linux-2.6.35.4/arch/x86/kernel/microcode_intel.c
12761 --- linux-2.6.35.4/arch/x86/kernel/microcode_intel.c 2010-08-26 19:47:12.000000000 -0400
12762 +++ linux-2.6.35.4/arch/x86/kernel/microcode_intel.c 2010-09-17 20:12:09.000000000 -0400
12763 @@ -446,13 +446,13 @@ static enum ucode_state request_microcod
12765 static int get_ucode_user(void *to, const void *from, size_t n)
12767 - return copy_from_user(to, from, n);
12768 + return copy_from_user(to, (__force const void __user *)from, n);
12771 static enum ucode_state
12772 request_microcode_user(int cpu, const void __user *buf, size_t size)
12774 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
12775 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
12778 static void microcode_fini_cpu(int cpu)
12779 @@ -463,7 +463,7 @@ static void microcode_fini_cpu(int cpu)
12783 -static struct microcode_ops microcode_intel_ops = {
12784 +static const struct microcode_ops microcode_intel_ops = {
12785 .request_microcode_user = request_microcode_user,
12786 .request_microcode_fw = request_microcode_fw,
12787 .collect_cpu_info = collect_cpu_info,
12788 @@ -471,7 +471,7 @@ static struct microcode_ops microcode_in
12789 .microcode_fini_cpu = microcode_fini_cpu,
12792 -struct microcode_ops * __init init_intel_microcode(void)
12793 +const struct microcode_ops * __init init_intel_microcode(void)
12795 return µcode_intel_ops;
12797 diff -urNp linux-2.6.35.4/arch/x86/kernel/module.c linux-2.6.35.4/arch/x86/kernel/module.c
12798 --- linux-2.6.35.4/arch/x86/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
12799 +++ linux-2.6.35.4/arch/x86/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
12801 #define DEBUGP(fmt...)
12804 -void *module_alloc(unsigned long size)
12805 +static void *__module_alloc(unsigned long size, pgprot_t prot)
12807 struct vm_struct *area;
12809 @@ -49,8 +49,18 @@ void *module_alloc(unsigned long size)
12813 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
12814 - PAGE_KERNEL_EXEC);
12815 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
12818 +void *module_alloc(unsigned long size)
12821 +#ifdef CONFIG_PAX_KERNEXEC
12822 + return __module_alloc(size, PAGE_KERNEL);
12824 + return __module_alloc(size, PAGE_KERNEL_EXEC);
12829 /* Free memory returned from module_alloc */
12830 @@ -59,6 +69,40 @@ void module_free(struct module *mod, voi
12831 vfree(module_region);
12834 +#ifdef CONFIG_PAX_KERNEXEC
12835 +#ifdef CONFIG_X86_32
12836 +void *module_alloc_exec(unsigned long size)
12838 + struct vm_struct *area;
12843 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
12844 + return area ? area->addr : NULL;
12846 +EXPORT_SYMBOL(module_alloc_exec);
12848 +void module_free_exec(struct module *mod, void *module_region)
12850 + vunmap(module_region);
12852 +EXPORT_SYMBOL(module_free_exec);
12854 +void module_free_exec(struct module *mod, void *module_region)
12856 + module_free(mod, module_region);
12858 +EXPORT_SYMBOL(module_free_exec);
12860 +void *module_alloc_exec(unsigned long size)
12862 + return __module_alloc(size, PAGE_KERNEL_RX);
12864 +EXPORT_SYMBOL(module_alloc_exec);
12868 /* We don't need anything special. */
12869 int module_frob_arch_sections(Elf_Ehdr *hdr,
12871 @@ -78,14 +122,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
12873 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
12875 - uint32_t *location;
12876 + uint32_t *plocation, location;
12878 DEBUGP("Applying relocate section %u to %u\n", relsec,
12879 sechdrs[relsec].sh_info);
12880 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
12881 /* This is where to make the change */
12882 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
12883 - + rel[i].r_offset;
12884 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
12885 + location = (uint32_t)plocation;
12886 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
12887 + plocation = ktla_ktva((void *)plocation);
12888 /* This is the symbol it is referring to. Note that all
12889 undefined symbols have been resolved. */
12890 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
12891 @@ -94,11 +140,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
12892 switch (ELF32_R_TYPE(rel[i].r_info)) {
12894 /* We add the value into the location given */
12895 - *location += sym->st_value;
12896 + pax_open_kernel();
12897 + *plocation += sym->st_value;
12898 + pax_close_kernel();
12901 /* Add the value, subtract its postition */
12902 - *location += sym->st_value - (uint32_t)location;
12903 + pax_open_kernel();
12904 + *plocation += sym->st_value - location;
12905 + pax_close_kernel();
12908 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
12909 @@ -154,21 +204,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
12910 case R_X86_64_NONE:
12913 + pax_open_kernel();
12915 + pax_close_kernel();
12918 + pax_open_kernel();
12920 + pax_close_kernel();
12921 if (val != *(u32 *)loc)
12925 + pax_open_kernel();
12927 + pax_close_kernel();
12928 if ((s64)val != *(s32 *)loc)
12931 case R_X86_64_PC32:
12933 + pax_open_kernel();
12935 + pax_close_kernel();
12938 if ((s64)val != *(s32 *)loc)
12940 diff -urNp linux-2.6.35.4/arch/x86/kernel/paravirt.c linux-2.6.35.4/arch/x86/kernel/paravirt.c
12941 --- linux-2.6.35.4/arch/x86/kernel/paravirt.c 2010-08-26 19:47:12.000000000 -0400
12942 +++ linux-2.6.35.4/arch/x86/kernel/paravirt.c 2010-09-17 20:12:09.000000000 -0400
12943 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
12944 * corresponding structure. */
12945 static void *get_call_destination(u8 type)
12947 - struct paravirt_patch_template tmpl = {
12948 + const struct paravirt_patch_template tmpl = {
12949 .pv_init_ops = pv_init_ops,
12950 .pv_time_ops = pv_time_ops,
12951 .pv_cpu_ops = pv_cpu_ops,
12952 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
12953 if (opfunc == NULL)
12954 /* If there's no function, patch it with a ud2a (BUG) */
12955 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
12956 - else if (opfunc == _paravirt_nop)
12957 + else if (opfunc == (void *)_paravirt_nop)
12958 /* If the operation is a nop, then nop the callsite */
12959 ret = paravirt_patch_nop();
12961 /* identity functions just return their single argument */
12962 - else if (opfunc == _paravirt_ident_32)
12963 + else if (opfunc == (void *)_paravirt_ident_32)
12964 ret = paravirt_patch_ident_32(insnbuf, len);
12965 - else if (opfunc == _paravirt_ident_64)
12966 + else if (opfunc == (void *)_paravirt_ident_64)
12967 ret = paravirt_patch_ident_64(insnbuf, len);
12969 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
12970 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
12971 if (insn_len > len || start == NULL)
12974 - memcpy(insnbuf, start, insn_len);
12975 + memcpy(insnbuf, ktla_ktva(start), insn_len);
12979 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
12983 -struct pv_info pv_info = {
12984 +struct pv_info pv_info __read_only = {
12985 .name = "bare hardware",
12986 .paravirt_enabled = 0,
12988 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
12991 -struct pv_init_ops pv_init_ops = {
12992 +struct pv_init_ops pv_init_ops __read_only = {
12993 .patch = native_patch,
12996 -struct pv_time_ops pv_time_ops = {
12997 +struct pv_time_ops pv_time_ops __read_only = {
12998 .sched_clock = native_sched_clock,
13001 -struct pv_irq_ops pv_irq_ops = {
13002 +struct pv_irq_ops pv_irq_ops __read_only = {
13003 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13004 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13005 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
13006 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13010 -struct pv_cpu_ops pv_cpu_ops = {
13011 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13012 .cpuid = native_cpuid,
13013 .get_debugreg = native_get_debugreg,
13014 .set_debugreg = native_set_debugreg,
13015 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13016 .end_context_switch = paravirt_nop,
13019 -struct pv_apic_ops pv_apic_ops = {
13020 +struct pv_apic_ops pv_apic_ops __read_only = {
13021 #ifdef CONFIG_X86_LOCAL_APIC
13022 .startup_ipi_hook = paravirt_nop,
13024 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13025 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13028 -struct pv_mmu_ops pv_mmu_ops = {
13029 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13031 .read_cr2 = native_read_cr2,
13032 .write_cr2 = native_write_cr2,
13033 @@ -463,6 +463,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13036 .set_fixmap = native_set_fixmap,
13038 +#ifdef CONFIG_PAX_KERNEXEC
13039 + .pax_open_kernel = native_pax_open_kernel,
13040 + .pax_close_kernel = native_pax_close_kernel,
13045 EXPORT_SYMBOL_GPL(pv_time_ops);
13046 diff -urNp linux-2.6.35.4/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.35.4/arch/x86/kernel/paravirt-spinlocks.c
13047 --- linux-2.6.35.4/arch/x86/kernel/paravirt-spinlocks.c 2010-08-26 19:47:12.000000000 -0400
13048 +++ linux-2.6.35.4/arch/x86/kernel/paravirt-spinlocks.c 2010-09-17 20:12:09.000000000 -0400
13049 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
13050 arch_spin_lock(lock);
13053 -struct pv_lock_ops pv_lock_ops = {
13054 +struct pv_lock_ops pv_lock_ops __read_only = {
13056 .spin_is_locked = __ticket_spin_is_locked,
13057 .spin_is_contended = __ticket_spin_is_contended,
13058 diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-calgary_64.c linux-2.6.35.4/arch/x86/kernel/pci-calgary_64.c
13059 --- linux-2.6.35.4/arch/x86/kernel/pci-calgary_64.c 2010-08-26 19:47:12.000000000 -0400
13060 +++ linux-2.6.35.4/arch/x86/kernel/pci-calgary_64.c 2010-09-17 20:12:09.000000000 -0400
13061 @@ -475,7 +475,7 @@ static void calgary_free_coherent(struct
13062 free_pages((unsigned long)vaddr, get_order(size));
13065 -static struct dma_map_ops calgary_dma_ops = {
13066 +static const struct dma_map_ops calgary_dma_ops = {
13067 .alloc_coherent = calgary_alloc_coherent,
13068 .free_coherent = calgary_free_coherent,
13069 .map_sg = calgary_map_sg,
13070 diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-dma.c linux-2.6.35.4/arch/x86/kernel/pci-dma.c
13071 --- linux-2.6.35.4/arch/x86/kernel/pci-dma.c 2010-08-26 19:47:12.000000000 -0400
13072 +++ linux-2.6.35.4/arch/x86/kernel/pci-dma.c 2010-09-17 20:12:09.000000000 -0400
13075 static int forbid_dac __read_mostly;
13077 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
13078 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
13079 EXPORT_SYMBOL(dma_ops);
13081 static int iommu_sac_force __read_mostly;
13082 @@ -248,7 +248,7 @@ early_param("iommu", iommu_setup);
13084 int dma_supported(struct device *dev, u64 mask)
13086 - struct dma_map_ops *ops = get_dma_ops(dev);
13087 + const struct dma_map_ops *ops = get_dma_ops(dev);
13090 if (mask > 0xffffffff && forbid_dac > 0) {
13091 diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-gart_64.c linux-2.6.35.4/arch/x86/kernel/pci-gart_64.c
13092 --- linux-2.6.35.4/arch/x86/kernel/pci-gart_64.c 2010-08-26 19:47:12.000000000 -0400
13093 +++ linux-2.6.35.4/arch/x86/kernel/pci-gart_64.c 2010-09-17 20:12:09.000000000 -0400
13094 @@ -699,7 +699,7 @@ static __init int init_k8_gatt(struct ag
13098 -static struct dma_map_ops gart_dma_ops = {
13099 +static const struct dma_map_ops gart_dma_ops = {
13100 .map_sg = gart_map_sg,
13101 .unmap_sg = gart_unmap_sg,
13102 .map_page = gart_map_page,
13103 diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-nommu.c linux-2.6.35.4/arch/x86/kernel/pci-nommu.c
13104 --- linux-2.6.35.4/arch/x86/kernel/pci-nommu.c 2010-08-26 19:47:12.000000000 -0400
13105 +++ linux-2.6.35.4/arch/x86/kernel/pci-nommu.c 2010-09-17 20:12:09.000000000 -0400
13106 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
13107 flush_write_buffers();
13110 -struct dma_map_ops nommu_dma_ops = {
13111 +const struct dma_map_ops nommu_dma_ops = {
13112 .alloc_coherent = dma_generic_alloc_coherent,
13113 .free_coherent = nommu_free_coherent,
13114 .map_sg = nommu_map_sg,
13115 diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-swiotlb.c linux-2.6.35.4/arch/x86/kernel/pci-swiotlb.c
13116 --- linux-2.6.35.4/arch/x86/kernel/pci-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
13117 +++ linux-2.6.35.4/arch/x86/kernel/pci-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
13118 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
13119 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
13122 -static struct dma_map_ops swiotlb_dma_ops = {
13123 +static const struct dma_map_ops swiotlb_dma_ops = {
13124 .mapping_error = swiotlb_dma_mapping_error,
13125 .alloc_coherent = x86_swiotlb_alloc_coherent,
13126 .free_coherent = swiotlb_free_coherent,
13127 diff -urNp linux-2.6.35.4/arch/x86/kernel/process_32.c linux-2.6.35.4/arch/x86/kernel/process_32.c
13128 --- linux-2.6.35.4/arch/x86/kernel/process_32.c 2010-08-26 19:47:12.000000000 -0400
13129 +++ linux-2.6.35.4/arch/x86/kernel/process_32.c 2010-09-17 20:12:09.000000000 -0400
13130 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
13131 unsigned long thread_saved_pc(struct task_struct *tsk)
13133 return ((unsigned long *)tsk->thread.sp)[3];
13134 +//XXX return tsk->thread.eip;
13138 @@ -126,7 +127,7 @@ void __show_regs(struct pt_regs *regs, i
13140 unsigned short ss, gs;
13142 - if (user_mode_vm(regs)) {
13143 + if (user_mode(regs)) {
13145 ss = regs->ss & 0xffff;
13146 gs = get_user_gs(regs);
13147 @@ -196,7 +197,7 @@ int copy_thread(unsigned long clone_flag
13148 struct task_struct *tsk;
13151 - childregs = task_pt_regs(p);
13152 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
13153 *childregs = *regs;
13155 childregs->sp = sp;
13156 @@ -230,6 +231,7 @@ int copy_thread(unsigned long clone_flag
13157 * Set a new TLS for the child thread?
13159 if (clone_flags & CLONE_SETTLS)
13160 +//XXX needs set_fs()?
13161 err = do_set_thread_area(p, -1,
13162 (struct user_desc __user *)childregs->si, 0);
13164 @@ -293,7 +295,7 @@ __switch_to(struct task_struct *prev_p,
13165 struct thread_struct *prev = &prev_p->thread,
13166 *next = &next_p->thread;
13167 int cpu = smp_processor_id();
13168 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13169 + struct tss_struct *tss = init_tss + cpu;
13172 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
13173 @@ -328,6 +330,11 @@ __switch_to(struct task_struct *prev_p,
13175 lazy_save_gs(prev->gs);
13177 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13178 + if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
13179 + __set_fs(task_thread_info(next_p)->addr_limit, cpu);
13183 * Load the per-thread Thread-Local Storage descriptor.
13185 @@ -404,3 +411,27 @@ unsigned long get_wchan(struct task_stru
13189 +#ifdef CONFIG_PAX_RANDKSTACK
13190 +asmlinkage void pax_randomize_kstack(void)
13192 + struct thread_struct *thread = ¤t->thread;
13193 + unsigned long time;
13195 + if (!randomize_va_space)
13200 + /* P4 seems to return a 0 LSB, ignore it */
13201 +#ifdef CONFIG_MPENTIUM4
13209 + thread->sp0 ^= time;
13210 + load_sp0(init_tss + smp_processor_id(), thread);
13213 diff -urNp linux-2.6.35.4/arch/x86/kernel/process_64.c linux-2.6.35.4/arch/x86/kernel/process_64.c
13214 --- linux-2.6.35.4/arch/x86/kernel/process_64.c 2010-08-26 19:47:12.000000000 -0400
13215 +++ linux-2.6.35.4/arch/x86/kernel/process_64.c 2010-09-17 20:12:09.000000000 -0400
13216 @@ -87,7 +87,7 @@ static void __exit_idle(void)
13217 void exit_idle(void)
13219 /* idle loop has pid 0 */
13220 - if (current->pid)
13221 + if (task_pid_nr(current))
13225 @@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p,
13226 struct thread_struct *prev = &prev_p->thread;
13227 struct thread_struct *next = &next_p->thread;
13228 int cpu = smp_processor_id();
13229 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13230 + struct tss_struct *tss = init_tss + cpu;
13231 unsigned fsindex, gsindex;
13234 @@ -528,12 +528,11 @@ unsigned long get_wchan(struct task_stru
13235 if (!p || p == current || p->state == TASK_RUNNING)
13237 stack = (unsigned long)task_stack_page(p);
13238 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
13239 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
13241 fp = *(u64 *)(p->thread.sp);
13243 - if (fp < (unsigned long)stack ||
13244 - fp >= (unsigned long)stack+THREAD_SIZE)
13245 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
13247 ip = *(u64 *)(fp+8);
13248 if (!in_sched_functions(ip))
13249 diff -urNp linux-2.6.35.4/arch/x86/kernel/process.c linux-2.6.35.4/arch/x86/kernel/process.c
13250 --- linux-2.6.35.4/arch/x86/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
13251 +++ linux-2.6.35.4/arch/x86/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
13252 @@ -73,7 +73,7 @@ void exit_thread(void)
13253 unsigned long *bp = t->io_bitmap_ptr;
13256 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
13257 + struct tss_struct *tss = init_tss + get_cpu();
13259 t->io_bitmap_ptr = NULL;
13260 clear_thread_flag(TIF_IO_BITMAP);
13261 @@ -117,6 +117,9 @@ void flush_thread(void)
13263 struct task_struct *tsk = current;
13265 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
13266 + loadsegment(gs, 0);
13268 flush_ptrace_hw_breakpoint(tsk);
13269 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
13271 @@ -279,8 +282,8 @@ int kernel_thread(int (*fn)(void *), voi
13272 regs.di = (unsigned long) arg;
13274 #ifdef CONFIG_X86_32
13275 - regs.ds = __USER_DS;
13276 - regs.es = __USER_DS;
13277 + regs.ds = __KERNEL_DS;
13278 + regs.es = __KERNEL_DS;
13279 regs.fs = __KERNEL_PERCPU;
13280 regs.gs = __KERNEL_STACK_CANARY;
13282 @@ -689,17 +692,3 @@ static int __init idle_setup(char *str)
13285 early_param("idle", idle_setup);
13287 -unsigned long arch_align_stack(unsigned long sp)
13289 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
13290 - sp -= get_random_int() % 8192;
13291 - return sp & ~0xf;
13294 -unsigned long arch_randomize_brk(struct mm_struct *mm)
13296 - unsigned long range_end = mm->brk + 0x02000000;
13297 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
13300 diff -urNp linux-2.6.35.4/arch/x86/kernel/ptrace.c linux-2.6.35.4/arch/x86/kernel/ptrace.c
13301 --- linux-2.6.35.4/arch/x86/kernel/ptrace.c 2010-08-26 19:47:12.000000000 -0400
13302 +++ linux-2.6.35.4/arch/x86/kernel/ptrace.c 2010-09-17 20:12:09.000000000 -0400
13303 @@ -804,7 +804,7 @@ static const struct user_regset_view use
13304 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
13307 - unsigned long __user *datap = (unsigned long __user *)data;
13308 + unsigned long __user *datap = (__force unsigned long __user *)data;
13311 /* read the word at location addr in the USER area. */
13312 @@ -891,14 +891,14 @@ long arch_ptrace(struct task_struct *chi
13315 ret = do_get_thread_area(child, addr,
13316 - (struct user_desc __user *) data);
13317 + (__force struct user_desc __user *) data);
13320 case PTRACE_SET_THREAD_AREA:
13323 ret = do_set_thread_area(child, addr,
13324 - (struct user_desc __user *) data, 0);
13325 + (__force struct user_desc __user *) data, 0);
13329 @@ -1315,7 +1315,7 @@ static void fill_sigtrap_info(struct tas
13330 memset(info, 0, sizeof(*info));
13331 info->si_signo = SIGTRAP;
13332 info->si_code = si_code;
13333 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
13334 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
13337 void user_single_step_siginfo(struct task_struct *tsk,
13338 diff -urNp linux-2.6.35.4/arch/x86/kernel/reboot.c linux-2.6.35.4/arch/x86/kernel/reboot.c
13339 --- linux-2.6.35.4/arch/x86/kernel/reboot.c 2010-08-26 19:47:12.000000000 -0400
13340 +++ linux-2.6.35.4/arch/x86/kernel/reboot.c 2010-09-17 20:12:09.000000000 -0400
13341 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
13342 EXPORT_SYMBOL(pm_power_off);
13344 static const struct desc_ptr no_idt = {};
13345 -static int reboot_mode;
13346 +static unsigned short reboot_mode;
13347 enum reboot_type reboot_type = BOOT_KBD;
13350 @@ -284,7 +284,7 @@ static struct dmi_system_id __initdata r
13351 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
13355 + { NULL, NULL, {{0, {0}}}, NULL}
13358 static int __init reboot_init(void)
13359 @@ -300,12 +300,12 @@ core_initcall(reboot_init);
13360 controller to pulse the CPU reset line, which is more thorough, but
13361 doesn't work with at least one type of 486 motherboard. It is easy
13362 to stop this code working; hence the copious comments. */
13363 -static const unsigned long long
13364 -real_mode_gdt_entries [3] =
13365 +static struct desc_struct
13366 +real_mode_gdt_entries [3] __read_only =
13368 - 0x0000000000000000ULL, /* Null descriptor */
13369 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
13370 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
13371 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
13372 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
13373 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
13376 static const struct desc_ptr
13377 @@ -354,7 +354,7 @@ static const unsigned char jump_to_bios
13378 * specified by the code and length parameters.
13379 * We assume that length will aways be less that 100!
13381 -void machine_real_restart(const unsigned char *code, int length)
13382 +void machine_real_restart(const unsigned char *code, unsigned int length)
13384 local_irq_disable();
13386 @@ -374,8 +374,8 @@ void machine_real_restart(const unsigned
13387 /* Remap the kernel at virtual address zero, as well as offset zero
13388 from the kernel segment. This assumes the kernel segment starts at
13389 virtual address PAGE_OFFSET. */
13390 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13391 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
13392 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13393 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
13396 * Use `swapper_pg_dir' as our page directory.
13397 @@ -387,16 +387,15 @@ void machine_real_restart(const unsigned
13398 boot)". This seems like a fairly standard thing that gets set by
13399 REBOOT.COM programs, and the previous reset routine did this
13401 - *((unsigned short *)0x472) = reboot_mode;
13402 + *(unsigned short *)(__va(0x472)) = reboot_mode;
13404 /* For the switch to real mode, copy some code to low memory. It has
13405 to be in the first 64k because it is running in 16-bit mode, and it
13406 has to have the same physical and virtual address, because it turns
13407 off paging. Copy it near the end of the first page, out of the way
13408 of BIOS variables. */
13409 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
13410 - real_mode_switch, sizeof (real_mode_switch));
13411 - memcpy((void *)(0x1000 - 100), code, length);
13412 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
13413 + memcpy(__va(0x1000 - 100), code, length);
13415 /* Set up the IDT for real mode. */
13416 load_idt(&real_mode_idt);
13417 diff -urNp linux-2.6.35.4/arch/x86/kernel/setup.c linux-2.6.35.4/arch/x86/kernel/setup.c
13418 --- linux-2.6.35.4/arch/x86/kernel/setup.c 2010-08-26 19:47:12.000000000 -0400
13419 +++ linux-2.6.35.4/arch/x86/kernel/setup.c 2010-09-17 20:12:09.000000000 -0400
13420 @@ -704,7 +704,7 @@ static void __init trim_bios_range(void)
13421 * area (640->1Mb) as ram even though it is not.
13424 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
13425 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
13426 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
13429 @@ -791,14 +791,14 @@ void __init setup_arch(char **cmdline_p)
13431 if (!boot_params.hdr.root_flags)
13432 root_mountflags &= ~MS_RDONLY;
13433 - init_mm.start_code = (unsigned long) _text;
13434 - init_mm.end_code = (unsigned long) _etext;
13435 + init_mm.start_code = ktla_ktva((unsigned long) _text);
13436 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
13437 init_mm.end_data = (unsigned long) _edata;
13438 init_mm.brk = _brk_end;
13440 - code_resource.start = virt_to_phys(_text);
13441 - code_resource.end = virt_to_phys(_etext)-1;
13442 - data_resource.start = virt_to_phys(_etext);
13443 + code_resource.start = virt_to_phys(ktla_ktva(_text));
13444 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
13445 + data_resource.start = virt_to_phys(_sdata);
13446 data_resource.end = virt_to_phys(_edata)-1;
13447 bss_resource.start = virt_to_phys(&__bss_start);
13448 bss_resource.end = virt_to_phys(&__bss_stop)-1;
13449 diff -urNp linux-2.6.35.4/arch/x86/kernel/setup_percpu.c linux-2.6.35.4/arch/x86/kernel/setup_percpu.c
13450 --- linux-2.6.35.4/arch/x86/kernel/setup_percpu.c 2010-08-26 19:47:12.000000000 -0400
13451 +++ linux-2.6.35.4/arch/x86/kernel/setup_percpu.c 2010-09-17 20:12:09.000000000 -0400
13452 @@ -21,19 +21,17 @@
13453 #include <asm/cpu.h>
13454 #include <asm/stackprotector.h>
13457 DEFINE_PER_CPU(int, cpu_number);
13458 EXPORT_PER_CPU_SYMBOL(cpu_number);
13461 -#ifdef CONFIG_X86_64
13462 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
13464 -#define BOOT_PERCPU_OFFSET 0
13467 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
13468 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
13470 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
13471 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
13472 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
13474 EXPORT_SYMBOL(__per_cpu_offset);
13475 @@ -161,10 +159,10 @@ static inline void setup_percpu_segment(
13477 #ifdef CONFIG_X86_32
13478 struct desc_struct gdt;
13479 + unsigned long base = per_cpu_offset(cpu);
13481 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
13482 - 0x2 | DESCTYPE_S, 0x8);
13484 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
13485 + 0x83 | DESCTYPE_S, 0xC);
13486 write_gdt_entry(get_cpu_gdt_table(cpu),
13487 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
13489 @@ -213,6 +211,11 @@ void __init setup_per_cpu_areas(void)
13490 /* alrighty, percpu areas up and running */
13491 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
13492 for_each_possible_cpu(cpu) {
13493 +#ifdef CONFIG_CC_STACKPROTECTOR
13494 +#ifdef CONFIG_x86_32
13495 + unsigned long canary = per_cpu(stack_canary, cpu);
13498 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
13499 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
13500 per_cpu(cpu_number, cpu) = cpu;
13501 @@ -249,6 +252,12 @@ void __init setup_per_cpu_areas(void)
13502 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
13505 +#ifdef CONFIG_CC_STACKPROTECTOR
13506 +#ifdef CONFIG_x86_32
13507 + if (cpu == boot_cpu_id)
13508 + per_cpu(stack_canary, cpu) = canary;
13512 * Up to this point, the boot CPU has been using .init.data
13513 * area. Reload any changed state for the boot CPU.
13514 diff -urNp linux-2.6.35.4/arch/x86/kernel/signal.c linux-2.6.35.4/arch/x86/kernel/signal.c
13515 --- linux-2.6.35.4/arch/x86/kernel/signal.c 2010-08-26 19:47:12.000000000 -0400
13516 +++ linux-2.6.35.4/arch/x86/kernel/signal.c 2010-09-17 20:12:09.000000000 -0400
13517 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
13518 * Align the stack pointer according to the i386 ABI,
13519 * i.e. so that on function entry ((sp + 4) & 15) == 0.
13521 - sp = ((sp + 4) & -16ul) - 4;
13522 + sp = ((sp - 12) & -16ul) - 4;
13523 #else /* !CONFIG_X86_32 */
13524 sp = round_down(sp, 16) - 8;
13526 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
13527 * Return an always-bogus address instead so we will die with SIGSEGV.
13529 if (onsigstack && !likely(on_sig_stack(sp)))
13530 - return (void __user *)-1L;
13531 + return (__force void __user *)-1L;
13533 /* save i387 state */
13534 if (used_math() && save_i387_xstate(*fpstate) < 0)
13535 - return (void __user *)-1L;
13536 + return (__force void __user *)-1L;
13538 return (void __user *)sp;
13540 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
13543 if (current->mm->context.vdso)
13544 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13545 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13547 - restorer = &frame->retcode;
13548 + restorer = (void __user *)&frame->retcode;
13549 if (ka->sa.sa_flags & SA_RESTORER)
13550 restorer = ka->sa.sa_restorer;
13552 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
13553 * reasons and because gdb uses it as a signature to notice
13554 * signal handler stack frames.
13556 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
13557 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
13561 @@ -378,7 +378,7 @@ static int __setup_rt_frame(int sig, str
13562 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
13564 /* Set up to return from userspace. */
13565 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13566 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13567 if (ka->sa.sa_flags & SA_RESTORER)
13568 restorer = ka->sa.sa_restorer;
13569 put_user_ex(restorer, &frame->pretcode);
13570 @@ -390,7 +390,7 @@ static int __setup_rt_frame(int sig, str
13571 * reasons and because gdb uses it as a signature to notice
13572 * signal handler stack frames.
13574 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
13575 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
13576 } put_user_catch(err);
13579 @@ -780,7 +780,7 @@ static void do_signal(struct pt_regs *re
13580 * X86_32: vm86 regs switched out by assembly code before reaching
13581 * here, so testing against kernel CS suffices.
13583 - if (!user_mode(regs))
13584 + if (!user_mode_novm(regs))
13587 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
13588 diff -urNp linux-2.6.35.4/arch/x86/kernel/smpboot.c linux-2.6.35.4/arch/x86/kernel/smpboot.c
13589 --- linux-2.6.35.4/arch/x86/kernel/smpboot.c 2010-08-26 19:47:12.000000000 -0400
13590 +++ linux-2.6.35.4/arch/x86/kernel/smpboot.c 2010-09-17 20:12:09.000000000 -0400
13591 @@ -780,7 +780,11 @@ do_rest:
13592 (unsigned long)task_stack_page(c_idle.idle) -
13593 KERNEL_STACK_OFFSET + THREAD_SIZE;
13596 + pax_open_kernel();
13597 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13598 + pax_close_kernel();
13600 initial_code = (unsigned long)start_secondary;
13601 stack_start.sp = (void *) c_idle.idle->thread.sp;
13603 @@ -920,6 +924,12 @@ int __cpuinit native_cpu_up(unsigned int
13605 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
13607 +#ifdef CONFIG_PAX_PER_CPU_PGD
13608 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
13609 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13610 + KERNEL_PGD_PTRS);
13613 #ifdef CONFIG_X86_32
13614 /* init low mem mapping */
13615 clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13616 diff -urNp linux-2.6.35.4/arch/x86/kernel/step.c linux-2.6.35.4/arch/x86/kernel/step.c
13617 --- linux-2.6.35.4/arch/x86/kernel/step.c 2010-08-26 19:47:12.000000000 -0400
13618 +++ linux-2.6.35.4/arch/x86/kernel/step.c 2010-09-17 20:12:09.000000000 -0400
13619 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
13620 struct desc_struct *desc;
13621 unsigned long base;
13626 mutex_lock(&child->mm->context.lock);
13627 - if (unlikely((seg >> 3) >= child->mm->context.size))
13628 + if (unlikely(seg >= child->mm->context.size))
13629 addr = -1L; /* bogus selector, access would fault */
13631 desc = child->mm->context.ldt + seg;
13632 @@ -53,6 +53,9 @@ static int is_setting_trap_flag(struct t
13633 unsigned char opcode[15];
13634 unsigned long addr = convert_ip_to_linear(child, regs);
13636 + if (addr == -EINVAL)
13639 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
13640 for (i = 0; i < copied; i++) {
13641 switch (opcode[i]) {
13642 @@ -74,7 +77,7 @@ static int is_setting_trap_flag(struct t
13644 #ifdef CONFIG_X86_64
13645 case 0x40 ... 0x4f:
13646 - if (regs->cs != __USER_CS)
13647 + if ((regs->cs & 0xffff) != __USER_CS)
13648 /* 32-bit mode: register increment */
13650 /* 64-bit mode: REX prefix */
13651 diff -urNp linux-2.6.35.4/arch/x86/kernel/syscall_table_32.S linux-2.6.35.4/arch/x86/kernel/syscall_table_32.S
13652 --- linux-2.6.35.4/arch/x86/kernel/syscall_table_32.S 2010-08-26 19:47:12.000000000 -0400
13653 +++ linux-2.6.35.4/arch/x86/kernel/syscall_table_32.S 2010-09-17 20:12:09.000000000 -0400
13655 +.section .rodata,"a",@progbits
13656 ENTRY(sys_call_table)
13657 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
13659 diff -urNp linux-2.6.35.4/arch/x86/kernel/sys_i386_32.c linux-2.6.35.4/arch/x86/kernel/sys_i386_32.c
13660 --- linux-2.6.35.4/arch/x86/kernel/sys_i386_32.c 2010-08-26 19:47:12.000000000 -0400
13661 +++ linux-2.6.35.4/arch/x86/kernel/sys_i386_32.c 2010-09-17 20:12:09.000000000 -0400
13662 @@ -24,6 +24,224 @@
13664 #include <asm/syscalls.h>
13666 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
13668 + unsigned long pax_task_size = TASK_SIZE;
13670 +#ifdef CONFIG_PAX_SEGMEXEC
13671 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
13672 + pax_task_size = SEGMEXEC_TASK_SIZE;
13675 + if (len > pax_task_size || addr > pax_task_size - len)
13682 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
13683 + unsigned long len, unsigned long pgoff, unsigned long flags)
13685 + struct mm_struct *mm = current->mm;
13686 + struct vm_area_struct *vma;
13687 + unsigned long start_addr, pax_task_size = TASK_SIZE;
13689 +#ifdef CONFIG_PAX_SEGMEXEC
13690 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
13691 + pax_task_size = SEGMEXEC_TASK_SIZE;
13694 + if (len > pax_task_size)
13697 + if (flags & MAP_FIXED)
13700 +#ifdef CONFIG_PAX_RANDMMAP
13701 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13705 + addr = PAGE_ALIGN(addr);
13706 + if (pax_task_size - len >= addr) {
13707 + vma = find_vma(mm, addr);
13708 + if (check_heap_stack_gap(vma, addr, len))
13712 + if (len > mm->cached_hole_size) {
13713 + start_addr = addr = mm->free_area_cache;
13715 + start_addr = addr = mm->mmap_base;
13716 + mm->cached_hole_size = 0;
13719 +#ifdef CONFIG_PAX_PAGEEXEC
13720 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
13721 + start_addr = 0x00110000UL;
13723 +#ifdef CONFIG_PAX_RANDMMAP
13724 + if (mm->pax_flags & MF_PAX_RANDMMAP)
13725 + start_addr += mm->delta_mmap & 0x03FFF000UL;
13728 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
13729 + start_addr = addr = mm->mmap_base;
13731 + addr = start_addr;
13736 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
13737 + /* At this point: (!vma || addr < vma->vm_end). */
13738 + if (pax_task_size - len < addr) {
13740 + * Start a new search - just in case we missed
13743 + if (start_addr != mm->mmap_base) {
13744 + start_addr = addr = mm->mmap_base;
13745 + mm->cached_hole_size = 0;
13746 + goto full_search;
13750 + if (check_heap_stack_gap(vma, addr, len))
13752 + if (addr + mm->cached_hole_size < vma->vm_start)
13753 + mm->cached_hole_size = vma->vm_start - addr;
13754 + addr = vma->vm_end;
13755 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
13756 + start_addr = addr = mm->mmap_base;
13757 + mm->cached_hole_size = 0;
13758 + goto full_search;
13763 + * Remember the place where we stopped the search:
13765 + mm->free_area_cache = addr + len;
13770 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
13771 + const unsigned long len, const unsigned long pgoff,
13772 + const unsigned long flags)
13774 + struct vm_area_struct *vma;
13775 + struct mm_struct *mm = current->mm;
13776 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
13778 +#ifdef CONFIG_PAX_SEGMEXEC
13779 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
13780 + pax_task_size = SEGMEXEC_TASK_SIZE;
13783 + /* requested length too big for entire address space */
13784 + if (len > pax_task_size)
13787 + if (flags & MAP_FIXED)
13790 +#ifdef CONFIG_PAX_PAGEEXEC
13791 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
13795 +#ifdef CONFIG_PAX_RANDMMAP
13796 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13799 + /* requesting a specific address */
13801 + addr = PAGE_ALIGN(addr);
13802 + if (pax_task_size - len >= addr) {
13803 + vma = find_vma(mm, addr);
13804 + if (check_heap_stack_gap(vma, addr, len))
13809 + /* check if free_area_cache is useful for us */
13810 + if (len <= mm->cached_hole_size) {
13811 + mm->cached_hole_size = 0;
13812 + mm->free_area_cache = mm->mmap_base;
13815 + /* either no address requested or can't fit in requested address hole */
13816 + addr = mm->free_area_cache;
13818 + /* make sure it can fit in the remaining address space */
13819 + if (addr > len) {
13820 + vma = find_vma(mm, addr-len);
13821 + if (check_heap_stack_gap(vma, addr - len, len))
13822 + /* remember the address as a hint for next time */
13823 + return (mm->free_area_cache = addr-len);
13826 + if (mm->mmap_base < len)
13829 + addr = mm->mmap_base-len;
13833 + * Lookup failure means no vma is above this address,
13834 + * else if new region fits below vma->vm_start,
13835 + * return with success:
13837 + vma = find_vma(mm, addr);
13838 + if (check_heap_stack_gap(vma, addr, len))
13839 + /* remember the address as a hint for next time */
13840 + return (mm->free_area_cache = addr);
13842 + /* remember the largest hole we saw so far */
13843 + if (addr + mm->cached_hole_size < vma->vm_start)
13844 + mm->cached_hole_size = vma->vm_start - addr;
13846 + /* try just below the current vma->vm_start */
13847 + addr = vma->vm_start-len;
13848 + } while (len < vma->vm_start);
13852 + * A failed mmap() very likely causes application failure,
13853 + * so fall back to the bottom-up function here. This scenario
13854 + * can happen with large stack limits and large mmap()
13858 +#ifdef CONFIG_PAX_SEGMEXEC
13859 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
13860 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
13864 + mm->mmap_base = TASK_UNMAPPED_BASE;
13866 +#ifdef CONFIG_PAX_RANDMMAP
13867 + if (mm->pax_flags & MF_PAX_RANDMMAP)
13868 + mm->mmap_base += mm->delta_mmap;
13871 + mm->free_area_cache = mm->mmap_base;
13872 + mm->cached_hole_size = ~0UL;
13873 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
13875 + * Restore the topdown base:
13877 + mm->mmap_base = base;
13878 + mm->free_area_cache = base;
13879 + mm->cached_hole_size = ~0UL;
13885 * Do a system call from kernel instead of calling sys_execve so we
13886 * end up with proper pt_regs.
13887 diff -urNp linux-2.6.35.4/arch/x86/kernel/sys_x86_64.c linux-2.6.35.4/arch/x86/kernel/sys_x86_64.c
13888 --- linux-2.6.35.4/arch/x86/kernel/sys_x86_64.c 2010-08-26 19:47:12.000000000 -0400
13889 +++ linux-2.6.35.4/arch/x86/kernel/sys_x86_64.c 2010-09-17 20:12:09.000000000 -0400
13890 @@ -32,8 +32,8 @@ out:
13894 -static void find_start_end(unsigned long flags, unsigned long *begin,
13895 - unsigned long *end)
13896 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
13897 + unsigned long *begin, unsigned long *end)
13899 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
13900 unsigned long new_begin;
13901 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
13902 *begin = new_begin;
13905 - *begin = TASK_UNMAPPED_BASE;
13906 + *begin = mm->mmap_base;
13910 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
13911 if (flags & MAP_FIXED)
13914 - find_start_end(flags, &begin, &end);
13915 + find_start_end(mm, flags, &begin, &end);
13920 +#ifdef CONFIG_PAX_RANDMMAP
13921 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13925 addr = PAGE_ALIGN(addr);
13926 vma = find_vma(mm, addr);
13927 - if (end - len >= addr &&
13928 - (!vma || addr + len <= vma->vm_start))
13929 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
13932 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
13933 @@ -106,7 +109,7 @@ full_search:
13937 - if (!vma || addr + len <= vma->vm_start) {
13938 + if (check_heap_stack_gap(vma, addr, len)) {
13940 * Remember the place where we stopped the search:
13942 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
13944 struct vm_area_struct *vma;
13945 struct mm_struct *mm = current->mm;
13946 - unsigned long addr = addr0;
13947 + unsigned long base = mm->mmap_base, addr = addr0;
13949 /* requested length too big for entire address space */
13950 if (len > TASK_SIZE)
13951 @@ -141,12 +144,15 @@ arch_get_unmapped_area_topdown(struct fi
13952 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
13955 +#ifdef CONFIG_PAX_RANDMMAP
13956 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13959 /* requesting a specific address */
13961 addr = PAGE_ALIGN(addr);
13962 vma = find_vma(mm, addr);
13963 - if (TASK_SIZE - len >= addr &&
13964 - (!vma || addr + len <= vma->vm_start))
13965 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
13969 @@ -162,7 +168,7 @@ arch_get_unmapped_area_topdown(struct fi
13970 /* make sure it can fit in the remaining address space */
13972 vma = find_vma(mm, addr-len);
13973 - if (!vma || addr <= vma->vm_start)
13974 + if (check_heap_stack_gap(vma, addr - len, len))
13975 /* remember the address as a hint for next time */
13976 return mm->free_area_cache = addr-len;
13978 @@ -179,7 +185,7 @@ arch_get_unmapped_area_topdown(struct fi
13979 * return with success:
13981 vma = find_vma(mm, addr);
13982 - if (!vma || addr+len <= vma->vm_start)
13983 + if (check_heap_stack_gap(vma, addr, len))
13984 /* remember the address as a hint for next time */
13985 return mm->free_area_cache = addr;
13987 @@ -198,13 +204,21 @@ bottomup:
13988 * can happen with large stack limits and large mmap()
13991 + mm->mmap_base = TASK_UNMAPPED_BASE;
13993 +#ifdef CONFIG_PAX_RANDMMAP
13994 + if (mm->pax_flags & MF_PAX_RANDMMAP)
13995 + mm->mmap_base += mm->delta_mmap;
13998 + mm->free_area_cache = mm->mmap_base;
13999 mm->cached_hole_size = ~0UL;
14000 - mm->free_area_cache = TASK_UNMAPPED_BASE;
14001 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14003 * Restore the topdown base:
14005 - mm->free_area_cache = mm->mmap_base;
14006 + mm->mmap_base = base;
14007 + mm->free_area_cache = base;
14008 mm->cached_hole_size = ~0UL;
14011 diff -urNp linux-2.6.35.4/arch/x86/kernel/time.c linux-2.6.35.4/arch/x86/kernel/time.c
14012 --- linux-2.6.35.4/arch/x86/kernel/time.c 2010-08-26 19:47:12.000000000 -0400
14013 +++ linux-2.6.35.4/arch/x86/kernel/time.c 2010-09-17 20:12:09.000000000 -0400
14014 @@ -26,17 +26,13 @@
14018 -#ifdef CONFIG_X86_64
14019 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
14022 unsigned long profile_pc(struct pt_regs *regs)
14024 unsigned long pc = instruction_pointer(regs);
14026 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
14027 + if (!user_mode(regs) && in_lock_functions(pc)) {
14028 #ifdef CONFIG_FRAME_POINTER
14029 - return *(unsigned long *)(regs->bp + sizeof(long));
14030 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
14032 unsigned long *sp =
14033 (unsigned long *)kernel_stack_pointer(regs);
14034 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
14035 * or above a saved flags. Eflags has bits 22-31 zero,
14036 * kernel addresses don't.
14039 +#ifdef CONFIG_PAX_KERNEXEC
14040 + return ktla_ktva(sp[0]);
14052 diff -urNp linux-2.6.35.4/arch/x86/kernel/tls.c linux-2.6.35.4/arch/x86/kernel/tls.c
14053 --- linux-2.6.35.4/arch/x86/kernel/tls.c 2010-08-26 19:47:12.000000000 -0400
14054 +++ linux-2.6.35.4/arch/x86/kernel/tls.c 2010-09-17 20:12:09.000000000 -0400
14055 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
14056 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
14059 +#ifdef CONFIG_PAX_SEGMEXEC
14060 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
14064 set_tls_desc(p, idx, &info, 1);
14067 diff -urNp linux-2.6.35.4/arch/x86/kernel/trampoline_32.S linux-2.6.35.4/arch/x86/kernel/trampoline_32.S
14068 --- linux-2.6.35.4/arch/x86/kernel/trampoline_32.S 2010-08-26 19:47:12.000000000 -0400
14069 +++ linux-2.6.35.4/arch/x86/kernel/trampoline_32.S 2010-09-17 20:12:09.000000000 -0400
14071 #include <asm/segment.h>
14072 #include <asm/page_types.h>
14074 +#ifdef CONFIG_PAX_KERNEXEC
14077 +#define ta(X) ((X) - __PAGE_OFFSET)
14080 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
14083 @@ -60,7 +66,7 @@ r_base = .
14084 inc %ax # protected mode (PE) bit
14085 lmsw %ax # into protected mode
14086 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
14087 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
14088 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
14090 # These need to be in the same 64K segment as the above;
14091 # hence we don't use the boot_gdt_descr defined in head.S
14092 diff -urNp linux-2.6.35.4/arch/x86/kernel/traps.c linux-2.6.35.4/arch/x86/kernel/traps.c
14093 --- linux-2.6.35.4/arch/x86/kernel/traps.c 2010-08-26 19:47:12.000000000 -0400
14094 +++ linux-2.6.35.4/arch/x86/kernel/traps.c 2010-09-17 20:12:09.000000000 -0400
14095 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
14097 /* Do we ignore FPU interrupts ? */
14098 char ignore_fpu_irq;
14101 - * The IDT has to be page-aligned to simplify the Pentium
14102 - * F0 0F bug workaround.
14104 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
14107 DECLARE_BITMAP(used_vectors, NR_VECTORS);
14108 @@ -110,13 +104,13 @@ static inline void preempt_conditional_c
14111 static void __kprobes
14112 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
14113 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
14114 long error_code, siginfo_t *info)
14116 struct task_struct *tsk = current;
14118 #ifdef CONFIG_X86_32
14119 - if (regs->flags & X86_VM_MASK) {
14120 + if (v8086_mode(regs)) {
14122 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
14123 * On nmi (interrupt 2), do_trap should not be called.
14124 @@ -127,7 +121,7 @@ do_trap(int trapnr, int signr, char *str
14128 - if (!user_mode(regs))
14129 + if (!user_mode_novm(regs))
14132 #ifdef CONFIG_X86_32
14133 @@ -150,7 +144,7 @@ trap_signal:
14134 printk_ratelimit()) {
14136 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
14137 - tsk->comm, tsk->pid, str,
14138 + tsk->comm, task_pid_nr(tsk), str,
14139 regs->ip, regs->sp, error_code);
14140 print_vma_addr(" in ", regs->ip);
14142 @@ -167,8 +161,20 @@ kernel_trap:
14143 if (!fixup_exception(regs)) {
14144 tsk->thread.error_code = error_code;
14145 tsk->thread.trap_no = trapnr;
14147 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14148 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
14149 + str = "PAX: suspicious stack segment fault";
14152 die(str, regs, error_code);
14155 +#ifdef CONFIG_PAX_REFCOUNT
14157 + pax_report_refcount_overflow(regs);
14162 #ifdef CONFIG_X86_32
14163 @@ -257,14 +263,30 @@ do_general_protection(struct pt_regs *re
14164 conditional_sti(regs);
14166 #ifdef CONFIG_X86_32
14167 - if (regs->flags & X86_VM_MASK)
14168 + if (v8086_mode(regs))
14173 - if (!user_mode(regs))
14174 + if (!user_mode_novm(regs))
14177 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14178 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
14179 + struct mm_struct *mm = tsk->mm;
14180 + unsigned long limit;
14182 + down_write(&mm->mmap_sem);
14183 + limit = mm->context.user_cs_limit;
14184 + if (limit < TASK_SIZE) {
14185 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
14186 + up_write(&mm->mmap_sem);
14189 + up_write(&mm->mmap_sem);
14193 tsk->thread.error_code = error_code;
14194 tsk->thread.trap_no = 13;
14196 @@ -297,6 +319,13 @@ gp_in_kernel:
14197 if (notify_die(DIE_GPF, "general protection fault", regs,
14198 error_code, 13, SIGSEGV) == NOTIFY_STOP)
14201 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14202 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
14203 + die("PAX: suspicious general protection fault", regs, error_code);
14207 die("general protection fault", regs, error_code);
14210 @@ -565,7 +594,7 @@ dotraplinkage void __kprobes do_debug(st
14211 /* It's safe to allow irq's after DR6 has been saved */
14212 preempt_conditional_sti(regs);
14214 - if (regs->flags & X86_VM_MASK) {
14215 + if (v8086_mode(regs)) {
14216 handle_vm86_trap((struct kernel_vm86_regs *) regs,
14219 @@ -578,7 +607,7 @@ dotraplinkage void __kprobes do_debug(st
14220 * We already checked v86 mode above, so we can check for kernel mode
14221 * by just checking the CPL of CS.
14223 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
14224 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
14225 tsk->thread.debugreg6 &= ~DR_STEP;
14226 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
14227 regs->flags &= ~X86_EFLAGS_TF;
14228 @@ -607,7 +636,7 @@ void math_error(struct pt_regs *regs, in
14230 conditional_sti(regs);
14232 - if (!user_mode_vm(regs))
14233 + if (!user_mode(regs))
14235 if (!fixup_exception(regs)) {
14236 task->thread.error_code = error_code;
14237 diff -urNp linux-2.6.35.4/arch/x86/kernel/tsc.c linux-2.6.35.4/arch/x86/kernel/tsc.c
14238 --- linux-2.6.35.4/arch/x86/kernel/tsc.c 2010-08-26 19:47:12.000000000 -0400
14239 +++ linux-2.6.35.4/arch/x86/kernel/tsc.c 2010-09-17 20:12:09.000000000 -0400
14240 @@ -795,7 +795,7 @@ static struct dmi_system_id __initdata b
14241 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
14245 + { NULL, NULL, {{0, {0}}}, NULL}
14248 static void __init check_system_tsc_reliable(void)
14249 diff -urNp linux-2.6.35.4/arch/x86/kernel/vm86_32.c linux-2.6.35.4/arch/x86/kernel/vm86_32.c
14250 --- linux-2.6.35.4/arch/x86/kernel/vm86_32.c 2010-08-26 19:47:12.000000000 -0400
14251 +++ linux-2.6.35.4/arch/x86/kernel/vm86_32.c 2010-09-17 20:12:37.000000000 -0400
14253 #include <linux/ptrace.h>
14254 #include <linux/audit.h>
14255 #include <linux/stddef.h>
14256 +#include <linux/grsecurity.h>
14258 #include <asm/uaccess.h>
14259 #include <asm/io.h>
14260 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
14264 - tss = &per_cpu(init_tss, get_cpu());
14265 + tss = init_tss + get_cpu();
14266 current->thread.sp0 = current->thread.saved_sp0;
14267 current->thread.sysenter_cs = __KERNEL_CS;
14268 load_sp0(tss, ¤t->thread);
14269 @@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
14270 struct task_struct *tsk;
14271 int tmp, ret = -EPERM;
14273 +#ifdef CONFIG_GRKERNSEC_VM86
14274 + if (!capable(CAP_SYS_RAWIO)) {
14275 + gr_handle_vm86();
14281 if (tsk->thread.saved_sp0)
14283 @@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
14285 struct vm86plus_struct __user *v86;
14287 +#ifdef CONFIG_GRKERNSEC_VM86
14288 + if (!capable(CAP_SYS_RAWIO)) {
14289 + gr_handle_vm86();
14297 case VM86_REQUEST_IRQ:
14298 @@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
14299 tsk->thread.saved_fs = info->regs32->fs;
14300 tsk->thread.saved_gs = get_user_gs(info->regs32);
14302 - tss = &per_cpu(init_tss, get_cpu());
14303 + tss = init_tss + get_cpu();
14304 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
14306 tsk->thread.sysenter_cs = 0;
14307 @@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
14308 goto cannot_handle;
14309 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
14310 goto cannot_handle;
14311 - intr_ptr = (unsigned long __user *) (i << 2);
14312 + intr_ptr = (__force unsigned long __user *) (i << 2);
14313 if (get_user(segoffs, intr_ptr))
14314 goto cannot_handle;
14315 if ((segoffs >> 16) == BIOSSEG)
14316 diff -urNp linux-2.6.35.4/arch/x86/kernel/vmi_32.c linux-2.6.35.4/arch/x86/kernel/vmi_32.c
14317 --- linux-2.6.35.4/arch/x86/kernel/vmi_32.c 2010-08-26 19:47:12.000000000 -0400
14318 +++ linux-2.6.35.4/arch/x86/kernel/vmi_32.c 2010-09-17 20:12:09.000000000 -0400
14319 @@ -46,12 +46,17 @@ typedef u32 __attribute__((regparm(1)))
14320 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
14322 #define call_vrom_func(rom,func) \
14323 - (((VROMFUNC *)(rom->func))())
14324 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
14326 #define call_vrom_long_func(rom,func,arg) \
14327 - (((VROMLONGFUNC *)(rom->func)) (arg))
14329 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
14330 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
14331 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
14335 -static struct vrom_header *vmi_rom;
14336 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
14337 static int disable_pge;
14338 static int disable_pse;
14339 static int disable_sep;
14340 @@ -78,10 +83,10 @@ static struct {
14341 void (*set_initial_ap_state)(int, int);
14342 void (*halt)(void);
14343 void (*set_lazy_mode)(int mode);
14345 +} vmi_ops __read_only;
14347 /* Cached VMI operations */
14348 -struct vmi_timer_ops vmi_timer_ops;
14349 +struct vmi_timer_ops vmi_timer_ops __read_only;
14352 * VMI patching routines.
14353 @@ -96,7 +101,7 @@ struct vmi_timer_ops vmi_timer_ops;
14354 static inline void patch_offset(void *insnbuf,
14355 unsigned long ip, unsigned long dest)
14357 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
14358 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
14361 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
14362 @@ -104,6 +109,7 @@ static unsigned patch_internal(int call,
14365 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
14367 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
14368 switch(rel->type) {
14369 case VMI_RELOCATION_CALL_REL:
14370 @@ -382,13 +388,13 @@ static void vmi_set_pud(pud_t *pudp, pud
14372 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
14374 - const pte_t pte = { .pte = 0 };
14375 + const pte_t pte = __pte(0ULL);
14376 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
14379 static void vmi_pmd_clear(pmd_t *pmd)
14381 - const pte_t pte = { .pte = 0 };
14382 + const pte_t pte = __pte(0ULL);
14383 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
14386 @@ -416,8 +422,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
14387 ap.ss = __KERNEL_DS;
14388 ap.esp = (unsigned long) start_esp;
14390 - ap.ds = __USER_DS;
14391 - ap.es = __USER_DS;
14392 + ap.ds = __KERNEL_DS;
14393 + ap.es = __KERNEL_DS;
14394 ap.fs = __KERNEL_PERCPU;
14395 ap.gs = __KERNEL_STACK_CANARY;
14397 @@ -464,6 +470,18 @@ static void vmi_leave_lazy_mmu(void)
14398 paravirt_leave_lazy_mmu();
14401 +#ifdef CONFIG_PAX_KERNEXEC
14402 +static unsigned long vmi_pax_open_kernel(void)
14407 +static unsigned long vmi_pax_close_kernel(void)
14413 static inline int __init check_vmi_rom(struct vrom_header *rom)
14415 struct pci_header *pci;
14416 @@ -476,6 +494,10 @@ static inline int __init check_vmi_rom(s
14418 if (rom->vrom_signature != VMI_SIGNATURE)
14420 + if (rom->rom_length * 512 > sizeof(*rom)) {
14421 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
14424 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
14425 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
14426 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
14427 @@ -540,7 +562,7 @@ static inline int __init probe_vmi_rom(v
14428 struct vrom_header *romstart;
14429 romstart = (struct vrom_header *)isa_bus_to_virt(base);
14430 if (check_vmi_rom(romstart)) {
14431 - vmi_rom = romstart;
14432 + vmi_rom = *romstart;
14436 @@ -816,6 +838,11 @@ static inline int __init activate_vmi(vo
14438 para_fill(pv_irq_ops.safe_halt, Halt);
14440 +#ifdef CONFIG_PAX_KERNEXEC
14441 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
14442 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
14446 * Alternative instruction rewriting doesn't happen soon enough
14447 * to convert VMI_IRET to a call instead of a jump; so we have
14448 @@ -833,16 +860,16 @@ static inline int __init activate_vmi(vo
14450 void __init vmi_init(void)
14453 + if (!vmi_rom.rom_signature)
14456 - check_vmi_rom(vmi_rom);
14457 + check_vmi_rom(&vmi_rom);
14459 /* In case probing for or validating the ROM failed, basil */
14461 + if (!vmi_rom.rom_signature)
14464 - reserve_top_address(-vmi_rom->virtual_top);
14465 + reserve_top_address(-vmi_rom.virtual_top);
14467 #ifdef CONFIG_X86_IO_APIC
14468 /* This is virtual hardware; timer routing is wired correctly */
14469 @@ -854,7 +881,7 @@ void __init vmi_activate(void)
14471 unsigned long flags;
14474 + if (!vmi_rom.rom_signature)
14477 local_irq_save(flags);
14478 diff -urNp linux-2.6.35.4/arch/x86/kernel/vmlinux.lds.S linux-2.6.35.4/arch/x86/kernel/vmlinux.lds.S
14479 --- linux-2.6.35.4/arch/x86/kernel/vmlinux.lds.S 2010-08-26 19:47:12.000000000 -0400
14480 +++ linux-2.6.35.4/arch/x86/kernel/vmlinux.lds.S 2010-09-17 20:12:09.000000000 -0400
14482 #include <asm/page_types.h>
14483 #include <asm/cache.h>
14484 #include <asm/boot.h>
14485 +#include <asm/segment.h>
14487 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14488 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
14490 +#define __KERNEL_TEXT_OFFSET 0
14493 #undef i386 /* in case the preprocessor is a 32bit one */
14495 @@ -34,13 +41,13 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
14496 #ifdef CONFIG_X86_32
14498 ENTRY(phys_startup_32)
14499 -jiffies = jiffies_64;
14501 OUTPUT_ARCH(i386:x86-64)
14502 ENTRY(phys_startup_64)
14503 -jiffies_64 = jiffies;
14506 +jiffies = jiffies_64;
14508 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
14510 * On 64-bit, align RODATA to 2MB so that even with CONFIG_DEBUG_RODATA
14511 @@ -69,31 +76,46 @@ jiffies_64 = jiffies;
14514 text PT_LOAD FLAGS(5); /* R_E */
14515 - data PT_LOAD FLAGS(7); /* RWE */
14516 +#ifdef CONFIG_X86_32
14517 + module PT_LOAD FLAGS(5); /* R_E */
14520 + rodata PT_LOAD FLAGS(5); /* R_E */
14522 + rodata PT_LOAD FLAGS(4); /* R__ */
14524 + data PT_LOAD FLAGS(6); /* RW_ */
14525 #ifdef CONFIG_X86_64
14526 user PT_LOAD FLAGS(5); /* R_E */
14528 + init.begin PT_LOAD FLAGS(6); /* RW_ */
14530 percpu PT_LOAD FLAGS(6); /* RW_ */
14532 + text.init PT_LOAD FLAGS(5); /* R_E */
14533 + text.exit PT_LOAD FLAGS(5); /* R_E */
14534 init PT_LOAD FLAGS(7); /* RWE */
14536 note PT_NOTE FLAGS(0); /* ___ */
14541 #ifdef CONFIG_X86_32
14542 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
14543 - phys_startup_32 = startup_32 - LOAD_OFFSET;
14544 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
14546 - . = __START_KERNEL;
14547 - phys_startup_64 = startup_64 - LOAD_OFFSET;
14548 + . = __START_KERNEL;
14551 /* Text and read-only data */
14552 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
14554 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14555 /* bootstrapping code */
14556 +#ifdef CONFIG_X86_32
14557 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14559 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14561 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14564 #ifdef CONFIG_X86_32
14565 . = ALIGN(PAGE_SIZE);
14566 @@ -108,13 +130,50 @@ SECTIONS
14570 - /* End of text section */
14574 - NOTES :text :note
14575 + . += __KERNEL_TEXT_OFFSET;
14577 +#ifdef CONFIG_X86_32
14578 + . = ALIGN(PAGE_SIZE);
14579 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
14583 + . = ALIGN(PAGE_SIZE);
14584 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
14586 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
14587 + MODULES_EXEC_VADDR = .;
14589 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
14590 + . = ALIGN(HPAGE_SIZE);
14591 + MODULES_EXEC_END = . - 1;
14597 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
14598 + /* End of text section */
14599 + _etext = . - __KERNEL_TEXT_OFFSET;
14602 +#ifdef CONFIG_X86_32
14603 + . = ALIGN(PAGE_SIZE);
14604 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
14606 + . = ALIGN(PAGE_SIZE);
14607 + *(.empty_zero_page)
14608 + *(.swapper_pg_pmd)
14609 + *(.swapper_pg_dir)
14613 + . = ALIGN(PAGE_SIZE);
14614 + NOTES :rodata :note
14616 - EXCEPTION_TABLE(16) :text = 0x9090
14617 + EXCEPTION_TABLE(16) :rodata
14619 X64_ALIGN_DEBUG_RODATA_BEGIN
14621 @@ -122,16 +181,20 @@ SECTIONS
14624 .data : AT(ADDR(.data) - LOAD_OFFSET) {
14626 +#ifdef CONFIG_PAX_KERNEXEC
14627 + . = ALIGN(HPAGE_SIZE);
14629 + . = ALIGN(PAGE_SIZE);
14632 /* Start of data section */
14636 INIT_TASK_DATA(THREAD_SIZE)
14638 -#ifdef CONFIG_X86_32
14639 - /* 32 bit has nosave before _edata */
14643 PAGE_ALIGNED_DATA(PAGE_SIZE)
14645 @@ -194,12 +257,6 @@ SECTIONS
14647 vgetcpu_mode = VVIRT(.vgetcpu_mode);
14649 - . = ALIGN(L1_CACHE_BYTES);
14650 - .jiffies : AT(VLOAD(.jiffies)) {
14653 - jiffies = VVIRT(.jiffies);
14655 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
14658 @@ -215,12 +272,19 @@ SECTIONS
14659 #endif /* CONFIG_X86_64 */
14661 /* Init code and data - will be freed after init */
14662 - . = ALIGN(PAGE_SIZE);
14663 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
14666 +#ifdef CONFIG_PAX_KERNEXEC
14667 + . = ALIGN(HPAGE_SIZE);
14669 + . = ALIGN(PAGE_SIZE);
14672 __init_begin = .; /* paired with __init_end */
14676 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
14679 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
14680 * output PHDR, so the next output section - .init.text - should
14681 @@ -229,12 +293,27 @@ SECTIONS
14682 PERCPU_VADDR(0, :percpu)
14685 - INIT_TEXT_SECTION(PAGE_SIZE)
14686 -#ifdef CONFIG_X86_64
14689 + . = ALIGN(PAGE_SIZE);
14691 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
14692 + VMLINUX_SYMBOL(_sinittext) = .;
14694 + VMLINUX_SYMBOL(_einittext) = .;
14695 + . = ALIGN(PAGE_SIZE);
14699 + * .exit.text is discard at runtime, not link time, to deal with
14700 + * references from .altinstructions and .eh_frame
14702 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14706 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
14708 - INIT_DATA_SECTION(16)
14709 + . = ALIGN(PAGE_SIZE);
14710 + INIT_DATA_SECTION(16) :init
14712 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
14713 __x86_cpu_dev_start = .;
14714 @@ -260,19 +339,11 @@ SECTIONS
14715 *(.altinstr_replacement)
14719 - * .exit.text is discard at runtime, not link time, to deal with
14720 - * references from .altinstructions and .eh_frame
14722 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
14726 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
14730 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
14731 +#ifndef CONFIG_SMP
14735 @@ -291,16 +362,10 @@ SECTIONS
14736 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
14739 - . = ALIGN(PAGE_SIZE);
14740 __smp_locks_end = .;
14741 + . = ALIGN(PAGE_SIZE);
14744 -#ifdef CONFIG_X86_64
14745 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
14751 . = ALIGN(PAGE_SIZE);
14752 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
14753 @@ -316,6 +381,7 @@ SECTIONS
14755 . += 64 * 1024; /* 64k alignment slop space */
14756 *(.brk_reservation) /* areas brk users have reserved */
14757 + . = ALIGN(HPAGE_SIZE);
14761 @@ -342,13 +408,12 @@ SECTIONS
14762 * for the boot processor.
14764 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
14765 -INIT_PER_CPU(gdt_page);
14766 INIT_PER_CPU(irq_stack_union);
14769 * Build-time check on the image size:
14771 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
14772 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
14773 "kernel image bigger than KERNEL_IMAGE_SIZE");
14776 diff -urNp linux-2.6.35.4/arch/x86/kernel/vsyscall_64.c linux-2.6.35.4/arch/x86/kernel/vsyscall_64.c
14777 --- linux-2.6.35.4/arch/x86/kernel/vsyscall_64.c 2010-08-26 19:47:12.000000000 -0400
14778 +++ linux-2.6.35.4/arch/x86/kernel/vsyscall_64.c 2010-09-17 20:12:09.000000000 -0400
14779 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
14781 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
14782 /* copy vsyscall data */
14783 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
14784 vsyscall_gtod_data.clock.vread = clock->vread;
14785 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
14786 vsyscall_gtod_data.clock.mask = clock->mask;
14787 @@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
14788 We do this here because otherwise user space would do it on
14789 its own in a likely inferior way (no access to jiffies).
14790 If you don't like it pass NULL. */
14791 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
14792 + if (tcache && tcache->blob[0] == (j = jiffies)) {
14793 p = tcache->blob[1];
14794 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
14795 /* Load per CPU data from RDTSCP */
14796 diff -urNp linux-2.6.35.4/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.35.4/arch/x86/kernel/x8664_ksyms_64.c
14797 --- linux-2.6.35.4/arch/x86/kernel/x8664_ksyms_64.c 2010-08-26 19:47:12.000000000 -0400
14798 +++ linux-2.6.35.4/arch/x86/kernel/x8664_ksyms_64.c 2010-09-17 20:12:09.000000000 -0400
14799 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
14800 EXPORT_SYMBOL(copy_user_generic_string);
14801 EXPORT_SYMBOL(copy_user_generic_unrolled);
14802 EXPORT_SYMBOL(__copy_user_nocache);
14803 -EXPORT_SYMBOL(_copy_from_user);
14804 -EXPORT_SYMBOL(_copy_to_user);
14806 EXPORT_SYMBOL(copy_page);
14807 EXPORT_SYMBOL(clear_page);
14808 diff -urNp linux-2.6.35.4/arch/x86/kernel/xsave.c linux-2.6.35.4/arch/x86/kernel/xsave.c
14809 --- linux-2.6.35.4/arch/x86/kernel/xsave.c 2010-08-26 19:47:12.000000000 -0400
14810 +++ linux-2.6.35.4/arch/x86/kernel/xsave.c 2010-09-17 20:12:09.000000000 -0400
14811 @@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
14812 fx_sw_user->xstate_size > fx_sw_user->extended_size)
14815 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
14816 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
14817 fx_sw_user->extended_size -
14818 FP_XSTATE_MAGIC2_SIZE));
14820 @@ -196,7 +196,7 @@ fx_only:
14821 * the other extended state.
14823 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
14824 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
14825 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
14829 @@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
14831 err = restore_user_xstate(buf);
14833 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
14834 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
14836 if (unlikely(err)) {
14838 diff -urNp linux-2.6.35.4/arch/x86/kvm/emulate.c linux-2.6.35.4/arch/x86/kvm/emulate.c
14839 --- linux-2.6.35.4/arch/x86/kvm/emulate.c 2010-08-26 19:47:12.000000000 -0400
14840 +++ linux-2.6.35.4/arch/x86/kvm/emulate.c 2010-09-17 20:12:09.000000000 -0400
14841 @@ -88,11 +88,11 @@
14842 #define Src2CL (1<<29)
14843 #define Src2ImmByte (2<<29)
14844 #define Src2One (3<<29)
14845 -#define Src2Imm16 (4<<29)
14846 -#define Src2Mem16 (5<<29) /* Used for Ep encoding. First argument has to be
14847 +#define Src2Imm16 (4U<<29)
14848 +#define Src2Mem16 (5U<<29) /* Used for Ep encoding. First argument has to be
14849 in memory and second argument is located
14850 immediately after the first one in memory. */
14851 -#define Src2Mask (7<<29)
14852 +#define Src2Mask (7U<<29)
14855 Group1_80, Group1_81, Group1_82, Group1_83,
14856 @@ -446,6 +446,7 @@ static u32 group2_table[] = {
14858 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
14860 + unsigned long _tmp; \
14861 __asm__ __volatile__ ( \
14862 _PRE_EFLAGS("0", "4", "2") \
14863 _op _suffix " %"_x"3,%1; " \
14864 @@ -459,8 +460,6 @@ static u32 group2_table[] = {
14865 /* Raw emulation: instruction has two explicit operands. */
14866 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
14868 - unsigned long _tmp; \
14870 switch ((_dst).bytes) { \
14872 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
14873 @@ -476,7 +475,6 @@ static u32 group2_table[] = {
14875 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
14877 - unsigned long _tmp; \
14878 switch ((_dst).bytes) { \
14880 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
14881 diff -urNp linux-2.6.35.4/arch/x86/kvm/lapic.c linux-2.6.35.4/arch/x86/kvm/lapic.c
14882 --- linux-2.6.35.4/arch/x86/kvm/lapic.c 2010-08-26 19:47:12.000000000 -0400
14883 +++ linux-2.6.35.4/arch/x86/kvm/lapic.c 2010-09-17 20:12:09.000000000 -0400
14885 #define APIC_BUS_CYCLE_NS 1
14887 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
14888 -#define apic_debug(fmt, arg...)
14889 +#define apic_debug(fmt, arg...) do {} while (0)
14891 #define APIC_LVT_NUM 6
14892 /* 14 is the version for Xeon and Pentium 8.4.8*/
14893 diff -urNp linux-2.6.35.4/arch/x86/kvm/svm.c linux-2.6.35.4/arch/x86/kvm/svm.c
14894 --- linux-2.6.35.4/arch/x86/kvm/svm.c 2010-08-26 19:47:12.000000000 -0400
14895 +++ linux-2.6.35.4/arch/x86/kvm/svm.c 2010-09-17 20:12:09.000000000 -0400
14896 @@ -2796,7 +2796,11 @@ static void reload_tss(struct kvm_vcpu *
14897 int cpu = raw_smp_processor_id();
14899 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
14901 + pax_open_kernel();
14902 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
14903 + pax_close_kernel();
14908 @@ -3337,7 +3341,7 @@ static void svm_fpu_deactivate(struct kv
14909 update_cr0_intercept(svm);
14912 -static struct kvm_x86_ops svm_x86_ops = {
14913 +static const struct kvm_x86_ops svm_x86_ops = {
14914 .cpu_has_kvm_support = has_svm,
14915 .disabled_by_bios = is_disabled,
14916 .hardware_setup = svm_hardware_setup,
14917 diff -urNp linux-2.6.35.4/arch/x86/kvm/vmx.c linux-2.6.35.4/arch/x86/kvm/vmx.c
14918 --- linux-2.6.35.4/arch/x86/kvm/vmx.c 2010-08-26 19:47:12.000000000 -0400
14919 +++ linux-2.6.35.4/arch/x86/kvm/vmx.c 2010-09-17 20:12:09.000000000 -0400
14920 @@ -653,7 +653,11 @@ static void reload_tss(void)
14922 native_store_gdt(&gdt);
14923 descs = (void *)gdt.address;
14925 + pax_open_kernel();
14926 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
14927 + pax_close_kernel();
14932 @@ -1550,8 +1554,11 @@ static __init int hardware_setup(void)
14933 if (!cpu_has_vmx_flexpriority())
14934 flexpriority_enabled = 0;
14936 - if (!cpu_has_vmx_tpr_shadow())
14937 - kvm_x86_ops->update_cr8_intercept = NULL;
14938 + if (!cpu_has_vmx_tpr_shadow()) {
14939 + pax_open_kernel();
14940 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
14941 + pax_close_kernel();
14944 if (enable_ept && !cpu_has_vmx_ept_2m_page())
14945 kvm_disable_largepages();
14946 @@ -2533,7 +2540,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
14947 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
14949 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
14950 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
14951 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
14952 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
14953 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
14954 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
14955 @@ -3909,6 +3916,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
14956 "jmp .Lkvm_vmx_return \n\t"
14957 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
14958 ".Lkvm_vmx_return: "
14960 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14961 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
14962 + ".Lkvm_vmx_return2: "
14965 /* Save guest registers, load host registers, keep flags */
14966 "xchg %0, (%%"R"sp) \n\t"
14967 "mov %%"R"ax, %c[rax](%0) \n\t"
14968 @@ -3955,8 +3968,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
14969 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
14971 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
14973 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14974 + ,[cs]"i"(__KERNEL_CS)
14978 - , R"bx", R"di", R"si"
14979 + , R"ax", R"bx", R"di", R"si"
14980 #ifdef CONFIG_X86_64
14981 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
14983 @@ -3970,7 +3988,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
14984 if (vmx->rmode.irq.pending)
14985 fixup_rmode_irq(vmx);
14987 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
14988 + asm("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
14991 vmx_complete_interrupts(vmx);
14992 @@ -4191,7 +4209,7 @@ static void vmx_set_supported_cpuid(u32
14996 -static struct kvm_x86_ops vmx_x86_ops = {
14997 +static const struct kvm_x86_ops vmx_x86_ops = {
14998 .cpu_has_kvm_support = cpu_has_kvm_support,
14999 .disabled_by_bios = vmx_disabled_by_bios,
15000 .hardware_setup = hardware_setup,
15001 diff -urNp linux-2.6.35.4/arch/x86/kvm/x86.c linux-2.6.35.4/arch/x86/kvm/x86.c
15002 --- linux-2.6.35.4/arch/x86/kvm/x86.c 2010-08-26 19:47:12.000000000 -0400
15003 +++ linux-2.6.35.4/arch/x86/kvm/x86.c 2010-09-17 20:12:09.000000000 -0400
15004 @@ -86,7 +86,7 @@ static void update_cr8_intercept(struct
15005 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15006 struct kvm_cpuid_entry2 __user *entries);
15008 -struct kvm_x86_ops *kvm_x86_ops;
15009 +const struct kvm_x86_ops *kvm_x86_ops;
15010 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15012 int ignore_msrs = 0;
15013 @@ -112,38 +112,38 @@ static struct kvm_shared_msrs_global __r
15014 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
15016 struct kvm_stats_debugfs_item debugfs_entries[] = {
15017 - { "pf_fixed", VCPU_STAT(pf_fixed) },
15018 - { "pf_guest", VCPU_STAT(pf_guest) },
15019 - { "tlb_flush", VCPU_STAT(tlb_flush) },
15020 - { "invlpg", VCPU_STAT(invlpg) },
15021 - { "exits", VCPU_STAT(exits) },
15022 - { "io_exits", VCPU_STAT(io_exits) },
15023 - { "mmio_exits", VCPU_STAT(mmio_exits) },
15024 - { "signal_exits", VCPU_STAT(signal_exits) },
15025 - { "irq_window", VCPU_STAT(irq_window_exits) },
15026 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
15027 - { "halt_exits", VCPU_STAT(halt_exits) },
15028 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
15029 - { "hypercalls", VCPU_STAT(hypercalls) },
15030 - { "request_irq", VCPU_STAT(request_irq_exits) },
15031 - { "irq_exits", VCPU_STAT(irq_exits) },
15032 - { "host_state_reload", VCPU_STAT(host_state_reload) },
15033 - { "efer_reload", VCPU_STAT(efer_reload) },
15034 - { "fpu_reload", VCPU_STAT(fpu_reload) },
15035 - { "insn_emulation", VCPU_STAT(insn_emulation) },
15036 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
15037 - { "irq_injections", VCPU_STAT(irq_injections) },
15038 - { "nmi_injections", VCPU_STAT(nmi_injections) },
15039 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
15040 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
15041 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
15042 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
15043 - { "mmu_flooded", VM_STAT(mmu_flooded) },
15044 - { "mmu_recycled", VM_STAT(mmu_recycled) },
15045 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
15046 - { "mmu_unsync", VM_STAT(mmu_unsync) },
15047 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
15048 - { "largepages", VM_STAT(lpages) },
15049 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
15050 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
15051 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
15052 + { "invlpg", VCPU_STAT(invlpg), NULL },
15053 + { "exits", VCPU_STAT(exits), NULL },
15054 + { "io_exits", VCPU_STAT(io_exits), NULL },
15055 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
15056 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
15057 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
15058 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
15059 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
15060 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
15061 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
15062 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
15063 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
15064 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
15065 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
15066 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
15067 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
15068 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
15069 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
15070 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
15071 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
15072 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
15073 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
15074 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
15075 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
15076 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
15077 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
15078 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
15079 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
15080 + { "largepages", VM_STAT(lpages), NULL },
15084 @@ -1672,6 +1672,8 @@ long kvm_arch_dev_ioctl(struct file *fil
15085 if (n < msr_list.nmsrs)
15088 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
15090 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
15091 num_msrs_to_save * sizeof(u32)))
15093 @@ -2103,7 +2105,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
15094 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
15095 struct kvm_interrupt *irq)
15097 - if (irq->irq < 0 || irq->irq >= 256)
15098 + if (irq->irq >= 256)
15100 if (irqchip_in_kernel(vcpu->kvm))
15102 @@ -4070,10 +4072,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
15104 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
15106 -int kvm_arch_init(void *opaque)
15107 +int kvm_arch_init(const void *opaque)
15110 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
15111 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
15114 printk(KERN_ERR "kvm: already loaded the other module\n");
15115 diff -urNp linux-2.6.35.4/arch/x86/lib/checksum_32.S linux-2.6.35.4/arch/x86/lib/checksum_32.S
15116 --- linux-2.6.35.4/arch/x86/lib/checksum_32.S 2010-08-26 19:47:12.000000000 -0400
15117 +++ linux-2.6.35.4/arch/x86/lib/checksum_32.S 2010-09-17 20:12:09.000000000 -0400
15119 #include <linux/linkage.h>
15120 #include <asm/dwarf2.h>
15121 #include <asm/errno.h>
15123 +#include <asm/segment.h>
15126 * computes a partial checksum, e.g. for TCP/UDP fragments
15128 @@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
15133 -ENTRY(csum_partial_copy_generic)
15135 +ENTRY(csum_partial_copy_generic_to_user)
15137 + pushl $(__USER_DS)
15138 + CFI_ADJUST_CFA_OFFSET 4
15140 + CFI_ADJUST_CFA_OFFSET -4
15141 + jmp csum_partial_copy_generic
15143 +ENTRY(csum_partial_copy_generic_from_user)
15144 + pushl $(__USER_DS)
15145 + CFI_ADJUST_CFA_OFFSET 4
15147 + CFI_ADJUST_CFA_OFFSET -4
15149 +ENTRY(csum_partial_copy_generic)
15151 CFI_ADJUST_CFA_OFFSET 4
15153 @@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
15155 SRC(1: movw (%esi), %bx )
15157 -DST( movw %bx, (%edi) )
15158 +DST( movw %bx, %es:(%edi) )
15162 @@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
15163 SRC(1: movl (%esi), %ebx )
15164 SRC( movl 4(%esi), %edx )
15166 -DST( movl %ebx, (%edi) )
15167 +DST( movl %ebx, %es:(%edi) )
15169 -DST( movl %edx, 4(%edi) )
15170 +DST( movl %edx, %es:4(%edi) )
15172 SRC( movl 8(%esi), %ebx )
15173 SRC( movl 12(%esi), %edx )
15175 -DST( movl %ebx, 8(%edi) )
15176 +DST( movl %ebx, %es:8(%edi) )
15178 -DST( movl %edx, 12(%edi) )
15179 +DST( movl %edx, %es:12(%edi) )
15181 SRC( movl 16(%esi), %ebx )
15182 SRC( movl 20(%esi), %edx )
15184 -DST( movl %ebx, 16(%edi) )
15185 +DST( movl %ebx, %es:16(%edi) )
15187 -DST( movl %edx, 20(%edi) )
15188 +DST( movl %edx, %es:20(%edi) )
15190 SRC( movl 24(%esi), %ebx )
15191 SRC( movl 28(%esi), %edx )
15193 -DST( movl %ebx, 24(%edi) )
15194 +DST( movl %ebx, %es:24(%edi) )
15196 -DST( movl %edx, 28(%edi) )
15197 +DST( movl %edx, %es:28(%edi) )
15201 @@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
15202 shrl $2, %edx # This clears CF
15203 SRC(3: movl (%esi), %ebx )
15205 -DST( movl %ebx, (%edi) )
15206 +DST( movl %ebx, %es:(%edi) )
15210 @@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
15212 SRC( movw (%esi), %cx )
15214 -DST( movw %cx, (%edi) )
15215 +DST( movw %cx, %es:(%edi) )
15219 SRC(5: movb (%esi), %cl )
15220 -DST( movb %cl, (%edi) )
15221 +DST( movb %cl, %es:(%edi) )
15225 @@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
15228 movl ARGBASE+20(%esp), %ebx # src_err_ptr
15229 - movl $-EFAULT, (%ebx)
15230 + movl $-EFAULT, %ss:(%ebx)
15232 # zero the complete destination - computing the rest
15234 @@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
15237 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15238 - movl $-EFAULT,(%ebx)
15239 + movl $-EFAULT,%ss:(%ebx)
15245 + CFI_ADJUST_CFA_OFFSET 4
15247 + CFI_ADJUST_CFA_OFFSET -4
15249 + CFI_ADJUST_CFA_OFFSET 4
15251 + CFI_ADJUST_CFA_OFFSET -4
15253 CFI_ADJUST_CFA_OFFSET -4
15255 @@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
15256 CFI_ADJUST_CFA_OFFSET -4
15259 -ENDPROC(csum_partial_copy_generic)
15260 +ENDPROC(csum_partial_copy_generic_to_user)
15264 /* Version for PentiumII/PPro */
15266 #define ROUND1(x) \
15268 SRC(movl x(%esi), %ebx ) ; \
15269 addl %ebx, %eax ; \
15270 - DST(movl %ebx, x(%edi) ) ;
15271 + DST(movl %ebx, %es:x(%edi)) ;
15275 SRC(movl x(%esi), %ebx ) ; \
15276 adcl %ebx, %eax ; \
15277 - DST(movl %ebx, x(%edi) ) ;
15278 + DST(movl %ebx, %es:x(%edi)) ;
15282 -ENTRY(csum_partial_copy_generic)
15284 +ENTRY(csum_partial_copy_generic_to_user)
15286 + pushl $(__USER_DS)
15287 + CFI_ADJUST_CFA_OFFSET 4
15289 + CFI_ADJUST_CFA_OFFSET -4
15290 + jmp csum_partial_copy_generic
15292 +ENTRY(csum_partial_copy_generic_from_user)
15293 + pushl $(__USER_DS)
15294 + CFI_ADJUST_CFA_OFFSET 4
15296 + CFI_ADJUST_CFA_OFFSET -4
15298 +ENTRY(csum_partial_copy_generic)
15300 CFI_ADJUST_CFA_OFFSET 4
15301 CFI_REL_OFFSET ebx, 0
15302 @@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
15306 - lea 3f(%ebx,%ebx), %ebx
15307 + lea 3f(%ebx,%ebx,2), %ebx
15311 @@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
15313 SRC( movw (%esi), %dx )
15315 -DST( movw %dx, (%edi) )
15316 +DST( movw %dx, %es:(%edi) )
15321 SRC( movb (%esi), %dl )
15322 -DST( movb %dl, (%edi) )
15323 +DST( movb %dl, %es:(%edi) )
15327 .section .fixup, "ax"
15328 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
15329 - movl $-EFAULT, (%ebx)
15330 + movl $-EFAULT, %ss:(%ebx)
15331 # zero the complete destination (computing the rest is too much work)
15332 movl ARGBASE+8(%esp),%edi # dst
15333 movl ARGBASE+12(%esp),%ecx # len
15334 @@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
15337 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15338 - movl $-EFAULT, (%ebx)
15339 + movl $-EFAULT, %ss:(%ebx)
15344 + CFI_ADJUST_CFA_OFFSET 4
15346 + CFI_ADJUST_CFA_OFFSET -4
15348 + CFI_ADJUST_CFA_OFFSET 4
15350 + CFI_ADJUST_CFA_OFFSET -4
15352 CFI_ADJUST_CFA_OFFSET -4
15354 @@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
15358 -ENDPROC(csum_partial_copy_generic)
15359 +ENDPROC(csum_partial_copy_generic_to_user)
15363 diff -urNp linux-2.6.35.4/arch/x86/lib/clear_page_64.S linux-2.6.35.4/arch/x86/lib/clear_page_64.S
15364 --- linux-2.6.35.4/arch/x86/lib/clear_page_64.S 2010-08-26 19:47:12.000000000 -0400
15365 +++ linux-2.6.35.4/arch/x86/lib/clear_page_64.S 2010-09-17 20:12:09.000000000 -0400
15366 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
15368 #include <asm/cpufeature.h>
15370 - .section .altinstr_replacement,"ax"
15371 + .section .altinstr_replacement,"a"
15372 1: .byte 0xeb /* jmp <disp8> */
15373 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
15375 diff -urNp linux-2.6.35.4/arch/x86/lib/copy_page_64.S linux-2.6.35.4/arch/x86/lib/copy_page_64.S
15376 --- linux-2.6.35.4/arch/x86/lib/copy_page_64.S 2010-08-26 19:47:12.000000000 -0400
15377 +++ linux-2.6.35.4/arch/x86/lib/copy_page_64.S 2010-09-17 20:12:09.000000000 -0400
15378 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
15380 #include <asm/cpufeature.h>
15382 - .section .altinstr_replacement,"ax"
15383 + .section .altinstr_replacement,"a"
15384 1: .byte 0xeb /* jmp <disp8> */
15385 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
15387 diff -urNp linux-2.6.35.4/arch/x86/lib/copy_user_64.S linux-2.6.35.4/arch/x86/lib/copy_user_64.S
15388 --- linux-2.6.35.4/arch/x86/lib/copy_user_64.S 2010-08-26 19:47:12.000000000 -0400
15389 +++ linux-2.6.35.4/arch/x86/lib/copy_user_64.S 2010-09-17 20:12:09.000000000 -0400
15390 @@ -15,13 +15,14 @@
15391 #include <asm/asm-offsets.h>
15392 #include <asm/thread_info.h>
15393 #include <asm/cpufeature.h>
15394 +#include <asm/pgtable.h>
15396 .macro ALTERNATIVE_JUMP feature,orig,alt
15398 .byte 0xe9 /* 32bit jump */
15399 .long \orig-1f /* by default jump to orig */
15401 - .section .altinstr_replacement,"ax"
15402 + .section .altinstr_replacement,"a"
15403 2: .byte 0xe9 /* near jump with 32bit immediate */
15404 .long \alt-1b /* offset */ /* or alternatively to alt */
15406 @@ -64,37 +65,13 @@
15410 -/* Standard copy_to_user with segment limit checking */
15411 -ENTRY(_copy_to_user)
15413 - GET_THREAD_INFO(%rax)
15417 - cmpq TI_addr_limit(%rax),%rcx
15419 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15421 -ENDPROC(_copy_to_user)
15423 -/* Standard copy_from_user with segment limit checking */
15424 -ENTRY(_copy_from_user)
15426 - GET_THREAD_INFO(%rax)
15430 - cmpq TI_addr_limit(%rax),%rcx
15431 - jae bad_from_user
15432 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15434 -ENDPROC(_copy_from_user)
15436 .section .fixup,"ax"
15437 /* must zero dest */
15438 ENTRY(bad_from_user)
15446 diff -urNp linux-2.6.35.4/arch/x86/lib/copy_user_nocache_64.S linux-2.6.35.4/arch/x86/lib/copy_user_nocache_64.S
15447 --- linux-2.6.35.4/arch/x86/lib/copy_user_nocache_64.S 2010-08-26 19:47:12.000000000 -0400
15448 +++ linux-2.6.35.4/arch/x86/lib/copy_user_nocache_64.S 2010-09-17 20:12:09.000000000 -0400
15450 #include <asm/current.h>
15451 #include <asm/asm-offsets.h>
15452 #include <asm/thread_info.h>
15453 +#include <asm/pgtable.h>
15455 .macro ALIGN_DESTINATION
15456 #ifdef FIX_ALIGNMENT
15459 ENTRY(__copy_user_nocache)
15462 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15463 + mov $PAX_USER_SHADOW_BASE,%rcx
15471 jb 20f /* less then 8 bytes, go to byte copy loop */
15473 diff -urNp linux-2.6.35.4/arch/x86/lib/csum-wrappers_64.c linux-2.6.35.4/arch/x86/lib/csum-wrappers_64.c
15474 --- linux-2.6.35.4/arch/x86/lib/csum-wrappers_64.c 2010-08-26 19:47:12.000000000 -0400
15475 +++ linux-2.6.35.4/arch/x86/lib/csum-wrappers_64.c 2010-09-17 20:12:09.000000000 -0400
15476 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
15480 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
15481 + src += PAX_USER_SHADOW_BASE;
15482 isum = csum_partial_copy_generic((__force const void *)src,
15483 dst, len, isum, errp, NULL);
15484 if (unlikely(*errp))
15485 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
15489 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
15490 + dst += PAX_USER_SHADOW_BASE;
15491 return csum_partial_copy_generic(src, (void __force *)dst,
15492 len, isum, NULL, errp);
15494 diff -urNp linux-2.6.35.4/arch/x86/lib/getuser.S linux-2.6.35.4/arch/x86/lib/getuser.S
15495 --- linux-2.6.35.4/arch/x86/lib/getuser.S 2010-08-26 19:47:12.000000000 -0400
15496 +++ linux-2.6.35.4/arch/x86/lib/getuser.S 2010-09-17 20:12:09.000000000 -0400
15497 @@ -33,14 +33,38 @@
15498 #include <asm/asm-offsets.h>
15499 #include <asm/thread_info.h>
15500 #include <asm/asm.h>
15501 +#include <asm/segment.h>
15502 +#include <asm/pgtable.h>
15505 ENTRY(__get_user_1)
15508 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15509 + pushl $(__USER_DS)
15512 GET_THREAD_INFO(%_ASM_DX)
15513 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15516 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15517 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15518 + cmp %_ASM_DX,%_ASM_AX
15520 + add %_ASM_DX,%_ASM_AX
15526 1: movzb (%_ASM_AX),%edx
15528 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15536 @@ -49,11 +73,33 @@ ENDPROC(__get_user_1)
15537 ENTRY(__get_user_2)
15541 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15542 + pushl $(__USER_DS)
15546 GET_THREAD_INFO(%_ASM_DX)
15547 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15550 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15551 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15552 + cmp %_ASM_DX,%_ASM_AX
15554 + add %_ASM_DX,%_ASM_AX
15560 2: movzwl -1(%_ASM_AX),%edx
15562 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15570 @@ -62,11 +108,33 @@ ENDPROC(__get_user_2)
15571 ENTRY(__get_user_4)
15575 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15576 + pushl $(__USER_DS)
15580 GET_THREAD_INFO(%_ASM_DX)
15581 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15584 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15585 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15586 + cmp %_ASM_DX,%_ASM_AX
15588 + add %_ASM_DX,%_ASM_AX
15594 3: mov -3(%_ASM_AX),%edx
15596 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15604 @@ -80,6 +148,15 @@ ENTRY(__get_user_8)
15605 GET_THREAD_INFO(%_ASM_DX)
15606 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15609 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15610 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15611 + cmp %_ASM_DX,%_ASM_AX
15613 + add %_ASM_DX,%_ASM_AX
15617 4: movq -7(%_ASM_AX),%_ASM_DX
15620 @@ -89,6 +166,12 @@ ENDPROC(__get_user_8)
15625 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15631 mov $(-EFAULT),%_ASM_AX
15633 diff -urNp linux-2.6.35.4/arch/x86/lib/insn.c linux-2.6.35.4/arch/x86/lib/insn.c
15634 --- linux-2.6.35.4/arch/x86/lib/insn.c 2010-08-26 19:47:12.000000000 -0400
15635 +++ linux-2.6.35.4/arch/x86/lib/insn.c 2010-09-17 20:12:09.000000000 -0400
15637 #include <linux/string.h>
15638 #include <asm/inat.h>
15639 #include <asm/insn.h>
15640 +#include <asm/pgtable_types.h>
15642 #define get_next(t, insn) \
15643 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
15645 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
15647 memset(insn, 0, sizeof(*insn));
15648 - insn->kaddr = kaddr;
15649 - insn->next_byte = kaddr;
15650 + insn->kaddr = ktla_ktva(kaddr);
15651 + insn->next_byte = ktla_ktva(kaddr);
15652 insn->x86_64 = x86_64 ? 1 : 0;
15653 insn->opnd_bytes = 4;
15655 diff -urNp linux-2.6.35.4/arch/x86/lib/mmx_32.c linux-2.6.35.4/arch/x86/lib/mmx_32.c
15656 --- linux-2.6.35.4/arch/x86/lib/mmx_32.c 2010-08-26 19:47:12.000000000 -0400
15657 +++ linux-2.6.35.4/arch/x86/lib/mmx_32.c 2010-09-17 20:12:09.000000000 -0400
15658 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
15662 + unsigned long cr0;
15664 if (unlikely(in_interrupt()))
15665 return __memcpy(to, from, len);
15666 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
15667 kernel_fpu_begin();
15669 __asm__ __volatile__ (
15670 - "1: prefetch (%0)\n" /* This set is 28 bytes */
15671 - " prefetch 64(%0)\n"
15672 - " prefetch 128(%0)\n"
15673 - " prefetch 192(%0)\n"
15674 - " prefetch 256(%0)\n"
15675 + "1: prefetch (%1)\n" /* This set is 28 bytes */
15676 + " prefetch 64(%1)\n"
15677 + " prefetch 128(%1)\n"
15678 + " prefetch 192(%1)\n"
15679 + " prefetch 256(%1)\n"
15681 ".section .fixup, \"ax\"\n"
15682 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15685 +#ifdef CONFIG_PAX_KERNEXEC
15686 + " movl %%cr0, %0\n"
15687 + " movl %0, %%eax\n"
15688 + " andl $0xFFFEFFFF, %%eax\n"
15689 + " movl %%eax, %%cr0\n"
15692 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15694 +#ifdef CONFIG_PAX_KERNEXEC
15695 + " movl %0, %%cr0\n"
15700 _ASM_EXTABLE(1b, 3b)
15702 + : "=&r" (cr0) : "r" (from) : "ax");
15704 for ( ; i > 5; i--) {
15705 __asm__ __volatile__ (
15706 - "1: prefetch 320(%0)\n"
15707 - "2: movq (%0), %%mm0\n"
15708 - " movq 8(%0), %%mm1\n"
15709 - " movq 16(%0), %%mm2\n"
15710 - " movq 24(%0), %%mm3\n"
15711 - " movq %%mm0, (%1)\n"
15712 - " movq %%mm1, 8(%1)\n"
15713 - " movq %%mm2, 16(%1)\n"
15714 - " movq %%mm3, 24(%1)\n"
15715 - " movq 32(%0), %%mm0\n"
15716 - " movq 40(%0), %%mm1\n"
15717 - " movq 48(%0), %%mm2\n"
15718 - " movq 56(%0), %%mm3\n"
15719 - " movq %%mm0, 32(%1)\n"
15720 - " movq %%mm1, 40(%1)\n"
15721 - " movq %%mm2, 48(%1)\n"
15722 - " movq %%mm3, 56(%1)\n"
15723 + "1: prefetch 320(%1)\n"
15724 + "2: movq (%1), %%mm0\n"
15725 + " movq 8(%1), %%mm1\n"
15726 + " movq 16(%1), %%mm2\n"
15727 + " movq 24(%1), %%mm3\n"
15728 + " movq %%mm0, (%2)\n"
15729 + " movq %%mm1, 8(%2)\n"
15730 + " movq %%mm2, 16(%2)\n"
15731 + " movq %%mm3, 24(%2)\n"
15732 + " movq 32(%1), %%mm0\n"
15733 + " movq 40(%1), %%mm1\n"
15734 + " movq 48(%1), %%mm2\n"
15735 + " movq 56(%1), %%mm3\n"
15736 + " movq %%mm0, 32(%2)\n"
15737 + " movq %%mm1, 40(%2)\n"
15738 + " movq %%mm2, 48(%2)\n"
15739 + " movq %%mm3, 56(%2)\n"
15740 ".section .fixup, \"ax\"\n"
15741 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15744 +#ifdef CONFIG_PAX_KERNEXEC
15745 + " movl %%cr0, %0\n"
15746 + " movl %0, %%eax\n"
15747 + " andl $0xFFFEFFFF, %%eax\n"
15748 + " movl %%eax, %%cr0\n"
15751 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15753 +#ifdef CONFIG_PAX_KERNEXEC
15754 + " movl %0, %%cr0\n"
15759 _ASM_EXTABLE(1b, 3b)
15760 - : : "r" (from), "r" (to) : "memory");
15761 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
15765 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
15766 static void fast_copy_page(void *to, void *from)
15769 + unsigned long cr0;
15771 kernel_fpu_begin();
15773 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
15774 * but that is for later. -AV
15776 __asm__ __volatile__(
15777 - "1: prefetch (%0)\n"
15778 - " prefetch 64(%0)\n"
15779 - " prefetch 128(%0)\n"
15780 - " prefetch 192(%0)\n"
15781 - " prefetch 256(%0)\n"
15782 + "1: prefetch (%1)\n"
15783 + " prefetch 64(%1)\n"
15784 + " prefetch 128(%1)\n"
15785 + " prefetch 192(%1)\n"
15786 + " prefetch 256(%1)\n"
15788 ".section .fixup, \"ax\"\n"
15789 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15792 +#ifdef CONFIG_PAX_KERNEXEC
15793 + " movl %%cr0, %0\n"
15794 + " movl %0, %%eax\n"
15795 + " andl $0xFFFEFFFF, %%eax\n"
15796 + " movl %%eax, %%cr0\n"
15799 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15801 +#ifdef CONFIG_PAX_KERNEXEC
15802 + " movl %0, %%cr0\n"
15807 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
15808 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
15810 for (i = 0; i < (4096-320)/64; i++) {
15811 __asm__ __volatile__ (
15812 - "1: prefetch 320(%0)\n"
15813 - "2: movq (%0), %%mm0\n"
15814 - " movntq %%mm0, (%1)\n"
15815 - " movq 8(%0), %%mm1\n"
15816 - " movntq %%mm1, 8(%1)\n"
15817 - " movq 16(%0), %%mm2\n"
15818 - " movntq %%mm2, 16(%1)\n"
15819 - " movq 24(%0), %%mm3\n"
15820 - " movntq %%mm3, 24(%1)\n"
15821 - " movq 32(%0), %%mm4\n"
15822 - " movntq %%mm4, 32(%1)\n"
15823 - " movq 40(%0), %%mm5\n"
15824 - " movntq %%mm5, 40(%1)\n"
15825 - " movq 48(%0), %%mm6\n"
15826 - " movntq %%mm6, 48(%1)\n"
15827 - " movq 56(%0), %%mm7\n"
15828 - " movntq %%mm7, 56(%1)\n"
15829 + "1: prefetch 320(%1)\n"
15830 + "2: movq (%1), %%mm0\n"
15831 + " movntq %%mm0, (%2)\n"
15832 + " movq 8(%1), %%mm1\n"
15833 + " movntq %%mm1, 8(%2)\n"
15834 + " movq 16(%1), %%mm2\n"
15835 + " movntq %%mm2, 16(%2)\n"
15836 + " movq 24(%1), %%mm3\n"
15837 + " movntq %%mm3, 24(%2)\n"
15838 + " movq 32(%1), %%mm4\n"
15839 + " movntq %%mm4, 32(%2)\n"
15840 + " movq 40(%1), %%mm5\n"
15841 + " movntq %%mm5, 40(%2)\n"
15842 + " movq 48(%1), %%mm6\n"
15843 + " movntq %%mm6, 48(%2)\n"
15844 + " movq 56(%1), %%mm7\n"
15845 + " movntq %%mm7, 56(%2)\n"
15846 ".section .fixup, \"ax\"\n"
15847 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15850 +#ifdef CONFIG_PAX_KERNEXEC
15851 + " movl %%cr0, %0\n"
15852 + " movl %0, %%eax\n"
15853 + " andl $0xFFFEFFFF, %%eax\n"
15854 + " movl %%eax, %%cr0\n"
15857 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15859 +#ifdef CONFIG_PAX_KERNEXEC
15860 + " movl %0, %%cr0\n"
15865 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
15866 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
15870 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
15871 static void fast_copy_page(void *to, void *from)
15874 + unsigned long cr0;
15876 kernel_fpu_begin();
15878 __asm__ __volatile__ (
15879 - "1: prefetch (%0)\n"
15880 - " prefetch 64(%0)\n"
15881 - " prefetch 128(%0)\n"
15882 - " prefetch 192(%0)\n"
15883 - " prefetch 256(%0)\n"
15884 + "1: prefetch (%1)\n"
15885 + " prefetch 64(%1)\n"
15886 + " prefetch 128(%1)\n"
15887 + " prefetch 192(%1)\n"
15888 + " prefetch 256(%1)\n"
15890 ".section .fixup, \"ax\"\n"
15891 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15894 +#ifdef CONFIG_PAX_KERNEXEC
15895 + " movl %%cr0, %0\n"
15896 + " movl %0, %%eax\n"
15897 + " andl $0xFFFEFFFF, %%eax\n"
15898 + " movl %%eax, %%cr0\n"
15901 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15903 +#ifdef CONFIG_PAX_KERNEXEC
15904 + " movl %0, %%cr0\n"
15909 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
15910 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
15912 for (i = 0; i < 4096/64; i++) {
15913 __asm__ __volatile__ (
15914 - "1: prefetch 320(%0)\n"
15915 - "2: movq (%0), %%mm0\n"
15916 - " movq 8(%0), %%mm1\n"
15917 - " movq 16(%0), %%mm2\n"
15918 - " movq 24(%0), %%mm3\n"
15919 - " movq %%mm0, (%1)\n"
15920 - " movq %%mm1, 8(%1)\n"
15921 - " movq %%mm2, 16(%1)\n"
15922 - " movq %%mm3, 24(%1)\n"
15923 - " movq 32(%0), %%mm0\n"
15924 - " movq 40(%0), %%mm1\n"
15925 - " movq 48(%0), %%mm2\n"
15926 - " movq 56(%0), %%mm3\n"
15927 - " movq %%mm0, 32(%1)\n"
15928 - " movq %%mm1, 40(%1)\n"
15929 - " movq %%mm2, 48(%1)\n"
15930 - " movq %%mm3, 56(%1)\n"
15931 + "1: prefetch 320(%1)\n"
15932 + "2: movq (%1), %%mm0\n"
15933 + " movq 8(%1), %%mm1\n"
15934 + " movq 16(%1), %%mm2\n"
15935 + " movq 24(%1), %%mm3\n"
15936 + " movq %%mm0, (%2)\n"
15937 + " movq %%mm1, 8(%2)\n"
15938 + " movq %%mm2, 16(%2)\n"
15939 + " movq %%mm3, 24(%2)\n"
15940 + " movq 32(%1), %%mm0\n"
15941 + " movq 40(%1), %%mm1\n"
15942 + " movq 48(%1), %%mm2\n"
15943 + " movq 56(%1), %%mm3\n"
15944 + " movq %%mm0, 32(%2)\n"
15945 + " movq %%mm1, 40(%2)\n"
15946 + " movq %%mm2, 48(%2)\n"
15947 + " movq %%mm3, 56(%2)\n"
15948 ".section .fixup, \"ax\"\n"
15949 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15952 +#ifdef CONFIG_PAX_KERNEXEC
15953 + " movl %%cr0, %0\n"
15954 + " movl %0, %%eax\n"
15955 + " andl $0xFFFEFFFF, %%eax\n"
15956 + " movl %%eax, %%cr0\n"
15959 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15961 +#ifdef CONFIG_PAX_KERNEXEC
15962 + " movl %0, %%cr0\n"
15967 _ASM_EXTABLE(1b, 3b)
15968 - : : "r" (from), "r" (to) : "memory");
15969 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
15973 diff -urNp linux-2.6.35.4/arch/x86/lib/putuser.S linux-2.6.35.4/arch/x86/lib/putuser.S
15974 --- linux-2.6.35.4/arch/x86/lib/putuser.S 2010-08-26 19:47:12.000000000 -0400
15975 +++ linux-2.6.35.4/arch/x86/lib/putuser.S 2010-09-17 20:12:09.000000000 -0400
15977 #include <asm/thread_info.h>
15978 #include <asm/errno.h>
15979 #include <asm/asm.h>
15981 +#include <asm/segment.h>
15982 +#include <asm/pgtable.h>
15986 @@ -29,59 +30,162 @@
15987 * as they get called from within inline assembly.
15990 -#define ENTER CFI_STARTPROC ; \
15991 - GET_THREAD_INFO(%_ASM_BX)
15992 +#define ENTER CFI_STARTPROC
15993 #define EXIT ret ; \
15996 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15997 +#define _DEST %_ASM_CX,%_ASM_BX
15999 +#define _DEST %_ASM_CX
16003 ENTRY(__put_user_1)
16006 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16007 + pushl $(__USER_DS)
16010 + GET_THREAD_INFO(%_ASM_BX)
16011 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
16013 -1: movb %al,(%_ASM_CX)
16015 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16016 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16017 + cmp %_ASM_BX,%_ASM_CX
16025 +1: movb %al,(_DEST)
16027 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16034 ENDPROC(__put_user_1)
16036 ENTRY(__put_user_2)
16039 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16040 + pushl $(__USER_DS)
16043 + GET_THREAD_INFO(%_ASM_BX)
16044 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16046 cmp %_ASM_BX,%_ASM_CX
16048 -2: movw %ax,(%_ASM_CX)
16050 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16051 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16052 + cmp %_ASM_BX,%_ASM_CX
16060 +2: movw %ax,(_DEST)
16062 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16069 ENDPROC(__put_user_2)
16071 ENTRY(__put_user_4)
16074 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16075 + pushl $(__USER_DS)
16078 + GET_THREAD_INFO(%_ASM_BX)
16079 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16081 cmp %_ASM_BX,%_ASM_CX
16083 -3: movl %eax,(%_ASM_CX)
16085 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16086 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16087 + cmp %_ASM_BX,%_ASM_CX
16095 +3: movl %eax,(_DEST)
16097 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16104 ENDPROC(__put_user_4)
16106 ENTRY(__put_user_8)
16109 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16110 + pushl $(__USER_DS)
16113 + GET_THREAD_INFO(%_ASM_BX)
16114 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16116 cmp %_ASM_BX,%_ASM_CX
16118 -4: mov %_ASM_AX,(%_ASM_CX)
16120 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16121 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16122 + cmp %_ASM_BX,%_ASM_CX
16130 +4: mov %_ASM_AX,(_DEST)
16131 #ifdef CONFIG_X86_32
16132 -5: movl %edx,4(%_ASM_CX)
16133 +5: movl %edx,4(_DEST)
16136 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16143 ENDPROC(__put_user_8)
16148 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16156 diff -urNp linux-2.6.35.4/arch/x86/lib/usercopy_32.c linux-2.6.35.4/arch/x86/lib/usercopy_32.c
16157 --- linux-2.6.35.4/arch/x86/lib/usercopy_32.c 2010-08-26 19:47:12.000000000 -0400
16158 +++ linux-2.6.35.4/arch/x86/lib/usercopy_32.c 2010-09-17 20:12:09.000000000 -0400
16159 @@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
16160 * Copy a null terminated string from userspace.
16163 -#define __do_strncpy_from_user(dst, src, count, res) \
16165 - int __d0, __d1, __d2; \
16167 - __asm__ __volatile__( \
16168 - " testl %1,%1\n" \
16172 - " testb %%al,%%al\n" \
16176 - "1: subl %1,%0\n" \
16178 - ".section .fixup,\"ax\"\n" \
16179 - "3: movl %5,%0\n" \
16182 - _ASM_EXTABLE(0b,3b) \
16183 - : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
16185 - : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
16188 +static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
16190 + int __d0, __d1, __d2;
16191 + long res = -EFAULT;
16194 + __asm__ __volatile__(
16195 + " movw %w10,%%ds\n"
16200 + " testb %%al,%%al\n"
16204 + "1: subl %1,%0\n"
16208 + ".section .fixup,\"ax\"\n"
16209 + "3: movl %5,%0\n"
16212 + _ASM_EXTABLE(0b,3b)
16213 + : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
16215 + : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
16222 * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
16223 @@ -85,9 +92,7 @@ do { \
16225 __strncpy_from_user(char *dst, const char __user *src, long count)
16228 - __do_strncpy_from_user(dst, src, count, res);
16230 + return __do_strncpy_from_user(dst, src, count);
16232 EXPORT_SYMBOL(__strncpy_from_user);
16234 @@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char
16236 long res = -EFAULT;
16237 if (access_ok(VERIFY_READ, src, 1))
16238 - __do_strncpy_from_user(dst, src, count, res);
16239 + res = __do_strncpy_from_user(dst, src, count);
16242 EXPORT_SYMBOL(strncpy_from_user);
16243 @@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
16247 -#define __do_clear_user(addr,size) \
16251 - __asm__ __volatile__( \
16252 - "0: rep; stosl\n" \
16253 - " movl %2,%0\n" \
16254 - "1: rep; stosb\n" \
16256 - ".section .fixup,\"ax\"\n" \
16257 - "3: lea 0(%2,%0,4),%0\n" \
16260 - _ASM_EXTABLE(0b,3b) \
16261 - _ASM_EXTABLE(1b,2b) \
16262 - : "=&c"(size), "=&D" (__d0) \
16263 - : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
16265 +static unsigned long __do_clear_user(void __user *addr, unsigned long size)
16270 + __asm__ __volatile__(
16271 + " movw %w6,%%es\n"
16272 + "0: rep; stosl\n"
16274 + "1: rep; stosb\n"
16278 + ".section .fixup,\"ax\"\n"
16279 + "3: lea 0(%2,%0,4),%0\n"
16282 + _ASM_EXTABLE(0b,3b)
16283 + _ASM_EXTABLE(1b,2b)
16284 + : "=&c"(size), "=&D" (__d0)
16285 + : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
16291 * clear_user: - Zero a block of memory in user space.
16292 @@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
16295 if (access_ok(VERIFY_WRITE, to, n))
16296 - __do_clear_user(to, n);
16297 + n = __do_clear_user(to, n);
16300 EXPORT_SYMBOL(clear_user);
16301 @@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
16303 __clear_user(void __user *to, unsigned long n)
16305 - __do_clear_user(to, n);
16307 + return __do_clear_user(to, n);
16309 EXPORT_SYMBOL(__clear_user);
16311 @@ -200,14 +210,17 @@ long strnlen_user(const char __user *s,
16314 __asm__ __volatile__(
16315 + " movw %w8,%%es\n"
16318 - " andl %0,%%ecx\n"
16319 + " movl %0,%%ecx\n"
16320 "0: repne; scasb\n"
16327 ".section .fixup,\"ax\"\n"
16328 "2: xorl %%eax,%%eax\n"
16330 @@ -219,7 +232,7 @@ long strnlen_user(const char __user *s,
16333 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
16334 - :"0" (n), "1" (s), "2" (0), "3" (mask)
16335 + :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
16339 @@ -227,10 +240,121 @@ EXPORT_SYMBOL(strnlen_user);
16341 #ifdef CONFIG_X86_INTEL_USERCOPY
16342 static unsigned long
16343 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
16344 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
16347 + __asm__ __volatile__(
16348 + " movw %w6, %%es\n"
16349 + " .align 2,0x90\n"
16350 + "1: movl 32(%4), %%eax\n"
16351 + " cmpl $67, %0\n"
16353 + "2: movl 64(%4), %%eax\n"
16354 + " .align 2,0x90\n"
16355 + "3: movl 0(%4), %%eax\n"
16356 + "4: movl 4(%4), %%edx\n"
16357 + "5: movl %%eax, %%es:0(%3)\n"
16358 + "6: movl %%edx, %%es:4(%3)\n"
16359 + "7: movl 8(%4), %%eax\n"
16360 + "8: movl 12(%4),%%edx\n"
16361 + "9: movl %%eax, %%es:8(%3)\n"
16362 + "10: movl %%edx, %%es:12(%3)\n"
16363 + "11: movl 16(%4), %%eax\n"
16364 + "12: movl 20(%4), %%edx\n"
16365 + "13: movl %%eax, %%es:16(%3)\n"
16366 + "14: movl %%edx, %%es:20(%3)\n"
16367 + "15: movl 24(%4), %%eax\n"
16368 + "16: movl 28(%4), %%edx\n"
16369 + "17: movl %%eax, %%es:24(%3)\n"
16370 + "18: movl %%edx, %%es:28(%3)\n"
16371 + "19: movl 32(%4), %%eax\n"
16372 + "20: movl 36(%4), %%edx\n"
16373 + "21: movl %%eax, %%es:32(%3)\n"
16374 + "22: movl %%edx, %%es:36(%3)\n"
16375 + "23: movl 40(%4), %%eax\n"
16376 + "24: movl 44(%4), %%edx\n"
16377 + "25: movl %%eax, %%es:40(%3)\n"
16378 + "26: movl %%edx, %%es:44(%3)\n"
16379 + "27: movl 48(%4), %%eax\n"
16380 + "28: movl 52(%4), %%edx\n"
16381 + "29: movl %%eax, %%es:48(%3)\n"
16382 + "30: movl %%edx, %%es:52(%3)\n"
16383 + "31: movl 56(%4), %%eax\n"
16384 + "32: movl 60(%4), %%edx\n"
16385 + "33: movl %%eax, %%es:56(%3)\n"
16386 + "34: movl %%edx, %%es:60(%3)\n"
16387 + " addl $-64, %0\n"
16388 + " addl $64, %4\n"
16389 + " addl $64, %3\n"
16390 + " cmpl $63, %0\n"
16392 + "35: movl %0, %%eax\n"
16394 + " andl $3, %%eax\n"
16396 + "99: rep; movsl\n"
16397 + "36: movl %%eax, %0\n"
16398 + "37: rep; movsb\n"
16402 + ".section .fixup,\"ax\"\n"
16403 + "101: lea 0(%%eax,%0,4),%0\n"
16406 + ".section __ex_table,\"a\"\n"
16408 + " .long 1b,100b\n"
16409 + " .long 2b,100b\n"
16410 + " .long 3b,100b\n"
16411 + " .long 4b,100b\n"
16412 + " .long 5b,100b\n"
16413 + " .long 6b,100b\n"
16414 + " .long 7b,100b\n"
16415 + " .long 8b,100b\n"
16416 + " .long 9b,100b\n"
16417 + " .long 10b,100b\n"
16418 + " .long 11b,100b\n"
16419 + " .long 12b,100b\n"
16420 + " .long 13b,100b\n"
16421 + " .long 14b,100b\n"
16422 + " .long 15b,100b\n"
16423 + " .long 16b,100b\n"
16424 + " .long 17b,100b\n"
16425 + " .long 18b,100b\n"
16426 + " .long 19b,100b\n"
16427 + " .long 20b,100b\n"
16428 + " .long 21b,100b\n"
16429 + " .long 22b,100b\n"
16430 + " .long 23b,100b\n"
16431 + " .long 24b,100b\n"
16432 + " .long 25b,100b\n"
16433 + " .long 26b,100b\n"
16434 + " .long 27b,100b\n"
16435 + " .long 28b,100b\n"
16436 + " .long 29b,100b\n"
16437 + " .long 30b,100b\n"
16438 + " .long 31b,100b\n"
16439 + " .long 32b,100b\n"
16440 + " .long 33b,100b\n"
16441 + " .long 34b,100b\n"
16442 + " .long 35b,100b\n"
16443 + " .long 36b,100b\n"
16444 + " .long 37b,100b\n"
16445 + " .long 99b,101b\n"
16447 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
16448 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16449 + : "eax", "edx", "memory");
16453 +static unsigned long
16454 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
16457 __asm__ __volatile__(
16458 + " movw %w6, %%ds\n"
16460 "1: movl 32(%4), %%eax\n"
16462 @@ -239,36 +363,36 @@ __copy_user_intel(void __user *to, const
16464 "3: movl 0(%4), %%eax\n"
16465 "4: movl 4(%4), %%edx\n"
16466 - "5: movl %%eax, 0(%3)\n"
16467 - "6: movl %%edx, 4(%3)\n"
16468 + "5: movl %%eax, %%es:0(%3)\n"
16469 + "6: movl %%edx, %%es:4(%3)\n"
16470 "7: movl 8(%4), %%eax\n"
16471 "8: movl 12(%4),%%edx\n"
16472 - "9: movl %%eax, 8(%3)\n"
16473 - "10: movl %%edx, 12(%3)\n"
16474 + "9: movl %%eax, %%es:8(%3)\n"
16475 + "10: movl %%edx, %%es:12(%3)\n"
16476 "11: movl 16(%4), %%eax\n"
16477 "12: movl 20(%4), %%edx\n"
16478 - "13: movl %%eax, 16(%3)\n"
16479 - "14: movl %%edx, 20(%3)\n"
16480 + "13: movl %%eax, %%es:16(%3)\n"
16481 + "14: movl %%edx, %%es:20(%3)\n"
16482 "15: movl 24(%4), %%eax\n"
16483 "16: movl 28(%4), %%edx\n"
16484 - "17: movl %%eax, 24(%3)\n"
16485 - "18: movl %%edx, 28(%3)\n"
16486 + "17: movl %%eax, %%es:24(%3)\n"
16487 + "18: movl %%edx, %%es:28(%3)\n"
16488 "19: movl 32(%4), %%eax\n"
16489 "20: movl 36(%4), %%edx\n"
16490 - "21: movl %%eax, 32(%3)\n"
16491 - "22: movl %%edx, 36(%3)\n"
16492 + "21: movl %%eax, %%es:32(%3)\n"
16493 + "22: movl %%edx, %%es:36(%3)\n"
16494 "23: movl 40(%4), %%eax\n"
16495 "24: movl 44(%4), %%edx\n"
16496 - "25: movl %%eax, 40(%3)\n"
16497 - "26: movl %%edx, 44(%3)\n"
16498 + "25: movl %%eax, %%es:40(%3)\n"
16499 + "26: movl %%edx, %%es:44(%3)\n"
16500 "27: movl 48(%4), %%eax\n"
16501 "28: movl 52(%4), %%edx\n"
16502 - "29: movl %%eax, 48(%3)\n"
16503 - "30: movl %%edx, 52(%3)\n"
16504 + "29: movl %%eax, %%es:48(%3)\n"
16505 + "30: movl %%edx, %%es:52(%3)\n"
16506 "31: movl 56(%4), %%eax\n"
16507 "32: movl 60(%4), %%edx\n"
16508 - "33: movl %%eax, 56(%3)\n"
16509 - "34: movl %%edx, 60(%3)\n"
16510 + "33: movl %%eax, %%es:56(%3)\n"
16511 + "34: movl %%edx, %%es:60(%3)\n"
16515 @@ -282,6 +406,8 @@ __copy_user_intel(void __user *to, const
16516 "36: movl %%eax, %0\n"
16521 ".section .fixup,\"ax\"\n"
16522 "101: lea 0(%%eax,%0,4),%0\n"
16524 @@ -328,7 +454,7 @@ __copy_user_intel(void __user *to, const
16525 " .long 99b,101b\n"
16527 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16528 - : "1"(to), "2"(from), "0"(size)
16529 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16530 : "eax", "edx", "memory");
16533 @@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
16536 __asm__ __volatile__(
16537 + " movw %w6, %%ds\n"
16539 "0: movl 32(%4), %%eax\n"
16541 @@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
16543 "2: movl 0(%4), %%eax\n"
16544 "21: movl 4(%4), %%edx\n"
16545 - " movl %%eax, 0(%3)\n"
16546 - " movl %%edx, 4(%3)\n"
16547 + " movl %%eax, %%es:0(%3)\n"
16548 + " movl %%edx, %%es:4(%3)\n"
16549 "3: movl 8(%4), %%eax\n"
16550 "31: movl 12(%4),%%edx\n"
16551 - " movl %%eax, 8(%3)\n"
16552 - " movl %%edx, 12(%3)\n"
16553 + " movl %%eax, %%es:8(%3)\n"
16554 + " movl %%edx, %%es:12(%3)\n"
16555 "4: movl 16(%4), %%eax\n"
16556 "41: movl 20(%4), %%edx\n"
16557 - " movl %%eax, 16(%3)\n"
16558 - " movl %%edx, 20(%3)\n"
16559 + " movl %%eax, %%es:16(%3)\n"
16560 + " movl %%edx, %%es:20(%3)\n"
16561 "10: movl 24(%4), %%eax\n"
16562 "51: movl 28(%4), %%edx\n"
16563 - " movl %%eax, 24(%3)\n"
16564 - " movl %%edx, 28(%3)\n"
16565 + " movl %%eax, %%es:24(%3)\n"
16566 + " movl %%edx, %%es:28(%3)\n"
16567 "11: movl 32(%4), %%eax\n"
16568 "61: movl 36(%4), %%edx\n"
16569 - " movl %%eax, 32(%3)\n"
16570 - " movl %%edx, 36(%3)\n"
16571 + " movl %%eax, %%es:32(%3)\n"
16572 + " movl %%edx, %%es:36(%3)\n"
16573 "12: movl 40(%4), %%eax\n"
16574 "71: movl 44(%4), %%edx\n"
16575 - " movl %%eax, 40(%3)\n"
16576 - " movl %%edx, 44(%3)\n"
16577 + " movl %%eax, %%es:40(%3)\n"
16578 + " movl %%edx, %%es:44(%3)\n"
16579 "13: movl 48(%4), %%eax\n"
16580 "81: movl 52(%4), %%edx\n"
16581 - " movl %%eax, 48(%3)\n"
16582 - " movl %%edx, 52(%3)\n"
16583 + " movl %%eax, %%es:48(%3)\n"
16584 + " movl %%edx, %%es:52(%3)\n"
16585 "14: movl 56(%4), %%eax\n"
16586 "91: movl 60(%4), %%edx\n"
16587 - " movl %%eax, 56(%3)\n"
16588 - " movl %%edx, 60(%3)\n"
16589 + " movl %%eax, %%es:56(%3)\n"
16590 + " movl %%edx, %%es:60(%3)\n"
16594 @@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
16600 ".section .fixup,\"ax\"\n"
16601 "9: lea 0(%%eax,%0,4),%0\n"
16603 @@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
16606 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16607 - : "1"(to), "2"(from), "0"(size)
16608 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16609 : "eax", "edx", "memory");
16612 @@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
16615 __asm__ __volatile__(
16616 + " movw %w6, %%ds\n"
16618 "0: movl 32(%4), %%eax\n"
16620 @@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
16622 "2: movl 0(%4), %%eax\n"
16623 "21: movl 4(%4), %%edx\n"
16624 - " movnti %%eax, 0(%3)\n"
16625 - " movnti %%edx, 4(%3)\n"
16626 + " movnti %%eax, %%es:0(%3)\n"
16627 + " movnti %%edx, %%es:4(%3)\n"
16628 "3: movl 8(%4), %%eax\n"
16629 "31: movl 12(%4),%%edx\n"
16630 - " movnti %%eax, 8(%3)\n"
16631 - " movnti %%edx, 12(%3)\n"
16632 + " movnti %%eax, %%es:8(%3)\n"
16633 + " movnti %%edx, %%es:12(%3)\n"
16634 "4: movl 16(%4), %%eax\n"
16635 "41: movl 20(%4), %%edx\n"
16636 - " movnti %%eax, 16(%3)\n"
16637 - " movnti %%edx, 20(%3)\n"
16638 + " movnti %%eax, %%es:16(%3)\n"
16639 + " movnti %%edx, %%es:20(%3)\n"
16640 "10: movl 24(%4), %%eax\n"
16641 "51: movl 28(%4), %%edx\n"
16642 - " movnti %%eax, 24(%3)\n"
16643 - " movnti %%edx, 28(%3)\n"
16644 + " movnti %%eax, %%es:24(%3)\n"
16645 + " movnti %%edx, %%es:28(%3)\n"
16646 "11: movl 32(%4), %%eax\n"
16647 "61: movl 36(%4), %%edx\n"
16648 - " movnti %%eax, 32(%3)\n"
16649 - " movnti %%edx, 36(%3)\n"
16650 + " movnti %%eax, %%es:32(%3)\n"
16651 + " movnti %%edx, %%es:36(%3)\n"
16652 "12: movl 40(%4), %%eax\n"
16653 "71: movl 44(%4), %%edx\n"
16654 - " movnti %%eax, 40(%3)\n"
16655 - " movnti %%edx, 44(%3)\n"
16656 + " movnti %%eax, %%es:40(%3)\n"
16657 + " movnti %%edx, %%es:44(%3)\n"
16658 "13: movl 48(%4), %%eax\n"
16659 "81: movl 52(%4), %%edx\n"
16660 - " movnti %%eax, 48(%3)\n"
16661 - " movnti %%edx, 52(%3)\n"
16662 + " movnti %%eax, %%es:48(%3)\n"
16663 + " movnti %%edx, %%es:52(%3)\n"
16664 "14: movl 56(%4), %%eax\n"
16665 "91: movl 60(%4), %%edx\n"
16666 - " movnti %%eax, 56(%3)\n"
16667 - " movnti %%edx, 60(%3)\n"
16668 + " movnti %%eax, %%es:56(%3)\n"
16669 + " movnti %%edx, %%es:60(%3)\n"
16673 @@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
16679 ".section .fixup,\"ax\"\n"
16680 "9: lea 0(%%eax,%0,4),%0\n"
16682 @@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
16685 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16686 - : "1"(to), "2"(from), "0"(size)
16687 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16688 : "eax", "edx", "memory");
16691 @@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
16694 __asm__ __volatile__(
16695 + " movw %w6, %%ds\n"
16697 "0: movl 32(%4), %%eax\n"
16699 @@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
16701 "2: movl 0(%4), %%eax\n"
16702 "21: movl 4(%4), %%edx\n"
16703 - " movnti %%eax, 0(%3)\n"
16704 - " movnti %%edx, 4(%3)\n"
16705 + " movnti %%eax, %%es:0(%3)\n"
16706 + " movnti %%edx, %%es:4(%3)\n"
16707 "3: movl 8(%4), %%eax\n"
16708 "31: movl 12(%4),%%edx\n"
16709 - " movnti %%eax, 8(%3)\n"
16710 - " movnti %%edx, 12(%3)\n"
16711 + " movnti %%eax, %%es:8(%3)\n"
16712 + " movnti %%edx, %%es:12(%3)\n"
16713 "4: movl 16(%4), %%eax\n"
16714 "41: movl 20(%4), %%edx\n"
16715 - " movnti %%eax, 16(%3)\n"
16716 - " movnti %%edx, 20(%3)\n"
16717 + " movnti %%eax, %%es:16(%3)\n"
16718 + " movnti %%edx, %%es:20(%3)\n"
16719 "10: movl 24(%4), %%eax\n"
16720 "51: movl 28(%4), %%edx\n"
16721 - " movnti %%eax, 24(%3)\n"
16722 - " movnti %%edx, 28(%3)\n"
16723 + " movnti %%eax, %%es:24(%3)\n"
16724 + " movnti %%edx, %%es:28(%3)\n"
16725 "11: movl 32(%4), %%eax\n"
16726 "61: movl 36(%4), %%edx\n"
16727 - " movnti %%eax, 32(%3)\n"
16728 - " movnti %%edx, 36(%3)\n"
16729 + " movnti %%eax, %%es:32(%3)\n"
16730 + " movnti %%edx, %%es:36(%3)\n"
16731 "12: movl 40(%4), %%eax\n"
16732 "71: movl 44(%4), %%edx\n"
16733 - " movnti %%eax, 40(%3)\n"
16734 - " movnti %%edx, 44(%3)\n"
16735 + " movnti %%eax, %%es:40(%3)\n"
16736 + " movnti %%edx, %%es:44(%3)\n"
16737 "13: movl 48(%4), %%eax\n"
16738 "81: movl 52(%4), %%edx\n"
16739 - " movnti %%eax, 48(%3)\n"
16740 - " movnti %%edx, 52(%3)\n"
16741 + " movnti %%eax, %%es:48(%3)\n"
16742 + " movnti %%edx, %%es:52(%3)\n"
16743 "14: movl 56(%4), %%eax\n"
16744 "91: movl 60(%4), %%edx\n"
16745 - " movnti %%eax, 56(%3)\n"
16746 - " movnti %%edx, 60(%3)\n"
16747 + " movnti %%eax, %%es:56(%3)\n"
16748 + " movnti %%edx, %%es:60(%3)\n"
16752 @@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
16758 ".section .fixup,\"ax\"\n"
16759 "9: lea 0(%%eax,%0,4),%0\n"
16761 @@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
16764 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16765 - : "1"(to), "2"(from), "0"(size)
16766 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16767 : "eax", "edx", "memory");
16770 @@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
16772 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
16773 unsigned long size);
16774 -unsigned long __copy_user_intel(void __user *to, const void *from,
16775 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
16776 + unsigned long size);
16777 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
16778 unsigned long size);
16779 unsigned long __copy_user_zeroing_intel_nocache(void *to,
16780 const void __user *from, unsigned long size);
16781 #endif /* CONFIG_X86_INTEL_USERCOPY */
16783 /* Generic arbitrary sized copy. */
16784 -#define __copy_user(to, from, size) \
16786 - int __d0, __d1, __d2; \
16787 - __asm__ __volatile__( \
16790 - " movl %1,%0\n" \
16792 - " andl $7,%0\n" \
16793 - " subl %0,%3\n" \
16794 - "4: rep; movsb\n" \
16795 - " movl %3,%0\n" \
16796 - " shrl $2,%0\n" \
16797 - " andl $3,%3\n" \
16798 - " .align 2,0x90\n" \
16799 - "0: rep; movsl\n" \
16800 - " movl %3,%0\n" \
16801 - "1: rep; movsb\n" \
16803 - ".section .fixup,\"ax\"\n" \
16804 - "5: addl %3,%0\n" \
16806 - "3: lea 0(%3,%0,4),%0\n" \
16809 - ".section __ex_table,\"a\"\n" \
16811 - " .long 4b,5b\n" \
16812 - " .long 0b,3b\n" \
16813 - " .long 1b,2b\n" \
16815 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
16816 - : "3"(size), "0"(size), "1"(to), "2"(from) \
16820 -#define __copy_user_zeroing(to, from, size) \
16822 - int __d0, __d1, __d2; \
16823 - __asm__ __volatile__( \
16826 - " movl %1,%0\n" \
16828 - " andl $7,%0\n" \
16829 - " subl %0,%3\n" \
16830 - "4: rep; movsb\n" \
16831 - " movl %3,%0\n" \
16832 - " shrl $2,%0\n" \
16833 - " andl $3,%3\n" \
16834 - " .align 2,0x90\n" \
16835 - "0: rep; movsl\n" \
16836 - " movl %3,%0\n" \
16837 - "1: rep; movsb\n" \
16839 - ".section .fixup,\"ax\"\n" \
16840 - "5: addl %3,%0\n" \
16842 - "3: lea 0(%3,%0,4),%0\n" \
16843 - "6: pushl %0\n" \
16844 - " pushl %%eax\n" \
16845 - " xorl %%eax,%%eax\n" \
16846 - " rep; stosb\n" \
16847 - " popl %%eax\n" \
16851 - ".section __ex_table,\"a\"\n" \
16853 - " .long 4b,5b\n" \
16854 - " .long 0b,3b\n" \
16855 - " .long 1b,6b\n" \
16857 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
16858 - : "3"(size), "0"(size), "1"(to), "2"(from) \
16861 +static unsigned long
16862 +__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
16864 + int __d0, __d1, __d2;
16866 + __asm__ __volatile__(
16867 + " movw %w8,%%es\n"
16874 + "4: rep; movsb\n"
16878 + " .align 2,0x90\n"
16879 + "0: rep; movsl\n"
16881 + "1: rep; movsb\n"
16885 + ".section .fixup,\"ax\"\n"
16886 + "5: addl %3,%0\n"
16888 + "3: lea 0(%3,%0,4),%0\n"
16891 + ".section __ex_table,\"a\"\n"
16897 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
16898 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
16903 +static unsigned long
16904 +__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
16906 + int __d0, __d1, __d2;
16908 + __asm__ __volatile__(
16909 + " movw %w8,%%ds\n"
16916 + "4: rep; movsb\n"
16920 + " .align 2,0x90\n"
16921 + "0: rep; movsl\n"
16923 + "1: rep; movsb\n"
16927 + ".section .fixup,\"ax\"\n"
16928 + "5: addl %3,%0\n"
16930 + "3: lea 0(%3,%0,4),%0\n"
16933 + ".section __ex_table,\"a\"\n"
16939 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
16940 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
16945 +static unsigned long
16946 +__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
16948 + int __d0, __d1, __d2;
16950 + __asm__ __volatile__(
16951 + " movw %w8,%%ds\n"
16958 + "4: rep; movsb\n"
16962 + " .align 2,0x90\n"
16963 + "0: rep; movsl\n"
16965 + "1: rep; movsb\n"
16969 + ".section .fixup,\"ax\"\n"
16970 + "5: addl %3,%0\n"
16972 + "3: lea 0(%3,%0,4),%0\n"
16975 + " xorl %%eax,%%eax\n"
16981 + ".section __ex_table,\"a\"\n"
16987 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
16988 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
16993 unsigned long __copy_to_user_ll(void __user *to, const void *from,
16995 @@ -775,9 +966,9 @@ survive:
16998 if (movsl_is_ok(to, from, n))
16999 - __copy_user(to, from, n);
17000 + n = __generic_copy_to_user(to, from, n);
17002 - n = __copy_user_intel(to, from, n);
17003 + n = __generic_copy_to_user_intel(to, from, n);
17006 EXPORT_SYMBOL(__copy_to_user_ll);
17007 @@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
17010 if (movsl_is_ok(to, from, n))
17011 - __copy_user_zeroing(to, from, n);
17012 + n = __copy_user_zeroing(to, from, n);
17014 n = __copy_user_zeroing_intel(to, from, n);
17016 @@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
17019 if (movsl_is_ok(to, from, n))
17020 - __copy_user(to, from, n);
17021 + n = __generic_copy_from_user(to, from, n);
17023 - n = __copy_user_intel((void __user *)to,
17024 - (const void *)from, n);
17025 + n = __generic_copy_from_user_intel(to, from, n);
17028 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
17029 @@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
17030 if (n > 64 && cpu_has_xmm2)
17031 n = __copy_user_zeroing_intel_nocache(to, from, n);
17033 - __copy_user_zeroing(to, from, n);
17034 + n = __copy_user_zeroing(to, from, n);
17036 - __copy_user_zeroing(to, from, n);
17037 + n = __copy_user_zeroing(to, from, n);
17041 @@ -827,65 +1017,53 @@ unsigned long __copy_from_user_ll_nocach
17042 if (n > 64 && cpu_has_xmm2)
17043 n = __copy_user_intel_nocache(to, from, n);
17045 - __copy_user(to, from, n);
17046 + n = __generic_copy_from_user(to, from, n);
17048 - __copy_user(to, from, n);
17049 + n = __generic_copy_from_user(to, from, n);
17053 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
17056 - * copy_to_user: - Copy a block of data into user space.
17057 - * @to: Destination address, in user space.
17058 - * @from: Source address, in kernel space.
17059 - * @n: Number of bytes to copy.
17061 - * Context: User context only. This function may sleep.
17063 - * Copy data from kernel space to user space.
17065 - * Returns number of bytes that could not be copied.
17066 - * On success, this will be zero.
17069 -copy_to_user(void __user *to, const void *from, unsigned long n)
17070 +void copy_from_user_overflow(void)
17072 - if (access_ok(VERIFY_WRITE, to, n))
17073 - n = __copy_to_user(to, from, n);
17075 + WARN(1, "Buffer overflow detected!\n");
17077 -EXPORT_SYMBOL(copy_to_user);
17078 +EXPORT_SYMBOL(copy_from_user_overflow);
17081 - * copy_from_user: - Copy a block of data from user space.
17082 - * @to: Destination address, in kernel space.
17083 - * @from: Source address, in user space.
17084 - * @n: Number of bytes to copy.
17086 - * Context: User context only. This function may sleep.
17088 - * Copy data from user space to kernel space.
17090 - * Returns number of bytes that could not be copied.
17091 - * On success, this will be zero.
17093 - * If some data could not be copied, this function will pad the copied
17094 - * data to the requested size using zero bytes.
17097 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17098 +void copy_to_user_overflow(void)
17100 - if (access_ok(VERIFY_READ, from, n))
17101 - n = __copy_from_user(to, from, n);
17103 - memset(to, 0, n);
17105 + WARN(1, "Buffer overflow detected!\n");
17107 -EXPORT_SYMBOL(_copy_from_user);
17108 +EXPORT_SYMBOL(copy_to_user_overflow);
17110 -void copy_from_user_overflow(void)
17111 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17112 +void __set_fs(mm_segment_t x, int cpu)
17114 - WARN(1, "Buffer overflow detected!\n");
17115 + unsigned long limit = x.seg;
17116 + struct desc_struct d;
17118 + current_thread_info()->addr_limit = x;
17119 + if (unlikely(paravirt_enabled()))
17122 + if (likely(limit))
17123 + limit = (limit - 1UL) >> PAGE_SHIFT;
17124 + pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
17125 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
17127 -EXPORT_SYMBOL(copy_from_user_overflow);
17129 +void set_fs(mm_segment_t x)
17131 + __set_fs(x, get_cpu());
17134 +EXPORT_SYMBOL(copy_from_user);
17136 +void set_fs(mm_segment_t x)
17138 + current_thread_info()->addr_limit = x;
17142 +EXPORT_SYMBOL(set_fs);
17143 diff -urNp linux-2.6.35.4/arch/x86/lib/usercopy_64.c linux-2.6.35.4/arch/x86/lib/usercopy_64.c
17144 --- linux-2.6.35.4/arch/x86/lib/usercopy_64.c 2010-08-26 19:47:12.000000000 -0400
17145 +++ linux-2.6.35.4/arch/x86/lib/usercopy_64.c 2010-09-17 20:12:09.000000000 -0400
17146 @@ -42,6 +42,8 @@ long
17147 __strncpy_from_user(char *dst, const char __user *src, long count)
17150 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17151 + src += PAX_USER_SHADOW_BASE;
17152 __do_strncpy_from_user(dst, src, count, res);
17155 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17159 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17160 + addr += PAX_USER_SHADOW_BASE;
17161 /* no memory constraint because it doesn't change any memory gcc knows
17164 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17166 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17168 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17169 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17170 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17171 + to += PAX_USER_SHADOW_BASE;
17172 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17173 + from += PAX_USER_SHADOW_BASE;
17174 return copy_user_generic((__force void *)to, (__force void *)from, len);
17180 EXPORT_SYMBOL(copy_in_user);
17182 diff -urNp linux-2.6.35.4/arch/x86/Makefile linux-2.6.35.4/arch/x86/Makefile
17183 --- linux-2.6.35.4/arch/x86/Makefile 2010-08-26 19:47:12.000000000 -0400
17184 +++ linux-2.6.35.4/arch/x86/Makefile 2010-09-17 20:12:09.000000000 -0400
17185 @@ -191,3 +191,12 @@ define archhelp
17186 echo ' FDARGS="..." arguments for the booted kernel'
17187 echo ' FDINITRD=file initrd for the booted kernel'
17192 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17193 +*** Please upgrade your binutils to 2.18 or newer
17197 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
17198 diff -urNp linux-2.6.35.4/arch/x86/mm/extable.c linux-2.6.35.4/arch/x86/mm/extable.c
17199 --- linux-2.6.35.4/arch/x86/mm/extable.c 2010-08-26 19:47:12.000000000 -0400
17200 +++ linux-2.6.35.4/arch/x86/mm/extable.c 2010-09-17 20:12:09.000000000 -0400
17202 #include <linux/module.h>
17203 #include <linux/spinlock.h>
17204 +#include <linux/sort.h>
17205 #include <asm/uaccess.h>
17206 +#include <asm/pgtable.h>
17209 + * The exception table needs to be sorted so that the binary
17210 + * search that we use to find entries in it works properly.
17211 + * This is used both for the kernel exception table and for
17212 + * the exception tables of modules that get loaded.
17214 +static int cmp_ex(const void *a, const void *b)
17216 + const struct exception_table_entry *x = a, *y = b;
17218 + /* avoid overflow */
17219 + if (x->insn > y->insn)
17221 + if (x->insn < y->insn)
17226 +static void swap_ex(void *a, void *b, int size)
17228 + struct exception_table_entry t, *x = a, *y = b;
17232 + pax_open_kernel();
17235 + pax_close_kernel();
17238 +void sort_extable(struct exception_table_entry *start,
17239 + struct exception_table_entry *finish)
17241 + sort(start, finish - start, sizeof(struct exception_table_entry),
17242 + cmp_ex, swap_ex);
17245 +#ifdef CONFIG_MODULES
17247 + * If the exception table is sorted, any referring to the module init
17248 + * will be at the beginning or the end.
17250 +void trim_init_extable(struct module *m)
17252 + /*trim the beginning*/
17253 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17255 + m->num_exentries--;
17258 + while (m->num_exentries &&
17259 + within_module_init(m->extable[m->num_exentries-1].insn, m))
17260 + m->num_exentries--;
17262 +#endif /* CONFIG_MODULES */
17264 int fixup_exception(struct pt_regs *regs)
17266 const struct exception_table_entry *fixup;
17268 #ifdef CONFIG_PNPBIOS
17269 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17270 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17271 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17272 extern u32 pnp_bios_is_utter_crap;
17273 pnp_bios_is_utter_crap = 1;
17274 diff -urNp linux-2.6.35.4/arch/x86/mm/fault.c linux-2.6.35.4/arch/x86/mm/fault.c
17275 --- linux-2.6.35.4/arch/x86/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
17276 +++ linux-2.6.35.4/arch/x86/mm/fault.c 2010-09-17 20:12:37.000000000 -0400
17277 @@ -11,10 +11,19 @@
17278 #include <linux/kprobes.h> /* __kprobes, ... */
17279 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
17280 #include <linux/perf_event.h> /* perf_sw_event */
17281 +#include <linux/unistd.h>
17282 +#include <linux/compiler.h>
17284 #include <asm/traps.h> /* dotraplinkage, ... */
17285 #include <asm/pgalloc.h> /* pgd_*(), ... */
17286 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17287 +#include <asm/vsyscall.h>
17288 +#include <asm/tlbflush.h>
17290 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17291 +#include <asm/stacktrace.h>
17292 +#include "../kernel/dumpstack.h"
17296 * Page fault error code bits:
17297 @@ -52,7 +61,7 @@ static inline int __kprobes notify_page_
17300 /* kprobe_running() needs smp_processor_id() */
17301 - if (kprobes_built_in() && !user_mode_vm(regs)) {
17302 + if (kprobes_built_in() && !user_mode(regs)) {
17304 if (kprobe_running() && kprobe_fault_handler(regs, 14))
17306 @@ -173,6 +182,30 @@ force_sig_info_fault(int si_signo, int s
17307 force_sig_info(si_signo, &info, tsk);
17310 +#ifdef CONFIG_PAX_EMUTRAMP
17311 +static int pax_handle_fetch_fault(struct pt_regs *regs);
17314 +#ifdef CONFIG_PAX_PAGEEXEC
17315 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
17321 + pgd = pgd_offset(mm, address);
17322 + if (!pgd_present(*pgd))
17324 + pud = pud_offset(pgd, address);
17325 + if (!pud_present(*pud))
17327 + pmd = pmd_offset(pud, address);
17328 + if (!pmd_present(*pmd))
17334 DEFINE_SPINLOCK(pgd_lock);
17335 LIST_HEAD(pgd_list);
17337 @@ -225,11 +258,24 @@ void vmalloc_sync_all(void)
17338 address += PMD_SIZE) {
17340 unsigned long flags;
17342 +#ifdef CONFIG_PAX_PER_CPU_PGD
17343 + unsigned long cpu;
17348 spin_lock_irqsave(&pgd_lock, flags);
17350 +#ifdef CONFIG_PAX_PER_CPU_PGD
17351 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17352 + pgd_t *pgd = get_cpu_pgd(cpu);
17354 list_for_each_entry(page, &pgd_list, lru) {
17355 - if (!vmalloc_sync_one(page_address(page), address))
17356 + pgd_t *pgd = page_address(page);
17359 + if (!vmalloc_sync_one(pgd, address))
17362 spin_unlock_irqrestore(&pgd_lock, flags);
17363 @@ -259,6 +305,11 @@ static noinline __kprobes int vmalloc_fa
17364 * an interrupt in the middle of a task switch..
17366 pgd_paddr = read_cr3();
17368 +#ifdef CONFIG_PAX_PER_CPU_PGD
17369 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
17372 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
17375 @@ -333,15 +384,27 @@ void vmalloc_sync_all(void)
17377 const pgd_t *pgd_ref = pgd_offset_k(address);
17378 unsigned long flags;
17380 +#ifdef CONFIG_PAX_PER_CPU_PGD
17381 + unsigned long cpu;
17386 if (pgd_none(*pgd_ref))
17389 spin_lock_irqsave(&pgd_lock, flags);
17391 +#ifdef CONFIG_PAX_PER_CPU_PGD
17392 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17393 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
17395 list_for_each_entry(page, &pgd_list, lru) {
17397 pgd = (pgd_t *)page_address(page) + pgd_index(address);
17400 if (pgd_none(*pgd))
17401 set_pgd(pgd, *pgd_ref);
17403 @@ -374,7 +437,14 @@ static noinline __kprobes int vmalloc_fa
17404 * happen within a race in page table update. In the later
17408 +#ifdef CONFIG_PAX_PER_CPU_PGD
17409 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
17410 + pgd = pgd_offset_cpu(smp_processor_id(), address);
17412 pgd = pgd_offset(current->active_mm, address);
17415 pgd_ref = pgd_offset_k(address);
17416 if (pgd_none(*pgd_ref))
17418 @@ -536,7 +606,7 @@ static int is_errata93(struct pt_regs *r
17419 static int is_errata100(struct pt_regs *regs, unsigned long address)
17421 #ifdef CONFIG_X86_64
17422 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
17423 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
17427 @@ -563,7 +633,7 @@ static int is_f00f_bug(struct pt_regs *r
17430 static const char nx_warning[] = KERN_CRIT
17431 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
17432 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
17435 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
17436 @@ -572,15 +642,26 @@ show_fault_oops(struct pt_regs *regs, un
17437 if (!oops_may_print())
17440 - if (error_code & PF_INSTR) {
17441 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
17442 unsigned int level;
17444 pte_t *pte = lookup_address(address, &level);
17446 if (pte && pte_present(*pte) && !pte_exec(*pte))
17447 - printk(nx_warning, current_uid());
17448 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
17451 +#ifdef CONFIG_PAX_KERNEXEC
17452 + if (init_mm.start_code <= address && address < init_mm.end_code) {
17453 + if (current->signal->curr_ip)
17454 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17455 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
17457 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17458 + current->comm, task_pid_nr(current), current_uid(), current_euid());
17462 printk(KERN_ALERT "BUG: unable to handle kernel ");
17463 if (address < PAGE_SIZE)
17464 printk(KERN_CONT "NULL pointer dereference");
17465 @@ -705,6 +786,68 @@ __bad_area_nosemaphore(struct pt_regs *r
17466 unsigned long address, int si_code)
17468 struct task_struct *tsk = current;
17469 + struct mm_struct *mm = tsk->mm;
17471 +#ifdef CONFIG_X86_64
17472 + if (mm && (error_code & PF_INSTR)) {
17473 + if (regs->ip == (unsigned long)vgettimeofday) {
17474 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
17476 + } else if (regs->ip == (unsigned long)vtime) {
17477 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
17479 + } else if (regs->ip == (unsigned long)vgetcpu) {
17480 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
17486 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17487 + if (mm && (error_code & PF_USER)) {
17488 + unsigned long ip = regs->ip;
17490 + if (v8086_mode(regs))
17491 + ip = ((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff);
17494 + * It's possible to have interrupts off here:
17496 + local_irq_enable();
17498 +#ifdef CONFIG_PAX_PAGEEXEC
17499 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
17500 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && regs->ip == address))) {
17502 +#ifdef CONFIG_PAX_EMUTRAMP
17503 + switch (pax_handle_fetch_fault(regs)) {
17509 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17510 + do_group_exit(SIGKILL);
17514 +#ifdef CONFIG_PAX_SEGMEXEC
17515 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (regs->ip + SEGMEXEC_TASK_SIZE == address)) {
17517 +#ifdef CONFIG_PAX_EMUTRAMP
17518 + switch (pax_handle_fetch_fault(regs)) {
17524 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17525 + do_group_exit(SIGKILL);
17532 /* User mode accesses just cause a SIGSEGV */
17533 if (error_code & PF_USER) {
17534 @@ -851,6 +994,106 @@ static int spurious_fault_check(unsigned
17538 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17539 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
17544 + unsigned char pte_mask;
17546 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
17547 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
17550 + /* PaX: it's our fault, let's handle it if we can */
17552 + /* PaX: take a look at read faults before acquiring any locks */
17553 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
17554 + /* instruction fetch attempt from a protected page in user mode */
17555 + up_read(&mm->mmap_sem);
17557 +#ifdef CONFIG_PAX_EMUTRAMP
17558 + switch (pax_handle_fetch_fault(regs)) {
17564 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17565 + do_group_exit(SIGKILL);
17568 + pmd = pax_get_pmd(mm, address);
17569 + if (unlikely(!pmd))
17572 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
17573 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
17574 + pte_unmap_unlock(pte, ptl);
17578 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
17579 + /* write attempt to a protected page in user mode */
17580 + pte_unmap_unlock(pte, ptl);
17585 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
17587 + if (likely(address > get_limit(regs->cs)))
17590 + set_pte(pte, pte_mkread(*pte));
17591 + __flush_tlb_one(address);
17592 + pte_unmap_unlock(pte, ptl);
17593 + up_read(&mm->mmap_sem);
17597 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
17600 + * PaX: fill DTLB with user rights and retry
17602 + __asm__ __volatile__ (
17603 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17604 + "movw %w4,%%es\n"
17607 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
17609 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
17610 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
17611 + * page fault when examined during a TLB load attempt. this is true not only
17612 + * for PTEs holding a non-present entry but also present entries that will
17613 + * raise a page fault (such as those set up by PaX, or the copy-on-write
17614 + * mechanism). in effect it means that we do *not* need to flush the TLBs
17615 + * for our target pages since their PTEs are simply not in the TLBs at all.
17617 + * the best thing in omitting it is that we gain around 15-20% speed in the
17618 + * fast path of the page fault handler and can get rid of tracing since we
17619 + * can no longer flush unintended entries.
17623 + "testb $0,%%es:(%0)\n"
17625 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17630 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
17631 + : "memory", "cc");
17632 + pte_unmap_unlock(pte, ptl);
17633 + up_read(&mm->mmap_sem);
17639 * Handle a spurious fault caused by a stale TLB entry.
17641 @@ -917,6 +1160,9 @@ int show_unhandled_signals = 1;
17643 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
17645 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
17649 /* write, present and write, not present: */
17650 if (unlikely(!(vma->vm_flags & VM_WRITE)))
17651 @@ -950,17 +1196,31 @@ do_page_fault(struct pt_regs *regs, unsi
17653 struct vm_area_struct *vma;
17654 struct task_struct *tsk;
17655 - unsigned long address;
17656 struct mm_struct *mm;
17660 + /* Get the faulting address: */
17661 + unsigned long address = read_cr2();
17663 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17664 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
17665 + if (!search_exception_tables(regs->ip)) {
17666 + bad_area_nosemaphore(regs, error_code, address);
17669 + if (address < PAX_USER_SHADOW_BASE) {
17670 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
17671 + printk(KERN_ERR "PAX: faulting IP: %pS\n", (void *)regs->ip);
17672 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
17674 + address -= PAX_USER_SHADOW_BASE;
17681 - /* Get the faulting address: */
17682 - address = read_cr2();
17685 * Detect and handle instructions that would cause a page fault for
17686 * both a tracked kernel page and a userspace page.
17687 @@ -1020,7 +1280,7 @@ do_page_fault(struct pt_regs *regs, unsi
17688 * User-mode registers count as a user access even for any
17689 * potential system fault or CPU buglet:
17691 - if (user_mode_vm(regs)) {
17692 + if (user_mode(regs)) {
17693 local_irq_enable();
17694 error_code |= PF_USER;
17696 @@ -1074,6 +1334,11 @@ do_page_fault(struct pt_regs *regs, unsi
17700 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17701 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
17705 vma = find_vma(mm, address);
17706 if (unlikely(!vma)) {
17707 bad_area(regs, error_code, address);
17708 @@ -1085,18 +1350,24 @@ do_page_fault(struct pt_regs *regs, unsi
17709 bad_area(regs, error_code, address);
17712 - if (error_code & PF_USER) {
17714 - * Accessing the stack below %sp is always a bug.
17715 - * The large cushion allows instructions like enter
17716 - * and pusha to work. ("enter $65535, $31" pushes
17717 - * 32 pointers and then decrements %sp by 65535.)
17719 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
17720 - bad_area(regs, error_code, address);
17724 + * Accessing the stack below %sp is always a bug.
17725 + * The large cushion allows instructions like enter
17726 + * and pusha to work. ("enter $65535, $31" pushes
17727 + * 32 pointers and then decrements %sp by 65535.)
17729 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
17730 + bad_area(regs, error_code, address);
17734 +#ifdef CONFIG_PAX_SEGMEXEC
17735 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
17736 + bad_area(regs, error_code, address);
17741 if (unlikely(expand_stack(vma, address))) {
17742 bad_area(regs, error_code, address);
17744 @@ -1140,3 +1411,199 @@ good_area:
17746 up_read(&mm->mmap_sem);
17749 +#ifdef CONFIG_PAX_EMUTRAMP
17750 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
17754 + do { /* PaX: gcc trampoline emulation #1 */
17755 + unsigned char mov1, mov2;
17756 + unsigned short jmp;
17757 + unsigned int addr1, addr2;
17759 +#ifdef CONFIG_X86_64
17760 + if ((regs->ip + 11) >> 32)
17764 + err = get_user(mov1, (unsigned char __user *)regs->ip);
17765 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17766 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
17767 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17768 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
17773 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
17774 + regs->cx = addr1;
17775 + regs->ax = addr2;
17776 + regs->ip = addr2;
17781 + do { /* PaX: gcc trampoline emulation #2 */
17782 + unsigned char mov, jmp;
17783 + unsigned int addr1, addr2;
17785 +#ifdef CONFIG_X86_64
17786 + if ((regs->ip + 9) >> 32)
17790 + err = get_user(mov, (unsigned char __user *)regs->ip);
17791 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17792 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
17793 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17798 + if (mov == 0xB9 && jmp == 0xE9) {
17799 + regs->cx = addr1;
17800 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
17805 + return 1; /* PaX in action */
17808 +#ifdef CONFIG_X86_64
17809 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
17813 + do { /* PaX: gcc trampoline emulation #1 */
17814 + unsigned short mov1, mov2, jmp1;
17815 + unsigned char jmp2;
17816 + unsigned int addr1;
17817 + unsigned long addr2;
17819 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17820 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
17821 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
17822 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
17823 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
17824 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
17829 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17830 + regs->r11 = addr1;
17831 + regs->r10 = addr2;
17832 + regs->ip = addr1;
17837 + do { /* PaX: gcc trampoline emulation #2 */
17838 + unsigned short mov1, mov2, jmp1;
17839 + unsigned char jmp2;
17840 + unsigned long addr1, addr2;
17842 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17843 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
17844 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
17845 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
17846 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
17847 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
17852 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17853 + regs->r11 = addr1;
17854 + regs->r10 = addr2;
17855 + regs->ip = addr1;
17860 + return 1; /* PaX in action */
17865 + * PaX: decide what to do with offenders (regs->ip = fault address)
17867 + * returns 1 when task should be killed
17868 + * 2 when gcc trampoline was detected
17870 +static int pax_handle_fetch_fault(struct pt_regs *regs)
17872 + if (v8086_mode(regs))
17875 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
17878 +#ifdef CONFIG_X86_32
17879 + return pax_handle_fetch_fault_32(regs);
17881 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
17882 + return pax_handle_fetch_fault_32(regs);
17884 + return pax_handle_fetch_fault_64(regs);
17889 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17890 +void pax_report_insns(void *pc, void *sp)
17894 + printk(KERN_ERR "PAX: bytes at PC: ");
17895 + for (i = 0; i < 20; i++) {
17897 + if (get_user(c, (__force unsigned char __user *)pc+i))
17898 + printk(KERN_CONT "?? ");
17900 + printk(KERN_CONT "%02x ", c);
17904 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
17905 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
17907 + if (get_user(c, (__force unsigned long __user *)sp+i))
17908 +#ifdef CONFIG_X86_32
17909 + printk(KERN_CONT "???????? ");
17911 + printk(KERN_CONT "???????????????? ");
17914 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
17921 + * probe_kernel_write(): safely attempt to write to a location
17922 + * @dst: address to write to
17923 + * @src: pointer to the data that shall be written
17924 + * @size: size of the data chunk
17926 + * Safely write to address @dst from the buffer at @src. If a kernel fault
17927 + * happens, handle that and return -EFAULT.
17929 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
17932 + mm_segment_t old_fs = get_fs();
17934 + set_fs(KERNEL_DS);
17935 + pagefault_disable();
17936 + pax_open_kernel();
17937 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
17938 + pax_close_kernel();
17939 + pagefault_enable();
17942 + return ret ? -EFAULT : 0;
17944 diff -urNp linux-2.6.35.4/arch/x86/mm/gup.c linux-2.6.35.4/arch/x86/mm/gup.c
17945 --- linux-2.6.35.4/arch/x86/mm/gup.c 2010-08-26 19:47:12.000000000 -0400
17946 +++ linux-2.6.35.4/arch/x86/mm/gup.c 2010-09-17 20:12:09.000000000 -0400
17947 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
17949 len = (unsigned long) nr_pages << PAGE_SHIFT;
17951 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17952 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17953 (void __user *)start, len)))
17956 diff -urNp linux-2.6.35.4/arch/x86/mm/highmem_32.c linux-2.6.35.4/arch/x86/mm/highmem_32.c
17957 --- linux-2.6.35.4/arch/x86/mm/highmem_32.c 2010-08-26 19:47:12.000000000 -0400
17958 +++ linux-2.6.35.4/arch/x86/mm/highmem_32.c 2010-09-17 20:12:09.000000000 -0400
17959 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
17960 idx = type + KM_TYPE_NR*smp_processor_id();
17961 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
17962 BUG_ON(!pte_none(*(kmap_pte-idx)));
17964 + pax_open_kernel();
17965 set_pte(kmap_pte-idx, mk_pte(page, prot));
17966 + pax_close_kernel();
17968 return (void *)vaddr;
17970 diff -urNp linux-2.6.35.4/arch/x86/mm/hugetlbpage.c linux-2.6.35.4/arch/x86/mm/hugetlbpage.c
17971 --- linux-2.6.35.4/arch/x86/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
17972 +++ linux-2.6.35.4/arch/x86/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
17973 @@ -266,13 +266,18 @@ static unsigned long hugetlb_get_unmappe
17974 struct hstate *h = hstate_file(file);
17975 struct mm_struct *mm = current->mm;
17976 struct vm_area_struct *vma;
17977 - unsigned long start_addr;
17978 + unsigned long start_addr, pax_task_size = TASK_SIZE;
17980 +#ifdef CONFIG_PAX_SEGMEXEC
17981 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17982 + pax_task_size = SEGMEXEC_TASK_SIZE;
17985 if (len > mm->cached_hole_size) {
17986 - start_addr = mm->free_area_cache;
17987 + start_addr = mm->free_area_cache;
17989 - start_addr = TASK_UNMAPPED_BASE;
17990 - mm->cached_hole_size = 0;
17991 + start_addr = mm->mmap_base;
17992 + mm->cached_hole_size = 0;
17996 @@ -280,26 +285,27 @@ full_search:
17998 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
17999 /* At this point: (!vma || addr < vma->vm_end). */
18000 - if (TASK_SIZE - len < addr) {
18001 + if (pax_task_size - len < addr) {
18003 * Start a new search - just in case we missed
18006 - if (start_addr != TASK_UNMAPPED_BASE) {
18007 - start_addr = TASK_UNMAPPED_BASE;
18008 + if (start_addr != mm->mmap_base) {
18009 + start_addr = mm->mmap_base;
18010 mm->cached_hole_size = 0;
18015 - if (!vma || addr + len <= vma->vm_start) {
18016 - mm->free_area_cache = addr + len;
18019 + if (check_heap_stack_gap(vma, addr, len))
18021 if (addr + mm->cached_hole_size < vma->vm_start)
18022 mm->cached_hole_size = vma->vm_start - addr;
18023 addr = ALIGN(vma->vm_end, huge_page_size(h));
18026 + mm->free_area_cache = addr + len;
18030 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
18031 @@ -308,10 +314,9 @@ static unsigned long hugetlb_get_unmappe
18033 struct hstate *h = hstate_file(file);
18034 struct mm_struct *mm = current->mm;
18035 - struct vm_area_struct *vma, *prev_vma;
18036 - unsigned long base = mm->mmap_base, addr = addr0;
18037 + struct vm_area_struct *vma;
18038 + unsigned long base = mm->mmap_base, addr;
18039 unsigned long largest_hole = mm->cached_hole_size;
18040 - int first_time = 1;
18042 /* don't allow allocations above current base */
18043 if (mm->free_area_cache > base)
18044 @@ -321,7 +326,7 @@ static unsigned long hugetlb_get_unmappe
18046 mm->free_area_cache = base;
18050 /* make sure it can fit in the remaining address space */
18051 if (mm->free_area_cache < len)
18053 @@ -329,33 +334,27 @@ try_again:
18054 /* either no address requested or cant fit in requested address hole */
18055 addr = (mm->free_area_cache - len) & huge_page_mask(h);
18057 + vma = find_vma(mm, addr);
18059 * Lookup failure means no vma is above this address,
18060 * i.e. return with success:
18062 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
18066 * new region fits between prev_vma->vm_end and
18067 * vma->vm_start, use it:
18069 - if (addr + len <= vma->vm_start &&
18070 - (!prev_vma || (addr >= prev_vma->vm_end))) {
18071 + if (check_heap_stack_gap(vma, addr, len)) {
18072 /* remember the address as a hint for next time */
18073 - mm->cached_hole_size = largest_hole;
18074 - return (mm->free_area_cache = addr);
18076 - /* pull free_area_cache down to the first hole */
18077 - if (mm->free_area_cache == vma->vm_end) {
18078 - mm->free_area_cache = vma->vm_start;
18079 - mm->cached_hole_size = largest_hole;
18081 + mm->cached_hole_size = largest_hole;
18082 + return (mm->free_area_cache = addr);
18084 + /* pull free_area_cache down to the first hole */
18085 + if (mm->free_area_cache == vma->vm_end) {
18086 + mm->free_area_cache = vma->vm_start;
18087 + mm->cached_hole_size = largest_hole;
18090 /* remember the largest hole we saw so far */
18091 if (addr + largest_hole < vma->vm_start)
18092 - largest_hole = vma->vm_start - addr;
18093 + largest_hole = vma->vm_start - addr;
18095 /* try just below the current vma->vm_start */
18096 addr = (vma->vm_start - len) & huge_page_mask(h);
18097 @@ -363,22 +362,26 @@ try_again:
18101 - * if hint left us with no space for the requested
18102 - * mapping then try again:
18104 - if (first_time) {
18105 - mm->free_area_cache = base;
18106 - largest_hole = 0;
18111 * A failed mmap() very likely causes application failure,
18112 * so fall back to the bottom-up function here. This scenario
18113 * can happen with large stack limits and large mmap()
18116 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18118 +#ifdef CONFIG_PAX_SEGMEXEC
18119 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18120 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18124 + mm->mmap_base = TASK_UNMAPPED_BASE;
18126 +#ifdef CONFIG_PAX_RANDMMAP
18127 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18128 + mm->mmap_base += mm->delta_mmap;
18131 + mm->free_area_cache = mm->mmap_base;
18132 mm->cached_hole_size = ~0UL;
18133 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18134 len, pgoff, flags);
18135 @@ -386,6 +389,7 @@ fail:
18137 * Restore the topdown base:
18139 + mm->mmap_base = base;
18140 mm->free_area_cache = base;
18141 mm->cached_hole_size = ~0UL;
18143 @@ -399,10 +403,17 @@ hugetlb_get_unmapped_area(struct file *f
18144 struct hstate *h = hstate_file(file);
18145 struct mm_struct *mm = current->mm;
18146 struct vm_area_struct *vma;
18147 + unsigned long pax_task_size = TASK_SIZE;
18149 if (len & ~huge_page_mask(h))
18151 - if (len > TASK_SIZE)
18153 +#ifdef CONFIG_PAX_SEGMEXEC
18154 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18155 + pax_task_size = SEGMEXEC_TASK_SIZE;
18158 + if (len > pax_task_size)
18161 if (flags & MAP_FIXED) {
18162 @@ -414,8 +425,7 @@ hugetlb_get_unmapped_area(struct file *f
18164 addr = ALIGN(addr, huge_page_size(h));
18165 vma = find_vma(mm, addr);
18166 - if (TASK_SIZE - len >= addr &&
18167 - (!vma || addr + len <= vma->vm_start))
18168 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18171 if (mm->get_unmapped_area == arch_get_unmapped_area)
18172 diff -urNp linux-2.6.35.4/arch/x86/mm/init_32.c linux-2.6.35.4/arch/x86/mm/init_32.c
18173 --- linux-2.6.35.4/arch/x86/mm/init_32.c 2010-08-26 19:47:12.000000000 -0400
18174 +++ linux-2.6.35.4/arch/x86/mm/init_32.c 2010-09-17 20:12:09.000000000 -0400
18175 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
18179 - * Creates a middle page table and puts a pointer to it in the
18180 - * given global directory entry. This only returns the gd entry
18181 - * in non-PAE compilation mode, since the middle layer is folded.
18183 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18186 - pmd_t *pmd_table;
18188 -#ifdef CONFIG_X86_PAE
18189 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18190 - if (after_bootmem)
18191 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18193 - pmd_table = (pmd_t *)alloc_low_page();
18194 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18195 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18196 - pud = pud_offset(pgd, 0);
18197 - BUG_ON(pmd_table != pmd_offset(pud, 0));
18199 - return pmd_table;
18202 - pud = pud_offset(pgd, 0);
18203 - pmd_table = pmd_offset(pud, 0);
18205 - return pmd_table;
18209 * Create a page table and place a pointer to it in a middle page
18212 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
18213 page_table = (pte_t *)alloc_low_page();
18215 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18216 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18217 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18219 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18221 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18224 return pte_offset_kernel(pmd, 0);
18227 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18230 + pmd_t *pmd_table;
18232 + pud = pud_offset(pgd, 0);
18233 + pmd_table = pmd_offset(pud, 0);
18235 + return pmd_table;
18238 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18240 int pgd_idx = pgd_index(vaddr);
18241 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
18242 int pgd_idx, pmd_idx;
18243 unsigned long vaddr;
18249 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
18250 pgd = pgd_base + pgd_idx;
18252 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18253 - pmd = one_md_table_init(pgd);
18254 - pmd = pmd + pmd_index(vaddr);
18255 + pud = pud_offset(pgd, vaddr);
18256 + pmd = pmd_offset(pud, vaddr);
18258 +#ifdef CONFIG_X86_PAE
18259 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18262 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18263 pmd++, pmd_idx++) {
18264 pte = page_table_kmap_check(one_page_table_init(pmd),
18265 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
18269 -static inline int is_kernel_text(unsigned long addr)
18270 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18272 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
18275 + if ((start > ktla_ktva((unsigned long)_etext) ||
18276 + end <= ktla_ktva((unsigned long)_stext)) &&
18277 + (start > ktla_ktva((unsigned long)_einittext) ||
18278 + end <= ktla_ktva((unsigned long)_sinittext)) &&
18280 +#ifdef CONFIG_ACPI_SLEEP
18281 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18284 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
18290 @@ -244,9 +244,10 @@ kernel_physical_mapping_init(unsigned lo
18291 unsigned long last_map_addr = end;
18292 unsigned long start_pfn, end_pfn;
18293 pgd_t *pgd_base = swapper_pg_dir;
18294 - int pgd_idx, pmd_idx, pte_ofs;
18295 + unsigned int pgd_idx, pmd_idx, pte_ofs;
18301 unsigned pages_2m, pages_4k;
18302 @@ -279,8 +280,13 @@ repeat:
18304 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18305 pgd = pgd_base + pgd_idx;
18306 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
18307 - pmd = one_md_table_init(pgd);
18308 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
18309 + pud = pud_offset(pgd, 0);
18310 + pmd = pmd_offset(pud, 0);
18312 +#ifdef CONFIG_X86_PAE
18313 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18316 if (pfn >= end_pfn)
18318 @@ -292,14 +298,13 @@ repeat:
18320 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
18321 pmd++, pmd_idx++) {
18322 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
18323 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
18326 * Map with big pages if possible, otherwise
18327 * create normal page tables:
18330 - unsigned int addr2;
18331 pgprot_t prot = PAGE_KERNEL_LARGE;
18333 * first pass will use the same initial
18334 @@ -309,11 +314,7 @@ repeat:
18335 __pgprot(PTE_IDENT_ATTR |
18338 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
18339 - PAGE_OFFSET + PAGE_SIZE-1;
18341 - if (is_kernel_text(addr) ||
18342 - is_kernel_text(addr2))
18343 + if (is_kernel_text(address, address + PMD_SIZE))
18344 prot = PAGE_KERNEL_LARGE_EXEC;
18347 @@ -330,7 +331,7 @@ repeat:
18348 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18350 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
18351 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
18352 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
18353 pgprot_t prot = PAGE_KERNEL;
18355 * first pass will use the same initial
18356 @@ -338,7 +339,7 @@ repeat:
18358 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
18360 - if (is_kernel_text(addr))
18361 + if (is_kernel_text(address, address + PAGE_SIZE))
18362 prot = PAGE_KERNEL_EXEC;
18365 @@ -491,7 +492,7 @@ void __init native_pagetable_setup_start
18367 pud = pud_offset(pgd, va);
18368 pmd = pmd_offset(pud, va);
18369 - if (!pmd_present(*pmd))
18370 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
18373 pte = pte_offset_kernel(pmd, va);
18374 @@ -543,9 +544,7 @@ void __init early_ioremap_page_table_ran
18376 static void __init pagetable_init(void)
18378 - pgd_t *pgd_base = swapper_pg_dir;
18380 - permanent_kmaps_init(pgd_base);
18381 + permanent_kmaps_init(swapper_pg_dir);
18384 #ifdef CONFIG_ACPI_SLEEP
18385 @@ -553,12 +552,12 @@ static void __init pagetable_init(void)
18386 * ACPI suspend needs this for resume, because things like the intel-agp
18387 * driver might have split up a kernel 4MB mapping.
18389 -char swsusp_pg_dir[PAGE_SIZE]
18390 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
18391 __attribute__ ((aligned(PAGE_SIZE)));
18393 static inline void save_pg_dir(void)
18395 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
18396 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
18398 #else /* !CONFIG_ACPI_SLEEP */
18399 static inline void save_pg_dir(void)
18400 @@ -590,7 +589,7 @@ void zap_low_mappings(bool early)
18404 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18405 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18406 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18408 /* user-defined highmem size */
18409 @@ -781,7 +780,7 @@ void __init setup_bootmem_allocator(void
18410 * Initialize the boot-time allocator (with low memory only):
18412 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
18413 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18414 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18416 if (bootmap == -1L)
18417 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
18418 @@ -871,6 +870,12 @@ void __init mem_init(void)
18422 +#ifdef CONFIG_PAX_PER_CPU_PGD
18423 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18424 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18425 + KERNEL_PGD_PTRS);
18428 #ifdef CONFIG_FLATMEM
18431 @@ -888,7 +893,7 @@ void __init mem_init(void)
18432 set_highmem_pages_init();
18434 codesize = (unsigned long) &_etext - (unsigned long) &_text;
18435 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
18436 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
18437 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
18439 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
18440 @@ -929,10 +934,10 @@ void __init mem_init(void)
18441 ((unsigned long)&__init_end -
18442 (unsigned long)&__init_begin) >> 10,
18444 - (unsigned long)&_etext, (unsigned long)&_edata,
18445 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
18446 + (unsigned long)&_sdata, (unsigned long)&_edata,
18447 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
18449 - (unsigned long)&_text, (unsigned long)&_etext,
18450 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
18451 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
18454 @@ -1013,6 +1018,7 @@ void set_kernel_text_rw(void)
18455 if (!kernel_set_to_readonly)
18458 + start = ktla_ktva(start);
18459 pr_debug("Set kernel text: %lx - %lx for read write\n",
18460 start, start+size);
18462 @@ -1027,6 +1033,7 @@ void set_kernel_text_ro(void)
18463 if (!kernel_set_to_readonly)
18466 + start = ktla_ktva(start);
18467 pr_debug("Set kernel text: %lx - %lx for read only\n",
18468 start, start+size);
18470 @@ -1038,6 +1045,7 @@ void mark_rodata_ro(void)
18471 unsigned long start = PFN_ALIGN(_text);
18472 unsigned long size = PFN_ALIGN(_etext) - start;
18474 + start = ktla_ktva(start);
18475 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
18476 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
18478 diff -urNp linux-2.6.35.4/arch/x86/mm/init_64.c linux-2.6.35.4/arch/x86/mm/init_64.c
18479 --- linux-2.6.35.4/arch/x86/mm/init_64.c 2010-08-26 19:47:12.000000000 -0400
18480 +++ linux-2.6.35.4/arch/x86/mm/init_64.c 2010-09-17 20:12:09.000000000 -0400
18482 #include <asm/numa.h>
18483 #include <asm/cacheflush.h>
18484 #include <asm/init.h>
18485 -#include <linux/bootmem.h>
18487 static unsigned long dma_reserve __initdata;
18489 @@ -74,7 +73,7 @@ early_param("gbpages", parse_direct_gbpa
18490 * around without checking the pgd every time.
18493 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
18494 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
18495 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18497 int force_personality32;
18498 @@ -165,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
18499 pmd = fill_pmd(pud, vaddr);
18500 pte = fill_pte(pmd, vaddr);
18502 + pax_open_kernel();
18503 set_pte(pte, new_pte);
18504 + pax_close_kernel();
18507 * It's enough to flush this one mapping.
18508 @@ -224,14 +225,12 @@ static void __init __init_extra_mapping(
18509 pgd = pgd_offset_k((unsigned long)__va(phys));
18510 if (pgd_none(*pgd)) {
18511 pud = (pud_t *) spp_getpage();
18512 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
18514 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
18516 pud = pud_offset(pgd, (unsigned long)__va(phys));
18517 if (pud_none(*pud)) {
18518 pmd = (pmd_t *) spp_getpage();
18519 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
18521 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
18523 pmd = pmd_offset(pud, phys);
18524 BUG_ON(!pmd_none(*pmd));
18525 @@ -680,6 +679,12 @@ void __init mem_init(void)
18529 +#ifdef CONFIG_PAX_PER_CPU_PGD
18530 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18531 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18532 + KERNEL_PGD_PTRS);
18535 /* clear_bss() already clear the empty_zero_page */
18538 @@ -886,8 +891,8 @@ int kern_addr_valid(unsigned long addr)
18539 static struct vm_area_struct gate_vma = {
18540 .vm_start = VSYSCALL_START,
18541 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
18542 - .vm_page_prot = PAGE_READONLY_EXEC,
18543 - .vm_flags = VM_READ | VM_EXEC
18544 + .vm_page_prot = PAGE_READONLY,
18545 + .vm_flags = VM_READ
18548 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
18549 @@ -921,7 +926,7 @@ int in_gate_area_no_task(unsigned long a
18551 const char *arch_vma_name(struct vm_area_struct *vma)
18553 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18554 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18556 if (vma == &gate_vma)
18557 return "[vsyscall]";
18558 diff -urNp linux-2.6.35.4/arch/x86/mm/init.c linux-2.6.35.4/arch/x86/mm/init.c
18559 --- linux-2.6.35.4/arch/x86/mm/init.c 2010-08-26 19:47:12.000000000 -0400
18560 +++ linux-2.6.35.4/arch/x86/mm/init.c 2010-09-17 20:12:09.000000000 -0400
18561 @@ -70,11 +70,7 @@ static void __init find_early_table_spac
18562 * cause a hotspot and fill up ZONE_DMA. The page tables
18563 * need roughly 0.5KB per GB.
18565 -#ifdef CONFIG_X86_32
18570 + start = 0x100000;
18571 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
18572 tables, PAGE_SIZE);
18573 if (e820_table_start == -1UL)
18574 @@ -321,7 +317,13 @@ unsigned long __init_refok init_memory_m
18576 int devmem_is_allowed(unsigned long pagenr)
18578 - if (pagenr <= 256)
18581 +#ifdef CONFIG_VM86
18582 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
18585 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
18587 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
18589 @@ -380,6 +382,88 @@ void free_init_pages(char *what, unsigne
18591 void free_initmem(void)
18594 +#ifdef CONFIG_PAX_KERNEXEC
18595 +#ifdef CONFIG_X86_32
18596 + /* PaX: limit KERNEL_CS to actual size */
18597 + unsigned long addr, limit;
18598 + struct desc_struct d;
18601 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
18602 + limit = (limit - 1UL) >> PAGE_SHIFT;
18604 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
18605 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
18606 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
18607 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
18610 + /* PaX: make KERNEL_CS read-only */
18611 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
18612 + if (!paravirt_enabled())
18613 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
18615 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
18616 + pgd = pgd_offset_k(addr);
18617 + pud = pud_offset(pgd, addr);
18618 + pmd = pmd_offset(pud, addr);
18619 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18622 +#ifdef CONFIG_X86_PAE
18623 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
18625 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
18626 + pgd = pgd_offset_k(addr);
18627 + pud = pud_offset(pgd, addr);
18628 + pmd = pmd_offset(pud, addr);
18629 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18634 +#ifdef CONFIG_MODULES
18635 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
18642 + unsigned long addr, end;
18644 + /* PaX: make kernel code/rodata read-only, rest non-executable */
18645 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
18646 + pgd = pgd_offset_k(addr);
18647 + pud = pud_offset(pgd, addr);
18648 + pmd = pmd_offset(pud, addr);
18649 + if (!pmd_present(*pmd))
18651 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
18652 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18654 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18657 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
18658 + end = addr + KERNEL_IMAGE_SIZE;
18659 + for (; addr < end; addr += PMD_SIZE) {
18660 + pgd = pgd_offset_k(addr);
18661 + pud = pud_offset(pgd, addr);
18662 + pmd = pmd_offset(pud, addr);
18663 + if (!pmd_present(*pmd))
18665 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
18666 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18668 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18675 free_init_pages("unused kernel memory",
18676 (unsigned long)(&__init_begin),
18677 (unsigned long)(&__init_end));
18678 diff -urNp linux-2.6.35.4/arch/x86/mm/iomap_32.c linux-2.6.35.4/arch/x86/mm/iomap_32.c
18679 --- linux-2.6.35.4/arch/x86/mm/iomap_32.c 2010-08-26 19:47:12.000000000 -0400
18680 +++ linux-2.6.35.4/arch/x86/mm/iomap_32.c 2010-09-17 20:12:09.000000000 -0400
18681 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
18682 debug_kmap_atomic(type);
18683 idx = type + KM_TYPE_NR * smp_processor_id();
18684 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18686 + pax_open_kernel();
18687 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
18688 + pax_close_kernel();
18690 arch_flush_lazy_mmu_mode();
18692 return (void *)vaddr;
18693 diff -urNp linux-2.6.35.4/arch/x86/mm/ioremap.c linux-2.6.35.4/arch/x86/mm/ioremap.c
18694 --- linux-2.6.35.4/arch/x86/mm/ioremap.c 2010-08-26 19:47:12.000000000 -0400
18695 +++ linux-2.6.35.4/arch/x86/mm/ioremap.c 2010-09-17 20:12:09.000000000 -0400
18696 @@ -100,13 +100,10 @@ static void __iomem *__ioremap_caller(re
18698 * Don't allow anybody to remap normal RAM that we're using..
18700 - for (pfn = phys_addr >> PAGE_SHIFT;
18701 - (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
18704 + for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
18705 int is_ram = page_is_ram(pfn);
18707 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
18708 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
18710 WARN_ON_ONCE(is_ram);
18712 @@ -346,7 +343,7 @@ static int __init early_ioremap_debug_se
18713 early_param("early_ioremap_debug", early_ioremap_debug_setup);
18715 static __initdata int after_paging_init;
18716 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
18717 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
18719 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
18721 @@ -378,8 +375,7 @@ void __init early_ioremap_init(void)
18722 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
18724 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
18725 - memset(bm_pte, 0, sizeof(bm_pte));
18726 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
18727 + pmd_populate_user(&init_mm, pmd, bm_pte);
18730 * The boot-ioremap range spans multiple pmds, for which
18731 diff -urNp linux-2.6.35.4/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.35.4/arch/x86/mm/kmemcheck/kmemcheck.c
18732 --- linux-2.6.35.4/arch/x86/mm/kmemcheck/kmemcheck.c 2010-08-26 19:47:12.000000000 -0400
18733 +++ linux-2.6.35.4/arch/x86/mm/kmemcheck/kmemcheck.c 2010-09-17 20:12:09.000000000 -0400
18734 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
18735 * memory (e.g. tracked pages)? For now, we need this to avoid
18736 * invoking kmemcheck for PnP BIOS calls.
18738 - if (regs->flags & X86_VM_MASK)
18739 + if (v8086_mode(regs))
18741 - if (regs->cs != __KERNEL_CS)
18742 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
18745 pte = kmemcheck_pte_lookup(address);
18746 diff -urNp linux-2.6.35.4/arch/x86/mm/mmap.c linux-2.6.35.4/arch/x86/mm/mmap.c
18747 --- linux-2.6.35.4/arch/x86/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
18748 +++ linux-2.6.35.4/arch/x86/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
18749 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
18750 * Leave an at least ~128 MB hole with possible stack randomization.
18752 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
18753 -#define MAX_GAP (TASK_SIZE/6*5)
18754 +#define MAX_GAP (pax_task_size/6*5)
18757 * True on X86_32 or when emulating IA32 on X86_64
18758 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
18759 return rnd << PAGE_SHIFT;
18762 -static unsigned long mmap_base(void)
18763 +static unsigned long mmap_base(struct mm_struct *mm)
18765 unsigned long gap = rlimit(RLIMIT_STACK);
18766 + unsigned long pax_task_size = TASK_SIZE;
18768 +#ifdef CONFIG_PAX_SEGMEXEC
18769 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18770 + pax_task_size = SEGMEXEC_TASK_SIZE;
18775 else if (gap > MAX_GAP)
18778 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
18779 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
18783 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
18784 * does, but not when emulating X86_32
18786 -static unsigned long mmap_legacy_base(void)
18787 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
18789 - if (mmap_is_ia32())
18790 + if (mmap_is_ia32()) {
18792 +#ifdef CONFIG_PAX_SEGMEXEC
18793 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18794 + return SEGMEXEC_TASK_UNMAPPED_BASE;
18798 return TASK_UNMAPPED_BASE;
18801 return TASK_UNMAPPED_BASE + mmap_rnd();
18804 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
18805 void arch_pick_mmap_layout(struct mm_struct *mm)
18807 if (mmap_is_legacy()) {
18808 - mm->mmap_base = mmap_legacy_base();
18809 + mm->mmap_base = mmap_legacy_base(mm);
18811 +#ifdef CONFIG_PAX_RANDMMAP
18812 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18813 + mm->mmap_base += mm->delta_mmap;
18816 mm->get_unmapped_area = arch_get_unmapped_area;
18817 mm->unmap_area = arch_unmap_area;
18819 - mm->mmap_base = mmap_base();
18820 + mm->mmap_base = mmap_base(mm);
18822 +#ifdef CONFIG_PAX_RANDMMAP
18823 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18824 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
18827 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
18828 mm->unmap_area = arch_unmap_area_topdown;
18830 diff -urNp linux-2.6.35.4/arch/x86/mm/numa_32.c linux-2.6.35.4/arch/x86/mm/numa_32.c
18831 --- linux-2.6.35.4/arch/x86/mm/numa_32.c 2010-08-26 19:47:12.000000000 -0400
18832 +++ linux-2.6.35.4/arch/x86/mm/numa_32.c 2010-09-17 20:12:09.000000000 -0400
18833 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
18837 -extern unsigned long find_max_low_pfn(void);
18838 extern unsigned long highend_pfn, highstart_pfn;
18840 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
18841 diff -urNp linux-2.6.35.4/arch/x86/mm/pageattr.c linux-2.6.35.4/arch/x86/mm/pageattr.c
18842 --- linux-2.6.35.4/arch/x86/mm/pageattr.c 2010-08-26 19:47:12.000000000 -0400
18843 +++ linux-2.6.35.4/arch/x86/mm/pageattr.c 2010-09-17 20:12:09.000000000 -0400
18844 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
18845 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
18847 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
18848 - pgprot_val(forbidden) |= _PAGE_NX;
18849 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18852 * The kernel text needs to be executable for obvious reasons
18853 * Does not cover __inittext since that is gone later on. On
18854 * 64bit we do not enforce !NX on the low mapping
18856 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
18857 - pgprot_val(forbidden) |= _PAGE_NX;
18858 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
18859 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18861 +#ifdef CONFIG_DEBUG_RODATA
18863 * The .rodata section needs to be read-only. Using the pfn
18864 * catches all aliases.
18865 @@ -278,6 +279,7 @@ static inline pgprot_t static_protection
18866 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
18867 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
18868 pgprot_val(forbidden) |= _PAGE_RW;
18871 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
18873 @@ -316,6 +318,13 @@ static inline pgprot_t static_protection
18877 +#ifdef CONFIG_PAX_KERNEXEC
18878 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
18879 + pgprot_val(forbidden) |= _PAGE_RW;
18880 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18884 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
18887 @@ -368,23 +377,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
18888 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
18890 /* change init_mm */
18891 + pax_open_kernel();
18892 set_pte_atomic(kpte, pte);
18894 #ifdef CONFIG_X86_32
18895 if (!SHARED_KERNEL_PMD) {
18897 +#ifdef CONFIG_PAX_PER_CPU_PGD
18898 + unsigned long cpu;
18903 +#ifdef CONFIG_PAX_PER_CPU_PGD
18904 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18905 + pgd_t *pgd = get_cpu_pgd(cpu);
18907 list_for_each_entry(page, &pgd_list, lru) {
18909 + pgd_t *pgd = (pgd_t *)page_address(page);
18915 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
18916 + pgd += pgd_index(address);
18917 pud = pud_offset(pgd, address);
18918 pmd = pmd_offset(pud, address);
18919 set_pte_atomic((pte_t *)pmd, pte);
18923 + pax_close_kernel();
18927 diff -urNp linux-2.6.35.4/arch/x86/mm/pageattr-test.c linux-2.6.35.4/arch/x86/mm/pageattr-test.c
18928 --- linux-2.6.35.4/arch/x86/mm/pageattr-test.c 2010-08-26 19:47:12.000000000 -0400
18929 +++ linux-2.6.35.4/arch/x86/mm/pageattr-test.c 2010-09-17 20:12:09.000000000 -0400
18930 @@ -36,7 +36,7 @@ enum {
18932 static int pte_testbit(pte_t pte)
18934 - return pte_flags(pte) & _PAGE_UNUSED1;
18935 + return pte_flags(pte) & _PAGE_CPA_TEST;
18938 struct split_state {
18939 diff -urNp linux-2.6.35.4/arch/x86/mm/pat.c linux-2.6.35.4/arch/x86/mm/pat.c
18940 --- linux-2.6.35.4/arch/x86/mm/pat.c 2010-08-26 19:47:12.000000000 -0400
18941 +++ linux-2.6.35.4/arch/x86/mm/pat.c 2010-09-17 20:12:09.000000000 -0400
18942 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
18945 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
18946 - current->comm, current->pid, start, end);
18947 + current->comm, task_pid_nr(current), start, end);
18951 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
18952 while (cursor < to) {
18953 if (!devmem_is_allowed(pfn)) {
18955 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
18956 - current->comm, from, to);
18957 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
18958 + current->comm, from, to, cursor);
18961 cursor += PAGE_SIZE;
18962 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
18964 "%s:%d ioremap_change_attr failed %s "
18966 - current->comm, current->pid,
18967 + current->comm, task_pid_nr(current),
18969 base, (unsigned long long)(base + size));
18971 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
18972 if (want_flags != flags) {
18973 printk(KERN_WARNING
18974 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
18975 - current->comm, current->pid,
18976 + current->comm, task_pid_nr(current),
18977 cattr_name(want_flags),
18978 (unsigned long long)paddr,
18979 (unsigned long long)(paddr + size),
18980 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
18981 free_memtype(paddr, paddr + size);
18982 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
18983 " for %Lx-%Lx, got %s\n",
18984 - current->comm, current->pid,
18985 + current->comm, task_pid_nr(current),
18986 cattr_name(want_flags),
18987 (unsigned long long)paddr,
18988 (unsigned long long)(paddr + size),
18989 diff -urNp linux-2.6.35.4/arch/x86/mm/pgtable_32.c linux-2.6.35.4/arch/x86/mm/pgtable_32.c
18990 --- linux-2.6.35.4/arch/x86/mm/pgtable_32.c 2010-08-26 19:47:12.000000000 -0400
18991 +++ linux-2.6.35.4/arch/x86/mm/pgtable_32.c 2010-09-17 20:12:09.000000000 -0400
18992 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
18995 pte = pte_offset_kernel(pmd, vaddr);
18997 + pax_open_kernel();
18998 if (pte_val(pteval))
18999 set_pte_at(&init_mm, vaddr, pte, pteval);
19001 pte_clear(&init_mm, vaddr, pte);
19002 + pax_close_kernel();
19005 * It's enough to flush this one mapping.
19006 diff -urNp linux-2.6.35.4/arch/x86/mm/pgtable.c linux-2.6.35.4/arch/x86/mm/pgtable.c
19007 --- linux-2.6.35.4/arch/x86/mm/pgtable.c 2010-08-26 19:47:12.000000000 -0400
19008 +++ linux-2.6.35.4/arch/x86/mm/pgtable.c 2010-09-17 20:12:09.000000000 -0400
19009 @@ -84,8 +84,59 @@ static inline void pgd_list_del(pgd_t *p
19010 list_del(&page->lru);
19013 -#define UNSHARED_PTRS_PER_PGD \
19014 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19015 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19016 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
19018 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19021 + *dst++ = __pgd((pgd_val(*src++) | _PAGE_NX) & ~_PAGE_USER);
19026 +#ifdef CONFIG_PAX_PER_CPU_PGD
19027 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19031 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19032 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
19040 +#ifdef CONFIG_PAX_PER_CPU_PGD
19041 +static inline void pgd_ctor(pgd_t *pgd) {}
19042 +static inline void pgd_dtor(pgd_t *pgd) {}
19043 +#ifdef CONFIG_X86_64
19044 +#define pxd_t pud_t
19045 +#define pyd_t pgd_t
19046 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
19047 +#define pxd_free(mm, pud) pud_free((mm), (pud))
19048 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
19049 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
19050 +#define PYD_SIZE PGDIR_SIZE
19052 +#define pxd_t pmd_t
19053 +#define pyd_t pud_t
19054 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19055 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
19056 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
19057 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19058 +#define PYD_SIZE PUD_SIZE
19061 +#define pxd_t pmd_t
19062 +#define pyd_t pud_t
19063 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19064 +#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
19065 +#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
19066 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19067 +#define PYD_SIZE PUD_SIZE
19069 static void pgd_ctor(pgd_t *pgd)
19071 @@ -120,6 +171,7 @@ static void pgd_dtor(pgd_t *pgd)
19073 spin_unlock_irqrestore(&pgd_lock, flags);
19078 * List of all pgd's needed for non-PAE so it can invalidate entries
19079 @@ -132,7 +184,7 @@ static void pgd_dtor(pgd_t *pgd)
19083 -#ifdef CONFIG_X86_PAE
19084 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19086 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19087 * updating the top-level pagetable entries to guarantee the
19088 @@ -144,7 +196,7 @@ static void pgd_dtor(pgd_t *pgd)
19089 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19090 * and initialize the kernel pmds here.
19092 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
19093 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19095 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19097 @@ -163,36 +215,38 @@ void pud_populate(struct mm_struct *mm,
19098 if (mm == current->active_mm)
19099 write_cr3(read_cr3());
19101 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19102 +#define PREALLOCATED_PXDS USER_PGD_PTRS
19103 #else /* !CONFIG_X86_PAE */
19105 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19106 -#define PREALLOCATED_PMDS 0
19107 +#define PREALLOCATED_PXDS 0
19109 #endif /* CONFIG_X86_PAE */
19111 -static void free_pmds(pmd_t *pmds[])
19112 +static void free_pxds(pxd_t *pxds[])
19116 - for(i = 0; i < PREALLOCATED_PMDS; i++)
19118 - free_page((unsigned long)pmds[i]);
19119 + for(i = 0; i < PREALLOCATED_PXDS; i++)
19121 + free_page((unsigned long)pxds[i]);
19124 -static int preallocate_pmds(pmd_t *pmds[])
19125 +static int preallocate_pxds(pxd_t *pxds[])
19128 bool failed = false;
19130 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19131 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19133 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19134 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
19147 @@ -205,51 +259,56 @@ static int preallocate_pmds(pmd_t *pmds[
19148 * preallocate which never got a corresponding vma will need to be
19151 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19152 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19156 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19157 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19158 pgd_t pgd = pgdp[i];
19160 if (pgd_val(pgd) != 0) {
19161 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19162 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19164 - pgdp[i] = native_make_pgd(0);
19165 + set_pgd(pgdp + i, native_make_pgd(0));
19167 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19168 - pmd_free(mm, pmd);
19169 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19170 + pxd_free(mm, pxd);
19175 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19176 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19180 unsigned long addr;
19183 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19184 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19187 - pud = pud_offset(pgd, 0);
19188 +#ifdef CONFIG_X86_64
19189 + pyd = pyd_offset(mm, 0L);
19191 + pyd = pyd_offset(pgd, 0L);
19194 - for (addr = i = 0; i < PREALLOCATED_PMDS;
19195 - i++, pud++, addr += PUD_SIZE) {
19196 - pmd_t *pmd = pmds[i];
19197 + for (addr = i = 0; i < PREALLOCATED_PXDS;
19198 + i++, pyd++, addr += PYD_SIZE) {
19199 + pxd_t *pxd = pxds[i];
19201 if (i >= KERNEL_PGD_BOUNDARY)
19202 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19203 - sizeof(pmd_t) * PTRS_PER_PMD);
19204 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19205 + sizeof(pxd_t) * PTRS_PER_PMD);
19207 - pud_populate(mm, pud, pmd);
19208 + pyd_populate(mm, pyd, pxd);
19212 pgd_t *pgd_alloc(struct mm_struct *mm)
19215 - pmd_t *pmds[PREALLOCATED_PMDS];
19216 + pxd_t *pxds[PREALLOCATED_PXDS];
19218 unsigned long flags;
19220 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
19221 @@ -259,11 +318,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19225 - if (preallocate_pmds(pmds) != 0)
19226 + if (preallocate_pxds(pxds) != 0)
19229 if (paravirt_pgd_alloc(mm) != 0)
19230 - goto out_free_pmds;
19231 + goto out_free_pxds;
19234 * Make sure that pre-populating the pmds is atomic with
19235 @@ -273,14 +332,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19236 spin_lock_irqsave(&pgd_lock, flags);
19239 - pgd_prepopulate_pmd(mm, pgd, pmds);
19240 + pgd_prepopulate_pxd(mm, pgd, pxds);
19242 spin_unlock_irqrestore(&pgd_lock, flags);
19251 free_page((unsigned long)pgd);
19253 @@ -289,7 +348,7 @@ out:
19255 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19257 - pgd_mop_up_pmds(mm, pgd);
19258 + pgd_mop_up_pxds(mm, pgd);
19260 paravirt_pgd_free(mm, pgd);
19261 free_page((unsigned long)pgd);
19262 diff -urNp linux-2.6.35.4/arch/x86/mm/setup_nx.c linux-2.6.35.4/arch/x86/mm/setup_nx.c
19263 --- linux-2.6.35.4/arch/x86/mm/setup_nx.c 2010-08-26 19:47:12.000000000 -0400
19264 +++ linux-2.6.35.4/arch/x86/mm/setup_nx.c 2010-09-17 20:12:09.000000000 -0400
19266 #include <asm/pgtable.h>
19267 #include <asm/proto.h>
19269 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19270 static int disable_nx __cpuinitdata;
19272 +#ifndef CONFIG_PAX_PAGEEXEC
19276 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19279 early_param("noexec", noexec_setup);
19284 void __cpuinit x86_configure_nx(void)
19286 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19287 if (cpu_has_nx && !disable_nx)
19288 __supported_pte_mask |= _PAGE_NX;
19291 __supported_pte_mask &= ~_PAGE_NX;
19294 diff -urNp linux-2.6.35.4/arch/x86/mm/tlb.c linux-2.6.35.4/arch/x86/mm/tlb.c
19295 --- linux-2.6.35.4/arch/x86/mm/tlb.c 2010-08-26 19:47:12.000000000 -0400
19296 +++ linux-2.6.35.4/arch/x86/mm/tlb.c 2010-09-17 20:12:09.000000000 -0400
19298 #include <asm/uv/uv.h>
19300 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
19301 - = { &init_mm, 0, };
19302 + = { &init_mm, 0 };
19305 * Smarter SMP flushing macros.
19306 @@ -62,7 +62,11 @@ void leave_mm(int cpu)
19308 cpumask_clear_cpu(cpu,
19309 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
19311 +#ifndef CONFIG_PAX_PER_CPU_PGD
19312 load_cr3(swapper_pg_dir);
19316 EXPORT_SYMBOL_GPL(leave_mm);
19318 diff -urNp linux-2.6.35.4/arch/x86/oprofile/backtrace.c linux-2.6.35.4/arch/x86/oprofile/backtrace.c
19319 --- linux-2.6.35.4/arch/x86/oprofile/backtrace.c 2010-08-26 19:47:12.000000000 -0400
19320 +++ linux-2.6.35.4/arch/x86/oprofile/backtrace.c 2010-09-17 20:12:09.000000000 -0400
19321 @@ -58,7 +58,7 @@ static struct frame_head *dump_user_back
19322 struct frame_head bufhead[2];
19324 /* Also check accessibility of one struct frame_head beyond */
19325 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
19326 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
19328 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
19330 @@ -78,7 +78,7 @@ x86_backtrace(struct pt_regs * const reg
19332 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
19334 - if (!user_mode_vm(regs)) {
19335 + if (!user_mode(regs)) {
19336 unsigned long stack = kernel_stack_pointer(regs);
19338 dump_trace(NULL, regs, (unsigned long *)stack, 0,
19339 diff -urNp linux-2.6.35.4/arch/x86/oprofile/op_model_p4.c linux-2.6.35.4/arch/x86/oprofile/op_model_p4.c
19340 --- linux-2.6.35.4/arch/x86/oprofile/op_model_p4.c 2010-08-26 19:47:12.000000000 -0400
19341 +++ linux-2.6.35.4/arch/x86/oprofile/op_model_p4.c 2010-09-17 20:12:09.000000000 -0400
19342 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
19346 -static int inline addr_increment(void)
19347 +static inline int addr_increment(void)
19350 return smp_num_siblings == 2 ? 2 : 1;
19351 diff -urNp linux-2.6.35.4/arch/x86/pci/common.c linux-2.6.35.4/arch/x86/pci/common.c
19352 --- linux-2.6.35.4/arch/x86/pci/common.c 2010-08-26 19:47:12.000000000 -0400
19353 +++ linux-2.6.35.4/arch/x86/pci/common.c 2010-09-17 20:12:09.000000000 -0400
19354 @@ -32,8 +32,8 @@ int noioapicreroute = 1;
19355 int pcibios_last_bus = -1;
19356 unsigned long pirq_table_addr;
19357 struct pci_bus *pci_root_bus;
19358 -struct pci_raw_ops *raw_pci_ops;
19359 -struct pci_raw_ops *raw_pci_ext_ops;
19360 +const struct pci_raw_ops *raw_pci_ops;
19361 +const struct pci_raw_ops *raw_pci_ext_ops;
19363 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
19364 int reg, int len, u32 *val)
19365 @@ -365,7 +365,7 @@ static const struct dmi_system_id __devi
19366 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
19370 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
19373 void __init dmi_check_pciprobe(void)
19374 diff -urNp linux-2.6.35.4/arch/x86/pci/direct.c linux-2.6.35.4/arch/x86/pci/direct.c
19375 --- linux-2.6.35.4/arch/x86/pci/direct.c 2010-08-26 19:47:12.000000000 -0400
19376 +++ linux-2.6.35.4/arch/x86/pci/direct.c 2010-09-17 20:12:09.000000000 -0400
19377 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
19379 #undef PCI_CONF1_ADDRESS
19381 -struct pci_raw_ops pci_direct_conf1 = {
19382 +const struct pci_raw_ops pci_direct_conf1 = {
19383 .read = pci_conf1_read,
19384 .write = pci_conf1_write,
19386 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
19388 #undef PCI_CONF2_ADDRESS
19390 -struct pci_raw_ops pci_direct_conf2 = {
19391 +const struct pci_raw_ops pci_direct_conf2 = {
19392 .read = pci_conf2_read,
19393 .write = pci_conf2_write,
19395 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
19396 * This should be close to trivial, but it isn't, because there are buggy
19397 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
19399 -static int __init pci_sanity_check(struct pci_raw_ops *o)
19400 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
19404 diff -urNp linux-2.6.35.4/arch/x86/pci/fixup.c linux-2.6.35.4/arch/x86/pci/fixup.c
19405 --- linux-2.6.35.4/arch/x86/pci/fixup.c 2010-08-26 19:47:12.000000000 -0400
19406 +++ linux-2.6.35.4/arch/x86/pci/fixup.c 2010-09-17 20:12:09.000000000 -0400
19407 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
19408 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
19412 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19416 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
19417 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
19421 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19424 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
19425 diff -urNp linux-2.6.35.4/arch/x86/pci/irq.c linux-2.6.35.4/arch/x86/pci/irq.c
19426 --- linux-2.6.35.4/arch/x86/pci/irq.c 2010-08-26 19:47:12.000000000 -0400
19427 +++ linux-2.6.35.4/arch/x86/pci/irq.c 2010-09-17 20:12:09.000000000 -0400
19428 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
19429 static struct pci_device_id __initdata pirq_440gx[] = {
19430 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
19431 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
19433 + { PCI_DEVICE(0, 0) }
19436 /* 440GX has a proprietary PIRQ router -- don't use it */
19437 @@ -1113,7 +1113,7 @@ static struct dmi_system_id __initdata p
19438 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
19442 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19445 void __init pcibios_irq_init(void)
19446 diff -urNp linux-2.6.35.4/arch/x86/pci/mmconfig_32.c linux-2.6.35.4/arch/x86/pci/mmconfig_32.c
19447 --- linux-2.6.35.4/arch/x86/pci/mmconfig_32.c 2010-08-26 19:47:12.000000000 -0400
19448 +++ linux-2.6.35.4/arch/x86/pci/mmconfig_32.c 2010-09-17 20:12:09.000000000 -0400
19449 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
19453 -static struct pci_raw_ops pci_mmcfg = {
19454 +static const struct pci_raw_ops pci_mmcfg = {
19455 .read = pci_mmcfg_read,
19456 .write = pci_mmcfg_write,
19458 diff -urNp linux-2.6.35.4/arch/x86/pci/mmconfig_64.c linux-2.6.35.4/arch/x86/pci/mmconfig_64.c
19459 --- linux-2.6.35.4/arch/x86/pci/mmconfig_64.c 2010-08-26 19:47:12.000000000 -0400
19460 +++ linux-2.6.35.4/arch/x86/pci/mmconfig_64.c 2010-09-17 20:12:09.000000000 -0400
19461 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
19465 -static struct pci_raw_ops pci_mmcfg = {
19466 +static const struct pci_raw_ops pci_mmcfg = {
19467 .read = pci_mmcfg_read,
19468 .write = pci_mmcfg_write,
19470 diff -urNp linux-2.6.35.4/arch/x86/pci/numaq_32.c linux-2.6.35.4/arch/x86/pci/numaq_32.c
19471 --- linux-2.6.35.4/arch/x86/pci/numaq_32.c 2010-08-26 19:47:12.000000000 -0400
19472 +++ linux-2.6.35.4/arch/x86/pci/numaq_32.c 2010-09-17 20:12:09.000000000 -0400
19473 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
19475 #undef PCI_CONF1_MQ_ADDRESS
19477 -static struct pci_raw_ops pci_direct_conf1_mq = {
19478 +static const struct pci_raw_ops pci_direct_conf1_mq = {
19479 .read = pci_conf1_mq_read,
19480 .write = pci_conf1_mq_write
19482 diff -urNp linux-2.6.35.4/arch/x86/pci/olpc.c linux-2.6.35.4/arch/x86/pci/olpc.c
19483 --- linux-2.6.35.4/arch/x86/pci/olpc.c 2010-08-26 19:47:12.000000000 -0400
19484 +++ linux-2.6.35.4/arch/x86/pci/olpc.c 2010-09-17 20:12:09.000000000 -0400
19485 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
19489 -static struct pci_raw_ops pci_olpc_conf = {
19490 +static const struct pci_raw_ops pci_olpc_conf = {
19491 .read = pci_olpc_read,
19492 .write = pci_olpc_write,
19494 diff -urNp linux-2.6.35.4/arch/x86/pci/pcbios.c linux-2.6.35.4/arch/x86/pci/pcbios.c
19495 --- linux-2.6.35.4/arch/x86/pci/pcbios.c 2010-08-26 19:47:12.000000000 -0400
19496 +++ linux-2.6.35.4/arch/x86/pci/pcbios.c 2010-09-17 20:12:09.000000000 -0400
19497 @@ -57,50 +57,93 @@ union bios32 {
19499 unsigned long address;
19500 unsigned short segment;
19501 -} bios32_indirect = { 0, __KERNEL_CS };
19502 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
19505 * Returns the entry point for the given service, NULL on error
19508 -static unsigned long bios32_service(unsigned long service)
19509 +static unsigned long __devinit bios32_service(unsigned long service)
19511 unsigned char return_code; /* %al */
19512 unsigned long address; /* %ebx */
19513 unsigned long length; /* %ecx */
19514 unsigned long entry; /* %edx */
19515 unsigned long flags;
19516 + struct desc_struct d, *gdt;
19518 local_irq_save(flags);
19519 - __asm__("lcall *(%%edi); cld"
19521 + gdt = get_cpu_gdt_table(smp_processor_id());
19523 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
19524 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19525 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
19526 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19528 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
19529 : "=a" (return_code),
19535 - "D" (&bios32_indirect));
19536 + "D" (&bios32_indirect),
19537 + "r"(__PCIBIOS_DS)
19540 + pax_open_kernel();
19541 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
19542 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
19543 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
19544 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
19545 + pax_close_kernel();
19547 local_irq_restore(flags);
19549 switch (return_code) {
19551 - return address + entry;
19552 - case 0x80: /* Not present */
19553 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19555 - default: /* Shouldn't happen */
19556 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19557 - service, return_code);
19560 + unsigned char flags;
19562 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
19563 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
19564 + printk(KERN_WARNING "bios32_service: not valid\n");
19567 + address = address + PAGE_OFFSET;
19568 + length += 16UL; /* some BIOSs underreport this... */
19570 + if (length >= 64*1024*1024) {
19571 + length >>= PAGE_SHIFT;
19575 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19576 + gdt = get_cpu_gdt_table(cpu);
19577 + pack_descriptor(&d, address, length, 0x9b, flags);
19578 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19579 + pack_descriptor(&d, address, length, 0x93, flags);
19580 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19584 + case 0x80: /* Not present */
19585 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19587 + default: /* Shouldn't happen */
19588 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19589 + service, return_code);
19595 unsigned long address;
19596 unsigned short segment;
19597 -} pci_indirect = { 0, __KERNEL_CS };
19598 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
19600 -static int pci_bios_present;
19601 +static int pci_bios_present __read_only;
19603 static int __devinit check_pcibios(void)
19605 @@ -109,11 +152,13 @@ static int __devinit check_pcibios(void)
19606 unsigned long flags, pcibios_entry;
19608 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
19609 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
19610 + pci_indirect.address = pcibios_entry;
19612 local_irq_save(flags);
19614 - "lcall *(%%edi); cld\n\t"
19615 + __asm__("movw %w6, %%ds\n\t"
19616 + "lcall *%%ss:(%%edi); cld\n\t"
19622 @@ -122,7 +167,8 @@ static int __devinit check_pcibios(void)
19625 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
19626 - "D" (&pci_indirect)
19627 + "D" (&pci_indirect),
19628 + "r" (__PCIBIOS_DS)
19630 local_irq_restore(flags);
19632 @@ -166,7 +212,10 @@ static int pci_bios_read(unsigned int se
19636 - __asm__("lcall *(%%esi); cld\n\t"
19637 + __asm__("movw %w6, %%ds\n\t"
19638 + "lcall *%%ss:(%%esi); cld\n\t"
19644 @@ -175,7 +224,8 @@ static int pci_bios_read(unsigned int se
19645 : "1" (PCIBIOS_READ_CONFIG_BYTE),
19648 - "S" (&pci_indirect));
19649 + "S" (&pci_indirect),
19650 + "r" (__PCIBIOS_DS));
19652 * Zero-extend the result beyond 8 bits, do not trust the
19653 * BIOS having done it:
19654 @@ -183,7 +233,10 @@ static int pci_bios_read(unsigned int se
19658 - __asm__("lcall *(%%esi); cld\n\t"
19659 + __asm__("movw %w6, %%ds\n\t"
19660 + "lcall *%%ss:(%%esi); cld\n\t"
19666 @@ -192,7 +245,8 @@ static int pci_bios_read(unsigned int se
19667 : "1" (PCIBIOS_READ_CONFIG_WORD),
19670 - "S" (&pci_indirect));
19671 + "S" (&pci_indirect),
19672 + "r" (__PCIBIOS_DS));
19674 * Zero-extend the result beyond 16 bits, do not trust the
19675 * BIOS having done it:
19676 @@ -200,7 +254,10 @@ static int pci_bios_read(unsigned int se
19680 - __asm__("lcall *(%%esi); cld\n\t"
19681 + __asm__("movw %w6, %%ds\n\t"
19682 + "lcall *%%ss:(%%esi); cld\n\t"
19688 @@ -209,7 +266,8 @@ static int pci_bios_read(unsigned int se
19689 : "1" (PCIBIOS_READ_CONFIG_DWORD),
19692 - "S" (&pci_indirect));
19693 + "S" (&pci_indirect),
19694 + "r" (__PCIBIOS_DS));
19698 @@ -232,7 +290,10 @@ static int pci_bios_write(unsigned int s
19702 - __asm__("lcall *(%%esi); cld\n\t"
19703 + __asm__("movw %w6, %%ds\n\t"
19704 + "lcall *%%ss:(%%esi); cld\n\t"
19710 @@ -241,10 +302,14 @@ static int pci_bios_write(unsigned int s
19714 - "S" (&pci_indirect));
19715 + "S" (&pci_indirect),
19716 + "r" (__PCIBIOS_DS));
19719 - __asm__("lcall *(%%esi); cld\n\t"
19720 + __asm__("movw %w6, %%ds\n\t"
19721 + "lcall *%%ss:(%%esi); cld\n\t"
19727 @@ -253,10 +318,14 @@ static int pci_bios_write(unsigned int s
19731 - "S" (&pci_indirect));
19732 + "S" (&pci_indirect),
19733 + "r" (__PCIBIOS_DS));
19736 - __asm__("lcall *(%%esi); cld\n\t"
19737 + __asm__("movw %w6, %%ds\n\t"
19738 + "lcall *%%ss:(%%esi); cld\n\t"
19744 @@ -265,7 +334,8 @@ static int pci_bios_write(unsigned int s
19748 - "S" (&pci_indirect));
19749 + "S" (&pci_indirect),
19750 + "r" (__PCIBIOS_DS));
19754 @@ -279,7 +349,7 @@ static int pci_bios_write(unsigned int s
19755 * Function table for BIOS32 access
19758 -static struct pci_raw_ops pci_bios_access = {
19759 +static const struct pci_raw_ops pci_bios_access = {
19760 .read = pci_bios_read,
19761 .write = pci_bios_write
19763 @@ -288,7 +358,7 @@ static struct pci_raw_ops pci_bios_acces
19764 * Try to find PCI BIOS.
19767 -static struct pci_raw_ops * __devinit pci_find_bios(void)
19768 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
19770 union bios32 *check;
19772 @@ -369,10 +439,13 @@ struct irq_routing_table * pcibios_get_i
19774 DBG("PCI: Fetching IRQ routing table... ");
19775 __asm__("push %%es\n\t"
19776 + "movw %w8, %%ds\n\t"
19779 - "lcall *(%%esi); cld\n\t"
19780 + "lcall *%%ss:(%%esi); cld\n\t"
19787 @@ -383,7 +456,8 @@ struct irq_routing_table * pcibios_get_i
19790 "S" (&pci_indirect),
19793 + "r" (__PCIBIOS_DS)
19795 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
19797 @@ -407,7 +481,10 @@ int pcibios_set_irq_routing(struct pci_d
19801 - __asm__("lcall *(%%esi); cld\n\t"
19802 + __asm__("movw %w5, %%ds\n\t"
19803 + "lcall *%%ss:(%%esi); cld\n\t"
19809 @@ -415,7 +492,8 @@ int pcibios_set_irq_routing(struct pci_d
19810 : "0" (PCIBIOS_SET_PCI_HW_INT),
19811 "b" ((dev->bus->number << 8) | dev->devfn),
19812 "c" ((irq << 8) | (pin + 10)),
19813 - "S" (&pci_indirect));
19814 + "S" (&pci_indirect),
19815 + "r" (__PCIBIOS_DS));
19816 return !(ret & 0xff00);
19818 EXPORT_SYMBOL(pcibios_set_irq_routing);
19819 diff -urNp linux-2.6.35.4/arch/x86/power/cpu.c linux-2.6.35.4/arch/x86/power/cpu.c
19820 --- linux-2.6.35.4/arch/x86/power/cpu.c 2010-08-26 19:47:12.000000000 -0400
19821 +++ linux-2.6.35.4/arch/x86/power/cpu.c 2010-09-17 20:12:09.000000000 -0400
19822 @@ -129,7 +129,7 @@ static void do_fpu_end(void)
19823 static void fix_processor_context(void)
19825 int cpu = smp_processor_id();
19826 - struct tss_struct *t = &per_cpu(init_tss, cpu);
19827 + struct tss_struct *t = init_tss + cpu;
19829 set_tss_desc(cpu, t); /*
19830 * This just modifies memory; should not be
19831 @@ -139,7 +139,9 @@ static void fix_processor_context(void)
19834 #ifdef CONFIG_X86_64
19835 + pax_open_kernel();
19836 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
19837 + pax_close_kernel();
19839 syscall_init(); /* This sets MSR_*STAR and related */
19841 diff -urNp linux-2.6.35.4/arch/x86/vdso/Makefile linux-2.6.35.4/arch/x86/vdso/Makefile
19842 --- linux-2.6.35.4/arch/x86/vdso/Makefile 2010-08-26 19:47:12.000000000 -0400
19843 +++ linux-2.6.35.4/arch/x86/vdso/Makefile 2010-09-17 20:12:09.000000000 -0400
19844 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
19845 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
19846 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
19848 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
19849 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
19853 diff -urNp linux-2.6.35.4/arch/x86/vdso/vclock_gettime.c linux-2.6.35.4/arch/x86/vdso/vclock_gettime.c
19854 --- linux-2.6.35.4/arch/x86/vdso/vclock_gettime.c 2010-08-26 19:47:12.000000000 -0400
19855 +++ linux-2.6.35.4/arch/x86/vdso/vclock_gettime.c 2010-09-17 20:12:09.000000000 -0400
19856 @@ -22,24 +22,48 @@
19857 #include <asm/hpet.h>
19858 #include <asm/unistd.h>
19859 #include <asm/io.h>
19860 +#include <asm/fixmap.h>
19861 #include "vextern.h"
19863 #define gtod vdso_vsyscall_gtod_data
19865 +notrace noinline long __vdso_fallback_time(long *t)
19868 + asm volatile("syscall"
19870 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
19874 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
19877 asm("syscall" : "=a" (ret) :
19878 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
19879 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
19883 +notrace static inline cycle_t __vdso_vread_hpet(void)
19885 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
19888 +notrace static inline cycle_t __vdso_vread_tsc(void)
19890 + cycle_t ret = (cycle_t)vget_cycles();
19892 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
19895 notrace static inline long vgetns(void)
19898 - cycles_t (*vread)(void);
19899 - vread = gtod->clock.vread;
19900 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
19901 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
19902 + v = __vdso_vread_tsc();
19904 + v = __vdso_vread_hpet();
19905 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
19906 return (v * gtod->clock.mult) >> gtod->clock.shift;
19909 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
19911 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
19913 - if (likely(gtod->sysctl_enabled))
19914 + if (likely(gtod->sysctl_enabled &&
19915 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
19916 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
19918 case CLOCK_REALTIME:
19919 if (likely(gtod->clock.vread))
19920 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
19921 int clock_gettime(clockid_t, struct timespec *)
19922 __attribute__((weak, alias("__vdso_clock_gettime")));
19924 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
19925 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
19928 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
19929 + asm("syscall" : "=a" (ret) :
19930 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
19934 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
19936 + if (likely(gtod->sysctl_enabled &&
19937 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
19938 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
19940 if (likely(tv != NULL)) {
19941 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
19942 offsetof(struct timespec, tv_nsec) ||
19943 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
19947 - asm("syscall" : "=a" (ret) :
19948 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
19950 + return __vdso_fallback_gettimeofday(tv, tz);
19952 int gettimeofday(struct timeval *, struct timezone *)
19953 __attribute__((weak, alias("__vdso_gettimeofday")));
19954 diff -urNp linux-2.6.35.4/arch/x86/vdso/vdso32-setup.c linux-2.6.35.4/arch/x86/vdso/vdso32-setup.c
19955 --- linux-2.6.35.4/arch/x86/vdso/vdso32-setup.c 2010-08-26 19:47:12.000000000 -0400
19956 +++ linux-2.6.35.4/arch/x86/vdso/vdso32-setup.c 2010-09-17 20:12:09.000000000 -0400
19958 #include <asm/tlbflush.h>
19959 #include <asm/vdso.h>
19960 #include <asm/proto.h>
19961 +#include <asm/mman.h>
19965 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
19966 void enable_sep_cpu(void)
19968 int cpu = get_cpu();
19969 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
19970 + struct tss_struct *tss = init_tss + cpu;
19972 if (!boot_cpu_has(X86_FEATURE_SEP)) {
19974 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
19975 gate_vma.vm_start = FIXADDR_USER_START;
19976 gate_vma.vm_end = FIXADDR_USER_END;
19977 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
19978 - gate_vma.vm_page_prot = __P101;
19979 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
19981 * Make sure the vDSO gets into every core dump.
19982 * Dumping its contents makes post-mortem fully interpretable later
19983 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
19985 addr = VDSO_HIGH_BASE;
19987 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
19988 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
19989 if (IS_ERR_VALUE(addr)) {
19995 - current->mm->context.vdso = (void *)addr;
19996 + current->mm->context.vdso = addr;
19998 if (compat_uses_vma || !compat) {
20000 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20003 current_thread_info()->sysenter_return =
20004 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20005 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20009 - current->mm->context.vdso = NULL;
20010 + current->mm->context.vdso = 0;
20012 up_write(&mm->mmap_sem);
20014 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20016 const char *arch_vma_name(struct vm_area_struct *vma)
20018 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20019 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20022 +#ifdef CONFIG_PAX_SEGMEXEC
20023 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20030 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20031 struct mm_struct *mm = tsk->mm;
20033 /* Check to see if this task was created in compat vdso mode */
20034 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20035 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20039 diff -urNp linux-2.6.35.4/arch/x86/vdso/vdso.lds.S linux-2.6.35.4/arch/x86/vdso/vdso.lds.S
20040 --- linux-2.6.35.4/arch/x86/vdso/vdso.lds.S 2010-08-26 19:47:12.000000000 -0400
20041 +++ linux-2.6.35.4/arch/x86/vdso/vdso.lds.S 2010-09-17 20:12:09.000000000 -0400
20042 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20043 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20044 #include "vextern.h"
20047 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20048 +VEXTERN(fallback_gettimeofday)
20049 +VEXTERN(fallback_time)
20052 diff -urNp linux-2.6.35.4/arch/x86/vdso/vextern.h linux-2.6.35.4/arch/x86/vdso/vextern.h
20053 --- linux-2.6.35.4/arch/x86/vdso/vextern.h 2010-08-26 19:47:12.000000000 -0400
20054 +++ linux-2.6.35.4/arch/x86/vdso/vextern.h 2010-09-17 20:12:09.000000000 -0400
20056 put into vextern.h and be referenced as a pointer with vdso prefix.
20057 The main kernel later fills in the values. */
20060 VEXTERN(vgetcpu_mode)
20061 VEXTERN(vsyscall_gtod_data)
20062 diff -urNp linux-2.6.35.4/arch/x86/vdso/vma.c linux-2.6.35.4/arch/x86/vdso/vma.c
20063 --- linux-2.6.35.4/arch/x86/vdso/vma.c 2010-08-26 19:47:12.000000000 -0400
20064 +++ linux-2.6.35.4/arch/x86/vdso/vma.c 2010-09-17 20:12:09.000000000 -0400
20065 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20069 - if (memcmp(vbase, "\177ELF", 4)) {
20070 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
20071 printk("VDSO: I'm broken; not ELF\n");
20074 @@ -67,6 +67,7 @@ static int __init init_vdso_vars(void)
20075 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
20076 #include "vextern.h"
20082 @@ -117,7 +118,7 @@ int arch_setup_additional_pages(struct l
20086 - current->mm->context.vdso = (void *)addr;
20087 + current->mm->context.vdso = addr;
20089 ret = install_special_mapping(mm, addr, vdso_size,
20091 @@ -125,7 +126,7 @@ int arch_setup_additional_pages(struct l
20095 - current->mm->context.vdso = NULL;
20096 + current->mm->context.vdso = 0;
20100 @@ -133,10 +134,3 @@ up_fail:
20101 up_write(&mm->mmap_sem);
20105 -static __init int vdso_setup(char *s)
20107 - vdso_enabled = simple_strtoul(s, NULL, 0);
20110 -__setup("vdso=", vdso_setup);
20111 diff -urNp linux-2.6.35.4/arch/x86/xen/enlighten.c linux-2.6.35.4/arch/x86/xen/enlighten.c
20112 --- linux-2.6.35.4/arch/x86/xen/enlighten.c 2010-08-26 19:47:12.000000000 -0400
20113 +++ linux-2.6.35.4/arch/x86/xen/enlighten.c 2010-09-17 20:12:09.000000000 -0400
20114 @@ -74,8 +74,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
20116 struct shared_info xen_dummy_shared_info;
20118 -void *xen_initial_gdt;
20121 * Point at some empty memory to start with. We map the real shared_info
20122 * page as soon as fixmap is up and running.
20123 @@ -551,7 +549,7 @@ static void xen_write_idt_entry(gate_des
20127 - start = __get_cpu_var(idt_desc).address;
20128 + start = (unsigned long)__get_cpu_var(idt_desc).address;
20129 end = start + __get_cpu_var(idt_desc).size + 1;
20132 @@ -1103,7 +1101,17 @@ asmlinkage void __init xen_start_kernel(
20133 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
20135 /* Work out if we support NX */
20136 - x86_configure_nx();
20137 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20138 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
20139 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
20142 + __supported_pte_mask |= _PAGE_NX;
20143 + rdmsr(MSR_EFER, l, h);
20145 + wrmsr(MSR_EFER, l, h);
20149 xen_setup_features();
20151 @@ -1134,13 +1142,6 @@ asmlinkage void __init xen_start_kernel(
20153 machine_ops = xen_machine_ops;
20156 - * The only reliable way to retain the initial address of the
20157 - * percpu gdt_page is to remember it here, so we can go and
20158 - * mark it RW later, when the initial percpu area is freed.
20160 - xen_initial_gdt = &per_cpu(gdt_page, 0);
20164 pgd = (pgd_t *)xen_start_info->pt_base;
20165 diff -urNp linux-2.6.35.4/arch/x86/xen/mmu.c linux-2.6.35.4/arch/x86/xen/mmu.c
20166 --- linux-2.6.35.4/arch/x86/xen/mmu.c 2010-08-26 19:47:12.000000000 -0400
20167 +++ linux-2.6.35.4/arch/x86/xen/mmu.c 2010-09-17 20:12:09.000000000 -0400
20168 @@ -1694,6 +1694,8 @@ __init pgd_t *xen_setup_kernel_pagetable
20169 convert_pfn_mfn(init_level4_pgt);
20170 convert_pfn_mfn(level3_ident_pgt);
20171 convert_pfn_mfn(level3_kernel_pgt);
20172 + convert_pfn_mfn(level3_vmalloc_pgt);
20173 + convert_pfn_mfn(level3_vmemmap_pgt);
20175 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
20176 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
20177 @@ -1712,7 +1714,10 @@ __init pgd_t *xen_setup_kernel_pagetable
20178 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
20179 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
20180 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
20181 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
20182 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
20183 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
20184 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
20185 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
20186 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
20188 diff -urNp linux-2.6.35.4/arch/x86/xen/smp.c linux-2.6.35.4/arch/x86/xen/smp.c
20189 --- linux-2.6.35.4/arch/x86/xen/smp.c 2010-08-26 19:47:12.000000000 -0400
20190 +++ linux-2.6.35.4/arch/x86/xen/smp.c 2010-09-17 20:12:09.000000000 -0400
20191 @@ -169,11 +169,6 @@ static void __init xen_smp_prepare_boot_
20193 BUG_ON(smp_processor_id() != 0);
20194 native_smp_prepare_boot_cpu();
20196 - /* We've switched to the "real" per-cpu gdt, so make sure the
20197 - old memory can be recycled */
20198 - make_lowmem_page_readwrite(xen_initial_gdt);
20200 xen_setup_vcpu_info_placement();
20203 @@ -233,8 +228,8 @@ cpu_initialize_context(unsigned int cpu,
20204 gdt = get_cpu_gdt_table(cpu);
20206 ctxt->flags = VGCF_IN_KERNEL;
20207 - ctxt->user_regs.ds = __USER_DS;
20208 - ctxt->user_regs.es = __USER_DS;
20209 + ctxt->user_regs.ds = __KERNEL_DS;
20210 + ctxt->user_regs.es = __KERNEL_DS;
20211 ctxt->user_regs.ss = __KERNEL_DS;
20212 #ifdef CONFIG_X86_32
20213 ctxt->user_regs.fs = __KERNEL_PERCPU;
20214 diff -urNp linux-2.6.35.4/arch/x86/xen/xen-head.S linux-2.6.35.4/arch/x86/xen/xen-head.S
20215 --- linux-2.6.35.4/arch/x86/xen/xen-head.S 2010-08-26 19:47:12.000000000 -0400
20216 +++ linux-2.6.35.4/arch/x86/xen/xen-head.S 2010-09-17 20:12:09.000000000 -0400
20217 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
20218 #ifdef CONFIG_X86_32
20219 mov %esi,xen_start_info
20220 mov $init_thread_union+THREAD_SIZE,%esp
20222 + movl $cpu_gdt_table,%edi
20223 + movl $__per_cpu_load,%eax
20224 + movw %ax,__KERNEL_PERCPU + 2(%edi)
20226 + movb %al,__KERNEL_PERCPU + 4(%edi)
20227 + movb %ah,__KERNEL_PERCPU + 7(%edi)
20228 + movl $__per_cpu_end - 1,%eax
20229 + subl $__per_cpu_start,%eax
20230 + movw %ax,__KERNEL_PERCPU + 0(%edi)
20233 mov %rsi,xen_start_info
20234 mov $init_thread_union+THREAD_SIZE,%rsp
20235 diff -urNp linux-2.6.35.4/arch/x86/xen/xen-ops.h linux-2.6.35.4/arch/x86/xen/xen-ops.h
20236 --- linux-2.6.35.4/arch/x86/xen/xen-ops.h 2010-08-26 19:47:12.000000000 -0400
20237 +++ linux-2.6.35.4/arch/x86/xen/xen-ops.h 2010-09-17 20:12:09.000000000 -0400
20239 extern const char xen_hypervisor_callback[];
20240 extern const char xen_failsafe_callback[];
20242 -extern void *xen_initial_gdt;
20245 void xen_copy_trap_info(struct trap_info *traps);
20247 diff -urNp linux-2.6.35.4/block/blk-iopoll.c linux-2.6.35.4/block/blk-iopoll.c
20248 --- linux-2.6.35.4/block/blk-iopoll.c 2010-08-26 19:47:12.000000000 -0400
20249 +++ linux-2.6.35.4/block/blk-iopoll.c 2010-09-17 20:12:09.000000000 -0400
20250 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
20252 EXPORT_SYMBOL(blk_iopoll_complete);
20254 -static void blk_iopoll_softirq(struct softirq_action *h)
20255 +static void blk_iopoll_softirq(void)
20257 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
20258 int rearm = 0, budget = blk_iopoll_budget;
20259 diff -urNp linux-2.6.35.4/block/blk-map.c linux-2.6.35.4/block/blk-map.c
20260 --- linux-2.6.35.4/block/blk-map.c 2010-08-26 19:47:12.000000000 -0400
20261 +++ linux-2.6.35.4/block/blk-map.c 2010-09-17 20:12:09.000000000 -0400
20262 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
20263 * direct dma. else, set up kernel bounce buffers
20265 uaddr = (unsigned long) ubuf;
20266 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
20267 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
20268 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
20270 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
20271 @@ -297,7 +297,7 @@ int blk_rq_map_kern(struct request_queue
20275 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
20276 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
20278 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
20280 diff -urNp linux-2.6.35.4/block/blk-softirq.c linux-2.6.35.4/block/blk-softirq.c
20281 --- linux-2.6.35.4/block/blk-softirq.c 2010-08-26 19:47:12.000000000 -0400
20282 +++ linux-2.6.35.4/block/blk-softirq.c 2010-09-17 20:12:09.000000000 -0400
20283 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
20284 * Softirq action handler - move entries to local list and loop over them
20285 * while passing them to the queue registered handler.
20287 -static void blk_done_softirq(struct softirq_action *h)
20288 +static void blk_done_softirq(void)
20290 struct list_head *cpu_list, local_list;
20292 diff -urNp linux-2.6.35.4/crypto/lrw.c linux-2.6.35.4/crypto/lrw.c
20293 --- linux-2.6.35.4/crypto/lrw.c 2010-08-26 19:47:12.000000000 -0400
20294 +++ linux-2.6.35.4/crypto/lrw.c 2010-09-17 20:12:09.000000000 -0400
20295 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
20296 struct priv *ctx = crypto_tfm_ctx(parent);
20297 struct crypto_cipher *child = ctx->child;
20299 - be128 tmp = { 0 };
20300 + be128 tmp = { 0, 0 };
20301 int bsize = crypto_cipher_blocksize(child);
20303 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
20304 diff -urNp linux-2.6.35.4/Documentation/dontdiff linux-2.6.35.4/Documentation/dontdiff
20305 --- linux-2.6.35.4/Documentation/dontdiff 2010-08-26 19:47:12.000000000 -0400
20306 +++ linux-2.6.35.4/Documentation/dontdiff 2010-09-17 20:12:09.000000000 -0400
20326 @@ -49,11 +52,16 @@
20343 @@ -76,7 +84,10 @@ btfixupprep
20354 @@ -100,19 +111,22 @@ fore200e_mkfirm
20369 initramfs_data.cpio
20370 +initramfs_data.cpio.bz2
20371 initramfs_data.cpio.gz
20378 @@ -136,10 +150,13 @@ mkboot
20392 @@ -151,7 +168,9 @@ parse.h
20402 @@ -160,12 +179,14 @@ qconf
20417 @@ -189,14 +210,20 @@ version.h*
20438 diff -urNp linux-2.6.35.4/Documentation/filesystems/sysfs.txt linux-2.6.35.4/Documentation/filesystems/sysfs.txt
20439 --- linux-2.6.35.4/Documentation/filesystems/sysfs.txt 2010-08-26 19:47:12.000000000 -0400
20440 +++ linux-2.6.35.4/Documentation/filesystems/sysfs.txt 2010-09-17 20:12:09.000000000 -0400
20441 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
20442 show and store methods of the attribute owners.
20445 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
20446 - ssize_t (*store)(struct kobject *, struct attribute *, const char *);
20447 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
20448 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *);
20451 [ Subsystems should have already defined a struct kobj_type as a
20452 diff -urNp linux-2.6.35.4/Documentation/kernel-parameters.txt linux-2.6.35.4/Documentation/kernel-parameters.txt
20453 --- linux-2.6.35.4/Documentation/kernel-parameters.txt 2010-08-26 19:47:12.000000000 -0400
20454 +++ linux-2.6.35.4/Documentation/kernel-parameters.txt 2010-09-17 20:12:09.000000000 -0400
20455 @@ -1910,6 +1910,12 @@ and is between 256 and 4096 characters.
20456 the specified number of seconds. This is to be used if
20457 your oopses keep scrolling off the screen.
20459 + pax_nouderef [X86-32] disables UDEREF. Most likely needed under certain
20460 + virtualization environments that don't cope well with the
20461 + expand down segment used by UDEREF on X86-32.
20463 + pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
20468 diff -urNp linux-2.6.35.4/drivers/acpi/battery.c linux-2.6.35.4/drivers/acpi/battery.c
20469 --- linux-2.6.35.4/drivers/acpi/battery.c 2010-08-26 19:47:12.000000000 -0400
20470 +++ linux-2.6.35.4/drivers/acpi/battery.c 2010-09-17 20:12:09.000000000 -0400
20471 @@ -810,7 +810,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
20474 static struct battery_file {
20475 - struct file_operations ops;
20476 + const struct file_operations ops;
20479 } acpi_battery_file[] = {
20480 diff -urNp linux-2.6.35.4/drivers/acpi/blacklist.c linux-2.6.35.4/drivers/acpi/blacklist.c
20481 --- linux-2.6.35.4/drivers/acpi/blacklist.c 2010-08-26 19:47:12.000000000 -0400
20482 +++ linux-2.6.35.4/drivers/acpi/blacklist.c 2010-09-17 20:12:09.000000000 -0400
20483 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
20484 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
20485 "Incorrect _ADR", 1},
20488 + {"", "", 0, NULL, all_versions, NULL, 0}
20491 #if CONFIG_ACPI_BLACKLIST_YEAR
20492 diff -urNp linux-2.6.35.4/drivers/acpi/dock.c linux-2.6.35.4/drivers/acpi/dock.c
20493 --- linux-2.6.35.4/drivers/acpi/dock.c 2010-08-26 19:47:12.000000000 -0400
20494 +++ linux-2.6.35.4/drivers/acpi/dock.c 2010-09-17 20:12:09.000000000 -0400
20495 @@ -77,7 +77,7 @@ struct dock_dependent_device {
20496 struct list_head list;
20497 struct list_head hotplug_list;
20498 acpi_handle handle;
20499 - struct acpi_dock_ops *ops;
20500 + const struct acpi_dock_ops *ops;
20504 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
20505 * the dock driver after _DCK is executed.
20508 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
20509 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
20512 struct dock_dependent_device *dd;
20513 diff -urNp linux-2.6.35.4/drivers/acpi/osl.c linux-2.6.35.4/drivers/acpi/osl.c
20514 --- linux-2.6.35.4/drivers/acpi/osl.c 2010-08-26 19:47:12.000000000 -0400
20515 +++ linux-2.6.35.4/drivers/acpi/osl.c 2010-09-17 20:12:09.000000000 -0400
20516 @@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
20517 void __iomem *virt_addr;
20519 virt_addr = ioremap(phys_addr, width);
20521 + return AE_NO_MEMORY;
20525 @@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
20526 void __iomem *virt_addr;
20528 virt_addr = ioremap(phys_addr, width);
20530 + return AE_NO_MEMORY;
20534 diff -urNp linux-2.6.35.4/drivers/acpi/power_meter.c linux-2.6.35.4/drivers/acpi/power_meter.c
20535 --- linux-2.6.35.4/drivers/acpi/power_meter.c 2010-08-26 19:47:12.000000000 -0400
20536 +++ linux-2.6.35.4/drivers/acpi/power_meter.c 2010-09-17 20:12:09.000000000 -0400
20537 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
20544 mutex_lock(&resource->lock);
20545 resource->trip[attr->index - 7] = temp;
20546 diff -urNp linux-2.6.35.4/drivers/acpi/proc.c linux-2.6.35.4/drivers/acpi/proc.c
20547 --- linux-2.6.35.4/drivers/acpi/proc.c 2010-08-26 19:47:12.000000000 -0400
20548 +++ linux-2.6.35.4/drivers/acpi/proc.c 2010-09-17 20:12:09.000000000 -0400
20549 @@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
20550 size_t count, loff_t * ppos)
20552 struct list_head *node, *next;
20554 - char str[5] = "";
20555 - unsigned int len = count;
20556 + char strbuf[5] = {0};
20557 struct acpi_device *found_dev = NULL;
20566 - if (copy_from_user(strbuf, buffer, len))
20567 + if (copy_from_user(strbuf, buffer, count))
20569 - strbuf[len] = '\0';
20570 - sscanf(strbuf, "%s", str);
20571 + strbuf[count] = '\0';
20573 mutex_lock(&acpi_device_lock);
20574 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
20575 @@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
20576 if (!dev->wakeup.flags.valid)
20579 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
20580 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
20581 dev->wakeup.state.enabled =
20582 dev->wakeup.state.enabled ? 0 : 1;
20584 diff -urNp linux-2.6.35.4/drivers/acpi/processor_driver.c linux-2.6.35.4/drivers/acpi/processor_driver.c
20585 --- linux-2.6.35.4/drivers/acpi/processor_driver.c 2010-08-26 19:47:12.000000000 -0400
20586 +++ linux-2.6.35.4/drivers/acpi/processor_driver.c 2010-09-17 20:12:09.000000000 -0400
20587 @@ -586,7 +586,7 @@ static int __cpuinit acpi_processor_add(
20591 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
20592 + BUG_ON(pr->id >= nr_cpu_ids);
20596 diff -urNp linux-2.6.35.4/drivers/acpi/processor_idle.c linux-2.6.35.4/drivers/acpi/processor_idle.c
20597 --- linux-2.6.35.4/drivers/acpi/processor_idle.c 2010-08-26 19:47:12.000000000 -0400
20598 +++ linux-2.6.35.4/drivers/acpi/processor_idle.c 2010-09-17 20:12:09.000000000 -0400
20599 @@ -124,7 +124,7 @@ static struct dmi_system_id __cpuinitdat
20600 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
20601 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
20604 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
20608 diff -urNp linux-2.6.35.4/drivers/acpi/sleep.c linux-2.6.35.4/drivers/acpi/sleep.c
20609 --- linux-2.6.35.4/drivers/acpi/sleep.c 2010-08-26 19:47:12.000000000 -0400
20610 +++ linux-2.6.35.4/drivers/acpi/sleep.c 2010-09-17 20:12:09.000000000 -0400
20611 @@ -318,7 +318,7 @@ static int acpi_suspend_state_valid(susp
20615 -static struct platform_suspend_ops acpi_suspend_ops = {
20616 +static const struct platform_suspend_ops acpi_suspend_ops = {
20617 .valid = acpi_suspend_state_valid,
20618 .begin = acpi_suspend_begin,
20619 .prepare_late = acpi_pm_prepare,
20620 @@ -346,7 +346,7 @@ static int acpi_suspend_begin_old(suspen
20621 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20624 -static struct platform_suspend_ops acpi_suspend_ops_old = {
20625 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
20626 .valid = acpi_suspend_state_valid,
20627 .begin = acpi_suspend_begin_old,
20628 .prepare_late = acpi_pm_freeze,
20629 @@ -478,7 +478,7 @@ static void acpi_pm_thaw(void)
20630 acpi_enable_all_runtime_gpes();
20633 -static struct platform_hibernation_ops acpi_hibernation_ops = {
20634 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
20635 .begin = acpi_hibernation_begin,
20636 .end = acpi_pm_end,
20637 .pre_snapshot = acpi_hibernation_pre_snapshot,
20638 @@ -528,7 +528,7 @@ static int acpi_hibernation_pre_snapshot
20639 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20642 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
20643 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
20644 .begin = acpi_hibernation_begin_old,
20645 .end = acpi_pm_end,
20646 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
20647 diff -urNp linux-2.6.35.4/drivers/acpi/video.c linux-2.6.35.4/drivers/acpi/video.c
20648 --- linux-2.6.35.4/drivers/acpi/video.c 2010-08-26 19:47:12.000000000 -0400
20649 +++ linux-2.6.35.4/drivers/acpi/video.c 2010-09-17 20:12:09.000000000 -0400
20650 @@ -363,7 +363,7 @@ static int acpi_video_set_brightness(str
20651 vd->brightness->levels[request_level]);
20654 -static struct backlight_ops acpi_backlight_ops = {
20655 +static const struct backlight_ops acpi_backlight_ops = {
20656 .get_brightness = acpi_video_get_brightness,
20657 .update_status = acpi_video_set_brightness,
20659 diff -urNp linux-2.6.35.4/drivers/ata/ahci.c linux-2.6.35.4/drivers/ata/ahci.c
20660 --- linux-2.6.35.4/drivers/ata/ahci.c 2010-08-26 19:47:12.000000000 -0400
20661 +++ linux-2.6.35.4/drivers/ata/ahci.c 2010-09-17 20:12:09.000000000 -0400
20662 @@ -89,17 +89,17 @@ static int ahci_pci_device_suspend(struc
20663 static int ahci_pci_device_resume(struct pci_dev *pdev);
20666 -static struct ata_port_operations ahci_vt8251_ops = {
20667 +static const struct ata_port_operations ahci_vt8251_ops = {
20668 .inherits = &ahci_ops,
20669 .hardreset = ahci_vt8251_hardreset,
20672 -static struct ata_port_operations ahci_p5wdh_ops = {
20673 +static const struct ata_port_operations ahci_p5wdh_ops = {
20674 .inherits = &ahci_ops,
20675 .hardreset = ahci_p5wdh_hardreset,
20678 -static struct ata_port_operations ahci_sb600_ops = {
20679 +static const struct ata_port_operations ahci_sb600_ops = {
20680 .inherits = &ahci_ops,
20681 .softreset = ahci_sb600_softreset,
20682 .pmp_softreset = ahci_sb600_softreset,
20683 @@ -370,7 +370,7 @@ static const struct pci_device_id ahci_p
20684 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
20685 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
20687 - { } /* terminate list */
20688 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20692 diff -urNp linux-2.6.35.4/drivers/ata/ahci.h linux-2.6.35.4/drivers/ata/ahci.h
20693 --- linux-2.6.35.4/drivers/ata/ahci.h 2010-08-26 19:47:12.000000000 -0400
20694 +++ linux-2.6.35.4/drivers/ata/ahci.h 2010-09-17 20:12:09.000000000 -0400
20695 @@ -298,7 +298,7 @@ struct ahci_host_priv {
20696 extern int ahci_ignore_sss;
20698 extern struct scsi_host_template ahci_sht;
20699 -extern struct ata_port_operations ahci_ops;
20700 +extern const struct ata_port_operations ahci_ops;
20702 void ahci_save_initial_config(struct device *dev,
20703 struct ahci_host_priv *hpriv,
20704 diff -urNp linux-2.6.35.4/drivers/ata/ata_generic.c linux-2.6.35.4/drivers/ata/ata_generic.c
20705 --- linux-2.6.35.4/drivers/ata/ata_generic.c 2010-08-26 19:47:12.000000000 -0400
20706 +++ linux-2.6.35.4/drivers/ata/ata_generic.c 2010-09-17 20:12:09.000000000 -0400
20707 @@ -104,7 +104,7 @@ static struct scsi_host_template generic
20708 ATA_BMDMA_SHT(DRV_NAME),
20711 -static struct ata_port_operations generic_port_ops = {
20712 +static const struct ata_port_operations generic_port_ops = {
20713 .inherits = &ata_bmdma_port_ops,
20714 .cable_detect = ata_cable_unknown,
20715 .set_mode = generic_set_mode,
20716 diff -urNp linux-2.6.35.4/drivers/ata/ata_piix.c linux-2.6.35.4/drivers/ata/ata_piix.c
20717 --- linux-2.6.35.4/drivers/ata/ata_piix.c 2010-08-26 19:47:12.000000000 -0400
20718 +++ linux-2.6.35.4/drivers/ata/ata_piix.c 2010-09-17 20:12:09.000000000 -0400
20719 @@ -302,7 +302,7 @@ static const struct pci_device_id piix_p
20720 { 0x8086, 0x1c08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20721 /* SATA Controller IDE (CPT) */
20722 { 0x8086, 0x1c09, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20723 - { } /* terminate list */
20724 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20727 static struct pci_driver piix_pci_driver = {
20728 @@ -320,12 +320,12 @@ static struct scsi_host_template piix_sh
20729 ATA_BMDMA_SHT(DRV_NAME),
20732 -static struct ata_port_operations piix_sata_ops = {
20733 +static const struct ata_port_operations piix_sata_ops = {
20734 .inherits = &ata_bmdma32_port_ops,
20735 .sff_irq_check = piix_irq_check,
20738 -static struct ata_port_operations piix_pata_ops = {
20739 +static const struct ata_port_operations piix_pata_ops = {
20740 .inherits = &piix_sata_ops,
20741 .cable_detect = ata_cable_40wire,
20742 .set_piomode = piix_set_piomode,
20743 @@ -333,18 +333,18 @@ static struct ata_port_operations piix_p
20744 .prereset = piix_pata_prereset,
20747 -static struct ata_port_operations piix_vmw_ops = {
20748 +static const struct ata_port_operations piix_vmw_ops = {
20749 .inherits = &piix_pata_ops,
20750 .bmdma_status = piix_vmw_bmdma_status,
20753 -static struct ata_port_operations ich_pata_ops = {
20754 +static const struct ata_port_operations ich_pata_ops = {
20755 .inherits = &piix_pata_ops,
20756 .cable_detect = ich_pata_cable_detect,
20757 .set_dmamode = ich_set_dmamode,
20760 -static struct ata_port_operations piix_sidpr_sata_ops = {
20761 +static const struct ata_port_operations piix_sidpr_sata_ops = {
20762 .inherits = &piix_sata_ops,
20763 .hardreset = sata_std_hardreset,
20764 .scr_read = piix_sidpr_scr_read,
20765 @@ -620,7 +620,7 @@ static const struct ich_laptop ich_lapto
20766 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
20767 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
20774 @@ -1112,7 +1112,7 @@ static int piix_broken_suspend(void)
20778 - { } /* terminate list */
20779 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
20781 static const char *oemstrs[] = {
20783 diff -urNp linux-2.6.35.4/drivers/ata/libahci.c linux-2.6.35.4/drivers/ata/libahci.c
20784 --- linux-2.6.35.4/drivers/ata/libahci.c 2010-08-26 19:47:12.000000000 -0400
20785 +++ linux-2.6.35.4/drivers/ata/libahci.c 2010-09-17 20:12:09.000000000 -0400
20786 @@ -149,7 +149,7 @@ struct scsi_host_template ahci_sht = {
20788 EXPORT_SYMBOL_GPL(ahci_sht);
20790 -struct ata_port_operations ahci_ops = {
20791 +const struct ata_port_operations ahci_ops = {
20792 .inherits = &sata_pmp_port_ops,
20794 .qc_defer = ahci_pmp_qc_defer,
20795 diff -urNp linux-2.6.35.4/drivers/ata/libata-acpi.c linux-2.6.35.4/drivers/ata/libata-acpi.c
20796 --- linux-2.6.35.4/drivers/ata/libata-acpi.c 2010-08-26 19:47:12.000000000 -0400
20797 +++ linux-2.6.35.4/drivers/ata/libata-acpi.c 2010-09-17 20:12:09.000000000 -0400
20798 @@ -224,12 +224,12 @@ static void ata_acpi_dev_uevent(acpi_han
20799 ata_acpi_uevent(dev->link->ap, dev, event);
20802 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20803 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20804 .handler = ata_acpi_dev_notify_dock,
20805 .uevent = ata_acpi_dev_uevent,
20808 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20809 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20810 .handler = ata_acpi_ap_notify_dock,
20811 .uevent = ata_acpi_ap_uevent,
20813 diff -urNp linux-2.6.35.4/drivers/ata/libata-core.c linux-2.6.35.4/drivers/ata/libata-core.c
20814 --- linux-2.6.35.4/drivers/ata/libata-core.c 2010-08-26 19:47:12.000000000 -0400
20815 +++ linux-2.6.35.4/drivers/ata/libata-core.c 2010-09-17 20:12:09.000000000 -0400
20816 @@ -901,7 +901,7 @@ static const struct ata_xfer_ent {
20817 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
20818 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
20819 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
20825 @@ -3073,7 +3073,7 @@ static const struct ata_timing ata_timin
20826 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
20827 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
20830 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
20833 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
20834 @@ -4323,7 +4323,7 @@ static const struct ata_blacklist_entry
20835 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
20839 + { NULL, NULL, 0 }
20842 static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
20843 @@ -5869,7 +5869,7 @@ static void ata_host_stop(struct device
20847 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
20848 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
20850 static DEFINE_SPINLOCK(lock);
20851 const struct ata_port_operations *cur;
20852 @@ -5881,6 +5881,7 @@ static void ata_finalize_port_ops(struct
20856 + pax_open_kernel();
20858 for (cur = ops->inherits; cur; cur = cur->inherits) {
20859 void **inherit = (void **)cur;
20860 @@ -5894,8 +5895,9 @@ static void ata_finalize_port_ops(struct
20864 - ops->inherits = NULL;
20865 + ((struct ata_port_operations *)ops)->inherits = NULL;
20867 + pax_close_kernel();
20868 spin_unlock(&lock);
20871 @@ -5992,7 +5994,7 @@ int ata_host_start(struct ata_host *host
20873 /* KILLME - the only user left is ipr */
20874 void ata_host_init(struct ata_host *host, struct device *dev,
20875 - unsigned long flags, struct ata_port_operations *ops)
20876 + unsigned long flags, const struct ata_port_operations *ops)
20878 spin_lock_init(&host->lock);
20880 @@ -6642,7 +6644,7 @@ static void ata_dummy_error_handler(stru
20884 -struct ata_port_operations ata_dummy_port_ops = {
20885 +const struct ata_port_operations ata_dummy_port_ops = {
20886 .qc_prep = ata_noop_qc_prep,
20887 .qc_issue = ata_dummy_qc_issue,
20888 .error_handler = ata_dummy_error_handler,
20889 diff -urNp linux-2.6.35.4/drivers/ata/libata-eh.c linux-2.6.35.4/drivers/ata/libata-eh.c
20890 --- linux-2.6.35.4/drivers/ata/libata-eh.c 2010-08-26 19:47:12.000000000 -0400
20891 +++ linux-2.6.35.4/drivers/ata/libata-eh.c 2010-09-17 20:12:09.000000000 -0400
20892 @@ -3680,7 +3680,7 @@ void ata_do_eh(struct ata_port *ap, ata_
20894 void ata_std_error_handler(struct ata_port *ap)
20896 - struct ata_port_operations *ops = ap->ops;
20897 + const struct ata_port_operations *ops = ap->ops;
20898 ata_reset_fn_t hardreset = ops->hardreset;
20900 /* ignore built-in hardreset if SCR access is not available */
20901 diff -urNp linux-2.6.35.4/drivers/ata/libata-pmp.c linux-2.6.35.4/drivers/ata/libata-pmp.c
20902 --- linux-2.6.35.4/drivers/ata/libata-pmp.c 2010-08-26 19:47:12.000000000 -0400
20903 +++ linux-2.6.35.4/drivers/ata/libata-pmp.c 2010-09-17 20:12:09.000000000 -0400
20904 @@ -868,7 +868,7 @@ static int sata_pmp_handle_link_fail(str
20906 static int sata_pmp_eh_recover(struct ata_port *ap)
20908 - struct ata_port_operations *ops = ap->ops;
20909 + const struct ata_port_operations *ops = ap->ops;
20910 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
20911 struct ata_link *pmp_link = &ap->link;
20912 struct ata_device *pmp_dev = pmp_link->device;
20913 diff -urNp linux-2.6.35.4/drivers/ata/pata_acpi.c linux-2.6.35.4/drivers/ata/pata_acpi.c
20914 --- linux-2.6.35.4/drivers/ata/pata_acpi.c 2010-08-26 19:47:12.000000000 -0400
20915 +++ linux-2.6.35.4/drivers/ata/pata_acpi.c 2010-09-17 20:12:09.000000000 -0400
20916 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
20917 ATA_BMDMA_SHT(DRV_NAME),
20920 -static struct ata_port_operations pacpi_ops = {
20921 +static const struct ata_port_operations pacpi_ops = {
20922 .inherits = &ata_bmdma_port_ops,
20923 .qc_issue = pacpi_qc_issue,
20924 .cable_detect = pacpi_cable_detect,
20925 diff -urNp linux-2.6.35.4/drivers/ata/pata_ali.c linux-2.6.35.4/drivers/ata/pata_ali.c
20926 --- linux-2.6.35.4/drivers/ata/pata_ali.c 2010-08-26 19:47:12.000000000 -0400
20927 +++ linux-2.6.35.4/drivers/ata/pata_ali.c 2010-09-17 20:12:09.000000000 -0400
20928 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
20929 * Port operations for PIO only ALi
20932 -static struct ata_port_operations ali_early_port_ops = {
20933 +static const struct ata_port_operations ali_early_port_ops = {
20934 .inherits = &ata_sff_port_ops,
20935 .cable_detect = ata_cable_40wire,
20936 .set_piomode = ali_set_piomode,
20937 @@ -380,7 +380,7 @@ static const struct ata_port_operations
20938 * Port operations for DMA capable ALi without cable
20941 -static struct ata_port_operations ali_20_port_ops = {
20942 +static const struct ata_port_operations ali_20_port_ops = {
20943 .inherits = &ali_dma_base_ops,
20944 .cable_detect = ata_cable_40wire,
20945 .mode_filter = ali_20_filter,
20946 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
20948 * Port operations for DMA capable ALi with cable detect
20950 -static struct ata_port_operations ali_c2_port_ops = {
20951 +static const struct ata_port_operations ali_c2_port_ops = {
20952 .inherits = &ali_dma_base_ops,
20953 .check_atapi_dma = ali_check_atapi_dma,
20954 .cable_detect = ali_c2_cable_detect,
20955 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
20957 * Port operations for DMA capable ALi with cable detect
20959 -static struct ata_port_operations ali_c4_port_ops = {
20960 +static const struct ata_port_operations ali_c4_port_ops = {
20961 .inherits = &ali_dma_base_ops,
20962 .check_atapi_dma = ali_check_atapi_dma,
20963 .cable_detect = ali_c2_cable_detect,
20964 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
20966 * Port operations for DMA capable ALi with cable detect and LBA48
20968 -static struct ata_port_operations ali_c5_port_ops = {
20969 +static const struct ata_port_operations ali_c5_port_ops = {
20970 .inherits = &ali_dma_base_ops,
20971 .check_atapi_dma = ali_check_atapi_dma,
20972 .dev_config = ali_warn_atapi_dma,
20973 diff -urNp linux-2.6.35.4/drivers/ata/pata_amd.c linux-2.6.35.4/drivers/ata/pata_amd.c
20974 --- linux-2.6.35.4/drivers/ata/pata_amd.c 2010-08-26 19:47:12.000000000 -0400
20975 +++ linux-2.6.35.4/drivers/ata/pata_amd.c 2010-09-17 20:12:09.000000000 -0400
20976 @@ -397,28 +397,28 @@ static const struct ata_port_operations
20977 .prereset = amd_pre_reset,
20980 -static struct ata_port_operations amd33_port_ops = {
20981 +static const struct ata_port_operations amd33_port_ops = {
20982 .inherits = &amd_base_port_ops,
20983 .cable_detect = ata_cable_40wire,
20984 .set_piomode = amd33_set_piomode,
20985 .set_dmamode = amd33_set_dmamode,
20988 -static struct ata_port_operations amd66_port_ops = {
20989 +static const struct ata_port_operations amd66_port_ops = {
20990 .inherits = &amd_base_port_ops,
20991 .cable_detect = ata_cable_unknown,
20992 .set_piomode = amd66_set_piomode,
20993 .set_dmamode = amd66_set_dmamode,
20996 -static struct ata_port_operations amd100_port_ops = {
20997 +static const struct ata_port_operations amd100_port_ops = {
20998 .inherits = &amd_base_port_ops,
20999 .cable_detect = ata_cable_unknown,
21000 .set_piomode = amd100_set_piomode,
21001 .set_dmamode = amd100_set_dmamode,
21004 -static struct ata_port_operations amd133_port_ops = {
21005 +static const struct ata_port_operations amd133_port_ops = {
21006 .inherits = &amd_base_port_ops,
21007 .cable_detect = amd_cable_detect,
21008 .set_piomode = amd133_set_piomode,
21009 @@ -433,13 +433,13 @@ static const struct ata_port_operations
21010 .host_stop = nv_host_stop,
21013 -static struct ata_port_operations nv100_port_ops = {
21014 +static const struct ata_port_operations nv100_port_ops = {
21015 .inherits = &nv_base_port_ops,
21016 .set_piomode = nv100_set_piomode,
21017 .set_dmamode = nv100_set_dmamode,
21020 -static struct ata_port_operations nv133_port_ops = {
21021 +static const struct ata_port_operations nv133_port_ops = {
21022 .inherits = &nv_base_port_ops,
21023 .set_piomode = nv133_set_piomode,
21024 .set_dmamode = nv133_set_dmamode,
21025 diff -urNp linux-2.6.35.4/drivers/ata/pata_artop.c linux-2.6.35.4/drivers/ata/pata_artop.c
21026 --- linux-2.6.35.4/drivers/ata/pata_artop.c 2010-08-26 19:47:12.000000000 -0400
21027 +++ linux-2.6.35.4/drivers/ata/pata_artop.c 2010-09-17 20:12:09.000000000 -0400
21028 @@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
21029 ATA_BMDMA_SHT(DRV_NAME),
21032 -static struct ata_port_operations artop6210_ops = {
21033 +static const struct ata_port_operations artop6210_ops = {
21034 .inherits = &ata_bmdma_port_ops,
21035 .cable_detect = ata_cable_40wire,
21036 .set_piomode = artop6210_set_piomode,
21037 @@ -320,7 +320,7 @@ static struct ata_port_operations artop6
21038 .qc_defer = artop6210_qc_defer,
21041 -static struct ata_port_operations artop6260_ops = {
21042 +static const struct ata_port_operations artop6260_ops = {
21043 .inherits = &ata_bmdma_port_ops,
21044 .cable_detect = artop6260_cable_detect,
21045 .set_piomode = artop6260_set_piomode,
21046 diff -urNp linux-2.6.35.4/drivers/ata/pata_at32.c linux-2.6.35.4/drivers/ata/pata_at32.c
21047 --- linux-2.6.35.4/drivers/ata/pata_at32.c 2010-08-26 19:47:12.000000000 -0400
21048 +++ linux-2.6.35.4/drivers/ata/pata_at32.c 2010-09-17 20:12:09.000000000 -0400
21049 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
21050 ATA_PIO_SHT(DRV_NAME),
21053 -static struct ata_port_operations at32_port_ops = {
21054 +static const struct ata_port_operations at32_port_ops = {
21055 .inherits = &ata_sff_port_ops,
21056 .cable_detect = ata_cable_40wire,
21057 .set_piomode = pata_at32_set_piomode,
21058 diff -urNp linux-2.6.35.4/drivers/ata/pata_at91.c linux-2.6.35.4/drivers/ata/pata_at91.c
21059 --- linux-2.6.35.4/drivers/ata/pata_at91.c 2010-08-26 19:47:12.000000000 -0400
21060 +++ linux-2.6.35.4/drivers/ata/pata_at91.c 2010-09-17 20:12:09.000000000 -0400
21061 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
21062 ATA_PIO_SHT(DRV_NAME),
21065 -static struct ata_port_operations pata_at91_port_ops = {
21066 +static const struct ata_port_operations pata_at91_port_ops = {
21067 .inherits = &ata_sff_port_ops,
21069 .sff_data_xfer = pata_at91_data_xfer_noirq,
21070 diff -urNp linux-2.6.35.4/drivers/ata/pata_atiixp.c linux-2.6.35.4/drivers/ata/pata_atiixp.c
21071 --- linux-2.6.35.4/drivers/ata/pata_atiixp.c 2010-08-26 19:47:12.000000000 -0400
21072 +++ linux-2.6.35.4/drivers/ata/pata_atiixp.c 2010-09-17 20:12:09.000000000 -0400
21073 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
21074 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21077 -static struct ata_port_operations atiixp_port_ops = {
21078 +static const struct ata_port_operations atiixp_port_ops = {
21079 .inherits = &ata_bmdma_port_ops,
21081 .qc_prep = ata_bmdma_dumb_qc_prep,
21082 diff -urNp linux-2.6.35.4/drivers/ata/pata_atp867x.c linux-2.6.35.4/drivers/ata/pata_atp867x.c
21083 --- linux-2.6.35.4/drivers/ata/pata_atp867x.c 2010-08-26 19:47:12.000000000 -0400
21084 +++ linux-2.6.35.4/drivers/ata/pata_atp867x.c 2010-09-17 20:12:09.000000000 -0400
21085 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
21086 ATA_BMDMA_SHT(DRV_NAME),
21089 -static struct ata_port_operations atp867x_ops = {
21090 +static const struct ata_port_operations atp867x_ops = {
21091 .inherits = &ata_bmdma_port_ops,
21092 .cable_detect = atp867x_cable_detect,
21093 .set_piomode = atp867x_set_piomode,
21094 diff -urNp linux-2.6.35.4/drivers/ata/pata_bf54x.c linux-2.6.35.4/drivers/ata/pata_bf54x.c
21095 --- linux-2.6.35.4/drivers/ata/pata_bf54x.c 2010-08-26 19:47:12.000000000 -0400
21096 +++ linux-2.6.35.4/drivers/ata/pata_bf54x.c 2010-09-17 20:12:09.000000000 -0400
21097 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
21098 .dma_boundary = ATA_DMA_BOUNDARY,
21101 -static struct ata_port_operations bfin_pata_ops = {
21102 +static const struct ata_port_operations bfin_pata_ops = {
21103 .inherits = &ata_bmdma_port_ops,
21105 .set_piomode = bfin_set_piomode,
21106 diff -urNp linux-2.6.35.4/drivers/ata/pata_cmd640.c linux-2.6.35.4/drivers/ata/pata_cmd640.c
21107 --- linux-2.6.35.4/drivers/ata/pata_cmd640.c 2010-08-26 19:47:12.000000000 -0400
21108 +++ linux-2.6.35.4/drivers/ata/pata_cmd640.c 2010-09-17 20:12:09.000000000 -0400
21109 @@ -165,7 +165,7 @@ static struct scsi_host_template cmd640_
21110 ATA_PIO_SHT(DRV_NAME),
21113 -static struct ata_port_operations cmd640_port_ops = {
21114 +static const struct ata_port_operations cmd640_port_ops = {
21115 .inherits = &ata_sff_port_ops,
21116 /* In theory xfer_noirq is not needed once we kill the prefetcher */
21117 .sff_data_xfer = ata_sff_data_xfer_noirq,
21118 diff -urNp linux-2.6.35.4/drivers/ata/pata_cmd64x.c linux-2.6.35.4/drivers/ata/pata_cmd64x.c
21119 --- linux-2.6.35.4/drivers/ata/pata_cmd64x.c 2010-08-26 19:47:12.000000000 -0400
21120 +++ linux-2.6.35.4/drivers/ata/pata_cmd64x.c 2010-09-17 20:12:09.000000000 -0400
21121 @@ -274,18 +274,18 @@ static const struct ata_port_operations
21122 .set_dmamode = cmd64x_set_dmamode,
21125 -static struct ata_port_operations cmd64x_port_ops = {
21126 +static const struct ata_port_operations cmd64x_port_ops = {
21127 .inherits = &cmd64x_base_ops,
21128 .cable_detect = ata_cable_40wire,
21131 -static struct ata_port_operations cmd646r1_port_ops = {
21132 +static const struct ata_port_operations cmd646r1_port_ops = {
21133 .inherits = &cmd64x_base_ops,
21134 .bmdma_stop = cmd646r1_bmdma_stop,
21135 .cable_detect = ata_cable_40wire,
21138 -static struct ata_port_operations cmd648_port_ops = {
21139 +static const struct ata_port_operations cmd648_port_ops = {
21140 .inherits = &cmd64x_base_ops,
21141 .bmdma_stop = cmd648_bmdma_stop,
21142 .cable_detect = cmd648_cable_detect,
21143 diff -urNp linux-2.6.35.4/drivers/ata/pata_cs5520.c linux-2.6.35.4/drivers/ata/pata_cs5520.c
21144 --- linux-2.6.35.4/drivers/ata/pata_cs5520.c 2010-08-26 19:47:12.000000000 -0400
21145 +++ linux-2.6.35.4/drivers/ata/pata_cs5520.c 2010-09-17 20:12:09.000000000 -0400
21146 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
21147 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21150 -static struct ata_port_operations cs5520_port_ops = {
21151 +static const struct ata_port_operations cs5520_port_ops = {
21152 .inherits = &ata_bmdma_port_ops,
21153 .qc_prep = ata_bmdma_dumb_qc_prep,
21154 .cable_detect = ata_cable_40wire,
21155 diff -urNp linux-2.6.35.4/drivers/ata/pata_cs5530.c linux-2.6.35.4/drivers/ata/pata_cs5530.c
21156 --- linux-2.6.35.4/drivers/ata/pata_cs5530.c 2010-08-26 19:47:12.000000000 -0400
21157 +++ linux-2.6.35.4/drivers/ata/pata_cs5530.c 2010-09-17 20:12:09.000000000 -0400
21158 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
21159 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21162 -static struct ata_port_operations cs5530_port_ops = {
21163 +static const struct ata_port_operations cs5530_port_ops = {
21164 .inherits = &ata_bmdma_port_ops,
21166 .qc_prep = ata_bmdma_dumb_qc_prep,
21167 diff -urNp linux-2.6.35.4/drivers/ata/pata_cs5535.c linux-2.6.35.4/drivers/ata/pata_cs5535.c
21168 --- linux-2.6.35.4/drivers/ata/pata_cs5535.c 2010-08-26 19:47:12.000000000 -0400
21169 +++ linux-2.6.35.4/drivers/ata/pata_cs5535.c 2010-09-17 20:12:09.000000000 -0400
21170 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
21171 ATA_BMDMA_SHT(DRV_NAME),
21174 -static struct ata_port_operations cs5535_port_ops = {
21175 +static const struct ata_port_operations cs5535_port_ops = {
21176 .inherits = &ata_bmdma_port_ops,
21177 .cable_detect = cs5535_cable_detect,
21178 .set_piomode = cs5535_set_piomode,
21179 diff -urNp linux-2.6.35.4/drivers/ata/pata_cs5536.c linux-2.6.35.4/drivers/ata/pata_cs5536.c
21180 --- linux-2.6.35.4/drivers/ata/pata_cs5536.c 2010-08-26 19:47:12.000000000 -0400
21181 +++ linux-2.6.35.4/drivers/ata/pata_cs5536.c 2010-09-17 20:12:09.000000000 -0400
21182 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
21183 ATA_BMDMA_SHT(DRV_NAME),
21186 -static struct ata_port_operations cs5536_port_ops = {
21187 +static const struct ata_port_operations cs5536_port_ops = {
21188 .inherits = &ata_bmdma32_port_ops,
21189 .cable_detect = cs5536_cable_detect,
21190 .set_piomode = cs5536_set_piomode,
21191 diff -urNp linux-2.6.35.4/drivers/ata/pata_cypress.c linux-2.6.35.4/drivers/ata/pata_cypress.c
21192 --- linux-2.6.35.4/drivers/ata/pata_cypress.c 2010-08-26 19:47:12.000000000 -0400
21193 +++ linux-2.6.35.4/drivers/ata/pata_cypress.c 2010-09-17 20:12:09.000000000 -0400
21194 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
21195 ATA_BMDMA_SHT(DRV_NAME),
21198 -static struct ata_port_operations cy82c693_port_ops = {
21199 +static const struct ata_port_operations cy82c693_port_ops = {
21200 .inherits = &ata_bmdma_port_ops,
21201 .cable_detect = ata_cable_40wire,
21202 .set_piomode = cy82c693_set_piomode,
21203 diff -urNp linux-2.6.35.4/drivers/ata/pata_efar.c linux-2.6.35.4/drivers/ata/pata_efar.c
21204 --- linux-2.6.35.4/drivers/ata/pata_efar.c 2010-08-26 19:47:12.000000000 -0400
21205 +++ linux-2.6.35.4/drivers/ata/pata_efar.c 2010-09-17 20:12:09.000000000 -0400
21206 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
21207 ATA_BMDMA_SHT(DRV_NAME),
21210 -static struct ata_port_operations efar_ops = {
21211 +static const struct ata_port_operations efar_ops = {
21212 .inherits = &ata_bmdma_port_ops,
21213 .cable_detect = efar_cable_detect,
21214 .set_piomode = efar_set_piomode,
21215 diff -urNp linux-2.6.35.4/drivers/ata/pata_hpt366.c linux-2.6.35.4/drivers/ata/pata_hpt366.c
21216 --- linux-2.6.35.4/drivers/ata/pata_hpt366.c 2010-08-26 19:47:12.000000000 -0400
21217 +++ linux-2.6.35.4/drivers/ata/pata_hpt366.c 2010-09-17 20:12:09.000000000 -0400
21218 @@ -269,7 +269,7 @@ static struct scsi_host_template hpt36x_
21219 * Configuration for HPT366/68
21222 -static struct ata_port_operations hpt366_port_ops = {
21223 +static const struct ata_port_operations hpt366_port_ops = {
21224 .inherits = &ata_bmdma_port_ops,
21225 .cable_detect = hpt36x_cable_detect,
21226 .mode_filter = hpt366_filter,
21227 diff -urNp linux-2.6.35.4/drivers/ata/pata_hpt37x.c linux-2.6.35.4/drivers/ata/pata_hpt37x.c
21228 --- linux-2.6.35.4/drivers/ata/pata_hpt37x.c 2010-08-26 19:47:12.000000000 -0400
21229 +++ linux-2.6.35.4/drivers/ata/pata_hpt37x.c 2010-09-17 20:12:09.000000000 -0400
21230 @@ -564,7 +564,7 @@ static struct scsi_host_template hpt37x_
21231 * Configuration for HPT370
21234 -static struct ata_port_operations hpt370_port_ops = {
21235 +static const struct ata_port_operations hpt370_port_ops = {
21236 .inherits = &ata_bmdma_port_ops,
21238 .bmdma_stop = hpt370_bmdma_stop,
21239 @@ -580,7 +580,7 @@ static struct ata_port_operations hpt370
21240 * Configuration for HPT370A. Close to 370 but less filters
21243 -static struct ata_port_operations hpt370a_port_ops = {
21244 +static const struct ata_port_operations hpt370a_port_ops = {
21245 .inherits = &hpt370_port_ops,
21246 .mode_filter = hpt370a_filter,
21248 @@ -590,7 +590,7 @@ static struct ata_port_operations hpt370
21249 * and DMA mode setting functionality.
21252 -static struct ata_port_operations hpt372_port_ops = {
21253 +static const struct ata_port_operations hpt372_port_ops = {
21254 .inherits = &ata_bmdma_port_ops,
21256 .bmdma_stop = hpt37x_bmdma_stop,
21257 @@ -606,7 +606,7 @@ static struct ata_port_operations hpt372
21258 * but we have a different cable detection procedure for function 1.
21261 -static struct ata_port_operations hpt374_fn1_port_ops = {
21262 +static const struct ata_port_operations hpt374_fn1_port_ops = {
21263 .inherits = &hpt372_port_ops,
21264 .cable_detect = hpt374_fn1_cable_detect,
21265 .prereset = hpt37x_pre_reset,
21266 diff -urNp linux-2.6.35.4/drivers/ata/pata_hpt3x2n.c linux-2.6.35.4/drivers/ata/pata_hpt3x2n.c
21267 --- linux-2.6.35.4/drivers/ata/pata_hpt3x2n.c 2010-08-26 19:47:12.000000000 -0400
21268 +++ linux-2.6.35.4/drivers/ata/pata_hpt3x2n.c 2010-09-17 20:12:09.000000000 -0400
21269 @@ -331,7 +331,7 @@ static struct scsi_host_template hpt3x2n
21270 * Configuration for HPT3x2n.
21273 -static struct ata_port_operations hpt3x2n_port_ops = {
21274 +static const struct ata_port_operations hpt3x2n_port_ops = {
21275 .inherits = &ata_bmdma_port_ops,
21277 .bmdma_stop = hpt3x2n_bmdma_stop,
21278 diff -urNp linux-2.6.35.4/drivers/ata/pata_hpt3x3.c linux-2.6.35.4/drivers/ata/pata_hpt3x3.c
21279 --- linux-2.6.35.4/drivers/ata/pata_hpt3x3.c 2010-08-26 19:47:12.000000000 -0400
21280 +++ linux-2.6.35.4/drivers/ata/pata_hpt3x3.c 2010-09-17 20:12:09.000000000 -0400
21281 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
21282 ATA_BMDMA_SHT(DRV_NAME),
21285 -static struct ata_port_operations hpt3x3_port_ops = {
21286 +static const struct ata_port_operations hpt3x3_port_ops = {
21287 .inherits = &ata_bmdma_port_ops,
21288 .cable_detect = ata_cable_40wire,
21289 .set_piomode = hpt3x3_set_piomode,
21290 diff -urNp linux-2.6.35.4/drivers/ata/pata_icside.c linux-2.6.35.4/drivers/ata/pata_icside.c
21291 --- linux-2.6.35.4/drivers/ata/pata_icside.c 2010-08-26 19:47:12.000000000 -0400
21292 +++ linux-2.6.35.4/drivers/ata/pata_icside.c 2010-09-17 20:12:09.000000000 -0400
21293 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
21297 -static struct ata_port_operations pata_icside_port_ops = {
21298 +static const struct ata_port_operations pata_icside_port_ops = {
21299 .inherits = &ata_bmdma_port_ops,
21300 /* no need to build any PRD tables for DMA */
21301 .qc_prep = ata_noop_qc_prep,
21302 diff -urNp linux-2.6.35.4/drivers/ata/pata_isapnp.c linux-2.6.35.4/drivers/ata/pata_isapnp.c
21303 --- linux-2.6.35.4/drivers/ata/pata_isapnp.c 2010-08-26 19:47:12.000000000 -0400
21304 +++ linux-2.6.35.4/drivers/ata/pata_isapnp.c 2010-09-17 20:12:09.000000000 -0400
21305 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
21306 ATA_PIO_SHT(DRV_NAME),
21309 -static struct ata_port_operations isapnp_port_ops = {
21310 +static const struct ata_port_operations isapnp_port_ops = {
21311 .inherits = &ata_sff_port_ops,
21312 .cable_detect = ata_cable_40wire,
21315 -static struct ata_port_operations isapnp_noalt_port_ops = {
21316 +static const struct ata_port_operations isapnp_noalt_port_ops = {
21317 .inherits = &ata_sff_port_ops,
21318 .cable_detect = ata_cable_40wire,
21319 /* No altstatus so we don't want to use the lost interrupt poll */
21320 diff -urNp linux-2.6.35.4/drivers/ata/pata_it8213.c linux-2.6.35.4/drivers/ata/pata_it8213.c
21321 --- linux-2.6.35.4/drivers/ata/pata_it8213.c 2010-08-26 19:47:12.000000000 -0400
21322 +++ linux-2.6.35.4/drivers/ata/pata_it8213.c 2010-09-17 20:12:09.000000000 -0400
21323 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
21327 -static struct ata_port_operations it8213_ops = {
21328 +static const struct ata_port_operations it8213_ops = {
21329 .inherits = &ata_bmdma_port_ops,
21330 .cable_detect = it8213_cable_detect,
21331 .set_piomode = it8213_set_piomode,
21332 diff -urNp linux-2.6.35.4/drivers/ata/pata_it821x.c linux-2.6.35.4/drivers/ata/pata_it821x.c
21333 --- linux-2.6.35.4/drivers/ata/pata_it821x.c 2010-08-26 19:47:12.000000000 -0400
21334 +++ linux-2.6.35.4/drivers/ata/pata_it821x.c 2010-09-17 20:12:09.000000000 -0400
21335 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
21336 ATA_BMDMA_SHT(DRV_NAME),
21339 -static struct ata_port_operations it821x_smart_port_ops = {
21340 +static const struct ata_port_operations it821x_smart_port_ops = {
21341 .inherits = &ata_bmdma_port_ops,
21343 .check_atapi_dma= it821x_check_atapi_dma,
21344 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
21345 .port_start = it821x_port_start,
21348 -static struct ata_port_operations it821x_passthru_port_ops = {
21349 +static const struct ata_port_operations it821x_passthru_port_ops = {
21350 .inherits = &ata_bmdma_port_ops,
21352 .check_atapi_dma= it821x_check_atapi_dma,
21353 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
21354 .port_start = it821x_port_start,
21357 -static struct ata_port_operations it821x_rdc_port_ops = {
21358 +static const struct ata_port_operations it821x_rdc_port_ops = {
21359 .inherits = &ata_bmdma_port_ops,
21361 .check_atapi_dma= it821x_check_atapi_dma,
21362 diff -urNp linux-2.6.35.4/drivers/ata/pata_ixp4xx_cf.c linux-2.6.35.4/drivers/ata/pata_ixp4xx_cf.c
21363 --- linux-2.6.35.4/drivers/ata/pata_ixp4xx_cf.c 2010-08-26 19:47:12.000000000 -0400
21364 +++ linux-2.6.35.4/drivers/ata/pata_ixp4xx_cf.c 2010-09-17 20:12:09.000000000 -0400
21365 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
21366 ATA_PIO_SHT(DRV_NAME),
21369 -static struct ata_port_operations ixp4xx_port_ops = {
21370 +static const struct ata_port_operations ixp4xx_port_ops = {
21371 .inherits = &ata_sff_port_ops,
21372 .sff_data_xfer = ixp4xx_mmio_data_xfer,
21373 .cable_detect = ata_cable_40wire,
21374 diff -urNp linux-2.6.35.4/drivers/ata/pata_jmicron.c linux-2.6.35.4/drivers/ata/pata_jmicron.c
21375 --- linux-2.6.35.4/drivers/ata/pata_jmicron.c 2010-08-26 19:47:12.000000000 -0400
21376 +++ linux-2.6.35.4/drivers/ata/pata_jmicron.c 2010-09-17 20:12:09.000000000 -0400
21377 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
21378 ATA_BMDMA_SHT(DRV_NAME),
21381 -static struct ata_port_operations jmicron_ops = {
21382 +static const struct ata_port_operations jmicron_ops = {
21383 .inherits = &ata_bmdma_port_ops,
21384 .prereset = jmicron_pre_reset,
21386 diff -urNp linux-2.6.35.4/drivers/ata/pata_legacy.c linux-2.6.35.4/drivers/ata/pata_legacy.c
21387 --- linux-2.6.35.4/drivers/ata/pata_legacy.c 2010-08-26 19:47:12.000000000 -0400
21388 +++ linux-2.6.35.4/drivers/ata/pata_legacy.c 2010-09-17 20:12:09.000000000 -0400
21389 @@ -113,7 +113,7 @@ struct legacy_probe {
21391 struct legacy_controller {
21393 - struct ata_port_operations *ops;
21394 + const struct ata_port_operations *ops;
21395 unsigned int pio_mask;
21396 unsigned int flags;
21397 unsigned int pflags;
21398 @@ -230,12 +230,12 @@ static const struct ata_port_operations
21399 * pio_mask as well.
21402 -static struct ata_port_operations simple_port_ops = {
21403 +static const struct ata_port_operations simple_port_ops = {
21404 .inherits = &legacy_base_port_ops,
21405 .sff_data_xfer = ata_sff_data_xfer_noirq,
21408 -static struct ata_port_operations legacy_port_ops = {
21409 +static const struct ata_port_operations legacy_port_ops = {
21410 .inherits = &legacy_base_port_ops,
21411 .sff_data_xfer = ata_sff_data_xfer_noirq,
21412 .set_mode = legacy_set_mode,
21413 @@ -331,7 +331,7 @@ static unsigned int pdc_data_xfer_vlb(st
21417 -static struct ata_port_operations pdc20230_port_ops = {
21418 +static const struct ata_port_operations pdc20230_port_ops = {
21419 .inherits = &legacy_base_port_ops,
21420 .set_piomode = pdc20230_set_piomode,
21421 .sff_data_xfer = pdc_data_xfer_vlb,
21422 @@ -364,7 +364,7 @@ static void ht6560a_set_piomode(struct a
21423 ioread8(ap->ioaddr.status_addr);
21426 -static struct ata_port_operations ht6560a_port_ops = {
21427 +static const struct ata_port_operations ht6560a_port_ops = {
21428 .inherits = &legacy_base_port_ops,
21429 .set_piomode = ht6560a_set_piomode,
21431 @@ -407,7 +407,7 @@ static void ht6560b_set_piomode(struct a
21432 ioread8(ap->ioaddr.status_addr);
21435 -static struct ata_port_operations ht6560b_port_ops = {
21436 +static const struct ata_port_operations ht6560b_port_ops = {
21437 .inherits = &legacy_base_port_ops,
21438 .set_piomode = ht6560b_set_piomode,
21440 @@ -506,7 +506,7 @@ static void opti82c611a_set_piomode(stru
21444 -static struct ata_port_operations opti82c611a_port_ops = {
21445 +static const struct ata_port_operations opti82c611a_port_ops = {
21446 .inherits = &legacy_base_port_ops,
21447 .set_piomode = opti82c611a_set_piomode,
21449 @@ -616,7 +616,7 @@ static unsigned int opti82c46x_qc_issue(
21450 return ata_sff_qc_issue(qc);
21453 -static struct ata_port_operations opti82c46x_port_ops = {
21454 +static const struct ata_port_operations opti82c46x_port_ops = {
21455 .inherits = &legacy_base_port_ops,
21456 .set_piomode = opti82c46x_set_piomode,
21457 .qc_issue = opti82c46x_qc_issue,
21458 @@ -778,20 +778,20 @@ static int qdi_port(struct platform_devi
21462 -static struct ata_port_operations qdi6500_port_ops = {
21463 +static const struct ata_port_operations qdi6500_port_ops = {
21464 .inherits = &legacy_base_port_ops,
21465 .set_piomode = qdi6500_set_piomode,
21466 .qc_issue = qdi_qc_issue,
21467 .sff_data_xfer = vlb32_data_xfer,
21470 -static struct ata_port_operations qdi6580_port_ops = {
21471 +static const struct ata_port_operations qdi6580_port_ops = {
21472 .inherits = &legacy_base_port_ops,
21473 .set_piomode = qdi6580_set_piomode,
21474 .sff_data_xfer = vlb32_data_xfer,
21477 -static struct ata_port_operations qdi6580dp_port_ops = {
21478 +static const struct ata_port_operations qdi6580dp_port_ops = {
21479 .inherits = &legacy_base_port_ops,
21480 .set_piomode = qdi6580dp_set_piomode,
21481 .qc_issue = qdi_qc_issue,
21482 @@ -863,7 +863,7 @@ static int winbond_port(struct platform_
21486 -static struct ata_port_operations winbond_port_ops = {
21487 +static const struct ata_port_operations winbond_port_ops = {
21488 .inherits = &legacy_base_port_ops,
21489 .set_piomode = winbond_set_piomode,
21490 .sff_data_xfer = vlb32_data_xfer,
21491 @@ -986,7 +986,7 @@ static __init int legacy_init_one(struct
21492 int pio_modes = controller->pio_mask;
21493 unsigned long io = probe->port;
21494 u32 mask = (1 << probe->slot);
21495 - struct ata_port_operations *ops = controller->ops;
21496 + const struct ata_port_operations *ops = controller->ops;
21497 struct legacy_data *ld = &legacy_data[probe->slot];
21498 struct ata_host *host = NULL;
21499 struct ata_port *ap;
21500 diff -urNp linux-2.6.35.4/drivers/ata/pata_macio.c linux-2.6.35.4/drivers/ata/pata_macio.c
21501 --- linux-2.6.35.4/drivers/ata/pata_macio.c 2010-08-26 19:47:12.000000000 -0400
21502 +++ linux-2.6.35.4/drivers/ata/pata_macio.c 2010-09-17 20:12:09.000000000 -0400
21503 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
21504 .slave_configure = pata_macio_slave_config,
21507 -static struct ata_port_operations pata_macio_ops = {
21508 +static const struct ata_port_operations pata_macio_ops = {
21509 .inherits = &ata_bmdma_port_ops,
21511 .freeze = pata_macio_freeze,
21512 .set_piomode = pata_macio_set_timings,
21513 .set_dmamode = pata_macio_set_timings,
21514 diff -urNp linux-2.6.35.4/drivers/ata/pata_marvell.c linux-2.6.35.4/drivers/ata/pata_marvell.c
21515 --- linux-2.6.35.4/drivers/ata/pata_marvell.c 2010-08-26 19:47:12.000000000 -0400
21516 +++ linux-2.6.35.4/drivers/ata/pata_marvell.c 2010-09-17 20:12:09.000000000 -0400
21517 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
21518 ATA_BMDMA_SHT(DRV_NAME),
21521 -static struct ata_port_operations marvell_ops = {
21522 +static const struct ata_port_operations marvell_ops = {
21523 .inherits = &ata_bmdma_port_ops,
21524 .cable_detect = marvell_cable_detect,
21525 .prereset = marvell_pre_reset,
21526 diff -urNp linux-2.6.35.4/drivers/ata/pata_mpc52xx.c linux-2.6.35.4/drivers/ata/pata_mpc52xx.c
21527 --- linux-2.6.35.4/drivers/ata/pata_mpc52xx.c 2010-08-26 19:47:12.000000000 -0400
21528 +++ linux-2.6.35.4/drivers/ata/pata_mpc52xx.c 2010-09-17 20:12:09.000000000 -0400
21529 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
21530 ATA_PIO_SHT(DRV_NAME),
21533 -static struct ata_port_operations mpc52xx_ata_port_ops = {
21534 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
21535 .inherits = &ata_sff_port_ops,
21536 .sff_dev_select = mpc52xx_ata_dev_select,
21537 .set_piomode = mpc52xx_ata_set_piomode,
21538 diff -urNp linux-2.6.35.4/drivers/ata/pata_mpiix.c linux-2.6.35.4/drivers/ata/pata_mpiix.c
21539 --- linux-2.6.35.4/drivers/ata/pata_mpiix.c 2010-08-26 19:47:12.000000000 -0400
21540 +++ linux-2.6.35.4/drivers/ata/pata_mpiix.c 2010-09-17 20:12:09.000000000 -0400
21541 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
21542 ATA_PIO_SHT(DRV_NAME),
21545 -static struct ata_port_operations mpiix_port_ops = {
21546 +static const struct ata_port_operations mpiix_port_ops = {
21547 .inherits = &ata_sff_port_ops,
21548 .qc_issue = mpiix_qc_issue,
21549 .cable_detect = ata_cable_40wire,
21550 diff -urNp linux-2.6.35.4/drivers/ata/pata_netcell.c linux-2.6.35.4/drivers/ata/pata_netcell.c
21551 --- linux-2.6.35.4/drivers/ata/pata_netcell.c 2010-08-26 19:47:12.000000000 -0400
21552 +++ linux-2.6.35.4/drivers/ata/pata_netcell.c 2010-09-17 20:12:09.000000000 -0400
21553 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
21554 ATA_BMDMA_SHT(DRV_NAME),
21557 -static struct ata_port_operations netcell_ops = {
21558 +static const struct ata_port_operations netcell_ops = {
21559 .inherits = &ata_bmdma_port_ops,
21560 .cable_detect = ata_cable_80wire,
21561 .read_id = netcell_read_id,
21562 diff -urNp linux-2.6.35.4/drivers/ata/pata_ninja32.c linux-2.6.35.4/drivers/ata/pata_ninja32.c
21563 --- linux-2.6.35.4/drivers/ata/pata_ninja32.c 2010-08-26 19:47:12.000000000 -0400
21564 +++ linux-2.6.35.4/drivers/ata/pata_ninja32.c 2010-09-17 20:12:09.000000000 -0400
21565 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
21566 ATA_BMDMA_SHT(DRV_NAME),
21569 -static struct ata_port_operations ninja32_port_ops = {
21570 +static const struct ata_port_operations ninja32_port_ops = {
21571 .inherits = &ata_bmdma_port_ops,
21572 .sff_dev_select = ninja32_dev_select,
21573 .cable_detect = ata_cable_40wire,
21574 diff -urNp linux-2.6.35.4/drivers/ata/pata_ns87410.c linux-2.6.35.4/drivers/ata/pata_ns87410.c
21575 --- linux-2.6.35.4/drivers/ata/pata_ns87410.c 2010-08-26 19:47:12.000000000 -0400
21576 +++ linux-2.6.35.4/drivers/ata/pata_ns87410.c 2010-09-17 20:12:09.000000000 -0400
21577 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
21578 ATA_PIO_SHT(DRV_NAME),
21581 -static struct ata_port_operations ns87410_port_ops = {
21582 +static const struct ata_port_operations ns87410_port_ops = {
21583 .inherits = &ata_sff_port_ops,
21584 .qc_issue = ns87410_qc_issue,
21585 .cable_detect = ata_cable_40wire,
21586 diff -urNp linux-2.6.35.4/drivers/ata/pata_ns87415.c linux-2.6.35.4/drivers/ata/pata_ns87415.c
21587 --- linux-2.6.35.4/drivers/ata/pata_ns87415.c 2010-08-26 19:47:12.000000000 -0400
21588 +++ linux-2.6.35.4/drivers/ata/pata_ns87415.c 2010-09-17 20:12:09.000000000 -0400
21589 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
21591 #endif /* 87560 SuperIO Support */
21593 -static struct ata_port_operations ns87415_pata_ops = {
21594 +static const struct ata_port_operations ns87415_pata_ops = {
21595 .inherits = &ata_bmdma_port_ops,
21597 .check_atapi_dma = ns87415_check_atapi_dma,
21598 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
21601 #if defined(CONFIG_SUPERIO)
21602 -static struct ata_port_operations ns87560_pata_ops = {
21603 +static const struct ata_port_operations ns87560_pata_ops = {
21604 .inherits = &ns87415_pata_ops,
21605 .sff_tf_read = ns87560_tf_read,
21606 .sff_check_status = ns87560_check_status,
21607 diff -urNp linux-2.6.35.4/drivers/ata/pata_octeon_cf.c linux-2.6.35.4/drivers/ata/pata_octeon_cf.c
21608 --- linux-2.6.35.4/drivers/ata/pata_octeon_cf.c 2010-08-26 19:47:12.000000000 -0400
21609 +++ linux-2.6.35.4/drivers/ata/pata_octeon_cf.c 2010-09-17 20:12:09.000000000 -0400
21610 @@ -782,6 +782,7 @@ static unsigned int octeon_cf_qc_issue(s
21614 +/* cannot be const */
21615 static struct ata_port_operations octeon_cf_ops = {
21616 .inherits = &ata_sff_port_ops,
21617 .check_atapi_dma = octeon_cf_check_atapi_dma,
21618 diff -urNp linux-2.6.35.4/drivers/ata/pata_oldpiix.c linux-2.6.35.4/drivers/ata/pata_oldpiix.c
21619 --- linux-2.6.35.4/drivers/ata/pata_oldpiix.c 2010-08-26 19:47:12.000000000 -0400
21620 +++ linux-2.6.35.4/drivers/ata/pata_oldpiix.c 2010-09-17 20:12:09.000000000 -0400
21621 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
21622 ATA_BMDMA_SHT(DRV_NAME),
21625 -static struct ata_port_operations oldpiix_pata_ops = {
21626 +static const struct ata_port_operations oldpiix_pata_ops = {
21627 .inherits = &ata_bmdma_port_ops,
21628 .qc_issue = oldpiix_qc_issue,
21629 .cable_detect = ata_cable_40wire,
21630 diff -urNp linux-2.6.35.4/drivers/ata/pata_opti.c linux-2.6.35.4/drivers/ata/pata_opti.c
21631 --- linux-2.6.35.4/drivers/ata/pata_opti.c 2010-08-26 19:47:12.000000000 -0400
21632 +++ linux-2.6.35.4/drivers/ata/pata_opti.c 2010-09-17 20:12:09.000000000 -0400
21633 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
21634 ATA_PIO_SHT(DRV_NAME),
21637 -static struct ata_port_operations opti_port_ops = {
21638 +static const struct ata_port_operations opti_port_ops = {
21639 .inherits = &ata_sff_port_ops,
21640 .cable_detect = ata_cable_40wire,
21641 .set_piomode = opti_set_piomode,
21642 diff -urNp linux-2.6.35.4/drivers/ata/pata_optidma.c linux-2.6.35.4/drivers/ata/pata_optidma.c
21643 --- linux-2.6.35.4/drivers/ata/pata_optidma.c 2010-08-26 19:47:12.000000000 -0400
21644 +++ linux-2.6.35.4/drivers/ata/pata_optidma.c 2010-09-17 20:12:09.000000000 -0400
21645 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
21646 ATA_BMDMA_SHT(DRV_NAME),
21649 -static struct ata_port_operations optidma_port_ops = {
21650 +static const struct ata_port_operations optidma_port_ops = {
21651 .inherits = &ata_bmdma_port_ops,
21652 .cable_detect = ata_cable_40wire,
21653 .set_piomode = optidma_set_pio_mode,
21654 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
21655 .prereset = optidma_pre_reset,
21658 -static struct ata_port_operations optiplus_port_ops = {
21659 +static const struct ata_port_operations optiplus_port_ops = {
21660 .inherits = &optidma_port_ops,
21661 .set_piomode = optiplus_set_pio_mode,
21662 .set_dmamode = optiplus_set_dma_mode,
21663 diff -urNp linux-2.6.35.4/drivers/ata/pata_palmld.c linux-2.6.35.4/drivers/ata/pata_palmld.c
21664 --- linux-2.6.35.4/drivers/ata/pata_palmld.c 2010-08-26 19:47:12.000000000 -0400
21665 +++ linux-2.6.35.4/drivers/ata/pata_palmld.c 2010-09-17 20:12:09.000000000 -0400
21666 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
21667 ATA_PIO_SHT(DRV_NAME),
21670 -static struct ata_port_operations palmld_port_ops = {
21671 +static const struct ata_port_operations palmld_port_ops = {
21672 .inherits = &ata_sff_port_ops,
21673 .sff_data_xfer = ata_sff_data_xfer_noirq,
21674 .cable_detect = ata_cable_40wire,
21675 diff -urNp linux-2.6.35.4/drivers/ata/pata_pcmcia.c linux-2.6.35.4/drivers/ata/pata_pcmcia.c
21676 --- linux-2.6.35.4/drivers/ata/pata_pcmcia.c 2010-08-26 19:47:12.000000000 -0400
21677 +++ linux-2.6.35.4/drivers/ata/pata_pcmcia.c 2010-09-17 20:12:09.000000000 -0400
21678 @@ -153,14 +153,14 @@ static struct scsi_host_template pcmcia_
21679 ATA_PIO_SHT(DRV_NAME),
21682 -static struct ata_port_operations pcmcia_port_ops = {
21683 +static const struct ata_port_operations pcmcia_port_ops = {
21684 .inherits = &ata_sff_port_ops,
21685 .sff_data_xfer = ata_sff_data_xfer_noirq,
21686 .cable_detect = ata_cable_40wire,
21687 .set_mode = pcmcia_set_mode,
21690 -static struct ata_port_operations pcmcia_8bit_port_ops = {
21691 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
21692 .inherits = &ata_sff_port_ops,
21693 .sff_data_xfer = ata_data_xfer_8bit,
21694 .cable_detect = ata_cable_40wire,
21695 @@ -243,7 +243,7 @@ static int pcmcia_init_one(struct pcmcia
21696 unsigned long io_base, ctl_base;
21697 void __iomem *io_addr, *ctl_addr;
21699 - struct ata_port_operations *ops = &pcmcia_port_ops;
21700 + const struct ata_port_operations *ops = &pcmcia_port_ops;
21702 /* Set up attributes in order to probe card and get resources */
21703 pdev->io.Attributes1 = IO_DATA_PATH_WIDTH_AUTO;
21704 diff -urNp linux-2.6.35.4/drivers/ata/pata_pdc2027x.c linux-2.6.35.4/drivers/ata/pata_pdc2027x.c
21705 --- linux-2.6.35.4/drivers/ata/pata_pdc2027x.c 2010-08-26 19:47:12.000000000 -0400
21706 +++ linux-2.6.35.4/drivers/ata/pata_pdc2027x.c 2010-09-17 20:12:09.000000000 -0400
21707 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
21708 ATA_BMDMA_SHT(DRV_NAME),
21711 -static struct ata_port_operations pdc2027x_pata100_ops = {
21712 +static const struct ata_port_operations pdc2027x_pata100_ops = {
21713 .inherits = &ata_bmdma_port_ops,
21714 .check_atapi_dma = pdc2027x_check_atapi_dma,
21715 .cable_detect = pdc2027x_cable_detect,
21716 .prereset = pdc2027x_prereset,
21719 -static struct ata_port_operations pdc2027x_pata133_ops = {
21720 +static const struct ata_port_operations pdc2027x_pata133_ops = {
21721 .inherits = &pdc2027x_pata100_ops,
21722 .mode_filter = pdc2027x_mode_filter,
21723 .set_piomode = pdc2027x_set_piomode,
21724 diff -urNp linux-2.6.35.4/drivers/ata/pata_pdc202xx_old.c linux-2.6.35.4/drivers/ata/pata_pdc202xx_old.c
21725 --- linux-2.6.35.4/drivers/ata/pata_pdc202xx_old.c 2010-08-26 19:47:12.000000000 -0400
21726 +++ linux-2.6.35.4/drivers/ata/pata_pdc202xx_old.c 2010-09-17 20:12:09.000000000 -0400
21727 @@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
21728 ATA_BMDMA_SHT(DRV_NAME),
21731 -static struct ata_port_operations pdc2024x_port_ops = {
21732 +static const struct ata_port_operations pdc2024x_port_ops = {
21733 .inherits = &ata_bmdma_port_ops,
21735 .cable_detect = ata_cable_40wire,
21736 @@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
21737 .sff_exec_command = pdc202xx_exec_command,
21740 -static struct ata_port_operations pdc2026x_port_ops = {
21741 +static const struct ata_port_operations pdc2026x_port_ops = {
21742 .inherits = &pdc2024x_port_ops,
21744 .check_atapi_dma = pdc2026x_check_atapi_dma,
21745 diff -urNp linux-2.6.35.4/drivers/ata/pata_piccolo.c linux-2.6.35.4/drivers/ata/pata_piccolo.c
21746 --- linux-2.6.35.4/drivers/ata/pata_piccolo.c 2010-08-26 19:47:12.000000000 -0400
21747 +++ linux-2.6.35.4/drivers/ata/pata_piccolo.c 2010-09-17 20:12:09.000000000 -0400
21748 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
21749 ATA_BMDMA_SHT(DRV_NAME),
21752 -static struct ata_port_operations tosh_port_ops = {
21753 +static const struct ata_port_operations tosh_port_ops = {
21754 .inherits = &ata_bmdma_port_ops,
21755 .cable_detect = ata_cable_unknown,
21756 .set_piomode = tosh_set_piomode,
21757 diff -urNp linux-2.6.35.4/drivers/ata/pata_platform.c linux-2.6.35.4/drivers/ata/pata_platform.c
21758 --- linux-2.6.35.4/drivers/ata/pata_platform.c 2010-08-26 19:47:12.000000000 -0400
21759 +++ linux-2.6.35.4/drivers/ata/pata_platform.c 2010-09-17 20:12:09.000000000 -0400
21760 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
21761 ATA_PIO_SHT(DRV_NAME),
21764 -static struct ata_port_operations pata_platform_port_ops = {
21765 +static const struct ata_port_operations pata_platform_port_ops = {
21766 .inherits = &ata_sff_port_ops,
21767 .sff_data_xfer = ata_sff_data_xfer_noirq,
21768 .cable_detect = ata_cable_unknown,
21769 diff -urNp linux-2.6.35.4/drivers/ata/pata_qdi.c linux-2.6.35.4/drivers/ata/pata_qdi.c
21770 --- linux-2.6.35.4/drivers/ata/pata_qdi.c 2010-08-26 19:47:12.000000000 -0400
21771 +++ linux-2.6.35.4/drivers/ata/pata_qdi.c 2010-09-17 20:12:09.000000000 -0400
21772 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
21773 ATA_PIO_SHT(DRV_NAME),
21776 -static struct ata_port_operations qdi6500_port_ops = {
21777 +static const struct ata_port_operations qdi6500_port_ops = {
21778 .inherits = &ata_sff_port_ops,
21779 .qc_issue = qdi_qc_issue,
21780 .sff_data_xfer = qdi_data_xfer,
21781 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
21782 .set_piomode = qdi6500_set_piomode,
21785 -static struct ata_port_operations qdi6580_port_ops = {
21786 +static const struct ata_port_operations qdi6580_port_ops = {
21787 .inherits = &qdi6500_port_ops,
21788 .set_piomode = qdi6580_set_piomode,
21790 diff -urNp linux-2.6.35.4/drivers/ata/pata_radisys.c linux-2.6.35.4/drivers/ata/pata_radisys.c
21791 --- linux-2.6.35.4/drivers/ata/pata_radisys.c 2010-08-26 19:47:12.000000000 -0400
21792 +++ linux-2.6.35.4/drivers/ata/pata_radisys.c 2010-09-17 20:12:09.000000000 -0400
21793 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
21794 ATA_BMDMA_SHT(DRV_NAME),
21797 -static struct ata_port_operations radisys_pata_ops = {
21798 +static const struct ata_port_operations radisys_pata_ops = {
21799 .inherits = &ata_bmdma_port_ops,
21800 .qc_issue = radisys_qc_issue,
21801 .cable_detect = ata_cable_unknown,
21802 diff -urNp linux-2.6.35.4/drivers/ata/pata_rb532_cf.c linux-2.6.35.4/drivers/ata/pata_rb532_cf.c
21803 --- linux-2.6.35.4/drivers/ata/pata_rb532_cf.c 2010-08-26 19:47:12.000000000 -0400
21804 +++ linux-2.6.35.4/drivers/ata/pata_rb532_cf.c 2010-09-17 20:12:09.000000000 -0400
21805 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
21806 return IRQ_HANDLED;
21809 -static struct ata_port_operations rb532_pata_port_ops = {
21810 +static const struct ata_port_operations rb532_pata_port_ops = {
21811 .inherits = &ata_sff_port_ops,
21812 .sff_data_xfer = ata_sff_data_xfer32,
21814 diff -urNp linux-2.6.35.4/drivers/ata/pata_rdc.c linux-2.6.35.4/drivers/ata/pata_rdc.c
21815 --- linux-2.6.35.4/drivers/ata/pata_rdc.c 2010-08-26 19:47:12.000000000 -0400
21816 +++ linux-2.6.35.4/drivers/ata/pata_rdc.c 2010-09-17 20:12:09.000000000 -0400
21817 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
21818 pci_write_config_byte(dev, 0x48, udma_enable);
21821 -static struct ata_port_operations rdc_pata_ops = {
21822 +static const struct ata_port_operations rdc_pata_ops = {
21823 .inherits = &ata_bmdma32_port_ops,
21824 .cable_detect = rdc_pata_cable_detect,
21825 .set_piomode = rdc_set_piomode,
21826 diff -urNp linux-2.6.35.4/drivers/ata/pata_rz1000.c linux-2.6.35.4/drivers/ata/pata_rz1000.c
21827 --- linux-2.6.35.4/drivers/ata/pata_rz1000.c 2010-08-26 19:47:12.000000000 -0400
21828 +++ linux-2.6.35.4/drivers/ata/pata_rz1000.c 2010-09-17 20:12:09.000000000 -0400
21829 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
21830 ATA_PIO_SHT(DRV_NAME),
21833 -static struct ata_port_operations rz1000_port_ops = {
21834 +static const struct ata_port_operations rz1000_port_ops = {
21835 .inherits = &ata_sff_port_ops,
21836 .cable_detect = ata_cable_40wire,
21837 .set_mode = rz1000_set_mode,
21838 diff -urNp linux-2.6.35.4/drivers/ata/pata_sc1200.c linux-2.6.35.4/drivers/ata/pata_sc1200.c
21839 --- linux-2.6.35.4/drivers/ata/pata_sc1200.c 2010-08-26 19:47:12.000000000 -0400
21840 +++ linux-2.6.35.4/drivers/ata/pata_sc1200.c 2010-09-17 20:12:09.000000000 -0400
21841 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
21842 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21845 -static struct ata_port_operations sc1200_port_ops = {
21846 +static const struct ata_port_operations sc1200_port_ops = {
21847 .inherits = &ata_bmdma_port_ops,
21848 .qc_prep = ata_bmdma_dumb_qc_prep,
21849 .qc_issue = sc1200_qc_issue,
21850 diff -urNp linux-2.6.35.4/drivers/ata/pata_scc.c linux-2.6.35.4/drivers/ata/pata_scc.c
21851 --- linux-2.6.35.4/drivers/ata/pata_scc.c 2010-08-26 19:47:12.000000000 -0400
21852 +++ linux-2.6.35.4/drivers/ata/pata_scc.c 2010-09-17 20:12:09.000000000 -0400
21853 @@ -927,7 +927,7 @@ static struct scsi_host_template scc_sht
21854 ATA_BMDMA_SHT(DRV_NAME),
21857 -static struct ata_port_operations scc_pata_ops = {
21858 +static const struct ata_port_operations scc_pata_ops = {
21859 .inherits = &ata_bmdma_port_ops,
21861 .set_piomode = scc_set_piomode,
21862 diff -urNp linux-2.6.35.4/drivers/ata/pata_sch.c linux-2.6.35.4/drivers/ata/pata_sch.c
21863 --- linux-2.6.35.4/drivers/ata/pata_sch.c 2010-08-26 19:47:12.000000000 -0400
21864 +++ linux-2.6.35.4/drivers/ata/pata_sch.c 2010-09-17 20:12:09.000000000 -0400
21865 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
21866 ATA_BMDMA_SHT(DRV_NAME),
21869 -static struct ata_port_operations sch_pata_ops = {
21870 +static const struct ata_port_operations sch_pata_ops = {
21871 .inherits = &ata_bmdma_port_ops,
21872 .cable_detect = ata_cable_unknown,
21873 .set_piomode = sch_set_piomode,
21874 diff -urNp linux-2.6.35.4/drivers/ata/pata_serverworks.c linux-2.6.35.4/drivers/ata/pata_serverworks.c
21875 --- linux-2.6.35.4/drivers/ata/pata_serverworks.c 2010-08-26 19:47:12.000000000 -0400
21876 +++ linux-2.6.35.4/drivers/ata/pata_serverworks.c 2010-09-17 20:12:09.000000000 -0400
21877 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
21878 ATA_BMDMA_SHT(DRV_NAME),
21881 -static struct ata_port_operations serverworks_osb4_port_ops = {
21882 +static const struct ata_port_operations serverworks_osb4_port_ops = {
21883 .inherits = &ata_bmdma_port_ops,
21884 .cable_detect = serverworks_cable_detect,
21885 .mode_filter = serverworks_osb4_filter,
21886 @@ -308,7 +308,7 @@ static struct ata_port_operations server
21887 .set_dmamode = serverworks_set_dmamode,
21890 -static struct ata_port_operations serverworks_csb_port_ops = {
21891 +static const struct ata_port_operations serverworks_csb_port_ops = {
21892 .inherits = &serverworks_osb4_port_ops,
21893 .mode_filter = serverworks_csb_filter,
21895 diff -urNp linux-2.6.35.4/drivers/ata/pata_sil680.c linux-2.6.35.4/drivers/ata/pata_sil680.c
21896 --- linux-2.6.35.4/drivers/ata/pata_sil680.c 2010-08-26 19:47:12.000000000 -0400
21897 +++ linux-2.6.35.4/drivers/ata/pata_sil680.c 2010-09-17 20:12:09.000000000 -0400
21898 @@ -214,8 +214,7 @@ static struct scsi_host_template sil680_
21899 ATA_BMDMA_SHT(DRV_NAME),
21903 -static struct ata_port_operations sil680_port_ops = {
21904 +static const struct ata_port_operations sil680_port_ops = {
21905 .inherits = &ata_bmdma32_port_ops,
21906 .sff_exec_command = sil680_sff_exec_command,
21907 .cable_detect = sil680_cable_detect,
21908 diff -urNp linux-2.6.35.4/drivers/ata/pata_sis.c linux-2.6.35.4/drivers/ata/pata_sis.c
21909 --- linux-2.6.35.4/drivers/ata/pata_sis.c 2010-08-26 19:47:12.000000000 -0400
21910 +++ linux-2.6.35.4/drivers/ata/pata_sis.c 2010-09-17 20:12:09.000000000 -0400
21911 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
21912 ATA_BMDMA_SHT(DRV_NAME),
21915 -static struct ata_port_operations sis_133_for_sata_ops = {
21916 +static const struct ata_port_operations sis_133_for_sata_ops = {
21917 .inherits = &ata_bmdma_port_ops,
21918 .set_piomode = sis_133_set_piomode,
21919 .set_dmamode = sis_133_set_dmamode,
21920 .cable_detect = sis_133_cable_detect,
21923 -static struct ata_port_operations sis_base_ops = {
21924 +static const struct ata_port_operations sis_base_ops = {
21925 .inherits = &ata_bmdma_port_ops,
21926 .prereset = sis_pre_reset,
21929 -static struct ata_port_operations sis_133_ops = {
21930 +static const struct ata_port_operations sis_133_ops = {
21931 .inherits = &sis_base_ops,
21932 .set_piomode = sis_133_set_piomode,
21933 .set_dmamode = sis_133_set_dmamode,
21934 .cable_detect = sis_133_cable_detect,
21937 -static struct ata_port_operations sis_133_early_ops = {
21938 +static const struct ata_port_operations sis_133_early_ops = {
21939 .inherits = &sis_base_ops,
21940 .set_piomode = sis_100_set_piomode,
21941 .set_dmamode = sis_133_early_set_dmamode,
21942 .cable_detect = sis_66_cable_detect,
21945 -static struct ata_port_operations sis_100_ops = {
21946 +static const struct ata_port_operations sis_100_ops = {
21947 .inherits = &sis_base_ops,
21948 .set_piomode = sis_100_set_piomode,
21949 .set_dmamode = sis_100_set_dmamode,
21950 .cable_detect = sis_66_cable_detect,
21953 -static struct ata_port_operations sis_66_ops = {
21954 +static const struct ata_port_operations sis_66_ops = {
21955 .inherits = &sis_base_ops,
21956 .set_piomode = sis_old_set_piomode,
21957 .set_dmamode = sis_66_set_dmamode,
21958 .cable_detect = sis_66_cable_detect,
21961 -static struct ata_port_operations sis_old_ops = {
21962 +static const struct ata_port_operations sis_old_ops = {
21963 .inherits = &sis_base_ops,
21964 .set_piomode = sis_old_set_piomode,
21965 .set_dmamode = sis_old_set_dmamode,
21966 diff -urNp linux-2.6.35.4/drivers/ata/pata_sl82c105.c linux-2.6.35.4/drivers/ata/pata_sl82c105.c
21967 --- linux-2.6.35.4/drivers/ata/pata_sl82c105.c 2010-08-26 19:47:12.000000000 -0400
21968 +++ linux-2.6.35.4/drivers/ata/pata_sl82c105.c 2010-09-17 20:12:09.000000000 -0400
21969 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
21970 ATA_BMDMA_SHT(DRV_NAME),
21973 -static struct ata_port_operations sl82c105_port_ops = {
21974 +static const struct ata_port_operations sl82c105_port_ops = {
21975 .inherits = &ata_bmdma_port_ops,
21976 .qc_defer = sl82c105_qc_defer,
21977 .bmdma_start = sl82c105_bmdma_start,
21978 diff -urNp linux-2.6.35.4/drivers/ata/pata_triflex.c linux-2.6.35.4/drivers/ata/pata_triflex.c
21979 --- linux-2.6.35.4/drivers/ata/pata_triflex.c 2010-08-26 19:47:12.000000000 -0400
21980 +++ linux-2.6.35.4/drivers/ata/pata_triflex.c 2010-09-17 20:12:09.000000000 -0400
21981 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
21982 ATA_BMDMA_SHT(DRV_NAME),
21985 -static struct ata_port_operations triflex_port_ops = {
21986 +static const struct ata_port_operations triflex_port_ops = {
21987 .inherits = &ata_bmdma_port_ops,
21988 .bmdma_start = triflex_bmdma_start,
21989 .bmdma_stop = triflex_bmdma_stop,
21990 diff -urNp linux-2.6.35.4/drivers/ata/pata_via.c linux-2.6.35.4/drivers/ata/pata_via.c
21991 --- linux-2.6.35.4/drivers/ata/pata_via.c 2010-08-26 19:47:12.000000000 -0400
21992 +++ linux-2.6.35.4/drivers/ata/pata_via.c 2010-09-17 20:12:09.000000000 -0400
21993 @@ -439,7 +439,7 @@ static struct scsi_host_template via_sht
21994 ATA_BMDMA_SHT(DRV_NAME),
21997 -static struct ata_port_operations via_port_ops = {
21998 +static const struct ata_port_operations via_port_ops = {
21999 .inherits = &ata_bmdma_port_ops,
22000 .cable_detect = via_cable_detect,
22001 .set_piomode = via_set_piomode,
22002 @@ -450,7 +450,7 @@ static struct ata_port_operations via_po
22003 .mode_filter = via_mode_filter,
22006 -static struct ata_port_operations via_port_ops_noirq = {
22007 +static const struct ata_port_operations via_port_ops_noirq = {
22008 .inherits = &via_port_ops,
22009 .sff_data_xfer = ata_sff_data_xfer_noirq,
22011 diff -urNp linux-2.6.35.4/drivers/ata/pata_winbond.c linux-2.6.35.4/drivers/ata/pata_winbond.c
22012 --- linux-2.6.35.4/drivers/ata/pata_winbond.c 2010-08-26 19:47:12.000000000 -0400
22013 +++ linux-2.6.35.4/drivers/ata/pata_winbond.c 2010-09-17 20:12:09.000000000 -0400
22014 @@ -125,7 +125,7 @@ static struct scsi_host_template winbond
22015 ATA_PIO_SHT(DRV_NAME),
22018 -static struct ata_port_operations winbond_port_ops = {
22019 +static const struct ata_port_operations winbond_port_ops = {
22020 .inherits = &ata_sff_port_ops,
22021 .sff_data_xfer = winbond_data_xfer,
22022 .cable_detect = ata_cable_40wire,
22023 diff -urNp linux-2.6.35.4/drivers/ata/pdc_adma.c linux-2.6.35.4/drivers/ata/pdc_adma.c
22024 --- linux-2.6.35.4/drivers/ata/pdc_adma.c 2010-08-26 19:47:12.000000000 -0400
22025 +++ linux-2.6.35.4/drivers/ata/pdc_adma.c 2010-09-17 20:12:09.000000000 -0400
22026 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
22027 .dma_boundary = ADMA_DMA_BOUNDARY,
22030 -static struct ata_port_operations adma_ata_ops = {
22031 +static const struct ata_port_operations adma_ata_ops = {
22032 .inherits = &ata_sff_port_ops,
22034 .lost_interrupt = ATA_OP_NULL,
22035 diff -urNp linux-2.6.35.4/drivers/ata/sata_fsl.c linux-2.6.35.4/drivers/ata/sata_fsl.c
22036 --- linux-2.6.35.4/drivers/ata/sata_fsl.c 2010-08-26 19:47:12.000000000 -0400
22037 +++ linux-2.6.35.4/drivers/ata/sata_fsl.c 2010-09-17 20:12:09.000000000 -0400
22038 @@ -1261,7 +1261,7 @@ static struct scsi_host_template sata_fs
22039 .dma_boundary = ATA_DMA_BOUNDARY,
22042 -static struct ata_port_operations sata_fsl_ops = {
22043 +static const struct ata_port_operations sata_fsl_ops = {
22044 .inherits = &sata_pmp_port_ops,
22046 .qc_defer = ata_std_qc_defer,
22047 diff -urNp linux-2.6.35.4/drivers/ata/sata_inic162x.c linux-2.6.35.4/drivers/ata/sata_inic162x.c
22048 --- linux-2.6.35.4/drivers/ata/sata_inic162x.c 2010-08-26 19:47:12.000000000 -0400
22049 +++ linux-2.6.35.4/drivers/ata/sata_inic162x.c 2010-09-17 20:12:09.000000000 -0400
22050 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
22054 -static struct ata_port_operations inic_port_ops = {
22055 +static const struct ata_port_operations inic_port_ops = {
22056 .inherits = &sata_port_ops,
22058 .check_atapi_dma = inic_check_atapi_dma,
22059 diff -urNp linux-2.6.35.4/drivers/ata/sata_mv.c linux-2.6.35.4/drivers/ata/sata_mv.c
22060 --- linux-2.6.35.4/drivers/ata/sata_mv.c 2010-08-26 19:47:12.000000000 -0400
22061 +++ linux-2.6.35.4/drivers/ata/sata_mv.c 2010-09-17 20:12:09.000000000 -0400
22062 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
22063 .dma_boundary = MV_DMA_BOUNDARY,
22066 -static struct ata_port_operations mv5_ops = {
22067 +static const struct ata_port_operations mv5_ops = {
22068 .inherits = &ata_sff_port_ops,
22070 .lost_interrupt = ATA_OP_NULL,
22071 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
22072 .port_stop = mv_port_stop,
22075 -static struct ata_port_operations mv6_ops = {
22076 +static const struct ata_port_operations mv6_ops = {
22077 .inherits = &ata_bmdma_port_ops,
22079 .lost_interrupt = ATA_OP_NULL,
22080 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
22081 .port_stop = mv_port_stop,
22084 -static struct ata_port_operations mv_iie_ops = {
22085 +static const struct ata_port_operations mv_iie_ops = {
22086 .inherits = &mv6_ops,
22087 .dev_config = ATA_OP_NULL,
22088 .qc_prep = mv_qc_prep_iie,
22089 diff -urNp linux-2.6.35.4/drivers/ata/sata_nv.c linux-2.6.35.4/drivers/ata/sata_nv.c
22090 --- linux-2.6.35.4/drivers/ata/sata_nv.c 2010-08-26 19:47:12.000000000 -0400
22091 +++ linux-2.6.35.4/drivers/ata/sata_nv.c 2010-09-17 20:12:09.000000000 -0400
22092 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
22093 * cases. Define nv_hardreset() which only kicks in for post-boot
22094 * probing and use it for all variants.
22096 -static struct ata_port_operations nv_generic_ops = {
22097 +static const struct ata_port_operations nv_generic_ops = {
22098 .inherits = &ata_bmdma_port_ops,
22099 .lost_interrupt = ATA_OP_NULL,
22100 .scr_read = nv_scr_read,
22101 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
22102 .hardreset = nv_hardreset,
22105 -static struct ata_port_operations nv_nf2_ops = {
22106 +static const struct ata_port_operations nv_nf2_ops = {
22107 .inherits = &nv_generic_ops,
22108 .freeze = nv_nf2_freeze,
22109 .thaw = nv_nf2_thaw,
22112 -static struct ata_port_operations nv_ck804_ops = {
22113 +static const struct ata_port_operations nv_ck804_ops = {
22114 .inherits = &nv_generic_ops,
22115 .freeze = nv_ck804_freeze,
22116 .thaw = nv_ck804_thaw,
22117 .host_stop = nv_ck804_host_stop,
22120 -static struct ata_port_operations nv_adma_ops = {
22121 +static const struct ata_port_operations nv_adma_ops = {
22122 .inherits = &nv_ck804_ops,
22124 .check_atapi_dma = nv_adma_check_atapi_dma,
22125 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
22126 .host_stop = nv_adma_host_stop,
22129 -static struct ata_port_operations nv_swncq_ops = {
22130 +static const struct ata_port_operations nv_swncq_ops = {
22131 .inherits = &nv_generic_ops,
22133 .qc_defer = ata_std_qc_defer,
22134 diff -urNp linux-2.6.35.4/drivers/ata/sata_promise.c linux-2.6.35.4/drivers/ata/sata_promise.c
22135 --- linux-2.6.35.4/drivers/ata/sata_promise.c 2010-08-26 19:47:12.000000000 -0400
22136 +++ linux-2.6.35.4/drivers/ata/sata_promise.c 2010-09-17 20:12:09.000000000 -0400
22137 @@ -196,7 +196,7 @@ static const struct ata_port_operations
22138 .error_handler = pdc_error_handler,
22141 -static struct ata_port_operations pdc_sata_ops = {
22142 +static const struct ata_port_operations pdc_sata_ops = {
22143 .inherits = &pdc_common_ops,
22144 .cable_detect = pdc_sata_cable_detect,
22145 .freeze = pdc_sata_freeze,
22146 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
22148 /* First-generation chips need a more restrictive ->check_atapi_dma op,
22149 and ->freeze/thaw that ignore the hotplug controls. */
22150 -static struct ata_port_operations pdc_old_sata_ops = {
22151 +static const struct ata_port_operations pdc_old_sata_ops = {
22152 .inherits = &pdc_sata_ops,
22153 .freeze = pdc_freeze,
22155 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
22158 -static struct ata_port_operations pdc_pata_ops = {
22159 +static const struct ata_port_operations pdc_pata_ops = {
22160 .inherits = &pdc_common_ops,
22161 .cable_detect = pdc_pata_cable_detect,
22162 .freeze = pdc_freeze,
22163 diff -urNp linux-2.6.35.4/drivers/ata/sata_qstor.c linux-2.6.35.4/drivers/ata/sata_qstor.c
22164 --- linux-2.6.35.4/drivers/ata/sata_qstor.c 2010-08-26 19:47:12.000000000 -0400
22165 +++ linux-2.6.35.4/drivers/ata/sata_qstor.c 2010-09-17 20:12:09.000000000 -0400
22166 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
22167 .dma_boundary = QS_DMA_BOUNDARY,
22170 -static struct ata_port_operations qs_ata_ops = {
22171 +static const struct ata_port_operations qs_ata_ops = {
22172 .inherits = &ata_sff_port_ops,
22174 .check_atapi_dma = qs_check_atapi_dma,
22175 diff -urNp linux-2.6.35.4/drivers/ata/sata_sil24.c linux-2.6.35.4/drivers/ata/sata_sil24.c
22176 --- linux-2.6.35.4/drivers/ata/sata_sil24.c 2010-08-26 19:47:12.000000000 -0400
22177 +++ linux-2.6.35.4/drivers/ata/sata_sil24.c 2010-09-17 20:12:09.000000000 -0400
22178 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
22179 .dma_boundary = ATA_DMA_BOUNDARY,
22182 -static struct ata_port_operations sil24_ops = {
22183 +static const struct ata_port_operations sil24_ops = {
22184 .inherits = &sata_pmp_port_ops,
22186 .qc_defer = sil24_qc_defer,
22187 diff -urNp linux-2.6.35.4/drivers/ata/sata_sil.c linux-2.6.35.4/drivers/ata/sata_sil.c
22188 --- linux-2.6.35.4/drivers/ata/sata_sil.c 2010-08-26 19:47:12.000000000 -0400
22189 +++ linux-2.6.35.4/drivers/ata/sata_sil.c 2010-09-17 20:12:09.000000000 -0400
22190 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
22191 .sg_tablesize = ATA_MAX_PRD
22194 -static struct ata_port_operations sil_ops = {
22195 +static const struct ata_port_operations sil_ops = {
22196 .inherits = &ata_bmdma32_port_ops,
22197 .dev_config = sil_dev_config,
22198 .set_mode = sil_set_mode,
22199 diff -urNp linux-2.6.35.4/drivers/ata/sata_sis.c linux-2.6.35.4/drivers/ata/sata_sis.c
22200 --- linux-2.6.35.4/drivers/ata/sata_sis.c 2010-08-26 19:47:12.000000000 -0400
22201 +++ linux-2.6.35.4/drivers/ata/sata_sis.c 2010-09-17 20:12:09.000000000 -0400
22202 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
22203 ATA_BMDMA_SHT(DRV_NAME),
22206 -static struct ata_port_operations sis_ops = {
22207 +static const struct ata_port_operations sis_ops = {
22208 .inherits = &ata_bmdma_port_ops,
22209 .scr_read = sis_scr_read,
22210 .scr_write = sis_scr_write,
22211 diff -urNp linux-2.6.35.4/drivers/ata/sata_svw.c linux-2.6.35.4/drivers/ata/sata_svw.c
22212 --- linux-2.6.35.4/drivers/ata/sata_svw.c 2010-08-26 19:47:12.000000000 -0400
22213 +++ linux-2.6.35.4/drivers/ata/sata_svw.c 2010-09-17 20:12:09.000000000 -0400
22214 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
22218 -static struct ata_port_operations k2_sata_ops = {
22219 +static const struct ata_port_operations k2_sata_ops = {
22220 .inherits = &ata_bmdma_port_ops,
22221 .sff_tf_load = k2_sata_tf_load,
22222 .sff_tf_read = k2_sata_tf_read,
22223 diff -urNp linux-2.6.35.4/drivers/ata/sata_sx4.c linux-2.6.35.4/drivers/ata/sata_sx4.c
22224 --- linux-2.6.35.4/drivers/ata/sata_sx4.c 2010-08-26 19:47:12.000000000 -0400
22225 +++ linux-2.6.35.4/drivers/ata/sata_sx4.c 2010-09-17 20:12:09.000000000 -0400
22226 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
22229 /* TODO: inherit from base port_ops after converting to new EH */
22230 -static struct ata_port_operations pdc_20621_ops = {
22231 +static const struct ata_port_operations pdc_20621_ops = {
22232 .inherits = &ata_sff_port_ops,
22234 .check_atapi_dma = pdc_check_atapi_dma,
22235 diff -urNp linux-2.6.35.4/drivers/ata/sata_uli.c linux-2.6.35.4/drivers/ata/sata_uli.c
22236 --- linux-2.6.35.4/drivers/ata/sata_uli.c 2010-08-26 19:47:12.000000000 -0400
22237 +++ linux-2.6.35.4/drivers/ata/sata_uli.c 2010-09-17 20:12:09.000000000 -0400
22238 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
22239 ATA_BMDMA_SHT(DRV_NAME),
22242 -static struct ata_port_operations uli_ops = {
22243 +static const struct ata_port_operations uli_ops = {
22244 .inherits = &ata_bmdma_port_ops,
22245 .scr_read = uli_scr_read,
22246 .scr_write = uli_scr_write,
22247 diff -urNp linux-2.6.35.4/drivers/ata/sata_via.c linux-2.6.35.4/drivers/ata/sata_via.c
22248 --- linux-2.6.35.4/drivers/ata/sata_via.c 2010-08-26 19:47:12.000000000 -0400
22249 +++ linux-2.6.35.4/drivers/ata/sata_via.c 2010-09-17 20:12:09.000000000 -0400
22250 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
22251 ATA_BMDMA_SHT(DRV_NAME),
22254 -static struct ata_port_operations svia_base_ops = {
22255 +static const struct ata_port_operations svia_base_ops = {
22256 .inherits = &ata_bmdma_port_ops,
22257 .sff_tf_load = svia_tf_load,
22260 -static struct ata_port_operations vt6420_sata_ops = {
22261 +static const struct ata_port_operations vt6420_sata_ops = {
22262 .inherits = &svia_base_ops,
22263 .freeze = svia_noop_freeze,
22264 .prereset = vt6420_prereset,
22265 .bmdma_start = vt6420_bmdma_start,
22268 -static struct ata_port_operations vt6421_pata_ops = {
22269 +static const struct ata_port_operations vt6421_pata_ops = {
22270 .inherits = &svia_base_ops,
22271 .cable_detect = vt6421_pata_cable_detect,
22272 .set_piomode = vt6421_set_pio_mode,
22273 .set_dmamode = vt6421_set_dma_mode,
22276 -static struct ata_port_operations vt6421_sata_ops = {
22277 +static const struct ata_port_operations vt6421_sata_ops = {
22278 .inherits = &svia_base_ops,
22279 .scr_read = svia_scr_read,
22280 .scr_write = svia_scr_write,
22283 -static struct ata_port_operations vt8251_ops = {
22284 +static const struct ata_port_operations vt8251_ops = {
22285 .inherits = &svia_base_ops,
22286 .hardreset = sata_std_hardreset,
22287 .scr_read = vt8251_scr_read,
22288 diff -urNp linux-2.6.35.4/drivers/ata/sata_vsc.c linux-2.6.35.4/drivers/ata/sata_vsc.c
22289 --- linux-2.6.35.4/drivers/ata/sata_vsc.c 2010-08-26 19:47:12.000000000 -0400
22290 +++ linux-2.6.35.4/drivers/ata/sata_vsc.c 2010-09-17 20:12:09.000000000 -0400
22291 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
22295 -static struct ata_port_operations vsc_sata_ops = {
22296 +static const struct ata_port_operations vsc_sata_ops = {
22297 .inherits = &ata_bmdma_port_ops,
22298 /* The IRQ handling is not quite standard SFF behaviour so we
22299 cannot use the default lost interrupt handler */
22300 diff -urNp linux-2.6.35.4/drivers/atm/adummy.c linux-2.6.35.4/drivers/atm/adummy.c
22301 --- linux-2.6.35.4/drivers/atm/adummy.c 2010-08-26 19:47:12.000000000 -0400
22302 +++ linux-2.6.35.4/drivers/atm/adummy.c 2010-09-17 20:12:09.000000000 -0400
22303 @@ -78,7 +78,7 @@ adummy_send(struct atm_vcc *vcc, struct
22304 vcc->pop(vcc, skb);
22306 dev_kfree_skb_any(skb);
22307 - atomic_inc(&vcc->stats->tx);
22308 + atomic_inc_unchecked(&vcc->stats->tx);
22312 diff -urNp linux-2.6.35.4/drivers/atm/ambassador.c linux-2.6.35.4/drivers/atm/ambassador.c
22313 --- linux-2.6.35.4/drivers/atm/ambassador.c 2010-08-26 19:47:12.000000000 -0400
22314 +++ linux-2.6.35.4/drivers/atm/ambassador.c 2010-09-17 20:12:09.000000000 -0400
22315 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
22316 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
22319 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22320 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22322 // free the descriptor
22324 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
22325 dump_skb ("<<<", vc, skb);
22328 - atomic_inc(&atm_vcc->stats->rx);
22329 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22330 __net_timestamp(skb);
22331 // end of our responsability
22332 atm_vcc->push (atm_vcc, skb);
22333 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
22335 PRINTK (KERN_INFO, "dropped over-size frame");
22336 // should we count this?
22337 - atomic_inc(&atm_vcc->stats->rx_drop);
22338 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22342 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
22345 if (check_area (skb->data, skb->len)) {
22346 - atomic_inc(&atm_vcc->stats->tx_err);
22347 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
22348 return -ENOMEM; // ?
22351 diff -urNp linux-2.6.35.4/drivers/atm/atmtcp.c linux-2.6.35.4/drivers/atm/atmtcp.c
22352 --- linux-2.6.35.4/drivers/atm/atmtcp.c 2010-08-26 19:47:12.000000000 -0400
22353 +++ linux-2.6.35.4/drivers/atm/atmtcp.c 2010-09-17 20:12:09.000000000 -0400
22354 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
22355 if (vcc->pop) vcc->pop(vcc,skb);
22356 else dev_kfree_skb(skb);
22357 if (dev_data) return 0;
22358 - atomic_inc(&vcc->stats->tx_err);
22359 + atomic_inc_unchecked(&vcc->stats->tx_err);
22362 size = skb->len+sizeof(struct atmtcp_hdr);
22363 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
22365 if (vcc->pop) vcc->pop(vcc,skb);
22366 else dev_kfree_skb(skb);
22367 - atomic_inc(&vcc->stats->tx_err);
22368 + atomic_inc_unchecked(&vcc->stats->tx_err);
22371 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
22372 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
22373 if (vcc->pop) vcc->pop(vcc,skb);
22374 else dev_kfree_skb(skb);
22375 out_vcc->push(out_vcc,new_skb);
22376 - atomic_inc(&vcc->stats->tx);
22377 - atomic_inc(&out_vcc->stats->rx);
22378 + atomic_inc_unchecked(&vcc->stats->tx);
22379 + atomic_inc_unchecked(&out_vcc->stats->rx);
22383 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
22384 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
22385 read_unlock(&vcc_sklist_lock);
22387 - atomic_inc(&vcc->stats->tx_err);
22388 + atomic_inc_unchecked(&vcc->stats->tx_err);
22391 skb_pull(skb,sizeof(struct atmtcp_hdr));
22392 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
22393 __net_timestamp(new_skb);
22394 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
22395 out_vcc->push(out_vcc,new_skb);
22396 - atomic_inc(&vcc->stats->tx);
22397 - atomic_inc(&out_vcc->stats->rx);
22398 + atomic_inc_unchecked(&vcc->stats->tx);
22399 + atomic_inc_unchecked(&out_vcc->stats->rx);
22401 if (vcc->pop) vcc->pop(vcc,skb);
22402 else dev_kfree_skb(skb);
22403 diff -urNp linux-2.6.35.4/drivers/atm/eni.c linux-2.6.35.4/drivers/atm/eni.c
22404 --- linux-2.6.35.4/drivers/atm/eni.c 2010-08-26 19:47:12.000000000 -0400
22405 +++ linux-2.6.35.4/drivers/atm/eni.c 2010-09-17 20:12:09.000000000 -0400
22406 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
22407 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
22410 - atomic_inc(&vcc->stats->rx_err);
22411 + atomic_inc_unchecked(&vcc->stats->rx_err);
22414 length = ATM_CELL_SIZE-1; /* no HEC */
22415 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22419 - atomic_inc(&vcc->stats->rx_err);
22420 + atomic_inc_unchecked(&vcc->stats->rx_err);
22423 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
22424 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22425 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
22426 vcc->dev->number,vcc->vci,length,size << 2,descr);
22428 - atomic_inc(&vcc->stats->rx_err);
22429 + atomic_inc_unchecked(&vcc->stats->rx_err);
22432 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
22433 @@ -771,7 +771,7 @@ rx_dequeued++;
22434 vcc->push(vcc,skb);
22437 - atomic_inc(&vcc->stats->rx);
22438 + atomic_inc_unchecked(&vcc->stats->rx);
22440 wake_up(&eni_dev->rx_wait);
22442 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
22444 if (vcc->pop) vcc->pop(vcc,skb);
22445 else dev_kfree_skb_irq(skb);
22446 - atomic_inc(&vcc->stats->tx);
22447 + atomic_inc_unchecked(&vcc->stats->tx);
22448 wake_up(&eni_dev->tx_wait);
22451 diff -urNp linux-2.6.35.4/drivers/atm/firestream.c linux-2.6.35.4/drivers/atm/firestream.c
22452 --- linux-2.6.35.4/drivers/atm/firestream.c 2010-08-26 19:47:12.000000000 -0400
22453 +++ linux-2.6.35.4/drivers/atm/firestream.c 2010-09-17 20:12:09.000000000 -0400
22454 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
22458 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22459 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22461 fs_dprintk (FS_DEBUG_TXMEM, "i");
22462 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
22463 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
22465 skb_put (skb, qe->p1 & 0xffff);
22466 ATM_SKB(skb)->vcc = atm_vcc;
22467 - atomic_inc(&atm_vcc->stats->rx);
22468 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22469 __net_timestamp(skb);
22470 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
22471 atm_vcc->push (atm_vcc, skb);
22472 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
22476 - atomic_inc(&atm_vcc->stats->rx_drop);
22477 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22479 case 0x1f: /* Reassembly abort: no buffers. */
22480 /* Silently increment error counter. */
22482 - atomic_inc(&atm_vcc->stats->rx_drop);
22483 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22485 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
22486 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
22487 diff -urNp linux-2.6.35.4/drivers/atm/fore200e.c linux-2.6.35.4/drivers/atm/fore200e.c
22488 --- linux-2.6.35.4/drivers/atm/fore200e.c 2010-08-26 19:47:12.000000000 -0400
22489 +++ linux-2.6.35.4/drivers/atm/fore200e.c 2010-09-17 20:12:09.000000000 -0400
22490 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
22492 /* check error condition */
22493 if (*entry->status & STATUS_ERROR)
22494 - atomic_inc(&vcc->stats->tx_err);
22495 + atomic_inc_unchecked(&vcc->stats->tx_err);
22497 - atomic_inc(&vcc->stats->tx);
22498 + atomic_inc_unchecked(&vcc->stats->tx);
22502 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
22504 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
22506 - atomic_inc(&vcc->stats->rx_drop);
22507 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22511 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
22513 dev_kfree_skb_any(skb);
22515 - atomic_inc(&vcc->stats->rx_drop);
22516 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22520 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22522 vcc->push(vcc, skb);
22523 - atomic_inc(&vcc->stats->rx);
22524 + atomic_inc_unchecked(&vcc->stats->rx);
22526 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22528 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
22529 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
22530 fore200e->atm_dev->number,
22531 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
22532 - atomic_inc(&vcc->stats->rx_err);
22533 + atomic_inc_unchecked(&vcc->stats->rx_err);
22537 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
22541 - atomic_inc(&vcc->stats->tx_err);
22542 + atomic_inc_unchecked(&vcc->stats->tx_err);
22544 fore200e->tx_sat++;
22545 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
22546 diff -urNp linux-2.6.35.4/drivers/atm/he.c linux-2.6.35.4/drivers/atm/he.c
22547 --- linux-2.6.35.4/drivers/atm/he.c 2010-08-26 19:47:12.000000000 -0400
22548 +++ linux-2.6.35.4/drivers/atm/he.c 2010-09-17 20:12:09.000000000 -0400
22549 @@ -1770,7 +1770,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22551 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
22552 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
22553 - atomic_inc(&vcc->stats->rx_drop);
22554 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22555 goto return_host_buffers;
22558 @@ -1803,7 +1803,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22559 RBRQ_LEN_ERR(he_dev->rbrq_head)
22561 vcc->vpi, vcc->vci);
22562 - atomic_inc(&vcc->stats->rx_err);
22563 + atomic_inc_unchecked(&vcc->stats->rx_err);
22564 goto return_host_buffers;
22567 @@ -1862,7 +1862,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22568 vcc->push(vcc, skb);
22569 spin_lock(&he_dev->global_lock);
22571 - atomic_inc(&vcc->stats->rx);
22572 + atomic_inc_unchecked(&vcc->stats->rx);
22574 return_host_buffers:
22576 @@ -2207,7 +2207,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
22577 tpd->vcc->pop(tpd->vcc, tpd->skb);
22579 dev_kfree_skb_any(tpd->skb);
22580 - atomic_inc(&tpd->vcc->stats->tx_err);
22581 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
22583 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
22585 @@ -2619,7 +2619,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22586 vcc->pop(vcc, skb);
22588 dev_kfree_skb_any(skb);
22589 - atomic_inc(&vcc->stats->tx_err);
22590 + atomic_inc_unchecked(&vcc->stats->tx_err);
22594 @@ -2630,7 +2630,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22595 vcc->pop(vcc, skb);
22597 dev_kfree_skb_any(skb);
22598 - atomic_inc(&vcc->stats->tx_err);
22599 + atomic_inc_unchecked(&vcc->stats->tx_err);
22603 @@ -2642,7 +2642,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22604 vcc->pop(vcc, skb);
22606 dev_kfree_skb_any(skb);
22607 - atomic_inc(&vcc->stats->tx_err);
22608 + atomic_inc_unchecked(&vcc->stats->tx_err);
22609 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22612 @@ -2684,7 +2684,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22613 vcc->pop(vcc, skb);
22615 dev_kfree_skb_any(skb);
22616 - atomic_inc(&vcc->stats->tx_err);
22617 + atomic_inc_unchecked(&vcc->stats->tx_err);
22618 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22621 @@ -2715,7 +2715,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22622 __enqueue_tpd(he_dev, tpd, cid);
22623 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22625 - atomic_inc(&vcc->stats->tx);
22626 + atomic_inc_unchecked(&vcc->stats->tx);
22630 diff -urNp linux-2.6.35.4/drivers/atm/horizon.c linux-2.6.35.4/drivers/atm/horizon.c
22631 --- linux-2.6.35.4/drivers/atm/horizon.c 2010-08-26 19:47:12.000000000 -0400
22632 +++ linux-2.6.35.4/drivers/atm/horizon.c 2010-09-17 20:12:09.000000000 -0400
22633 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
22635 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
22637 - atomic_inc(&vcc->stats->rx);
22638 + atomic_inc_unchecked(&vcc->stats->rx);
22639 __net_timestamp(skb);
22640 // end of our responsability
22641 vcc->push (vcc, skb);
22642 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
22643 dev->tx_iovec = NULL;
22646 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22647 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22650 hrz_kfree_skb (skb);
22651 diff -urNp linux-2.6.35.4/drivers/atm/idt77252.c linux-2.6.35.4/drivers/atm/idt77252.c
22652 --- linux-2.6.35.4/drivers/atm/idt77252.c 2010-08-26 19:47:12.000000000 -0400
22653 +++ linux-2.6.35.4/drivers/atm/idt77252.c 2010-09-17 20:12:09.000000000 -0400
22654 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
22656 dev_kfree_skb(skb);
22658 - atomic_inc(&vcc->stats->tx);
22659 + atomic_inc_unchecked(&vcc->stats->tx);
22662 atomic_dec(&scq->used);
22663 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
22664 if ((sb = dev_alloc_skb(64)) == NULL) {
22665 printk("%s: Can't allocate buffers for aal0.\n",
22667 - atomic_add(i, &vcc->stats->rx_drop);
22668 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
22671 if (!atm_charge(vcc, sb->truesize)) {
22672 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
22674 - atomic_add(i - 1, &vcc->stats->rx_drop);
22675 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
22679 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
22680 ATM_SKB(sb)->vcc = vcc;
22681 __net_timestamp(sb);
22682 vcc->push(vcc, sb);
22683 - atomic_inc(&vcc->stats->rx);
22684 + atomic_inc_unchecked(&vcc->stats->rx);
22686 cell += ATM_CELL_PAYLOAD;
22688 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
22690 card->name, len, rpp->len, readl(SAR_REG_CDC));
22691 recycle_rx_pool_skb(card, rpp);
22692 - atomic_inc(&vcc->stats->rx_err);
22693 + atomic_inc_unchecked(&vcc->stats->rx_err);
22696 if (stat & SAR_RSQE_CRC) {
22697 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
22698 recycle_rx_pool_skb(card, rpp);
22699 - atomic_inc(&vcc->stats->rx_err);
22700 + atomic_inc_unchecked(&vcc->stats->rx_err);
22703 if (skb_queue_len(&rpp->queue) > 1) {
22704 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
22705 RXPRINTK("%s: Can't alloc RX skb.\n",
22707 recycle_rx_pool_skb(card, rpp);
22708 - atomic_inc(&vcc->stats->rx_err);
22709 + atomic_inc_unchecked(&vcc->stats->rx_err);
22712 if (!atm_charge(vcc, skb->truesize)) {
22713 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
22714 __net_timestamp(skb);
22716 vcc->push(vcc, skb);
22717 - atomic_inc(&vcc->stats->rx);
22718 + atomic_inc_unchecked(&vcc->stats->rx);
22722 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
22723 __net_timestamp(skb);
22725 vcc->push(vcc, skb);
22726 - atomic_inc(&vcc->stats->rx);
22727 + atomic_inc_unchecked(&vcc->stats->rx);
22729 if (skb->truesize > SAR_FB_SIZE_3)
22730 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
22731 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
22732 if (vcc->qos.aal != ATM_AAL0) {
22733 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
22734 card->name, vpi, vci);
22735 - atomic_inc(&vcc->stats->rx_drop);
22736 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22740 if ((sb = dev_alloc_skb(64)) == NULL) {
22741 printk("%s: Can't allocate buffers for AAL0.\n",
22743 - atomic_inc(&vcc->stats->rx_err);
22744 + atomic_inc_unchecked(&vcc->stats->rx_err);
22748 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
22749 ATM_SKB(sb)->vcc = vcc;
22750 __net_timestamp(sb);
22751 vcc->push(vcc, sb);
22752 - atomic_inc(&vcc->stats->rx);
22753 + atomic_inc_unchecked(&vcc->stats->rx);
22756 skb_pull(queue, 64);
22757 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22760 printk("%s: NULL connection in send().\n", card->name);
22761 - atomic_inc(&vcc->stats->tx_err);
22762 + atomic_inc_unchecked(&vcc->stats->tx_err);
22763 dev_kfree_skb(skb);
22766 if (!test_bit(VCF_TX, &vc->flags)) {
22767 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
22768 - atomic_inc(&vcc->stats->tx_err);
22769 + atomic_inc_unchecked(&vcc->stats->tx_err);
22770 dev_kfree_skb(skb);
22773 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22776 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
22777 - atomic_inc(&vcc->stats->tx_err);
22778 + atomic_inc_unchecked(&vcc->stats->tx_err);
22779 dev_kfree_skb(skb);
22783 if (skb_shinfo(skb)->nr_frags != 0) {
22784 printk("%s: No scatter-gather yet.\n", card->name);
22785 - atomic_inc(&vcc->stats->tx_err);
22786 + atomic_inc_unchecked(&vcc->stats->tx_err);
22787 dev_kfree_skb(skb);
22790 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22792 err = queue_skb(card, vc, skb, oam);
22794 - atomic_inc(&vcc->stats->tx_err);
22795 + atomic_inc_unchecked(&vcc->stats->tx_err);
22796 dev_kfree_skb(skb);
22799 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
22800 skb = dev_alloc_skb(64);
22802 printk("%s: Out of memory in send_oam().\n", card->name);
22803 - atomic_inc(&vcc->stats->tx_err);
22804 + atomic_inc_unchecked(&vcc->stats->tx_err);
22807 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
22808 diff -urNp linux-2.6.35.4/drivers/atm/iphase.c linux-2.6.35.4/drivers/atm/iphase.c
22809 --- linux-2.6.35.4/drivers/atm/iphase.c 2010-08-26 19:47:12.000000000 -0400
22810 +++ linux-2.6.35.4/drivers/atm/iphase.c 2010-09-17 20:12:09.000000000 -0400
22811 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
22812 status = (u_short) (buf_desc_ptr->desc_mode);
22813 if (status & (RX_CER | RX_PTE | RX_OFL))
22815 - atomic_inc(&vcc->stats->rx_err);
22816 + atomic_inc_unchecked(&vcc->stats->rx_err);
22817 IF_ERR(printk("IA: bad packet, dropping it");)
22818 if (status & RX_CER) {
22819 IF_ERR(printk(" cause: packet CRC error\n");)
22820 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
22821 len = dma_addr - buf_addr;
22822 if (len > iadev->rx_buf_sz) {
22823 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
22824 - atomic_inc(&vcc->stats->rx_err);
22825 + atomic_inc_unchecked(&vcc->stats->rx_err);
22826 goto out_free_desc;
22829 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
22830 ia_vcc = INPH_IA_VCC(vcc);
22831 if (ia_vcc == NULL)
22833 - atomic_inc(&vcc->stats->rx_err);
22834 + atomic_inc_unchecked(&vcc->stats->rx_err);
22835 dev_kfree_skb_any(skb);
22836 atm_return(vcc, atm_guess_pdu2truesize(len));
22838 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
22839 if ((length > iadev->rx_buf_sz) || (length >
22840 (skb->len - sizeof(struct cpcs_trailer))))
22842 - atomic_inc(&vcc->stats->rx_err);
22843 + atomic_inc_unchecked(&vcc->stats->rx_err);
22844 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
22845 length, skb->len);)
22846 dev_kfree_skb_any(skb);
22847 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
22849 IF_RX(printk("rx_dle_intr: skb push");)
22850 vcc->push(vcc,skb);
22851 - atomic_inc(&vcc->stats->rx);
22852 + atomic_inc_unchecked(&vcc->stats->rx);
22853 iadev->rx_pkt_cnt++;
22856 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
22858 struct k_sonet_stats *stats;
22859 stats = &PRIV(_ia_dev[board])->sonet_stats;
22860 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
22861 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
22862 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
22863 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
22864 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
22865 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
22866 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
22867 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
22868 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
22869 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
22870 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
22871 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
22872 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
22873 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
22874 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
22875 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
22876 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
22877 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
22879 ia_cmds.status = 0;
22881 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
22882 if ((desc == 0) || (desc > iadev->num_tx_desc))
22884 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
22885 - atomic_inc(&vcc->stats->tx);
22886 + atomic_inc_unchecked(&vcc->stats->tx);
22888 vcc->pop(vcc, skb);
22890 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
22891 ATM_DESC(skb) = vcc->vci;
22892 skb_queue_tail(&iadev->tx_dma_q, skb);
22894 - atomic_inc(&vcc->stats->tx);
22895 + atomic_inc_unchecked(&vcc->stats->tx);
22896 iadev->tx_pkt_cnt++;
22897 /* Increment transaction counter */
22898 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
22901 /* add flow control logic */
22902 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
22903 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
22904 if (iavcc->vc_desc_cnt > 10) {
22905 vcc->tx_quota = vcc->tx_quota * 3 / 4;
22906 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
22907 diff -urNp linux-2.6.35.4/drivers/atm/lanai.c linux-2.6.35.4/drivers/atm/lanai.c
22908 --- linux-2.6.35.4/drivers/atm/lanai.c 2010-08-26 19:47:12.000000000 -0400
22909 +++ linux-2.6.35.4/drivers/atm/lanai.c 2010-09-17 20:12:09.000000000 -0400
22910 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
22911 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
22912 lanai_endtx(lanai, lvcc);
22913 lanai_free_skb(lvcc->tx.atmvcc, skb);
22914 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
22915 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
22918 /* Try to fill the buffer - don't call unless there is backlog */
22919 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
22920 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
22921 __net_timestamp(skb);
22922 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
22923 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
22924 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
22926 lvcc->rx.buf.ptr = end;
22927 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
22928 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
22929 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
22930 "vcc %d\n", lanai->number, (unsigned int) s, vci);
22931 lanai->stats.service_rxnotaal5++;
22932 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
22933 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
22936 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
22937 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
22939 read_unlock(&vcc_sklist_lock);
22940 DPRINTK("got trashed rx pdu on vci %d\n", vci);
22941 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
22942 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
22943 lvcc->stats.x.aal5.service_trash++;
22944 bytes = (SERVICE_GET_END(s) * 16) -
22945 (((unsigned long) lvcc->rx.buf.ptr) -
22946 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
22948 if (s & SERVICE_STREAM) {
22949 read_unlock(&vcc_sklist_lock);
22950 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
22951 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
22952 lvcc->stats.x.aal5.service_stream++;
22953 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
22954 "PDU on VCI %d!\n", lanai->number, vci);
22955 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
22958 DPRINTK("got rx crc error on vci %d\n", vci);
22959 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
22960 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
22961 lvcc->stats.x.aal5.service_rxcrc++;
22962 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
22963 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
22964 diff -urNp linux-2.6.35.4/drivers/atm/nicstar.c linux-2.6.35.4/drivers/atm/nicstar.c
22965 --- linux-2.6.35.4/drivers/atm/nicstar.c 2010-08-26 19:47:12.000000000 -0400
22966 +++ linux-2.6.35.4/drivers/atm/nicstar.c 2010-09-17 20:12:09.000000000 -0400
22967 @@ -1722,7 +1722,7 @@ static int ns_send(struct atm_vcc *vcc,
22968 if ((vc = (vc_map *) vcc->dev_data) == NULL)
22970 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
22971 - atomic_inc(&vcc->stats->tx_err);
22972 + atomic_inc_unchecked(&vcc->stats->tx_err);
22973 dev_kfree_skb_any(skb);
22976 @@ -1730,7 +1730,7 @@ static int ns_send(struct atm_vcc *vcc,
22979 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
22980 - atomic_inc(&vcc->stats->tx_err);
22981 + atomic_inc_unchecked(&vcc->stats->tx_err);
22982 dev_kfree_skb_any(skb);
22985 @@ -1738,7 +1738,7 @@ static int ns_send(struct atm_vcc *vcc,
22986 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
22988 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
22989 - atomic_inc(&vcc->stats->tx_err);
22990 + atomic_inc_unchecked(&vcc->stats->tx_err);
22991 dev_kfree_skb_any(skb);
22994 @@ -1746,7 +1746,7 @@ static int ns_send(struct atm_vcc *vcc,
22995 if (skb_shinfo(skb)->nr_frags != 0)
22997 printk("nicstar%d: No scatter-gather yet.\n", card->index);
22998 - atomic_inc(&vcc->stats->tx_err);
22999 + atomic_inc_unchecked(&vcc->stats->tx_err);
23000 dev_kfree_skb_any(skb);
23003 @@ -1791,11 +1791,11 @@ static int ns_send(struct atm_vcc *vcc,
23005 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
23007 - atomic_inc(&vcc->stats->tx_err);
23008 + atomic_inc_unchecked(&vcc->stats->tx_err);
23009 dev_kfree_skb_any(skb);
23012 - atomic_inc(&vcc->stats->tx);
23013 + atomic_inc_unchecked(&vcc->stats->tx);
23017 @@ -2110,14 +2110,14 @@ static void dequeue_rx(ns_dev *card, ns_
23019 printk("nicstar%d: Can't allocate buffers for aal0.\n",
23021 - atomic_add(i,&vcc->stats->rx_drop);
23022 + atomic_add_unchecked(i,&vcc->stats->rx_drop);
23025 if (!atm_charge(vcc, sb->truesize))
23027 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
23029 - atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
23030 + atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
23031 dev_kfree_skb_any(sb);
23034 @@ -2132,7 +2132,7 @@ static void dequeue_rx(ns_dev *card, ns_
23035 ATM_SKB(sb)->vcc = vcc;
23036 __net_timestamp(sb);
23037 vcc->push(vcc, sb);
23038 - atomic_inc(&vcc->stats->rx);
23039 + atomic_inc_unchecked(&vcc->stats->rx);
23040 cell += ATM_CELL_PAYLOAD;
23043 @@ -2151,7 +2151,7 @@ static void dequeue_rx(ns_dev *card, ns_
23046 printk("nicstar%d: Out of iovec buffers.\n", card->index);
23047 - atomic_inc(&vcc->stats->rx_drop);
23048 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23049 recycle_rx_buf(card, skb);
23052 @@ -2181,7 +2181,7 @@ static void dequeue_rx(ns_dev *card, ns_
23053 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
23055 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
23056 - atomic_inc(&vcc->stats->rx_err);
23057 + atomic_inc_unchecked(&vcc->stats->rx_err);
23058 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
23059 NS_SKB(iovb)->iovcnt = 0;
23061 @@ -2201,7 +2201,7 @@ static void dequeue_rx(ns_dev *card, ns_
23062 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
23064 which_list(card, skb);
23065 - atomic_inc(&vcc->stats->rx_err);
23066 + atomic_inc_unchecked(&vcc->stats->rx_err);
23067 recycle_rx_buf(card, skb);
23069 recycle_iov_buf(card, iovb);
23070 @@ -2215,7 +2215,7 @@ static void dequeue_rx(ns_dev *card, ns_
23071 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
23073 which_list(card, skb);
23074 - atomic_inc(&vcc->stats->rx_err);
23075 + atomic_inc_unchecked(&vcc->stats->rx_err);
23076 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23077 NS_SKB(iovb)->iovcnt);
23079 @@ -2239,7 +2239,7 @@ static void dequeue_rx(ns_dev *card, ns_
23080 printk(" - PDU size mismatch.\n");
23083 - atomic_inc(&vcc->stats->rx_err);
23084 + atomic_inc_unchecked(&vcc->stats->rx_err);
23085 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23086 NS_SKB(iovb)->iovcnt);
23088 @@ -2255,7 +2255,7 @@ static void dequeue_rx(ns_dev *card, ns_
23089 if (!atm_charge(vcc, skb->truesize))
23091 push_rxbufs(card, skb);
23092 - atomic_inc(&vcc->stats->rx_drop);
23093 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23097 @@ -2267,7 +2267,7 @@ static void dequeue_rx(ns_dev *card, ns_
23098 ATM_SKB(skb)->vcc = vcc;
23099 __net_timestamp(skb);
23100 vcc->push(vcc, skb);
23101 - atomic_inc(&vcc->stats->rx);
23102 + atomic_inc_unchecked(&vcc->stats->rx);
23105 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
23106 @@ -2282,7 +2282,7 @@ static void dequeue_rx(ns_dev *card, ns_
23107 if (!atm_charge(vcc, sb->truesize))
23109 push_rxbufs(card, sb);
23110 - atomic_inc(&vcc->stats->rx_drop);
23111 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23115 @@ -2294,7 +2294,7 @@ static void dequeue_rx(ns_dev *card, ns_
23116 ATM_SKB(sb)->vcc = vcc;
23117 __net_timestamp(sb);
23118 vcc->push(vcc, sb);
23119 - atomic_inc(&vcc->stats->rx);
23120 + atomic_inc_unchecked(&vcc->stats->rx);
23123 push_rxbufs(card, skb);
23124 @@ -2305,7 +2305,7 @@ static void dequeue_rx(ns_dev *card, ns_
23125 if (!atm_charge(vcc, skb->truesize))
23127 push_rxbufs(card, skb);
23128 - atomic_inc(&vcc->stats->rx_drop);
23129 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23133 @@ -2319,7 +2319,7 @@ static void dequeue_rx(ns_dev *card, ns_
23134 ATM_SKB(skb)->vcc = vcc;
23135 __net_timestamp(skb);
23136 vcc->push(vcc, skb);
23137 - atomic_inc(&vcc->stats->rx);
23138 + atomic_inc_unchecked(&vcc->stats->rx);
23141 push_rxbufs(card, sb);
23142 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev *card, ns_
23145 printk("nicstar%d: Out of huge buffers.\n", card->index);
23146 - atomic_inc(&vcc->stats->rx_drop);
23147 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23148 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23149 NS_SKB(iovb)->iovcnt);
23151 @@ -2392,7 +2392,7 @@ static void dequeue_rx(ns_dev *card, ns_
23154 dev_kfree_skb_any(hb);
23155 - atomic_inc(&vcc->stats->rx_drop);
23156 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23160 @@ -2426,7 +2426,7 @@ static void dequeue_rx(ns_dev *card, ns_
23161 #endif /* NS_USE_DESTRUCTORS */
23162 __net_timestamp(hb);
23163 vcc->push(vcc, hb);
23164 - atomic_inc(&vcc->stats->rx);
23165 + atomic_inc_unchecked(&vcc->stats->rx);
23169 diff -urNp linux-2.6.35.4/drivers/atm/solos-pci.c linux-2.6.35.4/drivers/atm/solos-pci.c
23170 --- linux-2.6.35.4/drivers/atm/solos-pci.c 2010-08-26 19:47:12.000000000 -0400
23171 +++ linux-2.6.35.4/drivers/atm/solos-pci.c 2010-09-17 20:12:09.000000000 -0400
23172 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
23174 atm_charge(vcc, skb->truesize);
23175 vcc->push(vcc, skb);
23176 - atomic_inc(&vcc->stats->rx);
23177 + atomic_inc_unchecked(&vcc->stats->rx);
23181 @@ -1023,7 +1023,7 @@ static uint32_t fpga_tx(struct solos_car
23182 vcc = SKB_CB(oldskb)->vcc;
23185 - atomic_inc(&vcc->stats->tx);
23186 + atomic_inc_unchecked(&vcc->stats->tx);
23187 solos_pop(vcc, oldskb);
23189 dev_kfree_skb_irq(oldskb);
23190 diff -urNp linux-2.6.35.4/drivers/atm/suni.c linux-2.6.35.4/drivers/atm/suni.c
23191 --- linux-2.6.35.4/drivers/atm/suni.c 2010-08-26 19:47:12.000000000 -0400
23192 +++ linux-2.6.35.4/drivers/atm/suni.c 2010-09-17 20:12:09.000000000 -0400
23193 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
23196 #define ADD_LIMITED(s,v) \
23197 - atomic_add((v),&stats->s); \
23198 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
23199 + atomic_add_unchecked((v),&stats->s); \
23200 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
23203 static void suni_hz(unsigned long from_timer)
23204 diff -urNp linux-2.6.35.4/drivers/atm/uPD98402.c linux-2.6.35.4/drivers/atm/uPD98402.c
23205 --- linux-2.6.35.4/drivers/atm/uPD98402.c 2010-08-26 19:47:12.000000000 -0400
23206 +++ linux-2.6.35.4/drivers/atm/uPD98402.c 2010-09-17 20:12:09.000000000 -0400
23207 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
23208 struct sonet_stats tmp;
23211 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23212 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23213 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
23214 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
23215 if (zero && !error) {
23216 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
23219 #define ADD_LIMITED(s,v) \
23220 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
23221 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
23222 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23223 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
23224 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
23225 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23228 static void stat_event(struct atm_dev *dev)
23229 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
23230 if (reason & uPD98402_INT_PFM) stat_event(dev);
23231 if (reason & uPD98402_INT_PCO) {
23232 (void) GET(PCOCR); /* clear interrupt cause */
23233 - atomic_add(GET(HECCT),
23234 + atomic_add_unchecked(GET(HECCT),
23235 &PRIV(dev)->sonet_stats.uncorr_hcs);
23237 if ((reason & uPD98402_INT_RFO) &&
23238 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
23239 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
23240 uPD98402_INT_LOS),PIMR); /* enable them */
23241 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
23242 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23243 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
23244 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
23245 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23246 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
23247 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
23251 diff -urNp linux-2.6.35.4/drivers/atm/zatm.c linux-2.6.35.4/drivers/atm/zatm.c
23252 --- linux-2.6.35.4/drivers/atm/zatm.c 2010-08-26 19:47:12.000000000 -0400
23253 +++ linux-2.6.35.4/drivers/atm/zatm.c 2010-09-17 20:12:09.000000000 -0400
23254 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23257 dev_kfree_skb_irq(skb);
23258 - if (vcc) atomic_inc(&vcc->stats->rx_err);
23259 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
23262 if (!atm_charge(vcc,skb->truesize)) {
23263 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23265 ATM_SKB(skb)->vcc = vcc;
23266 vcc->push(vcc,skb);
23267 - atomic_inc(&vcc->stats->rx);
23268 + atomic_inc_unchecked(&vcc->stats->rx);
23270 zout(pos & 0xffff,MTA(mbx));
23271 #if 0 /* probably a stupid idea */
23272 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
23273 skb_queue_head(&zatm_vcc->backlog,skb);
23276 - atomic_inc(&vcc->stats->tx);
23277 + atomic_inc_unchecked(&vcc->stats->tx);
23278 wake_up(&zatm_vcc->tx_wait);
23281 diff -urNp linux-2.6.35.4/drivers/char/agp/frontend.c linux-2.6.35.4/drivers/char/agp/frontend.c
23282 --- linux-2.6.35.4/drivers/char/agp/frontend.c 2010-08-26 19:47:12.000000000 -0400
23283 +++ linux-2.6.35.4/drivers/char/agp/frontend.c 2010-09-17 20:12:09.000000000 -0400
23284 @@ -818,7 +818,7 @@ static int agpioc_reserve_wrap(struct ag
23285 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
23288 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
23289 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
23292 client = agp_find_client_by_pid(reserve.pid);
23293 diff -urNp linux-2.6.35.4/drivers/char/agp/intel-agp.c linux-2.6.35.4/drivers/char/agp/intel-agp.c
23294 --- linux-2.6.35.4/drivers/char/agp/intel-agp.c 2010-08-26 19:47:12.000000000 -0400
23295 +++ linux-2.6.35.4/drivers/char/agp/intel-agp.c 2010-09-17 20:12:09.000000000 -0400
23296 @@ -1036,7 +1036,7 @@ static struct pci_device_id agp_intel_pc
23297 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MC2_HB),
23298 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
23299 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
23301 + { 0, 0, 0, 0, 0, 0, 0 }
23304 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
23305 diff -urNp linux-2.6.35.4/drivers/char/hpet.c linux-2.6.35.4/drivers/char/hpet.c
23306 --- linux-2.6.35.4/drivers/char/hpet.c 2010-08-26 19:47:12.000000000 -0400
23307 +++ linux-2.6.35.4/drivers/char/hpet.c 2010-09-17 20:12:09.000000000 -0400
23308 @@ -429,7 +429,7 @@ static int hpet_release(struct inode *in
23312 -static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
23313 +static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
23315 static long hpet_ioctl(struct file *file, unsigned int cmd,
23317 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
23321 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
23322 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
23324 struct hpet_timer __iomem *timer;
23325 struct hpet __iomem *hpet;
23326 @@ -998,7 +998,7 @@ static struct acpi_driver hpet_acpi_driv
23330 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
23331 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
23333 static int __init hpet_init(void)
23335 diff -urNp linux-2.6.35.4/drivers/char/hvc_console.h linux-2.6.35.4/drivers/char/hvc_console.h
23336 --- linux-2.6.35.4/drivers/char/hvc_console.h 2010-08-26 19:47:12.000000000 -0400
23337 +++ linux-2.6.35.4/drivers/char/hvc_console.h 2010-09-17 20:12:09.000000000 -0400
23338 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
23339 /* register a vterm for hvc tty operation (module_init or hotplug add) */
23340 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
23341 const struct hv_ops *ops, int outbuf_size);
23343 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
23344 extern int hvc_remove(struct hvc_struct *hp);
23346 diff -urNp linux-2.6.35.4/drivers/char/hvcs.c linux-2.6.35.4/drivers/char/hvcs.c
23347 --- linux-2.6.35.4/drivers/char/hvcs.c 2010-08-26 19:47:12.000000000 -0400
23348 +++ linux-2.6.35.4/drivers/char/hvcs.c 2010-09-17 20:12:09.000000000 -0400
23349 @@ -270,7 +270,7 @@ struct hvcs_struct {
23350 unsigned int index;
23352 struct tty_struct *tty;
23354 + atomic_t open_count;
23357 * Used to tell the driver kernel_thread what operations need to take
23358 @@ -420,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
23360 spin_lock_irqsave(&hvcsd->lock, flags);
23362 - if (hvcsd->open_count > 0) {
23363 + if (atomic_read(&hvcsd->open_count) > 0) {
23364 spin_unlock_irqrestore(&hvcsd->lock, flags);
23365 printk(KERN_INFO "HVCS: vterm state unchanged. "
23366 "The hvcs device node is still in use.\n");
23367 @@ -1136,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
23368 if ((retval = hvcs_partner_connect(hvcsd)))
23369 goto error_release;
23371 - hvcsd->open_count = 1;
23372 + atomic_set(&hvcsd->open_count, 1);
23374 tty->driver_data = hvcsd;
23376 @@ -1170,7 +1170,7 @@ fast_open:
23378 spin_lock_irqsave(&hvcsd->lock, flags);
23379 kref_get(&hvcsd->kref);
23380 - hvcsd->open_count++;
23381 + atomic_inc(&hvcsd->open_count);
23382 hvcsd->todo_mask |= HVCS_SCHED_READ;
23383 spin_unlock_irqrestore(&hvcsd->lock, flags);
23385 @@ -1214,7 +1214,7 @@ static void hvcs_close(struct tty_struct
23386 hvcsd = tty->driver_data;
23388 spin_lock_irqsave(&hvcsd->lock, flags);
23389 - if (--hvcsd->open_count == 0) {
23390 + if (atomic_dec_and_test(&hvcsd->open_count)) {
23392 vio_disable_interrupts(hvcsd->vdev);
23394 @@ -1240,10 +1240,10 @@ static void hvcs_close(struct tty_struct
23395 free_irq(irq, hvcsd);
23396 kref_put(&hvcsd->kref, destroy_hvcs_struct);
23398 - } else if (hvcsd->open_count < 0) {
23399 + } else if (atomic_read(&hvcsd->open_count) < 0) {
23400 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
23401 " is missmanaged.\n",
23402 - hvcsd->vdev->unit_address, hvcsd->open_count);
23403 + hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
23406 spin_unlock_irqrestore(&hvcsd->lock, flags);
23407 @@ -1259,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
23409 spin_lock_irqsave(&hvcsd->lock, flags);
23410 /* Preserve this so that we know how many kref refs to put */
23411 - temp_open_count = hvcsd->open_count;
23412 + temp_open_count = atomic_read(&hvcsd->open_count);
23415 * Don't kref put inside the spinlock because the destruction
23416 @@ -1274,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
23417 hvcsd->tty->driver_data = NULL;
23420 - hvcsd->open_count = 0;
23421 + atomic_set(&hvcsd->open_count, 0);
23423 /* This will drop any buffered data on the floor which is OK in a hangup
23425 @@ -1345,7 +1345,7 @@ static int hvcs_write(struct tty_struct
23426 * the middle of a write operation? This is a crummy place to do this
23427 * but we want to keep it all in the spinlock.
23429 - if (hvcsd->open_count <= 0) {
23430 + if (atomic_read(&hvcsd->open_count) <= 0) {
23431 spin_unlock_irqrestore(&hvcsd->lock, flags);
23434 @@ -1419,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
23436 struct hvcs_struct *hvcsd = tty->driver_data;
23438 - if (!hvcsd || hvcsd->open_count <= 0)
23439 + if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
23442 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
23443 diff -urNp linux-2.6.35.4/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.35.4/drivers/char/ipmi/ipmi_msghandler.c
23444 --- linux-2.6.35.4/drivers/char/ipmi/ipmi_msghandler.c 2010-08-26 19:47:12.000000000 -0400
23445 +++ linux-2.6.35.4/drivers/char/ipmi/ipmi_msghandler.c 2010-09-17 20:12:09.000000000 -0400
23446 @@ -414,7 +414,7 @@ struct ipmi_smi {
23447 struct proc_dir_entry *proc_dir;
23448 char proc_dir_name[10];
23450 - atomic_t stats[IPMI_NUM_STATS];
23451 + atomic_unchecked_t stats[IPMI_NUM_STATS];
23454 * run_to_completion duplicate of smb_info, smi_info
23455 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
23458 #define ipmi_inc_stat(intf, stat) \
23459 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
23460 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
23461 #define ipmi_get_stat(intf, stat) \
23462 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
23463 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
23465 static int is_lan_addr(struct ipmi_addr *addr)
23467 @@ -2817,7 +2817,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
23468 INIT_LIST_HEAD(&intf->cmd_rcvrs);
23469 init_waitqueue_head(&intf->waitq);
23470 for (i = 0; i < IPMI_NUM_STATS; i++)
23471 - atomic_set(&intf->stats[i], 0);
23472 + atomic_set_unchecked(&intf->stats[i], 0);
23474 intf->proc_dir = NULL;
23476 diff -urNp linux-2.6.35.4/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.35.4/drivers/char/ipmi/ipmi_si_intf.c
23477 --- linux-2.6.35.4/drivers/char/ipmi/ipmi_si_intf.c 2010-08-26 19:47:12.000000000 -0400
23478 +++ linux-2.6.35.4/drivers/char/ipmi/ipmi_si_intf.c 2010-09-17 20:12:09.000000000 -0400
23479 @@ -286,7 +286,7 @@ struct smi_info {
23480 unsigned char slave_addr;
23482 /* Counters and things for the proc filesystem. */
23483 - atomic_t stats[SI_NUM_STATS];
23484 + atomic_unchecked_t stats[SI_NUM_STATS];
23486 struct task_struct *thread;
23488 @@ -294,9 +294,9 @@ struct smi_info {
23491 #define smi_inc_stat(smi, stat) \
23492 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
23493 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
23494 #define smi_get_stat(smi, stat) \
23495 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
23496 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
23498 #define SI_MAX_PARMS 4
23500 @@ -3143,7 +3143,7 @@ static int try_smi_init(struct smi_info
23501 atomic_set(&new_smi->req_events, 0);
23502 new_smi->run_to_completion = 0;
23503 for (i = 0; i < SI_NUM_STATS; i++)
23504 - atomic_set(&new_smi->stats[i], 0);
23505 + atomic_set_unchecked(&new_smi->stats[i], 0);
23507 new_smi->interrupt_disabled = 1;
23508 atomic_set(&new_smi->stop_operation, 0);
23509 diff -urNp linux-2.6.35.4/drivers/char/keyboard.c linux-2.6.35.4/drivers/char/keyboard.c
23510 --- linux-2.6.35.4/drivers/char/keyboard.c 2010-08-26 19:47:12.000000000 -0400
23511 +++ linux-2.6.35.4/drivers/char/keyboard.c 2010-09-17 20:12:37.000000000 -0400
23512 @@ -640,6 +640,16 @@ static void k_spec(struct vc_data *vc, u
23513 kbd->kbdmode == VC_MEDIUMRAW) &&
23514 value != KVAL(K_SAK))
23515 return; /* SAK is allowed even in raw mode */
23517 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
23519 + void *func = fn_handler[value];
23520 + if (func == fn_show_state || func == fn_show_ptregs ||
23521 + func == fn_show_mem)
23526 fn_handler[value](vc);
23529 @@ -1392,7 +1402,7 @@ static const struct input_device_id kbd_
23530 .evbit = { BIT_MASK(EV_SND) },
23533 - { }, /* Terminating entry */
23534 + { 0 }, /* Terminating entry */
23537 MODULE_DEVICE_TABLE(input, kbd_ids);
23538 diff -urNp linux-2.6.35.4/drivers/char/mem.c linux-2.6.35.4/drivers/char/mem.c
23539 --- linux-2.6.35.4/drivers/char/mem.c 2010-08-26 19:47:12.000000000 -0400
23540 +++ linux-2.6.35.4/drivers/char/mem.c 2010-09-17 20:12:37.000000000 -0400
23542 #include <linux/raw.h>
23543 #include <linux/tty.h>
23544 #include <linux/capability.h>
23545 +#include <linux/security.h>
23546 #include <linux/ptrace.h>
23547 #include <linux/device.h>
23548 #include <linux/highmem.h>
23550 # include <linux/efi.h>
23553 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23554 +extern struct file_operations grsec_fops;
23557 static inline unsigned long size_inside_page(unsigned long start,
23558 unsigned long size)
23560 @@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil
23562 while (count > 0) {
23563 unsigned long remaining;
23566 sz = size_inside_page(p, count);
23568 @@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil
23572 - remaining = copy_to_user(buf, ptr, sz);
23573 +#ifdef CONFIG_PAX_USERCOPY
23574 + temp = kmalloc(sz, GFP_KERNEL);
23576 + unxlate_dev_mem_ptr(p, ptr);
23579 + memcpy(temp, ptr, sz);
23584 + remaining = copy_to_user(buf, temp, sz);
23586 +#ifdef CONFIG_PAX_USERCOPY
23590 unxlate_dev_mem_ptr(p, ptr);
23593 @@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi
23594 if (!valid_phys_addr_range(p, count))
23597 +#ifdef CONFIG_GRKERNSEC_KMEM
23598 + gr_handle_mem_write();
23604 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
23605 @@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s
23606 &vma->vm_page_prot))
23609 +#ifdef CONFIG_GRKERNSEC_KMEM
23610 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
23614 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
23616 vma->vm_page_prot);
23617 @@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi
23618 size_t count, loff_t *ppos)
23620 unsigned long p = *ppos;
23621 - ssize_t low_count, read, sz;
23622 + ssize_t low_count, read, sz, err = 0;
23623 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
23627 if (p < (unsigned long) high_memory) {
23628 @@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi
23631 while (low_count > 0) {
23634 sz = size_inside_page(p, low_count);
23637 @@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi
23639 kbuf = xlate_dev_kmem_ptr((char *)p);
23641 - if (copy_to_user(buf, kbuf, sz))
23642 +#ifdef CONFIG_PAX_USERCOPY
23643 + temp = kmalloc(sz, GFP_KERNEL);
23646 + memcpy(temp, kbuf, sz);
23651 + err = copy_to_user(buf, temp, sz);
23653 +#ifdef CONFIG_PAX_USERCOPY
23661 @@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f
23662 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
23665 +#ifdef CONFIG_GRKERNSEC_KMEM
23666 + gr_handle_kmem_write();
23670 if (p < (unsigned long) high_memory) {
23671 unsigned long to_write = min_t(unsigned long, count,
23672 (unsigned long)high_memory - p);
23673 @@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file *
23675 static int open_port(struct inode * inode, struct file * filp)
23677 +#ifdef CONFIG_GRKERNSEC_KMEM
23678 + gr_handle_open_port();
23682 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23685 +static int open_mem(struct inode * inode, struct file * filp)
23687 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23690 @@ -738,7 +801,6 @@ static int open_port(struct inode * inod
23691 #define full_lseek null_lseek
23692 #define write_zero write_null
23693 #define read_full read_zero
23694 -#define open_mem open_port
23695 #define open_kmem open_mem
23696 #define open_oldmem open_mem
23698 @@ -854,6 +916,9 @@ static const struct memdev {
23699 #ifdef CONFIG_CRASH_DUMP
23700 [12] = { "oldmem", 0, &oldmem_fops, NULL },
23702 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23703 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
23707 static int memory_open(struct inode *inode, struct file *filp)
23708 diff -urNp linux-2.6.35.4/drivers/char/n_tty.c linux-2.6.35.4/drivers/char/n_tty.c
23709 --- linux-2.6.35.4/drivers/char/n_tty.c 2010-08-26 19:47:12.000000000 -0400
23710 +++ linux-2.6.35.4/drivers/char/n_tty.c 2010-09-17 20:12:09.000000000 -0400
23711 @@ -2105,6 +2105,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
23713 *ops = tty_ldisc_N_TTY;
23715 - ops->refcount = ops->flags = 0;
23716 + atomic_set(&ops->refcount, 0);
23719 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
23720 diff -urNp linux-2.6.35.4/drivers/char/nvram.c linux-2.6.35.4/drivers/char/nvram.c
23721 --- linux-2.6.35.4/drivers/char/nvram.c 2010-08-26 19:47:12.000000000 -0400
23722 +++ linux-2.6.35.4/drivers/char/nvram.c 2010-09-17 20:12:09.000000000 -0400
23723 @@ -245,7 +245,7 @@ static ssize_t nvram_read(struct file *f
23725 spin_unlock_irq(&rtc_lock);
23727 - if (copy_to_user(buf, contents, tmp - contents))
23728 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
23732 @@ -434,7 +434,10 @@ static const struct file_operations nvra
23733 static struct miscdevice nvram_dev = {
23743 static int __init nvram_init(void)
23744 diff -urNp linux-2.6.35.4/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.35.4/drivers/char/pcmcia/ipwireless/tty.c
23745 --- linux-2.6.35.4/drivers/char/pcmcia/ipwireless/tty.c 2010-08-26 19:47:12.000000000 -0400
23746 +++ linux-2.6.35.4/drivers/char/pcmcia/ipwireless/tty.c 2010-09-17 20:12:09.000000000 -0400
23747 @@ -51,7 +51,7 @@ struct ipw_tty {
23749 struct ipw_network *network;
23750 struct tty_struct *linux_tty;
23752 + atomic_t open_count;
23753 unsigned int control_lines;
23754 struct mutex ipw_tty_mutex;
23755 int tx_bytes_queued;
23756 @@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
23757 mutex_unlock(&tty->ipw_tty_mutex);
23760 - if (tty->open_count == 0)
23761 + if (atomic_read(&tty->open_count) == 0)
23762 tty->tx_bytes_queued = 0;
23764 - tty->open_count++;
23765 + atomic_inc(&tty->open_count);
23767 tty->linux_tty = linux_tty;
23768 linux_tty->driver_data = tty;
23769 @@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
23771 static void do_ipw_close(struct ipw_tty *tty)
23773 - tty->open_count--;
23775 - if (tty->open_count == 0) {
23776 + if (atomic_dec_return(&tty->open_count) == 0) {
23777 struct tty_struct *linux_tty = tty->linux_tty;
23779 if (linux_tty != NULL) {
23780 @@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
23783 mutex_lock(&tty->ipw_tty_mutex);
23784 - if (tty->open_count == 0) {
23785 + if (atomic_read(&tty->open_count) == 0) {
23786 mutex_unlock(&tty->ipw_tty_mutex);
23789 @@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
23793 - if (!tty->open_count) {
23794 + if (!atomic_read(&tty->open_count)) {
23795 mutex_unlock(&tty->ipw_tty_mutex);
23798 @@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
23801 mutex_lock(&tty->ipw_tty_mutex);
23802 - if (!tty->open_count) {
23803 + if (!atomic_read(&tty->open_count)) {
23804 mutex_unlock(&tty->ipw_tty_mutex);
23807 @@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
23811 - if (!tty->open_count)
23812 + if (!atomic_read(&tty->open_count))
23815 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
23816 @@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
23820 - if (!tty->open_count)
23821 + if (!atomic_read(&tty->open_count))
23824 return tty->tx_bytes_queued;
23825 @@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
23829 - if (!tty->open_count)
23830 + if (!atomic_read(&tty->open_count))
23833 return get_control_lines(tty);
23834 @@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
23838 - if (!tty->open_count)
23839 + if (!atomic_read(&tty->open_count))
23842 return set_control_lines(tty, set, clear);
23843 @@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
23847 - if (!tty->open_count)
23848 + if (!atomic_read(&tty->open_count))
23851 /* FIXME: Exactly how is the tty object locked here .. */
23852 @@ -582,7 +580,7 @@ void ipwireless_tty_free(struct ipw_tty
23853 against a parallel ioctl etc */
23854 mutex_lock(&ttyj->ipw_tty_mutex);
23856 - while (ttyj->open_count)
23857 + while (atomic_read(&ttyj->open_count))
23858 do_ipw_close(ttyj);
23859 ipwireless_disassociate_network_ttys(network,
23860 ttyj->channel_idx);
23861 diff -urNp linux-2.6.35.4/drivers/char/pty.c linux-2.6.35.4/drivers/char/pty.c
23862 --- linux-2.6.35.4/drivers/char/pty.c 2010-08-26 19:47:12.000000000 -0400
23863 +++ linux-2.6.35.4/drivers/char/pty.c 2010-09-17 20:12:09.000000000 -0400
23864 @@ -677,7 +677,18 @@ static int ptmx_open(struct inode *inode
23868 -static struct file_operations ptmx_fops;
23869 +static const struct file_operations ptmx_fops = {
23870 + .llseek = no_llseek,
23871 + .read = tty_read,
23872 + .write = tty_write,
23873 + .poll = tty_poll,
23874 + .unlocked_ioctl = tty_ioctl,
23875 + .compat_ioctl = tty_compat_ioctl,
23876 + .open = ptmx_open,
23877 + .release = tty_release,
23878 + .fasync = tty_fasync,
23882 static void __init unix98_pty_init(void)
23884 @@ -731,9 +742,6 @@ static void __init unix98_pty_init(void)
23885 register_sysctl_table(pty_root_table);
23887 /* Now create the /dev/ptmx special device */
23888 - tty_default_fops(&ptmx_fops);
23889 - ptmx_fops.open = ptmx_open;
23891 cdev_init(&ptmx_cdev, &ptmx_fops);
23892 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
23893 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
23894 diff -urNp linux-2.6.35.4/drivers/char/random.c linux-2.6.35.4/drivers/char/random.c
23895 --- linux-2.6.35.4/drivers/char/random.c 2010-08-26 19:47:12.000000000 -0400
23896 +++ linux-2.6.35.4/drivers/char/random.c 2010-09-17 20:24:41.000000000 -0400
23897 @@ -254,8 +254,13 @@
23899 * Configuration information
23901 +#ifdef CONFIG_GRKERNSEC_RANDNET
23902 +#define INPUT_POOL_WORDS 512
23903 +#define OUTPUT_POOL_WORDS 128
23905 #define INPUT_POOL_WORDS 128
23906 #define OUTPUT_POOL_WORDS 32
23908 #define SEC_XFER_SIZE 512
23909 #define EXTRACT_SIZE 10
23911 @@ -293,10 +298,17 @@ static struct poolinfo {
23913 int tap1, tap2, tap3, tap4, tap5;
23914 } poolinfo_table[] = {
23915 +#ifdef CONFIG_GRKERNSEC_RANDNET
23916 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
23917 + { 512, 411, 308, 208, 104, 1 },
23918 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
23919 + { 128, 103, 76, 51, 25, 1 },
23921 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
23922 { 128, 103, 76, 51, 25, 1 },
23923 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
23924 { 32, 26, 20, 14, 7, 1 },
23927 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
23928 { 2048, 1638, 1231, 819, 411, 1 },
23929 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
23931 extract_buf(r, tmp);
23932 i = min_t(int, nbytes, EXTRACT_SIZE);
23933 - if (copy_to_user(buf, tmp, i)) {
23934 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
23938 @@ -1205,7 +1217,7 @@ EXPORT_SYMBOL(generate_random_uuid);
23939 #include <linux/sysctl.h>
23941 static int min_read_thresh = 8, min_write_thresh;
23942 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
23943 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
23944 static int max_write_thresh = INPUT_POOL_WORDS * 32;
23945 static char sysctl_bootid[16];
23947 diff -urNp linux-2.6.35.4/drivers/char/sonypi.c linux-2.6.35.4/drivers/char/sonypi.c
23948 --- linux-2.6.35.4/drivers/char/sonypi.c 2010-08-26 19:47:12.000000000 -0400
23949 +++ linux-2.6.35.4/drivers/char/sonypi.c 2010-09-17 20:12:09.000000000 -0400
23950 @@ -491,7 +491,7 @@ static struct sonypi_device {
23951 spinlock_t fifo_lock;
23952 wait_queue_head_t fifo_proc_list;
23953 struct fasync_struct *fifo_async;
23955 + atomic_t open_count;
23957 struct input_dev *input_jog_dev;
23958 struct input_dev *input_key_dev;
23959 @@ -898,7 +898,7 @@ static int sonypi_misc_fasync(int fd, st
23960 static int sonypi_misc_release(struct inode *inode, struct file *file)
23962 mutex_lock(&sonypi_device.lock);
23963 - sonypi_device.open_count--;
23964 + atomic_dec(&sonypi_device.open_count);
23965 mutex_unlock(&sonypi_device.lock);
23968 @@ -907,9 +907,9 @@ static int sonypi_misc_open(struct inode
23970 mutex_lock(&sonypi_device.lock);
23971 /* Flush input queue on first open */
23972 - if (!sonypi_device.open_count)
23973 + if (!atomic_read(&sonypi_device.open_count))
23974 kfifo_reset(&sonypi_device.fifo);
23975 - sonypi_device.open_count++;
23976 + atomic_inc(&sonypi_device.open_count);
23977 mutex_unlock(&sonypi_device.lock);
23980 diff -urNp linux-2.6.35.4/drivers/char/tpm/tpm_bios.c linux-2.6.35.4/drivers/char/tpm/tpm_bios.c
23981 --- linux-2.6.35.4/drivers/char/tpm/tpm_bios.c 2010-08-26 19:47:12.000000000 -0400
23982 +++ linux-2.6.35.4/drivers/char/tpm/tpm_bios.c 2010-09-17 20:12:09.000000000 -0400
23983 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
23986 if ((event->event_type == 0 && event->event_size == 0) ||
23987 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
23988 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
23992 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
23995 if ((event->event_type == 0 && event->event_size == 0) ||
23996 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
23997 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
24001 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
24004 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
24005 - seq_putc(m, data[i]);
24006 + if (!seq_putc(m, data[i]))
24011 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
24012 log->bios_event_log_end = log->bios_event_log + len;
24014 virt = acpi_os_map_memory(start, len);
24016 + kfree(log->bios_event_log);
24017 + log->bios_event_log = NULL;
24021 memcpy(log->bios_event_log, virt, len);
24023 diff -urNp linux-2.6.35.4/drivers/char/tty_io.c linux-2.6.35.4/drivers/char/tty_io.c
24024 --- linux-2.6.35.4/drivers/char/tty_io.c 2010-08-26 19:47:12.000000000 -0400
24025 +++ linux-2.6.35.4/drivers/char/tty_io.c 2010-09-17 20:12:09.000000000 -0400
24026 @@ -136,20 +136,10 @@ LIST_HEAD(tty_drivers); /* linked list
24027 DEFINE_MUTEX(tty_mutex);
24028 EXPORT_SYMBOL(tty_mutex);
24030 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
24031 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
24032 ssize_t redirected_tty_write(struct file *, const char __user *,
24034 -static unsigned int tty_poll(struct file *, poll_table *);
24035 static int tty_open(struct inode *, struct file *);
24036 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
24037 -#ifdef CONFIG_COMPAT
24038 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24039 - unsigned long arg);
24041 -#define tty_compat_ioctl NULL
24043 -static int tty_fasync(int fd, struct file *filp, int on);
24044 static void release_tty(struct tty_struct *tty, int idx);
24045 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24046 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24047 @@ -871,7 +861,7 @@ EXPORT_SYMBOL(start_tty);
24048 * read calls may be outstanding in parallel.
24051 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24052 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24056 @@ -899,6 +889,8 @@ static ssize_t tty_read(struct file *fil
24060 +EXPORT_SYMBOL(tty_read);
24062 void tty_write_unlock(struct tty_struct *tty)
24064 mutex_unlock(&tty->atomic_write_lock);
24065 @@ -1048,7 +1040,7 @@ void tty_write_message(struct tty_struct
24066 * write method will not be invoked in parallel for each device.
24069 -static ssize_t tty_write(struct file *file, const char __user *buf,
24070 +ssize_t tty_write(struct file *file, const char __user *buf,
24071 size_t count, loff_t *ppos)
24073 struct tty_struct *tty;
24074 @@ -1075,6 +1067,8 @@ static ssize_t tty_write(struct file *fi
24078 +EXPORT_SYMBOL(tty_write);
24080 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
24081 size_t count, loff_t *ppos)
24083 @@ -1897,6 +1891,8 @@ got_driver:
24087 +EXPORT_SYMBOL(tty_release);
24090 * tty_poll - check tty status
24091 * @filp: file being polled
24092 @@ -1909,7 +1905,7 @@ got_driver:
24093 * may be re-entered freely by other callers.
24096 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
24097 +unsigned int tty_poll(struct file *filp, poll_table *wait)
24099 struct tty_struct *tty;
24100 struct tty_ldisc *ld;
24101 @@ -1926,7 +1922,9 @@ static unsigned int tty_poll(struct file
24105 -static int tty_fasync(int fd, struct file *filp, int on)
24106 +EXPORT_SYMBOL(tty_poll);
24108 +int tty_fasync(int fd, struct file *filp, int on)
24110 struct tty_struct *tty;
24111 unsigned long flags;
24112 @@ -1970,6 +1968,8 @@ out:
24116 +EXPORT_SYMBOL(tty_fasync);
24119 * tiocsti - fake input character
24120 * @tty: tty to fake input into
24121 @@ -2602,8 +2602,10 @@ long tty_ioctl(struct file *file, unsign
24125 +EXPORT_SYMBOL(tty_ioctl);
24127 #ifdef CONFIG_COMPAT
24128 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24129 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
24132 struct inode *inode = file->f_dentry->d_inode;
24133 @@ -2627,6 +2629,9 @@ static long tty_compat_ioctl(struct file
24138 +EXPORT_SYMBOL(tty_compat_ioctl);
24143 @@ -3070,11 +3075,6 @@ struct tty_struct *get_current_tty(void)
24145 EXPORT_SYMBOL_GPL(get_current_tty);
24147 -void tty_default_fops(struct file_operations *fops)
24149 - *fops = tty_fops;
24153 * Initialize the console device. This is called *early*, so
24154 * we can't necessarily depend on lots of kernel help here.
24155 diff -urNp linux-2.6.35.4/drivers/char/tty_ldisc.c linux-2.6.35.4/drivers/char/tty_ldisc.c
24156 --- linux-2.6.35.4/drivers/char/tty_ldisc.c 2010-08-26 19:47:12.000000000 -0400
24157 +++ linux-2.6.35.4/drivers/char/tty_ldisc.c 2010-09-17 20:12:09.000000000 -0400
24158 @@ -75,7 +75,7 @@ static void put_ldisc(struct tty_ldisc *
24159 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
24160 struct tty_ldisc_ops *ldo = ld->ops;
24163 + atomic_dec(&ldo->refcount);
24164 module_put(ldo->owner);
24165 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24167 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
24168 spin_lock_irqsave(&tty_ldisc_lock, flags);
24169 tty_ldiscs[disc] = new_ldisc;
24170 new_ldisc->num = disc;
24171 - new_ldisc->refcount = 0;
24172 + atomic_set(&new_ldisc->refcount, 0);
24173 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24176 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
24179 spin_lock_irqsave(&tty_ldisc_lock, flags);
24180 - if (tty_ldiscs[disc]->refcount)
24181 + if (atomic_read(&tty_ldiscs[disc]->refcount))
24184 tty_ldiscs[disc] = NULL;
24185 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
24187 ret = ERR_PTR(-EAGAIN);
24188 if (try_module_get(ldops->owner)) {
24189 - ldops->refcount++;
24190 + atomic_inc(&ldops->refcount);
24194 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
24195 unsigned long flags;
24197 spin_lock_irqsave(&tty_ldisc_lock, flags);
24198 - ldops->refcount--;
24199 + atomic_dec(&ldops->refcount);
24200 module_put(ldops->owner);
24201 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24203 diff -urNp linux-2.6.35.4/drivers/char/vt_ioctl.c linux-2.6.35.4/drivers/char/vt_ioctl.c
24204 --- linux-2.6.35.4/drivers/char/vt_ioctl.c 2010-08-26 19:47:12.000000000 -0400
24205 +++ linux-2.6.35.4/drivers/char/vt_ioctl.c 2010-09-17 20:12:37.000000000 -0400
24206 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24207 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
24210 - if (!capable(CAP_SYS_TTY_CONFIG))
24215 key_map = key_maps[s];
24216 @@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24217 val = (i ? K_HOLE : K_NOSUCHMAP);
24218 return put_user(val, &user_kbe->kb_value);
24220 + if (!capable(CAP_SYS_TTY_CONFIG))
24226 if (!i && v == K_NOSUCHMAP) {
24227 /* deallocate map */
24228 key_map = key_maps[s];
24229 @@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
24233 - if (!capable(CAP_SYS_TTY_CONFIG))
24236 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
24239 @@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
24241 return ((p && *p) ? -EOVERFLOW : 0);
24243 + if (!capable(CAP_SYS_TTY_CONFIG))
24249 diff -urNp linux-2.6.35.4/drivers/cpuidle/sysfs.c linux-2.6.35.4/drivers/cpuidle/sysfs.c
24250 --- linux-2.6.35.4/drivers/cpuidle/sysfs.c 2010-08-26 19:47:12.000000000 -0400
24251 +++ linux-2.6.35.4/drivers/cpuidle/sysfs.c 2010-09-17 20:12:09.000000000 -0400
24252 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
24253 .release = cpuidle_state_sysfs_release,
24256 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24257 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24259 kobject_put(&device->kobjs[i]->kobj);
24260 wait_for_completion(&device->kobjs[i]->kobj_unregister);
24261 diff -urNp linux-2.6.35.4/drivers/edac/edac_core.h linux-2.6.35.4/drivers/edac/edac_core.h
24262 --- linux-2.6.35.4/drivers/edac/edac_core.h 2010-08-26 19:47:12.000000000 -0400
24263 +++ linux-2.6.35.4/drivers/edac/edac_core.h 2010-09-17 20:12:09.000000000 -0400
24264 @@ -100,11 +100,11 @@ extern const char *edac_mem_types[];
24266 #else /* !CONFIG_EDAC_DEBUG */
24268 -#define debugf0( ... )
24269 -#define debugf1( ... )
24270 -#define debugf2( ... )
24271 -#define debugf3( ... )
24272 -#define debugf4( ... )
24273 +#define debugf0( ... ) do {} while (0)
24274 +#define debugf1( ... ) do {} while (0)
24275 +#define debugf2( ... ) do {} while (0)
24276 +#define debugf3( ... ) do {} while (0)
24277 +#define debugf4( ... ) do {} while (0)
24279 #endif /* !CONFIG_EDAC_DEBUG */
24281 diff -urNp linux-2.6.35.4/drivers/edac/edac_mc_sysfs.c linux-2.6.35.4/drivers/edac/edac_mc_sysfs.c
24282 --- linux-2.6.35.4/drivers/edac/edac_mc_sysfs.c 2010-08-26 19:47:12.000000000 -0400
24283 +++ linux-2.6.35.4/drivers/edac/edac_mc_sysfs.c 2010-09-17 20:12:09.000000000 -0400
24284 @@ -776,7 +776,7 @@ static void edac_inst_grp_release(struct
24287 /* Intermediate show/store table */
24288 -static struct sysfs_ops inst_grp_ops = {
24289 +static const struct sysfs_ops inst_grp_ops = {
24290 .show = inst_grp_show,
24291 .store = inst_grp_store
24293 diff -urNp linux-2.6.35.4/drivers/firewire/core-cdev.c linux-2.6.35.4/drivers/firewire/core-cdev.c
24294 --- linux-2.6.35.4/drivers/firewire/core-cdev.c 2010-08-26 19:47:12.000000000 -0400
24295 +++ linux-2.6.35.4/drivers/firewire/core-cdev.c 2010-09-17 20:12:09.000000000 -0400
24296 @@ -1195,8 +1195,7 @@ static int init_iso_resource(struct clie
24299 if ((request->channels == 0 && request->bandwidth == 0) ||
24300 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
24301 - request->bandwidth < 0)
24302 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
24305 r = kmalloc(sizeof(*r), GFP_KERNEL);
24306 diff -urNp linux-2.6.35.4/drivers/firmware/dmi_scan.c linux-2.6.35.4/drivers/firmware/dmi_scan.c
24307 --- linux-2.6.35.4/drivers/firmware/dmi_scan.c 2010-08-26 19:47:12.000000000 -0400
24308 +++ linux-2.6.35.4/drivers/firmware/dmi_scan.c 2010-09-17 20:12:09.000000000 -0400
24309 @@ -387,11 +387,6 @@ void __init dmi_scan_machine(void)
24314 - * no iounmap() for that ioremap(); it would be a no-op, but
24315 - * it's so early in setup that sucker gets confused into doing
24316 - * what it shouldn't if we actually call it.
24318 p = dmi_ioremap(0xF0000, 0x10000);
24321 diff -urNp linux-2.6.35.4/drivers/gpu/drm/drm_drv.c linux-2.6.35.4/drivers/gpu/drm/drm_drv.c
24322 --- linux-2.6.35.4/drivers/gpu/drm/drm_drv.c 2010-08-26 19:47:12.000000000 -0400
24323 +++ linux-2.6.35.4/drivers/gpu/drm/drm_drv.c 2010-09-17 20:12:09.000000000 -0400
24324 @@ -449,7 +449,7 @@ long drm_ioctl(struct file *filp,
24326 dev = file_priv->minor->dev;
24327 atomic_inc(&dev->ioctl_count);
24328 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
24329 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
24330 ++file_priv->ioctl_count;
24332 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
24333 diff -urNp linux-2.6.35.4/drivers/gpu/drm/drm_fops.c linux-2.6.35.4/drivers/gpu/drm/drm_fops.c
24334 --- linux-2.6.35.4/drivers/gpu/drm/drm_fops.c 2010-08-26 19:47:12.000000000 -0400
24335 +++ linux-2.6.35.4/drivers/gpu/drm/drm_fops.c 2010-09-17 20:12:09.000000000 -0400
24336 @@ -67,7 +67,7 @@ static int drm_setup(struct drm_device *
24339 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
24340 - atomic_set(&dev->counts[i], 0);
24341 + atomic_set_unchecked(&dev->counts[i], 0);
24343 dev->sigdata.lock = NULL;
24345 @@ -131,9 +131,9 @@ int drm_open(struct inode *inode, struct
24347 retcode = drm_open_helper(inode, filp, dev);
24349 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
24350 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
24351 spin_lock(&dev->count_lock);
24352 - if (!dev->open_count++) {
24353 + if (atomic_inc_return(&dev->open_count) == 1) {
24354 spin_unlock(&dev->count_lock);
24355 retcode = drm_setup(dev);
24357 @@ -474,7 +474,7 @@ int drm_release(struct inode *inode, str
24361 - DRM_DEBUG("open_count = %d\n", dev->open_count);
24362 + DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
24364 if (dev->driver->preclose)
24365 dev->driver->preclose(dev, file_priv);
24366 @@ -486,7 +486,7 @@ int drm_release(struct inode *inode, str
24367 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
24368 task_pid_nr(current),
24369 (long)old_encode_dev(file_priv->minor->device),
24370 - dev->open_count);
24371 + atomic_read(&dev->open_count));
24373 /* if the master has gone away we can't do anything with the lock */
24374 if (file_priv->minor->master)
24375 @@ -567,9 +567,9 @@ int drm_release(struct inode *inode, str
24376 * End inline drm_release
24379 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
24380 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
24381 spin_lock(&dev->count_lock);
24382 - if (!--dev->open_count) {
24383 + if (atomic_dec_and_test(&dev->open_count)) {
24384 if (atomic_read(&dev->ioctl_count)) {
24385 DRM_ERROR("Device busy: %d\n",
24386 atomic_read(&dev->ioctl_count));
24387 diff -urNp linux-2.6.35.4/drivers/gpu/drm/drm_ioctl.c linux-2.6.35.4/drivers/gpu/drm/drm_ioctl.c
24388 --- linux-2.6.35.4/drivers/gpu/drm/drm_ioctl.c 2010-08-26 19:47:12.000000000 -0400
24389 +++ linux-2.6.35.4/drivers/gpu/drm/drm_ioctl.c 2010-09-17 20:12:09.000000000 -0400
24390 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
24391 stats->data[i].value =
24392 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
24394 - stats->data[i].value = atomic_read(&dev->counts[i]);
24395 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
24396 stats->data[i].type = dev->types[i];
24399 diff -urNp linux-2.6.35.4/drivers/gpu/drm/drm_lock.c linux-2.6.35.4/drivers/gpu/drm/drm_lock.c
24400 --- linux-2.6.35.4/drivers/gpu/drm/drm_lock.c 2010-08-26 19:47:12.000000000 -0400
24401 +++ linux-2.6.35.4/drivers/gpu/drm/drm_lock.c 2010-09-17 20:12:09.000000000 -0400
24402 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
24403 if (drm_lock_take(&master->lock, lock->context)) {
24404 master->lock.file_priv = file_priv;
24405 master->lock.lock_time = jiffies;
24406 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
24407 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
24408 break; /* Got lock */
24411 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
24415 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
24416 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
24418 /* kernel_context_switch isn't used by any of the x86 drm
24419 * modules but is required by the Sparc driver.
24420 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i810/i810_dma.c linux-2.6.35.4/drivers/gpu/drm/i810/i810_dma.c
24421 --- linux-2.6.35.4/drivers/gpu/drm/i810/i810_dma.c 2010-08-26 19:47:12.000000000 -0400
24422 +++ linux-2.6.35.4/drivers/gpu/drm/i810/i810_dma.c 2010-09-17 20:12:09.000000000 -0400
24423 @@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
24424 dma->buflist[vertex->idx],
24425 vertex->discard, vertex->used);
24427 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24428 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24429 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24430 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24431 sarea_priv->last_enqueue = dev_priv->counter - 1;
24432 sarea_priv->last_dispatch = (int)hw_status[5];
24434 @@ -1116,8 +1116,8 @@ static int i810_dma_mc(struct drm_device
24435 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
24438 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24439 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24440 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24441 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24442 sarea_priv->last_enqueue = dev_priv->counter - 1;
24443 sarea_priv->last_dispatch = (int)hw_status[5];
24445 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7017.c
24446 --- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7017.c 2010-08-26 19:47:12.000000000 -0400
24447 +++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7017.c 2010-09-17 20:12:09.000000000 -0400
24448 @@ -402,7 +402,7 @@ static void ch7017_destroy(struct intel_
24452 -struct intel_dvo_dev_ops ch7017_ops = {
24453 +const struct intel_dvo_dev_ops ch7017_ops = {
24454 .init = ch7017_init,
24455 .detect = ch7017_detect,
24456 .mode_valid = ch7017_mode_valid,
24457 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7xxx.c
24458 --- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-08-26 19:47:12.000000000 -0400
24459 +++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-09-17 20:12:09.000000000 -0400
24460 @@ -322,7 +322,7 @@ static void ch7xxx_destroy(struct intel_
24464 -struct intel_dvo_dev_ops ch7xxx_ops = {
24465 +const struct intel_dvo_dev_ops ch7xxx_ops = {
24466 .init = ch7xxx_init,
24467 .detect = ch7xxx_detect,
24468 .mode_valid = ch7xxx_mode_valid,
24469 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo.h linux-2.6.35.4/drivers/gpu/drm/i915/dvo.h
24470 --- linux-2.6.35.4/drivers/gpu/drm/i915/dvo.h 2010-08-26 19:47:12.000000000 -0400
24471 +++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo.h 2010-09-17 20:12:09.000000000 -0400
24472 @@ -125,23 +125,23 @@ struct intel_dvo_dev_ops {
24474 * \return singly-linked list of modes or NULL if no modes found.
24476 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
24477 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
24480 * Clean up driver-specific bits of the output
24482 - void (*destroy) (struct intel_dvo_device *dvo);
24483 + void (* const destroy) (struct intel_dvo_device *dvo);
24486 * Debugging hook to dump device registers to log file
24488 - void (*dump_regs)(struct intel_dvo_device *dvo);
24489 + void (* const dump_regs)(struct intel_dvo_device *dvo);
24492 -extern struct intel_dvo_dev_ops sil164_ops;
24493 -extern struct intel_dvo_dev_ops ch7xxx_ops;
24494 -extern struct intel_dvo_dev_ops ivch_ops;
24495 -extern struct intel_dvo_dev_ops tfp410_ops;
24496 -extern struct intel_dvo_dev_ops ch7017_ops;
24497 +extern const struct intel_dvo_dev_ops sil164_ops;
24498 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
24499 +extern const struct intel_dvo_dev_ops ivch_ops;
24500 +extern const struct intel_dvo_dev_ops tfp410_ops;
24501 +extern const struct intel_dvo_dev_ops ch7017_ops;
24503 #endif /* _INTEL_DVO_H */
24504 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ivch.c
24505 --- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ivch.c 2010-08-26 19:47:12.000000000 -0400
24506 +++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ivch.c 2010-09-17 20:12:09.000000000 -0400
24507 @@ -412,7 +412,7 @@ static void ivch_destroy(struct intel_dv
24511 -struct intel_dvo_dev_ops ivch_ops= {
24512 +const struct intel_dvo_dev_ops ivch_ops= {
24515 .mode_valid = ivch_mode_valid,
24516 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_sil164.c
24517 --- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_sil164.c 2010-08-26 19:47:12.000000000 -0400
24518 +++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_sil164.c 2010-09-17 20:12:09.000000000 -0400
24519 @@ -254,7 +254,7 @@ static void sil164_destroy(struct intel_
24523 -struct intel_dvo_dev_ops sil164_ops = {
24524 +const struct intel_dvo_dev_ops sil164_ops = {
24525 .init = sil164_init,
24526 .detect = sil164_detect,
24527 .mode_valid = sil164_mode_valid,
24528 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_tfp410.c
24529 --- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_tfp410.c 2010-08-26 19:47:12.000000000 -0400
24530 +++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_tfp410.c 2010-09-17 20:12:09.000000000 -0400
24531 @@ -295,7 +295,7 @@ static void tfp410_destroy(struct intel_
24535 -struct intel_dvo_dev_ops tfp410_ops = {
24536 +const struct intel_dvo_dev_ops tfp410_ops = {
24537 .init = tfp410_init,
24538 .detect = tfp410_detect,
24539 .mode_valid = tfp410_mode_valid,
24540 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/i915_dma.c linux-2.6.35.4/drivers/gpu/drm/i915/i915_dma.c
24541 --- linux-2.6.35.4/drivers/gpu/drm/i915/i915_dma.c 2010-08-26 19:47:12.000000000 -0400
24542 +++ linux-2.6.35.4/drivers/gpu/drm/i915/i915_dma.c 2010-09-17 20:12:09.000000000 -0400
24543 @@ -1342,7 +1342,7 @@ static bool i915_switcheroo_can_switch(s
24546 spin_lock(&dev->count_lock);
24547 - can_switch = (dev->open_count == 0);
24548 + can_switch = (atomic_read(&dev->open_count) == 0);
24549 spin_unlock(&dev->count_lock);
24552 diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/i915_drv.c linux-2.6.35.4/drivers/gpu/drm/i915/i915_drv.c
24553 --- linux-2.6.35.4/drivers/gpu/drm/i915/i915_drv.c 2010-08-26 19:47:12.000000000 -0400
24554 +++ linux-2.6.35.4/drivers/gpu/drm/i915/i915_drv.c 2010-09-17 20:12:09.000000000 -0400
24555 @@ -491,7 +491,7 @@ const struct dev_pm_ops i915_pm_ops = {
24556 .restore = i915_pm_resume,
24559 -static struct vm_operations_struct i915_gem_vm_ops = {
24560 +static const struct vm_operations_struct i915_gem_vm_ops = {
24561 .fault = i915_gem_fault,
24562 .open = drm_gem_vm_open,
24563 .close = drm_gem_vm_close,
24564 diff -urNp linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_backlight.c
24565 --- linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-08-26 19:47:12.000000000 -0400
24566 +++ linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-09-17 20:12:09.000000000 -0400
24567 @@ -58,7 +58,7 @@ static int nv40_set_intensity(struct bac
24571 -static struct backlight_ops nv40_bl_ops = {
24572 +static const struct backlight_ops nv40_bl_ops = {
24573 .options = BL_CORE_SUSPENDRESUME,
24574 .get_brightness = nv40_get_intensity,
24575 .update_status = nv40_set_intensity,
24576 @@ -81,7 +81,7 @@ static int nv50_set_intensity(struct bac
24580 -static struct backlight_ops nv50_bl_ops = {
24581 +static const struct backlight_ops nv50_bl_ops = {
24582 .options = BL_CORE_SUSPENDRESUME,
24583 .get_brightness = nv50_get_intensity,
24584 .update_status = nv50_set_intensity,
24585 diff -urNp linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_state.c
24586 --- linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_state.c 2010-08-26 19:47:12.000000000 -0400
24587 +++ linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_state.c 2010-09-17 20:12:09.000000000 -0400
24588 @@ -395,7 +395,7 @@ static bool nouveau_switcheroo_can_switc
24591 spin_lock(&dev->count_lock);
24592 - can_switch = (dev->open_count == 0);
24593 + can_switch = (atomic_read(&dev->open_count) == 0);
24594 spin_unlock(&dev->count_lock);
24597 diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.35.4/drivers/gpu/drm/radeon/mkregtable.c
24598 --- linux-2.6.35.4/drivers/gpu/drm/radeon/mkregtable.c 2010-08-26 19:47:12.000000000 -0400
24599 +++ linux-2.6.35.4/drivers/gpu/drm/radeon/mkregtable.c 2010-09-17 20:12:09.000000000 -0400
24600 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
24602 regmatch_t match[4];
24610 struct offset *offset;
24611 char last_reg_s[10];
24613 + unsigned long last_reg;
24616 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
24617 diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_device.c
24618 --- linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_device.c 2010-08-26 19:47:12.000000000 -0400
24619 +++ linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_device.c 2010-09-17 20:12:09.000000000 -0400
24620 @@ -562,7 +562,7 @@ static bool radeon_switcheroo_can_switch
24623 spin_lock(&dev->count_lock);
24624 - can_switch = (dev->open_count == 0);
24625 + can_switch = (atomic_read(&dev->open_count) == 0);
24626 spin_unlock(&dev->count_lock);
24629 diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_display.c
24630 --- linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_display.c 2010-08-26 19:47:12.000000000 -0400
24631 +++ linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_display.c 2010-09-17 20:12:09.000000000 -0400
24632 @@ -559,7 +559,7 @@ static void radeon_compute_pll_legacy(st
24634 if (pll->flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
24635 error = freq - current_freq;
24636 - error = error < 0 ? 0xffffffff : error;
24637 + error = (int32_t)error < 0 ? 0xffffffff : error;
24639 error = abs(current_freq - freq);
24640 vco_diff = abs(vco - best_vco);
24641 diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_state.c
24642 --- linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_state.c 2010-08-26 19:47:12.000000000 -0400
24643 +++ linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_state.c 2010-09-17 20:12:09.000000000 -0400
24644 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
24645 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
24646 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
24648 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24649 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24650 sarea_priv->nbox * sizeof(depth_boxes[0])))
24653 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
24655 drm_radeon_private_t *dev_priv = dev->dev_private;
24656 drm_radeon_getparam_t *param = data;
24660 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
24662 diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_ttm.c
24663 --- linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_ttm.c 2010-08-26 19:47:12.000000000 -0400
24664 +++ linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_ttm.c 2010-09-17 20:12:09.000000000 -0400
24665 @@ -601,8 +601,9 @@ void radeon_ttm_fini(struct radeon_devic
24666 DRM_INFO("radeon: ttm finalized\n");
24669 -static struct vm_operations_struct radeon_ttm_vm_ops;
24670 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
24671 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
24672 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
24673 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
24675 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24677 @@ -610,17 +611,22 @@ static int radeon_ttm_fault(struct vm_ar
24678 struct radeon_device *rdev;
24681 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
24682 - if (bo == NULL) {
24683 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
24685 return VM_FAULT_NOPAGE;
24687 rdev = radeon_get_rdev(bo->bdev);
24688 mutex_lock(&rdev->vram_mutex);
24689 - r = ttm_vm_ops->fault(vma, vmf);
24690 + r = ttm_bo_vm_fault(vma, vmf);
24691 mutex_unlock(&rdev->vram_mutex);
24695 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
24696 + .fault = radeon_ttm_fault,
24697 + .open = ttm_bo_vm_open,
24698 + .close = ttm_bo_vm_close
24701 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
24703 struct drm_file *file_priv;
24704 @@ -633,18 +639,11 @@ int radeon_mmap(struct file *filp, struc
24706 file_priv = (struct drm_file *)filp->private_data;
24707 rdev = file_priv->minor->dev->dev_private;
24708 - if (rdev == NULL) {
24712 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
24713 - if (unlikely(r != 0)) {
24717 - if (unlikely(ttm_vm_ops == NULL)) {
24718 - ttm_vm_ops = vma->vm_ops;
24719 - radeon_ttm_vm_ops = *ttm_vm_ops;
24720 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
24722 vma->vm_ops = &radeon_ttm_vm_ops;
24725 diff -urNp linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo.c
24726 --- linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo.c 2010-08-26 19:47:12.000000000 -0400
24727 +++ linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo.c 2010-09-17 20:12:09.000000000 -0400
24729 #include <linux/module.h>
24731 #define TTM_ASSERT_LOCKED(param)
24732 -#define TTM_DEBUG(fmt, arg...)
24733 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
24734 #define TTM_BO_HASH_ORDER 13
24736 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
24737 diff -urNp linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo_vm.c
24738 --- linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-08-26 19:47:12.000000000 -0400
24739 +++ linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-09-17 20:12:09.000000000 -0400
24740 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
24744 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24745 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24747 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
24748 vma->vm_private_data;
24749 - struct ttm_bo_device *bdev = bo->bdev;
24750 + struct ttm_bo_device *bdev;
24751 unsigned long page_offset;
24752 unsigned long page_last;
24754 @@ -84,6 +84,10 @@ static int ttm_bo_vm_fault(struct vm_are
24755 unsigned long address = (unsigned long)vmf->virtual_address;
24756 int retval = VM_FAULT_NOPAGE;
24759 + return VM_FAULT_NOPAGE;
24763 * Work around locking order reversal in fault / nopfn
24764 * between mmap_sem and bo_reserve: Perform a trylock operation
24765 @@ -213,7 +217,7 @@ out_unlock:
24769 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
24770 +void ttm_bo_vm_open(struct vm_area_struct *vma)
24772 struct ttm_buffer_object *bo =
24773 (struct ttm_buffer_object *)vma->vm_private_data;
24774 @@ -221,7 +225,7 @@ static void ttm_bo_vm_open(struct vm_are
24775 (void)ttm_bo_reference(bo);
24778 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
24779 +void ttm_bo_vm_close(struct vm_area_struct *vma)
24781 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
24783 diff -urNp linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_global.c
24784 --- linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_global.c 2010-08-26 19:47:12.000000000 -0400
24785 +++ linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_global.c 2010-09-17 20:12:09.000000000 -0400
24787 struct ttm_global_item {
24788 struct mutex mutex;
24791 + atomic_t refcount;
24794 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
24795 @@ -49,7 +49,7 @@ void ttm_global_init(void)
24796 struct ttm_global_item *item = &glob[i];
24797 mutex_init(&item->mutex);
24798 item->object = NULL;
24799 - item->refcount = 0;
24800 + atomic_set(&item->refcount, 0);
24804 @@ -59,7 +59,7 @@ void ttm_global_release(void)
24805 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
24806 struct ttm_global_item *item = &glob[i];
24807 BUG_ON(item->object != NULL);
24808 - BUG_ON(item->refcount != 0);
24809 + BUG_ON(atomic_read(&item->refcount) != 0);
24813 @@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
24816 mutex_lock(&item->mutex);
24817 - if (item->refcount == 0) {
24818 + if (atomic_read(&item->refcount) == 0) {
24819 item->object = kzalloc(ref->size, GFP_KERNEL);
24820 if (unlikely(item->object == NULL)) {
24822 @@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
24826 - ++item->refcount;
24827 + atomic_inc(&item->refcount);
24828 ref->object = item->object;
24829 object = item->object;
24830 mutex_unlock(&item->mutex);
24831 @@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
24832 struct ttm_global_item *item = &glob[ref->global_type];
24834 mutex_lock(&item->mutex);
24835 - BUG_ON(item->refcount == 0);
24836 + BUG_ON(atomic_read(&item->refcount) == 0);
24837 BUG_ON(ref->object != item->object);
24838 - if (--item->refcount == 0) {
24839 + if (atomic_dec_and_test(&item->refcount)) {
24841 item->object = NULL;
24843 diff -urNp linux-2.6.35.4/drivers/hid/usbhid/hiddev.c linux-2.6.35.4/drivers/hid/usbhid/hiddev.c
24844 --- linux-2.6.35.4/drivers/hid/usbhid/hiddev.c 2010-08-26 19:47:12.000000000 -0400
24845 +++ linux-2.6.35.4/drivers/hid/usbhid/hiddev.c 2010-09-17 20:12:09.000000000 -0400
24846 @@ -616,7 +616,7 @@ static long hiddev_ioctl(struct file *fi
24847 return put_user(HID_VERSION, (int __user *)arg);
24849 case HIDIOCAPPLICATION:
24850 - if (arg < 0 || arg >= hid->maxapplication)
24851 + if (arg >= hid->maxapplication)
24854 for (i = 0; i < hid->maxcollection; i++)
24855 diff -urNp linux-2.6.35.4/drivers/hwmon/k8temp.c linux-2.6.35.4/drivers/hwmon/k8temp.c
24856 --- linux-2.6.35.4/drivers/hwmon/k8temp.c 2010-08-26 19:47:12.000000000 -0400
24857 +++ linux-2.6.35.4/drivers/hwmon/k8temp.c 2010-09-17 20:12:09.000000000 -0400
24858 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
24860 static const struct pci_device_id k8temp_ids[] = {
24861 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
24863 + { 0, 0, 0, 0, 0, 0, 0 },
24866 MODULE_DEVICE_TABLE(pci, k8temp_ids);
24867 diff -urNp linux-2.6.35.4/drivers/hwmon/sis5595.c linux-2.6.35.4/drivers/hwmon/sis5595.c
24868 --- linux-2.6.35.4/drivers/hwmon/sis5595.c 2010-08-26 19:47:12.000000000 -0400
24869 +++ linux-2.6.35.4/drivers/hwmon/sis5595.c 2010-09-17 20:12:09.000000000 -0400
24870 @@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
24872 static const struct pci_device_id sis5595_pci_ids[] = {
24873 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24875 + { 0, 0, 0, 0, 0, 0, 0 }
24878 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
24879 diff -urNp linux-2.6.35.4/drivers/hwmon/via686a.c linux-2.6.35.4/drivers/hwmon/via686a.c
24880 --- linux-2.6.35.4/drivers/hwmon/via686a.c 2010-08-26 19:47:12.000000000 -0400
24881 +++ linux-2.6.35.4/drivers/hwmon/via686a.c 2010-09-17 20:12:09.000000000 -0400
24882 @@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
24884 static const struct pci_device_id via686a_pci_ids[] = {
24885 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
24887 + { 0, 0, 0, 0, 0, 0, 0 }
24890 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
24891 diff -urNp linux-2.6.35.4/drivers/hwmon/vt8231.c linux-2.6.35.4/drivers/hwmon/vt8231.c
24892 --- linux-2.6.35.4/drivers/hwmon/vt8231.c 2010-08-26 19:47:12.000000000 -0400
24893 +++ linux-2.6.35.4/drivers/hwmon/vt8231.c 2010-09-17 20:12:09.000000000 -0400
24894 @@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
24896 static const struct pci_device_id vt8231_pci_ids[] = {
24897 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
24899 + { 0, 0, 0, 0, 0, 0, 0 }
24902 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
24903 diff -urNp linux-2.6.35.4/drivers/hwmon/w83791d.c linux-2.6.35.4/drivers/hwmon/w83791d.c
24904 --- linux-2.6.35.4/drivers/hwmon/w83791d.c 2010-08-26 19:47:12.000000000 -0400
24905 +++ linux-2.6.35.4/drivers/hwmon/w83791d.c 2010-09-17 20:12:09.000000000 -0400
24906 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
24907 struct i2c_board_info *info);
24908 static int w83791d_remove(struct i2c_client *client);
24910 -static int w83791d_read(struct i2c_client *client, u8 register);
24911 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
24912 +static int w83791d_read(struct i2c_client *client, u8 reg);
24913 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
24914 static struct w83791d_data *w83791d_update_device(struct device *dev);
24917 diff -urNp linux-2.6.35.4/drivers/i2c/busses/i2c-i801.c linux-2.6.35.4/drivers/i2c/busses/i2c-i801.c
24918 --- linux-2.6.35.4/drivers/i2c/busses/i2c-i801.c 2010-08-26 19:47:12.000000000 -0400
24919 +++ linux-2.6.35.4/drivers/i2c/busses/i2c-i801.c 2010-09-17 20:12:09.000000000 -0400
24920 @@ -592,7 +592,7 @@ static const struct pci_device_id i801_i
24921 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
24922 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
24923 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CPT_SMBUS) },
24925 + { 0, 0, 0, 0, 0, 0, 0 }
24928 MODULE_DEVICE_TABLE(pci, i801_ids);
24929 diff -urNp linux-2.6.35.4/drivers/i2c/busses/i2c-piix4.c linux-2.6.35.4/drivers/i2c/busses/i2c-piix4.c
24930 --- linux-2.6.35.4/drivers/i2c/busses/i2c-piix4.c 2010-08-26 19:47:12.000000000 -0400
24931 +++ linux-2.6.35.4/drivers/i2c/busses/i2c-piix4.c 2010-09-17 20:12:09.000000000 -0400
24932 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
24934 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
24937 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
24940 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
24941 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
24942 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
24943 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
24944 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
24946 + { 0, 0, 0, 0, 0, 0, 0 }
24949 MODULE_DEVICE_TABLE (pci, piix4_ids);
24950 diff -urNp linux-2.6.35.4/drivers/i2c/busses/i2c-sis630.c linux-2.6.35.4/drivers/i2c/busses/i2c-sis630.c
24951 --- linux-2.6.35.4/drivers/i2c/busses/i2c-sis630.c 2010-08-26 19:47:12.000000000 -0400
24952 +++ linux-2.6.35.4/drivers/i2c/busses/i2c-sis630.c 2010-09-17 20:12:09.000000000 -0400
24953 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
24954 static const struct pci_device_id sis630_ids[] __devinitconst = {
24955 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24956 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
24958 + { 0, 0, 0, 0, 0, 0, 0 }
24961 MODULE_DEVICE_TABLE (pci, sis630_ids);
24962 diff -urNp linux-2.6.35.4/drivers/i2c/busses/i2c-sis96x.c linux-2.6.35.4/drivers/i2c/busses/i2c-sis96x.c
24963 --- linux-2.6.35.4/drivers/i2c/busses/i2c-sis96x.c 2010-08-26 19:47:12.000000000 -0400
24964 +++ linux-2.6.35.4/drivers/i2c/busses/i2c-sis96x.c 2010-09-17 20:12:09.000000000 -0400
24965 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
24967 static const struct pci_device_id sis96x_ids[] = {
24968 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
24970 + { 0, 0, 0, 0, 0, 0, 0 }
24973 MODULE_DEVICE_TABLE (pci, sis96x_ids);
24974 diff -urNp linux-2.6.35.4/drivers/ide/ide-cd.c linux-2.6.35.4/drivers/ide/ide-cd.c
24975 --- linux-2.6.35.4/drivers/ide/ide-cd.c 2010-08-26 19:47:12.000000000 -0400
24976 +++ linux-2.6.35.4/drivers/ide/ide-cd.c 2010-09-17 20:12:09.000000000 -0400
24977 @@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
24978 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
24979 if ((unsigned long)buf & alignment
24980 || blk_rq_bytes(rq) & q->dma_pad_mask
24981 - || object_is_on_stack(buf))
24982 + || object_starts_on_stack(buf))
24986 diff -urNp linux-2.6.35.4/drivers/ieee1394/dv1394.c linux-2.6.35.4/drivers/ieee1394/dv1394.c
24987 --- linux-2.6.35.4/drivers/ieee1394/dv1394.c 2010-08-26 19:47:12.000000000 -0400
24988 +++ linux-2.6.35.4/drivers/ieee1394/dv1394.c 2010-09-17 20:12:09.000000000 -0400
24989 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
24990 based upon DIF section and sequence
24993 -static void inline
24994 +static inline void
24995 frame_put_packet (struct frame *f, struct packet *p)
24997 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
24998 @@ -2179,7 +2179,7 @@ static const struct ieee1394_device_id d
24999 .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
25000 .version = AVC_SW_VERSION_ENTRY & 0xffffff
25003 + { 0, 0, 0, 0, 0, 0 }
25006 MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
25007 diff -urNp linux-2.6.35.4/drivers/ieee1394/eth1394.c linux-2.6.35.4/drivers/ieee1394/eth1394.c
25008 --- linux-2.6.35.4/drivers/ieee1394/eth1394.c 2010-08-26 19:47:12.000000000 -0400
25009 +++ linux-2.6.35.4/drivers/ieee1394/eth1394.c 2010-09-17 20:12:09.000000000 -0400
25010 @@ -446,7 +446,7 @@ static const struct ieee1394_device_id e
25011 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
25012 .version = ETHER1394_GASP_VERSION,
25015 + { 0, 0, 0, 0, 0, 0 }
25018 MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
25019 diff -urNp linux-2.6.35.4/drivers/ieee1394/hosts.c linux-2.6.35.4/drivers/ieee1394/hosts.c
25020 --- linux-2.6.35.4/drivers/ieee1394/hosts.c 2010-08-26 19:47:12.000000000 -0400
25021 +++ linux-2.6.35.4/drivers/ieee1394/hosts.c 2010-09-17 20:12:09.000000000 -0400
25022 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
25025 static struct hpsb_host_driver dummy_driver = {
25027 .transmit_packet = dummy_transmit_packet,
25028 .devctl = dummy_devctl,
25029 .isoctl = dummy_isoctl
25030 diff -urNp linux-2.6.35.4/drivers/ieee1394/ohci1394.c linux-2.6.35.4/drivers/ieee1394/ohci1394.c
25031 --- linux-2.6.35.4/drivers/ieee1394/ohci1394.c 2010-08-26 19:47:12.000000000 -0400
25032 +++ linux-2.6.35.4/drivers/ieee1394/ohci1394.c 2010-09-17 20:12:09.000000000 -0400
25033 @@ -148,9 +148,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
25034 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
25036 /* Module Parameters */
25037 -static int phys_dma = 1;
25038 +static int phys_dma;
25039 module_param(phys_dma, int, 0444);
25040 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
25041 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
25043 static void dma_trm_tasklet(unsigned long data);
25044 static void dma_trm_reset(struct dma_trm_ctx *d);
25045 @@ -3445,7 +3445,7 @@ static struct pci_device_id ohci1394_pci
25046 .subvendor = PCI_ANY_ID,
25047 .subdevice = PCI_ANY_ID,
25050 + { 0, 0, 0, 0, 0, 0, 0 },
25053 MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
25054 diff -urNp linux-2.6.35.4/drivers/ieee1394/raw1394.c linux-2.6.35.4/drivers/ieee1394/raw1394.c
25055 --- linux-2.6.35.4/drivers/ieee1394/raw1394.c 2010-08-26 19:47:12.000000000 -0400
25056 +++ linux-2.6.35.4/drivers/ieee1394/raw1394.c 2010-09-17 20:12:09.000000000 -0400
25057 @@ -3002,7 +3002,7 @@ static const struct ieee1394_device_id r
25058 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25059 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25060 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
25062 + { 0, 0, 0, 0, 0, 0 }
25065 MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
25066 diff -urNp linux-2.6.35.4/drivers/ieee1394/sbp2.c linux-2.6.35.4/drivers/ieee1394/sbp2.c
25067 --- linux-2.6.35.4/drivers/ieee1394/sbp2.c 2010-08-26 19:47:12.000000000 -0400
25068 +++ linux-2.6.35.4/drivers/ieee1394/sbp2.c 2010-09-17 20:12:09.000000000 -0400
25069 @@ -289,7 +289,7 @@ static const struct ieee1394_device_id s
25070 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25071 .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
25072 .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
25074 + { 0, 0, 0, 0, 0, 0 }
25076 MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
25078 @@ -2110,7 +2110,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
25079 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
25080 MODULE_LICENSE("GPL");
25082 -static int sbp2_module_init(void)
25083 +static int __init sbp2_module_init(void)
25087 diff -urNp linux-2.6.35.4/drivers/ieee1394/video1394.c linux-2.6.35.4/drivers/ieee1394/video1394.c
25088 --- linux-2.6.35.4/drivers/ieee1394/video1394.c 2010-08-26 19:47:12.000000000 -0400
25089 +++ linux-2.6.35.4/drivers/ieee1394/video1394.c 2010-09-17 20:12:09.000000000 -0400
25090 @@ -1312,7 +1312,7 @@ static const struct ieee1394_device_id v
25091 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25092 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
25095 + { 0, 0, 0, 0, 0, 0 }
25098 MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
25099 diff -urNp linux-2.6.35.4/drivers/infiniband/core/cm.c linux-2.6.35.4/drivers/infiniband/core/cm.c
25100 --- linux-2.6.35.4/drivers/infiniband/core/cm.c 2010-08-26 19:47:12.000000000 -0400
25101 +++ linux-2.6.35.4/drivers/infiniband/core/cm.c 2010-09-17 20:12:09.000000000 -0400
25102 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
25104 struct cm_counter_group {
25105 struct kobject obj;
25106 - atomic_long_t counter[CM_ATTR_COUNT];
25107 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
25110 struct cm_counter_attribute {
25111 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
25112 struct ib_mad_send_buf *msg = NULL;
25115 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25116 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25117 counter[CM_REQ_COUNTER]);
25119 /* Quick state check to discard duplicate REQs. */
25120 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
25124 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25125 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25126 counter[CM_REP_COUNTER]);
25127 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
25129 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
25130 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
25131 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
25132 spin_unlock_irq(&cm_id_priv->lock);
25133 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25134 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25135 counter[CM_RTU_COUNTER]);
25138 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
25139 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
25140 dreq_msg->local_comm_id);
25142 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25143 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25144 counter[CM_DREQ_COUNTER]);
25145 cm_issue_drep(work->port, work->mad_recv_wc);
25147 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
25148 case IB_CM_MRA_REP_RCVD:
25150 case IB_CM_TIMEWAIT:
25151 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25152 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25153 counter[CM_DREQ_COUNTER]);
25154 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25156 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
25159 case IB_CM_DREQ_RCVD:
25160 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25161 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25162 counter[CM_DREQ_COUNTER]);
25165 @@ -2502,7 +2502,7 @@ static int cm_mra_handler(struct cm_work
25166 ib_modify_mad(cm_id_priv->av.port->mad_agent,
25167 cm_id_priv->msg, timeout)) {
25168 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
25169 - atomic_long_inc(&work->port->
25170 + atomic_long_inc_unchecked(&work->port->
25171 counter_group[CM_RECV_DUPLICATES].
25172 counter[CM_MRA_COUNTER]);
25174 @@ -2511,7 +2511,7 @@ static int cm_mra_handler(struct cm_work
25176 case IB_CM_MRA_REQ_RCVD:
25177 case IB_CM_MRA_REP_RCVD:
25178 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25179 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25180 counter[CM_MRA_COUNTER]);
25183 @@ -2673,7 +2673,7 @@ static int cm_lap_handler(struct cm_work
25184 case IB_CM_LAP_IDLE:
25186 case IB_CM_MRA_LAP_SENT:
25187 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25188 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25189 counter[CM_LAP_COUNTER]);
25190 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25192 @@ -2689,7 +2689,7 @@ static int cm_lap_handler(struct cm_work
25195 case IB_CM_LAP_RCVD:
25196 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25197 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25198 counter[CM_LAP_COUNTER]);
25201 @@ -2973,7 +2973,7 @@ static int cm_sidr_req_handler(struct cm
25202 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
25203 if (cur_cm_id_priv) {
25204 spin_unlock_irq(&cm.lock);
25205 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25206 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25207 counter[CM_SIDR_REQ_COUNTER]);
25208 goto out; /* Duplicate message. */
25210 @@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
25211 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
25214 - atomic_long_add(1 + msg->retries,
25215 + atomic_long_add_unchecked(1 + msg->retries,
25216 &port->counter_group[CM_XMIT].counter[attr_index]);
25218 - atomic_long_add(msg->retries,
25219 + atomic_long_add_unchecked(msg->retries,
25220 &port->counter_group[CM_XMIT_RETRIES].
25221 counter[attr_index]);
25223 @@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
25226 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
25227 - atomic_long_inc(&port->counter_group[CM_RECV].
25228 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
25229 counter[attr_id - CM_ATTR_ID_OFFSET]);
25231 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
25232 @@ -3595,7 +3595,7 @@ static ssize_t cm_show_counter(struct ko
25233 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
25235 return sprintf(buf, "%ld\n",
25236 - atomic_long_read(&group->counter[cm_attr->index]));
25237 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
25240 static const struct sysfs_ops cm_counter_ops = {
25241 diff -urNp linux-2.6.35.4/drivers/infiniband/hw/qib/qib.h linux-2.6.35.4/drivers/infiniband/hw/qib/qib.h
25242 --- linux-2.6.35.4/drivers/infiniband/hw/qib/qib.h 2010-08-26 19:47:12.000000000 -0400
25243 +++ linux-2.6.35.4/drivers/infiniband/hw/qib/qib.h 2010-09-17 20:12:09.000000000 -0400
25245 #include <linux/completion.h>
25246 #include <linux/kref.h>
25247 #include <linux/sched.h>
25248 +#include <linux/slab.h>
25250 #include "qib_common.h"
25251 #include "qib_verbs.h"
25252 diff -urNp linux-2.6.35.4/drivers/input/keyboard/atkbd.c linux-2.6.35.4/drivers/input/keyboard/atkbd.c
25253 --- linux-2.6.35.4/drivers/input/keyboard/atkbd.c 2010-08-26 19:47:12.000000000 -0400
25254 +++ linux-2.6.35.4/drivers/input/keyboard/atkbd.c 2010-09-17 20:12:09.000000000 -0400
25255 @@ -1240,7 +1240,7 @@ static struct serio_device_id atkbd_seri
25257 .extra = SERIO_ANY,
25263 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
25264 diff -urNp linux-2.6.35.4/drivers/input/mouse/lifebook.c linux-2.6.35.4/drivers/input/mouse/lifebook.c
25265 --- linux-2.6.35.4/drivers/input/mouse/lifebook.c 2010-08-26 19:47:12.000000000 -0400
25266 +++ linux-2.6.35.4/drivers/input/mouse/lifebook.c 2010-09-17 20:12:09.000000000 -0400
25267 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
25268 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
25272 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
25275 void __init lifebook_module_init(void)
25276 diff -urNp linux-2.6.35.4/drivers/input/mouse/psmouse-base.c linux-2.6.35.4/drivers/input/mouse/psmouse-base.c
25277 --- linux-2.6.35.4/drivers/input/mouse/psmouse-base.c 2010-08-26 19:47:12.000000000 -0400
25278 +++ linux-2.6.35.4/drivers/input/mouse/psmouse-base.c 2010-09-17 20:12:09.000000000 -0400
25279 @@ -1460,7 +1460,7 @@ static struct serio_device_id psmouse_se
25281 .extra = SERIO_ANY,
25287 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
25288 diff -urNp linux-2.6.35.4/drivers/input/mouse/synaptics.c linux-2.6.35.4/drivers/input/mouse/synaptics.c
25289 --- linux-2.6.35.4/drivers/input/mouse/synaptics.c 2010-08-26 19:47:12.000000000 -0400
25290 +++ linux-2.6.35.4/drivers/input/mouse/synaptics.c 2010-09-17 20:12:09.000000000 -0400
25291 @@ -476,7 +476,7 @@ static void synaptics_process_packet(str
25294 if (SYN_MODEL_PEN(priv->model_id))
25295 - ; /* Nothing, treat a pen as a single finger */
25296 + break; /* Nothing, treat a pen as a single finger */
25299 if (SYN_CAP_PALMDETECT(priv->capabilities))
25300 @@ -701,7 +701,6 @@ static const struct dmi_system_id __init
25301 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
25302 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
25307 /* Toshiba Portege M300 */
25308 @@ -710,9 +709,8 @@ static const struct dmi_system_id __init
25309 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
25310 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
25315 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25319 diff -urNp linux-2.6.35.4/drivers/input/mousedev.c linux-2.6.35.4/drivers/input/mousedev.c
25320 --- linux-2.6.35.4/drivers/input/mousedev.c 2010-08-26 19:47:12.000000000 -0400
25321 +++ linux-2.6.35.4/drivers/input/mousedev.c 2010-09-17 20:12:09.000000000 -0400
25322 @@ -754,7 +754,7 @@ static ssize_t mousedev_read(struct file
25324 spin_unlock_irq(&client->packet_lock);
25326 - if (copy_to_user(buffer, data, count))
25327 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
25331 @@ -1051,7 +1051,7 @@ static struct input_handler mousedev_han
25333 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
25334 static struct miscdevice psaux_mouse = {
25335 - PSMOUSE_MINOR, "psaux", &mousedev_fops
25336 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
25338 static int psaux_registered;
25340 diff -urNp linux-2.6.35.4/drivers/input/serio/i8042-x86ia64io.h linux-2.6.35.4/drivers/input/serio/i8042-x86ia64io.h
25341 --- linux-2.6.35.4/drivers/input/serio/i8042-x86ia64io.h 2010-08-26 19:47:12.000000000 -0400
25342 +++ linux-2.6.35.4/drivers/input/serio/i8042-x86ia64io.h 2010-09-17 20:12:09.000000000 -0400
25343 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
25344 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
25348 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25352 @@ -413,7 +413,7 @@ static const struct dmi_system_id __init
25353 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
25357 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25360 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
25361 @@ -487,7 +487,7 @@ static const struct dmi_system_id __init
25362 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
25366 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25370 @@ -506,7 +506,7 @@ static const struct dmi_system_id __init
25371 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
25375 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25378 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
25379 @@ -530,7 +530,7 @@ static const struct dmi_system_id __init
25380 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
25384 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25388 @@ -604,7 +604,7 @@ static const struct dmi_system_id __init
25389 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
25393 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25396 #endif /* CONFIG_X86 */
25397 diff -urNp linux-2.6.35.4/drivers/input/serio/serio_raw.c linux-2.6.35.4/drivers/input/serio/serio_raw.c
25398 --- linux-2.6.35.4/drivers/input/serio/serio_raw.c 2010-08-26 19:47:12.000000000 -0400
25399 +++ linux-2.6.35.4/drivers/input/serio/serio_raw.c 2010-09-17 20:12:09.000000000 -0400
25400 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
25402 .extra = SERIO_ANY,
25408 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
25409 diff -urNp linux-2.6.35.4/drivers/isdn/gigaset/common.c linux-2.6.35.4/drivers/isdn/gigaset/common.c
25410 --- linux-2.6.35.4/drivers/isdn/gigaset/common.c 2010-08-26 19:47:12.000000000 -0400
25411 +++ linux-2.6.35.4/drivers/isdn/gigaset/common.c 2010-09-17 20:12:09.000000000 -0400
25412 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
25413 cs->commands_pending = 0;
25414 cs->cur_at_seq = 0;
25416 - cs->open_count = 0;
25417 + atomic_set(&cs->open_count, 0);
25420 cs->tty_dev = NULL;
25421 diff -urNp linux-2.6.35.4/drivers/isdn/gigaset/gigaset.h linux-2.6.35.4/drivers/isdn/gigaset/gigaset.h
25422 --- linux-2.6.35.4/drivers/isdn/gigaset/gigaset.h 2010-08-26 19:47:12.000000000 -0400
25423 +++ linux-2.6.35.4/drivers/isdn/gigaset/gigaset.h 2010-09-17 20:12:09.000000000 -0400
25424 @@ -442,7 +442,7 @@ struct cardstate {
25425 spinlock_t cmdlock;
25426 unsigned curlen, cmdbytes;
25428 - unsigned open_count;
25429 + atomic_t open_count;
25430 struct tty_struct *tty;
25431 struct tasklet_struct if_wake_tasklet;
25432 unsigned control_state;
25433 diff -urNp linux-2.6.35.4/drivers/isdn/gigaset/interface.c linux-2.6.35.4/drivers/isdn/gigaset/interface.c
25434 --- linux-2.6.35.4/drivers/isdn/gigaset/interface.c 2010-08-26 19:47:12.000000000 -0400
25435 +++ linux-2.6.35.4/drivers/isdn/gigaset/interface.c 2010-09-17 20:12:09.000000000 -0400
25436 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
25437 return -ERESTARTSYS;
25438 tty->driver_data = cs;
25440 - ++cs->open_count;
25442 - if (cs->open_count == 1) {
25443 + if (atomic_inc_return(&cs->open_count) == 1) {
25444 spin_lock_irqsave(&cs->lock, flags);
25446 spin_unlock_irqrestore(&cs->lock, flags);
25447 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
25449 if (!cs->connected)
25450 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25451 - else if (!cs->open_count)
25452 + else if (!atomic_read(&cs->open_count))
25453 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25455 - if (!--cs->open_count) {
25456 + if (!atomic_dec_return(&cs->open_count)) {
25457 spin_lock_irqsave(&cs->lock, flags);
25459 spin_unlock_irqrestore(&cs->lock, flags);
25460 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
25461 if (!cs->connected) {
25462 gig_dbg(DEBUG_IF, "not connected");
25464 - } else if (!cs->open_count)
25465 + } else if (!atomic_read(&cs->open_count))
25466 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25469 @@ -355,7 +353,7 @@ static int if_write(struct tty_struct *t
25470 if (!cs->connected) {
25471 gig_dbg(DEBUG_IF, "not connected");
25473 - } else if (!cs->open_count)
25474 + } else if (!atomic_read(&cs->open_count))
25475 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25476 else if (cs->mstate != MS_LOCKED) {
25477 dev_warn(cs->dev, "can't write to unlocked device\n");
25478 @@ -389,7 +387,7 @@ static int if_write_room(struct tty_stru
25479 if (!cs->connected) {
25480 gig_dbg(DEBUG_IF, "not connected");
25482 - } else if (!cs->open_count)
25483 + } else if (!atomic_read(&cs->open_count))
25484 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25485 else if (cs->mstate != MS_LOCKED) {
25486 dev_warn(cs->dev, "can't write to unlocked device\n");
25487 @@ -419,7 +417,7 @@ static int if_chars_in_buffer(struct tty
25489 if (!cs->connected)
25490 gig_dbg(DEBUG_IF, "not connected");
25491 - else if (!cs->open_count)
25492 + else if (!atomic_read(&cs->open_count))
25493 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25494 else if (cs->mstate != MS_LOCKED)
25495 dev_warn(cs->dev, "can't write to unlocked device\n");
25496 @@ -447,7 +445,7 @@ static void if_throttle(struct tty_struc
25498 if (!cs->connected)
25499 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25500 - else if (!cs->open_count)
25501 + else if (!atomic_read(&cs->open_count))
25502 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25504 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25505 @@ -471,7 +469,7 @@ static void if_unthrottle(struct tty_str
25507 if (!cs->connected)
25508 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25509 - else if (!cs->open_count)
25510 + else if (!atomic_read(&cs->open_count))
25511 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25513 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25514 @@ -502,7 +500,7 @@ static void if_set_termios(struct tty_st
25518 - if (!cs->open_count) {
25519 + if (!atomic_read(&cs->open_count)) {
25520 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25523 diff -urNp linux-2.6.35.4/drivers/isdn/hardware/avm/b1.c linux-2.6.35.4/drivers/isdn/hardware/avm/b1.c
25524 --- linux-2.6.35.4/drivers/isdn/hardware/avm/b1.c 2010-08-26 19:47:12.000000000 -0400
25525 +++ linux-2.6.35.4/drivers/isdn/hardware/avm/b1.c 2010-09-17 20:12:37.000000000 -0400
25526 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
25529 if (t4file->user) {
25530 - if (copy_from_user(buf, dp, left))
25531 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
25534 memcpy(buf, dp, left);
25535 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
25538 if (config->user) {
25539 - if (copy_from_user(buf, dp, left))
25540 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
25543 memcpy(buf, dp, left);
25544 diff -urNp linux-2.6.35.4/drivers/isdn/icn/icn.c linux-2.6.35.4/drivers/isdn/icn/icn.c
25545 --- linux-2.6.35.4/drivers/isdn/icn/icn.c 2010-08-26 19:47:12.000000000 -0400
25546 +++ linux-2.6.35.4/drivers/isdn/icn/icn.c 2010-09-17 20:12:37.000000000 -0400
25547 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
25551 - if (copy_from_user(msg, buf, count))
25552 + if (count > sizeof(msg) || copy_from_user(msg, buf, count))
25555 memcpy(msg, buf, count);
25556 diff -urNp linux-2.6.35.4/drivers/lguest/core.c linux-2.6.35.4/drivers/lguest/core.c
25557 --- linux-2.6.35.4/drivers/lguest/core.c 2010-08-26 19:47:12.000000000 -0400
25558 +++ linux-2.6.35.4/drivers/lguest/core.c 2010-09-17 20:12:09.000000000 -0400
25559 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
25560 * it's worked so far. The end address needs +1 because __get_vm_area
25561 * allocates an extra guard page, so we need space for that.
25564 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25565 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25566 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
25567 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25569 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25570 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
25571 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25574 if (!switcher_vma) {
25576 printk("lguest: could not map switcher pages high\n");
25577 diff -urNp linux-2.6.35.4/drivers/macintosh/via-pmu-backlight.c linux-2.6.35.4/drivers/macintosh/via-pmu-backlight.c
25578 --- linux-2.6.35.4/drivers/macintosh/via-pmu-backlight.c 2010-08-26 19:47:12.000000000 -0400
25579 +++ linux-2.6.35.4/drivers/macintosh/via-pmu-backlight.c 2010-09-17 20:12:09.000000000 -0400
25582 #define MAX_PMU_LEVEL 0xFF
25584 -static struct backlight_ops pmu_backlight_data;
25585 +static const struct backlight_ops pmu_backlight_data;
25586 static DEFINE_SPINLOCK(pmu_backlight_lock);
25587 static int sleeping, uses_pmu_bl;
25588 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
25589 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
25590 return bd->props.brightness;
25593 -static struct backlight_ops pmu_backlight_data = {
25594 +static const struct backlight_ops pmu_backlight_data = {
25595 .get_brightness = pmu_backlight_get_brightness,
25596 .update_status = pmu_backlight_update_status,
25598 diff -urNp linux-2.6.35.4/drivers/macintosh/via-pmu.c linux-2.6.35.4/drivers/macintosh/via-pmu.c
25599 --- linux-2.6.35.4/drivers/macintosh/via-pmu.c 2010-08-26 19:47:12.000000000 -0400
25600 +++ linux-2.6.35.4/drivers/macintosh/via-pmu.c 2010-09-17 20:12:09.000000000 -0400
25601 @@ -2254,7 +2254,7 @@ static int pmu_sleep_valid(suspend_state
25602 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
25605 -static struct platform_suspend_ops pmu_pm_ops = {
25606 +static const struct platform_suspend_ops pmu_pm_ops = {
25607 .enter = powerbook_sleep,
25608 .valid = pmu_sleep_valid,
25610 diff -urNp linux-2.6.35.4/drivers/md/bitmap.c linux-2.6.35.4/drivers/md/bitmap.c
25611 --- linux-2.6.35.4/drivers/md/bitmap.c 2010-08-26 19:47:12.000000000 -0400
25612 +++ linux-2.6.35.4/drivers/md/bitmap.c 2010-09-17 20:12:09.000000000 -0400
25615 # define PRINTK(x...) printk(KERN_DEBUG x)
25617 -# define PRINTK(x...)
25618 +# define PRINTK(x...) do {} while (0)
25622 diff -urNp linux-2.6.35.4/drivers/md/dm-table.c linux-2.6.35.4/drivers/md/dm-table.c
25623 --- linux-2.6.35.4/drivers/md/dm-table.c 2010-08-26 19:47:12.000000000 -0400
25624 +++ linux-2.6.35.4/drivers/md/dm-table.c 2010-09-17 20:12:09.000000000 -0400
25625 @@ -363,7 +363,7 @@ static int device_area_is_invalid(struct
25629 - if ((start >= dev_size) || (start + len > dev_size)) {
25630 + if ((start >= dev_size) || (len > dev_size - start)) {
25631 DMWARN("%s: %s too small for target: "
25632 "start=%llu, len=%llu, dev_size=%llu",
25633 dm_device_name(ti->table->md), bdevname(bdev, b),
25634 diff -urNp linux-2.6.35.4/drivers/md/md.c linux-2.6.35.4/drivers/md/md.c
25635 --- linux-2.6.35.4/drivers/md/md.c 2010-08-26 19:47:12.000000000 -0400
25636 +++ linux-2.6.35.4/drivers/md/md.c 2010-09-17 20:12:09.000000000 -0400
25637 @@ -6352,7 +6352,7 @@ static int md_seq_show(struct seq_file *
25638 chunk_kb ? "KB" : "B");
25639 if (bitmap->file) {
25640 seq_printf(seq, ", file: ");
25641 - seq_path(seq, &bitmap->file->f_path, " \t\n");
25642 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
25645 seq_printf(seq, "\n");
25646 @@ -6446,7 +6446,7 @@ static int is_mddev_idle(mddev_t *mddev,
25647 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
25648 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
25649 (int)part_stat_read(&disk->part0, sectors[1]) -
25650 - atomic_read(&disk->sync_io);
25651 + atomic_read_unchecked(&disk->sync_io);
25652 /* sync IO will cause sync_io to increase before the disk_stats
25653 * as sync_io is counted when a request starts, and
25654 * disk_stats is counted when it completes.
25655 diff -urNp linux-2.6.35.4/drivers/md/md.h linux-2.6.35.4/drivers/md/md.h
25656 --- linux-2.6.35.4/drivers/md/md.h 2010-08-26 19:47:12.000000000 -0400
25657 +++ linux-2.6.35.4/drivers/md/md.h 2010-09-17 20:12:09.000000000 -0400
25658 @@ -334,7 +334,7 @@ static inline void rdev_dec_pending(mdk_
25660 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
25662 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25663 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25666 struct mdk_personality
25667 diff -urNp linux-2.6.35.4/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.35.4/drivers/media/dvb/dvb-core/dvbdev.c
25668 --- linux-2.6.35.4/drivers/media/dvb/dvb-core/dvbdev.c 2010-08-26 19:47:12.000000000 -0400
25669 +++ linux-2.6.35.4/drivers/media/dvb/dvb-core/dvbdev.c 2010-09-17 20:12:09.000000000 -0400
25670 @@ -196,6 +196,7 @@ int dvb_register_device(struct dvb_adapt
25671 const struct dvb_device *template, void *priv, int type)
25673 struct dvb_device *dvbdev;
25674 + /* cannot be const, see this function */
25675 struct file_operations *dvbdevfops;
25676 struct device *clsdev;
25678 diff -urNp linux-2.6.35.4/drivers/media/radio/radio-cadet.c linux-2.6.35.4/drivers/media/radio/radio-cadet.c
25679 --- linux-2.6.35.4/drivers/media/radio/radio-cadet.c 2010-08-26 19:47:12.000000000 -0400
25680 +++ linux-2.6.35.4/drivers/media/radio/radio-cadet.c 2010-09-17 20:12:37.000000000 -0400
25681 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
25682 while (i < count && dev->rdsin != dev->rdsout)
25683 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
25685 - if (copy_to_user(data, readbuf, i))
25686 + if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
25690 diff -urNp linux-2.6.35.4/drivers/message/fusion/mptbase.c linux-2.6.35.4/drivers/message/fusion/mptbase.c
25691 --- linux-2.6.35.4/drivers/message/fusion/mptbase.c 2010-08-26 19:47:12.000000000 -0400
25692 +++ linux-2.6.35.4/drivers/message/fusion/mptbase.c 2010-09-17 20:12:37.000000000 -0400
25693 @@ -6715,8 +6715,14 @@ procmpt_iocinfo_read(char *buf, char **s
25694 len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
25695 len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
25697 +#ifdef CONFIG_GRKERNSEC_HIDESYM
25698 + len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25701 len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25702 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
25706 * Rounding UP to nearest 4-kB boundary here...
25708 diff -urNp linux-2.6.35.4/drivers/message/fusion/mptdebug.h linux-2.6.35.4/drivers/message/fusion/mptdebug.h
25709 --- linux-2.6.35.4/drivers/message/fusion/mptdebug.h 2010-08-26 19:47:12.000000000 -0400
25710 +++ linux-2.6.35.4/drivers/message/fusion/mptdebug.h 2010-09-17 20:12:09.000000000 -0400
25715 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
25716 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
25720 diff -urNp linux-2.6.35.4/drivers/message/fusion/mptsas.c linux-2.6.35.4/drivers/message/fusion/mptsas.c
25721 --- linux-2.6.35.4/drivers/message/fusion/mptsas.c 2010-08-26 19:47:12.000000000 -0400
25722 +++ linux-2.6.35.4/drivers/message/fusion/mptsas.c 2010-09-17 20:12:09.000000000 -0400
25723 @@ -437,6 +437,23 @@ mptsas_is_end_device(struct mptsas_devin
25727 +static inline void
25728 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25730 + if (phy_info->port_details) {
25731 + phy_info->port_details->rphy = rphy;
25732 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25733 + ioc->name, rphy));
25737 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25738 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25739 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25740 + ioc->name, rphy, rphy->dev.release));
25746 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
25747 @@ -475,23 +492,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
25751 -static inline void
25752 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25754 - if (phy_info->port_details) {
25755 - phy_info->port_details->rphy = rphy;
25756 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25757 - ioc->name, rphy));
25761 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25762 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25763 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25764 - ioc->name, rphy, rphy->dev.release));
25768 static inline struct sas_port *
25769 mptsas_get_port(struct mptsas_phyinfo *phy_info)
25771 diff -urNp linux-2.6.35.4/drivers/message/i2o/i2o_proc.c linux-2.6.35.4/drivers/message/i2o/i2o_proc.c
25772 --- linux-2.6.35.4/drivers/message/i2o/i2o_proc.c 2010-08-26 19:47:12.000000000 -0400
25773 +++ linux-2.6.35.4/drivers/message/i2o/i2o_proc.c 2010-09-17 20:12:09.000000000 -0400
25774 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
25775 "Array Controller Device"
25778 -static char *chtostr(u8 * chars, int n)
25782 - return strncat(tmp, (char *)chars, n);
25785 static int i2o_report_query_status(struct seq_file *seq, int block_status,
25788 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
25790 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
25791 seq_printf(seq, "%-#8x", ddm_table.module_id);
25792 - seq_printf(seq, "%-29s",
25793 - chtostr(ddm_table.module_name_version, 28));
25794 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
25795 seq_printf(seq, "%9d ", ddm_table.data_size);
25796 seq_printf(seq, "%8d", ddm_table.code_size);
25798 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
25800 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
25801 seq_printf(seq, "%-#8x", dst->module_id);
25802 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
25803 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
25804 + seq_printf(seq, "%-.28s", dst->module_name_version);
25805 + seq_printf(seq, "%-.8s", dst->date);
25806 seq_printf(seq, "%8d ", dst->module_size);
25807 seq_printf(seq, "%8d ", dst->mpb_size);
25808 seq_printf(seq, "0x%04x", dst->module_flags);
25809 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
25810 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
25811 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
25812 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
25813 - seq_printf(seq, "Vendor info : %s\n",
25814 - chtostr((u8 *) (work32 + 2), 16));
25815 - seq_printf(seq, "Product info : %s\n",
25816 - chtostr((u8 *) (work32 + 6), 16));
25817 - seq_printf(seq, "Description : %s\n",
25818 - chtostr((u8 *) (work32 + 10), 16));
25819 - seq_printf(seq, "Product rev. : %s\n",
25820 - chtostr((u8 *) (work32 + 14), 8));
25821 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
25822 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
25823 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
25824 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
25826 seq_printf(seq, "Serial number : ");
25827 print_serial_number(seq, (u8 *) (work32 + 16),
25828 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
25831 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
25832 - seq_printf(seq, "Module name : %s\n",
25833 - chtostr(result.module_name, 24));
25834 - seq_printf(seq, "Module revision : %s\n",
25835 - chtostr(result.module_rev, 8));
25836 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
25837 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
25839 seq_printf(seq, "Serial number : ");
25840 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
25841 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
25845 - seq_printf(seq, "Device name : %s\n",
25846 - chtostr(result.device_name, 64));
25847 - seq_printf(seq, "Service name : %s\n",
25848 - chtostr(result.service_name, 64));
25849 - seq_printf(seq, "Physical name : %s\n",
25850 - chtostr(result.physical_location, 64));
25851 - seq_printf(seq, "Instance number : %s\n",
25852 - chtostr(result.instance_number, 4));
25853 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
25854 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
25855 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
25856 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
25860 diff -urNp linux-2.6.35.4/drivers/mfd/janz-cmodio.c linux-2.6.35.4/drivers/mfd/janz-cmodio.c
25861 --- linux-2.6.35.4/drivers/mfd/janz-cmodio.c 2010-08-26 19:47:12.000000000 -0400
25862 +++ linux-2.6.35.4/drivers/mfd/janz-cmodio.c 2010-09-17 20:12:09.000000000 -0400
25865 #include <linux/kernel.h>
25866 #include <linux/module.h>
25867 +#include <linux/slab.h>
25868 #include <linux/init.h>
25869 #include <linux/pci.h>
25870 #include <linux/interrupt.h>
25871 diff -urNp linux-2.6.35.4/drivers/misc/kgdbts.c linux-2.6.35.4/drivers/misc/kgdbts.c
25872 --- linux-2.6.35.4/drivers/misc/kgdbts.c 2010-08-26 19:47:12.000000000 -0400
25873 +++ linux-2.6.35.4/drivers/misc/kgdbts.c 2010-09-17 20:12:09.000000000 -0400
25874 @@ -118,7 +118,7 @@
25876 #define MAX_CONFIG_LEN 40
25878 -static struct kgdb_io kgdbts_io_ops;
25879 +static const struct kgdb_io kgdbts_io_ops;
25880 static char get_buf[BUFMAX];
25881 static int get_buf_cnt;
25882 static char put_buf[BUFMAX];
25883 @@ -1114,7 +1114,7 @@ static void kgdbts_post_exp_handler(void
25884 module_put(THIS_MODULE);
25887 -static struct kgdb_io kgdbts_io_ops = {
25888 +static const struct kgdb_io kgdbts_io_ops = {
25890 .read_char = kgdbts_get_char,
25891 .write_char = kgdbts_put_char,
25892 diff -urNp linux-2.6.35.4/drivers/misc/sgi-gru/gruhandles.c linux-2.6.35.4/drivers/misc/sgi-gru/gruhandles.c
25893 --- linux-2.6.35.4/drivers/misc/sgi-gru/gruhandles.c 2010-08-26 19:47:12.000000000 -0400
25894 +++ linux-2.6.35.4/drivers/misc/sgi-gru/gruhandles.c 2010-09-17 20:12:09.000000000 -0400
25895 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
25896 unsigned long nsec;
25898 nsec = CLKS2NSEC(clks);
25899 - atomic_long_inc(&mcs_op_statistics[op].count);
25900 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
25901 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
25902 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
25903 if (mcs_op_statistics[op].max < nsec)
25904 mcs_op_statistics[op].max = nsec;
25906 diff -urNp linux-2.6.35.4/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.35.4/drivers/misc/sgi-gru/gruprocfs.c
25907 --- linux-2.6.35.4/drivers/misc/sgi-gru/gruprocfs.c 2010-08-26 19:47:12.000000000 -0400
25908 +++ linux-2.6.35.4/drivers/misc/sgi-gru/gruprocfs.c 2010-09-17 20:12:09.000000000 -0400
25911 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
25913 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
25914 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
25916 - unsigned long val = atomic_long_read(v);
25917 + unsigned long val = atomic_long_read_unchecked(v);
25919 seq_printf(s, "%16lu %s\n", val, id);
25921 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
25923 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
25924 for (op = 0; op < mcsop_last; op++) {
25925 - count = atomic_long_read(&mcs_op_statistics[op].count);
25926 - total = atomic_long_read(&mcs_op_statistics[op].total);
25927 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
25928 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
25929 max = mcs_op_statistics[op].max;
25930 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
25931 count ? total / count : 0, max);
25932 diff -urNp linux-2.6.35.4/drivers/misc/sgi-gru/grutables.h linux-2.6.35.4/drivers/misc/sgi-gru/grutables.h
25933 --- linux-2.6.35.4/drivers/misc/sgi-gru/grutables.h 2010-08-26 19:47:12.000000000 -0400
25934 +++ linux-2.6.35.4/drivers/misc/sgi-gru/grutables.h 2010-09-17 20:12:09.000000000 -0400
25935 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
25938 struct gru_stats_s {
25939 - atomic_long_t vdata_alloc;
25940 - atomic_long_t vdata_free;
25941 - atomic_long_t gts_alloc;
25942 - atomic_long_t gts_free;
25943 - atomic_long_t gms_alloc;
25944 - atomic_long_t gms_free;
25945 - atomic_long_t gts_double_allocate;
25946 - atomic_long_t assign_context;
25947 - atomic_long_t assign_context_failed;
25948 - atomic_long_t free_context;
25949 - atomic_long_t load_user_context;
25950 - atomic_long_t load_kernel_context;
25951 - atomic_long_t lock_kernel_context;
25952 - atomic_long_t unlock_kernel_context;
25953 - atomic_long_t steal_user_context;
25954 - atomic_long_t steal_kernel_context;
25955 - atomic_long_t steal_context_failed;
25956 - atomic_long_t nopfn;
25957 - atomic_long_t asid_new;
25958 - atomic_long_t asid_next;
25959 - atomic_long_t asid_wrap;
25960 - atomic_long_t asid_reuse;
25961 - atomic_long_t intr;
25962 - atomic_long_t intr_cbr;
25963 - atomic_long_t intr_tfh;
25964 - atomic_long_t intr_spurious;
25965 - atomic_long_t intr_mm_lock_failed;
25966 - atomic_long_t call_os;
25967 - atomic_long_t call_os_wait_queue;
25968 - atomic_long_t user_flush_tlb;
25969 - atomic_long_t user_unload_context;
25970 - atomic_long_t user_exception;
25971 - atomic_long_t set_context_option;
25972 - atomic_long_t check_context_retarget_intr;
25973 - atomic_long_t check_context_unload;
25974 - atomic_long_t tlb_dropin;
25975 - atomic_long_t tlb_preload_page;
25976 - atomic_long_t tlb_dropin_fail_no_asid;
25977 - atomic_long_t tlb_dropin_fail_upm;
25978 - atomic_long_t tlb_dropin_fail_invalid;
25979 - atomic_long_t tlb_dropin_fail_range_active;
25980 - atomic_long_t tlb_dropin_fail_idle;
25981 - atomic_long_t tlb_dropin_fail_fmm;
25982 - atomic_long_t tlb_dropin_fail_no_exception;
25983 - atomic_long_t tfh_stale_on_fault;
25984 - atomic_long_t mmu_invalidate_range;
25985 - atomic_long_t mmu_invalidate_page;
25986 - atomic_long_t flush_tlb;
25987 - atomic_long_t flush_tlb_gru;
25988 - atomic_long_t flush_tlb_gru_tgh;
25989 - atomic_long_t flush_tlb_gru_zero_asid;
25991 - atomic_long_t copy_gpa;
25992 - atomic_long_t read_gpa;
25994 - atomic_long_t mesq_receive;
25995 - atomic_long_t mesq_receive_none;
25996 - atomic_long_t mesq_send;
25997 - atomic_long_t mesq_send_failed;
25998 - atomic_long_t mesq_noop;
25999 - atomic_long_t mesq_send_unexpected_error;
26000 - atomic_long_t mesq_send_lb_overflow;
26001 - atomic_long_t mesq_send_qlimit_reached;
26002 - atomic_long_t mesq_send_amo_nacked;
26003 - atomic_long_t mesq_send_put_nacked;
26004 - atomic_long_t mesq_page_overflow;
26005 - atomic_long_t mesq_qf_locked;
26006 - atomic_long_t mesq_qf_noop_not_full;
26007 - atomic_long_t mesq_qf_switch_head_failed;
26008 - atomic_long_t mesq_qf_unexpected_error;
26009 - atomic_long_t mesq_noop_unexpected_error;
26010 - atomic_long_t mesq_noop_lb_overflow;
26011 - atomic_long_t mesq_noop_qlimit_reached;
26012 - atomic_long_t mesq_noop_amo_nacked;
26013 - atomic_long_t mesq_noop_put_nacked;
26014 - atomic_long_t mesq_noop_page_overflow;
26015 + atomic_long_unchecked_t vdata_alloc;
26016 + atomic_long_unchecked_t vdata_free;
26017 + atomic_long_unchecked_t gts_alloc;
26018 + atomic_long_unchecked_t gts_free;
26019 + atomic_long_unchecked_t gms_alloc;
26020 + atomic_long_unchecked_t gms_free;
26021 + atomic_long_unchecked_t gts_double_allocate;
26022 + atomic_long_unchecked_t assign_context;
26023 + atomic_long_unchecked_t assign_context_failed;
26024 + atomic_long_unchecked_t free_context;
26025 + atomic_long_unchecked_t load_user_context;
26026 + atomic_long_unchecked_t load_kernel_context;
26027 + atomic_long_unchecked_t lock_kernel_context;
26028 + atomic_long_unchecked_t unlock_kernel_context;
26029 + atomic_long_unchecked_t steal_user_context;
26030 + atomic_long_unchecked_t steal_kernel_context;
26031 + atomic_long_unchecked_t steal_context_failed;
26032 + atomic_long_unchecked_t nopfn;
26033 + atomic_long_unchecked_t asid_new;
26034 + atomic_long_unchecked_t asid_next;
26035 + atomic_long_unchecked_t asid_wrap;
26036 + atomic_long_unchecked_t asid_reuse;
26037 + atomic_long_unchecked_t intr;
26038 + atomic_long_unchecked_t intr_cbr;
26039 + atomic_long_unchecked_t intr_tfh;
26040 + atomic_long_unchecked_t intr_spurious;
26041 + atomic_long_unchecked_t intr_mm_lock_failed;
26042 + atomic_long_unchecked_t call_os;
26043 + atomic_long_unchecked_t call_os_wait_queue;
26044 + atomic_long_unchecked_t user_flush_tlb;
26045 + atomic_long_unchecked_t user_unload_context;
26046 + atomic_long_unchecked_t user_exception;
26047 + atomic_long_unchecked_t set_context_option;
26048 + atomic_long_unchecked_t check_context_retarget_intr;
26049 + atomic_long_unchecked_t check_context_unload;
26050 + atomic_long_unchecked_t tlb_dropin;
26051 + atomic_long_unchecked_t tlb_preload_page;
26052 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26053 + atomic_long_unchecked_t tlb_dropin_fail_upm;
26054 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
26055 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
26056 + atomic_long_unchecked_t tlb_dropin_fail_idle;
26057 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
26058 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26059 + atomic_long_unchecked_t tfh_stale_on_fault;
26060 + atomic_long_unchecked_t mmu_invalidate_range;
26061 + atomic_long_unchecked_t mmu_invalidate_page;
26062 + atomic_long_unchecked_t flush_tlb;
26063 + atomic_long_unchecked_t flush_tlb_gru;
26064 + atomic_long_unchecked_t flush_tlb_gru_tgh;
26065 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
26067 + atomic_long_unchecked_t copy_gpa;
26068 + atomic_long_unchecked_t read_gpa;
26070 + atomic_long_unchecked_t mesq_receive;
26071 + atomic_long_unchecked_t mesq_receive_none;
26072 + atomic_long_unchecked_t mesq_send;
26073 + atomic_long_unchecked_t mesq_send_failed;
26074 + atomic_long_unchecked_t mesq_noop;
26075 + atomic_long_unchecked_t mesq_send_unexpected_error;
26076 + atomic_long_unchecked_t mesq_send_lb_overflow;
26077 + atomic_long_unchecked_t mesq_send_qlimit_reached;
26078 + atomic_long_unchecked_t mesq_send_amo_nacked;
26079 + atomic_long_unchecked_t mesq_send_put_nacked;
26080 + atomic_long_unchecked_t mesq_page_overflow;
26081 + atomic_long_unchecked_t mesq_qf_locked;
26082 + atomic_long_unchecked_t mesq_qf_noop_not_full;
26083 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
26084 + atomic_long_unchecked_t mesq_qf_unexpected_error;
26085 + atomic_long_unchecked_t mesq_noop_unexpected_error;
26086 + atomic_long_unchecked_t mesq_noop_lb_overflow;
26087 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
26088 + atomic_long_unchecked_t mesq_noop_amo_nacked;
26089 + atomic_long_unchecked_t mesq_noop_put_nacked;
26090 + atomic_long_unchecked_t mesq_noop_page_overflow;
26094 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
26095 tghop_invalidate, mcsop_last};
26097 struct mcs_op_statistic {
26098 - atomic_long_t count;
26099 - atomic_long_t total;
26100 + atomic_long_unchecked_t count;
26101 + atomic_long_unchecked_t total;
26105 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
26107 #define STAT(id) do { \
26108 if (gru_options & OPT_STATS) \
26109 - atomic_long_inc(&gru_stats.id); \
26110 + atomic_long_inc_unchecked(&gru_stats.id); \
26113 #ifdef CONFIG_SGI_GRU_DEBUG
26114 diff -urNp linux-2.6.35.4/drivers/mtd/devices/doc2000.c linux-2.6.35.4/drivers/mtd/devices/doc2000.c
26115 --- linux-2.6.35.4/drivers/mtd/devices/doc2000.c 2010-08-26 19:47:12.000000000 -0400
26116 +++ linux-2.6.35.4/drivers/mtd/devices/doc2000.c 2010-09-17 20:12:09.000000000 -0400
26117 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
26119 /* The ECC will not be calculated correctly if less than 512 is written */
26121 - if (len != 0x200 && eccbuf)
26122 + if (len != 0x200)
26123 printk(KERN_WARNING
26124 "ECC needs a full sector write (adr: %lx size %lx)\n",
26125 (long) to, (long) len);
26126 diff -urNp linux-2.6.35.4/drivers/mtd/devices/doc2001.c linux-2.6.35.4/drivers/mtd/devices/doc2001.c
26127 --- linux-2.6.35.4/drivers/mtd/devices/doc2001.c 2010-08-26 19:47:12.000000000 -0400
26128 +++ linux-2.6.35.4/drivers/mtd/devices/doc2001.c 2010-09-17 20:12:09.000000000 -0400
26129 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
26130 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
26132 /* Don't allow read past end of device */
26133 - if (from >= this->totlen)
26134 + if (from >= this->totlen || !len)
26137 /* Don't allow a single read to cross a 512-byte block boundary */
26138 diff -urNp linux-2.6.35.4/drivers/mtd/nand/denali.c linux-2.6.35.4/drivers/mtd/nand/denali.c
26139 --- linux-2.6.35.4/drivers/mtd/nand/denali.c 2010-08-26 19:47:12.000000000 -0400
26140 +++ linux-2.6.35.4/drivers/mtd/nand/denali.c 2010-09-17 20:12:09.000000000 -0400
26142 #include <linux/pci.h>
26143 #include <linux/mtd/mtd.h>
26144 #include <linux/module.h>
26145 +#include <linux/slab.h>
26147 #include "denali.h"
26149 diff -urNp linux-2.6.35.4/drivers/mtd/ubi/build.c linux-2.6.35.4/drivers/mtd/ubi/build.c
26150 --- linux-2.6.35.4/drivers/mtd/ubi/build.c 2010-08-26 19:47:12.000000000 -0400
26151 +++ linux-2.6.35.4/drivers/mtd/ubi/build.c 2010-09-17 20:12:09.000000000 -0400
26152 @@ -1282,7 +1282,7 @@ module_exit(ubi_exit);
26153 static int __init bytes_str_to_int(const char *str)
26156 - unsigned long result;
26157 + unsigned long result, scale = 1;
26159 result = simple_strtoul(str, &endp, 0);
26160 if (str == endp || result >= INT_MAX) {
26161 @@ -1293,11 +1293,11 @@ static int __init bytes_str_to_int(const
26173 if (endp[1] == 'i' && endp[2] == 'B')
26176 @@ -1308,7 +1308,13 @@ static int __init bytes_str_to_int(const
26181 + if ((intoverflow_t)result*scale >= INT_MAX) {
26182 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
26187 + return result*scale;
26191 diff -urNp linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c
26192 --- linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c 2010-08-26 19:47:12.000000000 -0400
26193 +++ linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c 2010-09-17 20:12:37.000000000 -0400
26194 @@ -2296,6 +2296,8 @@ static int cxgb_extension_ioctl(struct n
26195 case CHELSIO_GET_QSET_NUM:{
26196 struct ch_reg edata;
26198 + memset(&edata, 0, sizeof(edata));
26200 edata.cmd = CHELSIO_GET_QSET_NUM;
26201 edata.val = pi->nqsets;
26202 if (copy_to_user(useraddr, &edata, sizeof(edata)))
26203 diff -urNp linux-2.6.35.4/drivers/net/e1000e/82571.c linux-2.6.35.4/drivers/net/e1000e/82571.c
26204 --- linux-2.6.35.4/drivers/net/e1000e/82571.c 2010-08-26 19:47:12.000000000 -0400
26205 +++ linux-2.6.35.4/drivers/net/e1000e/82571.c 2010-09-17 20:12:09.000000000 -0400
26206 @@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_82571(s
26208 struct e1000_hw *hw = &adapter->hw;
26209 struct e1000_mac_info *mac = &hw->mac;
26210 + /* cannot be const */
26211 struct e1000_mac_operations *func = &mac->ops;
26214 @@ -1703,7 +1704,7 @@ static void e1000_clear_hw_cntrs_82571(s
26218 -static struct e1000_mac_operations e82571_mac_ops = {
26219 +static const struct e1000_mac_operations e82571_mac_ops = {
26220 /* .check_mng_mode: mac type dependent */
26221 /* .check_for_link: media type dependent */
26222 .id_led_init = e1000e_id_led_init,
26223 @@ -1725,7 +1726,7 @@ static struct e1000_mac_operations e8257
26224 .read_mac_addr = e1000_read_mac_addr_82571,
26227 -static struct e1000_phy_operations e82_phy_ops_igp = {
26228 +static const struct e1000_phy_operations e82_phy_ops_igp = {
26229 .acquire = e1000_get_hw_semaphore_82571,
26230 .check_polarity = e1000_check_polarity_igp,
26231 .check_reset_block = e1000e_check_reset_block_generic,
26232 @@ -1743,7 +1744,7 @@ static struct e1000_phy_operations e82_p
26233 .cfg_on_link_up = NULL,
26236 -static struct e1000_phy_operations e82_phy_ops_m88 = {
26237 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
26238 .acquire = e1000_get_hw_semaphore_82571,
26239 .check_polarity = e1000_check_polarity_m88,
26240 .check_reset_block = e1000e_check_reset_block_generic,
26241 @@ -1761,7 +1762,7 @@ static struct e1000_phy_operations e82_p
26242 .cfg_on_link_up = NULL,
26245 -static struct e1000_phy_operations e82_phy_ops_bm = {
26246 +static const struct e1000_phy_operations e82_phy_ops_bm = {
26247 .acquire = e1000_get_hw_semaphore_82571,
26248 .check_polarity = e1000_check_polarity_m88,
26249 .check_reset_block = e1000e_check_reset_block_generic,
26250 @@ -1779,7 +1780,7 @@ static struct e1000_phy_operations e82_p
26251 .cfg_on_link_up = NULL,
26254 -static struct e1000_nvm_operations e82571_nvm_ops = {
26255 +static const struct e1000_nvm_operations e82571_nvm_ops = {
26256 .acquire = e1000_acquire_nvm_82571,
26257 .read = e1000e_read_nvm_eerd,
26258 .release = e1000_release_nvm_82571,
26259 diff -urNp linux-2.6.35.4/drivers/net/e1000e/e1000.h linux-2.6.35.4/drivers/net/e1000e/e1000.h
26260 --- linux-2.6.35.4/drivers/net/e1000e/e1000.h 2010-08-26 19:47:12.000000000 -0400
26261 +++ linux-2.6.35.4/drivers/net/e1000e/e1000.h 2010-09-17 20:12:09.000000000 -0400
26262 @@ -377,9 +377,9 @@ struct e1000_info {
26264 u32 max_hw_frame_size;
26265 s32 (*get_variants)(struct e1000_adapter *);
26266 - struct e1000_mac_operations *mac_ops;
26267 - struct e1000_phy_operations *phy_ops;
26268 - struct e1000_nvm_operations *nvm_ops;
26269 + const struct e1000_mac_operations *mac_ops;
26270 + const struct e1000_phy_operations *phy_ops;
26271 + const struct e1000_nvm_operations *nvm_ops;
26274 /* hardware capability, feature, and workaround flags */
26275 diff -urNp linux-2.6.35.4/drivers/net/e1000e/es2lan.c linux-2.6.35.4/drivers/net/e1000e/es2lan.c
26276 --- linux-2.6.35.4/drivers/net/e1000e/es2lan.c 2010-08-26 19:47:12.000000000 -0400
26277 +++ linux-2.6.35.4/drivers/net/e1000e/es2lan.c 2010-09-17 20:12:09.000000000 -0400
26278 @@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
26280 struct e1000_hw *hw = &adapter->hw;
26281 struct e1000_mac_info *mac = &hw->mac;
26282 + /* cannot be const */
26283 struct e1000_mac_operations *func = &mac->ops;
26285 /* Set media type */
26286 @@ -1431,7 +1432,7 @@ static void e1000_clear_hw_cntrs_80003es
26290 -static struct e1000_mac_operations es2_mac_ops = {
26291 +static const struct e1000_mac_operations es2_mac_ops = {
26292 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
26293 .id_led_init = e1000e_id_led_init,
26294 .check_mng_mode = e1000e_check_mng_mode_generic,
26295 @@ -1453,7 +1454,7 @@ static struct e1000_mac_operations es2_m
26296 .setup_led = e1000e_setup_led_generic,
26299 -static struct e1000_phy_operations es2_phy_ops = {
26300 +static const struct e1000_phy_operations es2_phy_ops = {
26301 .acquire = e1000_acquire_phy_80003es2lan,
26302 .check_polarity = e1000_check_polarity_m88,
26303 .check_reset_block = e1000e_check_reset_block_generic,
26304 @@ -1471,7 +1472,7 @@ static struct e1000_phy_operations es2_p
26305 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
26308 -static struct e1000_nvm_operations es2_nvm_ops = {
26309 +static const struct e1000_nvm_operations es2_nvm_ops = {
26310 .acquire = e1000_acquire_nvm_80003es2lan,
26311 .read = e1000e_read_nvm_eerd,
26312 .release = e1000_release_nvm_80003es2lan,
26313 diff -urNp linux-2.6.35.4/drivers/net/e1000e/hw.h linux-2.6.35.4/drivers/net/e1000e/hw.h
26314 --- linux-2.6.35.4/drivers/net/e1000e/hw.h 2010-08-26 19:47:12.000000000 -0400
26315 +++ linux-2.6.35.4/drivers/net/e1000e/hw.h 2010-09-17 20:12:09.000000000 -0400
26316 @@ -791,13 +791,13 @@ struct e1000_phy_operations {
26318 /* Function pointers for the NVM. */
26319 struct e1000_nvm_operations {
26320 - s32 (*acquire)(struct e1000_hw *);
26321 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26322 - void (*release)(struct e1000_hw *);
26323 - s32 (*update)(struct e1000_hw *);
26324 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
26325 - s32 (*validate)(struct e1000_hw *);
26326 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26327 + s32 (* const acquire)(struct e1000_hw *);
26328 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26329 + void (* const release)(struct e1000_hw *);
26330 + s32 (* const update)(struct e1000_hw *);
26331 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
26332 + s32 (* const validate)(struct e1000_hw *);
26333 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26336 struct e1000_mac_info {
26337 @@ -877,6 +877,7 @@ struct e1000_phy_info {
26340 struct e1000_nvm_info {
26341 + /* cannot be const */
26342 struct e1000_nvm_operations ops;
26344 enum e1000_nvm_type type;
26345 diff -urNp linux-2.6.35.4/drivers/net/e1000e/ich8lan.c linux-2.6.35.4/drivers/net/e1000e/ich8lan.c
26346 --- linux-2.6.35.4/drivers/net/e1000e/ich8lan.c 2010-08-26 19:47:12.000000000 -0400
26347 +++ linux-2.6.35.4/drivers/net/e1000e/ich8lan.c 2010-09-17 20:12:09.000000000 -0400
26348 @@ -3388,7 +3388,7 @@ static void e1000_clear_hw_cntrs_ich8lan
26352 -static struct e1000_mac_operations ich8_mac_ops = {
26353 +static const struct e1000_mac_operations ich8_mac_ops = {
26354 .id_led_init = e1000e_id_led_init,
26355 .check_mng_mode = e1000_check_mng_mode_ich8lan,
26356 .check_for_link = e1000_check_for_copper_link_ich8lan,
26357 @@ -3407,7 +3407,7 @@ static struct e1000_mac_operations ich8_
26358 /* id_led_init dependent on mac type */
26361 -static struct e1000_phy_operations ich8_phy_ops = {
26362 +static const struct e1000_phy_operations ich8_phy_ops = {
26363 .acquire = e1000_acquire_swflag_ich8lan,
26364 .check_reset_block = e1000_check_reset_block_ich8lan,
26366 @@ -3421,7 +3421,7 @@ static struct e1000_phy_operations ich8_
26367 .write_reg = e1000e_write_phy_reg_igp,
26370 -static struct e1000_nvm_operations ich8_nvm_ops = {
26371 +static const struct e1000_nvm_operations ich8_nvm_ops = {
26372 .acquire = e1000_acquire_nvm_ich8lan,
26373 .read = e1000_read_nvm_ich8lan,
26374 .release = e1000_release_nvm_ich8lan,
26375 diff -urNp linux-2.6.35.4/drivers/net/eql.c linux-2.6.35.4/drivers/net/eql.c
26376 --- linux-2.6.35.4/drivers/net/eql.c 2010-08-26 19:47:12.000000000 -0400
26377 +++ linux-2.6.35.4/drivers/net/eql.c 2010-09-17 20:12:37.000000000 -0400
26378 @@ -555,6 +555,8 @@ static int eql_g_master_cfg(struct net_d
26380 master_config_t mc;
26382 + memset(&mc, 0, sizeof(mc));
26384 if (eql_is_master(dev)) {
26385 eql = netdev_priv(dev);
26386 mc.max_slaves = eql->max_slaves;
26387 diff -urNp linux-2.6.35.4/drivers/net/igb/e1000_82575.c linux-2.6.35.4/drivers/net/igb/e1000_82575.c
26388 --- linux-2.6.35.4/drivers/net/igb/e1000_82575.c 2010-08-26 19:47:12.000000000 -0400
26389 +++ linux-2.6.35.4/drivers/net/igb/e1000_82575.c 2010-09-17 20:12:09.000000000 -0400
26390 @@ -1597,7 +1597,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
26394 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
26395 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
26396 .init_hw = igb_init_hw_82575,
26397 .check_for_link = igb_check_for_link_82575,
26398 .rar_set = igb_rar_set,
26399 @@ -1605,13 +1605,13 @@ static struct e1000_mac_operations e1000
26400 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
26403 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
26404 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
26405 .acquire = igb_acquire_phy_82575,
26406 .get_cfg_done = igb_get_cfg_done_82575,
26407 .release = igb_release_phy_82575,
26410 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26411 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26412 .acquire = igb_acquire_nvm_82575,
26413 .read = igb_read_nvm_eerd,
26414 .release = igb_release_nvm_82575,
26415 diff -urNp linux-2.6.35.4/drivers/net/igb/e1000_hw.h linux-2.6.35.4/drivers/net/igb/e1000_hw.h
26416 --- linux-2.6.35.4/drivers/net/igb/e1000_hw.h 2010-08-26 19:47:12.000000000 -0400
26417 +++ linux-2.6.35.4/drivers/net/igb/e1000_hw.h 2010-09-17 20:12:09.000000000 -0400
26418 @@ -323,17 +323,17 @@ struct e1000_phy_operations {
26421 struct e1000_nvm_operations {
26422 - s32 (*acquire)(struct e1000_hw *);
26423 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26424 - void (*release)(struct e1000_hw *);
26425 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26426 + s32 (* const acquire)(struct e1000_hw *);
26427 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26428 + void (* const release)(struct e1000_hw *);
26429 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26432 struct e1000_info {
26433 s32 (*get_invariants)(struct e1000_hw *);
26434 - struct e1000_mac_operations *mac_ops;
26435 - struct e1000_phy_operations *phy_ops;
26436 - struct e1000_nvm_operations *nvm_ops;
26437 + const struct e1000_mac_operations *mac_ops;
26438 + const struct e1000_phy_operations *phy_ops;
26439 + const struct e1000_nvm_operations *nvm_ops;
26442 extern const struct e1000_info e1000_82575_info;
26443 @@ -412,6 +412,7 @@ struct e1000_phy_info {
26446 struct e1000_nvm_info {
26447 + /* cannot be const */
26448 struct e1000_nvm_operations ops;
26450 enum e1000_nvm_type type;
26451 diff -urNp linux-2.6.35.4/drivers/net/irda/vlsi_ir.c linux-2.6.35.4/drivers/net/irda/vlsi_ir.c
26452 --- linux-2.6.35.4/drivers/net/irda/vlsi_ir.c 2010-08-26 19:47:12.000000000 -0400
26453 +++ linux-2.6.35.4/drivers/net/irda/vlsi_ir.c 2010-09-17 20:12:09.000000000 -0400
26454 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
26455 /* no race - tx-ring already empty */
26456 vlsi_set_baud(idev, iobase);
26457 netif_wake_queue(ndev);
26462 /* keep the speed change pending like it would
26463 * for any len>0 packet. tx completion interrupt
26464 * will apply it when the tx ring becomes empty.
26467 spin_unlock_irqrestore(&idev->lock, flags);
26468 dev_kfree_skb_any(skb);
26469 return NETDEV_TX_OK;
26470 diff -urNp linux-2.6.35.4/drivers/net/pcnet32.c linux-2.6.35.4/drivers/net/pcnet32.c
26471 --- linux-2.6.35.4/drivers/net/pcnet32.c 2010-08-26 19:47:12.000000000 -0400
26472 +++ linux-2.6.35.4/drivers/net/pcnet32.c 2010-09-17 20:12:09.000000000 -0400
26473 @@ -82,7 +82,7 @@ static int cards_found;
26475 * VLB I/O addresses
26477 -static unsigned int pcnet32_portlist[] __initdata =
26478 +static unsigned int pcnet32_portlist[] __devinitdata =
26479 { 0x300, 0x320, 0x340, 0x360, 0 };
26481 static int pcnet32_debug;
26482 diff -urNp linux-2.6.35.4/drivers/net/ppp_generic.c linux-2.6.35.4/drivers/net/ppp_generic.c
26483 --- linux-2.6.35.4/drivers/net/ppp_generic.c 2010-08-26 19:47:12.000000000 -0400
26484 +++ linux-2.6.35.4/drivers/net/ppp_generic.c 2010-09-17 20:12:09.000000000 -0400
26485 @@ -992,7 +992,6 @@ ppp_net_ioctl(struct net_device *dev, st
26486 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
26487 struct ppp_stats stats;
26488 struct ppp_comp_stats cstats;
26492 case SIOCGPPPSTATS:
26493 @@ -1014,8 +1013,7 @@ ppp_net_ioctl(struct net_device *dev, st
26497 - vers = PPP_VERSION;
26498 - if (copy_to_user(addr, vers, strlen(vers) + 1))
26499 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
26503 diff -urNp linux-2.6.35.4/drivers/net/tg3.c linux-2.6.35.4/drivers/net/tg3.c
26504 --- linux-2.6.35.4/drivers/net/tg3.c 2010-08-26 19:47:12.000000000 -0400
26505 +++ linux-2.6.35.4/drivers/net/tg3.c 2010-09-17 20:12:09.000000000 -0400
26506 @@ -12410,7 +12410,7 @@ static void __devinit tg3_read_vpd(struc
26507 cnt = pci_read_vpd(tp->pdev, pos,
26508 TG3_NVM_VPD_LEN - pos,
26510 - if (cnt == -ETIMEDOUT || -EINTR)
26511 + if (cnt == -ETIMEDOUT || cnt == -EINTR)
26514 goto out_not_found;
26515 diff -urNp linux-2.6.35.4/drivers/net/tg3.h linux-2.6.35.4/drivers/net/tg3.h
26516 --- linux-2.6.35.4/drivers/net/tg3.h 2010-08-26 19:47:12.000000000 -0400
26517 +++ linux-2.6.35.4/drivers/net/tg3.h 2010-09-17 20:12:09.000000000 -0400
26518 @@ -130,6 +130,7 @@
26519 #define CHIPREV_ID_5750_A0 0x4000
26520 #define CHIPREV_ID_5750_A1 0x4001
26521 #define CHIPREV_ID_5750_A3 0x4003
26522 +#define CHIPREV_ID_5750_C1 0x4201
26523 #define CHIPREV_ID_5750_C2 0x4202
26524 #define CHIPREV_ID_5752_A0_HW 0x5000
26525 #define CHIPREV_ID_5752_A0 0x6000
26526 diff -urNp linux-2.6.35.4/drivers/net/tulip/de4x5.c linux-2.6.35.4/drivers/net/tulip/de4x5.c
26527 --- linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-08-26 19:47:12.000000000 -0400
26528 +++ linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-09-17 20:12:37.000000000 -0400
26529 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
26530 for (i=0; i<ETH_ALEN; i++) {
26531 tmp.addr[i] = dev->dev_addr[i];
26533 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26534 + if (ioc->len > sizeof(tmp.addr) || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26537 case DE4X5_SET_HWADDR: /* Set the hardware address */
26538 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
26539 spin_lock_irqsave(&lp->lock, flags);
26540 memcpy(&statbuf, &lp->pktStats, ioc->len);
26541 spin_unlock_irqrestore(&lp->lock, flags);
26542 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
26543 + if (ioc->len > sizeof(statbuf) || copy_to_user(ioc->data, &statbuf, ioc->len))
26547 @@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
26548 tmp.lval[6] = inl(DE4X5_STRR); j+=4;
26549 tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
26551 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26552 + if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
26555 #define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
26556 diff -urNp linux-2.6.35.4/drivers/net/usb/hso.c linux-2.6.35.4/drivers/net/usb/hso.c
26557 --- linux-2.6.35.4/drivers/net/usb/hso.c 2010-08-26 19:47:12.000000000 -0400
26558 +++ linux-2.6.35.4/drivers/net/usb/hso.c 2010-09-17 20:12:37.000000000 -0400
26559 @@ -258,7 +258,7 @@ struct hso_serial {
26561 /* from usb_serial_port */
26562 struct tty_struct *tty;
26564 + atomic_t open_count;
26565 spinlock_t serial_lock;
26567 int (*write_data) (struct hso_serial *serial);
26568 @@ -1201,7 +1201,7 @@ static void put_rxbuf_data_and_resubmit_
26571 urb = serial->rx_urb[0];
26572 - if (serial->open_count > 0) {
26573 + if (atomic_read(&serial->open_count) > 0) {
26574 count = put_rxbuf_data(urb, serial);
26577 @@ -1237,7 +1237,7 @@ static void hso_std_serial_read_bulk_cal
26578 DUMP1(urb->transfer_buffer, urb->actual_length);
26580 /* Anyone listening? */
26581 - if (serial->open_count == 0)
26582 + if (atomic_read(&serial->open_count) == 0)
26586 @@ -1332,8 +1332,7 @@ static int hso_serial_open(struct tty_st
26587 spin_unlock_irq(&serial->serial_lock);
26589 /* check for port already opened, if not set the termios */
26590 - serial->open_count++;
26591 - if (serial->open_count == 1) {
26592 + if (atomic_inc_return(&serial->open_count) == 1) {
26593 serial->rx_state = RX_IDLE;
26594 /* Force default termio settings */
26595 _hso_serial_set_termios(tty, NULL);
26596 @@ -1345,7 +1344,7 @@ static int hso_serial_open(struct tty_st
26597 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
26599 hso_stop_serial_device(serial->parent);
26600 - serial->open_count--;
26601 + atomic_dec(&serial->open_count);
26602 kref_put(&serial->parent->ref, hso_serial_ref_free);
26605 @@ -1382,10 +1381,10 @@ static void hso_serial_close(struct tty_
26607 /* reset the rts and dtr */
26608 /* do the actual close */
26609 - serial->open_count--;
26610 + atomic_dec(&serial->open_count);
26612 - if (serial->open_count <= 0) {
26613 - serial->open_count = 0;
26614 + if (atomic_read(&serial->open_count) <= 0) {
26615 + atomic_set(&serial->open_count, 0);
26616 spin_lock_irq(&serial->serial_lock);
26617 if (serial->tty == tty) {
26618 serial->tty->driver_data = NULL;
26619 @@ -1467,7 +1466,7 @@ static void hso_serial_set_termios(struc
26621 /* the actual setup */
26622 spin_lock_irqsave(&serial->serial_lock, flags);
26623 - if (serial->open_count)
26624 + if (atomic_read(&serial->open_count))
26625 _hso_serial_set_termios(tty, old);
26627 tty->termios = old;
26628 @@ -1655,6 +1654,9 @@ static int hso_get_count(struct hso_seri
26633 + memset(&icount, 0, sizeof(icount));
26635 spin_lock_irq(&serial->serial_lock);
26636 memcpy(&cnow, &tiocmget->icount, sizeof(struct uart_icount));
26637 spin_unlock_irq(&serial->serial_lock);
26638 @@ -1929,7 +1931,7 @@ static void intr_callback(struct urb *ur
26639 D1("Pending read interrupt on port %d\n", i);
26640 spin_lock(&serial->serial_lock);
26641 if (serial->rx_state == RX_IDLE &&
26642 - serial->open_count > 0) {
26643 + atomic_read(&serial->open_count) > 0) {
26644 /* Setup and send a ctrl req read on
26646 if (!serial->rx_urb_filled[0]) {
26647 @@ -3119,7 +3121,7 @@ static int hso_resume(struct usb_interfa
26648 /* Start all serial ports */
26649 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
26650 if (serial_table[i] && (serial_table[i]->interface == iface)) {
26651 - if (dev2ser(serial_table[i])->open_count) {
26652 + if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
26654 hso_start_serial_device(serial_table[i], GFP_NOIO);
26655 hso_kick_transmit(dev2ser(serial_table[i]));
26656 diff -urNp linux-2.6.35.4/drivers/net/wireless/b43/debugfs.c linux-2.6.35.4/drivers/net/wireless/b43/debugfs.c
26657 --- linux-2.6.35.4/drivers/net/wireless/b43/debugfs.c 2010-08-26 19:47:12.000000000 -0400
26658 +++ linux-2.6.35.4/drivers/net/wireless/b43/debugfs.c 2010-09-17 20:12:09.000000000 -0400
26659 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
26660 struct b43_debugfs_fops {
26661 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
26662 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
26663 - struct file_operations fops;
26664 + const struct file_operations fops;
26665 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
26666 size_t file_struct_offset;
26668 diff -urNp linux-2.6.35.4/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.35.4/drivers/net/wireless/b43legacy/debugfs.c
26669 --- linux-2.6.35.4/drivers/net/wireless/b43legacy/debugfs.c 2010-08-26 19:47:12.000000000 -0400
26670 +++ linux-2.6.35.4/drivers/net/wireless/b43legacy/debugfs.c 2010-09-17 20:12:09.000000000 -0400
26671 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
26672 struct b43legacy_debugfs_fops {
26673 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
26674 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
26675 - struct file_operations fops;
26676 + const struct file_operations fops;
26677 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
26678 size_t file_struct_offset;
26679 /* Take wl->irq_lock before calling read/write? */
26680 diff -urNp linux-2.6.35.4/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.35.4/drivers/net/wireless/iwlwifi/iwl-debug.h
26681 --- linux-2.6.35.4/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-08-26 19:47:12.000000000 -0400
26682 +++ linux-2.6.35.4/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-09-17 20:12:09.000000000 -0400
26683 @@ -68,8 +68,8 @@ do {
26687 -#define IWL_DEBUG(__priv, level, fmt, args...)
26688 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
26689 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
26690 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
26691 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
26694 diff -urNp linux-2.6.35.4/drivers/net/wireless/libertas/debugfs.c linux-2.6.35.4/drivers/net/wireless/libertas/debugfs.c
26695 --- linux-2.6.35.4/drivers/net/wireless/libertas/debugfs.c 2010-08-26 19:47:12.000000000 -0400
26696 +++ linux-2.6.35.4/drivers/net/wireless/libertas/debugfs.c 2010-09-17 20:12:09.000000000 -0400
26697 @@ -718,7 +718,7 @@ out_unlock:
26698 struct lbs_debugfs_files {
26701 - struct file_operations fops;
26702 + const struct file_operations fops;
26705 static const struct lbs_debugfs_files debugfs_files[] = {
26706 diff -urNp linux-2.6.35.4/drivers/net/wireless/rndis_wlan.c linux-2.6.35.4/drivers/net/wireless/rndis_wlan.c
26707 --- linux-2.6.35.4/drivers/net/wireless/rndis_wlan.c 2010-08-26 19:47:12.000000000 -0400
26708 +++ linux-2.6.35.4/drivers/net/wireless/rndis_wlan.c 2010-09-17 20:12:09.000000000 -0400
26709 @@ -1235,7 +1235,7 @@ static int set_rts_threshold(struct usbn
26711 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
26713 - if (rts_threshold < 0 || rts_threshold > 2347)
26714 + if (rts_threshold > 2347)
26715 rts_threshold = 2347;
26717 tmp = cpu_to_le32(rts_threshold);
26718 diff -urNp linux-2.6.35.4/drivers/oprofile/buffer_sync.c linux-2.6.35.4/drivers/oprofile/buffer_sync.c
26719 --- linux-2.6.35.4/drivers/oprofile/buffer_sync.c 2010-08-26 19:47:12.000000000 -0400
26720 +++ linux-2.6.35.4/drivers/oprofile/buffer_sync.c 2010-09-17 20:12:09.000000000 -0400
26721 @@ -341,7 +341,7 @@ static void add_data(struct op_entry *en
26722 if (cookie == NO_COOKIE)
26724 if (cookie == INVALID_COOKIE) {
26725 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26726 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26729 if (cookie != last_cookie) {
26730 @@ -385,14 +385,14 @@ add_sample(struct mm_struct *mm, struct
26731 /* add userspace sample */
26734 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
26735 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
26739 cookie = lookup_dcookie(mm, s->eip, &offset);
26741 if (cookie == INVALID_COOKIE) {
26742 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26743 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26747 @@ -561,7 +561,7 @@ void sync_buffer(int cpu)
26748 /* ignore backtraces if failed to add a sample */
26749 if (state == sb_bt_start) {
26750 state = sb_bt_ignore;
26751 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
26752 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
26756 diff -urNp linux-2.6.35.4/drivers/oprofile/event_buffer.c linux-2.6.35.4/drivers/oprofile/event_buffer.c
26757 --- linux-2.6.35.4/drivers/oprofile/event_buffer.c 2010-08-26 19:47:12.000000000 -0400
26758 +++ linux-2.6.35.4/drivers/oprofile/event_buffer.c 2010-09-17 20:12:09.000000000 -0400
26759 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
26762 if (buffer_pos == buffer_size) {
26763 - atomic_inc(&oprofile_stats.event_lost_overflow);
26764 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
26768 diff -urNp linux-2.6.35.4/drivers/oprofile/oprof.c linux-2.6.35.4/drivers/oprofile/oprof.c
26769 --- linux-2.6.35.4/drivers/oprofile/oprof.c 2010-08-26 19:47:12.000000000 -0400
26770 +++ linux-2.6.35.4/drivers/oprofile/oprof.c 2010-09-17 20:12:09.000000000 -0400
26771 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
26772 if (oprofile_ops.switch_events())
26775 - atomic_inc(&oprofile_stats.multiplex_counter);
26776 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
26777 start_switch_worker();
26780 diff -urNp linux-2.6.35.4/drivers/oprofile/oprofilefs.c linux-2.6.35.4/drivers/oprofile/oprofilefs.c
26781 --- linux-2.6.35.4/drivers/oprofile/oprofilefs.c 2010-08-26 19:47:12.000000000 -0400
26782 +++ linux-2.6.35.4/drivers/oprofile/oprofilefs.c 2010-09-17 20:12:09.000000000 -0400
26783 @@ -187,7 +187,7 @@ static const struct file_operations atom
26786 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
26787 - char const *name, atomic_t *val)
26788 + char const *name, atomic_unchecked_t *val)
26790 struct dentry *d = __oprofilefs_create_file(sb, root, name,
26791 &atomic_ro_fops, 0444);
26792 diff -urNp linux-2.6.35.4/drivers/oprofile/oprofile_stats.c linux-2.6.35.4/drivers/oprofile/oprofile_stats.c
26793 --- linux-2.6.35.4/drivers/oprofile/oprofile_stats.c 2010-08-26 19:47:12.000000000 -0400
26794 +++ linux-2.6.35.4/drivers/oprofile/oprofile_stats.c 2010-09-17 20:12:09.000000000 -0400
26795 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
26796 cpu_buf->sample_invalid_eip = 0;
26799 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
26800 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
26801 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
26802 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
26803 - atomic_set(&oprofile_stats.multiplex_counter, 0);
26804 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
26805 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
26806 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
26807 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
26808 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
26812 diff -urNp linux-2.6.35.4/drivers/oprofile/oprofile_stats.h linux-2.6.35.4/drivers/oprofile/oprofile_stats.h
26813 --- linux-2.6.35.4/drivers/oprofile/oprofile_stats.h 2010-08-26 19:47:12.000000000 -0400
26814 +++ linux-2.6.35.4/drivers/oprofile/oprofile_stats.h 2010-09-17 20:12:09.000000000 -0400
26815 @@ -13,11 +13,11 @@
26816 #include <asm/atomic.h>
26818 struct oprofile_stat_struct {
26819 - atomic_t sample_lost_no_mm;
26820 - atomic_t sample_lost_no_mapping;
26821 - atomic_t bt_lost_no_mapping;
26822 - atomic_t event_lost_overflow;
26823 - atomic_t multiplex_counter;
26824 + atomic_unchecked_t sample_lost_no_mm;
26825 + atomic_unchecked_t sample_lost_no_mapping;
26826 + atomic_unchecked_t bt_lost_no_mapping;
26827 + atomic_unchecked_t event_lost_overflow;
26828 + atomic_unchecked_t multiplex_counter;
26831 extern struct oprofile_stat_struct oprofile_stats;
26832 diff -urNp linux-2.6.35.4/drivers/parport/procfs.c linux-2.6.35.4/drivers/parport/procfs.c
26833 --- linux-2.6.35.4/drivers/parport/procfs.c 2010-08-26 19:47:12.000000000 -0400
26834 +++ linux-2.6.35.4/drivers/parport/procfs.c 2010-09-17 20:12:37.000000000 -0400
26835 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
26839 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
26840 + return (len > sizeof(buffer) || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
26843 #ifdef CONFIG_PARPORT_1284
26844 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
26848 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
26849 + return (len > sizeof(buffer) || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
26851 #endif /* IEEE1284.3 support. */
26853 diff -urNp linux-2.6.35.4/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.35.4/drivers/pci/hotplug/acpiphp_glue.c
26854 --- linux-2.6.35.4/drivers/pci/hotplug/acpiphp_glue.c 2010-08-26 19:47:12.000000000 -0400
26855 +++ linux-2.6.35.4/drivers/pci/hotplug/acpiphp_glue.c 2010-09-17 20:12:09.000000000 -0400
26856 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
26860 -static struct acpi_dock_ops acpiphp_dock_ops = {
26861 +static const struct acpi_dock_ops acpiphp_dock_ops = {
26862 .handler = handle_hotplug_event_func,
26865 diff -urNp linux-2.6.35.4/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.35.4/drivers/pci/hotplug/cpqphp_nvram.c
26866 --- linux-2.6.35.4/drivers/pci/hotplug/cpqphp_nvram.c 2010-08-26 19:47:12.000000000 -0400
26867 +++ linux-2.6.35.4/drivers/pci/hotplug/cpqphp_nvram.c 2010-09-17 20:12:09.000000000 -0400
26868 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
26870 void compaq_nvram_init (void __iomem *rom_start)
26873 +#ifndef CONFIG_PAX_KERNEXEC
26875 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
26879 dbg("int15 entry = %p\n", compaq_int15_entry_point);
26881 /* initialize our int15 lock */
26882 diff -urNp linux-2.6.35.4/drivers/pci/intel-iommu.c linux-2.6.35.4/drivers/pci/intel-iommu.c
26883 --- linux-2.6.35.4/drivers/pci/intel-iommu.c 2010-08-26 19:47:12.000000000 -0400
26884 +++ linux-2.6.35.4/drivers/pci/intel-iommu.c 2010-09-17 20:12:09.000000000 -0400
26885 @@ -2938,7 +2938,7 @@ static int intel_mapping_error(struct de
26889 -struct dma_map_ops intel_dma_ops = {
26890 +const struct dma_map_ops intel_dma_ops = {
26891 .alloc_coherent = intel_alloc_coherent,
26892 .free_coherent = intel_free_coherent,
26893 .map_sg = intel_map_sg,
26894 diff -urNp linux-2.6.35.4/drivers/pci/pcie/portdrv_pci.c linux-2.6.35.4/drivers/pci/pcie/portdrv_pci.c
26895 --- linux-2.6.35.4/drivers/pci/pcie/portdrv_pci.c 2010-08-26 19:47:12.000000000 -0400
26896 +++ linux-2.6.35.4/drivers/pci/pcie/portdrv_pci.c 2010-09-17 20:12:09.000000000 -0400
26897 @@ -250,7 +250,7 @@ static void pcie_portdrv_err_resume(stru
26898 static const struct pci_device_id port_pci_ids[] = { {
26899 /* handle any PCI-Express port */
26900 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
26901 - }, { /* end: all zeroes */ }
26902 + }, { 0, 0, 0, 0, 0, 0, 0 }
26904 MODULE_DEVICE_TABLE(pci, port_pci_ids);
26906 diff -urNp linux-2.6.35.4/drivers/pci/probe.c linux-2.6.35.4/drivers/pci/probe.c
26907 --- linux-2.6.35.4/drivers/pci/probe.c 2010-08-26 19:47:12.000000000 -0400
26908 +++ linux-2.6.35.4/drivers/pci/probe.c 2010-09-17 20:12:09.000000000 -0400
26909 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
26913 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
26914 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
26915 struct device_attribute *attr,
26918 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
26921 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
26922 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
26923 struct device_attribute *attr,
26926 diff -urNp linux-2.6.35.4/drivers/pci/proc.c linux-2.6.35.4/drivers/pci/proc.c
26927 --- linux-2.6.35.4/drivers/pci/proc.c 2010-08-26 19:47:12.000000000 -0400
26928 +++ linux-2.6.35.4/drivers/pci/proc.c 2010-09-17 20:12:37.000000000 -0400
26929 @@ -481,7 +481,16 @@ static const struct file_operations proc
26930 static int __init pci_proc_init(void)
26932 struct pci_dev *dev = NULL;
26934 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
26935 +#ifdef CONFIG_GRKERNSEC_PROC_USER
26936 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
26937 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
26938 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
26941 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
26943 proc_create("devices", 0, proc_bus_pci_dir,
26944 &proc_bus_pci_dev_operations);
26945 proc_initialized = 1;
26946 diff -urNp linux-2.6.35.4/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.35.4/drivers/pcmcia/pcmcia_ioctl.c
26947 --- linux-2.6.35.4/drivers/pcmcia/pcmcia_ioctl.c 2010-08-26 19:47:12.000000000 -0400
26948 +++ linux-2.6.35.4/drivers/pcmcia/pcmcia_ioctl.c 2010-09-17 20:12:09.000000000 -0400
26949 @@ -850,7 +850,7 @@ static int ds_ioctl(struct file *file, u
26953 - buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
26954 + buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
26958 diff -urNp linux-2.6.35.4/drivers/pcmcia/ti113x.h linux-2.6.35.4/drivers/pcmcia/ti113x.h
26959 --- linux-2.6.35.4/drivers/pcmcia/ti113x.h 2010-08-26 19:47:12.000000000 -0400
26960 +++ linux-2.6.35.4/drivers/pcmcia/ti113x.h 2010-09-17 20:12:09.000000000 -0400
26961 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
26962 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
26963 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
26966 + { 0, 0, 0, 0, 0, 0, 0 }
26969 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
26970 diff -urNp linux-2.6.35.4/drivers/pcmcia/yenta_socket.c linux-2.6.35.4/drivers/pcmcia/yenta_socket.c
26971 --- linux-2.6.35.4/drivers/pcmcia/yenta_socket.c 2010-08-26 19:47:12.000000000 -0400
26972 +++ linux-2.6.35.4/drivers/pcmcia/yenta_socket.c 2010-09-17 20:12:09.000000000 -0400
26973 @@ -1428,7 +1428,7 @@ static struct pci_device_id yenta_table[
26975 /* match any cardbus bridge */
26976 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
26977 - { /* all zeroes */ }
26978 + { 0, 0, 0, 0, 0, 0, 0 }
26980 MODULE_DEVICE_TABLE(pci, yenta_table);
26982 diff -urNp linux-2.6.35.4/drivers/platform/x86/acer-wmi.c linux-2.6.35.4/drivers/platform/x86/acer-wmi.c
26983 --- linux-2.6.35.4/drivers/platform/x86/acer-wmi.c 2010-08-26 19:47:12.000000000 -0400
26984 +++ linux-2.6.35.4/drivers/platform/x86/acer-wmi.c 2010-09-17 20:12:09.000000000 -0400
26985 @@ -916,7 +916,7 @@ static int update_bl_status(struct backl
26989 -static struct backlight_ops acer_bl_ops = {
26990 +static const struct backlight_ops acer_bl_ops = {
26991 .get_brightness = read_brightness,
26992 .update_status = update_bl_status,
26994 diff -urNp linux-2.6.35.4/drivers/platform/x86/asus_acpi.c linux-2.6.35.4/drivers/platform/x86/asus_acpi.c
26995 --- linux-2.6.35.4/drivers/platform/x86/asus_acpi.c 2010-08-26 19:47:12.000000000 -0400
26996 +++ linux-2.6.35.4/drivers/platform/x86/asus_acpi.c 2010-09-17 20:12:09.000000000 -0400
26997 @@ -1464,7 +1464,7 @@ static int asus_hotk_remove(struct acpi_
27001 -static struct backlight_ops asus_backlight_data = {
27002 +static const struct backlight_ops asus_backlight_data = {
27003 .get_brightness = read_brightness,
27004 .update_status = set_brightness_status,
27006 diff -urNp linux-2.6.35.4/drivers/platform/x86/asus-laptop.c linux-2.6.35.4/drivers/platform/x86/asus-laptop.c
27007 --- linux-2.6.35.4/drivers/platform/x86/asus-laptop.c 2010-08-26 19:47:12.000000000 -0400
27008 +++ linux-2.6.35.4/drivers/platform/x86/asus-laptop.c 2010-09-17 20:12:09.000000000 -0400
27009 @@ -224,7 +224,6 @@ struct asus_laptop {
27010 struct asus_led gled;
27011 struct asus_led kled;
27012 struct workqueue_struct *led_workqueue;
27014 int wireless_status;
27017 @@ -621,7 +620,7 @@ static int update_bl_status(struct backl
27018 return asus_lcd_set(asus, value);
27021 -static struct backlight_ops asusbl_ops = {
27022 +static const struct backlight_ops asusbl_ops = {
27023 .get_brightness = asus_read_brightness,
27024 .update_status = update_bl_status,
27026 diff -urNp linux-2.6.35.4/drivers/platform/x86/compal-laptop.c linux-2.6.35.4/drivers/platform/x86/compal-laptop.c
27027 --- linux-2.6.35.4/drivers/platform/x86/compal-laptop.c 2010-08-26 19:47:12.000000000 -0400
27028 +++ linux-2.6.35.4/drivers/platform/x86/compal-laptop.c 2010-09-17 20:12:09.000000000 -0400
27029 @@ -168,7 +168,7 @@ static int bl_update_status(struct backl
27030 return set_lcd_level(b->props.brightness);
27033 -static struct backlight_ops compalbl_ops = {
27034 +static const struct backlight_ops compalbl_ops = {
27035 .get_brightness = bl_get_brightness,
27036 .update_status = bl_update_status,
27038 diff -urNp linux-2.6.35.4/drivers/platform/x86/dell-laptop.c linux-2.6.35.4/drivers/platform/x86/dell-laptop.c
27039 --- linux-2.6.35.4/drivers/platform/x86/dell-laptop.c 2010-08-26 19:47:12.000000000 -0400
27040 +++ linux-2.6.35.4/drivers/platform/x86/dell-laptop.c 2010-09-17 20:12:09.000000000 -0400
27041 @@ -469,7 +469,7 @@ out:
27042 return buffer->output[1];
27045 -static struct backlight_ops dell_ops = {
27046 +static const struct backlight_ops dell_ops = {
27047 .get_brightness = dell_get_intensity,
27048 .update_status = dell_send_intensity,
27050 diff -urNp linux-2.6.35.4/drivers/platform/x86/eeepc-laptop.c linux-2.6.35.4/drivers/platform/x86/eeepc-laptop.c
27051 --- linux-2.6.35.4/drivers/platform/x86/eeepc-laptop.c 2010-08-26 19:47:12.000000000 -0400
27052 +++ linux-2.6.35.4/drivers/platform/x86/eeepc-laptop.c 2010-09-17 20:12:09.000000000 -0400
27053 @@ -1114,7 +1114,7 @@ static int update_bl_status(struct backl
27054 return set_brightness(bd, bd->props.brightness);
27057 -static struct backlight_ops eeepcbl_ops = {
27058 +static const struct backlight_ops eeepcbl_ops = {
27059 .get_brightness = read_brightness,
27060 .update_status = update_bl_status,
27062 diff -urNp linux-2.6.35.4/drivers/platform/x86/fujitsu-laptop.c linux-2.6.35.4/drivers/platform/x86/fujitsu-laptop.c
27063 --- linux-2.6.35.4/drivers/platform/x86/fujitsu-laptop.c 2010-08-26 19:47:12.000000000 -0400
27064 +++ linux-2.6.35.4/drivers/platform/x86/fujitsu-laptop.c 2010-09-17 20:12:09.000000000 -0400
27065 @@ -437,7 +437,7 @@ static int bl_update_status(struct backl
27069 -static struct backlight_ops fujitsubl_ops = {
27070 +static const struct backlight_ops fujitsubl_ops = {
27071 .get_brightness = bl_get_brightness,
27072 .update_status = bl_update_status,
27074 diff -urNp linux-2.6.35.4/drivers/platform/x86/sony-laptop.c linux-2.6.35.4/drivers/platform/x86/sony-laptop.c
27075 --- linux-2.6.35.4/drivers/platform/x86/sony-laptop.c 2010-08-26 19:47:12.000000000 -0400
27076 +++ linux-2.6.35.4/drivers/platform/x86/sony-laptop.c 2010-09-17 20:12:09.000000000 -0400
27077 @@ -857,7 +857,7 @@ static int sony_backlight_get_brightness
27080 static struct backlight_device *sony_backlight_device;
27081 -static struct backlight_ops sony_backlight_ops = {
27082 +static const struct backlight_ops sony_backlight_ops = {
27083 .update_status = sony_backlight_update_status,
27084 .get_brightness = sony_backlight_get_brightness,
27086 diff -urNp linux-2.6.35.4/drivers/platform/x86/thinkpad_acpi.c linux-2.6.35.4/drivers/platform/x86/thinkpad_acpi.c
27087 --- linux-2.6.35.4/drivers/platform/x86/thinkpad_acpi.c 2010-08-26 19:47:12.000000000 -0400
27088 +++ linux-2.6.35.4/drivers/platform/x86/thinkpad_acpi.c 2010-09-17 20:12:09.000000000 -0400
27089 @@ -6142,7 +6142,7 @@ static void tpacpi_brightness_notify_cha
27090 BACKLIGHT_UPDATE_HOTKEY);
27093 -static struct backlight_ops ibm_backlight_data = {
27094 +static const struct backlight_ops ibm_backlight_data = {
27095 .get_brightness = brightness_get,
27096 .update_status = brightness_update_status,
27098 diff -urNp linux-2.6.35.4/drivers/platform/x86/toshiba_acpi.c linux-2.6.35.4/drivers/platform/x86/toshiba_acpi.c
27099 --- linux-2.6.35.4/drivers/platform/x86/toshiba_acpi.c 2010-08-26 19:47:12.000000000 -0400
27100 +++ linux-2.6.35.4/drivers/platform/x86/toshiba_acpi.c 2010-09-17 20:12:09.000000000 -0400
27101 @@ -741,7 +741,7 @@ static acpi_status remove_device(void)
27105 -static struct backlight_ops toshiba_backlight_data = {
27106 +static const struct backlight_ops toshiba_backlight_data = {
27107 .get_brightness = get_lcd,
27108 .update_status = set_lcd_status,
27110 diff -urNp linux-2.6.35.4/drivers/pnp/pnpbios/bioscalls.c linux-2.6.35.4/drivers/pnp/pnpbios/bioscalls.c
27111 --- linux-2.6.35.4/drivers/pnp/pnpbios/bioscalls.c 2010-08-26 19:47:12.000000000 -0400
27112 +++ linux-2.6.35.4/drivers/pnp/pnpbios/bioscalls.c 2010-09-17 20:12:09.000000000 -0400
27113 @@ -59,7 +59,7 @@ do { \
27114 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
27117 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27118 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27119 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
27122 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
27125 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27127 + pax_open_kernel();
27128 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
27129 + pax_close_kernel();
27131 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
27132 spin_lock_irqsave(&pnp_bios_lock, flags);
27133 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
27135 spin_unlock_irqrestore(&pnp_bios_lock, flags);
27137 + pax_open_kernel();
27138 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
27139 + pax_close_kernel();
27143 /* If we get here and this is set then the PnP BIOS faulted on us. */
27144 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
27148 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
27149 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27153 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
27154 pnp_bios_callpoint.offset = header->fields.pm16offset;
27155 pnp_bios_callpoint.segment = PNP_CS16;
27157 + pax_open_kernel();
27159 for_each_possible_cpu(i) {
27160 struct desc_struct *gdt = get_cpu_gdt_table(i);
27162 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
27163 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
27164 (unsigned long)__va(header->fields.pm16dseg));
27167 + pax_close_kernel();
27169 diff -urNp linux-2.6.35.4/drivers/pnp/quirks.c linux-2.6.35.4/drivers/pnp/quirks.c
27170 --- linux-2.6.35.4/drivers/pnp/quirks.c 2010-08-26 19:47:12.000000000 -0400
27171 +++ linux-2.6.35.4/drivers/pnp/quirks.c 2010-09-17 20:12:09.000000000 -0400
27172 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
27173 /* PnP resources that might overlap PCI BARs */
27174 {"PNP0c01", quirk_system_pci_resources},
27175 {"PNP0c02", quirk_system_pci_resources},
27180 void pnp_fixup_device(struct pnp_dev *dev)
27181 diff -urNp linux-2.6.35.4/drivers/pnp/resource.c linux-2.6.35.4/drivers/pnp/resource.c
27182 --- linux-2.6.35.4/drivers/pnp/resource.c 2010-08-26 19:47:12.000000000 -0400
27183 +++ linux-2.6.35.4/drivers/pnp/resource.c 2010-09-17 20:12:09.000000000 -0400
27184 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
27187 /* check if the resource is valid */
27188 - if (*irq < 0 || *irq > 15)
27192 /* check if the resource is reserved */
27193 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
27196 /* check if the resource is valid */
27197 - if (*dma < 0 || *dma == 4 || *dma > 7)
27198 + if (*dma == 4 || *dma > 7)
27201 /* check if the resource is reserved */
27202 diff -urNp linux-2.6.35.4/drivers/s390/cio/qdio_debug.c linux-2.6.35.4/drivers/s390/cio/qdio_debug.c
27203 --- linux-2.6.35.4/drivers/s390/cio/qdio_debug.c 2010-08-26 19:47:12.000000000 -0400
27204 +++ linux-2.6.35.4/drivers/s390/cio/qdio_debug.c 2010-09-17 20:12:09.000000000 -0400
27205 @@ -233,7 +233,7 @@ static int qperf_seq_open(struct inode *
27206 filp->f_path.dentry->d_inode->i_private);
27209 -static struct file_operations debugfs_perf_fops = {
27210 +static const struct file_operations debugfs_perf_fops = {
27211 .owner = THIS_MODULE,
27212 .open = qperf_seq_open,
27214 diff -urNp linux-2.6.35.4/drivers/scsi/ipr.c linux-2.6.35.4/drivers/scsi/ipr.c
27215 --- linux-2.6.35.4/drivers/scsi/ipr.c 2010-08-26 19:47:12.000000000 -0400
27216 +++ linux-2.6.35.4/drivers/scsi/ipr.c 2010-09-17 20:12:09.000000000 -0400
27217 @@ -6091,7 +6091,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
27221 -static struct ata_port_operations ipr_sata_ops = {
27222 +static const struct ata_port_operations ipr_sata_ops = {
27223 .phy_reset = ipr_ata_phy_reset,
27224 .hardreset = ipr_sata_reset,
27225 .post_internal_cmd = ipr_ata_post_internal,
27226 diff -urNp linux-2.6.35.4/drivers/scsi/libfc/fc_exch.c linux-2.6.35.4/drivers/scsi/libfc/fc_exch.c
27227 --- linux-2.6.35.4/drivers/scsi/libfc/fc_exch.c 2010-08-26 19:47:12.000000000 -0400
27228 +++ linux-2.6.35.4/drivers/scsi/libfc/fc_exch.c 2010-09-17 20:12:09.000000000 -0400
27229 @@ -100,12 +100,12 @@ struct fc_exch_mgr {
27230 * all together if not used XXX
27233 - atomic_t no_free_exch;
27234 - atomic_t no_free_exch_xid;
27235 - atomic_t xid_not_found;
27236 - atomic_t xid_busy;
27237 - atomic_t seq_not_found;
27238 - atomic_t non_bls_resp;
27239 + atomic_unchecked_t no_free_exch;
27240 + atomic_unchecked_t no_free_exch_xid;
27241 + atomic_unchecked_t xid_not_found;
27242 + atomic_unchecked_t xid_busy;
27243 + atomic_unchecked_t seq_not_found;
27244 + atomic_unchecked_t non_bls_resp;
27247 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
27248 @@ -671,7 +671,7 @@ static struct fc_exch *fc_exch_em_alloc(
27249 /* allocate memory for exchange */
27250 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
27252 - atomic_inc(&mp->stats.no_free_exch);
27253 + atomic_inc_unchecked(&mp->stats.no_free_exch);
27256 memset(ep, 0, sizeof(*ep));
27257 @@ -719,7 +719,7 @@ out:
27260 spin_unlock_bh(&pool->lock);
27261 - atomic_inc(&mp->stats.no_free_exch_xid);
27262 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
27263 mempool_free(ep, mp->ep_pool);
27266 @@ -864,7 +864,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27267 xid = ntohs(fh->fh_ox_id); /* we originated exch */
27268 ep = fc_exch_find(mp, xid);
27270 - atomic_inc(&mp->stats.xid_not_found);
27271 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27272 reject = FC_RJT_OX_ID;
27275 @@ -894,7 +894,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27276 ep = fc_exch_find(mp, xid);
27277 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
27279 - atomic_inc(&mp->stats.xid_busy);
27280 + atomic_inc_unchecked(&mp->stats.xid_busy);
27281 reject = FC_RJT_RX_ID;
27284 @@ -905,7 +905,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27286 xid = ep->xid; /* get our XID */
27288 - atomic_inc(&mp->stats.xid_not_found);
27289 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27290 reject = FC_RJT_RX_ID; /* XID not found */
27293 @@ -922,7 +922,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27296 if (sp->id != fh->fh_seq_id) {
27297 - atomic_inc(&mp->stats.seq_not_found);
27298 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27299 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
27302 @@ -1303,22 +1303,22 @@ static void fc_exch_recv_seq_resp(struct
27304 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
27306 - atomic_inc(&mp->stats.xid_not_found);
27307 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27310 if (ep->esb_stat & ESB_ST_COMPLETE) {
27311 - atomic_inc(&mp->stats.xid_not_found);
27312 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27315 if (ep->rxid == FC_XID_UNKNOWN)
27316 ep->rxid = ntohs(fh->fh_rx_id);
27317 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
27318 - atomic_inc(&mp->stats.xid_not_found);
27319 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27322 if (ep->did != ntoh24(fh->fh_s_id) &&
27323 ep->did != FC_FID_FLOGI) {
27324 - atomic_inc(&mp->stats.xid_not_found);
27325 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27329 @@ -1327,7 +1327,7 @@ static void fc_exch_recv_seq_resp(struct
27330 sp->ssb_stat |= SSB_ST_RESP;
27331 sp->id = fh->fh_seq_id;
27332 } else if (sp->id != fh->fh_seq_id) {
27333 - atomic_inc(&mp->stats.seq_not_found);
27334 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27338 @@ -1390,9 +1390,9 @@ static void fc_exch_recv_resp(struct fc_
27339 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
27342 - atomic_inc(&mp->stats.xid_not_found);
27343 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27345 - atomic_inc(&mp->stats.non_bls_resp);
27346 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
27350 diff -urNp linux-2.6.35.4/drivers/scsi/libsas/sas_ata.c linux-2.6.35.4/drivers/scsi/libsas/sas_ata.c
27351 --- linux-2.6.35.4/drivers/scsi/libsas/sas_ata.c 2010-08-26 19:47:12.000000000 -0400
27352 +++ linux-2.6.35.4/drivers/scsi/libsas/sas_ata.c 2010-09-17 20:12:09.000000000 -0400
27353 @@ -344,7 +344,7 @@ static int sas_ata_scr_read(struct ata_l
27357 -static struct ata_port_operations sas_sata_ops = {
27358 +static const struct ata_port_operations sas_sata_ops = {
27359 .phy_reset = sas_ata_phy_reset,
27360 .post_internal_cmd = sas_ata_post_internal,
27361 .qc_prep = ata_noop_qc_prep,
27362 diff -urNp linux-2.6.35.4/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.35.4/drivers/scsi/mpt2sas/mpt2sas_debug.h
27363 --- linux-2.6.35.4/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-08-26 19:47:12.000000000 -0400
27364 +++ linux-2.6.35.4/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-09-17 20:12:09.000000000 -0400
27369 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
27370 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
27371 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
27374 diff -urNp linux-2.6.35.4/drivers/scsi/qla2xxx/qla_os.c linux-2.6.35.4/drivers/scsi/qla2xxx/qla_os.c
27375 --- linux-2.6.35.4/drivers/scsi/qla2xxx/qla_os.c 2010-08-26 19:47:12.000000000 -0400
27376 +++ linux-2.6.35.4/drivers/scsi/qla2xxx/qla_os.c 2010-09-17 20:12:09.000000000 -0400
27377 @@ -3899,7 +3899,7 @@ static struct pci_driver qla2xxx_pci_dri
27378 .err_handler = &qla2xxx_err_handler,
27381 -static struct file_operations apidev_fops = {
27382 +static const struct file_operations apidev_fops = {
27383 .owner = THIS_MODULE,
27386 diff -urNp linux-2.6.35.4/drivers/scsi/scsi_logging.h linux-2.6.35.4/drivers/scsi/scsi_logging.h
27387 --- linux-2.6.35.4/drivers/scsi/scsi_logging.h 2010-08-26 19:47:12.000000000 -0400
27388 +++ linux-2.6.35.4/drivers/scsi/scsi_logging.h 2010-09-17 20:12:09.000000000 -0400
27389 @@ -51,7 +51,7 @@ do { \
27393 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
27394 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
27395 #endif /* CONFIG_SCSI_LOGGING */
27398 diff -urNp linux-2.6.35.4/drivers/scsi/sg.c linux-2.6.35.4/drivers/scsi/sg.c
27399 --- linux-2.6.35.4/drivers/scsi/sg.c 2010-08-26 19:47:12.000000000 -0400
27400 +++ linux-2.6.35.4/drivers/scsi/sg.c 2010-09-17 20:12:09.000000000 -0400
27401 @@ -2302,7 +2302,7 @@ struct sg_proc_leaf {
27402 const struct file_operations * fops;
27405 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
27406 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
27407 {"allow_dio", &adio_fops},
27408 {"debug", &debug_fops},
27409 {"def_reserved_size", &dressz_fops},
27410 @@ -2317,7 +2317,7 @@ sg_proc_init(void)
27413 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
27414 - struct sg_proc_leaf * leaf;
27415 + const struct sg_proc_leaf * leaf;
27417 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
27419 diff -urNp linux-2.6.35.4/drivers/serial/8250_pci.c linux-2.6.35.4/drivers/serial/8250_pci.c
27420 --- linux-2.6.35.4/drivers/serial/8250_pci.c 2010-08-26 19:47:12.000000000 -0400
27421 +++ linux-2.6.35.4/drivers/serial/8250_pci.c 2010-09-17 20:12:09.000000000 -0400
27422 @@ -3777,7 +3777,7 @@ static struct pci_device_id serial_pci_t
27423 PCI_ANY_ID, PCI_ANY_ID,
27424 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
27425 0xffff00, pbn_default },
27427 + { 0, 0, 0, 0, 0, 0, 0 }
27430 static struct pci_driver serial_pci_driver = {
27431 diff -urNp linux-2.6.35.4/drivers/serial/kgdboc.c linux-2.6.35.4/drivers/serial/kgdboc.c
27432 --- linux-2.6.35.4/drivers/serial/kgdboc.c 2010-08-26 19:47:12.000000000 -0400
27433 +++ linux-2.6.35.4/drivers/serial/kgdboc.c 2010-09-17 20:12:09.000000000 -0400
27436 #define MAX_CONFIG_LEN 40
27438 -static struct kgdb_io kgdboc_io_ops;
27439 +static struct kgdb_io kgdboc_io_ops;
27441 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
27442 static int configured = -1;
27443 diff -urNp linux-2.6.35.4/drivers/staging/comedi/comedi_fops.c linux-2.6.35.4/drivers/staging/comedi/comedi_fops.c
27444 --- linux-2.6.35.4/drivers/staging/comedi/comedi_fops.c 2010-08-26 19:47:12.000000000 -0400
27445 +++ linux-2.6.35.4/drivers/staging/comedi/comedi_fops.c 2010-09-17 20:12:09.000000000 -0400
27446 @@ -1425,7 +1425,7 @@ static void comedi_unmap(struct vm_area_
27447 mutex_unlock(&dev->mutex);
27450 -static struct vm_operations_struct comedi_vm_ops = {
27451 +static const struct vm_operations_struct comedi_vm_ops = {
27452 .close = comedi_unmap,
27455 diff -urNp linux-2.6.35.4/drivers/staging/dream/pmem.c linux-2.6.35.4/drivers/staging/dream/pmem.c
27456 --- linux-2.6.35.4/drivers/staging/dream/pmem.c 2010-08-26 19:47:12.000000000 -0400
27457 +++ linux-2.6.35.4/drivers/staging/dream/pmem.c 2010-09-17 20:12:09.000000000 -0400
27458 @@ -175,7 +175,7 @@ static int pmem_mmap(struct file *, stru
27459 static int pmem_open(struct inode *, struct file *);
27460 static long pmem_ioctl(struct file *, unsigned int, unsigned long);
27462 -struct file_operations pmem_fops = {
27463 +const struct file_operations pmem_fops = {
27464 .release = pmem_release,
27467 @@ -1201,7 +1201,7 @@ static ssize_t debug_read(struct file *f
27468 return simple_read_from_buffer(buf, count, ppos, buffer, n);
27471 -static struct file_operations debug_fops = {
27472 +static const struct file_operations debug_fops = {
27473 .read = debug_read,
27474 .open = debug_open,
27476 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.35.4/drivers/staging/dream/qdsp5/adsp_driver.c
27477 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/adsp_driver.c 2010-08-26 19:47:12.000000000 -0400
27478 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/adsp_driver.c 2010-09-17 20:12:09.000000000 -0400
27479 @@ -577,7 +577,7 @@ static struct adsp_device *inode_to_devi
27480 static dev_t adsp_devno;
27481 static struct class *adsp_class;
27483 -static struct file_operations adsp_fops = {
27484 +static const struct file_operations adsp_fops = {
27485 .owner = THIS_MODULE,
27487 .unlocked_ioctl = adsp_ioctl,
27488 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_aac.c
27489 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_aac.c 2010-08-26 19:47:12.000000000 -0400
27490 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_aac.c 2010-09-17 20:12:09.000000000 -0400
27491 @@ -1023,7 +1023,7 @@ done:
27495 -static struct file_operations audio_aac_fops = {
27496 +static const struct file_operations audio_aac_fops = {
27497 .owner = THIS_MODULE,
27498 .open = audio_open,
27499 .release = audio_release,
27500 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_amrnb.c
27501 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-08-26 19:47:12.000000000 -0400
27502 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-09-17 20:12:09.000000000 -0400
27503 @@ -834,7 +834,7 @@ done:
27507 -static struct file_operations audio_amrnb_fops = {
27508 +static const struct file_operations audio_amrnb_fops = {
27509 .owner = THIS_MODULE,
27510 .open = audamrnb_open,
27511 .release = audamrnb_release,
27512 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_evrc.c
27513 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_evrc.c 2010-08-26 19:47:12.000000000 -0400
27514 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_evrc.c 2010-09-17 20:12:09.000000000 -0400
27515 @@ -806,7 +806,7 @@ dma_fail:
27519 -static struct file_operations audio_evrc_fops = {
27520 +static const struct file_operations audio_evrc_fops = {
27521 .owner = THIS_MODULE,
27522 .open = audevrc_open,
27523 .release = audevrc_release,
27524 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_in.c
27525 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_in.c 2010-08-26 19:47:12.000000000 -0400
27526 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_in.c 2010-09-17 20:12:09.000000000 -0400
27527 @@ -914,7 +914,7 @@ static int audpre_open(struct inode *ino
27531 -static struct file_operations audio_fops = {
27532 +static const struct file_operations audio_fops = {
27533 .owner = THIS_MODULE,
27534 .open = audio_in_open,
27535 .release = audio_in_release,
27536 @@ -923,7 +923,7 @@ static struct file_operations audio_fops
27537 .unlocked_ioctl = audio_in_ioctl,
27540 -static struct file_operations audpre_fops = {
27541 +static const struct file_operations audpre_fops = {
27542 .owner = THIS_MODULE,
27543 .open = audpre_open,
27544 .unlocked_ioctl = audpre_ioctl,
27545 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_mp3.c
27546 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_mp3.c 2010-08-26 19:47:12.000000000 -0400
27547 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_mp3.c 2010-09-17 20:12:09.000000000 -0400
27548 @@ -941,7 +941,7 @@ done:
27552 -static struct file_operations audio_mp3_fops = {
27553 +static const struct file_operations audio_mp3_fops = {
27554 .owner = THIS_MODULE,
27555 .open = audio_open,
27556 .release = audio_release,
27557 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_out.c
27558 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_out.c 2010-08-26 19:47:12.000000000 -0400
27559 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_out.c 2010-09-17 20:12:09.000000000 -0400
27560 @@ -800,7 +800,7 @@ static int audpp_open(struct inode *inod
27564 -static struct file_operations audio_fops = {
27565 +static const struct file_operations audio_fops = {
27566 .owner = THIS_MODULE,
27567 .open = audio_open,
27568 .release = audio_release,
27569 @@ -809,7 +809,7 @@ static struct file_operations audio_fops
27570 .unlocked_ioctl = audio_ioctl,
27573 -static struct file_operations audpp_fops = {
27574 +static const struct file_operations audpp_fops = {
27575 .owner = THIS_MODULE,
27576 .open = audpp_open,
27577 .unlocked_ioctl = audpp_ioctl,
27578 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_qcelp.c
27579 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-08-26 19:47:12.000000000 -0400
27580 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-09-17 20:12:09.000000000 -0400
27581 @@ -817,7 +817,7 @@ err:
27585 -static struct file_operations audio_qcelp_fops = {
27586 +static const struct file_operations audio_qcelp_fops = {
27587 .owner = THIS_MODULE,
27588 .open = audqcelp_open,
27589 .release = audqcelp_release,
27590 diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/snd.c linux-2.6.35.4/drivers/staging/dream/qdsp5/snd.c
27591 --- linux-2.6.35.4/drivers/staging/dream/qdsp5/snd.c 2010-08-26 19:47:12.000000000 -0400
27592 +++ linux-2.6.35.4/drivers/staging/dream/qdsp5/snd.c 2010-09-17 20:12:09.000000000 -0400
27593 @@ -242,7 +242,7 @@ err:
27597 -static struct file_operations snd_fops = {
27598 +static const struct file_operations snd_fops = {
27599 .owner = THIS_MODULE,
27601 .release = snd_release,
27602 diff -urNp linux-2.6.35.4/drivers/staging/dt3155/dt3155_drv.c linux-2.6.35.4/drivers/staging/dt3155/dt3155_drv.c
27603 --- linux-2.6.35.4/drivers/staging/dt3155/dt3155_drv.c 2010-08-26 19:47:12.000000000 -0400
27604 +++ linux-2.6.35.4/drivers/staging/dt3155/dt3155_drv.c 2010-09-17 20:12:09.000000000 -0400
27605 @@ -853,7 +853,7 @@ dt3155_unlocked_ioctl(struct file *file,
27606 * needed by init_module
27608 *****************************************************/
27609 -static struct file_operations dt3155_fops = {
27610 +static const struct file_operations dt3155_fops = {
27611 .read = dt3155_read,
27612 .unlocked_ioctl = dt3155_unlocked_ioctl,
27613 .mmap = dt3155_mmap,
27614 diff -urNp linux-2.6.35.4/drivers/staging/go7007/go7007-v4l2.c linux-2.6.35.4/drivers/staging/go7007/go7007-v4l2.c
27615 --- linux-2.6.35.4/drivers/staging/go7007/go7007-v4l2.c 2010-08-26 19:47:12.000000000 -0400
27616 +++ linux-2.6.35.4/drivers/staging/go7007/go7007-v4l2.c 2010-09-17 20:12:09.000000000 -0400
27617 @@ -1673,7 +1673,7 @@ static int go7007_vm_fault(struct vm_are
27621 -static struct vm_operations_struct go7007_vm_ops = {
27622 +static const struct vm_operations_struct go7007_vm_ops = {
27623 .open = go7007_vm_open,
27624 .close = go7007_vm_close,
27625 .fault = go7007_vm_fault,
27626 diff -urNp linux-2.6.35.4/drivers/staging/hv/hv.c linux-2.6.35.4/drivers/staging/hv/hv.c
27627 --- linux-2.6.35.4/drivers/staging/hv/hv.c 2010-08-26 19:47:12.000000000 -0400
27628 +++ linux-2.6.35.4/drivers/staging/hv/hv.c 2010-09-17 20:12:09.000000000 -0400
27629 @@ -162,7 +162,7 @@ static u64 HvDoHypercall(u64 Control, vo
27630 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
27631 u32 outputAddressHi = outputAddress >> 32;
27632 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
27633 - volatile void *hypercallPage = gHvContext.HypercallPage;
27634 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
27636 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
27637 Control, Input, Output);
27638 diff -urNp linux-2.6.35.4/drivers/staging/msm/msm_fb_bl.c linux-2.6.35.4/drivers/staging/msm/msm_fb_bl.c
27639 --- linux-2.6.35.4/drivers/staging/msm/msm_fb_bl.c 2010-08-26 19:47:12.000000000 -0400
27640 +++ linux-2.6.35.4/drivers/staging/msm/msm_fb_bl.c 2010-09-17 20:12:09.000000000 -0400
27641 @@ -42,7 +42,7 @@ static int msm_fb_bl_update_status(struc
27645 -static struct backlight_ops msm_fb_bl_ops = {
27646 +static const struct backlight_ops msm_fb_bl_ops = {
27647 .get_brightness = msm_fb_bl_get_brightness,
27648 .update_status = msm_fb_bl_update_status,
27650 diff -urNp linux-2.6.35.4/drivers/staging/panel/panel.c linux-2.6.35.4/drivers/staging/panel/panel.c
27651 --- linux-2.6.35.4/drivers/staging/panel/panel.c 2010-08-26 19:47:12.000000000 -0400
27652 +++ linux-2.6.35.4/drivers/staging/panel/panel.c 2010-09-17 20:12:09.000000000 -0400
27653 @@ -1304,7 +1304,7 @@ static int lcd_release(struct inode *ino
27657 -static struct file_operations lcd_fops = {
27658 +static const struct file_operations lcd_fops = {
27659 .write = lcd_write,
27661 .release = lcd_release,
27662 @@ -1564,7 +1564,7 @@ static int keypad_release(struct inode *
27666 -static struct file_operations keypad_fops = {
27667 +static const struct file_operations keypad_fops = {
27668 .read = keypad_read, /* read */
27669 .open = keypad_open, /* open */
27670 .release = keypad_release, /* close */
27671 diff -urNp linux-2.6.35.4/drivers/staging/phison/phison.c linux-2.6.35.4/drivers/staging/phison/phison.c
27672 --- linux-2.6.35.4/drivers/staging/phison/phison.c 2010-08-26 19:47:12.000000000 -0400
27673 +++ linux-2.6.35.4/drivers/staging/phison/phison.c 2010-09-17 20:12:09.000000000 -0400
27674 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
27675 ATA_BMDMA_SHT(DRV_NAME),
27678 -static struct ata_port_operations phison_ops = {
27679 +static const struct ata_port_operations phison_ops = {
27680 .inherits = &ata_bmdma_port_ops,
27681 .prereset = phison_pre_reset,
27683 diff -urNp linux-2.6.35.4/drivers/staging/pohmelfs/inode.c linux-2.6.35.4/drivers/staging/pohmelfs/inode.c
27684 --- linux-2.6.35.4/drivers/staging/pohmelfs/inode.c 2010-08-26 19:47:12.000000000 -0400
27685 +++ linux-2.6.35.4/drivers/staging/pohmelfs/inode.c 2010-09-17 20:12:09.000000000 -0400
27686 @@ -1846,7 +1846,7 @@ static int pohmelfs_fill_super(struct su
27687 mutex_init(&psb->mcache_lock);
27688 psb->mcache_root = RB_ROOT;
27689 psb->mcache_timeout = msecs_to_jiffies(5000);
27690 - atomic_long_set(&psb->mcache_gen, 0);
27691 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
27693 psb->trans_max_pages = 100;
27695 diff -urNp linux-2.6.35.4/drivers/staging/pohmelfs/mcache.c linux-2.6.35.4/drivers/staging/pohmelfs/mcache.c
27696 --- linux-2.6.35.4/drivers/staging/pohmelfs/mcache.c 2010-08-26 19:47:12.000000000 -0400
27697 +++ linux-2.6.35.4/drivers/staging/pohmelfs/mcache.c 2010-09-17 20:12:09.000000000 -0400
27698 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
27702 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
27703 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
27705 mutex_lock(&psb->mcache_lock);
27706 err = pohmelfs_mcache_insert(psb, m);
27707 diff -urNp linux-2.6.35.4/drivers/staging/pohmelfs/netfs.h linux-2.6.35.4/drivers/staging/pohmelfs/netfs.h
27708 --- linux-2.6.35.4/drivers/staging/pohmelfs/netfs.h 2010-08-26 19:47:12.000000000 -0400
27709 +++ linux-2.6.35.4/drivers/staging/pohmelfs/netfs.h 2010-09-17 20:12:09.000000000 -0400
27710 @@ -571,7 +571,7 @@ struct pohmelfs_config;
27711 struct pohmelfs_sb {
27712 struct rb_root mcache_root;
27713 struct mutex mcache_lock;
27714 - atomic_long_t mcache_gen;
27715 + atomic_long_unchecked_t mcache_gen;
27716 unsigned long mcache_timeout;
27719 diff -urNp linux-2.6.35.4/drivers/staging/ramzswap/ramzswap_drv.c linux-2.6.35.4/drivers/staging/ramzswap/ramzswap_drv.c
27720 --- linux-2.6.35.4/drivers/staging/ramzswap/ramzswap_drv.c 2010-08-26 19:47:12.000000000 -0400
27721 +++ linux-2.6.35.4/drivers/staging/ramzswap/ramzswap_drv.c 2010-09-17 20:12:09.000000000 -0400
27722 @@ -693,7 +693,7 @@ void ramzswap_slot_free_notify(struct bl
27726 -static struct block_device_operations ramzswap_devops = {
27727 +static const struct block_device_operations ramzswap_devops = {
27728 .ioctl = ramzswap_ioctl,
27729 .swap_slot_free_notify = ramzswap_slot_free_notify,
27730 .owner = THIS_MODULE
27731 diff -urNp linux-2.6.35.4/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.35.4/drivers/staging/rtl8192u/ieee80211/proc.c
27732 --- linux-2.6.35.4/drivers/staging/rtl8192u/ieee80211/proc.c 2010-08-26 19:47:12.000000000 -0400
27733 +++ linux-2.6.35.4/drivers/staging/rtl8192u/ieee80211/proc.c 2010-09-17 20:12:09.000000000 -0400
27734 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
27735 return seq_open(file, &crypto_seq_ops);
27738 -static struct file_operations proc_crypto_ops = {
27739 +static const struct file_operations proc_crypto_ops = {
27740 .open = crypto_info_open,
27742 .llseek = seq_lseek,
27743 diff -urNp linux-2.6.35.4/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.35.4/drivers/staging/samsung-laptop/samsung-laptop.c
27744 --- linux-2.6.35.4/drivers/staging/samsung-laptop/samsung-laptop.c 2010-08-26 19:47:12.000000000 -0400
27745 +++ linux-2.6.35.4/drivers/staging/samsung-laptop/samsung-laptop.c 2010-09-17 20:12:09.000000000 -0400
27746 @@ -269,7 +269,7 @@ static int update_status(struct backligh
27750 -static struct backlight_ops backlight_ops = {
27751 +static const struct backlight_ops backlight_ops = {
27752 .get_brightness = get_brightness,
27753 .update_status = update_status,
27755 diff -urNp linux-2.6.35.4/drivers/staging/sep/sep_driver.c linux-2.6.35.4/drivers/staging/sep/sep_driver.c
27756 --- linux-2.6.35.4/drivers/staging/sep/sep_driver.c 2010-08-26 19:47:12.000000000 -0400
27757 +++ linux-2.6.35.4/drivers/staging/sep/sep_driver.c 2010-09-17 20:12:09.000000000 -0400
27758 @@ -2637,7 +2637,7 @@ static struct pci_driver sep_pci_driver
27759 static dev_t sep_devno;
27761 /* the files operations structure of the driver */
27762 -static struct file_operations sep_file_operations = {
27763 +static const struct file_operations sep_file_operations = {
27764 .owner = THIS_MODULE,
27765 .unlocked_ioctl = sep_ioctl,
27767 diff -urNp linux-2.6.35.4/drivers/staging/vme/devices/vme_user.c linux-2.6.35.4/drivers/staging/vme/devices/vme_user.c
27768 --- linux-2.6.35.4/drivers/staging/vme/devices/vme_user.c 2010-08-26 19:47:12.000000000 -0400
27769 +++ linux-2.6.35.4/drivers/staging/vme/devices/vme_user.c 2010-09-17 20:12:09.000000000 -0400
27770 @@ -136,7 +136,7 @@ static long vme_user_unlocked_ioctl(stru
27771 static int __init vme_user_probe(struct device *, int, int);
27772 static int __exit vme_user_remove(struct device *, int, int);
27774 -static struct file_operations vme_user_fops = {
27775 +static const struct file_operations vme_user_fops = {
27776 .open = vme_user_open,
27777 .release = vme_user_release,
27778 .read = vme_user_read,
27779 diff -urNp linux-2.6.35.4/drivers/usb/atm/usbatm.c linux-2.6.35.4/drivers/usb/atm/usbatm.c
27780 --- linux-2.6.35.4/drivers/usb/atm/usbatm.c 2010-08-26 19:47:12.000000000 -0400
27781 +++ linux-2.6.35.4/drivers/usb/atm/usbatm.c 2010-09-17 20:12:09.000000000 -0400
27782 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
27783 if (printk_ratelimit())
27784 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
27785 __func__, vpi, vci);
27786 - atomic_inc(&vcc->stats->rx_err);
27787 + atomic_inc_unchecked(&vcc->stats->rx_err);
27791 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
27792 if (length > ATM_MAX_AAL5_PDU) {
27793 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
27794 __func__, length, vcc);
27795 - atomic_inc(&vcc->stats->rx_err);
27796 + atomic_inc_unchecked(&vcc->stats->rx_err);
27800 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
27801 if (sarb->len < pdu_length) {
27802 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
27803 __func__, pdu_length, sarb->len, vcc);
27804 - atomic_inc(&vcc->stats->rx_err);
27805 + atomic_inc_unchecked(&vcc->stats->rx_err);
27809 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
27810 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
27812 - atomic_inc(&vcc->stats->rx_err);
27813 + atomic_inc_unchecked(&vcc->stats->rx_err);
27817 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
27818 if (printk_ratelimit())
27819 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
27821 - atomic_inc(&vcc->stats->rx_drop);
27822 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27826 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
27828 vcc->push(vcc, skb);
27830 - atomic_inc(&vcc->stats->rx);
27831 + atomic_inc_unchecked(&vcc->stats->rx);
27835 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
27836 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
27838 usbatm_pop(vcc, skb);
27839 - atomic_inc(&vcc->stats->tx);
27840 + atomic_inc_unchecked(&vcc->stats->tx);
27842 skb = skb_dequeue(&instance->sndqueue);
27844 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
27846 return sprintf(page,
27847 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
27848 - atomic_read(&atm_dev->stats.aal5.tx),
27849 - atomic_read(&atm_dev->stats.aal5.tx_err),
27850 - atomic_read(&atm_dev->stats.aal5.rx),
27851 - atomic_read(&atm_dev->stats.aal5.rx_err),
27852 - atomic_read(&atm_dev->stats.aal5.rx_drop));
27853 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
27854 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
27855 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
27856 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
27857 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
27860 if (instance->disconnected)
27861 diff -urNp linux-2.6.35.4/drivers/usb/class/cdc-acm.c linux-2.6.35.4/drivers/usb/class/cdc-acm.c
27862 --- linux-2.6.35.4/drivers/usb/class/cdc-acm.c 2010-08-26 19:47:12.000000000 -0400
27863 +++ linux-2.6.35.4/drivers/usb/class/cdc-acm.c 2010-09-17 20:12:09.000000000 -0400
27864 @@ -1619,7 +1619,7 @@ static const struct usb_device_id acm_id
27865 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
27866 USB_CDC_ACM_PROTO_AT_CDMA) },
27869 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
27872 MODULE_DEVICE_TABLE(usb, acm_ids);
27873 diff -urNp linux-2.6.35.4/drivers/usb/class/cdc-wdm.c linux-2.6.35.4/drivers/usb/class/cdc-wdm.c
27874 --- linux-2.6.35.4/drivers/usb/class/cdc-wdm.c 2010-08-26 19:47:12.000000000 -0400
27875 +++ linux-2.6.35.4/drivers/usb/class/cdc-wdm.c 2010-09-17 20:12:09.000000000 -0400
27876 @@ -342,7 +342,7 @@ static ssize_t wdm_write
27880 - if (!file->f_flags && O_NONBLOCK)
27881 + if (!(file->f_flags & O_NONBLOCK))
27882 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
27885 diff -urNp linux-2.6.35.4/drivers/usb/class/usblp.c linux-2.6.35.4/drivers/usb/class/usblp.c
27886 --- linux-2.6.35.4/drivers/usb/class/usblp.c 2010-08-26 19:47:12.000000000 -0400
27887 +++ linux-2.6.35.4/drivers/usb/class/usblp.c 2010-09-17 20:12:09.000000000 -0400
27888 @@ -226,7 +226,7 @@ static const struct quirk_printer_struct
27889 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
27890 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
27891 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
27896 static int usblp_wwait(struct usblp *usblp, int nonblock);
27897 @@ -1398,7 +1398,7 @@ static const struct usb_device_id usblp_
27898 { USB_INTERFACE_INFO(7, 1, 2) },
27899 { USB_INTERFACE_INFO(7, 1, 3) },
27900 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
27901 - { } /* Terminating entry */
27902 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
27905 MODULE_DEVICE_TABLE (usb, usblp_ids);
27906 diff -urNp linux-2.6.35.4/drivers/usb/core/hcd.c linux-2.6.35.4/drivers/usb/core/hcd.c
27907 --- linux-2.6.35.4/drivers/usb/core/hcd.c 2010-08-26 19:47:12.000000000 -0400
27908 +++ linux-2.6.35.4/drivers/usb/core/hcd.c 2010-09-17 20:12:09.000000000 -0400
27909 @@ -2381,7 +2381,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
27911 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
27913 -struct usb_mon_operations *mon_ops;
27914 +const struct usb_mon_operations *mon_ops;
27917 * The registration is unlocked.
27918 @@ -2391,7 +2391,7 @@ struct usb_mon_operations *mon_ops;
27919 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
27922 -int usb_mon_register (struct usb_mon_operations *ops)
27923 +int usb_mon_register (const struct usb_mon_operations *ops)
27927 diff -urNp linux-2.6.35.4/drivers/usb/core/hub.c linux-2.6.35.4/drivers/usb/core/hub.c
27928 --- linux-2.6.35.4/drivers/usb/core/hub.c 2010-08-26 19:47:12.000000000 -0400
27929 +++ linux-2.6.35.4/drivers/usb/core/hub.c 2010-09-17 20:12:09.000000000 -0400
27930 @@ -3453,7 +3453,7 @@ static const struct usb_device_id hub_id
27931 .bDeviceClass = USB_CLASS_HUB},
27932 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
27933 .bInterfaceClass = USB_CLASS_HUB},
27934 - { } /* Terminating entry */
27935 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
27938 MODULE_DEVICE_TABLE (usb, hub_id_table);
27939 diff -urNp linux-2.6.35.4/drivers/usb/core/message.c linux-2.6.35.4/drivers/usb/core/message.c
27940 --- linux-2.6.35.4/drivers/usb/core/message.c 2010-08-26 19:47:12.000000000 -0400
27941 +++ linux-2.6.35.4/drivers/usb/core/message.c 2010-09-17 20:12:09.000000000 -0400
27942 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
27943 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
27945 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
27947 - smallbuf = kmalloc(++len, GFP_NOIO);
27949 + smallbuf = kmalloc(len, GFP_NOIO);
27952 memcpy(smallbuf, buf, len);
27953 diff -urNp linux-2.6.35.4/drivers/usb/early/ehci-dbgp.c linux-2.6.35.4/drivers/usb/early/ehci-dbgp.c
27954 --- linux-2.6.35.4/drivers/usb/early/ehci-dbgp.c 2010-08-26 19:47:12.000000000 -0400
27955 +++ linux-2.6.35.4/drivers/usb/early/ehci-dbgp.c 2010-09-17 20:12:09.000000000 -0400
27956 @@ -1026,6 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
27957 early_dbgp_write(NULL, &chr, 1);
27960 +/* cannot be const, see kgdbdbgp_parse_config() */
27961 static struct kgdb_io kgdbdbgp_io_ops = {
27962 .name = "kgdbdbgp",
27963 .read_char = kgdbdbgp_read_char,
27964 diff -urNp linux-2.6.35.4/drivers/usb/host/ehci-pci.c linux-2.6.35.4/drivers/usb/host/ehci-pci.c
27965 --- linux-2.6.35.4/drivers/usb/host/ehci-pci.c 2010-08-26 19:47:12.000000000 -0400
27966 +++ linux-2.6.35.4/drivers/usb/host/ehci-pci.c 2010-09-17 20:12:09.000000000 -0400
27967 @@ -419,7 +419,7 @@ static const struct pci_device_id pci_id
27968 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
27969 .driver_data = (unsigned long) &ehci_pci_hc_driver,
27971 - { /* end: all zeroes */ }
27972 + { 0, 0, 0, 0, 0, 0, 0 }
27974 MODULE_DEVICE_TABLE(pci, pci_ids);
27976 diff -urNp linux-2.6.35.4/drivers/usb/host/uhci-hcd.c linux-2.6.35.4/drivers/usb/host/uhci-hcd.c
27977 --- linux-2.6.35.4/drivers/usb/host/uhci-hcd.c 2010-08-26 19:47:12.000000000 -0400
27978 +++ linux-2.6.35.4/drivers/usb/host/uhci-hcd.c 2010-09-17 20:12:09.000000000 -0400
27979 @@ -941,7 +941,7 @@ static const struct pci_device_id uhci_p
27980 /* handle any USB UHCI controller */
27981 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
27982 .driver_data = (unsigned long) &uhci_driver,
27983 - }, { /* end: all zeroes */ }
27984 + }, { 0, 0, 0, 0, 0, 0, 0 }
27987 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
27988 diff -urNp linux-2.6.35.4/drivers/usb/mon/mon_main.c linux-2.6.35.4/drivers/usb/mon/mon_main.c
27989 --- linux-2.6.35.4/drivers/usb/mon/mon_main.c 2010-08-26 19:47:12.000000000 -0400
27990 +++ linux-2.6.35.4/drivers/usb/mon/mon_main.c 2010-09-17 20:12:09.000000000 -0400
27991 @@ -240,7 +240,7 @@ static struct notifier_block mon_nb = {
27995 -static struct usb_mon_operations mon_ops_0 = {
27996 +static const struct usb_mon_operations mon_ops_0 = {
27997 .urb_submit = mon_submit,
27998 .urb_submit_error = mon_submit_error,
27999 .urb_complete = mon_complete,
28000 diff -urNp linux-2.6.35.4/drivers/usb/storage/debug.h linux-2.6.35.4/drivers/usb/storage/debug.h
28001 --- linux-2.6.35.4/drivers/usb/storage/debug.h 2010-08-26 19:47:12.000000000 -0400
28002 +++ linux-2.6.35.4/drivers/usb/storage/debug.h 2010-09-17 20:12:09.000000000 -0400
28003 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
28004 #define US_DEBUGPX(x...) printk( x )
28005 #define US_DEBUG(x) x
28007 -#define US_DEBUGP(x...)
28008 -#define US_DEBUGPX(x...)
28009 -#define US_DEBUG(x)
28010 +#define US_DEBUGP(x...) do {} while (0)
28011 +#define US_DEBUGPX(x...) do {} while (0)
28012 +#define US_DEBUG(x) do {} while (0)
28016 diff -urNp linux-2.6.35.4/drivers/usb/storage/usb.c linux-2.6.35.4/drivers/usb/storage/usb.c
28017 --- linux-2.6.35.4/drivers/usb/storage/usb.c 2010-08-26 19:47:12.000000000 -0400
28018 +++ linux-2.6.35.4/drivers/usb/storage/usb.c 2010-09-17 20:12:09.000000000 -0400
28019 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
28021 static struct us_unusual_dev us_unusual_dev_list[] = {
28022 # include "unusual_devs.h"
28023 - { } /* Terminating entry */
28024 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
28028 diff -urNp linux-2.6.35.4/drivers/usb/storage/usual-tables.c linux-2.6.35.4/drivers/usb/storage/usual-tables.c
28029 --- linux-2.6.35.4/drivers/usb/storage/usual-tables.c 2010-08-26 19:47:12.000000000 -0400
28030 +++ linux-2.6.35.4/drivers/usb/storage/usual-tables.c 2010-09-17 20:12:09.000000000 -0400
28033 struct usb_device_id usb_storage_usb_ids[] = {
28034 # include "unusual_devs.h"
28035 - { } /* Terminating entry */
28036 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28038 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
28040 diff -urNp linux-2.6.35.4/drivers/uwb/wlp/messages.c linux-2.6.35.4/drivers/uwb/wlp/messages.c
28041 --- linux-2.6.35.4/drivers/uwb/wlp/messages.c 2010-08-26 19:47:12.000000000 -0400
28042 +++ linux-2.6.35.4/drivers/uwb/wlp/messages.c 2010-09-17 20:12:09.000000000 -0400
28043 @@ -920,7 +920,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
28044 size_t len = skb->len;
28047 - struct wlp_nonce enonce, rnonce;
28048 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
28049 enum wlp_assc_error assc_err;
28050 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
28051 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
28052 diff -urNp linux-2.6.35.4/drivers/vhost/vhost.c linux-2.6.35.4/drivers/vhost/vhost.c
28053 --- linux-2.6.35.4/drivers/vhost/vhost.c 2010-08-26 19:47:12.000000000 -0400
28054 +++ linux-2.6.35.4/drivers/vhost/vhost.c 2010-09-17 20:12:09.000000000 -0400
28055 @@ -357,7 +357,7 @@ static int init_used(struct vhost_virtqu
28056 return get_user(vq->last_used_idx, &used->idx);
28059 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
28060 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
28062 struct file *eventfp, *filep = NULL,
28063 *pollstart = NULL, *pollstop = NULL;
28064 diff -urNp linux-2.6.35.4/drivers/video/atmel_lcdfb.c linux-2.6.35.4/drivers/video/atmel_lcdfb.c
28065 --- linux-2.6.35.4/drivers/video/atmel_lcdfb.c 2010-08-26 19:47:12.000000000 -0400
28066 +++ linux-2.6.35.4/drivers/video/atmel_lcdfb.c 2010-09-17 20:12:09.000000000 -0400
28067 @@ -111,7 +111,7 @@ static int atmel_bl_get_brightness(struc
28068 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
28071 -static struct backlight_ops atmel_lcdc_bl_ops = {
28072 +static const struct backlight_ops atmel_lcdc_bl_ops = {
28073 .update_status = atmel_bl_update_status,
28074 .get_brightness = atmel_bl_get_brightness,
28076 diff -urNp linux-2.6.35.4/drivers/video/aty/aty128fb.c linux-2.6.35.4/drivers/video/aty/aty128fb.c
28077 --- linux-2.6.35.4/drivers/video/aty/aty128fb.c 2010-08-26 19:47:12.000000000 -0400
28078 +++ linux-2.6.35.4/drivers/video/aty/aty128fb.c 2010-09-17 20:12:09.000000000 -0400
28079 @@ -1786,7 +1786,7 @@ static int aty128_bl_get_brightness(stru
28080 return bd->props.brightness;
28083 -static struct backlight_ops aty128_bl_data = {
28084 +static const struct backlight_ops aty128_bl_data = {
28085 .get_brightness = aty128_bl_get_brightness,
28086 .update_status = aty128_bl_update_status,
28088 diff -urNp linux-2.6.35.4/drivers/video/aty/atyfb_base.c linux-2.6.35.4/drivers/video/aty/atyfb_base.c
28089 --- linux-2.6.35.4/drivers/video/aty/atyfb_base.c 2010-08-26 19:47:12.000000000 -0400
28090 +++ linux-2.6.35.4/drivers/video/aty/atyfb_base.c 2010-09-17 20:12:09.000000000 -0400
28091 @@ -2221,7 +2221,7 @@ static int aty_bl_get_brightness(struct
28092 return bd->props.brightness;
28095 -static struct backlight_ops aty_bl_data = {
28096 +static const struct backlight_ops aty_bl_data = {
28097 .get_brightness = aty_bl_get_brightness,
28098 .update_status = aty_bl_update_status,
28100 diff -urNp linux-2.6.35.4/drivers/video/aty/radeon_backlight.c linux-2.6.35.4/drivers/video/aty/radeon_backlight.c
28101 --- linux-2.6.35.4/drivers/video/aty/radeon_backlight.c 2010-08-26 19:47:12.000000000 -0400
28102 +++ linux-2.6.35.4/drivers/video/aty/radeon_backlight.c 2010-09-17 20:12:09.000000000 -0400
28103 @@ -128,7 +128,7 @@ static int radeon_bl_get_brightness(stru
28104 return bd->props.brightness;
28107 -static struct backlight_ops radeon_bl_data = {
28108 +static const struct backlight_ops radeon_bl_data = {
28109 .get_brightness = radeon_bl_get_brightness,
28110 .update_status = radeon_bl_update_status,
28112 diff -urNp linux-2.6.35.4/drivers/video/backlight/88pm860x_bl.c linux-2.6.35.4/drivers/video/backlight/88pm860x_bl.c
28113 --- linux-2.6.35.4/drivers/video/backlight/88pm860x_bl.c 2010-08-26 19:47:12.000000000 -0400
28114 +++ linux-2.6.35.4/drivers/video/backlight/88pm860x_bl.c 2010-09-17 20:12:09.000000000 -0400
28115 @@ -155,7 +155,7 @@ out:
28119 -static struct backlight_ops pm860x_backlight_ops = {
28120 +static const struct backlight_ops pm860x_backlight_ops = {
28121 .options = BL_CORE_SUSPENDRESUME,
28122 .update_status = pm860x_backlight_update_status,
28123 .get_brightness = pm860x_backlight_get_brightness,
28124 diff -urNp linux-2.6.35.4/drivers/video/backlight/max8925_bl.c linux-2.6.35.4/drivers/video/backlight/max8925_bl.c
28125 --- linux-2.6.35.4/drivers/video/backlight/max8925_bl.c 2010-08-26 19:47:12.000000000 -0400
28126 +++ linux-2.6.35.4/drivers/video/backlight/max8925_bl.c 2010-09-17 20:12:09.000000000 -0400
28127 @@ -92,7 +92,7 @@ static int max8925_backlight_get_brightn
28131 -static struct backlight_ops max8925_backlight_ops = {
28132 +static const struct backlight_ops max8925_backlight_ops = {
28133 .options = BL_CORE_SUSPENDRESUME,
28134 .update_status = max8925_backlight_update_status,
28135 .get_brightness = max8925_backlight_get_brightness,
28136 diff -urNp linux-2.6.35.4/drivers/video/fbcmap.c linux-2.6.35.4/drivers/video/fbcmap.c
28137 --- linux-2.6.35.4/drivers/video/fbcmap.c 2010-08-26 19:47:12.000000000 -0400
28138 +++ linux-2.6.35.4/drivers/video/fbcmap.c 2010-09-17 20:12:09.000000000 -0400
28139 @@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
28143 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
28144 - !info->fbops->fb_setcmap)) {
28145 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
28149 diff -urNp linux-2.6.35.4/drivers/video/fbmem.c linux-2.6.35.4/drivers/video/fbmem.c
28150 --- linux-2.6.35.4/drivers/video/fbmem.c 2010-08-26 19:47:12.000000000 -0400
28151 +++ linux-2.6.35.4/drivers/video/fbmem.c 2010-09-17 20:12:09.000000000 -0400
28152 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
28153 image->dx += image->width + 8;
28155 } else if (rotate == FB_ROTATE_UD) {
28156 - for (x = 0; x < num && image->dx >= 0; x++) {
28157 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
28158 info->fbops->fb_imageblit(info, image);
28159 image->dx -= image->width + 8;
28161 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
28162 image->dy += image->height + 8;
28164 } else if (rotate == FB_ROTATE_CCW) {
28165 - for (x = 0; x < num && image->dy >= 0; x++) {
28166 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
28167 info->fbops->fb_imageblit(info, image);
28168 image->dy -= image->height + 8;
28170 @@ -1119,7 +1119,7 @@ static long do_fb_ioctl(struct fb_info *
28172 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
28174 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
28175 + if (con2fb.framebuffer >= FB_MAX)
28177 if (!registered_fb[con2fb.framebuffer])
28178 request_module("fb%d", con2fb.framebuffer);
28179 diff -urNp linux-2.6.35.4/drivers/video/fbmon.c linux-2.6.35.4/drivers/video/fbmon.c
28180 --- linux-2.6.35.4/drivers/video/fbmon.c 2010-08-26 19:47:12.000000000 -0400
28181 +++ linux-2.6.35.4/drivers/video/fbmon.c 2010-09-17 20:12:09.000000000 -0400
28184 #define DPRINTK(fmt, args...) printk(fmt,## args)
28186 -#define DPRINTK(fmt, args...)
28187 +#define DPRINTK(fmt, args...) do {} while (0)
28190 #define FBMON_FIX_HEADER 1
28191 diff -urNp linux-2.6.35.4/drivers/video/i810/i810_accel.c linux-2.6.35.4/drivers/video/i810/i810_accel.c
28192 --- linux-2.6.35.4/drivers/video/i810/i810_accel.c 2010-08-26 19:47:12.000000000 -0400
28193 +++ linux-2.6.35.4/drivers/video/i810/i810_accel.c 2010-09-17 20:12:09.000000000 -0400
28194 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
28197 printk("ringbuffer lockup!!!\n");
28198 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
28199 i810_report_error(mmio);
28200 par->dev_flags |= LOCKUP;
28201 info->pixmap.scan_align = 1;
28202 diff -urNp linux-2.6.35.4/drivers/video/i810/i810_main.c linux-2.6.35.4/drivers/video/i810/i810_main.c
28203 --- linux-2.6.35.4/drivers/video/i810/i810_main.c 2010-08-26 19:47:12.000000000 -0400
28204 +++ linux-2.6.35.4/drivers/video/i810/i810_main.c 2010-09-17 20:12:09.000000000 -0400
28205 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
28206 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
28207 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
28208 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
28210 + { 0, 0, 0, 0, 0, 0, 0 },
28213 static struct pci_driver i810fb_driver = {
28214 diff -urNp linux-2.6.35.4/drivers/video/modedb.c linux-2.6.35.4/drivers/video/modedb.c
28215 --- linux-2.6.35.4/drivers/video/modedb.c 2010-08-26 19:47:12.000000000 -0400
28216 +++ linux-2.6.35.4/drivers/video/modedb.c 2010-09-17 20:12:09.000000000 -0400
28217 @@ -40,240 +40,240 @@ static const struct fb_videomode modedb[
28219 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
28220 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
28221 - 0, FB_VMODE_NONINTERLACED
28222 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28224 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
28225 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
28226 - 0, FB_VMODE_NONINTERLACED
28227 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28229 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
28230 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
28231 - 0, FB_VMODE_NONINTERLACED
28232 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28234 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
28235 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
28236 - 0, FB_VMODE_INTERLACED
28237 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28239 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
28240 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
28241 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28242 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28244 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
28245 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
28246 - 0, FB_VMODE_NONINTERLACED
28247 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28249 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
28250 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
28251 - 0, FB_VMODE_NONINTERLACED
28252 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28254 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
28255 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
28256 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28257 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28259 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
28260 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
28261 - 0, FB_VMODE_NONINTERLACED
28262 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28264 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
28265 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
28266 - 0, FB_VMODE_INTERLACED
28267 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28269 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
28270 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
28271 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28272 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28274 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
28275 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
28276 - 0, FB_VMODE_NONINTERLACED
28277 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28279 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
28280 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
28281 - 0, FB_VMODE_NONINTERLACED
28282 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28284 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
28285 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
28286 - 0, FB_VMODE_NONINTERLACED
28287 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28289 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
28290 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
28291 - 0, FB_VMODE_NONINTERLACED
28292 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28294 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
28295 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
28296 - 0, FB_VMODE_NONINTERLACED
28297 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28299 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
28300 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
28301 - 0, FB_VMODE_INTERLACED
28302 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28304 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
28305 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
28306 - 0, FB_VMODE_NONINTERLACED
28307 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28309 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
28310 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
28311 - 0, FB_VMODE_NONINTERLACED
28312 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28314 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
28315 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
28316 - 0, FB_VMODE_NONINTERLACED
28317 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28319 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
28320 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
28321 - 0, FB_VMODE_NONINTERLACED
28322 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28324 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
28325 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
28326 - 0, FB_VMODE_NONINTERLACED
28327 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28329 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
28330 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
28331 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28332 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28334 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
28335 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
28336 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28337 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28339 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
28340 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
28341 - 0, FB_VMODE_NONINTERLACED
28342 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28344 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
28345 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
28346 - 0, FB_VMODE_NONINTERLACED
28347 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28349 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
28350 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
28351 - 0, FB_VMODE_NONINTERLACED
28352 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28354 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
28355 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
28356 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28357 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28359 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
28360 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
28361 - 0, FB_VMODE_NONINTERLACED
28362 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28364 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
28365 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
28366 - 0, FB_VMODE_NONINTERLACED
28367 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28369 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
28370 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
28371 - 0, FB_VMODE_NONINTERLACED
28372 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28374 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
28375 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
28376 - 0, FB_VMODE_NONINTERLACED
28377 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28379 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
28380 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
28381 - 0, FB_VMODE_NONINTERLACED
28382 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28384 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
28385 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
28386 - 0, FB_VMODE_NONINTERLACED
28387 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28389 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
28390 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
28391 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28392 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28394 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
28395 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
28396 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28397 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28399 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
28400 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
28401 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28402 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28404 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
28405 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
28406 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28407 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28409 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
28410 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
28411 - 0, FB_VMODE_NONINTERLACED
28412 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28414 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
28415 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
28416 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28417 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28419 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
28420 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
28421 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28422 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28424 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
28425 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
28426 - 0, FB_VMODE_NONINTERLACED
28427 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28429 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
28430 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
28431 - 0, FB_VMODE_NONINTERLACED
28432 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28434 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
28435 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
28436 - 0, FB_VMODE_DOUBLE
28437 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28439 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
28440 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
28441 - 0, FB_VMODE_DOUBLE
28442 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28444 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
28445 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
28446 - 0, FB_VMODE_DOUBLE
28447 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28449 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
28450 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
28451 - 0, FB_VMODE_DOUBLE
28452 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28454 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
28455 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
28456 - 0, FB_VMODE_DOUBLE
28457 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28459 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
28460 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
28461 - 0, FB_VMODE_DOUBLE
28462 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28464 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
28465 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
28466 - 0, FB_VMODE_DOUBLE
28467 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28469 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
28470 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
28471 - 0, FB_VMODE_DOUBLE
28472 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28474 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
28475 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
28476 - 0, FB_VMODE_DOUBLE
28477 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28479 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
28480 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
28481 - 0, FB_VMODE_DOUBLE
28482 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28484 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
28485 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
28486 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28487 - FB_VMODE_NONINTERLACED
28488 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28490 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
28491 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
28492 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28493 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28495 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
28496 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
28497 - 0, FB_VMODE_NONINTERLACED
28498 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28500 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
28501 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
28502 - 0, FB_VMODE_NONINTERLACED
28503 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28505 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28506 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
28507 - 0, FB_VMODE_INTERLACED
28508 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28510 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28511 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
28512 - 0, FB_VMODE_INTERLACED
28513 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28517 diff -urNp linux-2.6.35.4/drivers/video/nvidia/nv_backlight.c linux-2.6.35.4/drivers/video/nvidia/nv_backlight.c
28518 --- linux-2.6.35.4/drivers/video/nvidia/nv_backlight.c 2010-08-26 19:47:12.000000000 -0400
28519 +++ linux-2.6.35.4/drivers/video/nvidia/nv_backlight.c 2010-09-17 20:12:09.000000000 -0400
28520 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
28521 return bd->props.brightness;
28524 -static struct backlight_ops nvidia_bl_ops = {
28525 +static const struct backlight_ops nvidia_bl_ops = {
28526 .get_brightness = nvidia_bl_get_brightness,
28527 .update_status = nvidia_bl_update_status,
28529 diff -urNp linux-2.6.35.4/drivers/video/omap2/displays/panel-taal.c linux-2.6.35.4/drivers/video/omap2/displays/panel-taal.c
28530 --- linux-2.6.35.4/drivers/video/omap2/displays/panel-taal.c 2010-08-26 19:47:12.000000000 -0400
28531 +++ linux-2.6.35.4/drivers/video/omap2/displays/panel-taal.c 2010-09-17 20:12:09.000000000 -0400
28532 @@ -319,7 +319,7 @@ static int taal_bl_get_intensity(struct
28536 -static struct backlight_ops taal_bl_ops = {
28537 +static const struct backlight_ops taal_bl_ops = {
28538 .get_brightness = taal_bl_get_intensity,
28539 .update_status = taal_bl_update_status,
28541 diff -urNp linux-2.6.35.4/drivers/video/riva/fbdev.c linux-2.6.35.4/drivers/video/riva/fbdev.c
28542 --- linux-2.6.35.4/drivers/video/riva/fbdev.c 2010-08-26 19:47:12.000000000 -0400
28543 +++ linux-2.6.35.4/drivers/video/riva/fbdev.c 2010-09-17 20:12:09.000000000 -0400
28544 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
28545 return bd->props.brightness;
28548 -static struct backlight_ops riva_bl_ops = {
28549 +static const struct backlight_ops riva_bl_ops = {
28550 .get_brightness = riva_bl_get_brightness,
28551 .update_status = riva_bl_update_status,
28553 diff -urNp linux-2.6.35.4/drivers/video/uvesafb.c linux-2.6.35.4/drivers/video/uvesafb.c
28554 --- linux-2.6.35.4/drivers/video/uvesafb.c 2010-08-26 19:47:12.000000000 -0400
28555 +++ linux-2.6.35.4/drivers/video/uvesafb.c 2010-09-17 20:12:09.000000000 -0400
28557 #include <linux/io.h>
28558 #include <linux/mutex.h>
28559 #include <linux/slab.h>
28560 +#include <linux/moduleloader.h>
28561 #include <video/edid.h>
28562 #include <video/uvesafb.h>
28564 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
28568 - return call_usermodehelper(v86d_path, argv, envp, 1);
28569 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
28573 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
28574 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
28575 par->pmi_setpal = par->ypan = 0;
28578 +#ifdef CONFIG_PAX_KERNEXEC
28579 +#ifdef CONFIG_MODULES
28580 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
28582 + if (!par->pmi_code) {
28583 + par->pmi_setpal = par->ypan = 0;
28588 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
28589 + task->t.regs.edi);
28591 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28592 + pax_open_kernel();
28593 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
28594 + pax_close_kernel();
28596 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
28597 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
28599 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
28600 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
28603 printk(KERN_INFO "uvesafb: protected mode interface info at "
28605 (u16)task->t.regs.es, (u16)task->t.regs.edi);
28606 @@ -1800,6 +1823,11 @@ out:
28607 if (par->vbe_modes)
28608 kfree(par->vbe_modes);
28610 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28611 + if (par->pmi_code)
28612 + module_free_exec(NULL, par->pmi_code);
28615 framebuffer_release(info);
28618 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
28619 kfree(par->vbe_state_orig);
28620 if (par->vbe_state_saved)
28621 kfree(par->vbe_state_saved);
28623 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28624 + if (par->pmi_code)
28625 + module_free_exec(NULL, par->pmi_code);
28630 framebuffer_release(info);
28631 diff -urNp linux-2.6.35.4/drivers/video/vesafb.c linux-2.6.35.4/drivers/video/vesafb.c
28632 --- linux-2.6.35.4/drivers/video/vesafb.c 2010-08-26 19:47:12.000000000 -0400
28633 +++ linux-2.6.35.4/drivers/video/vesafb.c 2010-09-17 20:12:09.000000000 -0400
28637 #include <linux/module.h>
28638 +#include <linux/moduleloader.h>
28639 #include <linux/kernel.h>
28640 #include <linux/errno.h>
28641 #include <linux/string.h>
28642 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
28643 static int vram_total __initdata; /* Set total amount of memory */
28644 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
28645 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
28646 -static void (*pmi_start)(void) __read_mostly;
28647 -static void (*pmi_pal) (void) __read_mostly;
28648 +static void (*pmi_start)(void) __read_only;
28649 +static void (*pmi_pal) (void) __read_only;
28650 static int depth __read_mostly;
28651 static int vga_compat __read_mostly;
28652 /* --------------------------------------------------------------------- */
28653 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
28654 unsigned int size_vmode;
28655 unsigned int size_remap;
28656 unsigned int size_total;
28657 + void *pmi_code = NULL;
28659 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
28661 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
28662 size_remap = size_total;
28663 vesafb_fix.smem_len = size_remap;
28666 - screen_info.vesapm_seg = 0;
28669 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
28670 printk(KERN_WARNING
28671 "vesafb: cannot reserve video memory at 0x%lx\n",
28672 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
28673 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
28674 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
28678 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28679 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
28681 +#elif !defined(CONFIG_PAX_KERNEXEC)
28686 + screen_info.vesapm_seg = 0;
28688 if (screen_info.vesapm_seg) {
28689 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
28690 - screen_info.vesapm_seg,screen_info.vesapm_off);
28691 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
28692 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
28695 if (screen_info.vesapm_seg < 0xc000)
28696 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
28698 if (ypan || pmi_setpal) {
28699 unsigned short *pmi_base;
28700 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
28701 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
28702 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
28704 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
28706 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28707 + pax_open_kernel();
28708 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
28710 + pmi_code = pmi_base;
28713 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
28714 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
28716 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28717 + pmi_start = ktva_ktla(pmi_start);
28718 + pmi_pal = ktva_ktla(pmi_pal);
28719 + pax_close_kernel();
28722 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
28724 printk(KERN_INFO "vesafb: pmi: ports = ");
28725 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
28726 info->node, info->fix.id);
28730 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28731 + module_free_exec(NULL, pmi_code);
28734 if (info->screen_base)
28735 iounmap(info->screen_base);
28736 framebuffer_release(info);
28737 diff -urNp linux-2.6.35.4/fs/9p/vfs_inode.c linux-2.6.35.4/fs/9p/vfs_inode.c
28738 --- linux-2.6.35.4/fs/9p/vfs_inode.c 2010-08-26 19:47:12.000000000 -0400
28739 +++ linux-2.6.35.4/fs/9p/vfs_inode.c 2010-09-17 20:12:09.000000000 -0400
28740 @@ -1087,7 +1087,7 @@ static void *v9fs_vfs_follow_link(struct
28742 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
28744 - char *s = nd_get_link(nd);
28745 + const char *s = nd_get_link(nd);
28747 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
28748 IS_ERR(s) ? "<error>" : s);
28749 diff -urNp linux-2.6.35.4/fs/aio.c linux-2.6.35.4/fs/aio.c
28750 --- linux-2.6.35.4/fs/aio.c 2010-08-26 19:47:12.000000000 -0400
28751 +++ linux-2.6.35.4/fs/aio.c 2010-09-17 20:12:09.000000000 -0400
28752 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
28753 size += sizeof(struct io_event) * nr_events;
28754 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
28756 - if (nr_pages < 0)
28757 + if (nr_pages <= 0)
28760 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
28761 diff -urNp linux-2.6.35.4/fs/attr.c linux-2.6.35.4/fs/attr.c
28762 --- linux-2.6.35.4/fs/attr.c 2010-08-26 19:47:12.000000000 -0400
28763 +++ linux-2.6.35.4/fs/attr.c 2010-09-17 20:12:37.000000000 -0400
28764 @@ -82,6 +82,7 @@ int inode_newsize_ok(const struct inode
28765 unsigned long limit;
28767 limit = rlimit(RLIMIT_FSIZE);
28768 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
28769 if (limit != RLIM_INFINITY && offset > limit)
28771 if (offset > inode->i_sb->s_maxbytes)
28772 diff -urNp linux-2.6.35.4/fs/autofs/root.c linux-2.6.35.4/fs/autofs/root.c
28773 --- linux-2.6.35.4/fs/autofs/root.c 2010-08-26 19:47:12.000000000 -0400
28774 +++ linux-2.6.35.4/fs/autofs/root.c 2010-09-17 20:12:09.000000000 -0400
28775 @@ -301,7 +301,8 @@ static int autofs_root_symlink(struct in
28776 set_bit(n,sbi->symlink_bitmap);
28777 sl = &sbi->symlink[n];
28778 sl->len = strlen(symname);
28779 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
28780 + slsize = sl->len+1;
28781 + sl->data = kmalloc(slsize, GFP_KERNEL);
28783 clear_bit(n,sbi->symlink_bitmap);
28785 diff -urNp linux-2.6.35.4/fs/autofs4/symlink.c linux-2.6.35.4/fs/autofs4/symlink.c
28786 --- linux-2.6.35.4/fs/autofs4/symlink.c 2010-08-26 19:47:12.000000000 -0400
28787 +++ linux-2.6.35.4/fs/autofs4/symlink.c 2010-09-17 20:12:09.000000000 -0400
28789 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
28791 struct autofs_info *ino = autofs4_dentry_ino(dentry);
28792 - nd_set_link(nd, (char *)ino->u.symlink);
28793 + nd_set_link(nd, ino->u.symlink);
28797 diff -urNp linux-2.6.35.4/fs/befs/linuxvfs.c linux-2.6.35.4/fs/befs/linuxvfs.c
28798 --- linux-2.6.35.4/fs/befs/linuxvfs.c 2010-08-26 19:47:12.000000000 -0400
28799 +++ linux-2.6.35.4/fs/befs/linuxvfs.c 2010-09-17 20:12:09.000000000 -0400
28800 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
28802 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
28803 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
28804 - char *link = nd_get_link(nd);
28805 + const char *link = nd_get_link(nd);
28809 diff -urNp linux-2.6.35.4/fs/binfmt_aout.c linux-2.6.35.4/fs/binfmt_aout.c
28810 --- linux-2.6.35.4/fs/binfmt_aout.c 2010-08-26 19:47:12.000000000 -0400
28811 +++ linux-2.6.35.4/fs/binfmt_aout.c 2010-09-17 20:12:37.000000000 -0400
28813 #include <linux/string.h>
28814 #include <linux/fs.h>
28815 #include <linux/file.h>
28816 +#include <linux/security.h>
28817 #include <linux/stat.h>
28818 #include <linux/fcntl.h>
28819 #include <linux/ptrace.h>
28820 @@ -97,10 +98,12 @@ static int aout_core_dump(struct coredum
28822 /* If the size of the dump file exceeds the rlimit, then see what would happen
28823 if we wrote the stack, but not the data area. */
28824 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
28825 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
28828 /* Make sure we have enough room to write the stack and data areas. */
28829 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
28830 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
28833 @@ -238,6 +241,8 @@ static int load_aout_binary(struct linux
28834 rlim = rlimit(RLIMIT_DATA);
28835 if (rlim >= RLIM_INFINITY)
28838 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
28839 if (ex.a_data + ex.a_bss > rlim)
28842 @@ -266,6 +271,27 @@ static int load_aout_binary(struct linux
28843 install_exec_creds(bprm);
28844 current->flags &= ~PF_FORKNOEXEC;
28846 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
28847 + current->mm->pax_flags = 0UL;
28850 +#ifdef CONFIG_PAX_PAGEEXEC
28851 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
28852 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
28854 +#ifdef CONFIG_PAX_EMUTRAMP
28855 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
28856 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
28859 +#ifdef CONFIG_PAX_MPROTECT
28860 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
28861 + current->mm->pax_flags |= MF_PAX_MPROTECT;
28867 if (N_MAGIC(ex) == OMAGIC) {
28868 unsigned long text_addr, map_size;
28870 @@ -338,7 +364,7 @@ static int load_aout_binary(struct linux
28872 down_write(¤t->mm->mmap_sem);
28873 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
28874 - PROT_READ | PROT_WRITE | PROT_EXEC,
28875 + PROT_READ | PROT_WRITE,
28876 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
28877 fd_offset + ex.a_text);
28878 up_write(¤t->mm->mmap_sem);
28879 diff -urNp linux-2.6.35.4/fs/binfmt_elf.c linux-2.6.35.4/fs/binfmt_elf.c
28880 --- linux-2.6.35.4/fs/binfmt_elf.c 2010-08-26 19:47:12.000000000 -0400
28881 +++ linux-2.6.35.4/fs/binfmt_elf.c 2010-09-17 20:12:37.000000000 -0400
28882 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
28883 #define elf_core_dump NULL
28886 +#ifdef CONFIG_PAX_MPROTECT
28887 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
28890 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
28891 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
28893 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
28894 .load_binary = load_elf_binary,
28895 .load_shlib = load_elf_library,
28896 .core_dump = elf_core_dump,
28898 +#ifdef CONFIG_PAX_MPROTECT
28899 + .handle_mprotect= elf_handle_mprotect,
28902 .min_coredump = ELF_EXEC_PAGESIZE,
28905 @@ -78,6 +87,8 @@ static struct linux_binfmt elf_format =
28907 static int set_brk(unsigned long start, unsigned long end)
28909 + unsigned long e = end;
28911 start = ELF_PAGEALIGN(start);
28912 end = ELF_PAGEALIGN(end);
28914 @@ -88,7 +99,7 @@ static int set_brk(unsigned long start,
28915 if (BAD_ADDR(addr))
28918 - current->mm->start_brk = current->mm->brk = end;
28919 + current->mm->start_brk = current->mm->brk = e;
28923 @@ -149,7 +160,7 @@ create_elf_tables(struct linux_binprm *b
28924 elf_addr_t __user *u_rand_bytes;
28925 const char *k_platform = ELF_PLATFORM;
28926 const char *k_base_platform = ELF_BASE_PLATFORM;
28927 - unsigned char k_rand_bytes[16];
28928 + u32 k_rand_bytes[4];
28930 elf_addr_t *elf_info;
28932 @@ -196,8 +207,12 @@ create_elf_tables(struct linux_binprm *b
28933 * Generate 16 random bytes for userspace PRNG seeding.
28935 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
28936 - u_rand_bytes = (elf_addr_t __user *)
28937 - STACK_ALLOC(p, sizeof(k_rand_bytes));
28938 + srandom32(k_rand_bytes[0] ^ random32());
28939 + srandom32(k_rand_bytes[1] ^ random32());
28940 + srandom32(k_rand_bytes[2] ^ random32());
28941 + srandom32(k_rand_bytes[3] ^ random32());
28942 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
28943 + u_rand_bytes = (elf_addr_t __user *) p;
28944 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
28947 @@ -386,10 +401,10 @@ static unsigned long load_elf_interp(str
28949 struct elf_phdr *elf_phdata;
28950 struct elf_phdr *eppnt;
28951 - unsigned long load_addr = 0;
28952 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
28953 int load_addr_set = 0;
28954 unsigned long last_bss = 0, elf_bss = 0;
28955 - unsigned long error = ~0UL;
28956 + unsigned long error = -EINVAL;
28957 unsigned long total_size;
28958 int retval, i, size;
28960 @@ -435,6 +450,11 @@ static unsigned long load_elf_interp(str
28964 +#ifdef CONFIG_PAX_SEGMEXEC
28965 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
28966 + pax_task_size = SEGMEXEC_TASK_SIZE;
28969 eppnt = elf_phdata;
28970 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
28971 if (eppnt->p_type == PT_LOAD) {
28972 @@ -478,8 +498,8 @@ static unsigned long load_elf_interp(str
28973 k = load_addr + eppnt->p_vaddr;
28975 eppnt->p_filesz > eppnt->p_memsz ||
28976 - eppnt->p_memsz > TASK_SIZE ||
28977 - TASK_SIZE - eppnt->p_memsz < k) {
28978 + eppnt->p_memsz > pax_task_size ||
28979 + pax_task_size - eppnt->p_memsz < k) {
28983 @@ -533,6 +553,177 @@ out:
28987 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
28988 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
28990 + unsigned long pax_flags = 0UL;
28992 +#ifdef CONFIG_PAX_PAGEEXEC
28993 + if (elf_phdata->p_flags & PF_PAGEEXEC)
28994 + pax_flags |= MF_PAX_PAGEEXEC;
28997 +#ifdef CONFIG_PAX_SEGMEXEC
28998 + if (elf_phdata->p_flags & PF_SEGMEXEC)
28999 + pax_flags |= MF_PAX_SEGMEXEC;
29002 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29003 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29004 + if ((__supported_pte_mask & _PAGE_NX))
29005 + pax_flags &= ~MF_PAX_SEGMEXEC;
29007 + pax_flags &= ~MF_PAX_PAGEEXEC;
29011 +#ifdef CONFIG_PAX_EMUTRAMP
29012 + if (elf_phdata->p_flags & PF_EMUTRAMP)
29013 + pax_flags |= MF_PAX_EMUTRAMP;
29016 +#ifdef CONFIG_PAX_MPROTECT
29017 + if (elf_phdata->p_flags & PF_MPROTECT)
29018 + pax_flags |= MF_PAX_MPROTECT;
29021 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29022 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
29023 + pax_flags |= MF_PAX_RANDMMAP;
29026 + return pax_flags;
29030 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29031 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
29033 + unsigned long pax_flags = 0UL;
29035 +#ifdef CONFIG_PAX_PAGEEXEC
29036 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
29037 + pax_flags |= MF_PAX_PAGEEXEC;
29040 +#ifdef CONFIG_PAX_SEGMEXEC
29041 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
29042 + pax_flags |= MF_PAX_SEGMEXEC;
29045 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29046 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29047 + if ((__supported_pte_mask & _PAGE_NX))
29048 + pax_flags &= ~MF_PAX_SEGMEXEC;
29050 + pax_flags &= ~MF_PAX_PAGEEXEC;
29054 +#ifdef CONFIG_PAX_EMUTRAMP
29055 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
29056 + pax_flags |= MF_PAX_EMUTRAMP;
29059 +#ifdef CONFIG_PAX_MPROTECT
29060 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
29061 + pax_flags |= MF_PAX_MPROTECT;
29064 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29065 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
29066 + pax_flags |= MF_PAX_RANDMMAP;
29069 + return pax_flags;
29073 +#ifdef CONFIG_PAX_EI_PAX
29074 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
29076 + unsigned long pax_flags = 0UL;
29078 +#ifdef CONFIG_PAX_PAGEEXEC
29079 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
29080 + pax_flags |= MF_PAX_PAGEEXEC;
29083 +#ifdef CONFIG_PAX_SEGMEXEC
29084 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
29085 + pax_flags |= MF_PAX_SEGMEXEC;
29088 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29089 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29090 + if ((__supported_pte_mask & _PAGE_NX))
29091 + pax_flags &= ~MF_PAX_SEGMEXEC;
29093 + pax_flags &= ~MF_PAX_PAGEEXEC;
29097 +#ifdef CONFIG_PAX_EMUTRAMP
29098 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
29099 + pax_flags |= MF_PAX_EMUTRAMP;
29102 +#ifdef CONFIG_PAX_MPROTECT
29103 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
29104 + pax_flags |= MF_PAX_MPROTECT;
29107 +#ifdef CONFIG_PAX_ASLR
29108 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
29109 + pax_flags |= MF_PAX_RANDMMAP;
29112 + return pax_flags;
29116 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29117 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
29119 + unsigned long pax_flags = 0UL;
29121 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29125 +#ifdef CONFIG_PAX_EI_PAX
29126 + pax_flags = pax_parse_ei_pax(elf_ex);
29129 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29130 + for (i = 0UL; i < elf_ex->e_phnum; i++)
29131 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
29132 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
29133 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
29134 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
29135 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
29136 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
29139 +#ifdef CONFIG_PAX_SOFTMODE
29140 + if (pax_softmode)
29141 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
29145 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
29150 + if (0 > pax_check_flags(&pax_flags))
29153 + current->mm->pax_flags = pax_flags;
29159 * These are the functions used to load ELF style executables and shared
29160 * libraries. There is no binary dependent code anywhere else.
29161 @@ -549,6 +740,11 @@ static unsigned long randomize_stack_top
29163 unsigned int random_variable = 0;
29165 +#ifdef CONFIG_PAX_RANDUSTACK
29166 + if (randomize_va_space)
29167 + return stack_top - current->mm->delta_stack;
29170 if ((current->flags & PF_RANDOMIZE) &&
29171 !(current->personality & ADDR_NO_RANDOMIZE)) {
29172 random_variable = get_random_int() & STACK_RND_MASK;
29173 @@ -567,7 +763,7 @@ static int load_elf_binary(struct linux_
29174 unsigned long load_addr = 0, load_bias = 0;
29175 int load_addr_set = 0;
29176 char * elf_interpreter = NULL;
29177 - unsigned long error;
29178 + unsigned long error = 0;
29179 struct elf_phdr *elf_ppnt, *elf_phdata;
29180 unsigned long elf_bss, elf_brk;
29182 @@ -577,11 +773,11 @@ static int load_elf_binary(struct linux_
29183 unsigned long start_code, end_code, start_data, end_data;
29184 unsigned long reloc_func_desc = 0;
29185 int executable_stack = EXSTACK_DEFAULT;
29186 - unsigned long def_flags = 0;
29188 struct elfhdr elf_ex;
29189 struct elfhdr interp_elf_ex;
29191 + unsigned long pax_task_size = TASK_SIZE;
29193 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
29195 @@ -719,11 +915,80 @@ static int load_elf_binary(struct linux_
29197 /* OK, This is the point of no return */
29198 current->flags &= ~PF_FORKNOEXEC;
29199 - current->mm->def_flags = def_flags;
29201 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29202 + current->mm->pax_flags = 0UL;
29205 +#ifdef CONFIG_PAX_DLRESOLVE
29206 + current->mm->call_dl_resolve = 0UL;
29209 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29210 + current->mm->call_syscall = 0UL;
29213 +#ifdef CONFIG_PAX_ASLR
29214 + current->mm->delta_mmap = 0UL;
29215 + current->mm->delta_stack = 0UL;
29218 + current->mm->def_flags = 0;
29220 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29221 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
29222 + send_sig(SIGKILL, current, 0);
29223 + goto out_free_dentry;
29227 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29228 + pax_set_initial_flags(bprm);
29229 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29230 + if (pax_set_initial_flags_func)
29231 + (pax_set_initial_flags_func)(bprm);
29234 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
29235 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
29236 + current->mm->context.user_cs_limit = PAGE_SIZE;
29237 + current->mm->def_flags |= VM_PAGEEXEC;
29241 +#ifdef CONFIG_PAX_SEGMEXEC
29242 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
29243 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
29244 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
29245 + pax_task_size = SEGMEXEC_TASK_SIZE;
29249 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
29250 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29251 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
29256 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
29257 may depend on the personality. */
29258 SET_PERSONALITY(loc->elf_ex);
29260 +#ifdef CONFIG_PAX_ASLR
29261 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
29262 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
29263 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
29267 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29268 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29269 + executable_stack = EXSTACK_DISABLE_X;
29270 + current->personality &= ~READ_IMPLIES_EXEC;
29274 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
29275 current->personality |= READ_IMPLIES_EXEC;
29277 @@ -805,6 +1070,20 @@ static int load_elf_binary(struct linux_
29279 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
29282 +#ifdef CONFIG_PAX_RANDMMAP
29283 + /* PaX: randomize base address at the default exe base if requested */
29284 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
29285 +#ifdef CONFIG_SPARC64
29286 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
29288 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
29290 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
29291 + elf_flags |= MAP_FIXED;
29297 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
29298 @@ -837,9 +1116,9 @@ static int load_elf_binary(struct linux_
29299 * allowed task size. Note that p_filesz must always be
29300 * <= p_memsz so it is only necessary to check p_memsz.
29302 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29303 - elf_ppnt->p_memsz > TASK_SIZE ||
29304 - TASK_SIZE - elf_ppnt->p_memsz < k) {
29305 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29306 + elf_ppnt->p_memsz > pax_task_size ||
29307 + pax_task_size - elf_ppnt->p_memsz < k) {
29308 /* set_brk can never work. Avoid overflows. */
29309 send_sig(SIGKILL, current, 0);
29311 @@ -867,6 +1146,11 @@ static int load_elf_binary(struct linux_
29312 start_data += load_bias;
29313 end_data += load_bias;
29315 +#ifdef CONFIG_PAX_RANDMMAP
29316 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29317 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
29320 /* Calling set_brk effectively mmaps the pages that we need
29321 * for the bss and break sections. We must do this before
29322 * mapping in the interpreter, to make sure it doesn't wind
29323 @@ -878,9 +1162,11 @@ static int load_elf_binary(struct linux_
29324 goto out_free_dentry;
29326 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
29327 - send_sig(SIGSEGV, current, 0);
29328 - retval = -EFAULT; /* Nobody gets to see this, but.. */
29329 - goto out_free_dentry;
29331 + * This bss-zeroing can fail if the ELF
29332 + * file specifies odd protections. So
29333 + * we don't check the return value
29337 if (elf_interpreter) {
29338 @@ -1091,7 +1377,7 @@ out:
29339 * Decide what to dump of a segment, part, all or none.
29341 static unsigned long vma_dump_size(struct vm_area_struct *vma,
29342 - unsigned long mm_flags)
29343 + unsigned long mm_flags, long signr)
29345 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
29347 @@ -1125,7 +1411,7 @@ static unsigned long vma_dump_size(struc
29348 if (vma->vm_file == NULL)
29351 - if (FILTER(MAPPED_PRIVATE))
29352 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
29356 @@ -1347,9 +1633,9 @@ static void fill_auxv_note(struct memelf
29358 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
29363 - while (auxv[i - 2] != AT_NULL);
29364 + } while (auxv[i - 2] != AT_NULL);
29365 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
29368 @@ -1855,14 +2141,14 @@ static void fill_extnum_info(struct elfh
29371 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
29372 - unsigned long mm_flags)
29373 + struct coredump_params *cprm)
29375 struct vm_area_struct *vma;
29378 for (vma = first_vma(current, gate_vma); vma != NULL;
29379 vma = next_vma(vma, gate_vma))
29380 - size += vma_dump_size(vma, mm_flags);
29381 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29385 @@ -1956,7 +2242,7 @@ static int elf_core_dump(struct coredump
29387 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
29389 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
29390 + offset += elf_core_vma_data_size(gate_vma, cprm);
29391 offset += elf_core_extra_data_size();
29394 @@ -1970,10 +2256,12 @@ static int elf_core_dump(struct coredump
29397 size += sizeof(*elf);
29398 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29399 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
29402 size += sizeof(*phdr4note);
29403 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29404 if (size > cprm->limit
29405 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
29407 @@ -1987,7 +2275,7 @@ static int elf_core_dump(struct coredump
29408 phdr.p_offset = offset;
29409 phdr.p_vaddr = vma->vm_start;
29411 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
29412 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29413 phdr.p_memsz = vma->vm_end - vma->vm_start;
29414 offset += phdr.p_filesz;
29415 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
29416 @@ -1998,6 +2286,7 @@ static int elf_core_dump(struct coredump
29417 phdr.p_align = ELF_EXEC_PAGESIZE;
29419 size += sizeof(phdr);
29420 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29421 if (size > cprm->limit
29422 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
29424 @@ -2022,7 +2311,7 @@ static int elf_core_dump(struct coredump
29425 unsigned long addr;
29428 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
29429 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29431 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
29433 @@ -2031,6 +2320,7 @@ static int elf_core_dump(struct coredump
29434 page = get_dump_page(addr);
29436 void *kaddr = kmap(page);
29437 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
29438 stop = ((size += PAGE_SIZE) > cprm->limit) ||
29439 !dump_write(cprm->file, kaddr,
29441 @@ -2048,6 +2338,7 @@ static int elf_core_dump(struct coredump
29443 if (e_phnum == PN_XNUM) {
29444 size += sizeof(*shdr4extnum);
29445 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29446 if (size > cprm->limit
29447 || !dump_write(cprm->file, shdr4extnum,
29448 sizeof(*shdr4extnum)))
29449 @@ -2068,6 +2359,97 @@ out:
29451 #endif /* CONFIG_ELF_CORE */
29453 +#ifdef CONFIG_PAX_MPROTECT
29454 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
29455 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
29456 + * we'll remove VM_MAYWRITE for good on RELRO segments.
29458 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
29459 + * basis because we want to allow the common case and not the special ones.
29461 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
29463 + struct elfhdr elf_h;
29464 + struct elf_phdr elf_p;
29466 + unsigned long oldflags;
29467 + bool is_textrel_rw, is_textrel_rx, is_relro;
29469 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
29472 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
29473 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
29475 +#ifdef CONFIG_PAX_ELFRELOCS
29476 + /* possible TEXTREL */
29477 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
29478 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
29480 + is_textrel_rw = false;
29481 + is_textrel_rx = false;
29484 + /* possible RELRO */
29485 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
29487 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
29490 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
29491 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
29493 +#ifdef CONFIG_PAX_ETEXECRELOCS
29494 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29496 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
29499 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29500 + !elf_check_arch(&elf_h) ||
29501 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
29502 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
29505 + for (i = 0UL; i < elf_h.e_phnum; i++) {
29506 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
29508 + switch (elf_p.p_type) {
29510 + if (!is_textrel_rw && !is_textrel_rx)
29513 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
29516 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
29518 + if (dyn.d_tag == DT_NULL)
29520 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
29521 + gr_log_textrel(vma);
29522 + if (is_textrel_rw)
29523 + vma->vm_flags |= VM_MAYWRITE;
29525 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
29526 + vma->vm_flags &= ~VM_MAYWRITE;
29533 + case PT_GNU_RELRO:
29536 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
29537 + vma->vm_flags &= ~VM_MAYWRITE;
29544 static int __init init_elf_binfmt(void)
29546 return register_binfmt(&elf_format);
29547 diff -urNp linux-2.6.35.4/fs/binfmt_flat.c linux-2.6.35.4/fs/binfmt_flat.c
29548 --- linux-2.6.35.4/fs/binfmt_flat.c 2010-08-26 19:47:12.000000000 -0400
29549 +++ linux-2.6.35.4/fs/binfmt_flat.c 2010-09-17 20:12:09.000000000 -0400
29550 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
29551 realdatastart = (unsigned long) -ENOMEM;
29552 printk("Unable to allocate RAM for process data, errno %d\n",
29553 (int)-realdatastart);
29554 + down_write(¤t->mm->mmap_sem);
29555 do_munmap(current->mm, textpos, text_len);
29556 + up_write(¤t->mm->mmap_sem);
29557 ret = realdatastart;
29560 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
29562 if (IS_ERR_VALUE(result)) {
29563 printk("Unable to read data+bss, errno %d\n", (int)-result);
29564 + down_write(¤t->mm->mmap_sem);
29565 do_munmap(current->mm, textpos, text_len);
29566 do_munmap(current->mm, realdatastart, len);
29567 + up_write(¤t->mm->mmap_sem);
29571 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
29573 if (IS_ERR_VALUE(result)) {
29574 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
29575 + down_write(¤t->mm->mmap_sem);
29576 do_munmap(current->mm, textpos, text_len + data_len + extra +
29577 MAX_SHARED_LIBS * sizeof(unsigned long));
29578 + up_write(¤t->mm->mmap_sem);
29582 diff -urNp linux-2.6.35.4/fs/binfmt_misc.c linux-2.6.35.4/fs/binfmt_misc.c
29583 --- linux-2.6.35.4/fs/binfmt_misc.c 2010-08-26 19:47:12.000000000 -0400
29584 +++ linux-2.6.35.4/fs/binfmt_misc.c 2010-09-17 20:12:09.000000000 -0400
29585 @@ -693,7 +693,7 @@ static int bm_fill_super(struct super_bl
29586 static struct tree_descr bm_files[] = {
29587 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
29588 [3] = {"register", &bm_register_operations, S_IWUSR},
29589 - /* last one */ {""}
29590 + /* last one */ {"", NULL, 0}
29592 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
29594 diff -urNp linux-2.6.35.4/fs/bio.c linux-2.6.35.4/fs/bio.c
29595 --- linux-2.6.35.4/fs/bio.c 2010-08-26 19:47:12.000000000 -0400
29596 +++ linux-2.6.35.4/fs/bio.c 2010-09-17 20:12:09.000000000 -0400
29597 @@ -1213,7 +1213,7 @@ static void bio_copy_kern_endio(struct b
29598 const int read = bio_data_dir(bio) == READ;
29599 struct bio_map_data *bmd = bio->bi_private;
29601 - char *p = bmd->sgvecs[0].iov_base;
29602 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
29604 __bio_for_each_segment(bvec, bio, i, 0) {
29605 char *addr = page_address(bvec->bv_page);
29606 diff -urNp linux-2.6.35.4/fs/block_dev.c linux-2.6.35.4/fs/block_dev.c
29607 --- linux-2.6.35.4/fs/block_dev.c 2010-08-26 19:47:12.000000000 -0400
29608 +++ linux-2.6.35.4/fs/block_dev.c 2010-09-17 20:12:09.000000000 -0400
29609 @@ -647,7 +647,7 @@ static bool bd_may_claim(struct block_de
29610 else if (bdev->bd_contains == bdev)
29611 return true; /* is a whole device which isn't held */
29613 - else if (whole->bd_holder == bd_claim)
29614 + else if (whole->bd_holder == (void *)bd_claim)
29615 return true; /* is a partition of a device that is being partitioned */
29616 else if (whole->bd_holder != NULL)
29617 return false; /* is a partition of a held device */
29618 diff -urNp linux-2.6.35.4/fs/btrfs/ctree.c linux-2.6.35.4/fs/btrfs/ctree.c
29619 --- linux-2.6.35.4/fs/btrfs/ctree.c 2010-08-26 19:47:12.000000000 -0400
29620 +++ linux-2.6.35.4/fs/btrfs/ctree.c 2010-09-17 20:12:09.000000000 -0400
29621 @@ -3763,7 +3763,6 @@ setup_items_for_insert(struct btrfs_tran
29625 - struct btrfs_disk_key disk_key;
29626 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
29627 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
29629 diff -urNp linux-2.6.35.4/fs/btrfs/disk-io.c linux-2.6.35.4/fs/btrfs/disk-io.c
29630 --- linux-2.6.35.4/fs/btrfs/disk-io.c 2010-08-26 19:47:12.000000000 -0400
29631 +++ linux-2.6.35.4/fs/btrfs/disk-io.c 2010-09-17 20:12:09.000000000 -0400
29633 #include "tree-log.h"
29634 #include "free-space-cache.h"
29636 -static struct extent_io_ops btree_extent_io_ops;
29637 +static const struct extent_io_ops btree_extent_io_ops;
29638 static void end_workqueue_fn(struct btrfs_work *work);
29639 static void free_fs_root(struct btrfs_root *root);
29641 @@ -2597,7 +2597,7 @@ out:
29645 -static struct extent_io_ops btree_extent_io_ops = {
29646 +static const struct extent_io_ops btree_extent_io_ops = {
29647 .write_cache_pages_lock_hook = btree_lock_page_hook,
29648 .readpage_end_io_hook = btree_readpage_end_io_hook,
29649 .submit_bio_hook = btree_submit_bio_hook,
29650 diff -urNp linux-2.6.35.4/fs/btrfs/extent_io.h linux-2.6.35.4/fs/btrfs/extent_io.h
29651 --- linux-2.6.35.4/fs/btrfs/extent_io.h 2010-08-26 19:47:12.000000000 -0400
29652 +++ linux-2.6.35.4/fs/btrfs/extent_io.h 2010-09-17 20:12:09.000000000 -0400
29653 @@ -51,36 +51,36 @@ typedef int (extent_submit_bio_hook_t)(s
29654 struct bio *bio, int mirror_num,
29655 unsigned long bio_flags, u64 bio_offset);
29656 struct extent_io_ops {
29657 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
29658 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
29659 u64 start, u64 end, int *page_started,
29660 unsigned long *nr_written);
29661 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
29662 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
29663 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
29664 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
29665 extent_submit_bio_hook_t *submit_bio_hook;
29666 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
29667 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
29668 size_t size, struct bio *bio,
29669 unsigned long bio_flags);
29670 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
29671 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
29672 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
29673 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
29674 u64 start, u64 end,
29675 struct extent_state *state);
29676 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
29677 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
29678 u64 start, u64 end,
29679 struct extent_state *state);
29680 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
29681 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
29682 struct extent_state *state);
29683 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
29684 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
29685 struct extent_state *state, int uptodate);
29686 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
29687 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
29689 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
29690 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
29692 - int (*merge_extent_hook)(struct inode *inode,
29693 + int (* const merge_extent_hook)(struct inode *inode,
29694 struct extent_state *new,
29695 struct extent_state *other);
29696 - int (*split_extent_hook)(struct inode *inode,
29697 + int (* const split_extent_hook)(struct inode *inode,
29698 struct extent_state *orig, u64 split);
29699 - int (*write_cache_pages_lock_hook)(struct page *page);
29700 + int (* const write_cache_pages_lock_hook)(struct page *page);
29703 struct extent_io_tree {
29704 @@ -90,7 +90,7 @@ struct extent_io_tree {
29707 spinlock_t buffer_lock;
29708 - struct extent_io_ops *ops;
29709 + const struct extent_io_ops *ops;
29712 struct extent_state {
29713 diff -urNp linux-2.6.35.4/fs/btrfs/free-space-cache.c linux-2.6.35.4/fs/btrfs/free-space-cache.c
29714 --- linux-2.6.35.4/fs/btrfs/free-space-cache.c 2010-08-26 19:47:12.000000000 -0400
29715 +++ linux-2.6.35.4/fs/btrfs/free-space-cache.c 2010-09-17 20:12:09.000000000 -0400
29716 @@ -1075,8 +1075,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
29719 if (entry->bytes < bytes || entry->offset < min_start) {
29720 - struct rb_node *node;
29722 node = rb_next(&entry->offset_index);
29725 @@ -1227,7 +1225,7 @@ again:
29727 while (entry->bitmap || found_bitmap ||
29728 (!entry->bitmap && entry->bytes < min_bytes)) {
29729 - struct rb_node *node = rb_next(&entry->offset_index);
29730 + node = rb_next(&entry->offset_index);
29732 if (entry->bitmap && entry->bytes > bytes + empty_size) {
29733 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
29734 diff -urNp linux-2.6.35.4/fs/btrfs/inode.c linux-2.6.35.4/fs/btrfs/inode.c
29735 --- linux-2.6.35.4/fs/btrfs/inode.c 2010-08-26 19:47:12.000000000 -0400
29736 +++ linux-2.6.35.4/fs/btrfs/inode.c 2010-09-17 20:12:09.000000000 -0400
29737 @@ -64,7 +64,7 @@ static const struct inode_operations btr
29738 static const struct address_space_operations btrfs_aops;
29739 static const struct address_space_operations btrfs_symlink_aops;
29740 static const struct file_operations btrfs_dir_file_operations;
29741 -static struct extent_io_ops btrfs_extent_io_ops;
29742 +static const struct extent_io_ops btrfs_extent_io_ops;
29744 static struct kmem_cache *btrfs_inode_cachep;
29745 struct kmem_cache *btrfs_trans_handle_cachep;
29746 @@ -6958,7 +6958,7 @@ static const struct file_operations btrf
29747 .fsync = btrfs_sync_file,
29750 -static struct extent_io_ops btrfs_extent_io_ops = {
29751 +static const struct extent_io_ops btrfs_extent_io_ops = {
29752 .fill_delalloc = run_delalloc_range,
29753 .submit_bio_hook = btrfs_submit_bio_hook,
29754 .merge_bio_hook = btrfs_merge_bio_hook,
29755 diff -urNp linux-2.6.35.4/fs/buffer.c linux-2.6.35.4/fs/buffer.c
29756 --- linux-2.6.35.4/fs/buffer.c 2010-08-26 19:47:12.000000000 -0400
29757 +++ linux-2.6.35.4/fs/buffer.c 2010-09-17 20:12:37.000000000 -0400
29759 #include <linux/percpu.h>
29760 #include <linux/slab.h>
29761 #include <linux/capability.h>
29762 +#include <linux/security.h>
29763 #include <linux/blkdev.h>
29764 #include <linux/file.h>
29765 #include <linux/quotaops.h>
29766 diff -urNp linux-2.6.35.4/fs/cachefiles/bind.c linux-2.6.35.4/fs/cachefiles/bind.c
29767 --- linux-2.6.35.4/fs/cachefiles/bind.c 2010-08-26 19:47:12.000000000 -0400
29768 +++ linux-2.6.35.4/fs/cachefiles/bind.c 2010-09-17 20:12:09.000000000 -0400
29769 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
29772 /* start by checking things over */
29773 - ASSERT(cache->fstop_percent >= 0 &&
29774 - cache->fstop_percent < cache->fcull_percent &&
29775 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
29776 cache->fcull_percent < cache->frun_percent &&
29777 cache->frun_percent < 100);
29779 - ASSERT(cache->bstop_percent >= 0 &&
29780 - cache->bstop_percent < cache->bcull_percent &&
29781 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
29782 cache->bcull_percent < cache->brun_percent &&
29783 cache->brun_percent < 100);
29785 diff -urNp linux-2.6.35.4/fs/cachefiles/daemon.c linux-2.6.35.4/fs/cachefiles/daemon.c
29786 --- linux-2.6.35.4/fs/cachefiles/daemon.c 2010-08-26 19:47:12.000000000 -0400
29787 +++ linux-2.6.35.4/fs/cachefiles/daemon.c 2010-09-17 20:12:09.000000000 -0400
29788 @@ -195,7 +195,7 @@ static ssize_t cachefiles_daemon_read(st
29792 - if (copy_to_user(_buffer, buffer, n) != 0)
29793 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
29797 @@ -221,7 +221,7 @@ static ssize_t cachefiles_daemon_write(s
29798 if (test_bit(CACHEFILES_DEAD, &cache->flags))
29801 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
29802 + if (datalen > PAGE_SIZE - 1)
29803 return -EOPNOTSUPP;
29805 /* drag the command string into the kernel so we can parse it */
29806 @@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
29807 if (args[0] != '%' || args[1] != '\0')
29810 - if (fstop < 0 || fstop >= cache->fcull_percent)
29811 + if (fstop >= cache->fcull_percent)
29812 return cachefiles_daemon_range_error(cache, args);
29814 cache->fstop_percent = fstop;
29815 @@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
29816 if (args[0] != '%' || args[1] != '\0')
29819 - if (bstop < 0 || bstop >= cache->bcull_percent)
29820 + if (bstop >= cache->bcull_percent)
29821 return cachefiles_daemon_range_error(cache, args);
29823 cache->bstop_percent = bstop;
29824 diff -urNp linux-2.6.35.4/fs/cachefiles/rdwr.c linux-2.6.35.4/fs/cachefiles/rdwr.c
29825 --- linux-2.6.35.4/fs/cachefiles/rdwr.c 2010-08-26 19:47:12.000000000 -0400
29826 +++ linux-2.6.35.4/fs/cachefiles/rdwr.c 2010-09-17 20:12:09.000000000 -0400
29827 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
29830 ret = file->f_op->write(
29831 - file, (const void __user *) data, len, &pos);
29832 + file, (__force const void __user *) data, len, &pos);
29836 diff -urNp linux-2.6.35.4/fs/cifs/cifs_uniupr.h linux-2.6.35.4/fs/cifs/cifs_uniupr.h
29837 --- linux-2.6.35.4/fs/cifs/cifs_uniupr.h 2010-08-26 19:47:12.000000000 -0400
29838 +++ linux-2.6.35.4/fs/cifs/cifs_uniupr.h 2010-09-17 20:12:09.000000000 -0400
29839 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
29840 {0x0490, 0x04cc, UniCaseRangeU0490},
29841 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
29842 {0xff40, 0xff5a, UniCaseRangeUff40},
29848 diff -urNp linux-2.6.35.4/fs/cifs/link.c linux-2.6.35.4/fs/cifs/link.c
29849 --- linux-2.6.35.4/fs/cifs/link.c 2010-08-26 19:47:12.000000000 -0400
29850 +++ linux-2.6.35.4/fs/cifs/link.c 2010-09-17 20:12:09.000000000 -0400
29851 @@ -216,7 +216,7 @@ cifs_symlink(struct inode *inode, struct
29853 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
29855 - char *p = nd_get_link(nd);
29856 + const char *p = nd_get_link(nd);
29860 diff -urNp linux-2.6.35.4/fs/compat_binfmt_elf.c linux-2.6.35.4/fs/compat_binfmt_elf.c
29861 --- linux-2.6.35.4/fs/compat_binfmt_elf.c 2010-08-26 19:47:12.000000000 -0400
29862 +++ linux-2.6.35.4/fs/compat_binfmt_elf.c 2010-09-17 20:12:09.000000000 -0400
29863 @@ -30,11 +30,13 @@
29869 #define elfhdr elf32_hdr
29870 #define elf_phdr elf32_phdr
29871 #define elf_shdr elf32_shdr
29872 #define elf_note elf32_note
29873 +#define elf_dyn Elf32_Dyn
29874 #define elf_addr_t Elf32_Addr
29877 diff -urNp linux-2.6.35.4/fs/compat.c linux-2.6.35.4/fs/compat.c
29878 --- linux-2.6.35.4/fs/compat.c 2010-08-26 19:47:12.000000000 -0400
29879 +++ linux-2.6.35.4/fs/compat.c 2010-09-17 20:12:37.000000000 -0400
29880 @@ -1433,14 +1433,12 @@ static int compat_copy_strings(int argc,
29881 if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
29884 -#ifdef CONFIG_STACK_GROWSUP
29885 ret = expand_stack_downwards(bprm->vma, pos);
29887 /* We've exceed the stack rlimit. */
29892 ret = get_user_pages(current, bprm->mm, pos,
29893 1, 1, 1, &page, NULL);
29895 @@ -1486,6 +1484,11 @@ int compat_do_execve(char * filename,
29896 compat_uptr_t __user *envp,
29897 struct pt_regs * regs)
29899 +#ifdef CONFIG_GRKERNSEC
29900 + struct file *old_exec_file;
29901 + struct acl_subject_label *old_acl;
29902 + struct rlimit old_rlim[RLIM_NLIMITS];
29904 struct linux_binprm *bprm;
29906 struct files_struct *displaced;
29907 @@ -1522,6 +1525,14 @@ int compat_do_execve(char * filename,
29908 bprm->filename = filename;
29909 bprm->interp = filename;
29911 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
29912 + retval = -EAGAIN;
29913 + if (gr_handle_nproc())
29915 + retval = -EACCES;
29916 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
29919 retval = bprm_mm_init(bprm);
29922 @@ -1551,9 +1562,40 @@ int compat_do_execve(char * filename,
29926 + if (!gr_tpe_allow(file)) {
29927 + retval = -EACCES;
29931 + if (gr_check_crash_exec(file)) {
29932 + retval = -EACCES;
29936 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
29938 + gr_handle_exec_args(bprm, (char __user * __user *)argv);
29940 +#ifdef CONFIG_GRKERNSEC
29941 + old_acl = current->acl;
29942 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
29943 + old_exec_file = current->exec_file;
29945 + current->exec_file = file;
29948 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
29949 + bprm->unsafe & LSM_UNSAFE_SHARE);
29953 retval = search_binary_handler(bprm, regs);
29957 +#ifdef CONFIG_GRKERNSEC
29958 + if (old_exec_file)
29959 + fput(old_exec_file);
29962 /* execve succeeded */
29963 current->fs->in_exec = 0;
29964 @@ -1564,6 +1606,14 @@ int compat_do_execve(char * filename,
29965 put_files_struct(displaced);
29969 +#ifdef CONFIG_GRKERNSEC
29970 + current->acl = old_acl;
29971 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
29972 + fput(current->exec_file);
29973 + current->exec_file = old_exec_file;
29979 diff -urNp linux-2.6.35.4/fs/debugfs/inode.c linux-2.6.35.4/fs/debugfs/inode.c
29980 --- linux-2.6.35.4/fs/debugfs/inode.c 2010-08-26 19:47:12.000000000 -0400
29981 +++ linux-2.6.35.4/fs/debugfs/inode.c 2010-09-17 20:12:09.000000000 -0400
29982 @@ -129,7 +129,7 @@ static inline int debugfs_positive(struc
29984 static int debug_fill_super(struct super_block *sb, void *data, int silent)
29986 - static struct tree_descr debug_files[] = {{""}};
29987 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
29989 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
29991 diff -urNp linux-2.6.35.4/fs/dlm/lockspace.c linux-2.6.35.4/fs/dlm/lockspace.c
29992 --- linux-2.6.35.4/fs/dlm/lockspace.c 2010-08-26 19:47:12.000000000 -0400
29993 +++ linux-2.6.35.4/fs/dlm/lockspace.c 2010-09-17 20:12:09.000000000 -0400
29994 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
29998 -static struct kset_uevent_ops dlm_uevent_ops = {
29999 +static const struct kset_uevent_ops dlm_uevent_ops = {
30000 .uevent = dlm_uevent,
30003 diff -urNp linux-2.6.35.4/fs/ecryptfs/inode.c linux-2.6.35.4/fs/ecryptfs/inode.c
30004 --- linux-2.6.35.4/fs/ecryptfs/inode.c 2010-08-26 19:47:12.000000000 -0400
30005 +++ linux-2.6.35.4/fs/ecryptfs/inode.c 2010-09-17 20:12:09.000000000 -0400
30006 @@ -658,7 +658,7 @@ static int ecryptfs_readlink_lower(struc
30009 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
30010 - (char __user *)lower_buf,
30011 + (__force char __user *)lower_buf,
30015 @@ -704,7 +704,7 @@ static void *ecryptfs_follow_link(struct
30019 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
30020 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
30024 @@ -719,7 +719,7 @@ out:
30026 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
30028 - char *buf = nd_get_link(nd);
30029 + const char *buf = nd_get_link(nd);
30030 if (!IS_ERR(buf)) {
30031 /* Free the char* */
30033 diff -urNp linux-2.6.35.4/fs/ecryptfs/miscdev.c linux-2.6.35.4/fs/ecryptfs/miscdev.c
30034 --- linux-2.6.35.4/fs/ecryptfs/miscdev.c 2010-08-26 19:47:12.000000000 -0400
30035 +++ linux-2.6.35.4/fs/ecryptfs/miscdev.c 2010-09-17 20:12:09.000000000 -0400
30036 @@ -328,7 +328,7 @@ check_list:
30037 goto out_unlock_msg_ctx;
30039 if (msg_ctx->msg) {
30040 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
30041 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
30042 goto out_unlock_msg_ctx;
30043 i += packet_length_size;
30044 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
30045 diff -urNp linux-2.6.35.4/fs/exec.c linux-2.6.35.4/fs/exec.c
30046 --- linux-2.6.35.4/fs/exec.c 2010-08-26 19:47:12.000000000 -0400
30047 +++ linux-2.6.35.4/fs/exec.c 2010-09-17 20:12:37.000000000 -0400
30048 @@ -55,12 +55,24 @@
30049 #include <linux/fsnotify.h>
30050 #include <linux/fs_struct.h>
30051 #include <linux/pipe_fs_i.h>
30052 +#include <linux/random.h>
30053 +#include <linux/seq_file.h>
30055 +#ifdef CONFIG_PAX_REFCOUNT
30056 +#include <linux/kallsyms.h>
30057 +#include <linux/kdebug.h>
30060 #include <asm/uaccess.h>
30061 #include <asm/mmu_context.h>
30062 #include <asm/tlb.h>
30063 #include "internal.h"
30065 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
30066 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
30067 +EXPORT_SYMBOL(pax_set_initial_flags_func);
30071 char core_pattern[CORENAME_MAX_SIZE] = "core";
30072 unsigned int core_pipe_limit;
30073 @@ -114,7 +126,7 @@ SYSCALL_DEFINE1(uselib, const char __use
30076 file = do_filp_open(AT_FDCWD, tmp,
30077 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30078 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30079 MAY_READ | MAY_EXEC | MAY_OPEN);
30081 error = PTR_ERR(file);
30082 @@ -162,18 +174,10 @@ static struct page *get_arg_page(struct
30088 -#ifdef CONFIG_STACK_GROWSUP
30090 - ret = expand_stack_downwards(bprm->vma, pos);
30095 - ret = get_user_pages(current, bprm->mm, pos,
30096 - 1, write, 1, &page, NULL);
30098 + if (0 > expand_stack_downwards(bprm->vma, pos))
30100 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
30104 @@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b
30105 vma->vm_end = STACK_TOP_MAX;
30106 vma->vm_start = vma->vm_end - PAGE_SIZE;
30107 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
30109 +#ifdef CONFIG_PAX_SEGMEXEC
30110 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
30113 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
30114 INIT_LIST_HEAD(&vma->anon_vma_chain);
30115 err = insert_vm_struct(mm, vma);
30116 @@ -255,6 +264,12 @@ static int __bprm_mm_init(struct linux_b
30117 mm->stack_vm = mm->total_vm = 1;
30118 up_write(&mm->mmap_sem);
30119 bprm->p = vma->vm_end - sizeof(void *);
30121 +#ifdef CONFIG_PAX_RANDUSTACK
30122 + if (randomize_va_space)
30123 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
30128 up_write(&mm->mmap_sem);
30129 @@ -476,7 +491,7 @@ int copy_strings_kernel(int argc,char **
30131 mm_segment_t oldfs = get_fs();
30133 - r = copy_strings(argc, (char __user * __user *)argv, bprm);
30134 + r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
30138 @@ -506,7 +521,8 @@ static int shift_arg_pages(struct vm_are
30139 unsigned long new_end = old_end - shift;
30140 struct mmu_gather *tlb;
30142 - BUG_ON(new_start > new_end);
30143 + if (new_start >= new_end || new_start < mmap_min_addr)
30147 * ensure there are no vmas between where we want to go
30148 @@ -515,6 +531,10 @@ static int shift_arg_pages(struct vm_are
30149 if (vma != find_vma(mm, new_start))
30152 +#ifdef CONFIG_PAX_SEGMEXEC
30153 + BUG_ON(pax_find_mirror_vma(vma));
30157 * cover the whole range: [new_start, old_end)
30159 @@ -605,8 +625,28 @@ int setup_arg_pages(struct linux_binprm
30160 bprm->exec -= stack_shift;
30162 down_write(&mm->mmap_sem);
30164 + /* Move stack pages down in memory. */
30165 + if (stack_shift) {
30166 + ret = shift_arg_pages(vma, stack_shift);
30171 vm_flags = VM_STACK_FLAGS;
30173 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30174 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30175 + vm_flags &= ~VM_EXEC;
30177 +#ifdef CONFIG_PAX_MPROTECT
30178 + if (mm->pax_flags & MF_PAX_MPROTECT)
30179 + vm_flags &= ~VM_MAYEXEC;
30186 * Adjust stack execute permissions; explicitly enable for
30187 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
30188 @@ -625,13 +665,6 @@ int setup_arg_pages(struct linux_binprm
30190 BUG_ON(prev != vma);
30192 - /* Move stack pages down in memory. */
30193 - if (stack_shift) {
30194 - ret = shift_arg_pages(vma, stack_shift);
30199 /* mprotect_fixup is overkill to remove the temporary stack flags */
30200 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
30202 @@ -671,7 +704,7 @@ struct file *open_exec(const char *name)
30205 file = do_filp_open(AT_FDCWD, name,
30206 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30207 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30208 MAY_EXEC | MAY_OPEN);
30211 @@ -708,7 +741,7 @@ int kernel_read(struct file *file, loff_
30214 /* The cast to a user pointer is valid due to the set_fs() */
30215 - result = vfs_read(file, (void __user *)addr, count, &pos);
30216 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
30220 @@ -1125,7 +1158,7 @@ int check_unsafe_exec(struct linux_binpr
30224 - if (p->fs->users > n_fs) {
30225 + if (atomic_read(&p->fs->users) > n_fs) {
30226 bprm->unsafe |= LSM_UNSAFE_SHARE;
30229 @@ -1321,6 +1354,11 @@ int do_execve(char * filename,
30230 char __user *__user *envp,
30231 struct pt_regs * regs)
30233 +#ifdef CONFIG_GRKERNSEC
30234 + struct file *old_exec_file;
30235 + struct acl_subject_label *old_acl;
30236 + struct rlimit old_rlim[RLIM_NLIMITS];
30238 struct linux_binprm *bprm;
30240 struct files_struct *displaced;
30241 @@ -1357,6 +1395,18 @@ int do_execve(char * filename,
30242 bprm->filename = filename;
30243 bprm->interp = filename;
30245 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30247 + if (gr_handle_nproc()) {
30248 + retval = -EAGAIN;
30252 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
30253 + retval = -EACCES;
30257 retval = bprm_mm_init(bprm);
30260 @@ -1386,10 +1436,41 @@ int do_execve(char * filename,
30264 + if (!gr_tpe_allow(file)) {
30265 + retval = -EACCES;
30269 + if (gr_check_crash_exec(file)) {
30270 + retval = -EACCES;
30274 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30276 + gr_handle_exec_args(bprm, argv);
30278 +#ifdef CONFIG_GRKERNSEC
30279 + old_acl = current->acl;
30280 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30281 + old_exec_file = current->exec_file;
30283 + current->exec_file = file;
30286 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30287 + bprm->unsafe & LSM_UNSAFE_SHARE);
30291 current->flags &= ~PF_KTHREAD;
30292 retval = search_binary_handler(bprm,regs);
30296 +#ifdef CONFIG_GRKERNSEC
30297 + if (old_exec_file)
30298 + fput(old_exec_file);
30301 /* execve succeeded */
30302 current->fs->in_exec = 0;
30303 @@ -1400,6 +1481,14 @@ int do_execve(char * filename,
30304 put_files_struct(displaced);
30308 +#ifdef CONFIG_GRKERNSEC
30309 + current->acl = old_acl;
30310 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30311 + fput(current->exec_file);
30312 + current->exec_file = old_exec_file;
30318 @@ -1563,6 +1652,225 @@ out:
30322 +int pax_check_flags(unsigned long *flags)
30326 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
30327 + if (*flags & MF_PAX_SEGMEXEC)
30329 + *flags &= ~MF_PAX_SEGMEXEC;
30330 + retval = -EINVAL;
30334 + if ((*flags & MF_PAX_PAGEEXEC)
30336 +#ifdef CONFIG_PAX_PAGEEXEC
30337 + && (*flags & MF_PAX_SEGMEXEC)
30342 + *flags &= ~MF_PAX_PAGEEXEC;
30343 + retval = -EINVAL;
30346 + if ((*flags & MF_PAX_MPROTECT)
30348 +#ifdef CONFIG_PAX_MPROTECT
30349 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30354 + *flags &= ~MF_PAX_MPROTECT;
30355 + retval = -EINVAL;
30358 + if ((*flags & MF_PAX_EMUTRAMP)
30360 +#ifdef CONFIG_PAX_EMUTRAMP
30361 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30366 + *flags &= ~MF_PAX_EMUTRAMP;
30367 + retval = -EINVAL;
30373 +EXPORT_SYMBOL(pax_check_flags);
30375 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30376 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
30378 + struct task_struct *tsk = current;
30379 + struct mm_struct *mm = current->mm;
30380 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
30381 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
30382 + char *path_exec = NULL;
30383 + char *path_fault = NULL;
30384 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
30386 + if (buffer_exec && buffer_fault) {
30387 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
30389 + down_read(&mm->mmap_sem);
30391 + while (vma && (!vma_exec || !vma_fault)) {
30392 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
30394 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
30396 + vma = vma->vm_next;
30399 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
30400 + if (IS_ERR(path_exec))
30401 + path_exec = "<path too long>";
30403 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
30406 + path_exec = buffer_exec;
30408 + path_exec = "<path too long>";
30412 + start = vma_fault->vm_start;
30413 + end = vma_fault->vm_end;
30414 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
30415 + if (vma_fault->vm_file) {
30416 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
30417 + if (IS_ERR(path_fault))
30418 + path_fault = "<path too long>";
30420 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
30421 + if (path_fault) {
30423 + path_fault = buffer_fault;
30425 + path_fault = "<path too long>";
30428 + path_fault = "<anonymous mapping>";
30430 + up_read(&mm->mmap_sem);
30432 + if (tsk->signal->curr_ip)
30433 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
30435 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
30436 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
30437 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
30438 + task_uid(tsk), task_euid(tsk), pc, sp);
30439 + free_page((unsigned long)buffer_exec);
30440 + free_page((unsigned long)buffer_fault);
30441 + pax_report_insns(pc, sp);
30442 + do_coredump(SIGKILL, SIGKILL, regs);
30446 +#ifdef CONFIG_PAX_REFCOUNT
30447 +void pax_report_refcount_overflow(struct pt_regs *regs)
30449 + if (current->signal->curr_ip)
30450 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30451 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
30453 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30454 + current->comm, task_pid_nr(current), current_uid(), current_euid());
30455 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
30457 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
30461 +#ifdef CONFIG_PAX_USERCOPY
30462 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
30463 +struct stack_frame {
30464 + struct stack_frame *next_frame;
30465 + unsigned long return_address;
30469 +/* 0: not at all, 1: fully, 2: fully inside frame,
30470 + -1: partially (implies an error) */
30472 +int object_is_on_stack(const void *obj, unsigned long len)
30474 + const void *stack = task_stack_page(current);
30475 + const void *stackend = stack + THREAD_SIZE;
30477 + if (obj + len < obj)
30480 + if (stack <= obj && obj + len <= stackend) {
30481 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
30482 + void *frame = __builtin_frame_address(2);
30483 + void *oldframe = __builtin_frame_address(1);
30485 + bottom ----------------------------------------------> top
30486 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
30487 + ^----------------^
30488 + allow copies only within here
30491 + /* if obj + len extends past the last frame, this
30492 + check won't pass and the next frame will be 0,
30493 + causing us to bail out and correctly report
30494 + the copy as invalid
30496 + if (obj + len <= frame) {
30497 + if (obj >= (oldframe + (2 * sizeof(void *))))
30502 + oldframe = frame;
30503 + frame = ((struct stack_frame *)frame)->next_frame;
30511 + if (obj + len <= stack || stackend <= obj)
30518 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
30520 + if (current->signal->curr_ip)
30521 + printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
30522 + ¤t->signal->curr_ip, ptr, len);
30524 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
30526 + do_group_exit(SIGKILL);
30529 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
30531 + if (current->signal->curr_ip)
30532 + printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
30533 + ¤t->signal->curr_ip, ptr, len);
30535 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
30537 + do_group_exit(SIGKILL);
30541 static int zap_process(struct task_struct *start, int exit_code)
30543 struct task_struct *t;
30544 @@ -1773,17 +2081,17 @@ static void wait_for_dump_helpers(struct
30545 pipe = file->f_path.dentry->d_inode->i_pipe;
30550 + atomic_inc(&pipe->readers);
30551 + atomic_dec(&pipe->writers);
30553 - while ((pipe->readers > 1) && (!signal_pending(current))) {
30554 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
30555 wake_up_interruptible_sync(&pipe->wait);
30556 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
30562 + atomic_dec(&pipe->readers);
30563 + atomic_inc(&pipe->writers);
30567 @@ -1891,6 +2199,10 @@ void do_coredump(long signr, int exit_co
30569 clear_thread_flag(TIF_SIGPENDING);
30571 + if (signr == SIGKILL || signr == SIGILL)
30572 + gr_handle_brute_attach(current);
30573 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
30576 * lock_kernel() because format_corename() is controlled by sysctl, which
30577 * uses lock_kernel()
30578 diff -urNp linux-2.6.35.4/fs/ext2/balloc.c linux-2.6.35.4/fs/ext2/balloc.c
30579 --- linux-2.6.35.4/fs/ext2/balloc.c 2010-08-26 19:47:12.000000000 -0400
30580 +++ linux-2.6.35.4/fs/ext2/balloc.c 2010-09-17 20:12:37.000000000 -0400
30581 @@ -1193,7 +1193,7 @@ static int ext2_has_free_blocks(struct e
30583 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
30584 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
30585 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
30586 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
30587 sbi->s_resuid != current_fsuid() &&
30588 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
30590 diff -urNp linux-2.6.35.4/fs/ext2/xattr.c linux-2.6.35.4/fs/ext2/xattr.c
30591 --- linux-2.6.35.4/fs/ext2/xattr.c 2010-08-26 19:47:12.000000000 -0400
30592 +++ linux-2.6.35.4/fs/ext2/xattr.c 2010-09-17 20:12:09.000000000 -0400
30597 -# define ea_idebug(f...)
30598 -# define ea_bdebug(f...)
30599 +# define ea_idebug(inode, f...) do {} while (0)
30600 +# define ea_bdebug(bh, f...) do {} while (0)
30603 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
30604 diff -urNp linux-2.6.35.4/fs/ext3/balloc.c linux-2.6.35.4/fs/ext3/balloc.c
30605 --- linux-2.6.35.4/fs/ext3/balloc.c 2010-08-26 19:47:12.000000000 -0400
30606 +++ linux-2.6.35.4/fs/ext3/balloc.c 2010-09-17 20:12:37.000000000 -0400
30607 @@ -1422,7 +1422,7 @@ static int ext3_has_free_blocks(struct e
30609 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
30610 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
30611 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
30612 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
30613 sbi->s_resuid != current_fsuid() &&
30614 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
30616 diff -urNp linux-2.6.35.4/fs/ext3/namei.c linux-2.6.35.4/fs/ext3/namei.c
30617 --- linux-2.6.35.4/fs/ext3/namei.c 2010-08-26 19:47:12.000000000 -0400
30618 +++ linux-2.6.35.4/fs/ext3/namei.c 2010-09-17 20:12:09.000000000 -0400
30619 @@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
30620 char *data1 = (*bh)->b_data, *data2;
30621 unsigned split, move, size;
30622 struct ext3_dir_entry_2 *de = NULL, *de2;
30626 bh2 = ext3_append (handle, dir, &newblock, &err);
30628 diff -urNp linux-2.6.35.4/fs/ext3/xattr.c linux-2.6.35.4/fs/ext3/xattr.c
30629 --- linux-2.6.35.4/fs/ext3/xattr.c 2010-08-26 19:47:12.000000000 -0400
30630 +++ linux-2.6.35.4/fs/ext3/xattr.c 2010-09-17 20:12:09.000000000 -0400
30635 -# define ea_idebug(f...)
30636 -# define ea_bdebug(f...)
30637 +# define ea_idebug(f...) do {} while (0)
30638 +# define ea_bdebug(f...) do {} while (0)
30641 static void ext3_xattr_cache_insert(struct buffer_head *);
30642 diff -urNp linux-2.6.35.4/fs/ext4/balloc.c linux-2.6.35.4/fs/ext4/balloc.c
30643 --- linux-2.6.35.4/fs/ext4/balloc.c 2010-08-26 19:47:12.000000000 -0400
30644 +++ linux-2.6.35.4/fs/ext4/balloc.c 2010-09-17 20:12:37.000000000 -0400
30645 @@ -522,7 +522,7 @@ int ext4_has_free_blocks(struct ext4_sb_
30646 /* Hm, nope. Are (enough) root reserved blocks available? */
30647 if (sbi->s_resuid == current_fsuid() ||
30648 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
30649 - capable(CAP_SYS_RESOURCE)) {
30650 + capable_nolog(CAP_SYS_RESOURCE)) {
30651 if (free_blocks >= (nblocks + dirty_blocks))
30654 diff -urNp linux-2.6.35.4/fs/ext4/namei.c linux-2.6.35.4/fs/ext4/namei.c
30655 --- linux-2.6.35.4/fs/ext4/namei.c 2010-08-26 19:47:12.000000000 -0400
30656 +++ linux-2.6.35.4/fs/ext4/namei.c 2010-09-17 20:12:09.000000000 -0400
30657 @@ -1197,7 +1197,7 @@ static struct ext4_dir_entry_2 *do_split
30658 char *data1 = (*bh)->b_data, *data2;
30659 unsigned split, move, size;
30660 struct ext4_dir_entry_2 *de = NULL, *de2;
30664 bh2 = ext4_append (handle, dir, &newblock, &err);
30666 diff -urNp linux-2.6.35.4/fs/ext4/xattr.c linux-2.6.35.4/fs/ext4/xattr.c
30667 --- linux-2.6.35.4/fs/ext4/xattr.c 2010-08-26 19:47:12.000000000 -0400
30668 +++ linux-2.6.35.4/fs/ext4/xattr.c 2010-09-17 20:12:09.000000000 -0400
30673 -# define ea_idebug(f...)
30674 -# define ea_bdebug(f...)
30675 +# define ea_idebug(inode, f...) do {} while (0)
30676 +# define ea_bdebug(bh, f...) do {} while (0)
30679 static void ext4_xattr_cache_insert(struct buffer_head *);
30680 diff -urNp linux-2.6.35.4/fs/fcntl.c linux-2.6.35.4/fs/fcntl.c
30681 --- linux-2.6.35.4/fs/fcntl.c 2010-08-26 19:47:12.000000000 -0400
30682 +++ linux-2.6.35.4/fs/fcntl.c 2010-09-17 20:12:37.000000000 -0400
30683 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
30687 + if (gr_handle_chroot_fowner(pid, type))
30689 + if (gr_check_protected_task_fowner(pid, type))
30692 f_modown(filp, pid, type, force);
30695 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
30698 case F_DUPFD_CLOEXEC:
30699 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
30700 if (arg >= rlimit(RLIMIT_NOFILE))
30702 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
30703 diff -urNp linux-2.6.35.4/fs/fifo.c linux-2.6.35.4/fs/fifo.c
30704 --- linux-2.6.35.4/fs/fifo.c 2010-08-26 19:47:12.000000000 -0400
30705 +++ linux-2.6.35.4/fs/fifo.c 2010-09-17 20:12:09.000000000 -0400
30706 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
30708 filp->f_op = &read_pipefifo_fops;
30710 - if (pipe->readers++ == 0)
30711 + if (atomic_inc_return(&pipe->readers) == 1)
30712 wake_up_partner(inode);
30714 - if (!pipe->writers) {
30715 + if (!atomic_read(&pipe->writers)) {
30716 if ((filp->f_flags & O_NONBLOCK)) {
30717 /* suppress POLLHUP until we have
30719 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
30720 * errno=ENXIO when there is no process reading the FIFO.
30723 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
30724 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
30727 filp->f_op = &write_pipefifo_fops;
30729 - if (!pipe->writers++)
30730 + if (atomic_inc_return(&pipe->writers) == 1)
30731 wake_up_partner(inode);
30733 - if (!pipe->readers) {
30734 + if (!atomic_read(&pipe->readers)) {
30735 wait_for_partner(inode, &pipe->r_counter);
30736 if (signal_pending(current))
30738 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
30740 filp->f_op = &rdwr_pipefifo_fops;
30744 + atomic_inc(&pipe->readers);
30745 + atomic_inc(&pipe->writers);
30748 - if (pipe->readers == 1 || pipe->writers == 1)
30749 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
30750 wake_up_partner(inode);
30753 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
30757 - if (!--pipe->readers)
30758 + if (atomic_dec_and_test(&pipe->readers))
30759 wake_up_interruptible(&pipe->wait);
30760 ret = -ERESTARTSYS;
30764 - if (!--pipe->writers)
30765 + if (atomic_dec_and_test(&pipe->writers))
30766 wake_up_interruptible(&pipe->wait);
30767 ret = -ERESTARTSYS;
30771 - if (!pipe->readers && !pipe->writers)
30772 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
30773 free_pipe_info(inode);
30776 diff -urNp linux-2.6.35.4/fs/file.c linux-2.6.35.4/fs/file.c
30777 --- linux-2.6.35.4/fs/file.c 2010-08-26 19:47:12.000000000 -0400
30778 +++ linux-2.6.35.4/fs/file.c 2010-09-17 20:12:37.000000000 -0400
30780 #include <linux/slab.h>
30781 #include <linux/vmalloc.h>
30782 #include <linux/file.h>
30783 +#include <linux/security.h>
30784 #include <linux/fdtable.h>
30785 #include <linux/bitops.h>
30786 #include <linux/interrupt.h>
30787 @@ -257,6 +258,7 @@ int expand_files(struct files_struct *fi
30788 * N.B. For clone tasks sharing a files structure, this test
30789 * will limit the total number of files that can be opened.
30791 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
30792 if (nr >= rlimit(RLIMIT_NOFILE))
30795 diff -urNp linux-2.6.35.4/fs/fs_struct.c linux-2.6.35.4/fs/fs_struct.c
30796 --- linux-2.6.35.4/fs/fs_struct.c 2010-08-26 19:47:12.000000000 -0400
30797 +++ linux-2.6.35.4/fs/fs_struct.c 2010-09-17 20:12:37.000000000 -0400
30799 #include <linux/slab.h>
30800 #include <linux/fs_struct.h>
30801 #include <linux/vserver/global.h>
30802 +#include <linux/grsecurity.h>
30805 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
30806 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
30807 old_root = fs->root;
30810 + gr_set_chroot_entries(current, path);
30811 write_unlock(&fs->lock);
30812 if (old_root.dentry)
30813 path_put(&old_root);
30814 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
30815 && fs->root.mnt == old_root->mnt) {
30816 path_get(new_root);
30817 fs->root = *new_root;
30818 + gr_set_chroot_entries(p, new_root);
30821 if (fs->pwd.dentry == old_root->dentry
30822 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
30824 write_lock(&fs->lock);
30826 - kill = !--fs->users;
30827 + gr_clear_chroot_entries(tsk);
30828 + kill = !atomic_dec_return(&fs->users);
30829 write_unlock(&fs->lock);
30832 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
30833 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
30834 /* We don't need to lock fs - think why ;-) */
30837 + atomic_set(&fs->users, 1);
30839 rwlock_init(&fs->lock);
30840 fs->umask = old->umask;
30841 @@ -127,8 +131,9 @@ int unshare_fs_struct(void)
30843 task_lock(current);
30844 write_lock(&fs->lock);
30845 - kill = !--fs->users;
30846 + kill = !atomic_dec_return(&fs->users);
30847 current->fs = new_fs;
30848 + gr_set_chroot_entries(current, &new_fs->root);
30849 write_unlock(&fs->lock);
30850 task_unlock(current);
30852 @@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
30854 /* to be mentioned only in INIT_TASK */
30855 struct fs_struct init_fs = {
30857 + .users = ATOMIC_INIT(1),
30858 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
30861 @@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
30862 task_lock(current);
30864 write_lock(&init_fs.lock);
30866 + atomic_inc(&init_fs.users);
30867 write_unlock(&init_fs.lock);
30869 write_lock(&fs->lock);
30870 current->fs = &init_fs;
30871 - kill = !--fs->users;
30872 + gr_set_chroot_entries(current, ¤t->fs->root);
30873 + kill = !atomic_dec_return(&fs->users);
30874 write_unlock(&fs->lock);
30876 task_unlock(current);
30877 diff -urNp linux-2.6.35.4/fs/fuse/control.c linux-2.6.35.4/fs/fuse/control.c
30878 --- linux-2.6.35.4/fs/fuse/control.c 2010-08-26 19:47:12.000000000 -0400
30879 +++ linux-2.6.35.4/fs/fuse/control.c 2010-09-17 20:12:09.000000000 -0400
30880 @@ -293,7 +293,7 @@ void fuse_ctl_remove_conn(struct fuse_co
30882 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
30884 - struct tree_descr empty_descr = {""};
30885 + struct tree_descr empty_descr = {"", NULL, 0};
30886 struct fuse_conn *fc;
30889 diff -urNp linux-2.6.35.4/fs/fuse/cuse.c linux-2.6.35.4/fs/fuse/cuse.c
30890 --- linux-2.6.35.4/fs/fuse/cuse.c 2010-08-26 19:47:12.000000000 -0400
30891 +++ linux-2.6.35.4/fs/fuse/cuse.c 2010-09-17 20:12:09.000000000 -0400
30892 @@ -529,8 +529,18 @@ static int cuse_channel_release(struct i
30896 -static struct file_operations cuse_channel_fops; /* initialized during init */
30898 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
30899 + .owner = THIS_MODULE,
30900 + .llseek = no_llseek,
30901 + .read = do_sync_read,
30902 + .aio_read = fuse_dev_read,
30903 + .write = do_sync_write,
30904 + .aio_write = fuse_dev_write,
30905 + .poll = fuse_dev_poll,
30906 + .open = cuse_channel_open,
30907 + .release = cuse_channel_release,
30908 + .fasync = fuse_dev_fasync,
30911 /**************************************************************************
30912 * Misc stuff and module initializatiion
30913 @@ -576,12 +586,6 @@ static int __init cuse_init(void)
30914 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
30915 INIT_LIST_HEAD(&cuse_conntbl[i]);
30917 - /* inherit and extend fuse_dev_operations */
30918 - cuse_channel_fops = fuse_dev_operations;
30919 - cuse_channel_fops.owner = THIS_MODULE;
30920 - cuse_channel_fops.open = cuse_channel_open;
30921 - cuse_channel_fops.release = cuse_channel_release;
30923 cuse_class = class_create(THIS_MODULE, "cuse");
30924 if (IS_ERR(cuse_class))
30925 return PTR_ERR(cuse_class);
30926 diff -urNp linux-2.6.35.4/fs/fuse/dev.c linux-2.6.35.4/fs/fuse/dev.c
30927 --- linux-2.6.35.4/fs/fuse/dev.c 2010-08-26 19:47:12.000000000 -0400
30928 +++ linux-2.6.35.4/fs/fuse/dev.c 2010-09-17 20:12:09.000000000 -0400
30929 @@ -1031,7 +1031,7 @@ static ssize_t fuse_dev_do_read(struct f
30933 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
30934 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
30935 unsigned long nr_segs, loff_t pos)
30937 struct fuse_copy_state cs;
30938 @@ -1045,6 +1045,8 @@ static ssize_t fuse_dev_read(struct kioc
30939 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
30942 +EXPORT_SYMBOL_GPL(fuse_dev_read);
30944 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
30945 struct pipe_buffer *buf)
30947 @@ -1088,7 +1090,7 @@ static ssize_t fuse_dev_splice_read(stru
30951 - if (!pipe->readers) {
30952 + if (!atomic_read(&pipe->readers)) {
30953 send_sig(SIGPIPE, current, 0);
30956 @@ -1387,7 +1389,7 @@ static ssize_t fuse_dev_do_write(struct
30960 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
30961 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
30962 unsigned long nr_segs, loff_t pos)
30964 struct fuse_copy_state cs;
30965 @@ -1400,6 +1402,8 @@ static ssize_t fuse_dev_write(struct kio
30966 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
30969 +EXPORT_SYMBOL_GPL(fuse_dev_write);
30971 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
30972 struct file *out, loff_t *ppos,
30973 size_t len, unsigned int flags)
30974 @@ -1478,7 +1482,7 @@ out:
30978 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
30979 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
30981 unsigned mask = POLLOUT | POLLWRNORM;
30982 struct fuse_conn *fc = fuse_get_conn(file);
30983 @@ -1497,6 +1501,8 @@ static unsigned fuse_dev_poll(struct fil
30987 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
30990 * Abort all requests on the given list (pending or processing)
30992 @@ -1604,7 +1610,7 @@ int fuse_dev_release(struct inode *inode
30994 EXPORT_SYMBOL_GPL(fuse_dev_release);
30996 -static int fuse_dev_fasync(int fd, struct file *file, int on)
30997 +int fuse_dev_fasync(int fd, struct file *file, int on)
30999 struct fuse_conn *fc = fuse_get_conn(file);
31001 @@ -1614,6 +1620,8 @@ static int fuse_dev_fasync(int fd, struc
31002 return fasync_helper(fd, file, on, &fc->fasync);
31005 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
31007 const struct file_operations fuse_dev_operations = {
31008 .owner = THIS_MODULE,
31009 .llseek = no_llseek,
31010 diff -urNp linux-2.6.35.4/fs/fuse/dir.c linux-2.6.35.4/fs/fuse/dir.c
31011 --- linux-2.6.35.4/fs/fuse/dir.c 2010-08-26 19:47:12.000000000 -0400
31012 +++ linux-2.6.35.4/fs/fuse/dir.c 2010-09-17 20:12:09.000000000 -0400
31013 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
31017 -static void free_link(char *link)
31018 +static void free_link(const char *link)
31021 free_page((unsigned long) link);
31022 diff -urNp linux-2.6.35.4/fs/fuse/fuse_i.h linux-2.6.35.4/fs/fuse/fuse_i.h
31023 --- linux-2.6.35.4/fs/fuse/fuse_i.h 2010-08-26 19:47:12.000000000 -0400
31024 +++ linux-2.6.35.4/fs/fuse/fuse_i.h 2010-09-17 20:12:09.000000000 -0400
31025 @@ -524,6 +524,16 @@ extern const struct file_operations fuse
31027 extern const struct dentry_operations fuse_dentry_operations;
31029 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31030 + unsigned long nr_segs, loff_t pos);
31032 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31033 + unsigned long nr_segs, loff_t pos);
31035 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
31037 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
31040 * Inode to nodeid comparison.
31042 diff -urNp linux-2.6.35.4/fs/hfs/inode.c linux-2.6.35.4/fs/hfs/inode.c
31043 --- linux-2.6.35.4/fs/hfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31044 +++ linux-2.6.35.4/fs/hfs/inode.c 2010-09-17 20:12:09.000000000 -0400
31045 @@ -423,7 +423,7 @@ int hfs_write_inode(struct inode *inode,
31047 if (S_ISDIR(main_inode->i_mode)) {
31048 if (fd.entrylength < sizeof(struct hfs_cat_dir))
31051 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31052 sizeof(struct hfs_cat_dir));
31053 if (rec.type != HFS_CDR_DIR ||
31054 @@ -444,7 +444,7 @@ int hfs_write_inode(struct inode *inode,
31055 sizeof(struct hfs_cat_file));
31057 if (fd.entrylength < sizeof(struct hfs_cat_file))
31060 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31061 sizeof(struct hfs_cat_file));
31062 if (rec.type != HFS_CDR_FIL ||
31063 diff -urNp linux-2.6.35.4/fs/hfsplus/inode.c linux-2.6.35.4/fs/hfsplus/inode.c
31064 --- linux-2.6.35.4/fs/hfsplus/inode.c 2010-08-26 19:47:12.000000000 -0400
31065 +++ linux-2.6.35.4/fs/hfsplus/inode.c 2010-09-17 20:12:09.000000000 -0400
31066 @@ -406,7 +406,7 @@ int hfsplus_cat_read_inode(struct inode
31067 struct hfsplus_cat_folder *folder = &entry.folder;
31069 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
31072 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31073 sizeof(struct hfsplus_cat_folder));
31074 hfsplus_get_perms(inode, &folder->permissions, 1);
31075 @@ -423,7 +423,7 @@ int hfsplus_cat_read_inode(struct inode
31076 struct hfsplus_cat_file *file = &entry.file;
31078 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
31081 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31082 sizeof(struct hfsplus_cat_file));
31084 @@ -479,7 +479,7 @@ int hfsplus_cat_write_inode(struct inode
31085 struct hfsplus_cat_folder *folder = &entry.folder;
31087 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
31090 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31091 sizeof(struct hfsplus_cat_folder));
31092 /* simple node checks? */
31093 @@ -501,7 +501,7 @@ int hfsplus_cat_write_inode(struct inode
31094 struct hfsplus_cat_file *file = &entry.file;
31096 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
31099 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31100 sizeof(struct hfsplus_cat_file));
31101 hfsplus_inode_write_fork(inode, &file->data_fork);
31102 diff -urNp linux-2.6.35.4/fs/hugetlbfs/inode.c linux-2.6.35.4/fs/hugetlbfs/inode.c
31103 --- linux-2.6.35.4/fs/hugetlbfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31104 +++ linux-2.6.35.4/fs/hugetlbfs/inode.c 2010-09-17 20:12:37.000000000 -0400
31105 @@ -908,7 +908,7 @@ static struct file_system_type hugetlbfs
31106 .kill_sb = kill_litter_super,
31109 -static struct vfsmount *hugetlbfs_vfsmount;
31110 +struct vfsmount *hugetlbfs_vfsmount;
31112 static int can_do_hugetlb_shm(void)
31114 diff -urNp linux-2.6.35.4/fs/ioctl.c linux-2.6.35.4/fs/ioctl.c
31115 --- linux-2.6.35.4/fs/ioctl.c 2010-08-26 19:47:12.000000000 -0400
31116 +++ linux-2.6.35.4/fs/ioctl.c 2010-09-17 20:12:09.000000000 -0400
31117 @@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
31118 u64 phys, u64 len, u32 flags)
31120 struct fiemap_extent extent;
31121 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
31122 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
31124 /* only count the extents */
31125 if (fieinfo->fi_extents_max == 0) {
31126 @@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
31128 fieinfo.fi_flags = fiemap.fm_flags;
31129 fieinfo.fi_extents_max = fiemap.fm_extent_count;
31130 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
31131 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
31133 if (fiemap.fm_extent_count != 0 &&
31134 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
31135 @@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
31136 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
31137 fiemap.fm_flags = fieinfo.fi_flags;
31138 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
31139 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
31140 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
31144 diff -urNp linux-2.6.35.4/fs/jffs2/debug.h linux-2.6.35.4/fs/jffs2/debug.h
31145 --- linux-2.6.35.4/fs/jffs2/debug.h 2010-08-26 19:47:12.000000000 -0400
31146 +++ linux-2.6.35.4/fs/jffs2/debug.h 2010-09-17 20:12:09.000000000 -0400
31147 @@ -52,13 +52,13 @@
31148 #if CONFIG_JFFS2_FS_DEBUG > 0
31152 +#define D1(x) do {} while (0);
31155 #if CONFIG_JFFS2_FS_DEBUG > 1
31159 +#define D2(x) do {} while (0);
31162 /* The prefixes of JFFS2 messages */
31163 @@ -114,73 +114,73 @@
31164 #ifdef JFFS2_DBG_READINODE_MESSAGES
31165 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31167 -#define dbg_readinode(fmt, ...)
31168 +#define dbg_readinode(fmt, ...) do {} while (0)
31170 #ifdef JFFS2_DBG_READINODE2_MESSAGES
31171 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31173 -#define dbg_readinode2(fmt, ...)
31174 +#define dbg_readinode2(fmt, ...) do {} while (0)
31177 /* Fragtree build debugging messages */
31178 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
31179 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31181 -#define dbg_fragtree(fmt, ...)
31182 +#define dbg_fragtree(fmt, ...) do {} while (0)
31184 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
31185 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31187 -#define dbg_fragtree2(fmt, ...)
31188 +#define dbg_fragtree2(fmt, ...) do {} while (0)
31191 /* Directory entry list manilulation debugging messages */
31192 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
31193 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31195 -#define dbg_dentlist(fmt, ...)
31196 +#define dbg_dentlist(fmt, ...) do {} while (0)
31199 /* Print the messages about manipulating node_refs */
31200 #ifdef JFFS2_DBG_NODEREF_MESSAGES
31201 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31203 -#define dbg_noderef(fmt, ...)
31204 +#define dbg_noderef(fmt, ...) do {} while (0)
31207 /* Manipulations with the list of inodes (JFFS2 inocache) */
31208 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
31209 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31211 -#define dbg_inocache(fmt, ...)
31212 +#define dbg_inocache(fmt, ...) do {} while (0)
31215 /* Summary debugging messages */
31216 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
31217 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31219 -#define dbg_summary(fmt, ...)
31220 +#define dbg_summary(fmt, ...) do {} while (0)
31223 /* File system build messages */
31224 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
31225 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31227 -#define dbg_fsbuild(fmt, ...)
31228 +#define dbg_fsbuild(fmt, ...) do {} while (0)
31231 /* Watch the object allocations */
31232 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
31233 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31235 -#define dbg_memalloc(fmt, ...)
31236 +#define dbg_memalloc(fmt, ...) do {} while (0)
31239 /* Watch the XATTR subsystem */
31240 #ifdef JFFS2_DBG_XATTR_MESSAGES
31241 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31243 -#define dbg_xattr(fmt, ...)
31244 +#define dbg_xattr(fmt, ...) do {} while (0)
31247 /* "Sanity" checks */
31248 diff -urNp linux-2.6.35.4/fs/jffs2/erase.c linux-2.6.35.4/fs/jffs2/erase.c
31249 --- linux-2.6.35.4/fs/jffs2/erase.c 2010-08-26 19:47:12.000000000 -0400
31250 +++ linux-2.6.35.4/fs/jffs2/erase.c 2010-09-17 20:12:09.000000000 -0400
31251 @@ -438,7 +438,8 @@ static void jffs2_mark_erased_block(stru
31252 struct jffs2_unknown_node marker = {
31253 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
31254 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31255 - .totlen = cpu_to_je32(c->cleanmarker_size)
31256 + .totlen = cpu_to_je32(c->cleanmarker_size),
31257 + .hdr_crc = cpu_to_je32(0)
31260 jffs2_prealloc_raw_node_refs(c, jeb, 1);
31261 diff -urNp linux-2.6.35.4/fs/jffs2/summary.h linux-2.6.35.4/fs/jffs2/summary.h
31262 --- linux-2.6.35.4/fs/jffs2/summary.h 2010-08-26 19:47:12.000000000 -0400
31263 +++ linux-2.6.35.4/fs/jffs2/summary.h 2010-09-17 20:12:09.000000000 -0400
31264 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
31266 #define jffs2_sum_active() (0)
31267 #define jffs2_sum_init(a) (0)
31268 -#define jffs2_sum_exit(a)
31269 -#define jffs2_sum_disable_collecting(a)
31270 +#define jffs2_sum_exit(a) do {} while (0)
31271 +#define jffs2_sum_disable_collecting(a) do {} while (0)
31272 #define jffs2_sum_is_disabled(a) (0)
31273 -#define jffs2_sum_reset_collected(a)
31274 +#define jffs2_sum_reset_collected(a) do {} while (0)
31275 #define jffs2_sum_add_kvec(a,b,c,d) (0)
31276 -#define jffs2_sum_move_collected(a,b)
31277 +#define jffs2_sum_move_collected(a,b) do {} while (0)
31278 #define jffs2_sum_write_sumnode(a) (0)
31279 -#define jffs2_sum_add_padding_mem(a,b)
31280 -#define jffs2_sum_add_inode_mem(a,b,c)
31281 -#define jffs2_sum_add_dirent_mem(a,b,c)
31282 -#define jffs2_sum_add_xattr_mem(a,b,c)
31283 -#define jffs2_sum_add_xref_mem(a,b,c)
31284 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
31285 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
31286 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
31287 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
31288 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
31289 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
31291 #endif /* CONFIG_JFFS2_SUMMARY */
31292 diff -urNp linux-2.6.35.4/fs/jffs2/wbuf.c linux-2.6.35.4/fs/jffs2/wbuf.c
31293 --- linux-2.6.35.4/fs/jffs2/wbuf.c 2010-08-26 19:47:12.000000000 -0400
31294 +++ linux-2.6.35.4/fs/jffs2/wbuf.c 2010-09-17 20:12:09.000000000 -0400
31295 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
31297 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
31298 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31299 - .totlen = constant_cpu_to_je32(8)
31300 + .totlen = constant_cpu_to_je32(8),
31301 + .hdr_crc = constant_cpu_to_je32(0)
31305 diff -urNp linux-2.6.35.4/fs/lockd/svc.c linux-2.6.35.4/fs/lockd/svc.c
31306 --- linux-2.6.35.4/fs/lockd/svc.c 2010-08-26 19:47:12.000000000 -0400
31307 +++ linux-2.6.35.4/fs/lockd/svc.c 2010-09-17 20:12:09.000000000 -0400
31310 static struct svc_program nlmsvc_program;
31312 -struct nlmsvc_binding * nlmsvc_ops;
31313 +const struct nlmsvc_binding * nlmsvc_ops;
31314 EXPORT_SYMBOL_GPL(nlmsvc_ops);
31316 static DEFINE_MUTEX(nlmsvc_mutex);
31317 diff -urNp linux-2.6.35.4/fs/locks.c linux-2.6.35.4/fs/locks.c
31318 --- linux-2.6.35.4/fs/locks.c 2010-08-26 19:47:12.000000000 -0400
31319 +++ linux-2.6.35.4/fs/locks.c 2010-09-17 20:12:09.000000000 -0400
31320 @@ -2008,16 +2008,16 @@ void locks_remove_flock(struct file *fil
31323 if (filp->f_op && filp->f_op->flock) {
31324 - struct file_lock fl = {
31325 + struct file_lock flock = {
31326 .fl_pid = current->tgid,
31328 .fl_flags = FL_FLOCK,
31329 .fl_type = F_UNLCK,
31330 .fl_end = OFFSET_MAX,
31332 - filp->f_op->flock(filp, F_SETLKW, &fl);
31333 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
31334 - fl.fl_ops->fl_release_private(&fl);
31335 + filp->f_op->flock(filp, F_SETLKW, &flock);
31336 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
31337 + flock.fl_ops->fl_release_private(&flock);
31341 diff -urNp linux-2.6.35.4/fs/namei.c linux-2.6.35.4/fs/namei.c
31342 --- linux-2.6.35.4/fs/namei.c 2010-08-26 19:47:12.000000000 -0400
31343 +++ linux-2.6.35.4/fs/namei.c 2010-09-17 20:12:37.000000000 -0400
31344 @@ -548,7 +548,7 @@ __do_follow_link(struct path *path, stru
31345 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
31346 error = PTR_ERR(*p);
31348 - char *s = nd_get_link(nd);
31349 + const char *s = nd_get_link(nd);
31352 error = __vfs_follow_link(nd, s);
31353 @@ -581,6 +581,13 @@ static inline int do_follow_link(struct
31354 err = security_inode_follow_link(path->dentry, nd);
31358 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
31359 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
31364 current->link_count++;
31365 current->total_link_count++;
31367 @@ -965,11 +972,18 @@ return_reval:
31371 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
31372 + path_put(&nd->path);
31377 path_put_conditional(&next, nd);
31380 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
31383 path_put(&nd->path);
31386 @@ -1506,12 +1520,19 @@ static int __open_namei_create(struct na
31388 struct dentry *dir = nd->path.dentry;
31390 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, open_flag, mode)) {
31395 if (!IS_POSIXACL(dir->d_inode))
31396 mode &= ~current_umask();
31397 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
31400 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
31402 + gr_handle_create(path->dentry, nd->path.mnt);
31404 mutex_unlock(&dir->d_inode->i_mutex);
31405 dput(nd->path.dentry);
31406 @@ -1614,6 +1635,7 @@ static struct file *do_last(struct namei
31407 int mode, const char *pathname)
31409 struct dentry *dir = nd->path.dentry;
31410 + int flag = open_to_namei_flags(open_flag);
31412 int error = -EISDIR;
31414 @@ -1662,6 +1684,22 @@ static struct file *do_last(struct namei
31416 path_to_nameidata(path, nd);
31417 audit_inode(pathname, nd->path.dentry);
31419 + if (gr_handle_rofs_blockwrite(nd->path.dentry, nd->path.mnt, acc_mode)) {
31424 + if (gr_handle_rawio(nd->path.dentry->d_inode)) {
31429 + if (!gr_acl_handle_open(nd->path.dentry, nd->path.mnt, flag)) {
31437 @@ -1714,6 +1752,24 @@ static struct file *do_last(struct namei
31439 * It already exists.
31442 + if (gr_handle_rofs_blockwrite(path->dentry, nd->path.mnt, acc_mode)) {
31444 + goto exit_mutex_unlock;
31446 + if (gr_handle_rawio(path->dentry->d_inode)) {
31448 + goto exit_mutex_unlock;
31450 + if (!gr_acl_handle_open(path->dentry, nd->path.mnt, flag)) {
31452 + goto exit_mutex_unlock;
31454 + if (gr_handle_fifo(path->dentry, nd->path.mnt, dir, flag, acc_mode)) {
31456 + goto exit_mutex_unlock;
31459 mutex_unlock(&dir->d_inode->i_mutex);
31460 audit_inode(pathname, path->dentry);
31462 @@ -2034,6 +2090,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
31463 error = may_mknod(mode);
31467 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
31472 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
31477 error = mnt_want_write(nd.path.mnt);
31480 @@ -2054,6 +2121,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
31483 mnt_drop_write(nd.path.mnt);
31486 + gr_handle_create(dentry, nd.path.mnt);
31490 @@ -2106,6 +2176,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
31491 if (IS_ERR(dentry))
31494 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
31499 if (!IS_POSIXACL(nd.path.dentry->d_inode))
31500 mode &= ~current_umask();
31501 error = mnt_want_write(nd.path.mnt);
31502 @@ -2117,6 +2192,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
31503 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
31505 mnt_drop_write(nd.path.mnt);
31508 + gr_handle_create(dentry, nd.path.mnt);
31513 @@ -2198,6 +2277,8 @@ static long do_rmdir(int dfd, const char
31515 struct dentry *dentry;
31516 struct nameidata nd;
31517 + ino_t saved_ino = 0;
31518 + dev_t saved_dev = 0;
31520 error = user_path_parent(dfd, pathname, &nd, &name);
31522 @@ -2222,6 +2303,19 @@ static long do_rmdir(int dfd, const char
31523 error = PTR_ERR(dentry);
31524 if (IS_ERR(dentry))
31527 + if (dentry->d_inode != NULL) {
31528 + if (dentry->d_inode->i_nlink <= 1) {
31529 + saved_ino = dentry->d_inode->i_ino;
31530 + saved_dev = dentry->d_inode->i_sb->s_dev;
31533 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
31539 error = mnt_want_write(nd.path.mnt);
31542 @@ -2229,6 +2323,8 @@ static long do_rmdir(int dfd, const char
31545 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
31546 + if (!error && (saved_dev || saved_ino))
31547 + gr_handle_delete(saved_ino, saved_dev);
31549 mnt_drop_write(nd.path.mnt);
31551 @@ -2291,6 +2387,8 @@ static long do_unlinkat(int dfd, const c
31552 struct dentry *dentry;
31553 struct nameidata nd;
31554 struct inode *inode = NULL;
31555 + ino_t saved_ino = 0;
31556 + dev_t saved_dev = 0;
31558 error = user_path_parent(dfd, pathname, &nd, &name);
31560 @@ -2310,8 +2408,19 @@ static long do_unlinkat(int dfd, const c
31561 if (nd.last.name[nd.last.len])
31563 inode = dentry->d_inode;
31566 + if (inode->i_nlink <= 1) {
31567 + saved_ino = inode->i_ino;
31568 + saved_dev = inode->i_sb->s_dev;
31571 atomic_inc(&inode->i_count);
31573 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
31578 error = mnt_want_write(nd.path.mnt);
31581 @@ -2319,6 +2428,8 @@ static long do_unlinkat(int dfd, const c
31584 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
31585 + if (!error && (saved_ino || saved_dev))
31586 + gr_handle_delete(saved_ino, saved_dev);
31588 mnt_drop_write(nd.path.mnt);
31590 @@ -2396,6 +2507,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
31591 if (IS_ERR(dentry))
31594 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
31599 error = mnt_want_write(nd.path.mnt);
31602 @@ -2403,6 +2519,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
31604 goto out_drop_write;
31605 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
31607 + gr_handle_create(dentry, nd.path.mnt);
31609 mnt_drop_write(nd.path.mnt);
31611 @@ -2495,6 +2613,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
31612 error = PTR_ERR(new_dentry);
31613 if (IS_ERR(new_dentry))
31616 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
31617 + old_path.dentry->d_inode,
31618 + old_path.dentry->d_inode->i_mode, to)) {
31623 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
31624 + old_path.dentry, old_path.mnt, to)) {
31629 error = mnt_want_write(nd.path.mnt);
31632 @@ -2502,6 +2634,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
31634 goto out_drop_write;
31635 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
31637 + gr_handle_create(new_dentry, nd.path.mnt);
31639 mnt_drop_write(nd.path.mnt);
31641 @@ -2735,6 +2869,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
31642 if (new_dentry == trap)
31645 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
31646 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
31651 error = mnt_want_write(oldnd.path.mnt);
31654 @@ -2744,6 +2884,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
31656 error = vfs_rename(old_dir->d_inode, old_dentry,
31657 new_dir->d_inode, new_dentry);
31659 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
31660 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
31662 mnt_drop_write(oldnd.path.mnt);
31664 diff -urNp linux-2.6.35.4/fs/namespace.c linux-2.6.35.4/fs/namespace.c
31665 --- linux-2.6.35.4/fs/namespace.c 2010-08-26 19:47:12.000000000 -0400
31666 +++ linux-2.6.35.4/fs/namespace.c 2010-09-17 20:21:58.000000000 -0400
31667 @@ -1099,6 +1099,9 @@ static int do_umount(struct vfsmount *mn
31668 if (!(sb->s_flags & MS_RDONLY))
31669 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
31670 up_write(&sb->s_umount);
31672 + gr_log_remount(mnt->mnt_devname, retval);
31677 @@ -1118,6 +1121,9 @@ static int do_umount(struct vfsmount *mn
31678 spin_unlock(&vfsmount_lock);
31679 up_write(&namespace_sem);
31680 release_mounts(&umount_list);
31682 + gr_log_unmount(mnt->mnt_devname, retval);
31687 @@ -1988,6 +1994,16 @@ long do_mount(char *dev_name, char *dir_
31688 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
31691 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
31696 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
31701 if (flags & MS_REMOUNT)
31702 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
31704 @@ -2002,6 +2018,9 @@ long do_mount(char *dev_name, char *dir_
31705 dev_name, data_page);
31709 + gr_log_mount(dev_name, dir_name, retval);
31714 @@ -2208,6 +2227,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
31718 + if (gr_handle_chroot_pivot()) {
31724 read_lock(¤t->fs->lock);
31725 root = current->fs->root;
31726 path_get(¤t->fs->root);
31727 diff -urNp linux-2.6.35.4/fs/nfs/inode.c linux-2.6.35.4/fs/nfs/inode.c
31728 --- linux-2.6.35.4/fs/nfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31729 +++ linux-2.6.35.4/fs/nfs/inode.c 2010-09-17 20:12:09.000000000 -0400
31730 @@ -915,16 +915,16 @@ static int nfs_size_need_update(const st
31731 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
31734 -static atomic_long_t nfs_attr_generation_counter;
31735 +static atomic_long_unchecked_t nfs_attr_generation_counter;
31737 static unsigned long nfs_read_attr_generation_counter(void)
31739 - return atomic_long_read(&nfs_attr_generation_counter);
31740 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
31743 unsigned long nfs_inc_attr_generation_counter(void)
31745 - return atomic_long_inc_return(&nfs_attr_generation_counter);
31746 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
31749 void nfs_fattr_init(struct nfs_fattr *fattr)
31750 diff -urNp linux-2.6.35.4/fs/nfs/nfs4proc.c linux-2.6.35.4/fs/nfs/nfs4proc.c
31751 --- linux-2.6.35.4/fs/nfs/nfs4proc.c 2010-08-26 19:47:12.000000000 -0400
31752 +++ linux-2.6.35.4/fs/nfs/nfs4proc.c 2010-09-17 20:12:09.000000000 -0400
31753 @@ -1166,7 +1166,7 @@ static int _nfs4_do_open_reclaim(struct
31754 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
31756 struct nfs_server *server = NFS_SERVER(state->inode);
31757 - struct nfs4_exception exception = { };
31758 + struct nfs4_exception exception = {0, 0};
31761 err = _nfs4_do_open_reclaim(ctx, state);
31762 @@ -1208,7 +1208,7 @@ static int _nfs4_open_delegation_recall(
31764 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
31766 - struct nfs4_exception exception = { };
31767 + struct nfs4_exception exception = {0, 0};
31768 struct nfs_server *server = NFS_SERVER(state->inode);
31771 @@ -1581,7 +1581,7 @@ static int _nfs4_open_expired(struct nfs
31772 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
31774 struct nfs_server *server = NFS_SERVER(state->inode);
31775 - struct nfs4_exception exception = { };
31776 + struct nfs4_exception exception = {0, 0};
31780 @@ -1697,7 +1697,7 @@ out_err:
31782 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
31784 - struct nfs4_exception exception = { };
31785 + struct nfs4_exception exception = {0, 0};
31786 struct nfs4_state *res;
31789 @@ -1788,7 +1788,7 @@ static int nfs4_do_setattr(struct inode
31790 struct nfs4_state *state)
31792 struct nfs_server *server = NFS_SERVER(inode);
31793 - struct nfs4_exception exception = { };
31794 + struct nfs4_exception exception = {0, 0};
31797 err = nfs4_handle_exception(server,
31798 @@ -2166,7 +2166,7 @@ static int _nfs4_server_capabilities(str
31800 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
31802 - struct nfs4_exception exception = { };
31803 + struct nfs4_exception exception = {0, 0};
31806 err = nfs4_handle_exception(server,
31807 @@ -2200,7 +2200,7 @@ static int _nfs4_lookup_root(struct nfs_
31808 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
31809 struct nfs_fsinfo *info)
31811 - struct nfs4_exception exception = { };
31812 + struct nfs4_exception exception = {0, 0};
31815 err = nfs4_handle_exception(server,
31816 @@ -2289,7 +2289,7 @@ static int _nfs4_proc_getattr(struct nfs
31818 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
31820 - struct nfs4_exception exception = { };
31821 + struct nfs4_exception exception = {0, 0};
31824 err = nfs4_handle_exception(server,
31825 @@ -2377,7 +2377,7 @@ static int nfs4_proc_lookupfh(struct nfs
31826 struct qstr *name, struct nfs_fh *fhandle,
31827 struct nfs_fattr *fattr)
31829 - struct nfs4_exception exception = { };
31830 + struct nfs4_exception exception = {0, 0};
31833 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
31834 @@ -2406,7 +2406,7 @@ static int _nfs4_proc_lookup(struct inod
31836 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
31838 - struct nfs4_exception exception = { };
31839 + struct nfs4_exception exception = {0, 0};
31842 err = nfs4_handle_exception(NFS_SERVER(dir),
31843 @@ -2473,7 +2473,7 @@ static int _nfs4_proc_access(struct inod
31845 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
31847 - struct nfs4_exception exception = { };
31848 + struct nfs4_exception exception = {0, 0};
31851 err = nfs4_handle_exception(NFS_SERVER(inode),
31852 @@ -2529,7 +2529,7 @@ static int _nfs4_proc_readlink(struct in
31853 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
31854 unsigned int pgbase, unsigned int pglen)
31856 - struct nfs4_exception exception = { };
31857 + struct nfs4_exception exception = {0, 0};
31860 err = nfs4_handle_exception(NFS_SERVER(inode),
31861 @@ -2625,7 +2625,7 @@ out:
31863 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
31865 - struct nfs4_exception exception = { };
31866 + struct nfs4_exception exception = {0, 0};
31869 err = nfs4_handle_exception(NFS_SERVER(dir),
31870 @@ -2700,7 +2700,7 @@ out:
31871 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
31872 struct inode *new_dir, struct qstr *new_name)
31874 - struct nfs4_exception exception = { };
31875 + struct nfs4_exception exception = {0, 0};
31878 err = nfs4_handle_exception(NFS_SERVER(old_dir),
31879 @@ -2749,7 +2749,7 @@ out:
31881 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
31883 - struct nfs4_exception exception = { };
31884 + struct nfs4_exception exception = {0, 0};
31887 err = nfs4_handle_exception(NFS_SERVER(inode),
31888 @@ -2841,7 +2841,7 @@ out:
31889 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
31890 struct page *page, unsigned int len, struct iattr *sattr)
31892 - struct nfs4_exception exception = { };
31893 + struct nfs4_exception exception = {0, 0};
31896 err = nfs4_handle_exception(NFS_SERVER(dir),
31897 @@ -2872,7 +2872,7 @@ out:
31898 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
31899 struct iattr *sattr)
31901 - struct nfs4_exception exception = { };
31902 + struct nfs4_exception exception = {0, 0};
31905 err = nfs4_handle_exception(NFS_SERVER(dir),
31906 @@ -2921,7 +2921,7 @@ static int _nfs4_proc_readdir(struct den
31907 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
31908 u64 cookie, struct page *page, unsigned int count, int plus)
31910 - struct nfs4_exception exception = { };
31911 + struct nfs4_exception exception = {0, 0};
31914 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
31915 @@ -2969,7 +2969,7 @@ out:
31916 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
31917 struct iattr *sattr, dev_t rdev)
31919 - struct nfs4_exception exception = { };
31920 + struct nfs4_exception exception = {0, 0};
31923 err = nfs4_handle_exception(NFS_SERVER(dir),
31924 @@ -3001,7 +3001,7 @@ static int _nfs4_proc_statfs(struct nfs_
31926 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
31928 - struct nfs4_exception exception = { };
31929 + struct nfs4_exception exception = {0, 0};
31932 err = nfs4_handle_exception(server,
31933 @@ -3032,7 +3032,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
31935 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
31937 - struct nfs4_exception exception = { };
31938 + struct nfs4_exception exception = {0, 0};
31942 @@ -3078,7 +3078,7 @@ static int _nfs4_proc_pathconf(struct nf
31943 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
31944 struct nfs_pathconf *pathconf)
31946 - struct nfs4_exception exception = { };
31947 + struct nfs4_exception exception = {0, 0};
31951 @@ -3399,7 +3399,7 @@ out_free:
31953 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
31955 - struct nfs4_exception exception = { };
31956 + struct nfs4_exception exception = {0, 0};
31959 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
31960 @@ -3455,7 +3455,7 @@ static int __nfs4_proc_set_acl(struct in
31962 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
31964 - struct nfs4_exception exception = { };
31965 + struct nfs4_exception exception = {0, 0};
31968 err = nfs4_handle_exception(NFS_SERVER(inode),
31969 @@ -3745,7 +3745,7 @@ out:
31970 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
31972 struct nfs_server *server = NFS_SERVER(inode);
31973 - struct nfs4_exception exception = { };
31974 + struct nfs4_exception exception = {0, 0};
31977 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
31978 @@ -3818,7 +3818,7 @@ out:
31980 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
31982 - struct nfs4_exception exception = { };
31983 + struct nfs4_exception exception = {0, 0};
31987 @@ -4232,7 +4232,7 @@ static int _nfs4_do_setlk(struct nfs4_st
31988 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
31990 struct nfs_server *server = NFS_SERVER(state->inode);
31991 - struct nfs4_exception exception = { };
31992 + struct nfs4_exception exception = {0, 0};
31996 @@ -4250,7 +4250,7 @@ static int nfs4_lock_reclaim(struct nfs4
31997 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
31999 struct nfs_server *server = NFS_SERVER(state->inode);
32000 - struct nfs4_exception exception = { };
32001 + struct nfs4_exception exception = {0, 0};
32004 err = nfs4_set_lock_state(state, request);
32005 @@ -4315,7 +4315,7 @@ out:
32007 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32009 - struct nfs4_exception exception = { };
32010 + struct nfs4_exception exception = {0, 0};
32014 @@ -4375,7 +4375,7 @@ nfs4_proc_lock(struct file *filp, int cm
32015 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
32017 struct nfs_server *server = NFS_SERVER(state->inode);
32018 - struct nfs4_exception exception = { };
32019 + struct nfs4_exception exception = {0, 0};
32022 err = nfs4_set_lock_state(state, fl);
32023 diff -urNp linux-2.6.35.4/fs/nfsd/lockd.c linux-2.6.35.4/fs/nfsd/lockd.c
32024 --- linux-2.6.35.4/fs/nfsd/lockd.c 2010-08-26 19:47:12.000000000 -0400
32025 +++ linux-2.6.35.4/fs/nfsd/lockd.c 2010-09-17 20:12:09.000000000 -0400
32026 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
32030 -static struct nlmsvc_binding nfsd_nlm_ops = {
32031 +static const struct nlmsvc_binding nfsd_nlm_ops = {
32032 .fopen = nlm_fopen, /* open file for locking */
32033 .fclose = nlm_fclose, /* close file */
32035 diff -urNp linux-2.6.35.4/fs/nfsd/nfsctl.c linux-2.6.35.4/fs/nfsd/nfsctl.c
32036 --- linux-2.6.35.4/fs/nfsd/nfsctl.c 2010-08-26 19:47:12.000000000 -0400
32037 +++ linux-2.6.35.4/fs/nfsd/nfsctl.c 2010-09-17 20:12:09.000000000 -0400
32038 @@ -163,7 +163,7 @@ static int export_features_open(struct i
32039 return single_open(file, export_features_show, NULL);
32042 -static struct file_operations export_features_operations = {
32043 +static const struct file_operations export_features_operations = {
32044 .open = export_features_open,
32046 .llseek = seq_lseek,
32047 diff -urNp linux-2.6.35.4/fs/nfsd/vfs.c linux-2.6.35.4/fs/nfsd/vfs.c
32048 --- linux-2.6.35.4/fs/nfsd/vfs.c 2010-08-26 19:47:12.000000000 -0400
32049 +++ linux-2.6.35.4/fs/nfsd/vfs.c 2010-09-17 20:12:09.000000000 -0400
32050 @@ -933,7 +933,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
32054 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
32055 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
32059 @@ -1056,7 +1056,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
32061 /* Write the data. */
32062 oldfs = get_fs(); set_fs(KERNEL_DS);
32063 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
32064 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
32068 @@ -1541,7 +1541,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
32071 oldfs = get_fs(); set_fs(KERNEL_DS);
32072 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
32073 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
32077 diff -urNp linux-2.6.35.4/fs/nls/nls_base.c linux-2.6.35.4/fs/nls/nls_base.c
32078 --- linux-2.6.35.4/fs/nls/nls_base.c 2010-08-26 19:47:12.000000000 -0400
32079 +++ linux-2.6.35.4/fs/nls/nls_base.c 2010-09-17 20:12:09.000000000 -0400
32080 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
32081 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
32082 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
32083 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
32084 - {0, /* end of table */}
32085 + {0, 0, 0, 0, 0, /* end of table */}
32088 #define UNICODE_MAX 0x0010ffff
32089 diff -urNp linux-2.6.35.4/fs/ntfs/file.c linux-2.6.35.4/fs/ntfs/file.c
32090 --- linux-2.6.35.4/fs/ntfs/file.c 2010-08-26 19:47:12.000000000 -0400
32091 +++ linux-2.6.35.4/fs/ntfs/file.c 2010-09-17 20:12:09.000000000 -0400
32092 @@ -2223,6 +2223,6 @@ const struct inode_operations ntfs_file_
32093 #endif /* NTFS_RW */
32096 -const struct file_operations ntfs_empty_file_ops = {};
32097 +const struct file_operations ntfs_empty_file_ops __read_only;
32099 -const struct inode_operations ntfs_empty_inode_ops = {};
32100 +const struct inode_operations ntfs_empty_inode_ops __read_only;
32101 diff -urNp linux-2.6.35.4/fs/ocfs2/localalloc.c linux-2.6.35.4/fs/ocfs2/localalloc.c
32102 --- linux-2.6.35.4/fs/ocfs2/localalloc.c 2010-08-26 19:47:12.000000000 -0400
32103 +++ linux-2.6.35.4/fs/ocfs2/localalloc.c 2010-09-17 20:12:09.000000000 -0400
32104 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
32108 - atomic_inc(&osb->alloc_stats.moves);
32109 + atomic_inc_unchecked(&osb->alloc_stats.moves);
32113 diff -urNp linux-2.6.35.4/fs/ocfs2/ocfs2.h linux-2.6.35.4/fs/ocfs2/ocfs2.h
32114 --- linux-2.6.35.4/fs/ocfs2/ocfs2.h 2010-08-26 19:47:12.000000000 -0400
32115 +++ linux-2.6.35.4/fs/ocfs2/ocfs2.h 2010-09-17 20:12:09.000000000 -0400
32116 @@ -223,11 +223,11 @@ enum ocfs2_vol_state
32118 struct ocfs2_alloc_stats
32121 - atomic_t local_data;
32122 - atomic_t bitmap_data;
32123 - atomic_t bg_allocs;
32124 - atomic_t bg_extends;
32125 + atomic_unchecked_t moves;
32126 + atomic_unchecked_t local_data;
32127 + atomic_unchecked_t bitmap_data;
32128 + atomic_unchecked_t bg_allocs;
32129 + atomic_unchecked_t bg_extends;
32132 enum ocfs2_local_alloc_state
32133 diff -urNp linux-2.6.35.4/fs/ocfs2/suballoc.c linux-2.6.35.4/fs/ocfs2/suballoc.c
32134 --- linux-2.6.35.4/fs/ocfs2/suballoc.c 2010-08-26 19:47:12.000000000 -0400
32135 +++ linux-2.6.35.4/fs/ocfs2/suballoc.c 2010-09-17 20:12:09.000000000 -0400
32136 @@ -856,7 +856,7 @@ static int ocfs2_reserve_suballoc_bits(s
32137 mlog_errno(status);
32140 - atomic_inc(&osb->alloc_stats.bg_extends);
32141 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
32143 /* You should never ask for this much metadata */
32144 BUG_ON(bits_wanted >
32145 @@ -1968,7 +1968,7 @@ int ocfs2_claim_metadata(handle_t *handl
32146 mlog_errno(status);
32149 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32150 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32152 *suballoc_loc = res.sr_bg_blkno;
32153 *suballoc_bit_start = res.sr_bit_offset;
32154 @@ -2045,7 +2045,7 @@ int ocfs2_claim_new_inode(handle_t *hand
32155 mlog_errno(status);
32158 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32159 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32161 BUG_ON(res.sr_bits != 1);
32163 @@ -2150,7 +2150,7 @@ int __ocfs2_claim_clusters(handle_t *han
32167 - atomic_inc(&osb->alloc_stats.local_data);
32168 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
32170 if (min_clusters > (osb->bitmap_cpg - 1)) {
32171 /* The only paths asking for contiguousness
32172 @@ -2176,7 +2176,7 @@ int __ocfs2_claim_clusters(handle_t *han
32173 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
32175 res.sr_bit_offset);
32176 - atomic_inc(&osb->alloc_stats.bitmap_data);
32177 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
32178 *num_clusters = res.sr_bits;
32181 diff -urNp linux-2.6.35.4/fs/ocfs2/super.c linux-2.6.35.4/fs/ocfs2/super.c
32182 --- linux-2.6.35.4/fs/ocfs2/super.c 2010-08-26 19:47:12.000000000 -0400
32183 +++ linux-2.6.35.4/fs/ocfs2/super.c 2010-09-17 20:12:09.000000000 -0400
32184 @@ -293,11 +293,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
32185 "%10s => GlobalAllocs: %d LocalAllocs: %d "
32186 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
32188 - atomic_read(&osb->alloc_stats.bitmap_data),
32189 - atomic_read(&osb->alloc_stats.local_data),
32190 - atomic_read(&osb->alloc_stats.bg_allocs),
32191 - atomic_read(&osb->alloc_stats.moves),
32192 - atomic_read(&osb->alloc_stats.bg_extends));
32193 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
32194 + atomic_read_unchecked(&osb->alloc_stats.local_data),
32195 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
32196 + atomic_read_unchecked(&osb->alloc_stats.moves),
32197 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
32199 out += snprintf(buf + out, len - out,
32200 "%10s => State: %u Descriptor: %llu Size: %u bits "
32201 @@ -2047,11 +2047,11 @@ static int ocfs2_initialize_super(struct
32202 spin_lock_init(&osb->osb_xattr_lock);
32203 ocfs2_init_steal_slots(osb);
32205 - atomic_set(&osb->alloc_stats.moves, 0);
32206 - atomic_set(&osb->alloc_stats.local_data, 0);
32207 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
32208 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
32209 - atomic_set(&osb->alloc_stats.bg_extends, 0);
32210 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
32211 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
32212 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
32213 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
32214 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
32216 /* Copy the blockcheck stats from the superblock probe */
32217 osb->osb_ecc_stats = *stats;
32218 diff -urNp linux-2.6.35.4/fs/ocfs2/symlink.c linux-2.6.35.4/fs/ocfs2/symlink.c
32219 --- linux-2.6.35.4/fs/ocfs2/symlink.c 2010-08-26 19:47:12.000000000 -0400
32220 +++ linux-2.6.35.4/fs/ocfs2/symlink.c 2010-09-17 20:12:09.000000000 -0400
32221 @@ -148,7 +148,7 @@ bail:
32223 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
32225 - char *link = nd_get_link(nd);
32226 + const char *link = nd_get_link(nd);
32230 diff -urNp linux-2.6.35.4/fs/open.c linux-2.6.35.4/fs/open.c
32231 --- linux-2.6.35.4/fs/open.c 2010-08-26 19:47:12.000000000 -0400
32232 +++ linux-2.6.35.4/fs/open.c 2010-09-17 20:12:37.000000000 -0400
32233 @@ -42,6 +42,9 @@ int do_truncate(struct dentry *dentry, l
32237 + if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))
32240 newattrs.ia_size = length;
32241 newattrs.ia_valid = ATTR_SIZE | time_attrs;
32243 @@ -345,6 +348,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
32244 if (__mnt_is_readonly(path.mnt))
32247 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
32253 @@ -371,6 +377,8 @@ SYSCALL_DEFINE1(chdir, const char __user
32257 + gr_log_chdir(path.dentry, path.mnt);
32259 set_fs_pwd(current->fs, &path);
32262 @@ -397,6 +405,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
32265 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
32267 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
32271 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
32274 set_fs_pwd(current->fs, &file->f_path);
32276 @@ -425,7 +440,18 @@ SYSCALL_DEFINE1(chroot, const char __use
32280 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
32281 + goto dput_and_out;
32283 + if (gr_handle_chroot_caps(&path)) {
32285 + goto dput_and_out;
32288 set_fs_root(current->fs, &path);
32290 + gr_handle_chroot_chdir(&path);
32295 @@ -453,6 +479,12 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
32296 err = mnt_want_write_file(file);
32300 + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
32302 + goto out_drop_write;
32305 mutex_lock(&inode->i_mutex);
32306 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
32308 @@ -464,6 +496,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
32309 err = notify_change(dentry, &newattrs);
32311 mutex_unlock(&inode->i_mutex);
32313 mnt_drop_write(file->f_path.mnt);
32316 @@ -486,17 +519,30 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
32317 error = mnt_want_write(path.mnt);
32321 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
32323 + goto out_drop_write;
32326 mutex_lock(&inode->i_mutex);
32327 error = security_path_chmod(path.dentry, path.mnt, mode);
32330 if (mode == (mode_t) -1)
32331 mode = inode->i_mode;
32333 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
32338 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
32339 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
32340 error = notify_change(path.dentry, &newattrs);
32342 mutex_unlock(&inode->i_mutex);
32344 mnt_drop_write(path.mnt);
32347 @@ -515,6 +561,9 @@ static int chown_common(struct path *pat
32349 struct iattr newattrs;
32351 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
32354 newattrs.ia_valid = ATTR_CTIME;
32355 if (user != (uid_t) -1) {
32356 newattrs.ia_valid |= ATTR_UID;
32357 diff -urNp linux-2.6.35.4/fs/pipe.c linux-2.6.35.4/fs/pipe.c
32358 --- linux-2.6.35.4/fs/pipe.c 2010-08-26 19:47:12.000000000 -0400
32359 +++ linux-2.6.35.4/fs/pipe.c 2010-09-17 20:12:37.000000000 -0400
32360 @@ -420,9 +420,9 @@ redo:
32362 if (bufs) /* More to do? */
32364 - if (!pipe->writers)
32365 + if (!atomic_read(&pipe->writers))
32367 - if (!pipe->waiting_writers) {
32368 + if (!atomic_read(&pipe->waiting_writers)) {
32369 /* syscall merging: Usually we must not sleep
32370 * if O_NONBLOCK is set, or if we got some data.
32371 * But if a writer sleeps in kernel space, then
32372 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
32373 mutex_lock(&inode->i_mutex);
32374 pipe = inode->i_pipe;
32376 - if (!pipe->readers) {
32377 + if (!atomic_read(&pipe->readers)) {
32378 send_sig(SIGPIPE, current, 0);
32381 @@ -530,7 +530,7 @@ redo1:
32385 - if (!pipe->readers) {
32386 + if (!atomic_read(&pipe->readers)) {
32387 send_sig(SIGPIPE, current, 0);
32390 @@ -616,9 +616,9 @@ redo2:
32391 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
32394 - pipe->waiting_writers++;
32395 + atomic_inc(&pipe->waiting_writers);
32397 - pipe->waiting_writers--;
32398 + atomic_dec(&pipe->waiting_writers);
32401 mutex_unlock(&inode->i_mutex);
32402 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
32404 if (filp->f_mode & FMODE_READ) {
32405 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
32406 - if (!pipe->writers && filp->f_version != pipe->w_counter)
32407 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
32411 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
32412 * Most Unices do not set POLLERR for FIFOs but on Linux they
32413 * behave exactly like pipes for poll().
32415 - if (!pipe->readers)
32416 + if (!atomic_read(&pipe->readers))
32420 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
32422 mutex_lock(&inode->i_mutex);
32423 pipe = inode->i_pipe;
32424 - pipe->readers -= decr;
32425 - pipe->writers -= decw;
32426 + atomic_sub(decr, &pipe->readers);
32427 + atomic_sub(decw, &pipe->writers);
32429 - if (!pipe->readers && !pipe->writers) {
32430 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
32431 free_pipe_info(inode);
32433 wake_up_interruptible_sync(&pipe->wait);
32434 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
32436 if (inode->i_pipe) {
32438 - inode->i_pipe->readers++;
32439 + atomic_inc(&inode->i_pipe->readers);
32442 mutex_unlock(&inode->i_mutex);
32443 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
32445 if (inode->i_pipe) {
32447 - inode->i_pipe->writers++;
32448 + atomic_inc(&inode->i_pipe->writers);
32451 mutex_unlock(&inode->i_mutex);
32452 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
32453 if (inode->i_pipe) {
32455 if (filp->f_mode & FMODE_READ)
32456 - inode->i_pipe->readers++;
32457 + atomic_inc(&inode->i_pipe->readers);
32458 if (filp->f_mode & FMODE_WRITE)
32459 - inode->i_pipe->writers++;
32460 + atomic_inc(&inode->i_pipe->writers);
32463 mutex_unlock(&inode->i_mutex);
32464 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
32465 inode->i_pipe = NULL;
32468 -static struct vfsmount *pipe_mnt __read_mostly;
32469 +struct vfsmount *pipe_mnt __read_mostly;
32472 * pipefs_dname() is called from d_path().
32473 @@ -959,7 +959,8 @@ static struct inode * get_pipe_inode(voi
32475 inode->i_pipe = pipe;
32477 - pipe->readers = pipe->writers = 1;
32478 + atomic_set(&pipe->readers, 1);
32479 + atomic_set(&pipe->writers, 1);
32480 inode->i_fop = &rdwr_pipefifo_fops;
32483 diff -urNp linux-2.6.35.4/fs/proc/array.c linux-2.6.35.4/fs/proc/array.c
32484 --- linux-2.6.35.4/fs/proc/array.c 2010-08-26 19:47:12.000000000 -0400
32485 +++ linux-2.6.35.4/fs/proc/array.c 2010-09-17 20:12:37.000000000 -0400
32486 @@ -337,6 +337,21 @@ static void task_cpus_allowed(struct seq
32487 seq_printf(m, "\n");
32490 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
32491 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
32494 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
32495 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
32496 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
32497 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
32498 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
32499 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
32501 + seq_printf(m, "PaX:\t-----\n");
32505 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
32506 struct pid *pid, struct task_struct *task)
32508 @@ -357,9 +372,20 @@ int proc_pid_status(struct seq_file *m,
32509 task_show_regs(m, task);
32511 task_context_switch_counts(m, task);
32513 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
32514 + task_pax(m, task);
32520 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32521 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
32522 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
32523 + _mm->pax_flags & MF_PAX_SEGMEXEC))
32526 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
32527 struct pid *pid, struct task_struct *task, int whole)
32529 @@ -452,6 +478,19 @@ static int do_task_stat(struct seq_file
32530 gtime = task->gtime;
32533 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32534 + if (PAX_RAND_FLAGS(mm)) {
32540 +#ifdef CONFIG_GRKERNSEC_HIDESYM
32546 /* scale priority and nice values from timeslices to -20..20 */
32547 /* to make it look like a "normal" Unix priority/nice value */
32548 priority = task_prio(task);
32549 @@ -492,9 +531,15 @@ static int do_task_stat(struct seq_file
32551 mm ? get_mm_rss(mm) : 0,
32553 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32554 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
32555 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
32556 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
32558 mm ? mm->start_code : 0,
32559 mm ? mm->end_code : 0,
32560 (permitted && mm) ? mm->start_stack : 0,
32564 /* The signal information here is obsolete.
32565 @@ -547,3 +592,10 @@ int proc_pid_statm(struct seq_file *m, s
32570 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
32571 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
32573 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
32576 diff -urNp linux-2.6.35.4/fs/proc/base.c linux-2.6.35.4/fs/proc/base.c
32577 --- linux-2.6.35.4/fs/proc/base.c 2010-08-26 19:47:12.000000000 -0400
32578 +++ linux-2.6.35.4/fs/proc/base.c 2010-09-17 20:12:37.000000000 -0400
32579 @@ -103,6 +103,22 @@ struct pid_entry {
32583 +struct getdents_callback {
32584 + struct linux_dirent __user * current_dir;
32585 + struct linux_dirent __user * previous;
32586 + struct file * file;
32591 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
32592 + loff_t offset, u64 ino, unsigned int d_type)
32594 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
32595 + buf->error = -EINVAL;
32599 #define NOD(NAME, MODE, IOP, FOP, OP) { \
32601 .len = sizeof(NAME) - 1, \
32602 @@ -202,6 +218,9 @@ static int check_mem_permission(struct t
32603 if (task == current)
32606 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
32610 * If current is actively ptrace'ing, and would also be
32611 * permitted to freshly attach with ptrace now, permit it.
32612 @@ -249,6 +268,9 @@ static int proc_pid_cmdline(struct task_
32614 goto out_mm; /* Shh! No looking before we're done */
32616 + if (gr_acl_handle_procpidmem(task))
32619 len = mm->arg_end - mm->arg_start;
32621 if (len > PAGE_SIZE)
32622 @@ -276,12 +298,26 @@ out:
32626 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32627 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
32628 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
32629 + _mm->pax_flags & MF_PAX_SEGMEXEC))
32632 static int proc_pid_auxv(struct task_struct *task, char *buffer)
32635 struct mm_struct *mm = get_task_mm(task);
32637 unsigned int nwords = 0;
32639 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32640 + if (PAX_RAND_FLAGS(mm)) {
32648 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
32649 @@ -317,7 +353,7 @@ static int proc_pid_wchan(struct task_st
32651 #endif /* CONFIG_KALLSYMS */
32653 -#ifdef CONFIG_STACKTRACE
32654 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
32656 #define MAX_STACK_TRACE_DEPTH 64
32658 @@ -511,7 +547,7 @@ static int proc_pid_limits(struct task_s
32662 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
32663 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
32664 static int proc_pid_syscall(struct task_struct *task, char *buffer)
32667 @@ -920,6 +956,9 @@ static ssize_t environ_read(struct file
32671 + if (gr_acl_handle_procpidmem(task))
32674 if (!ptrace_may_access(task, PTRACE_MODE_READ))
32677 @@ -1514,7 +1553,11 @@ static struct inode *proc_pid_make_inode
32679 cred = __task_cred(task);
32680 inode->i_uid = cred->euid;
32681 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32682 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
32684 inode->i_gid = cred->egid;
32688 security_task_to_inode(task, inode);
32689 @@ -1532,6 +1575,9 @@ static int pid_getattr(struct vfsmount *
32690 struct inode *inode = dentry->d_inode;
32691 struct task_struct *task;
32692 const struct cred *cred;
32693 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32694 + const struct cred *tmpcred = current_cred();
32697 generic_fillattr(inode, stat);
32699 @@ -1539,12 +1585,34 @@ static int pid_getattr(struct vfsmount *
32702 task = pid_task(proc_pid(inode), PIDTYPE_PID);
32704 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
32705 + rcu_read_unlock();
32710 + cred = __task_cred(task);
32711 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32712 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
32713 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32714 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
32718 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
32719 +#ifdef CONFIG_GRKERNSEC_PROC_USER
32720 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
32721 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32722 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
32724 task_dumpable(task)) {
32725 - cred = __task_cred(task);
32726 stat->uid = cred->euid;
32727 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32728 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
32730 stat->gid = cred->egid;
32735 @@ -1576,11 +1644,20 @@ static int pid_revalidate(struct dentry
32738 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
32739 +#ifdef CONFIG_GRKERNSEC_PROC_USER
32740 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
32741 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32742 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
32744 task_dumpable(task)) {
32746 cred = __task_cred(task);
32747 inode->i_uid = cred->euid;
32748 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32749 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
32751 inode->i_gid = cred->egid;
32756 @@ -1701,7 +1778,8 @@ static int proc_fd_info(struct inode *in
32757 int fd = proc_fd(inode);
32760 - files = get_files_struct(task);
32761 + if (!gr_acl_handle_procpidmem(task))
32762 + files = get_files_struct(task);
32763 put_task_struct(task);
32766 @@ -1953,12 +2031,22 @@ static const struct file_operations proc
32767 static int proc_fd_permission(struct inode *inode, int mask)
32770 + struct task_struct *task;
32772 rv = generic_permission(inode, mask, NULL);
32776 if (task_pid(current) == proc_pid(inode))
32779 + task = get_proc_task(inode);
32780 + if (task == NULL)
32783 + if (gr_acl_handle_procpidmem(task))
32786 + put_task_struct(task);
32791 @@ -2067,6 +2155,9 @@ static struct dentry *proc_pident_lookup
32795 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
32799 * Yes, it does not scale. And it should not. Don't add
32800 * new entries into /proc/<tgid>/ without very good reasons.
32801 @@ -2111,6 +2202,9 @@ static int proc_pident_readdir(struct fi
32805 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
32811 @@ -2380,7 +2474,7 @@ static void *proc_self_follow_link(struc
32812 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
32815 - char *s = nd_get_link(nd);
32816 + const char *s = nd_get_link(nd);
32820 @@ -2580,7 +2674,7 @@ static const struct pid_entry tgid_base_
32821 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
32823 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
32824 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
32825 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
32826 INF("syscall", S_IRUSR, proc_pid_syscall),
32828 INF("cmdline", S_IRUGO, proc_pid_cmdline),
32829 @@ -2608,7 +2702,7 @@ static const struct pid_entry tgid_base_
32830 #ifdef CONFIG_KALLSYMS
32831 INF("wchan", S_IRUGO, proc_pid_wchan),
32833 -#ifdef CONFIG_STACKTRACE
32834 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
32835 ONE("stack", S_IRUSR, proc_pid_stack),
32837 #ifdef CONFIG_SCHEDSTATS
32838 @@ -2638,6 +2732,9 @@ static const struct pid_entry tgid_base_
32839 INF("io", S_IRUGO, proc_tgid_io_accounting),
32841 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
32842 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
32843 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
32847 static int proc_tgid_base_readdir(struct file * filp,
32848 @@ -2762,7 +2859,14 @@ static struct dentry *proc_pid_instantia
32852 +#ifdef CONFIG_GRKERNSEC_PROC_USER
32853 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
32854 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32855 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
32856 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
32858 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
32860 inode->i_op = &proc_tgid_base_inode_operations;
32861 inode->i_fop = &proc_tgid_base_operations;
32862 inode->i_flags|=S_IMMUTABLE;
32863 @@ -2804,7 +2908,11 @@ struct dentry *proc_pid_lookup(struct in
32867 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
32868 + goto out_put_task;
32870 result = proc_pid_instantiate(dir, dentry, task, NULL);
32872 put_task_struct(task);
32875 @@ -2869,6 +2977,11 @@ int proc_pid_readdir(struct file * filp,
32877 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
32878 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
32879 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32880 + const struct cred *tmpcred = current_cred();
32881 + const struct cred *itercred;
32883 + filldir_t __filldir = filldir;
32884 struct tgid_iter iter;
32885 struct pid_namespace *ns;
32887 @@ -2887,8 +3000,27 @@ int proc_pid_readdir(struct file * filp,
32888 for (iter = next_tgid(ns, iter);
32890 iter.tgid += 1, iter = next_tgid(ns, iter)) {
32891 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32893 + itercred = __task_cred(iter.task);
32895 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
32896 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32897 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
32898 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32899 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
32904 + __filldir = &gr_fake_filldir;
32906 + __filldir = filldir;
32907 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32908 + rcu_read_unlock();
32910 filp->f_pos = iter.tgid + TGID_OFFSET;
32911 if (!vx_proc_task_visible(iter.task))
32913 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
32914 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
32915 put_task_struct(iter.task);
32916 @@ -2915,7 +3047,7 @@ static const struct pid_entry tid_base_s
32917 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
32919 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
32920 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
32921 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
32922 INF("syscall", S_IRUSR, proc_pid_syscall),
32924 INF("cmdline", S_IRUGO, proc_pid_cmdline),
32925 @@ -2942,7 +3074,7 @@ static const struct pid_entry tid_base_s
32926 #ifdef CONFIG_KALLSYMS
32927 INF("wchan", S_IRUGO, proc_pid_wchan),
32929 -#ifdef CONFIG_STACKTRACE
32930 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
32931 ONE("stack", S_IRUSR, proc_pid_stack),
32933 #ifdef CONFIG_SCHEDSTATS
32934 diff -urNp linux-2.6.35.4/fs/proc/cmdline.c linux-2.6.35.4/fs/proc/cmdline.c
32935 --- linux-2.6.35.4/fs/proc/cmdline.c 2010-08-26 19:47:12.000000000 -0400
32936 +++ linux-2.6.35.4/fs/proc/cmdline.c 2010-09-17 20:12:37.000000000 -0400
32937 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
32939 static int __init proc_cmdline_init(void)
32941 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
32942 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
32944 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
32948 module_init(proc_cmdline_init);
32949 diff -urNp linux-2.6.35.4/fs/proc/devices.c linux-2.6.35.4/fs/proc/devices.c
32950 --- linux-2.6.35.4/fs/proc/devices.c 2010-08-26 19:47:12.000000000 -0400
32951 +++ linux-2.6.35.4/fs/proc/devices.c 2010-09-17 20:12:37.000000000 -0400
32952 @@ -64,7 +64,11 @@ static const struct file_operations proc
32954 static int __init proc_devices_init(void)
32956 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
32957 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
32959 proc_create("devices", 0, NULL, &proc_devinfo_operations);
32963 module_init(proc_devices_init);
32964 diff -urNp linux-2.6.35.4/fs/proc/inode.c linux-2.6.35.4/fs/proc/inode.c
32965 --- linux-2.6.35.4/fs/proc/inode.c 2010-08-26 19:47:12.000000000 -0400
32966 +++ linux-2.6.35.4/fs/proc/inode.c 2010-09-17 20:12:37.000000000 -0400
32967 @@ -435,7 +435,11 @@ struct inode *proc_get_inode(struct supe
32969 inode->i_mode = de->mode;
32970 inode->i_uid = de->uid;
32971 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32972 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
32974 inode->i_gid = de->gid;
32978 inode->i_size = de->size;
32979 diff -urNp linux-2.6.35.4/fs/proc/internal.h linux-2.6.35.4/fs/proc/internal.h
32980 --- linux-2.6.35.4/fs/proc/internal.h 2010-08-26 19:47:12.000000000 -0400
32981 +++ linux-2.6.35.4/fs/proc/internal.h 2010-09-17 20:12:37.000000000 -0400
32982 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
32983 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
32984 struct pid *pid, struct task_struct *task);
32986 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
32987 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
32989 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
32991 extern const struct file_operations proc_maps_operations;
32992 diff -urNp linux-2.6.35.4/fs/proc/Kconfig linux-2.6.35.4/fs/proc/Kconfig
32993 --- linux-2.6.35.4/fs/proc/Kconfig 2010-08-26 19:47:12.000000000 -0400
32994 +++ linux-2.6.35.4/fs/proc/Kconfig 2010-09-17 20:12:37.000000000 -0400
32995 @@ -30,12 +30,12 @@ config PROC_FS
32998 bool "/proc/kcore support" if !ARM
32999 - depends on PROC_FS && MMU
33000 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
33003 bool "/proc/vmcore support (EXPERIMENTAL)"
33004 - depends on PROC_FS && CRASH_DUMP
33006 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
33009 Exports the dump image of crashed kernel in ELF format.
33011 @@ -59,8 +59,8 @@ config PROC_SYSCTL
33014 config PROC_PAGE_MONITOR
33016 - depends on PROC_FS && MMU
33018 + depends on PROC_FS && MMU && !GRKERNSEC
33019 bool "Enable /proc page monitoring" if EMBEDDED
33021 Various /proc files exist to monitor process memory utilization:
33022 diff -urNp linux-2.6.35.4/fs/proc/kcore.c linux-2.6.35.4/fs/proc/kcore.c
33023 --- linux-2.6.35.4/fs/proc/kcore.c 2010-08-26 19:47:12.000000000 -0400
33024 +++ linux-2.6.35.4/fs/proc/kcore.c 2010-09-17 20:12:37.000000000 -0400
33025 @@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
33026 * the addresses in the elf_phdr on our list.
33028 start = kc_offset_to_vaddr(*fpos - elf_buflen);
33029 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
33030 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
33031 + if (tsz > buflen)
33036 struct kcore_list *m;
33038 @@ -509,20 +510,18 @@ read_kcore(struct file *file, char __use
33041 if (kern_addr_valid(start)) {
33045 - n = copy_to_user(buffer, (char *)start, tsz);
33047 - * We cannot distingush between fault on source
33048 - * and fault on destination. When this happens
33049 - * we clear too and hope it will trigger the
33053 - if (clear_user(buffer + tsz - n,
33055 + elf_buf = kmalloc(tsz, GFP_KERNEL);
33058 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
33059 + if (copy_to_user(buffer, elf_buf, tsz)) {
33066 if (clear_user(buffer, tsz))
33068 @@ -542,6 +541,9 @@ read_kcore(struct file *file, char __use
33070 static int open_kcore(struct inode *inode, struct file *filp)
33072 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
33075 if (!capable(CAP_SYS_RAWIO))
33077 if (kcore_need_update)
33078 diff -urNp linux-2.6.35.4/fs/proc/meminfo.c linux-2.6.35.4/fs/proc/meminfo.c
33079 --- linux-2.6.35.4/fs/proc/meminfo.c 2010-08-26 19:47:12.000000000 -0400
33080 +++ linux-2.6.35.4/fs/proc/meminfo.c 2010-09-17 20:12:09.000000000 -0400
33081 @@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
33083 vmi.largest_chunk >> 10
33084 #ifdef CONFIG_MEMORY_FAILURE
33085 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
33086 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
33090 diff -urNp linux-2.6.35.4/fs/proc/nommu.c linux-2.6.35.4/fs/proc/nommu.c
33091 --- linux-2.6.35.4/fs/proc/nommu.c 2010-08-26 19:47:12.000000000 -0400
33092 +++ linux-2.6.35.4/fs/proc/nommu.c 2010-09-17 20:12:09.000000000 -0400
33093 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
33096 seq_printf(m, "%*c", len, ' ');
33097 - seq_path(m, &file->f_path, "");
33098 + seq_path(m, &file->f_path, "\n\\");
33102 diff -urNp linux-2.6.35.4/fs/proc/proc_net.c linux-2.6.35.4/fs/proc/proc_net.c
33103 --- linux-2.6.35.4/fs/proc/proc_net.c 2010-08-26 19:47:12.000000000 -0400
33104 +++ linux-2.6.35.4/fs/proc/proc_net.c 2010-09-17 20:12:37.000000000 -0400
33105 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
33106 struct task_struct *task;
33107 struct nsproxy *ns;
33108 struct net *net = NULL;
33109 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33110 + const struct cred *cred = current_cred();
33113 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33116 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33117 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
33122 task = pid_task(proc_pid(dir), PIDTYPE_PID);
33123 diff -urNp linux-2.6.35.4/fs/proc/proc_sysctl.c linux-2.6.35.4/fs/proc/proc_sysctl.c
33124 --- linux-2.6.35.4/fs/proc/proc_sysctl.c 2010-08-26 19:47:12.000000000 -0400
33125 +++ linux-2.6.35.4/fs/proc/proc_sysctl.c 2010-09-17 20:12:37.000000000 -0400
33127 #include <linux/security.h>
33128 #include "internal.h"
33130 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
33132 static const struct dentry_operations proc_sys_dentry_operations;
33133 static const struct file_operations proc_sys_file_operations;
33134 static const struct inode_operations proc_sys_inode_operations;
33135 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
33139 + if (gr_handle_sysctl(p, MAY_EXEC))
33142 err = ERR_PTR(-ENOMEM);
33143 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
33145 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
33146 if (*pos < file->f_pos)
33149 + if (gr_handle_sysctl(table, 0))
33152 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
33155 @@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
33157 return PTR_ERR(head);
33159 + if (table && gr_handle_sysctl(table, MAY_EXEC))
33162 generic_fillattr(inode, stat);
33164 stat->mode = (stat->mode & S_IFMT) | table->mode;
33165 diff -urNp linux-2.6.35.4/fs/proc/root.c linux-2.6.35.4/fs/proc/root.c
33166 --- linux-2.6.35.4/fs/proc/root.c 2010-08-26 19:47:12.000000000 -0400
33167 +++ linux-2.6.35.4/fs/proc/root.c 2010-09-17 20:12:37.000000000 -0400
33168 @@ -133,7 +133,15 @@ void __init proc_root_init(void)
33169 #ifdef CONFIG_PROC_DEVICETREE
33170 proc_device_tree_init();
33172 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33173 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33174 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
33175 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33176 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
33179 proc_mkdir("bus", NULL);
33184 diff -urNp linux-2.6.35.4/fs/proc/task_mmu.c linux-2.6.35.4/fs/proc/task_mmu.c
33185 --- linux-2.6.35.4/fs/proc/task_mmu.c 2010-08-26 19:47:12.000000000 -0400
33186 +++ linux-2.6.35.4/fs/proc/task_mmu.c 2010-09-17 20:12:37.000000000 -0400
33187 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
33188 "VmExe:\t%8lu kB\n"
33189 "VmLib:\t%8lu kB\n"
33190 "VmPTE:\t%8lu kB\n"
33191 - "VmSwap:\t%8lu kB\n",
33192 - hiwater_vm << (PAGE_SHIFT-10),
33193 + "VmSwap:\t%8lu kB\n"
33195 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33196 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
33199 + ,hiwater_vm << (PAGE_SHIFT-10),
33200 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
33201 mm->locked_vm << (PAGE_SHIFT-10),
33202 hiwater_rss << (PAGE_SHIFT-10),
33203 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
33204 data << (PAGE_SHIFT-10),
33205 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
33206 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
33207 - swap << (PAGE_SHIFT-10));
33208 + swap << (PAGE_SHIFT-10)
33210 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33211 + , mm->context.user_cs_base, mm->context.user_cs_limit
33217 unsigned long task_vsize(struct mm_struct *mm)
33218 @@ -203,6 +214,12 @@ static int do_maps_open(struct inode *in
33222 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33223 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33224 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33225 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33228 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
33230 struct mm_struct *mm = vma->vm_mm;
33231 @@ -210,7 +227,6 @@ static void show_map_vma(struct seq_file
33232 int flags = vma->vm_flags;
33233 unsigned long ino = 0;
33234 unsigned long long pgoff = 0;
33235 - unsigned long start;
33239 @@ -221,19 +237,24 @@ static void show_map_vma(struct seq_file
33240 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
33243 - /* We don't show the stack guard page in /proc/maps */
33244 - start = vma->vm_start;
33245 - if (vma->vm_flags & VM_GROWSDOWN)
33246 - start += PAGE_SIZE;
33248 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
33250 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33251 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
33252 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
33257 flags & VM_READ ? 'r' : '-',
33258 flags & VM_WRITE ? 'w' : '-',
33259 flags & VM_EXEC ? 'x' : '-',
33260 flags & VM_MAYSHARE ? 's' : 'p',
33261 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33262 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
33266 MAJOR(dev), MINOR(dev), ino, &len);
33269 @@ -242,16 +263,16 @@ static void show_map_vma(struct seq_file
33272 pad_len_spaces(m, len);
33273 - seq_path(m, &file->f_path, "\n");
33274 + seq_path(m, &file->f_path, "\n\\");
33276 const char *name = arch_vma_name(vma);
33279 - if (vma->vm_start <= mm->start_brk &&
33280 - vma->vm_end >= mm->brk) {
33281 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
33283 - } else if (vma->vm_start <= mm->start_stack &&
33284 - vma->vm_end >= mm->start_stack) {
33285 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
33286 + (vma->vm_start <= mm->start_stack &&
33287 + vma->vm_end >= mm->start_stack)) {
33291 @@ -393,11 +414,16 @@ static int show_smap(struct seq_file *m,
33294 memset(&mss, 0, sizeof mss);
33296 - /* mmap_sem is held in m_start */
33297 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
33298 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
33300 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33301 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
33304 + /* mmap_sem is held in m_start */
33305 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
33306 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
33307 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33310 show_map_vma(m, vma);
33313 @@ -412,7 +438,11 @@ static int show_smap(struct seq_file *m,
33315 "KernelPageSize: %8lu kB\n"
33316 "MMUPageSize: %8lu kB\n",
33317 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33318 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
33320 (vma->vm_end - vma->vm_start) >> 10,
33322 mss.resident >> 10,
33323 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
33324 mss.shared_clean >> 10,
33325 diff -urNp linux-2.6.35.4/fs/proc/task_nommu.c linux-2.6.35.4/fs/proc/task_nommu.c
33326 --- linux-2.6.35.4/fs/proc/task_nommu.c 2010-08-26 19:47:12.000000000 -0400
33327 +++ linux-2.6.35.4/fs/proc/task_nommu.c 2010-09-17 20:12:09.000000000 -0400
33328 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
33330 bytes += kobjsize(mm);
33332 - if (current->fs && current->fs->users > 1)
33333 + if (current->fs && atomic_read(¤t->fs->users) > 1)
33334 sbytes += kobjsize(current->fs);
33336 bytes += kobjsize(current->fs);
33337 @@ -165,7 +165,7 @@ static int nommu_vma_show(struct seq_fil
33340 pad_len_spaces(m, len);
33341 - seq_path(m, &file->f_path, "");
33342 + seq_path(m, &file->f_path, "\n\\");
33344 if (vma->vm_start <= mm->start_stack &&
33345 vma->vm_end >= mm->start_stack) {
33346 diff -urNp linux-2.6.35.4/fs/readdir.c linux-2.6.35.4/fs/readdir.c
33347 --- linux-2.6.35.4/fs/readdir.c 2010-08-26 19:47:12.000000000 -0400
33348 +++ linux-2.6.35.4/fs/readdir.c 2010-09-17 20:12:37.000000000 -0400
33350 #include <linux/security.h>
33351 #include <linux/syscalls.h>
33352 #include <linux/unistd.h>
33353 +#include <linux/namei.h>
33355 #include <asm/uaccess.h>
33357 @@ -67,6 +68,7 @@ struct old_linux_dirent {
33359 struct readdir_callback {
33360 struct old_linux_dirent __user * dirent;
33361 + struct file * file;
33365 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
33366 buf->result = -EOVERFLOW;
33370 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33374 dirent = buf->dirent;
33375 if (!access_ok(VERIFY_WRITE, dirent,
33376 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
33379 buf.dirent = dirent;
33382 error = vfs_readdir(file, fillonedir, &buf);
33384 @@ -142,6 +149,7 @@ struct linux_dirent {
33385 struct getdents_callback {
33386 struct linux_dirent __user * current_dir;
33387 struct linux_dirent __user * previous;
33388 + struct file * file;
33392 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
33393 buf->error = -EOVERFLOW;
33397 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33400 dirent = buf->previous;
33402 if (__put_user(offset, &dirent->d_off))
33403 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
33404 buf.previous = NULL;
33409 error = vfs_readdir(file, filldir, &buf);
33411 @@ -228,6 +241,7 @@ out:
33412 struct getdents_callback64 {
33413 struct linux_dirent64 __user * current_dir;
33414 struct linux_dirent64 __user * previous;
33415 + struct file *file;
33419 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
33420 buf->error = -EINVAL; /* only used if we fail.. */
33421 if (reclen > buf->count)
33424 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33427 dirent = buf->previous;
33429 if (__put_user(offset, &dirent->d_off))
33430 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
33432 buf.current_dir = dirent;
33433 buf.previous = NULL;
33438 diff -urNp linux-2.6.35.4/fs/reiserfs/do_balan.c linux-2.6.35.4/fs/reiserfs/do_balan.c
33439 --- linux-2.6.35.4/fs/reiserfs/do_balan.c 2010-08-26 19:47:12.000000000 -0400
33440 +++ linux-2.6.35.4/fs/reiserfs/do_balan.c 2010-09-17 20:12:09.000000000 -0400
33441 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
33445 - atomic_inc(&(fs_generation(tb->tb_sb)));
33446 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
33447 do_balance_starts(tb);
33449 /* balance leaf returns 0 except if combining L R and S into
33450 diff -urNp linux-2.6.35.4/fs/reiserfs/item_ops.c linux-2.6.35.4/fs/reiserfs/item_ops.c
33451 --- linux-2.6.35.4/fs/reiserfs/item_ops.c 2010-08-26 19:47:12.000000000 -0400
33452 +++ linux-2.6.35.4/fs/reiserfs/item_ops.c 2010-09-17 20:12:09.000000000 -0400
33453 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
33454 vi->vi_index, vi->vi_type, vi->vi_ih);
33457 -static struct item_operations stat_data_ops = {
33458 +static const struct item_operations stat_data_ops = {
33459 .bytes_number = sd_bytes_number,
33460 .decrement_key = sd_decrement_key,
33461 .is_left_mergeable = sd_is_left_mergeable,
33462 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
33463 vi->vi_index, vi->vi_type, vi->vi_ih);
33466 -static struct item_operations direct_ops = {
33467 +static const struct item_operations direct_ops = {
33468 .bytes_number = direct_bytes_number,
33469 .decrement_key = direct_decrement_key,
33470 .is_left_mergeable = direct_is_left_mergeable,
33471 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
33472 vi->vi_index, vi->vi_type, vi->vi_ih);
33475 -static struct item_operations indirect_ops = {
33476 +static const struct item_operations indirect_ops = {
33477 .bytes_number = indirect_bytes_number,
33478 .decrement_key = indirect_decrement_key,
33479 .is_left_mergeable = indirect_is_left_mergeable,
33480 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
33484 -static struct item_operations direntry_ops = {
33485 +static const struct item_operations direntry_ops = {
33486 .bytes_number = direntry_bytes_number,
33487 .decrement_key = direntry_decrement_key,
33488 .is_left_mergeable = direntry_is_left_mergeable,
33489 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
33490 "Invalid item type observed, run fsck ASAP");
33493 -static struct item_operations errcatch_ops = {
33494 +static const struct item_operations errcatch_ops = {
33495 errcatch_bytes_number,
33496 errcatch_decrement_key,
33497 errcatch_is_left_mergeable,
33498 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
33499 #error Item types must use disk-format assigned values.
33502 -struct item_operations *item_ops[TYPE_ANY + 1] = {
33503 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
33507 diff -urNp linux-2.6.35.4/fs/reiserfs/procfs.c linux-2.6.35.4/fs/reiserfs/procfs.c
33508 --- linux-2.6.35.4/fs/reiserfs/procfs.c 2010-08-26 19:47:12.000000000 -0400
33509 +++ linux-2.6.35.4/fs/reiserfs/procfs.c 2010-09-17 20:12:09.000000000 -0400
33510 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
33511 "SMALL_TAILS " : "NO_TAILS ",
33512 replay_only(sb) ? "REPLAY_ONLY " : "",
33513 convert_reiserfs(sb) ? "CONV " : "",
33514 - atomic_read(&r->s_generation_counter),
33515 + atomic_read_unchecked(&r->s_generation_counter),
33516 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
33517 SF(s_do_balance), SF(s_unneeded_left_neighbor),
33518 SF(s_good_search_by_key_reada), SF(s_bmaps),
33519 diff -urNp linux-2.6.35.4/fs/select.c linux-2.6.35.4/fs/select.c
33520 --- linux-2.6.35.4/fs/select.c 2010-08-26 19:47:12.000000000 -0400
33521 +++ linux-2.6.35.4/fs/select.c 2010-09-17 20:12:37.000000000 -0400
33523 #include <linux/module.h>
33524 #include <linux/slab.h>
33525 #include <linux/poll.h>
33526 +#include <linux/security.h>
33527 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
33528 #include <linux/file.h>
33529 #include <linux/fdtable.h>
33530 @@ -838,6 +839,7 @@ int do_sys_poll(struct pollfd __user *uf
33531 struct poll_list *walk = head;
33532 unsigned long todo = nfds;
33534 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
33535 if (nfds > rlimit(RLIMIT_NOFILE))
33538 diff -urNp linux-2.6.35.4/fs/seq_file.c linux-2.6.35.4/fs/seq_file.c
33539 --- linux-2.6.35.4/fs/seq_file.c 2010-08-26 19:47:12.000000000 -0400
33540 +++ linux-2.6.35.4/fs/seq_file.c 2010-09-17 20:12:09.000000000 -0400
33541 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
33545 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
33546 + m->size = PAGE_SIZE;
33547 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
33551 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
33555 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
33557 + m->buf = kmalloc(m->size, GFP_KERNEL);
33558 return !m->buf ? -ENOMEM : -EAGAIN;
33561 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
33562 m->version = file->f_version;
33563 /* grab buffer if we didn't have one */
33565 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
33566 + m->size = PAGE_SIZE;
33567 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
33571 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
33575 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
33577 + m->buf = kmalloc(m->size, GFP_KERNEL);
33581 diff -urNp linux-2.6.35.4/fs/smbfs/symlink.c linux-2.6.35.4/fs/smbfs/symlink.c
33582 --- linux-2.6.35.4/fs/smbfs/symlink.c 2010-08-26 19:47:12.000000000 -0400
33583 +++ linux-2.6.35.4/fs/smbfs/symlink.c 2010-09-17 20:12:09.000000000 -0400
33584 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
33586 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
33588 - char *s = nd_get_link(nd);
33589 + const char *s = nd_get_link(nd);
33593 diff -urNp linux-2.6.35.4/fs/splice.c linux-2.6.35.4/fs/splice.c
33594 --- linux-2.6.35.4/fs/splice.c 2010-08-26 19:47:12.000000000 -0400
33595 +++ linux-2.6.35.4/fs/splice.c 2010-09-17 20:12:09.000000000 -0400
33596 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
33600 - if (!pipe->readers) {
33601 + if (!atomic_read(&pipe->readers)) {
33602 send_sig(SIGPIPE, current, 0);
33605 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
33609 - pipe->waiting_writers++;
33610 + atomic_inc(&pipe->waiting_writers);
33612 - pipe->waiting_writers--;
33613 + atomic_dec(&pipe->waiting_writers);
33617 @@ -566,7 +566,7 @@ static ssize_t kernel_readv(struct file
33620 /* The cast to a user pointer is valid due to the set_fs() */
33621 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
33622 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
33626 @@ -581,7 +581,7 @@ static ssize_t kernel_write(struct file
33629 /* The cast to a user pointer is valid due to the set_fs() */
33630 - res = vfs_write(file, (const char __user *)buf, count, &pos);
33631 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
33635 @@ -634,7 +634,7 @@ ssize_t default_file_splice_read(struct
33638 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
33639 - vec[i].iov_base = (void __user *) page_address(page);
33640 + vec[i].iov_base = (__force void __user *) page_address(page);
33641 vec[i].iov_len = this_len;
33642 spd.pages[i] = page;
33644 @@ -861,10 +861,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
33645 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
33647 while (!pipe->nrbufs) {
33648 - if (!pipe->writers)
33649 + if (!atomic_read(&pipe->writers))
33652 - if (!pipe->waiting_writers && sd->num_spliced)
33653 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
33656 if (sd->flags & SPLICE_F_NONBLOCK)
33657 @@ -1201,7 +1201,7 @@ ssize_t splice_direct_to_actor(struct fi
33658 * out of the pipe right after the splice_to_pipe(). So set
33659 * PIPE_READERS appropriately.
33661 - pipe->readers = 1;
33662 + atomic_set(&pipe->readers, 1);
33664 current->splice_pipe = pipe;
33666 @@ -1769,9 +1769,9 @@ static int ipipe_prep(struct pipe_inode_
33667 ret = -ERESTARTSYS;
33670 - if (!pipe->writers)
33671 + if (!atomic_read(&pipe->writers))
33673 - if (!pipe->waiting_writers) {
33674 + if (!atomic_read(&pipe->waiting_writers)) {
33675 if (flags & SPLICE_F_NONBLOCK) {
33678 @@ -1803,7 +1803,7 @@ static int opipe_prep(struct pipe_inode_
33681 while (pipe->nrbufs >= pipe->buffers) {
33682 - if (!pipe->readers) {
33683 + if (!atomic_read(&pipe->readers)) {
33684 send_sig(SIGPIPE, current, 0);
33687 @@ -1816,9 +1816,9 @@ static int opipe_prep(struct pipe_inode_
33688 ret = -ERESTARTSYS;
33691 - pipe->waiting_writers++;
33692 + atomic_inc(&pipe->waiting_writers);
33694 - pipe->waiting_writers--;
33695 + atomic_dec(&pipe->waiting_writers);
33699 @@ -1854,14 +1854,14 @@ retry:
33700 pipe_double_lock(ipipe, opipe);
33703 - if (!opipe->readers) {
33704 + if (!atomic_read(&opipe->readers)) {
33705 send_sig(SIGPIPE, current, 0);
33711 - if (!ipipe->nrbufs && !ipipe->writers)
33712 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
33716 @@ -1961,7 +1961,7 @@ static int link_pipe(struct pipe_inode_i
33717 pipe_double_lock(ipipe, opipe);
33720 - if (!opipe->readers) {
33721 + if (!atomic_read(&opipe->readers)) {
33722 send_sig(SIGPIPE, current, 0);
33725 @@ -2006,7 +2006,7 @@ static int link_pipe(struct pipe_inode_i
33726 * return EAGAIN if we have the potential of some data in the
33727 * future, otherwise just return 0
33729 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
33730 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
33733 pipe_unlock(ipipe);
33734 diff -urNp linux-2.6.35.4/fs/sysfs/symlink.c linux-2.6.35.4/fs/sysfs/symlink.c
33735 --- linux-2.6.35.4/fs/sysfs/symlink.c 2010-08-26 19:47:12.000000000 -0400
33736 +++ linux-2.6.35.4/fs/sysfs/symlink.c 2010-09-17 20:12:09.000000000 -0400
33737 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
33739 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
33741 - char *page = nd_get_link(nd);
33742 + const char *page = nd_get_link(nd);
33744 free_page((unsigned long)page);
33746 diff -urNp linux-2.6.35.4/fs/udf/misc.c linux-2.6.35.4/fs/udf/misc.c
33747 --- linux-2.6.35.4/fs/udf/misc.c 2010-08-26 19:47:12.000000000 -0400
33748 +++ linux-2.6.35.4/fs/udf/misc.c 2010-09-17 20:12:09.000000000 -0400
33749 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
33750 iinfo->i_lenEAttr += size;
33751 return (struct genericFormat *)&ea[offset];
33755 + if (loc & 0x02) {
33760 diff -urNp linux-2.6.35.4/fs/udf/udfdecl.h linux-2.6.35.4/fs/udf/udfdecl.h
33761 --- linux-2.6.35.4/fs/udf/udfdecl.h 2010-08-26 19:47:12.000000000 -0400
33762 +++ linux-2.6.35.4/fs/udf/udfdecl.h 2010-09-17 20:12:09.000000000 -0400
33763 @@ -26,7 +26,7 @@ do { \
33767 -#define udf_debug(f, a...) /**/
33768 +#define udf_debug(f, a...) do {} while (0)
33771 #define udf_info(f, a...) \
33772 diff -urNp linux-2.6.35.4/fs/utimes.c linux-2.6.35.4/fs/utimes.c
33773 --- linux-2.6.35.4/fs/utimes.c 2010-08-26 19:47:12.000000000 -0400
33774 +++ linux-2.6.35.4/fs/utimes.c 2010-09-17 20:12:37.000000000 -0400
33776 #include <linux/compiler.h>
33777 #include <linux/file.h>
33778 #include <linux/fs.h>
33779 +#include <linux/security.h>
33780 #include <linux/linkage.h>
33781 #include <linux/mount.h>
33782 #include <linux/namei.h>
33783 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
33784 goto mnt_drop_write_and_out;
33788 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
33790 + goto mnt_drop_write_and_out;
33793 mutex_lock(&inode->i_mutex);
33794 error = notify_change(path->dentry, &newattrs);
33795 mutex_unlock(&inode->i_mutex);
33796 diff -urNp linux-2.6.35.4/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.35.4/fs/xfs/linux-2.6/xfs_ioctl.c
33797 --- linux-2.6.35.4/fs/xfs/linux-2.6/xfs_ioctl.c 2010-08-26 19:47:12.000000000 -0400
33798 +++ linux-2.6.35.4/fs/xfs/linux-2.6/xfs_ioctl.c 2010-09-17 20:12:37.000000000 -0400
33799 @@ -136,7 +136,7 @@ xfs_find_handle(
33803 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
33804 + if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) ||
33805 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
33808 diff -urNp linux-2.6.35.4/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.35.4/fs/xfs/linux-2.6/xfs_iops.c
33809 --- linux-2.6.35.4/fs/xfs/linux-2.6/xfs_iops.c 2010-08-26 19:47:12.000000000 -0400
33810 +++ linux-2.6.35.4/fs/xfs/linux-2.6/xfs_iops.c 2010-09-17 20:12:09.000000000 -0400
33811 @@ -480,7 +480,7 @@ xfs_vn_put_link(
33812 struct nameidata *nd,
33815 - char *s = nd_get_link(nd);
33816 + const char *s = nd_get_link(nd);
33820 diff -urNp linux-2.6.35.4/fs/xfs/xfs_bmap.c linux-2.6.35.4/fs/xfs/xfs_bmap.c
33821 --- linux-2.6.35.4/fs/xfs/xfs_bmap.c 2010-08-26 19:47:12.000000000 -0400
33822 +++ linux-2.6.35.4/fs/xfs/xfs_bmap.c 2010-09-17 20:12:09.000000000 -0400
33823 @@ -296,7 +296,7 @@ xfs_bmap_validate_ret(
33827 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
33828 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
33832 diff -urNp linux-2.6.35.4/grsecurity/gracl_alloc.c linux-2.6.35.4/grsecurity/gracl_alloc.c
33833 --- linux-2.6.35.4/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
33834 +++ linux-2.6.35.4/grsecurity/gracl_alloc.c 2010-09-17 20:12:37.000000000 -0400
33836 +#include <linux/kernel.h>
33837 +#include <linux/mm.h>
33838 +#include <linux/slab.h>
33839 +#include <linux/vmalloc.h>
33840 +#include <linux/gracl.h>
33841 +#include <linux/grsecurity.h>
33843 +static unsigned long alloc_stack_next = 1;
33844 +static unsigned long alloc_stack_size = 1;
33845 +static void **alloc_stack;
33847 +static __inline__ int
33850 + if (alloc_stack_next == 1)
33853 + kfree(alloc_stack[alloc_stack_next - 2]);
33855 + alloc_stack_next--;
33860 +static __inline__ int
33861 +alloc_push(void *buf)
33863 + if (alloc_stack_next >= alloc_stack_size)
33866 + alloc_stack[alloc_stack_next - 1] = buf;
33868 + alloc_stack_next++;
33874 +acl_alloc(unsigned long len)
33876 + void *ret = NULL;
33878 + if (!len || len > PAGE_SIZE)
33881 + ret = kmalloc(len, GFP_KERNEL);
33884 + if (alloc_push(ret)) {
33895 +acl_alloc_num(unsigned long num, unsigned long len)
33897 + if (!len || (num > (PAGE_SIZE / len)))
33900 + return acl_alloc(num * len);
33904 +acl_free_all(void)
33906 + if (gr_acl_is_enabled() || !alloc_stack)
33909 + while (alloc_pop()) ;
33911 + if (alloc_stack) {
33912 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
33913 + kfree(alloc_stack);
33915 + vfree(alloc_stack);
33918 + alloc_stack = NULL;
33919 + alloc_stack_size = 1;
33920 + alloc_stack_next = 1;
33926 +acl_alloc_stack_init(unsigned long size)
33928 + if ((size * sizeof (void *)) <= PAGE_SIZE)
33930 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
33932 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
33934 + alloc_stack_size = size;
33936 + if (!alloc_stack)
33941 diff -urNp linux-2.6.35.4/grsecurity/gracl.c linux-2.6.35.4/grsecurity/gracl.c
33942 --- linux-2.6.35.4/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
33943 +++ linux-2.6.35.4/grsecurity/gracl.c 2010-09-17 20:18:36.000000000 -0400
33945 +#include <linux/kernel.h>
33946 +#include <linux/module.h>
33947 +#include <linux/sched.h>
33948 +#include <linux/mm.h>
33949 +#include <linux/file.h>
33950 +#include <linux/fs.h>
33951 +#include <linux/namei.h>
33952 +#include <linux/mount.h>
33953 +#include <linux/tty.h>
33954 +#include <linux/proc_fs.h>
33955 +#include <linux/smp_lock.h>
33956 +#include <linux/slab.h>
33957 +#include <linux/vmalloc.h>
33958 +#include <linux/types.h>
33959 +#include <linux/sysctl.h>
33960 +#include <linux/netdevice.h>
33961 +#include <linux/ptrace.h>
33962 +#include <linux/gracl.h>
33963 +#include <linux/gralloc.h>
33964 +#include <linux/grsecurity.h>
33965 +#include <linux/grinternal.h>
33966 +#include <linux/pid_namespace.h>
33967 +#include <linux/fdtable.h>
33968 +#include <linux/percpu.h>
33970 +#include <asm/uaccess.h>
33971 +#include <asm/errno.h>
33972 +#include <asm/mman.h>
33974 +static struct acl_role_db acl_role_set;
33975 +static struct name_db name_set;
33976 +static struct inodev_db inodev_set;
33978 +/* for keeping track of userspace pointers used for subjects, so we
33979 + can share references in the kernel as well
33982 +static struct dentry *real_root;
33983 +static struct vfsmount *real_root_mnt;
33985 +static struct acl_subj_map_db subj_map_set;
33987 +static struct acl_role_label *default_role;
33989 +static struct acl_role_label *role_list;
33991 +static u16 acl_sp_role_value;
33993 +extern char *gr_shared_page[4];
33994 +static DECLARE_MUTEX(gr_dev_sem);
33995 +DEFINE_RWLOCK(gr_inode_lock);
33997 +struct gr_arg *gr_usermode;
33999 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
34001 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
34002 +extern void gr_clear_learn_entries(void);
34004 +#ifdef CONFIG_GRKERNSEC_RESLOG
34005 +extern void gr_log_resource(const struct task_struct *task,
34006 + const int res, const unsigned long wanted, const int gt);
34009 +unsigned char *gr_system_salt;
34010 +unsigned char *gr_system_sum;
34012 +static struct sprole_pw **acl_special_roles = NULL;
34013 +static __u16 num_sprole_pws = 0;
34015 +static struct acl_role_label *kernel_role = NULL;
34017 +static unsigned int gr_auth_attempts = 0;
34018 +static unsigned long gr_auth_expires = 0UL;
34020 +extern struct vfsmount *sock_mnt;
34021 +extern struct vfsmount *pipe_mnt;
34022 +extern struct vfsmount *shm_mnt;
34023 +#ifdef CONFIG_HUGETLBFS
34024 +extern struct vfsmount *hugetlbfs_vfsmount;
34027 +static struct acl_object_label *fakefs_obj;
34029 +extern int gr_init_uidset(void);
34030 +extern void gr_free_uidset(void);
34031 +extern void gr_remove_uid(uid_t uid);
34032 +extern int gr_find_uid(uid_t uid);
34034 +extern spinlock_t vfsmount_lock;
34037 +gr_acl_is_enabled(void)
34039 + return (gr_status & GR_READY);
34042 +char gr_roletype_to_char(void)
34044 + switch (current->role->roletype &
34045 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
34046 + GR_ROLE_SPECIAL)) {
34047 + case GR_ROLE_DEFAULT:
34049 + case GR_ROLE_USER:
34051 + case GR_ROLE_GROUP:
34053 + case GR_ROLE_SPECIAL:
34061 +gr_acl_tpe_check(void)
34063 + if (unlikely(!(gr_status & GR_READY)))
34065 + if (current->role->roletype & GR_ROLE_TPE)
34072 +gr_handle_rawio(const struct inode *inode)
34074 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
34075 + if (inode && S_ISBLK(inode->i_mode) &&
34076 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
34077 + !capable(CAP_SYS_RAWIO))
34084 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
34086 + if (likely(lena != lenb))
34089 + return !memcmp(a, b, lena);
34092 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
34093 + struct dentry *root, struct vfsmount *rootmnt,
34094 + char *buffer, int buflen)
34096 + char * end = buffer+buflen;
34100 + spin_lock(&vfsmount_lock);
34106 + /* Get '/' right */
34111 + struct dentry * parent;
34113 + if (dentry == root && vfsmnt == rootmnt)
34115 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
34116 + /* Global root? */
34117 + if (vfsmnt->mnt_parent == vfsmnt) {
34118 + goto global_root;
34120 + dentry = vfsmnt->mnt_mountpoint;
34121 + vfsmnt = vfsmnt->mnt_parent;
34124 + parent = dentry->d_parent;
34125 + prefetch(parent);
34126 + namelen = dentry->d_name.len;
34127 + buflen -= namelen + 1;
34131 + memcpy(end, dentry->d_name.name, namelen);
34138 + spin_unlock(&vfsmount_lock);
34142 + namelen = dentry->d_name.len;
34143 + buflen -= namelen;
34146 + retval -= namelen-1; /* hit the slash */
34147 + memcpy(retval, dentry->d_name.name, namelen);
34150 + retval = ERR_PTR(-ENAMETOOLONG);
34155 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
34156 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
34160 + retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
34161 + if (unlikely(IS_ERR(retval)))
34162 + retval = strcpy(buf, "<path too long>");
34163 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
34164 + retval[1] = '\0';
34170 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
34171 + char *buf, int buflen)
34175 + /* we can use real_root, real_root_mnt, because this is only called
34176 + by the RBAC system */
34177 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
34183 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
34184 + char *buf, int buflen)
34187 + struct dentry *root;
34188 + struct vfsmount *rootmnt;
34189 + struct task_struct *reaper = &init_task;
34191 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
34192 + read_lock(&reaper->fs->lock);
34193 + root = dget(reaper->fs->root.dentry);
34194 + rootmnt = mntget(reaper->fs->root.mnt);
34195 + read_unlock(&reaper->fs->lock);
34197 + spin_lock(&dcache_lock);
34198 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
34199 + spin_unlock(&dcache_lock);
34207 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
34210 + spin_lock(&dcache_lock);
34211 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
34213 + spin_unlock(&dcache_lock);
34218 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
34220 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
34225 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
34227 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
34232 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
34234 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
34239 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
34241 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
34246 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
34248 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
34253 +to_gr_audit(const __u32 reqmode)
34255 + /* masks off auditable permission flags, then shifts them to create
34256 + auditing flags, and adds the special case of append auditing if
34257 + we're requesting write */
34258 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
34261 +struct acl_subject_label *
34262 +lookup_subject_map(const struct acl_subject_label *userp)
34264 + unsigned int index = shash(userp, subj_map_set.s_size);
34265 + struct subject_map *match;
34267 + match = subj_map_set.s_hash[index];
34269 + while (match && match->user != userp)
34270 + match = match->next;
34272 + if (match != NULL)
34273 + return match->kernel;
34279 +insert_subj_map_entry(struct subject_map *subjmap)
34281 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
34282 + struct subject_map **curr;
34284 + subjmap->prev = NULL;
34286 + curr = &subj_map_set.s_hash[index];
34287 + if (*curr != NULL)
34288 + (*curr)->prev = subjmap;
34290 + subjmap->next = *curr;
34296 +static struct acl_role_label *
34297 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
34300 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
34301 + struct acl_role_label *match;
34302 + struct role_allowed_ip *ipp;
34305 + match = acl_role_set.r_hash[index];
34308 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
34309 + for (x = 0; x < match->domain_child_num; x++) {
34310 + if (match->domain_children[x] == uid)
34313 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
34315 + match = match->next;
34318 + if (match == NULL) {
34320 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
34321 + match = acl_role_set.r_hash[index];
34324 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
34325 + for (x = 0; x < match->domain_child_num; x++) {
34326 + if (match->domain_children[x] == gid)
34329 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
34331 + match = match->next;
34334 + if (match == NULL)
34335 + match = default_role;
34336 + if (match->allowed_ips == NULL)
34339 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
34341 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
34342 + (ntohl(ipp->addr) & ipp->netmask)))
34345 + match = default_role;
34347 + } else if (match->allowed_ips == NULL) {
34350 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
34352 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
34353 + (ntohl(ipp->addr) & ipp->netmask)))
34362 +struct acl_subject_label *
34363 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
34364 + const struct acl_role_label *role)
34366 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
34367 + struct acl_subject_label *match;
34369 + match = role->subj_hash[index];
34371 + while (match && (match->inode != ino || match->device != dev ||
34372 + (match->mode & GR_DELETED))) {
34373 + match = match->next;
34376 + if (match && !(match->mode & GR_DELETED))
34382 +struct acl_subject_label *
34383 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
34384 + const struct acl_role_label *role)
34386 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
34387 + struct acl_subject_label *match;
34389 + match = role->subj_hash[index];
34391 + while (match && (match->inode != ino || match->device != dev ||
34392 + !(match->mode & GR_DELETED))) {
34393 + match = match->next;
34396 + if (match && (match->mode & GR_DELETED))
34402 +static struct acl_object_label *
34403 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
34404 + const struct acl_subject_label *subj)
34406 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
34407 + struct acl_object_label *match;
34409 + match = subj->obj_hash[index];
34411 + while (match && (match->inode != ino || match->device != dev ||
34412 + (match->mode & GR_DELETED))) {
34413 + match = match->next;
34416 + if (match && !(match->mode & GR_DELETED))
34422 +static struct acl_object_label *
34423 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
34424 + const struct acl_subject_label *subj)
34426 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
34427 + struct acl_object_label *match;
34429 + match = subj->obj_hash[index];
34431 + while (match && (match->inode != ino || match->device != dev ||
34432 + !(match->mode & GR_DELETED))) {
34433 + match = match->next;
34436 + if (match && (match->mode & GR_DELETED))
34439 + match = subj->obj_hash[index];
34441 + while (match && (match->inode != ino || match->device != dev ||
34442 + (match->mode & GR_DELETED))) {
34443 + match = match->next;
34446 + if (match && !(match->mode & GR_DELETED))
34452 +static struct name_entry *
34453 +lookup_name_entry(const char *name)
34455 + unsigned int len = strlen(name);
34456 + unsigned int key = full_name_hash(name, len);
34457 + unsigned int index = key % name_set.n_size;
34458 + struct name_entry *match;
34460 + match = name_set.n_hash[index];
34462 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
34463 + match = match->next;
34468 +static struct name_entry *
34469 +lookup_name_entry_create(const char *name)
34471 + unsigned int len = strlen(name);
34472 + unsigned int key = full_name_hash(name, len);
34473 + unsigned int index = key % name_set.n_size;
34474 + struct name_entry *match;
34476 + match = name_set.n_hash[index];
34478 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
34479 + !match->deleted))
34480 + match = match->next;
34482 + if (match && match->deleted)
34485 + match = name_set.n_hash[index];
34487 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
34489 + match = match->next;
34491 + if (match && !match->deleted)
34497 +static struct inodev_entry *
34498 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
34500 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
34501 + struct inodev_entry *match;
34503 + match = inodev_set.i_hash[index];
34505 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
34506 + match = match->next;
34512 +insert_inodev_entry(struct inodev_entry *entry)
34514 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
34515 + inodev_set.i_size);
34516 + struct inodev_entry **curr;
34518 + entry->prev = NULL;
34520 + curr = &inodev_set.i_hash[index];
34521 + if (*curr != NULL)
34522 + (*curr)->prev = entry;
34524 + entry->next = *curr;
34531 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
34533 + unsigned int index =
34534 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
34535 + struct acl_role_label **curr;
34536 + struct acl_role_label *tmp;
34538 + curr = &acl_role_set.r_hash[index];
34540 + /* if role was already inserted due to domains and already has
34541 + a role in the same bucket as it attached, then we need to
34542 + combine these two buckets
34544 + if (role->next) {
34545 + tmp = role->next;
34546 + while (tmp->next)
34548 + tmp->next = *curr;
34550 + role->next = *curr;
34557 +insert_acl_role_label(struct acl_role_label *role)
34561 + if (role_list == NULL) {
34562 + role_list = role;
34563 + role->prev = NULL;
34565 + role->prev = role_list;
34566 + role_list = role;
34569 + /* used for hash chains */
34570 + role->next = NULL;
34572 + if (role->roletype & GR_ROLE_DOMAIN) {
34573 + for (i = 0; i < role->domain_child_num; i++)
34574 + __insert_acl_role_label(role, role->domain_children[i]);
34576 + __insert_acl_role_label(role, role->uidgid);
34580 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
34582 + struct name_entry **curr, *nentry;
34583 + struct inodev_entry *ientry;
34584 + unsigned int len = strlen(name);
34585 + unsigned int key = full_name_hash(name, len);
34586 + unsigned int index = key % name_set.n_size;
34588 + curr = &name_set.n_hash[index];
34590 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
34591 + curr = &((*curr)->next);
34593 + if (*curr != NULL)
34596 + nentry = acl_alloc(sizeof (struct name_entry));
34597 + if (nentry == NULL)
34599 + ientry = acl_alloc(sizeof (struct inodev_entry));
34600 + if (ientry == NULL)
34602 + ientry->nentry = nentry;
34604 + nentry->key = key;
34605 + nentry->name = name;
34606 + nentry->inode = inode;
34607 + nentry->device = device;
34608 + nentry->len = len;
34609 + nentry->deleted = deleted;
34611 + nentry->prev = NULL;
34612 + curr = &name_set.n_hash[index];
34613 + if (*curr != NULL)
34614 + (*curr)->prev = nentry;
34615 + nentry->next = *curr;
34618 + /* insert us into the table searchable by inode/dev */
34619 + insert_inodev_entry(ientry);
34625 +insert_acl_obj_label(struct acl_object_label *obj,
34626 + struct acl_subject_label *subj)
34628 + unsigned int index =
34629 + fhash(obj->inode, obj->device, subj->obj_hash_size);
34630 + struct acl_object_label **curr;
34633 + obj->prev = NULL;
34635 + curr = &subj->obj_hash[index];
34636 + if (*curr != NULL)
34637 + (*curr)->prev = obj;
34639 + obj->next = *curr;
34646 +insert_acl_subj_label(struct acl_subject_label *obj,
34647 + struct acl_role_label *role)
34649 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
34650 + struct acl_subject_label **curr;
34652 + obj->prev = NULL;
34654 + curr = &role->subj_hash[index];
34655 + if (*curr != NULL)
34656 + (*curr)->prev = obj;
34658 + obj->next = *curr;
34664 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
34667 +create_table(__u32 * len, int elementsize)
34669 + unsigned int table_sizes[] = {
34670 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
34671 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
34672 + 4194301, 8388593, 16777213, 33554393, 67108859
34674 + void *newtable = NULL;
34675 + unsigned int pwr = 0;
34677 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
34678 + table_sizes[pwr] <= *len)
34681 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
34684 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
34686 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
34688 + newtable = vmalloc(table_sizes[pwr] * elementsize);
34690 + *len = table_sizes[pwr];
34696 +init_variables(const struct gr_arg *arg)
34698 + struct task_struct *reaper = &init_task;
34699 + unsigned int stacksize;
34701 + subj_map_set.s_size = arg->role_db.num_subjects;
34702 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
34703 + name_set.n_size = arg->role_db.num_objects;
34704 + inodev_set.i_size = arg->role_db.num_objects;
34706 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
34707 + !name_set.n_size || !inodev_set.i_size)
34710 + if (!gr_init_uidset())
34713 + /* set up the stack that holds allocation info */
34715 + stacksize = arg->role_db.num_pointers + 5;
34717 + if (!acl_alloc_stack_init(stacksize))
34720 + /* grab reference for the real root dentry and vfsmount */
34721 + read_lock(&reaper->fs->lock);
34722 + real_root_mnt = mntget(reaper->fs->root.mnt);
34723 + real_root = dget(reaper->fs->root.dentry);
34724 + read_unlock(&reaper->fs->lock);
34726 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
34727 + if (fakefs_obj == NULL)
34729 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
34731 + subj_map_set.s_hash =
34732 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
34733 + acl_role_set.r_hash =
34734 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
34735 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
34736 + inodev_set.i_hash =
34737 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
34739 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
34740 + !name_set.n_hash || !inodev_set.i_hash)
34743 + memset(subj_map_set.s_hash, 0,
34744 + sizeof(struct subject_map *) * subj_map_set.s_size);
34745 + memset(acl_role_set.r_hash, 0,
34746 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
34747 + memset(name_set.n_hash, 0,
34748 + sizeof (struct name_entry *) * name_set.n_size);
34749 + memset(inodev_set.i_hash, 0,
34750 + sizeof (struct inodev_entry *) * inodev_set.i_size);
34755 +/* free information not needed after startup
34756 + currently contains user->kernel pointer mappings for subjects
34760 +free_init_variables(void)
34764 + if (subj_map_set.s_hash) {
34765 + for (i = 0; i < subj_map_set.s_size; i++) {
34766 + if (subj_map_set.s_hash[i]) {
34767 + kfree(subj_map_set.s_hash[i]);
34768 + subj_map_set.s_hash[i] = NULL;
34772 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
34774 + kfree(subj_map_set.s_hash);
34776 + vfree(subj_map_set.s_hash);
34783 +free_variables(void)
34785 + struct acl_subject_label *s;
34786 + struct acl_role_label *r;
34787 + struct task_struct *task, *task2;
34790 + gr_clear_learn_entries();
34792 + read_lock(&tasklist_lock);
34793 + do_each_thread(task2, task) {
34794 + task->acl_sp_role = 0;
34795 + task->acl_role_id = 0;
34796 + task->acl = NULL;
34797 + task->role = NULL;
34798 + } while_each_thread(task2, task);
34799 + read_unlock(&tasklist_lock);
34801 + /* release the reference to the real root dentry and vfsmount */
34804 + real_root = NULL;
34805 + if (real_root_mnt)
34806 + mntput(real_root_mnt);
34807 + real_root_mnt = NULL;
34809 + /* free all object hash tables */
34811 + FOR_EACH_ROLE_START(r)
34812 + if (r->subj_hash == NULL)
34814 + FOR_EACH_SUBJECT_START(r, s, x)
34815 + if (s->obj_hash == NULL)
34817 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
34818 + kfree(s->obj_hash);
34820 + vfree(s->obj_hash);
34821 + FOR_EACH_SUBJECT_END(s, x)
34822 + FOR_EACH_NESTED_SUBJECT_START(r, s)
34823 + if (s->obj_hash == NULL)
34825 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
34826 + kfree(s->obj_hash);
34828 + vfree(s->obj_hash);
34829 + FOR_EACH_NESTED_SUBJECT_END(s)
34830 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
34831 + kfree(r->subj_hash);
34833 + vfree(r->subj_hash);
34834 + r->subj_hash = NULL;
34836 + FOR_EACH_ROLE_END(r)
34840 + if (acl_role_set.r_hash) {
34841 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
34843 + kfree(acl_role_set.r_hash);
34845 + vfree(acl_role_set.r_hash);
34847 + if (name_set.n_hash) {
34848 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
34850 + kfree(name_set.n_hash);
34852 + vfree(name_set.n_hash);
34855 + if (inodev_set.i_hash) {
34856 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
34858 + kfree(inodev_set.i_hash);
34860 + vfree(inodev_set.i_hash);
34863 + gr_free_uidset();
34865 + memset(&name_set, 0, sizeof (struct name_db));
34866 + memset(&inodev_set, 0, sizeof (struct inodev_db));
34867 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
34868 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
34870 + default_role = NULL;
34871 + role_list = NULL;
34877 +count_user_objs(struct acl_object_label *userp)
34879 + struct acl_object_label o_tmp;
34883 + if (copy_from_user(&o_tmp, userp,
34884 + sizeof (struct acl_object_label)))
34887 + userp = o_tmp.prev;
34894 +static struct acl_subject_label *
34895 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
34898 +copy_user_glob(struct acl_object_label *obj)
34900 + struct acl_object_label *g_tmp, **guser;
34901 + unsigned int len;
34904 + if (obj->globbed == NULL)
34907 + guser = &obj->globbed;
34909 + g_tmp = (struct acl_object_label *)
34910 + acl_alloc(sizeof (struct acl_object_label));
34911 + if (g_tmp == NULL)
34914 + if (copy_from_user(g_tmp, *guser,
34915 + sizeof (struct acl_object_label)))
34918 + len = strnlen_user(g_tmp->filename, PATH_MAX);
34920 + if (!len || len >= PATH_MAX)
34923 + if ((tmp = (char *) acl_alloc(len)) == NULL)
34926 + if (copy_from_user(tmp, g_tmp->filename, len))
34928 + tmp[len-1] = '\0';
34929 + g_tmp->filename = tmp;
34932 + guser = &(g_tmp->next);
34939 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
34940 + struct acl_role_label *role)
34942 + struct acl_object_label *o_tmp;
34943 + unsigned int len;
34948 + if ((o_tmp = (struct acl_object_label *)
34949 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
34952 + if (copy_from_user(o_tmp, userp,
34953 + sizeof (struct acl_object_label)))
34956 + userp = o_tmp->prev;
34958 + len = strnlen_user(o_tmp->filename, PATH_MAX);
34960 + if (!len || len >= PATH_MAX)
34963 + if ((tmp = (char *) acl_alloc(len)) == NULL)
34966 + if (copy_from_user(tmp, o_tmp->filename, len))
34968 + tmp[len-1] = '\0';
34969 + o_tmp->filename = tmp;
34971 + insert_acl_obj_label(o_tmp, subj);
34972 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
34973 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
34976 + ret = copy_user_glob(o_tmp);
34980 + if (o_tmp->nested) {
34981 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
34982 + if (IS_ERR(o_tmp->nested))
34983 + return PTR_ERR(o_tmp->nested);
34985 + /* insert into nested subject list */
34986 + o_tmp->nested->next = role->hash->first;
34987 + role->hash->first = o_tmp->nested;
34995 +count_user_subjs(struct acl_subject_label *userp)
34997 + struct acl_subject_label s_tmp;
35001 + if (copy_from_user(&s_tmp, userp,
35002 + sizeof (struct acl_subject_label)))
35005 + userp = s_tmp.prev;
35006 + /* do not count nested subjects against this count, since
35007 + they are not included in the hash table, but are
35008 + attached to objects. We have already counted
35009 + the subjects in userspace for the allocation
35012 + if (!(s_tmp.mode & GR_NESTED))
35020 +copy_user_allowedips(struct acl_role_label *rolep)
35022 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
35024 + ruserip = rolep->allowed_ips;
35026 + while (ruserip) {
35029 + if ((rtmp = (struct role_allowed_ip *)
35030 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
35033 + if (copy_from_user(rtmp, ruserip,
35034 + sizeof (struct role_allowed_ip)))
35037 + ruserip = rtmp->prev;
35040 + rtmp->prev = NULL;
35041 + rolep->allowed_ips = rtmp;
35043 + rlast->next = rtmp;
35044 + rtmp->prev = rlast;
35048 + rtmp->next = NULL;
35055 +copy_user_transitions(struct acl_role_label *rolep)
35057 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
35059 + unsigned int len;
35062 + rusertp = rolep->transitions;
35064 + while (rusertp) {
35067 + if ((rtmp = (struct role_transition *)
35068 + acl_alloc(sizeof (struct role_transition))) == NULL)
35071 + if (copy_from_user(rtmp, rusertp,
35072 + sizeof (struct role_transition)))
35075 + rusertp = rtmp->prev;
35077 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
35079 + if (!len || len >= GR_SPROLE_LEN)
35082 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35085 + if (copy_from_user(tmp, rtmp->rolename, len))
35087 + tmp[len-1] = '\0';
35088 + rtmp->rolename = tmp;
35091 + rtmp->prev = NULL;
35092 + rolep->transitions = rtmp;
35094 + rlast->next = rtmp;
35095 + rtmp->prev = rlast;
35099 + rtmp->next = NULL;
35105 +static struct acl_subject_label *
35106 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
35108 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
35109 + unsigned int len;
35112 + struct acl_ip_label **i_tmp, *i_utmp2;
35113 + struct gr_hash_struct ghash;
35114 + struct subject_map *subjmap;
35115 + unsigned int i_num;
35118 + s_tmp = lookup_subject_map(userp);
35120 + /* we've already copied this subject into the kernel, just return
35121 + the reference to it, and don't copy it over again
35126 + if ((s_tmp = (struct acl_subject_label *)
35127 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
35128 + return ERR_PTR(-ENOMEM);
35130 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
35131 + if (subjmap == NULL)
35132 + return ERR_PTR(-ENOMEM);
35134 + subjmap->user = userp;
35135 + subjmap->kernel = s_tmp;
35136 + insert_subj_map_entry(subjmap);
35138 + if (copy_from_user(s_tmp, userp,
35139 + sizeof (struct acl_subject_label)))
35140 + return ERR_PTR(-EFAULT);
35142 + len = strnlen_user(s_tmp->filename, PATH_MAX);
35144 + if (!len || len >= PATH_MAX)
35145 + return ERR_PTR(-EINVAL);
35147 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35148 + return ERR_PTR(-ENOMEM);
35150 + if (copy_from_user(tmp, s_tmp->filename, len))
35151 + return ERR_PTR(-EFAULT);
35152 + tmp[len-1] = '\0';
35153 + s_tmp->filename = tmp;
35155 + if (!strcmp(s_tmp->filename, "/"))
35156 + role->root_label = s_tmp;
35158 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
35159 + return ERR_PTR(-EFAULT);
35161 + /* copy user and group transition tables */
35163 + if (s_tmp->user_trans_num) {
35166 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
35167 + if (uidlist == NULL)
35168 + return ERR_PTR(-ENOMEM);
35169 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
35170 + return ERR_PTR(-EFAULT);
35172 + s_tmp->user_transitions = uidlist;
35175 + if (s_tmp->group_trans_num) {
35178 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
35179 + if (gidlist == NULL)
35180 + return ERR_PTR(-ENOMEM);
35181 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
35182 + return ERR_PTR(-EFAULT);
35184 + s_tmp->group_transitions = gidlist;
35187 + /* set up object hash table */
35188 + num_objs = count_user_objs(ghash.first);
35190 + s_tmp->obj_hash_size = num_objs;
35191 + s_tmp->obj_hash =
35192 + (struct acl_object_label **)
35193 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
35195 + if (!s_tmp->obj_hash)
35196 + return ERR_PTR(-ENOMEM);
35198 + memset(s_tmp->obj_hash, 0,
35199 + s_tmp->obj_hash_size *
35200 + sizeof (struct acl_object_label *));
35202 + /* add in objects */
35203 + err = copy_user_objs(ghash.first, s_tmp, role);
35206 + return ERR_PTR(err);
35208 + /* set pointer for parent subject */
35209 + if (s_tmp->parent_subject) {
35210 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
35212 + if (IS_ERR(s_tmp2))
35215 + s_tmp->parent_subject = s_tmp2;
35218 + /* add in ip acls */
35220 + if (!s_tmp->ip_num) {
35221 + s_tmp->ips = NULL;
35226 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
35227 + sizeof (struct acl_ip_label *));
35230 + return ERR_PTR(-ENOMEM);
35232 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
35233 + *(i_tmp + i_num) =
35234 + (struct acl_ip_label *)
35235 + acl_alloc(sizeof (struct acl_ip_label));
35236 + if (!*(i_tmp + i_num))
35237 + return ERR_PTR(-ENOMEM);
35239 + if (copy_from_user
35240 + (&i_utmp2, s_tmp->ips + i_num,
35241 + sizeof (struct acl_ip_label *)))
35242 + return ERR_PTR(-EFAULT);
35244 + if (copy_from_user
35245 + (*(i_tmp + i_num), i_utmp2,
35246 + sizeof (struct acl_ip_label)))
35247 + return ERR_PTR(-EFAULT);
35249 + if ((*(i_tmp + i_num))->iface == NULL)
35252 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
35253 + if (!len || len >= IFNAMSIZ)
35254 + return ERR_PTR(-EINVAL);
35255 + tmp = acl_alloc(len);
35257 + return ERR_PTR(-ENOMEM);
35258 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
35259 + return ERR_PTR(-EFAULT);
35260 + (*(i_tmp + i_num))->iface = tmp;
35263 + s_tmp->ips = i_tmp;
35266 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
35267 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
35268 + return ERR_PTR(-ENOMEM);
35274 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
35276 + struct acl_subject_label s_pre;
35277 + struct acl_subject_label * ret;
35281 + if (copy_from_user(&s_pre, userp,
35282 + sizeof (struct acl_subject_label)))
35285 + /* do not add nested subjects here, add
35286 + while parsing objects
35289 + if (s_pre.mode & GR_NESTED) {
35290 + userp = s_pre.prev;
35294 + ret = do_copy_user_subj(userp, role);
35296 + err = PTR_ERR(ret);
35300 + insert_acl_subj_label(ret, role);
35302 + userp = s_pre.prev;
35309 +copy_user_acl(struct gr_arg *arg)
35311 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
35312 + struct sprole_pw *sptmp;
35313 + struct gr_hash_struct *ghash;
35314 + uid_t *domainlist;
35315 + unsigned int r_num;
35316 + unsigned int len;
35322 + /* we need a default and kernel role */
35323 + if (arg->role_db.num_roles < 2)
35326 + /* copy special role authentication info from userspace */
35328 + num_sprole_pws = arg->num_sprole_pws;
35329 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
35331 + if (!acl_special_roles) {
35336 + for (i = 0; i < num_sprole_pws; i++) {
35337 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
35342 + if (copy_from_user(sptmp, arg->sprole_pws + i,
35343 + sizeof (struct sprole_pw))) {
35349 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
35351 + if (!len || len >= GR_SPROLE_LEN) {
35356 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
35361 + if (copy_from_user(tmp, sptmp->rolename, len)) {
35365 + tmp[len-1] = '\0';
35366 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35367 + printk(KERN_ALERT "Copying special role %s\n", tmp);
35369 + sptmp->rolename = tmp;
35370 + acl_special_roles[i] = sptmp;
35373 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
35375 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
35376 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
35383 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
35384 + sizeof (struct acl_role_label *))) {
35389 + if (copy_from_user(r_tmp, r_utmp2,
35390 + sizeof (struct acl_role_label))) {
35395 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
35397 + if (!len || len >= PATH_MAX) {
35402 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
35406 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
35410 + tmp[len-1] = '\0';
35411 + r_tmp->rolename = tmp;
35413 + if (!strcmp(r_tmp->rolename, "default")
35414 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
35415 + default_role = r_tmp;
35416 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
35417 + kernel_role = r_tmp;
35420 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
35424 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
35429 + r_tmp->hash = ghash;
35431 + num_subjs = count_user_subjs(r_tmp->hash->first);
35433 + r_tmp->subj_hash_size = num_subjs;
35434 + r_tmp->subj_hash =
35435 + (struct acl_subject_label **)
35436 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
35438 + if (!r_tmp->subj_hash) {
35443 + err = copy_user_allowedips(r_tmp);
35447 + /* copy domain info */
35448 + if (r_tmp->domain_children != NULL) {
35449 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
35450 + if (domainlist == NULL) {
35454 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
35458 + r_tmp->domain_children = domainlist;
35461 + err = copy_user_transitions(r_tmp);
35465 + memset(r_tmp->subj_hash, 0,
35466 + r_tmp->subj_hash_size *
35467 + sizeof (struct acl_subject_label *));
35469 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
35474 + /* set nested subject list to null */
35475 + r_tmp->hash->first = NULL;
35477 + insert_acl_role_label(r_tmp);
35482 + free_variables();
35489 +gracl_init(struct gr_arg *args)
35493 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
35494 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
35496 + if (init_variables(args)) {
35497 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
35499 + free_variables();
35503 + error = copy_user_acl(args);
35504 + free_init_variables();
35506 + free_variables();
35510 + if ((error = gr_set_acls(0))) {
35511 + free_variables();
35515 + pax_open_kernel();
35516 + gr_status |= GR_READY;
35517 + pax_close_kernel();
35523 +/* derived from glibc fnmatch() 0: match, 1: no match*/
35526 +glob_match(const char *p, const char *n)
35530 + while ((c = *p++) != '\0') {
35535 + else if (*n == '/')
35543 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
35546 + else if (c == '?') {
35556 + const char *endp;
35558 + if ((endp = strchr(n, '/')) == NULL)
35559 + endp = n + strlen(n);
35562 + for (--p; n < endp; ++n)
35563 + if (!glob_match(p, n))
35565 + } else if (c == '/') {
35566 + while (*n != '\0' && *n != '/')
35568 + if (*n == '/' && !glob_match(p, n + 1))
35571 + for (--p; n < endp; ++n)
35572 + if (*n == c && !glob_match(p, n))
35583 + if (*n == '\0' || *n == '/')
35586 + not = (*p == '!' || *p == '^');
35592 + unsigned char fn = (unsigned char)*n;
35602 + if (c == '-' && *p != ']') {
35603 + unsigned char cend = *p++;
35605 + if (cend == '\0')
35608 + if (cold <= fn && fn <= cend)
35622 + while (c != ']') {
35649 +static struct acl_object_label *
35650 +chk_glob_label(struct acl_object_label *globbed,
35651 + struct dentry *dentry, struct vfsmount *mnt, char **path)
35653 + struct acl_object_label *tmp;
35655 + if (*path == NULL)
35656 + *path = gr_to_filename_nolock(dentry, mnt);
35661 + if (!glob_match(tmp->filename, *path))
35669 +static struct acl_object_label *
35670 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
35671 + const ino_t curr_ino, const dev_t curr_dev,
35672 + const struct acl_subject_label *subj, char **path, const int checkglob)
35674 + struct acl_subject_label *tmpsubj;
35675 + struct acl_object_label *retval;
35676 + struct acl_object_label *retval2;
35678 + tmpsubj = (struct acl_subject_label *) subj;
35679 + read_lock(&gr_inode_lock);
35681 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
35683 + if (checkglob && retval->globbed) {
35684 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
35685 + (struct vfsmount *)orig_mnt, path);
35687 + retval = retval2;
35691 + } while ((tmpsubj = tmpsubj->parent_subject));
35692 + read_unlock(&gr_inode_lock);
35697 +static __inline__ struct acl_object_label *
35698 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
35699 + const struct dentry *curr_dentry,
35700 + const struct acl_subject_label *subj, char **path, const int checkglob)
35702 + return __full_lookup(orig_dentry, orig_mnt,
35703 + curr_dentry->d_inode->i_ino,
35704 + curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
35707 +static struct acl_object_label *
35708 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35709 + const struct acl_subject_label *subj, char *path, const int checkglob)
35711 + struct dentry *dentry = (struct dentry *) l_dentry;
35712 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
35713 + struct acl_object_label *retval;
35715 + spin_lock(&dcache_lock);
35717 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
35718 +#ifdef CONFIG_HUGETLBFS
35719 + mnt == hugetlbfs_vfsmount ||
35721 + /* ignore Eric Biederman */
35722 + IS_PRIVATE(l_dentry->d_inode))) {
35723 + retval = fakefs_obj;
35728 + if (dentry == real_root && mnt == real_root_mnt)
35731 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
35732 + if (mnt->mnt_parent == mnt)
35735 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35736 + if (retval != NULL)
35739 + dentry = mnt->mnt_mountpoint;
35740 + mnt = mnt->mnt_parent;
35744 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35745 + if (retval != NULL)
35748 + dentry = dentry->d_parent;
35751 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35753 + if (retval == NULL)
35754 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
35756 + spin_unlock(&dcache_lock);
35760 +static __inline__ struct acl_object_label *
35761 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35762 + const struct acl_subject_label *subj)
35764 + char *path = NULL;
35765 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
35768 +static __inline__ struct acl_object_label *
35769 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35770 + const struct acl_subject_label *subj)
35772 + char *path = NULL;
35773 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
35776 +static __inline__ struct acl_object_label *
35777 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35778 + const struct acl_subject_label *subj, char *path)
35780 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
35783 +static struct acl_subject_label *
35784 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35785 + const struct acl_role_label *role)
35787 + struct dentry *dentry = (struct dentry *) l_dentry;
35788 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
35789 + struct acl_subject_label *retval;
35791 + spin_lock(&dcache_lock);
35794 + if (dentry == real_root && mnt == real_root_mnt)
35796 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
35797 + if (mnt->mnt_parent == mnt)
35800 + read_lock(&gr_inode_lock);
35802 + lookup_acl_subj_label(dentry->d_inode->i_ino,
35803 + dentry->d_inode->i_sb->s_dev, role);
35804 + read_unlock(&gr_inode_lock);
35805 + if (retval != NULL)
35808 + dentry = mnt->mnt_mountpoint;
35809 + mnt = mnt->mnt_parent;
35813 + read_lock(&gr_inode_lock);
35814 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
35815 + dentry->d_inode->i_sb->s_dev, role);
35816 + read_unlock(&gr_inode_lock);
35817 + if (retval != NULL)
35820 + dentry = dentry->d_parent;
35823 + read_lock(&gr_inode_lock);
35824 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
35825 + dentry->d_inode->i_sb->s_dev, role);
35826 + read_unlock(&gr_inode_lock);
35828 + if (unlikely(retval == NULL)) {
35829 + read_lock(&gr_inode_lock);
35830 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
35831 + real_root->d_inode->i_sb->s_dev, role);
35832 + read_unlock(&gr_inode_lock);
35835 + spin_unlock(&dcache_lock);
35841 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
35843 + struct task_struct *task = current;
35844 + const struct cred *cred = current_cred();
35846 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
35847 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
35848 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
35849 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->curr_ip);
35855 +gr_log_learn_sysctl(const char *path, const __u32 mode)
35857 + struct task_struct *task = current;
35858 + const struct cred *cred = current_cred();
35860 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
35861 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
35862 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
35863 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->curr_ip);
35869 +gr_log_learn_id_change(const char type, const unsigned int real,
35870 + const unsigned int effective, const unsigned int fs)
35872 + struct task_struct *task = current;
35873 + const struct cred *cred = current_cred();
35875 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
35876 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
35877 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
35878 + type, real, effective, fs, &task->signal->curr_ip);
35884 +gr_check_link(const struct dentry * new_dentry,
35885 + const struct dentry * parent_dentry,
35886 + const struct vfsmount * parent_mnt,
35887 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
35889 + struct acl_object_label *obj;
35890 + __u32 oldmode, newmode;
35893 + if (unlikely(!(gr_status & GR_READY)))
35894 + return (GR_CREATE | GR_LINK);
35896 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
35897 + oldmode = obj->mode;
35899 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
35900 + oldmode |= (GR_CREATE | GR_LINK);
35902 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
35903 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
35904 + needmode |= GR_SETID | GR_AUDIT_SETID;
35907 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
35908 + oldmode | needmode);
35910 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
35911 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
35912 + GR_INHERIT | GR_AUDIT_INHERIT);
35914 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
35917 + if ((oldmode & needmode) != needmode)
35920 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
35921 + if ((newmode & needmode) != needmode)
35924 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
35927 + needmode = oldmode;
35928 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
35929 + needmode |= GR_SETID;
35931 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
35932 + gr_log_learn(old_dentry, old_mnt, needmode);
35933 + return (GR_CREATE | GR_LINK);
35934 + } else if (newmode & GR_SUPPRESS)
35935 + return GR_SUPPRESS;
35941 +gr_search_file(const struct dentry * dentry, const __u32 mode,
35942 + const struct vfsmount * mnt)
35944 + __u32 retval = mode;
35945 + struct acl_subject_label *curracl;
35946 + struct acl_object_label *currobj;
35948 + if (unlikely(!(gr_status & GR_READY)))
35949 + return (mode & ~GR_AUDITS);
35951 + curracl = current->acl;
35953 + currobj = chk_obj_label(dentry, mnt, curracl);
35954 + retval = currobj->mode & mode;
35957 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
35958 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
35959 + __u32 new_mode = mode;
35961 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
35963 + retval = new_mode;
35965 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
35966 + new_mode |= GR_INHERIT;
35968 + if (!(mode & GR_NOLEARN))
35969 + gr_log_learn(dentry, mnt, new_mode);
35976 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
35977 + const struct vfsmount * mnt, const __u32 mode)
35979 + struct name_entry *match;
35980 + struct acl_object_label *matchpo;
35981 + struct acl_subject_label *curracl;
35985 + if (unlikely(!(gr_status & GR_READY)))
35986 + return (mode & ~GR_AUDITS);
35988 + preempt_disable();
35989 + path = gr_to_filename_rbac(new_dentry, mnt);
35990 + match = lookup_name_entry_create(path);
35993 + goto check_parent;
35995 + curracl = current->acl;
35997 + read_lock(&gr_inode_lock);
35998 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
35999 + read_unlock(&gr_inode_lock);
36002 + if ((matchpo->mode & mode) !=
36003 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
36004 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36005 + __u32 new_mode = mode;
36007 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36009 + gr_log_learn(new_dentry, mnt, new_mode);
36011 + preempt_enable();
36014 + preempt_enable();
36015 + return (matchpo->mode & mode);
36019 + curracl = current->acl;
36021 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
36022 + retval = matchpo->mode & mode;
36024 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
36025 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
36026 + __u32 new_mode = mode;
36028 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36030 + gr_log_learn(new_dentry, mnt, new_mode);
36031 + preempt_enable();
36035 + preempt_enable();
36040 +gr_check_hidden_task(const struct task_struct *task)
36042 + if (unlikely(!(gr_status & GR_READY)))
36045 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
36052 +gr_check_protected_task(const struct task_struct *task)
36054 + if (unlikely(!(gr_status & GR_READY) || !task))
36057 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36058 + task->acl != current->acl)
36065 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
36067 + struct task_struct *p;
36070 + if (unlikely(!(gr_status & GR_READY) || !pid))
36073 + read_lock(&tasklist_lock);
36074 + do_each_pid_task(pid, type, p) {
36075 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36076 + p->acl != current->acl) {
36080 + } while_each_pid_task(pid, type, p);
36082 + read_unlock(&tasklist_lock);
36088 +gr_copy_label(struct task_struct *tsk)
36090 + tsk->signal->used_accept = 0;
36091 + tsk->acl_sp_role = 0;
36092 + tsk->acl_role_id = current->acl_role_id;
36093 + tsk->acl = current->acl;
36094 + tsk->role = current->role;
36095 + tsk->signal->curr_ip = current->signal->curr_ip;
36096 + if (current->exec_file)
36097 + get_file(current->exec_file);
36098 + tsk->exec_file = current->exec_file;
36099 + tsk->is_writable = current->is_writable;
36100 + if (unlikely(current->signal->used_accept))
36101 + current->signal->curr_ip = 0;
36107 +gr_set_proc_res(struct task_struct *task)
36109 + struct acl_subject_label *proc;
36110 + unsigned short i;
36112 + proc = task->acl;
36114 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
36117 + for (i = 0; i < RLIM_NLIMITS; i++) {
36118 + if (!(proc->resmask & (1 << i)))
36121 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
36122 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
36129 +gr_check_user_change(int real, int effective, int fs)
36136 + int effectiveok = 0;
36139 + if (unlikely(!(gr_status & GR_READY)))
36142 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36143 + gr_log_learn_id_change('u', real, effective, fs);
36145 + num = current->acl->user_trans_num;
36146 + uidlist = current->acl->user_transitions;
36148 + if (uidlist == NULL)
36153 + if (effective == -1)
36158 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
36159 + for (i = 0; i < num; i++) {
36160 + curuid = (int)uidlist[i];
36161 + if (real == curuid)
36163 + if (effective == curuid)
36165 + if (fs == curuid)
36168 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
36169 + for (i = 0; i < num; i++) {
36170 + curuid = (int)uidlist[i];
36171 + if (real == curuid)
36173 + if (effective == curuid)
36175 + if (fs == curuid)
36178 + /* not in deny list */
36186 + if (realok && effectiveok && fsok)
36189 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
36195 +gr_check_group_change(int real, int effective, int fs)
36202 + int effectiveok = 0;
36205 + if (unlikely(!(gr_status & GR_READY)))
36208 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36209 + gr_log_learn_id_change('g', real, effective, fs);
36211 + num = current->acl->group_trans_num;
36212 + gidlist = current->acl->group_transitions;
36214 + if (gidlist == NULL)
36219 + if (effective == -1)
36224 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
36225 + for (i = 0; i < num; i++) {
36226 + curgid = (int)gidlist[i];
36227 + if (real == curgid)
36229 + if (effective == curgid)
36231 + if (fs == curgid)
36234 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
36235 + for (i = 0; i < num; i++) {
36236 + curgid = (int)gidlist[i];
36237 + if (real == curgid)
36239 + if (effective == curgid)
36241 + if (fs == curgid)
36244 + /* not in deny list */
36252 + if (realok && effectiveok && fsok)
36255 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
36261 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
36263 + struct acl_role_label *role = task->role;
36264 + struct acl_subject_label *subj = NULL;
36265 + struct acl_object_label *obj;
36266 + struct file *filp;
36268 + if (unlikely(!(gr_status & GR_READY)))
36271 + filp = task->exec_file;
36273 + /* kernel process, we'll give them the kernel role */
36274 + if (unlikely(!filp)) {
36275 + task->role = kernel_role;
36276 + task->acl = kernel_role->root_label;
36278 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
36279 + role = lookup_acl_role_label(task, uid, gid);
36281 + /* perform subject lookup in possibly new role
36282 + we can use this result below in the case where role == task->role
36284 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
36286 + /* if we changed uid/gid, but result in the same role
36287 + and are using inheritance, don't lose the inherited subject
36288 + if current subject is other than what normal lookup
36289 + would result in, we arrived via inheritance, don't
36292 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
36293 + (subj == task->acl)))
36294 + task->acl = subj;
36296 + task->role = role;
36298 + task->is_writable = 0;
36300 + /* ignore additional mmap checks for processes that are writable
36301 + by the default ACL */
36302 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
36303 + if (unlikely(obj->mode & GR_WRITE))
36304 + task->is_writable = 1;
36305 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
36306 + if (unlikely(obj->mode & GR_WRITE))
36307 + task->is_writable = 1;
36309 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36310 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
36313 + gr_set_proc_res(task);
36319 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
36320 + const int unsafe_share)
36322 + struct task_struct *task = current;
36323 + struct acl_subject_label *newacl;
36324 + struct acl_object_label *obj;
36327 + if (unlikely(!(gr_status & GR_READY)))
36330 + newacl = chk_subj_label(dentry, mnt, task->role);
36333 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
36334 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
36335 + !(task->role->roletype & GR_ROLE_GOD) &&
36336 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
36337 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
36338 + task_unlock(task);
36339 + if (unsafe_share)
36340 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
36342 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
36345 + task_unlock(task);
36347 + obj = chk_obj_label(dentry, mnt, task->acl);
36348 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
36350 + if (!(task->acl->mode & GR_INHERITLEARN) &&
36351 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
36353 + task->acl = obj->nested;
36355 + task->acl = newacl;
36356 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
36357 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
36359 + task->is_writable = 0;
36361 + /* ignore additional mmap checks for processes that are writable
36362 + by the default ACL */
36363 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
36364 + if (unlikely(obj->mode & GR_WRITE))
36365 + task->is_writable = 1;
36366 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
36367 + if (unlikely(obj->mode & GR_WRITE))
36368 + task->is_writable = 1;
36370 + gr_set_proc_res(task);
36372 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36373 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
36378 +/* always called with valid inodev ptr */
36380 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
36382 + struct acl_object_label *matchpo;
36383 + struct acl_subject_label *matchps;
36384 + struct acl_subject_label *subj;
36385 + struct acl_role_label *role;
36388 + FOR_EACH_ROLE_START(role)
36389 + FOR_EACH_SUBJECT_START(role, subj, x)
36390 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
36391 + matchpo->mode |= GR_DELETED;
36392 + FOR_EACH_SUBJECT_END(subj,x)
36393 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
36394 + if (subj->inode == ino && subj->device == dev)
36395 + subj->mode |= GR_DELETED;
36396 + FOR_EACH_NESTED_SUBJECT_END(subj)
36397 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
36398 + matchps->mode |= GR_DELETED;
36399 + FOR_EACH_ROLE_END(role)
36401 + inodev->nentry->deleted = 1;
36407 +gr_handle_delete(const ino_t ino, const dev_t dev)
36409 + struct inodev_entry *inodev;
36411 + if (unlikely(!(gr_status & GR_READY)))
36414 + write_lock(&gr_inode_lock);
36415 + inodev = lookup_inodev_entry(ino, dev);
36416 + if (inodev != NULL)
36417 + do_handle_delete(inodev, ino, dev);
36418 + write_unlock(&gr_inode_lock);
36424 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
36425 + const ino_t newinode, const dev_t newdevice,
36426 + struct acl_subject_label *subj)
36428 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
36429 + struct acl_object_label *match;
36431 + match = subj->obj_hash[index];
36433 + while (match && (match->inode != oldinode ||
36434 + match->device != olddevice ||
36435 + !(match->mode & GR_DELETED)))
36436 + match = match->next;
36438 + if (match && (match->inode == oldinode)
36439 + && (match->device == olddevice)
36440 + && (match->mode & GR_DELETED)) {
36441 + if (match->prev == NULL) {
36442 + subj->obj_hash[index] = match->next;
36443 + if (match->next != NULL)
36444 + match->next->prev = NULL;
36446 + match->prev->next = match->next;
36447 + if (match->next != NULL)
36448 + match->next->prev = match->prev;
36450 + match->prev = NULL;
36451 + match->next = NULL;
36452 + match->inode = newinode;
36453 + match->device = newdevice;
36454 + match->mode &= ~GR_DELETED;
36456 + insert_acl_obj_label(match, subj);
36463 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
36464 + const ino_t newinode, const dev_t newdevice,
36465 + struct acl_role_label *role)
36467 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
36468 + struct acl_subject_label *match;
36470 + match = role->subj_hash[index];
36472 + while (match && (match->inode != oldinode ||
36473 + match->device != olddevice ||
36474 + !(match->mode & GR_DELETED)))
36475 + match = match->next;
36477 + if (match && (match->inode == oldinode)
36478 + && (match->device == olddevice)
36479 + && (match->mode & GR_DELETED)) {
36480 + if (match->prev == NULL) {
36481 + role->subj_hash[index] = match->next;
36482 + if (match->next != NULL)
36483 + match->next->prev = NULL;
36485 + match->prev->next = match->next;
36486 + if (match->next != NULL)
36487 + match->next->prev = match->prev;
36489 + match->prev = NULL;
36490 + match->next = NULL;
36491 + match->inode = newinode;
36492 + match->device = newdevice;
36493 + match->mode &= ~GR_DELETED;
36495 + insert_acl_subj_label(match, role);
36502 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
36503 + const ino_t newinode, const dev_t newdevice)
36505 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
36506 + struct inodev_entry *match;
36508 + match = inodev_set.i_hash[index];
36510 + while (match && (match->nentry->inode != oldinode ||
36511 + match->nentry->device != olddevice || !match->nentry->deleted))
36512 + match = match->next;
36514 + if (match && (match->nentry->inode == oldinode)
36515 + && (match->nentry->device == olddevice) &&
36516 + match->nentry->deleted) {
36517 + if (match->prev == NULL) {
36518 + inodev_set.i_hash[index] = match->next;
36519 + if (match->next != NULL)
36520 + match->next->prev = NULL;
36522 + match->prev->next = match->next;
36523 + if (match->next != NULL)
36524 + match->next->prev = match->prev;
36526 + match->prev = NULL;
36527 + match->next = NULL;
36528 + match->nentry->inode = newinode;
36529 + match->nentry->device = newdevice;
36530 + match->nentry->deleted = 0;
36532 + insert_inodev_entry(match);
36539 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
36540 + const struct vfsmount *mnt)
36542 + struct acl_subject_label *subj;
36543 + struct acl_role_label *role;
36546 + FOR_EACH_ROLE_START(role)
36547 + update_acl_subj_label(matchn->inode, matchn->device,
36548 + dentry->d_inode->i_ino,
36549 + dentry->d_inode->i_sb->s_dev, role);
36551 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
36552 + if ((subj->inode == dentry->d_inode->i_ino) &&
36553 + (subj->device == dentry->d_inode->i_sb->s_dev)) {
36554 + subj->inode = dentry->d_inode->i_ino;
36555 + subj->device = dentry->d_inode->i_sb->s_dev;
36557 + FOR_EACH_NESTED_SUBJECT_END(subj)
36558 + FOR_EACH_SUBJECT_START(role, subj, x)
36559 + update_acl_obj_label(matchn->inode, matchn->device,
36560 + dentry->d_inode->i_ino,
36561 + dentry->d_inode->i_sb->s_dev, subj);
36562 + FOR_EACH_SUBJECT_END(subj,x)
36563 + FOR_EACH_ROLE_END(role)
36565 + update_inodev_entry(matchn->inode, matchn->device,
36566 + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
36572 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
36574 + struct name_entry *matchn;
36576 + if (unlikely(!(gr_status & GR_READY)))
36579 + preempt_disable();
36580 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
36582 + if (unlikely((unsigned long)matchn)) {
36583 + write_lock(&gr_inode_lock);
36584 + do_handle_create(matchn, dentry, mnt);
36585 + write_unlock(&gr_inode_lock);
36587 + preempt_enable();
36593 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
36594 + struct dentry *old_dentry,
36595 + struct dentry *new_dentry,
36596 + struct vfsmount *mnt, const __u8 replace)
36598 + struct name_entry *matchn;
36599 + struct inodev_entry *inodev;
36601 + /* vfs_rename swaps the name and parent link for old_dentry and
36603 + at this point, old_dentry has the new name, parent link, and inode
36604 + for the renamed file
36605 + if a file is being replaced by a rename, new_dentry has the inode
36606 + and name for the replaced file
36609 + if (unlikely(!(gr_status & GR_READY)))
36612 + preempt_disable();
36613 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
36615 + /* we wouldn't have to check d_inode if it weren't for
36616 + NFS silly-renaming
36619 + write_lock(&gr_inode_lock);
36620 + if (unlikely(replace && new_dentry->d_inode)) {
36621 + inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
36622 + new_dentry->d_inode->i_sb->s_dev);
36623 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
36624 + do_handle_delete(inodev, new_dentry->d_inode->i_ino,
36625 + new_dentry->d_inode->i_sb->s_dev);
36628 + inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
36629 + old_dentry->d_inode->i_sb->s_dev);
36630 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
36631 + do_handle_delete(inodev, old_dentry->d_inode->i_ino,
36632 + old_dentry->d_inode->i_sb->s_dev);
36634 + if (unlikely((unsigned long)matchn))
36635 + do_handle_create(matchn, old_dentry, mnt);
36637 + write_unlock(&gr_inode_lock);
36638 + preempt_enable();
36644 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
36645 + unsigned char **sum)
36647 + struct acl_role_label *r;
36648 + struct role_allowed_ip *ipp;
36649 + struct role_transition *trans;
36653 + /* check transition table */
36655 + for (trans = current->role->transitions; trans; trans = trans->next) {
36656 + if (!strcmp(rolename, trans->rolename)) {
36665 + /* handle special roles that do not require authentication
36668 + FOR_EACH_ROLE_START(r)
36669 + if (!strcmp(rolename, r->rolename) &&
36670 + (r->roletype & GR_ROLE_SPECIAL)) {
36672 + if (r->allowed_ips != NULL) {
36673 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
36674 + if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
36675 + (ntohl(ipp->addr) & ipp->netmask))
36683 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
36684 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
36690 + FOR_EACH_ROLE_END(r)
36692 + for (i = 0; i < num_sprole_pws; i++) {
36693 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
36694 + *salt = acl_special_roles[i]->salt;
36695 + *sum = acl_special_roles[i]->sum;
36704 +assign_special_role(char *rolename)
36706 + struct acl_object_label *obj;
36707 + struct acl_role_label *r;
36708 + struct acl_role_label *assigned = NULL;
36709 + struct task_struct *tsk;
36710 + struct file *filp;
36712 + FOR_EACH_ROLE_START(r)
36713 + if (!strcmp(rolename, r->rolename) &&
36714 + (r->roletype & GR_ROLE_SPECIAL)) {
36718 + FOR_EACH_ROLE_END(r)
36723 + read_lock(&tasklist_lock);
36724 + read_lock(&grsec_exec_file_lock);
36726 + tsk = current->parent;
36730 + filp = tsk->exec_file;
36731 + if (filp == NULL)
36734 + tsk->is_writable = 0;
36736 + tsk->acl_sp_role = 1;
36737 + tsk->acl_role_id = ++acl_sp_role_value;
36738 + tsk->role = assigned;
36739 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
36741 + /* ignore additional mmap checks for processes that are writable
36742 + by the default ACL */
36743 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
36744 + if (unlikely(obj->mode & GR_WRITE))
36745 + tsk->is_writable = 1;
36746 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
36747 + if (unlikely(obj->mode & GR_WRITE))
36748 + tsk->is_writable = 1;
36750 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36751 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
36755 + read_unlock(&grsec_exec_file_lock);
36756 + read_unlock(&tasklist_lock);
36760 +int gr_check_secure_terminal(struct task_struct *task)
36762 + struct task_struct *p, *p2, *p3;
36763 + struct files_struct *files;
36764 + struct fdtable *fdt;
36765 + struct file *our_file = NULL, *file;
36768 + if (task->signal->tty == NULL)
36771 + files = get_files_struct(task);
36772 + if (files != NULL) {
36774 + fdt = files_fdtable(files);
36775 + for (i=0; i < fdt->max_fds; i++) {
36776 + file = fcheck_files(files, i);
36777 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
36782 + rcu_read_unlock();
36783 + put_files_struct(files);
36786 + if (our_file == NULL)
36789 + read_lock(&tasklist_lock);
36790 + do_each_thread(p2, p) {
36791 + files = get_files_struct(p);
36792 + if (files == NULL ||
36793 + (p->signal && p->signal->tty == task->signal->tty)) {
36794 + if (files != NULL)
36795 + put_files_struct(files);
36799 + fdt = files_fdtable(files);
36800 + for (i=0; i < fdt->max_fds; i++) {
36801 + file = fcheck_files(files, i);
36802 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
36803 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
36805 + while (p3->pid > 0) {
36812 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
36813 + gr_handle_alertkill(p);
36814 + rcu_read_unlock();
36815 + put_files_struct(files);
36816 + read_unlock(&tasklist_lock);
36821 + rcu_read_unlock();
36822 + put_files_struct(files);
36823 + } while_each_thread(p2, p);
36824 + read_unlock(&tasklist_lock);
36831 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
36833 + struct gr_arg_wrapper uwrap;
36834 + unsigned char *sprole_salt = NULL;
36835 + unsigned char *sprole_sum = NULL;
36836 + int error = sizeof (struct gr_arg_wrapper);
36839 + down(&gr_dev_sem);
36841 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
36846 + if (count != sizeof (struct gr_arg_wrapper)) {
36847 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
36853 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
36854 + gr_auth_expires = 0;
36855 + gr_auth_attempts = 0;
36858 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
36863 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
36868 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
36873 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
36874 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
36875 + time_after(gr_auth_expires, get_seconds())) {
36880 + /* if non-root trying to do anything other than use a special role,
36881 + do not attempt authentication, do not count towards authentication
36885 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
36886 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
36892 + /* ensure pw and special role name are null terminated */
36894 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
36895 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
36898 + * We have our enough of the argument structure..(we have yet
36899 + * to copy_from_user the tables themselves) . Copy the tables
36900 + * only if we need them, i.e. for loading operations. */
36902 + switch (gr_usermode->mode) {
36904 + if (gr_status & GR_READY) {
36906 + if (!gr_check_secure_terminal(current))
36911 + case GR_SHUTDOWN:
36912 + if ((gr_status & GR_READY)
36913 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
36914 + pax_open_kernel();
36915 + gr_status &= ~GR_READY;
36916 + pax_close_kernel();
36918 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
36919 + free_variables();
36920 + memset(gr_usermode, 0, sizeof (struct gr_arg));
36921 + memset(gr_system_salt, 0, GR_SALT_LEN);
36922 + memset(gr_system_sum, 0, GR_SHA_LEN);
36923 + } else if (gr_status & GR_READY) {
36924 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
36927 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
36932 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
36933 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
36935 + if (gr_status & GR_READY)
36939 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
36943 + if (!(gr_status & GR_READY)) {
36944 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
36946 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
36949 + pax_open_kernel();
36950 + gr_status &= ~GR_READY;
36951 + pax_close_kernel();
36953 + free_variables();
36954 + if (!(error2 = gracl_init(gr_usermode))) {
36956 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
36960 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
36963 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
36968 + if (unlikely(!(gr_status & GR_READY))) {
36969 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
36974 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
36975 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
36976 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
36977 + struct acl_subject_label *segvacl;
36979 + lookup_acl_subj_label(gr_usermode->segv_inode,
36980 + gr_usermode->segv_device,
36983 + segvacl->crashes = 0;
36984 + segvacl->expires = 0;
36986 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
36987 + gr_remove_uid(gr_usermode->segv_uid);
36990 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
36995 + case GR_SPROLEPAM:
36996 + if (unlikely(!(gr_status & GR_READY))) {
36997 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
37002 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
37003 + current->role->expires = 0;
37004 + current->role->auth_attempts = 0;
37007 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37008 + time_after(current->role->expires, get_seconds())) {
37013 + if (lookup_special_role_auth
37014 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
37015 + && ((!sprole_salt && !sprole_sum)
37016 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
37018 + assign_special_role(gr_usermode->sp_role);
37019 + read_lock(&tasklist_lock);
37020 + if (current->parent)
37021 + p = current->parent->role->rolename;
37022 + read_unlock(&tasklist_lock);
37023 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
37024 + p, acl_sp_role_value);
37026 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
37028 + if(!(current->role->auth_attempts++))
37029 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37034 + case GR_UNSPROLE:
37035 + if (unlikely(!(gr_status & GR_READY))) {
37036 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
37041 + if (current->role->roletype & GR_ROLE_SPECIAL) {
37045 + read_lock(&tasklist_lock);
37046 + if (current->parent) {
37047 + p = current->parent->role->rolename;
37048 + i = current->parent->acl_role_id;
37050 + read_unlock(&tasklist_lock);
37052 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
37060 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
37065 + if (error != -EPERM)
37068 + if(!(gr_auth_attempts++))
37069 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37077 +gr_set_acls(const int type)
37079 + struct acl_object_label *obj;
37080 + struct task_struct *task, *task2;
37081 + struct file *filp;
37082 + struct acl_role_label *role = current->role;
37083 + __u16 acl_role_id = current->acl_role_id;
37084 + const struct cred *cred;
37086 + struct name_entry *nmatch;
37087 + struct acl_subject_label *tmpsubj;
37090 + read_lock(&tasklist_lock);
37091 + read_lock(&grsec_exec_file_lock);
37092 + do_each_thread(task2, task) {
37093 + /* check to see if we're called from the exit handler,
37094 + if so, only replace ACLs that have inherited the admin
37097 + if (type && (task->role != role ||
37098 + task->acl_role_id != acl_role_id))
37101 + task->acl_role_id = 0;
37102 + task->acl_sp_role = 0;
37104 + if ((filp = task->exec_file)) {
37105 + cred = __task_cred(task);
37106 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
37108 + /* the following is to apply the correct subject
37109 + on binaries running when the RBAC system
37110 + is enabled, when the binaries have been
37111 + replaced or deleted since their execution
37113 + when the RBAC system starts, the inode/dev
37114 + from exec_file will be one the RBAC system
37115 + is unaware of. It only knows the inode/dev
37116 + of the present file on disk, or the absence
37119 + preempt_disable();
37120 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
37122 + nmatch = lookup_name_entry(tmpname);
37123 + preempt_enable();
37126 + if (nmatch->deleted)
37127 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
37129 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
37130 + if (tmpsubj != NULL)
37131 + task->acl = tmpsubj;
37133 + if (tmpsubj == NULL)
37134 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
37137 + struct acl_subject_label *curr;
37138 + curr = task->acl;
37140 + task->is_writable = 0;
37141 + /* ignore additional mmap checks for processes that are writable
37142 + by the default ACL */
37143 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37144 + if (unlikely(obj->mode & GR_WRITE))
37145 + task->is_writable = 1;
37146 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
37147 + if (unlikely(obj->mode & GR_WRITE))
37148 + task->is_writable = 1;
37150 + gr_set_proc_res(task);
37152 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37153 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37156 + read_unlock(&grsec_exec_file_lock);
37157 + read_unlock(&tasklist_lock);
37158 + rcu_read_unlock();
37159 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
37163 + // it's a kernel process
37164 + task->role = kernel_role;
37165 + task->acl = kernel_role->root_label;
37166 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
37167 + task->acl->mode &= ~GR_PROCFIND;
37170 + } while_each_thread(task2, task);
37171 + read_unlock(&grsec_exec_file_lock);
37172 + read_unlock(&tasklist_lock);
37173 + rcu_read_unlock();
37179 +gr_learn_resource(const struct task_struct *task,
37180 + const int res, const unsigned long wanted, const int gt)
37182 + struct acl_subject_label *acl;
37183 + const struct cred *cred;
37185 + if (unlikely((gr_status & GR_READY) &&
37186 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
37187 + goto skip_reslog;
37189 +#ifdef CONFIG_GRKERNSEC_RESLOG
37190 + gr_log_resource(task, res, wanted, gt);
37194 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
37199 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
37200 + !(acl->resmask & (1 << (unsigned short) res))))
37203 + if (wanted >= acl->res[res].rlim_cur) {
37204 + unsigned long res_add;
37206 + res_add = wanted;
37209 + res_add += GR_RLIM_CPU_BUMP;
37211 + case RLIMIT_FSIZE:
37212 + res_add += GR_RLIM_FSIZE_BUMP;
37214 + case RLIMIT_DATA:
37215 + res_add += GR_RLIM_DATA_BUMP;
37217 + case RLIMIT_STACK:
37218 + res_add += GR_RLIM_STACK_BUMP;
37220 + case RLIMIT_CORE:
37221 + res_add += GR_RLIM_CORE_BUMP;
37224 + res_add += GR_RLIM_RSS_BUMP;
37226 + case RLIMIT_NPROC:
37227 + res_add += GR_RLIM_NPROC_BUMP;
37229 + case RLIMIT_NOFILE:
37230 + res_add += GR_RLIM_NOFILE_BUMP;
37232 + case RLIMIT_MEMLOCK:
37233 + res_add += GR_RLIM_MEMLOCK_BUMP;
37236 + res_add += GR_RLIM_AS_BUMP;
37238 + case RLIMIT_LOCKS:
37239 + res_add += GR_RLIM_LOCKS_BUMP;
37241 + case RLIMIT_SIGPENDING:
37242 + res_add += GR_RLIM_SIGPENDING_BUMP;
37244 + case RLIMIT_MSGQUEUE:
37245 + res_add += GR_RLIM_MSGQUEUE_BUMP;
37247 + case RLIMIT_NICE:
37248 + res_add += GR_RLIM_NICE_BUMP;
37250 + case RLIMIT_RTPRIO:
37251 + res_add += GR_RLIM_RTPRIO_BUMP;
37253 + case RLIMIT_RTTIME:
37254 + res_add += GR_RLIM_RTTIME_BUMP;
37258 + acl->res[res].rlim_cur = res_add;
37260 + if (wanted > acl->res[res].rlim_max)
37261 + acl->res[res].rlim_max = res_add;
37263 + /* only log the subject filename, since resource logging is supported for
37264 + single-subject learning only */
37266 + cred = __task_cred(task);
37267 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
37268 + task->role->roletype, cred->uid, cred->gid, acl->filename,
37269 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
37270 + "", (unsigned long) res, &task->signal->curr_ip);
37271 + rcu_read_unlock();
37277 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
37279 +pax_set_initial_flags(struct linux_binprm *bprm)
37281 + struct task_struct *task = current;
37282 + struct acl_subject_label *proc;
37283 + unsigned long flags;
37285 + if (unlikely(!(gr_status & GR_READY)))
37288 + flags = pax_get_flags(task);
37290 + proc = task->acl;
37292 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
37293 + flags &= ~MF_PAX_PAGEEXEC;
37294 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
37295 + flags &= ~MF_PAX_SEGMEXEC;
37296 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
37297 + flags &= ~MF_PAX_RANDMMAP;
37298 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
37299 + flags &= ~MF_PAX_EMUTRAMP;
37300 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
37301 + flags &= ~MF_PAX_MPROTECT;
37303 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
37304 + flags |= MF_PAX_PAGEEXEC;
37305 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
37306 + flags |= MF_PAX_SEGMEXEC;
37307 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
37308 + flags |= MF_PAX_RANDMMAP;
37309 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
37310 + flags |= MF_PAX_EMUTRAMP;
37311 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
37312 + flags |= MF_PAX_MPROTECT;
37314 + pax_set_flags(task, flags);
37320 +#ifdef CONFIG_SYSCTL
37321 +/* Eric Biederman likes breaking userland ABI and every inode-based security
37322 + system to save 35kb of memory */
37324 +/* we modify the passed in filename, but adjust it back before returning */
37325 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
37327 + struct name_entry *nmatch;
37328 + char *p, *lastp = NULL;
37329 + struct acl_object_label *obj = NULL, *tmp;
37330 + struct acl_subject_label *tmpsubj;
37333 + read_lock(&gr_inode_lock);
37335 + p = name + len - 1;
37337 + nmatch = lookup_name_entry(name);
37338 + if (lastp != NULL)
37341 + if (nmatch == NULL)
37342 + goto next_component;
37343 + tmpsubj = current->acl;
37345 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
37346 + if (obj != NULL) {
37347 + tmp = obj->globbed;
37349 + if (!glob_match(tmp->filename, name)) {
37357 + } while ((tmpsubj = tmpsubj->parent_subject));
37363 + while (*p != '/')
37375 + read_unlock(&gr_inode_lock);
37376 + /* obj returned will always be non-null */
37380 +/* returns 0 when allowing, non-zero on error
37381 + op of 0 is used for readdir, so we don't log the names of hidden files
37384 +gr_handle_sysctl(const struct ctl_table *table, const int op)
37386 + struct ctl_table *tmp;
37387 + const char *proc_sys = "/proc/sys";
37389 + struct acl_object_label *obj;
37390 + unsigned short len = 0, pos = 0, depth = 0, i;
37394 + if (unlikely(!(gr_status & GR_READY)))
37397 + /* for now, ignore operations on non-sysctl entries if it's not a
37399 + if (table->child != NULL && op != 0)
37403 + /* it's only a read if it's an entry, read on dirs is for readdir */
37404 + if (op & MAY_READ)
37406 + if (op & MAY_WRITE)
37407 + mode |= GR_WRITE;
37409 + preempt_disable();
37411 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
37413 + /* it's only a read/write if it's an actual entry, not a dir
37414 + (which are opened for readdir)
37417 + /* convert the requested sysctl entry into a pathname */
37419 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
37420 + len += strlen(tmp->procname);
37425 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
37430 + memset(path, 0, PAGE_SIZE);
37432 + memcpy(path, proc_sys, strlen(proc_sys));
37434 + pos += strlen(proc_sys);
37436 + for (; depth > 0; depth--) {
37439 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
37440 + if (depth == i) {
37441 + memcpy(path + pos, tmp->procname,
37442 + strlen(tmp->procname));
37443 + pos += strlen(tmp->procname);
37449 + obj = gr_lookup_by_name(path, pos);
37450 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
37452 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
37453 + ((err & mode) != mode))) {
37454 + __u32 new_mode = mode;
37456 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37459 + gr_log_learn_sysctl(path, new_mode);
37460 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
37461 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
37463 + } else if (!(err & GR_FIND)) {
37465 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
37466 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
37467 + path, (mode & GR_READ) ? " reading" : "",
37468 + (mode & GR_WRITE) ? " writing" : "");
37470 + } else if ((err & mode) != mode) {
37472 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
37473 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
37474 + path, (mode & GR_READ) ? " reading" : "",
37475 + (mode & GR_WRITE) ? " writing" : "");
37481 + preempt_enable();
37488 +gr_handle_proc_ptrace(struct task_struct *task)
37490 + struct file *filp;
37491 + struct task_struct *tmp = task;
37492 + struct task_struct *curtemp = current;
37495 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
37496 + if (unlikely(!(gr_status & GR_READY)))
37500 + read_lock(&tasklist_lock);
37501 + read_lock(&grsec_exec_file_lock);
37502 + filp = task->exec_file;
37504 + while (tmp->pid > 0) {
37505 + if (tmp == curtemp)
37507 + tmp = tmp->parent;
37510 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
37511 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
37512 + read_unlock(&grsec_exec_file_lock);
37513 + read_unlock(&tasklist_lock);
37517 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
37518 + if (!(gr_status & GR_READY)) {
37519 + read_unlock(&grsec_exec_file_lock);
37520 + read_unlock(&tasklist_lock);
37525 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
37526 + read_unlock(&grsec_exec_file_lock);
37527 + read_unlock(&tasklist_lock);
37529 + if (retmode & GR_NOPTRACE)
37532 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
37533 + && (current->acl != task->acl || (current->acl != current->role->root_label
37534 + && current->pid != task->pid)))
37541 +gr_handle_ptrace(struct task_struct *task, const long request)
37543 + struct task_struct *tmp = task;
37544 + struct task_struct *curtemp = current;
37547 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
37548 + if (unlikely(!(gr_status & GR_READY)))
37552 + read_lock(&tasklist_lock);
37553 + while (tmp->pid > 0) {
37554 + if (tmp == curtemp)
37556 + tmp = tmp->parent;
37559 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
37560 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
37561 + read_unlock(&tasklist_lock);
37562 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37565 + read_unlock(&tasklist_lock);
37567 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
37568 + if (!(gr_status & GR_READY))
37572 + read_lock(&grsec_exec_file_lock);
37573 + if (unlikely(!task->exec_file)) {
37574 + read_unlock(&grsec_exec_file_lock);
37578 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
37579 + read_unlock(&grsec_exec_file_lock);
37581 + if (retmode & GR_NOPTRACE) {
37582 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37586 + if (retmode & GR_PTRACERD) {
37587 + switch (request) {
37588 + case PTRACE_POKETEXT:
37589 + case PTRACE_POKEDATA:
37590 + case PTRACE_POKEUSR:
37591 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
37592 + case PTRACE_SETREGS:
37593 + case PTRACE_SETFPREGS:
37596 + case PTRACE_SETFPXREGS:
37598 +#ifdef CONFIG_ALTIVEC
37599 + case PTRACE_SETVRREGS:
37605 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
37606 + !(current->role->roletype & GR_ROLE_GOD) &&
37607 + (current->acl != task->acl)) {
37608 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37615 +static int is_writable_mmap(const struct file *filp)
37617 + struct task_struct *task = current;
37618 + struct acl_object_label *obj, *obj2;
37620 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
37621 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {
37622 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37623 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
37624 + task->role->root_label);
37625 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
37626 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
37634 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
37638 + if (unlikely(!file || !(prot & PROT_EXEC)))
37641 + if (is_writable_mmap(file))
37645 + gr_search_file(file->f_path.dentry,
37646 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
37647 + file->f_path.mnt);
37649 + if (!gr_tpe_allow(file))
37652 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
37653 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37655 + } else if (unlikely(!(mode & GR_EXEC))) {
37657 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
37658 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37666 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
37670 + if (unlikely(!file || !(prot & PROT_EXEC)))
37673 + if (is_writable_mmap(file))
37677 + gr_search_file(file->f_path.dentry,
37678 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
37679 + file->f_path.mnt);
37681 + if (!gr_tpe_allow(file))
37684 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
37685 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37687 + } else if (unlikely(!(mode & GR_EXEC))) {
37689 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
37690 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37698 +gr_acl_handle_psacct(struct task_struct *task, const long code)
37700 + unsigned long runtime;
37701 + unsigned long cputime;
37702 + unsigned int wday, cday;
37706 + struct timespec timeval;
37708 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
37709 + !(task->acl->mode & GR_PROCACCT)))
37712 + do_posix_clock_monotonic_gettime(&timeval);
37713 + runtime = timeval.tv_sec - task->start_time.tv_sec;
37714 + wday = runtime / (3600 * 24);
37715 + runtime -= wday * (3600 * 24);
37716 + whr = runtime / 3600;
37717 + runtime -= whr * 3600;
37718 + wmin = runtime / 60;
37719 + runtime -= wmin * 60;
37722 + cputime = (task->utime + task->stime) / HZ;
37723 + cday = cputime / (3600 * 24);
37724 + cputime -= cday * (3600 * 24);
37725 + chr = cputime / 3600;
37726 + cputime -= chr * 3600;
37727 + cmin = cputime / 60;
37728 + cputime -= cmin * 60;
37731 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
37736 +void gr_set_kernel_label(struct task_struct *task)
37738 + if (gr_status & GR_READY) {
37739 + task->role = kernel_role;
37740 + task->acl = kernel_role->root_label;
37745 +#ifdef CONFIG_TASKSTATS
37746 +int gr_is_taskstats_denied(int pid)
37748 + struct task_struct *task;
37749 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37750 + const struct cred *cred;
37754 + /* restrict taskstats viewing to un-chrooted root users
37755 + who have the 'view' subject flag if the RBAC system is enabled
37759 + read_lock(&tasklist_lock);
37760 + task = find_task_by_vpid(pid);
37762 +#ifdef CONFIG_GRKERNSEC_CHROOT
37763 + if (proc_is_chrooted(task))
37766 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37767 + cred = __task_cred(task);
37768 +#ifdef CONFIG_GRKERNSEC_PROC_USER
37769 + if (cred->uid != 0)
37771 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37772 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
37776 + if (gr_status & GR_READY) {
37777 + if (!(task->acl->mode & GR_VIEW))
37783 + read_unlock(&tasklist_lock);
37784 + rcu_read_unlock();
37790 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
37792 + struct task_struct *task = current;
37793 + struct dentry *dentry = file->f_path.dentry;
37794 + struct vfsmount *mnt = file->f_path.mnt;
37795 + struct acl_object_label *obj, *tmp;
37796 + struct acl_subject_label *subj;
37797 + unsigned int bufsize;
37801 + if (unlikely(!(gr_status & GR_READY)))
37804 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37807 + /* ignore Eric Biederman */
37808 + if (IS_PRIVATE(dentry->d_inode))
37811 + subj = task->acl;
37813 + obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
37815 + return (obj->mode & GR_FIND) ? 1 : 0;
37816 + } while ((subj = subj->parent_subject));
37818 + /* this is purely an optimization since we're looking for an object
37819 + for the directory we're doing a readdir on
37820 + if it's possible for any globbed object to match the entry we're
37821 + filling into the directory, then the object we find here will be
37822 + an anchor point with attached globbed objects
37824 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
37825 + if (obj->globbed == NULL)
37826 + return (obj->mode & GR_FIND) ? 1 : 0;
37828 + is_not_root = ((obj->filename[0] == '/') &&
37829 + (obj->filename[1] == '\0')) ? 0 : 1;
37830 + bufsize = PAGE_SIZE - namelen - is_not_root;
37832 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
37833 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
37836 + preempt_disable();
37837 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
37840 + bufsize = strlen(path);
37842 + /* if base is "/", don't append an additional slash */
37844 + *(path + bufsize) = '/';
37845 + memcpy(path + bufsize + is_not_root, name, namelen);
37846 + *(path + bufsize + namelen + is_not_root) = '\0';
37848 + tmp = obj->globbed;
37850 + if (!glob_match(tmp->filename, path)) {
37851 + preempt_enable();
37852 + return (tmp->mode & GR_FIND) ? 1 : 0;
37856 + preempt_enable();
37857 + return (obj->mode & GR_FIND) ? 1 : 0;
37860 +EXPORT_SYMBOL(gr_learn_resource);
37861 +EXPORT_SYMBOL(gr_set_kernel_label);
37862 +#ifdef CONFIG_SECURITY
37863 +EXPORT_SYMBOL(gr_check_user_change);
37864 +EXPORT_SYMBOL(gr_check_group_change);
37867 diff -urNp linux-2.6.35.4/grsecurity/gracl_cap.c linux-2.6.35.4/grsecurity/gracl_cap.c
37868 --- linux-2.6.35.4/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
37869 +++ linux-2.6.35.4/grsecurity/gracl_cap.c 2010-09-17 20:12:37.000000000 -0400
37871 +#include <linux/kernel.h>
37872 +#include <linux/module.h>
37873 +#include <linux/sched.h>
37874 +#include <linux/gracl.h>
37875 +#include <linux/grsecurity.h>
37876 +#include <linux/grinternal.h>
37878 +static const char *captab_log[] = {
37880 + "CAP_DAC_OVERRIDE",
37881 + "CAP_DAC_READ_SEARCH",
37888 + "CAP_LINUX_IMMUTABLE",
37889 + "CAP_NET_BIND_SERVICE",
37890 + "CAP_NET_BROADCAST",
37895 + "CAP_SYS_MODULE",
37897 + "CAP_SYS_CHROOT",
37898 + "CAP_SYS_PTRACE",
37903 + "CAP_SYS_RESOURCE",
37905 + "CAP_SYS_TTY_CONFIG",
37908 + "CAP_AUDIT_WRITE",
37909 + "CAP_AUDIT_CONTROL",
37911 + "CAP_MAC_OVERRIDE",
37915 +EXPORT_SYMBOL(gr_is_capable);
37916 +EXPORT_SYMBOL(gr_is_capable_nolog);
37919 +gr_is_capable(const int cap)
37921 + struct task_struct *task = current;
37922 + const struct cred *cred = current_cred();
37923 + struct acl_subject_label *curracl;
37924 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
37925 + kernel_cap_t cap_audit = __cap_empty_set;
37927 + if (!gr_acl_is_enabled())
37930 + curracl = task->acl;
37932 + cap_drop = curracl->cap_lower;
37933 + cap_mask = curracl->cap_mask;
37934 + cap_audit = curracl->cap_invert_audit;
37936 + while ((curracl = curracl->parent_subject)) {
37937 + /* if the cap isn't specified in the current computed mask but is specified in the
37938 + current level subject, and is lowered in the current level subject, then add
37939 + it to the set of dropped capabilities
37940 + otherwise, add the current level subject's mask to the current computed mask
37942 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
37943 + cap_raise(cap_mask, cap);
37944 + if (cap_raised(curracl->cap_lower, cap))
37945 + cap_raise(cap_drop, cap);
37946 + if (cap_raised(curracl->cap_invert_audit, cap))
37947 + cap_raise(cap_audit, cap);
37951 + if (!cap_raised(cap_drop, cap)) {
37952 + if (cap_raised(cap_audit, cap))
37953 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
37957 + curracl = task->acl;
37959 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
37960 + && cap_raised(cred->cap_effective, cap)) {
37961 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
37962 + task->role->roletype, cred->uid,
37963 + cred->gid, task->exec_file ?
37964 + gr_to_filename(task->exec_file->f_path.dentry,
37965 + task->exec_file->f_path.mnt) : curracl->filename,
37966 + curracl->filename, 0UL,
37967 + 0UL, "", (unsigned long) cap, &task->signal->curr_ip);
37971 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
37972 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
37977 +gr_is_capable_nolog(const int cap)
37979 + struct acl_subject_label *curracl;
37980 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
37982 + if (!gr_acl_is_enabled())
37985 + curracl = current->acl;
37987 + cap_drop = curracl->cap_lower;
37988 + cap_mask = curracl->cap_mask;
37990 + while ((curracl = curracl->parent_subject)) {
37991 + /* if the cap isn't specified in the current computed mask but is specified in the
37992 + current level subject, and is lowered in the current level subject, then add
37993 + it to the set of dropped capabilities
37994 + otherwise, add the current level subject's mask to the current computed mask
37996 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
37997 + cap_raise(cap_mask, cap);
37998 + if (cap_raised(curracl->cap_lower, cap))
37999 + cap_raise(cap_drop, cap);
38003 + if (!cap_raised(cap_drop, cap))
38009 diff -urNp linux-2.6.35.4/grsecurity/gracl_fs.c linux-2.6.35.4/grsecurity/gracl_fs.c
38010 --- linux-2.6.35.4/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
38011 +++ linux-2.6.35.4/grsecurity/gracl_fs.c 2010-09-17 20:12:37.000000000 -0400
38013 +#include <linux/kernel.h>
38014 +#include <linux/sched.h>
38015 +#include <linux/types.h>
38016 +#include <linux/fs.h>
38017 +#include <linux/file.h>
38018 +#include <linux/stat.h>
38019 +#include <linux/grsecurity.h>
38020 +#include <linux/grinternal.h>
38021 +#include <linux/gracl.h>
38024 +gr_acl_handle_hidden_file(const struct dentry * dentry,
38025 + const struct vfsmount * mnt)
38029 + if (unlikely(!dentry->d_inode))
38033 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
38035 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
38036 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38038 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
38039 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38041 + } else if (unlikely(!(mode & GR_FIND)))
38048 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
38051 + __u32 reqmode = GR_FIND;
38054 + if (unlikely(!dentry->d_inode))
38057 + if (unlikely(fmode & O_APPEND))
38058 + reqmode |= GR_APPEND;
38059 + else if (unlikely(fmode & FMODE_WRITE))
38060 + reqmode |= GR_WRITE;
38061 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38062 + reqmode |= GR_READ;
38063 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
38064 + reqmode &= ~GR_READ;
38066 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38069 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38070 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38071 + reqmode & GR_READ ? " reading" : "",
38072 + reqmode & GR_WRITE ? " writing" : reqmode &
38073 + GR_APPEND ? " appending" : "");
38076 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38078 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38079 + reqmode & GR_READ ? " reading" : "",
38080 + reqmode & GR_WRITE ? " writing" : reqmode &
38081 + GR_APPEND ? " appending" : "");
38083 + } else if (unlikely((mode & reqmode) != reqmode))
38090 +gr_acl_handle_creat(const struct dentry * dentry,
38091 + const struct dentry * p_dentry,
38092 + const struct vfsmount * p_mnt, const int fmode,
38095 + __u32 reqmode = GR_WRITE | GR_CREATE;
38098 + if (unlikely(fmode & O_APPEND))
38099 + reqmode |= GR_APPEND;
38100 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38101 + reqmode |= GR_READ;
38102 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
38103 + reqmode |= GR_SETID;
38106 + gr_check_create(dentry, p_dentry, p_mnt,
38107 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
38109 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38110 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
38111 + reqmode & GR_READ ? " reading" : "",
38112 + reqmode & GR_WRITE ? " writing" : reqmode &
38113 + GR_APPEND ? " appending" : "");
38116 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38118 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
38119 + reqmode & GR_READ ? " reading" : "",
38120 + reqmode & GR_WRITE ? " writing" : reqmode &
38121 + GR_APPEND ? " appending" : "");
38123 + } else if (unlikely((mode & reqmode) != reqmode))
38130 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
38133 + __u32 mode, reqmode = GR_FIND;
38135 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
38136 + reqmode |= GR_EXEC;
38137 + if (fmode & S_IWOTH)
38138 + reqmode |= GR_WRITE;
38139 + if (fmode & S_IROTH)
38140 + reqmode |= GR_READ;
38143 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38146 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38147 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
38148 + reqmode & GR_READ ? " reading" : "",
38149 + reqmode & GR_WRITE ? " writing" : "",
38150 + reqmode & GR_EXEC ? " executing" : "");
38153 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38155 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
38156 + reqmode & GR_READ ? " reading" : "",
38157 + reqmode & GR_WRITE ? " writing" : "",
38158 + reqmode & GR_EXEC ? " executing" : "");
38160 + } else if (unlikely((mode & reqmode) != reqmode))
38166 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
38170 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
38172 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
38173 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
38175 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
38176 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
38178 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
38181 + return (reqmode);
38185 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
38187 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
38191 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
38193 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
38197 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
38199 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
38203 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
38205 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
38209 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
38212 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
38215 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
38216 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
38217 + GR_FCHMOD_ACL_MSG);
38219 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
38224 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
38227 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
38228 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
38229 + GR_CHMOD_ACL_MSG);
38231 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
38236 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
38238 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
38242 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
38244 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
38248 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
38250 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
38251 + GR_UNIXCONNECT_ACL_MSG);
38254 +/* hardlinks require at minimum create permission,
38255 + any additional privilege required is based on the
38256 + privilege of the file being linked to
38259 +gr_acl_handle_link(const struct dentry * new_dentry,
38260 + const struct dentry * parent_dentry,
38261 + const struct vfsmount * parent_mnt,
38262 + const struct dentry * old_dentry,
38263 + const struct vfsmount * old_mnt, const char *to)
38266 + __u32 needmode = GR_CREATE | GR_LINK;
38267 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
38270 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
38273 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
38274 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
38276 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
38277 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
38279 + } else if (unlikely((mode & needmode) != needmode))
38286 +gr_acl_handle_symlink(const struct dentry * new_dentry,
38287 + const struct dentry * parent_dentry,
38288 + const struct vfsmount * parent_mnt, const char *from)
38290 + __u32 needmode = GR_WRITE | GR_CREATE;
38294 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
38295 + GR_CREATE | GR_AUDIT_CREATE |
38296 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
38298 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
38299 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
38301 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
38302 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
38304 + } else if (unlikely((mode & needmode) != needmode))
38307 + return (GR_WRITE | GR_CREATE);
38310 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
38314 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
38316 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
38317 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
38319 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
38320 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
38322 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
38325 + return (reqmode);
38329 +gr_acl_handle_mknod(const struct dentry * new_dentry,
38330 + const struct dentry * parent_dentry,
38331 + const struct vfsmount * parent_mnt,
38334 + __u32 reqmode = GR_WRITE | GR_CREATE;
38335 + if (unlikely(mode & (S_ISUID | S_ISGID)))
38336 + reqmode |= GR_SETID;
38338 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
38339 + reqmode, GR_MKNOD_ACL_MSG);
38343 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
38344 + const struct dentry *parent_dentry,
38345 + const struct vfsmount *parent_mnt)
38347 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
38348 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
38351 +#define RENAME_CHECK_SUCCESS(old, new) \
38352 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
38353 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
38356 +gr_acl_handle_rename(struct dentry *new_dentry,
38357 + struct dentry *parent_dentry,
38358 + const struct vfsmount *parent_mnt,
38359 + struct dentry *old_dentry,
38360 + struct inode *old_parent_inode,
38361 + struct vfsmount *old_mnt, const char *newname)
38363 + __u32 comp1, comp2;
38366 + if (unlikely(!gr_acl_is_enabled()))
38369 + if (!new_dentry->d_inode) {
38370 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
38371 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
38372 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
38373 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
38374 + GR_DELETE | GR_AUDIT_DELETE |
38375 + GR_AUDIT_READ | GR_AUDIT_WRITE |
38376 + GR_SUPPRESS, old_mnt);
38378 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
38379 + GR_CREATE | GR_DELETE |
38380 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
38381 + GR_AUDIT_READ | GR_AUDIT_WRITE |
38382 + GR_SUPPRESS, parent_mnt);
38384 + gr_search_file(old_dentry,
38385 + GR_READ | GR_WRITE | GR_AUDIT_READ |
38386 + GR_DELETE | GR_AUDIT_DELETE |
38387 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
38390 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
38391 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
38392 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
38393 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
38394 + && !(comp2 & GR_SUPPRESS)) {
38395 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
38397 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
38404 +gr_acl_handle_exit(void)
38408 + struct file *exec_file;
38410 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
38411 + id = current->acl_role_id;
38412 + rolename = current->role->rolename;
38414 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
38417 + write_lock(&grsec_exec_file_lock);
38418 + exec_file = current->exec_file;
38419 + current->exec_file = NULL;
38420 + write_unlock(&grsec_exec_file_lock);
38427 +gr_acl_handle_procpidmem(const struct task_struct *task)
38429 + if (unlikely(!gr_acl_is_enabled()))
38432 + if (task != current && task->acl->mode & GR_PROTPROCFD)
38437 diff -urNp linux-2.6.35.4/grsecurity/gracl_ip.c linux-2.6.35.4/grsecurity/gracl_ip.c
38438 --- linux-2.6.35.4/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
38439 +++ linux-2.6.35.4/grsecurity/gracl_ip.c 2010-09-17 20:12:37.000000000 -0400
38441 +#include <linux/kernel.h>
38442 +#include <asm/uaccess.h>
38443 +#include <asm/errno.h>
38444 +#include <net/sock.h>
38445 +#include <linux/file.h>
38446 +#include <linux/fs.h>
38447 +#include <linux/net.h>
38448 +#include <linux/in.h>
38449 +#include <linux/skbuff.h>
38450 +#include <linux/ip.h>
38451 +#include <linux/udp.h>
38452 +#include <linux/smp_lock.h>
38453 +#include <linux/types.h>
38454 +#include <linux/sched.h>
38455 +#include <linux/netdevice.h>
38456 +#include <linux/inetdevice.h>
38457 +#include <linux/gracl.h>
38458 +#include <linux/grsecurity.h>
38459 +#include <linux/grinternal.h>
38461 +#define GR_BIND 0x01
38462 +#define GR_CONNECT 0x02
38463 +#define GR_INVERT 0x04
38464 +#define GR_BINDOVERRIDE 0x08
38465 +#define GR_CONNECTOVERRIDE 0x10
38467 +static const char * gr_protocols[256] = {
38468 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
38469 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
38470 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
38471 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
38472 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
38473 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
38474 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
38475 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
38476 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
38477 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
38478 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
38479 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
38480 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
38481 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
38482 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
38483 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
38484 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
38485 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
38486 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
38487 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
38488 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
38489 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
38490 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
38491 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
38492 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
38493 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
38494 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
38495 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
38496 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
38497 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
38498 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
38499 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
38502 +static const char * gr_socktypes[11] = {
38503 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
38504 + "unknown:7", "unknown:8", "unknown:9", "packet"
38508 +gr_proto_to_name(unsigned char proto)
38510 + return gr_protocols[proto];
38514 +gr_socktype_to_name(unsigned char type)
38516 + return gr_socktypes[type];
38520 +gr_search_socket(const int domain, const int type, const int protocol)
38522 + struct acl_subject_label *curr;
38523 + const struct cred *cred = current_cred();
38525 + if (unlikely(!gr_acl_is_enabled()))
38528 + if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
38529 + || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
38530 + goto exit; // let the kernel handle it
38532 + curr = current->acl;
38537 + if ((curr->ip_type & (1 << type)) &&
38538 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
38541 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
38542 + /* we don't place acls on raw sockets , and sometimes
38543 + dgram/ip sockets are opened for ioctl and not
38544 + bind/connect, so we'll fake a bind learn log */
38545 + if (type == SOCK_RAW || type == SOCK_PACKET) {
38546 + __u32 fakeip = 0;
38547 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38548 + current->role->roletype, cred->uid,
38549 + cred->gid, current->exec_file ?
38550 + gr_to_filename(current->exec_file->f_path.dentry,
38551 + current->exec_file->f_path.mnt) :
38552 + curr->filename, curr->filename,
38553 + &fakeip, 0, type,
38554 + protocol, GR_CONNECT, ¤t->signal->curr_ip);
38555 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
38556 + __u32 fakeip = 0;
38557 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38558 + current->role->roletype, cred->uid,
38559 + cred->gid, current->exec_file ?
38560 + gr_to_filename(current->exec_file->f_path.dentry,
38561 + current->exec_file->f_path.mnt) :
38562 + curr->filename, curr->filename,
38563 + &fakeip, 0, type,
38564 + protocol, GR_BIND, ¤t->signal->curr_ip);
38566 + /* we'll log when they use connect or bind */
38570 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
38571 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
38578 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
38580 + if ((ip->mode & mode) &&
38581 + (ip_port >= ip->low) &&
38582 + (ip_port <= ip->high) &&
38583 + ((ntohl(ip_addr) & our_netmask) ==
38584 + (ntohl(our_addr) & our_netmask))
38585 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
38586 + && (ip->type & (1 << type))) {
38587 + if (ip->mode & GR_INVERT)
38588 + return 2; // specifically denied
38590 + return 1; // allowed
38593 + return 0; // not specifically allowed, may continue parsing
38597 +gr_search_connectbind(const int full_mode, struct sock *sk,
38598 + struct sockaddr_in *addr, const int type)
38600 + char iface[IFNAMSIZ] = {0};
38601 + struct acl_subject_label *curr;
38602 + struct acl_ip_label *ip;
38603 + struct inet_sock *isk;
38604 + struct net_device *dev;
38605 + struct in_device *idev;
38608 + int mode = full_mode & (GR_BIND | GR_CONNECT);
38609 + __u32 ip_addr = 0;
38611 + __u32 our_netmask;
38613 + __u16 ip_port = 0;
38614 + const struct cred *cred = current_cred();
38616 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
38619 + curr = current->acl;
38620 + isk = inet_sk(sk);
38622 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
38623 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
38624 + addr->sin_addr.s_addr = curr->inaddr_any_override;
38625 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
38626 + struct sockaddr_in saddr;
38629 + saddr.sin_family = AF_INET;
38630 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
38631 + saddr.sin_port = isk->inet_sport;
38633 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
38637 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
38645 + ip_addr = addr->sin_addr.s_addr;
38646 + ip_port = ntohs(addr->sin_port);
38648 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
38649 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38650 + current->role->roletype, cred->uid,
38651 + cred->gid, current->exec_file ?
38652 + gr_to_filename(current->exec_file->f_path.dentry,
38653 + current->exec_file->f_path.mnt) :
38654 + curr->filename, curr->filename,
38655 + &ip_addr, ip_port, type,
38656 + sk->sk_protocol, mode, ¤t->signal->curr_ip);
38660 + for (i = 0; i < curr->ip_num; i++) {
38661 + ip = *(curr->ips + i);
38662 + if (ip->iface != NULL) {
38663 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
38664 + p = strchr(iface, ':');
38667 + dev = dev_get_by_name(sock_net(sk), iface);
38670 + idev = in_dev_get(dev);
38671 + if (idev == NULL) {
38677 + if (!strcmp(ip->iface, ifa->ifa_label)) {
38678 + our_addr = ifa->ifa_address;
38679 + our_netmask = 0xffffffff;
38680 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
38682 + rcu_read_unlock();
38683 + in_dev_put(idev);
38686 + } else if (ret == 2) {
38687 + rcu_read_unlock();
38688 + in_dev_put(idev);
38693 + } endfor_ifa(idev);
38694 + rcu_read_unlock();
38695 + in_dev_put(idev);
38698 + our_addr = ip->addr;
38699 + our_netmask = ip->netmask;
38700 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
38703 + else if (ret == 2)
38709 + if (mode == GR_BIND)
38710 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
38711 + else if (mode == GR_CONNECT)
38712 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
38718 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
38720 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
38724 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
38726 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
38729 +int gr_search_listen(struct socket *sock)
38731 + struct sock *sk = sock->sk;
38732 + struct sockaddr_in addr;
38734 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
38735 + addr.sin_port = inet_sk(sk)->inet_sport;
38737 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
38740 +int gr_search_accept(struct socket *sock)
38742 + struct sock *sk = sock->sk;
38743 + struct sockaddr_in addr;
38745 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
38746 + addr.sin_port = inet_sk(sk)->inet_sport;
38748 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
38752 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
38755 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
38757 + struct sockaddr_in sin;
38758 + const struct inet_sock *inet = inet_sk(sk);
38760 + sin.sin_addr.s_addr = inet->inet_daddr;
38761 + sin.sin_port = inet->inet_dport;
38763 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
38768 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
38770 + struct sockaddr_in sin;
38772 + if (unlikely(skb->len < sizeof (struct udphdr)))
38773 + return 0; // skip this packet
38775 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
38776 + sin.sin_port = udp_hdr(skb)->source;
38778 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
38780 diff -urNp linux-2.6.35.4/grsecurity/gracl_learn.c linux-2.6.35.4/grsecurity/gracl_learn.c
38781 --- linux-2.6.35.4/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
38782 +++ linux-2.6.35.4/grsecurity/gracl_learn.c 2010-09-17 20:12:37.000000000 -0400
38784 +#include <linux/kernel.h>
38785 +#include <linux/mm.h>
38786 +#include <linux/sched.h>
38787 +#include <linux/poll.h>
38788 +#include <linux/smp_lock.h>
38789 +#include <linux/string.h>
38790 +#include <linux/file.h>
38791 +#include <linux/types.h>
38792 +#include <linux/vmalloc.h>
38793 +#include <linux/grinternal.h>
38795 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
38796 + size_t count, loff_t *ppos);
38797 +extern int gr_acl_is_enabled(void);
38799 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
38800 +static int gr_learn_attached;
38802 +/* use a 512k buffer */
38803 +#define LEARN_BUFFER_SIZE (512 * 1024)
38805 +static DEFINE_SPINLOCK(gr_learn_lock);
38806 +static DECLARE_MUTEX(gr_learn_user_sem);
38808 +/* we need to maintain two buffers, so that the kernel context of grlearn
38809 + uses a semaphore around the userspace copying, and the other kernel contexts
38810 + use a spinlock when copying into the buffer, since they cannot sleep
38812 +static char *learn_buffer;
38813 +static char *learn_buffer_user;
38814 +static int learn_buffer_len;
38815 +static int learn_buffer_user_len;
38818 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
38820 + DECLARE_WAITQUEUE(wait, current);
38821 + ssize_t retval = 0;
38823 + add_wait_queue(&learn_wait, &wait);
38824 + set_current_state(TASK_INTERRUPTIBLE);
38826 + down(&gr_learn_user_sem);
38827 + spin_lock(&gr_learn_lock);
38828 + if (learn_buffer_len)
38830 + spin_unlock(&gr_learn_lock);
38831 + up(&gr_learn_user_sem);
38832 + if (file->f_flags & O_NONBLOCK) {
38833 + retval = -EAGAIN;
38836 + if (signal_pending(current)) {
38837 + retval = -ERESTARTSYS;
38844 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
38845 + learn_buffer_user_len = learn_buffer_len;
38846 + retval = learn_buffer_len;
38847 + learn_buffer_len = 0;
38849 + spin_unlock(&gr_learn_lock);
38851 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
38852 + retval = -EFAULT;
38854 + up(&gr_learn_user_sem);
38856 + set_current_state(TASK_RUNNING);
38857 + remove_wait_queue(&learn_wait, &wait);
38861 +static unsigned int
38862 +poll_learn(struct file * file, poll_table * wait)
38864 + poll_wait(file, &learn_wait, wait);
38866 + if (learn_buffer_len)
38867 + return (POLLIN | POLLRDNORM);
38873 +gr_clear_learn_entries(void)
38877 + down(&gr_learn_user_sem);
38878 + if (learn_buffer != NULL) {
38879 + spin_lock(&gr_learn_lock);
38880 + tmp = learn_buffer;
38881 + learn_buffer = NULL;
38882 + spin_unlock(&gr_learn_lock);
38883 + vfree(learn_buffer);
38885 + if (learn_buffer_user != NULL) {
38886 + vfree(learn_buffer_user);
38887 + learn_buffer_user = NULL;
38889 + learn_buffer_len = 0;
38890 + up(&gr_learn_user_sem);
38896 +gr_add_learn_entry(const char *fmt, ...)
38899 + unsigned int len;
38901 + if (!gr_learn_attached)
38904 + spin_lock(&gr_learn_lock);
38906 + /* leave a gap at the end so we know when it's "full" but don't have to
38907 + compute the exact length of the string we're trying to append
38909 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
38910 + spin_unlock(&gr_learn_lock);
38911 + wake_up_interruptible(&learn_wait);
38914 + if (learn_buffer == NULL) {
38915 + spin_unlock(&gr_learn_lock);
38919 + va_start(args, fmt);
38920 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
38923 + learn_buffer_len += len + 1;
38925 + spin_unlock(&gr_learn_lock);
38926 + wake_up_interruptible(&learn_wait);
38932 +open_learn(struct inode *inode, struct file *file)
38934 + if (file->f_mode & FMODE_READ && gr_learn_attached)
38936 + if (file->f_mode & FMODE_READ) {
38938 + down(&gr_learn_user_sem);
38939 + if (learn_buffer == NULL)
38940 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
38941 + if (learn_buffer_user == NULL)
38942 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
38943 + if (learn_buffer == NULL) {
38944 + retval = -ENOMEM;
38947 + if (learn_buffer_user == NULL) {
38948 + retval = -ENOMEM;
38951 + learn_buffer_len = 0;
38952 + learn_buffer_user_len = 0;
38953 + gr_learn_attached = 1;
38955 + up(&gr_learn_user_sem);
38962 +close_learn(struct inode *inode, struct file *file)
38966 + if (file->f_mode & FMODE_READ) {
38967 + down(&gr_learn_user_sem);
38968 + if (learn_buffer != NULL) {
38969 + spin_lock(&gr_learn_lock);
38970 + tmp = learn_buffer;
38971 + learn_buffer = NULL;
38972 + spin_unlock(&gr_learn_lock);
38975 + if (learn_buffer_user != NULL) {
38976 + vfree(learn_buffer_user);
38977 + learn_buffer_user = NULL;
38979 + learn_buffer_len = 0;
38980 + learn_buffer_user_len = 0;
38981 + gr_learn_attached = 0;
38982 + up(&gr_learn_user_sem);
38988 +const struct file_operations grsec_fops = {
38989 + .read = read_learn,
38990 + .write = write_grsec_handler,
38991 + .open = open_learn,
38992 + .release = close_learn,
38993 + .poll = poll_learn,
38995 diff -urNp linux-2.6.35.4/grsecurity/gracl_res.c linux-2.6.35.4/grsecurity/gracl_res.c
38996 --- linux-2.6.35.4/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
38997 +++ linux-2.6.35.4/grsecurity/gracl_res.c 2010-09-17 20:12:37.000000000 -0400
38999 +#include <linux/kernel.h>
39000 +#include <linux/sched.h>
39001 +#include <linux/gracl.h>
39002 +#include <linux/grinternal.h>
39004 +static const char *restab_log[] = {
39005 + [RLIMIT_CPU] = "RLIMIT_CPU",
39006 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
39007 + [RLIMIT_DATA] = "RLIMIT_DATA",
39008 + [RLIMIT_STACK] = "RLIMIT_STACK",
39009 + [RLIMIT_CORE] = "RLIMIT_CORE",
39010 + [RLIMIT_RSS] = "RLIMIT_RSS",
39011 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
39012 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
39013 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
39014 + [RLIMIT_AS] = "RLIMIT_AS",
39015 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
39016 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
39017 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
39018 + [RLIMIT_NICE] = "RLIMIT_NICE",
39019 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
39020 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
39021 + [GR_CRASH_RES] = "RLIMIT_CRASH"
39025 +gr_log_resource(const struct task_struct *task,
39026 + const int res, const unsigned long wanted, const int gt)
39028 + const struct cred *cred;
39029 + unsigned long rlim;
39031 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
39034 + // not yet supported resource
39035 + if (unlikely(!restab_log[res]))
39038 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
39039 + rlim = task_rlimit_max(task, res);
39041 + rlim = task_rlimit(task, res);
39043 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
39047 + cred = __task_cred(task);
39049 + if (res == RLIMIT_NPROC &&
39050 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
39051 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
39052 + goto out_rcu_unlock;
39053 + else if (res == RLIMIT_MEMLOCK &&
39054 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
39055 + goto out_rcu_unlock;
39056 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
39057 + goto out_rcu_unlock;
39058 + rcu_read_unlock();
39060 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
39064 + rcu_read_unlock();
39067 diff -urNp linux-2.6.35.4/grsecurity/gracl_segv.c linux-2.6.35.4/grsecurity/gracl_segv.c
39068 --- linux-2.6.35.4/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
39069 +++ linux-2.6.35.4/grsecurity/gracl_segv.c 2010-09-17 20:12:37.000000000 -0400
39071 +#include <linux/kernel.h>
39072 +#include <linux/mm.h>
39073 +#include <asm/uaccess.h>
39074 +#include <asm/errno.h>
39075 +#include <asm/mman.h>
39076 +#include <net/sock.h>
39077 +#include <linux/file.h>
39078 +#include <linux/fs.h>
39079 +#include <linux/net.h>
39080 +#include <linux/in.h>
39081 +#include <linux/smp_lock.h>
39082 +#include <linux/slab.h>
39083 +#include <linux/types.h>
39084 +#include <linux/sched.h>
39085 +#include <linux/timer.h>
39086 +#include <linux/gracl.h>
39087 +#include <linux/grsecurity.h>
39088 +#include <linux/grinternal.h>
39090 +static struct crash_uid *uid_set;
39091 +static unsigned short uid_used;
39092 +static DEFINE_SPINLOCK(gr_uid_lock);
39093 +extern rwlock_t gr_inode_lock;
39094 +extern struct acl_subject_label *
39095 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
39096 + struct acl_role_label *role);
39097 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
39100 +gr_init_uidset(void)
39103 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
39106 + return uid_set ? 1 : 0;
39110 +gr_free_uidset(void)
39119 +gr_find_uid(const uid_t uid)
39121 + struct crash_uid *tmp = uid_set;
39123 + int low = 0, high = uid_used - 1, mid;
39125 + while (high >= low) {
39126 + mid = (low + high) >> 1;
39127 + buid = tmp[mid].uid;
39139 +static __inline__ void
39140 +gr_insertsort(void)
39142 + unsigned short i, j;
39143 + struct crash_uid index;
39145 + for (i = 1; i < uid_used; i++) {
39146 + index = uid_set[i];
39148 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
39149 + uid_set[j] = uid_set[j - 1];
39152 + uid_set[j] = index;
39158 +static __inline__ void
39159 +gr_insert_uid(const uid_t uid, const unsigned long expires)
39163 + if (uid_used == GR_UIDTABLE_MAX)
39166 + loc = gr_find_uid(uid);
39169 + uid_set[loc].expires = expires;
39173 + uid_set[uid_used].uid = uid;
39174 + uid_set[uid_used].expires = expires;
39183 +gr_remove_uid(const unsigned short loc)
39185 + unsigned short i;
39187 + for (i = loc + 1; i < uid_used; i++)
39188 + uid_set[i - 1] = uid_set[i];
39196 +gr_check_crash_uid(const uid_t uid)
39201 + if (unlikely(!gr_acl_is_enabled()))
39204 + spin_lock(&gr_uid_lock);
39205 + loc = gr_find_uid(uid);
39210 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
39211 + gr_remove_uid(loc);
39216 + spin_unlock(&gr_uid_lock);
39220 +static __inline__ int
39221 +proc_is_setxid(const struct cred *cred)
39223 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
39224 + cred->uid != cred->fsuid)
39226 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
39227 + cred->gid != cred->fsgid)
39232 +static __inline__ int
39233 +gr_fake_force_sig(int sig, struct task_struct *t)
39235 + unsigned long int flags;
39236 + int ret, blocked, ignored;
39237 + struct k_sigaction *action;
39239 + spin_lock_irqsave(&t->sighand->siglock, flags);
39240 + action = &t->sighand->action[sig-1];
39241 + ignored = action->sa.sa_handler == SIG_IGN;
39242 + blocked = sigismember(&t->blocked, sig);
39243 + if (blocked || ignored) {
39244 + action->sa.sa_handler = SIG_DFL;
39246 + sigdelset(&t->blocked, sig);
39247 + recalc_sigpending_and_wake(t);
39250 + if (action->sa.sa_handler == SIG_DFL)
39251 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
39252 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
39254 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
39260 +gr_handle_crash(struct task_struct *task, const int sig)
39262 + struct acl_subject_label *curr;
39263 + struct acl_subject_label *curr2;
39264 + struct task_struct *tsk, *tsk2;
39265 + const struct cred *cred;
39266 + const struct cred *cred2;
39268 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
39271 + if (unlikely(!gr_acl_is_enabled()))
39274 + curr = task->acl;
39276 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
39279 + if (time_before_eq(curr->expires, get_seconds())) {
39280 + curr->expires = 0;
39281 + curr->crashes = 0;
39286 + if (!curr->expires)
39287 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
39289 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
39290 + time_after(curr->expires, get_seconds())) {
39292 + cred = __task_cred(task);
39293 + if (cred->uid && proc_is_setxid(cred)) {
39294 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
39295 + spin_lock(&gr_uid_lock);
39296 + gr_insert_uid(cred->uid, curr->expires);
39297 + spin_unlock(&gr_uid_lock);
39298 + curr->expires = 0;
39299 + curr->crashes = 0;
39300 + read_lock(&tasklist_lock);
39301 + do_each_thread(tsk2, tsk) {
39302 + cred2 = __task_cred(tsk);
39303 + if (tsk != task && cred2->uid == cred->uid)
39304 + gr_fake_force_sig(SIGKILL, tsk);
39305 + } while_each_thread(tsk2, tsk);
39306 + read_unlock(&tasklist_lock);
39308 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
39309 + read_lock(&tasklist_lock);
39310 + do_each_thread(tsk2, tsk) {
39311 + if (likely(tsk != task)) {
39312 + curr2 = tsk->acl;
39314 + if (curr2->device == curr->device &&
39315 + curr2->inode == curr->inode)
39316 + gr_fake_force_sig(SIGKILL, tsk);
39318 + } while_each_thread(tsk2, tsk);
39319 + read_unlock(&tasklist_lock);
39321 + rcu_read_unlock();
39328 +gr_check_crash_exec(const struct file *filp)
39330 + struct acl_subject_label *curr;
39332 + if (unlikely(!gr_acl_is_enabled()))
39335 + read_lock(&gr_inode_lock);
39336 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
39337 + filp->f_path.dentry->d_inode->i_sb->s_dev,
39339 + read_unlock(&gr_inode_lock);
39341 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
39342 + (!curr->crashes && !curr->expires))
39345 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
39346 + time_after(curr->expires, get_seconds()))
39348 + else if (time_before_eq(curr->expires, get_seconds())) {
39349 + curr->crashes = 0;
39350 + curr->expires = 0;
39357 +gr_handle_alertkill(struct task_struct *task)
39359 + struct acl_subject_label *curracl;
39361 + struct task_struct *p, *p2;
39363 + if (unlikely(!gr_acl_is_enabled()))
39366 + curracl = task->acl;
39367 + curr_ip = task->signal->curr_ip;
39369 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
39370 + read_lock(&tasklist_lock);
39371 + do_each_thread(p2, p) {
39372 + if (p->signal->curr_ip == curr_ip)
39373 + gr_fake_force_sig(SIGKILL, p);
39374 + } while_each_thread(p2, p);
39375 + read_unlock(&tasklist_lock);
39376 + } else if (curracl->mode & GR_KILLPROC)
39377 + gr_fake_force_sig(SIGKILL, task);
39381 diff -urNp linux-2.6.35.4/grsecurity/gracl_shm.c linux-2.6.35.4/grsecurity/gracl_shm.c
39382 --- linux-2.6.35.4/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
39383 +++ linux-2.6.35.4/grsecurity/gracl_shm.c 2010-09-17 20:12:37.000000000 -0400
39385 +#include <linux/kernel.h>
39386 +#include <linux/mm.h>
39387 +#include <linux/sched.h>
39388 +#include <linux/file.h>
39389 +#include <linux/ipc.h>
39390 +#include <linux/gracl.h>
39391 +#include <linux/grsecurity.h>
39392 +#include <linux/grinternal.h>
39395 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39396 + const time_t shm_createtime, const uid_t cuid, const int shmid)
39398 + struct task_struct *task;
39400 + if (!gr_acl_is_enabled())
39404 + read_lock(&tasklist_lock);
39406 + task = find_task_by_vpid(shm_cprid);
39408 + if (unlikely(!task))
39409 + task = find_task_by_vpid(shm_lapid);
39411 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
39412 + (task->pid == shm_lapid)) &&
39413 + (task->acl->mode & GR_PROTSHM) &&
39414 + (task->acl != current->acl))) {
39415 + read_unlock(&tasklist_lock);
39416 + rcu_read_unlock();
39417 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
39420 + read_unlock(&tasklist_lock);
39421 + rcu_read_unlock();
39425 diff -urNp linux-2.6.35.4/grsecurity/grsec_chdir.c linux-2.6.35.4/grsecurity/grsec_chdir.c
39426 --- linux-2.6.35.4/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
39427 +++ linux-2.6.35.4/grsecurity/grsec_chdir.c 2010-09-17 20:12:37.000000000 -0400
39429 +#include <linux/kernel.h>
39430 +#include <linux/sched.h>
39431 +#include <linux/fs.h>
39432 +#include <linux/file.h>
39433 +#include <linux/grsecurity.h>
39434 +#include <linux/grinternal.h>
39437 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
39439 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
39440 + if ((grsec_enable_chdir && grsec_enable_group &&
39441 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
39442 + !grsec_enable_group)) {
39443 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
39448 diff -urNp linux-2.6.35.4/grsecurity/grsec_chroot.c linux-2.6.35.4/grsecurity/grsec_chroot.c
39449 --- linux-2.6.35.4/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
39450 +++ linux-2.6.35.4/grsecurity/grsec_chroot.c 2010-09-17 20:12:37.000000000 -0400
39452 +#include <linux/kernel.h>
39453 +#include <linux/module.h>
39454 +#include <linux/sched.h>
39455 +#include <linux/file.h>
39456 +#include <linux/fs.h>
39457 +#include <linux/mount.h>
39458 +#include <linux/types.h>
39459 +#include <linux/pid_namespace.h>
39460 +#include <linux/grsecurity.h>
39461 +#include <linux/grinternal.h>
39463 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
39465 +#ifdef CONFIG_GRKERNSEC
39466 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
39467 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
39468 + task->gr_is_chrooted = 1;
39470 + task->gr_is_chrooted = 0;
39472 + task->gr_chroot_dentry = path->dentry;
39477 +void gr_clear_chroot_entries(struct task_struct *task)
39479 +#ifdef CONFIG_GRKERNSEC
39480 + task->gr_is_chrooted = 0;
39481 + task->gr_chroot_dentry = NULL;
39487 +gr_handle_chroot_unix(const pid_t pid)
39489 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
39490 + struct pid *spid = NULL;
39492 + if (unlikely(!grsec_enable_chroot_unix))
39495 + if (likely(!proc_is_chrooted(current)))
39499 + read_lock(&tasklist_lock);
39501 + spid = find_vpid(pid);
39503 + struct task_struct *p;
39504 + p = pid_task(spid, PIDTYPE_PID);
39505 + if (unlikely(!have_same_root(current, p))) {
39506 + read_unlock(&tasklist_lock);
39507 + rcu_read_unlock();
39508 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
39512 + read_unlock(&tasklist_lock);
39513 + rcu_read_unlock();
39519 +gr_handle_chroot_nice(void)
39521 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39522 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
39523 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
39531 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
39533 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39534 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
39535 + && proc_is_chrooted(current)) {
39536 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
39544 +gr_handle_chroot_rawio(const struct inode *inode)
39546 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39547 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
39548 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
39555 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
39557 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
39558 + struct task_struct *p;
39560 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
39563 + read_lock(&tasklist_lock);
39564 + do_each_pid_task(pid, type, p) {
39565 + if (!have_same_root(current, p)) {
39569 + } while_each_pid_task(pid, type, p);
39571 + read_unlock(&tasklist_lock);
39578 +gr_pid_is_chrooted(struct task_struct *p)
39580 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
39581 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
39584 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
39585 + !have_same_root(current, p)) {
39592 +EXPORT_SYMBOL(gr_pid_is_chrooted);
39594 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
39595 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
39597 + struct dentry *dentry = (struct dentry *)u_dentry;
39598 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
39599 + struct dentry *realroot;
39600 + struct vfsmount *realrootmnt;
39601 + struct dentry *currentroot;
39602 + struct vfsmount *currentmnt;
39603 + struct task_struct *reaper = &init_task;
39606 + read_lock(&reaper->fs->lock);
39607 + realrootmnt = mntget(reaper->fs->root.mnt);
39608 + realroot = dget(reaper->fs->root.dentry);
39609 + read_unlock(&reaper->fs->lock);
39611 + read_lock(¤t->fs->lock);
39612 + currentmnt = mntget(current->fs->root.mnt);
39613 + currentroot = dget(current->fs->root.dentry);
39614 + read_unlock(¤t->fs->lock);
39616 + spin_lock(&dcache_lock);
39618 + if (unlikely((dentry == realroot && mnt == realrootmnt)
39619 + || (dentry == currentroot && mnt == currentmnt)))
39621 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
39622 + if (mnt->mnt_parent == mnt)
39624 + dentry = mnt->mnt_mountpoint;
39625 + mnt = mnt->mnt_parent;
39628 + dentry = dentry->d_parent;
39630 + spin_unlock(&dcache_lock);
39632 + dput(currentroot);
39633 + mntput(currentmnt);
39635 + /* access is outside of chroot */
39636 + if (dentry == realroot && mnt == realrootmnt)
39640 + mntput(realrootmnt);
39646 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
39648 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
39649 + if (!grsec_enable_chroot_fchdir)
39652 + if (!proc_is_chrooted(current))
39654 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
39655 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
39663 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39664 + const time_t shm_createtime)
39666 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
39667 + struct pid *pid = NULL;
39668 + time_t starttime;
39670 + if (unlikely(!grsec_enable_chroot_shmat))
39673 + if (likely(!proc_is_chrooted(current)))
39677 + read_lock(&tasklist_lock);
39679 + pid = find_vpid(shm_cprid);
39681 + struct task_struct *p;
39682 + p = pid_task(pid, PIDTYPE_PID);
39683 + starttime = p->start_time.tv_sec;
39684 + if (unlikely(!have_same_root(current, p) &&
39685 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
39686 + read_unlock(&tasklist_lock);
39687 + rcu_read_unlock();
39688 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
39692 + pid = find_vpid(shm_lapid);
39694 + struct task_struct *p;
39695 + p = pid_task(pid, PIDTYPE_PID);
39696 + if (unlikely(!have_same_root(current, p))) {
39697 + read_unlock(&tasklist_lock);
39698 + rcu_read_unlock();
39699 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
39705 + read_unlock(&tasklist_lock);
39706 + rcu_read_unlock();
39712 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
39714 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
39715 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
39716 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
39722 +gr_handle_chroot_mknod(const struct dentry *dentry,
39723 + const struct vfsmount *mnt, const int mode)
39725 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
39726 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
39727 + proc_is_chrooted(current)) {
39728 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
39736 +gr_handle_chroot_mount(const struct dentry *dentry,
39737 + const struct vfsmount *mnt, const char *dev_name)
39739 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
39740 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
39741 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
39749 +gr_handle_chroot_pivot(void)
39751 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
39752 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
39753 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
39761 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
39763 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
39764 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
39765 + !gr_is_outside_chroot(dentry, mnt)) {
39766 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
39774 +gr_handle_chroot_caps(struct path *path)
39776 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39777 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
39778 + (init_task.fs->root.dentry != path->dentry) &&
39779 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
39781 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
39782 + const struct cred *old = current_cred();
39783 + struct cred *new = prepare_creds();
39787 + new->cap_permitted = cap_drop(old->cap_permitted,
39789 + new->cap_inheritable = cap_drop(old->cap_inheritable,
39791 + new->cap_effective = cap_drop(old->cap_effective,
39794 + commit_creds(new);
39803 +gr_handle_chroot_sysctl(const int op)
39805 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
39806 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
39807 + proc_is_chrooted(current))
39814 +gr_handle_chroot_chdir(struct path *path)
39816 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
39817 + if (grsec_enable_chroot_chdir)
39818 + set_fs_pwd(current->fs, path);
39824 +gr_handle_chroot_chmod(const struct dentry *dentry,
39825 + const struct vfsmount *mnt, const int mode)
39827 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
39828 + if (grsec_enable_chroot_chmod &&
39829 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
39830 + proc_is_chrooted(current)) {
39831 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
39838 +#ifdef CONFIG_SECURITY
39839 +EXPORT_SYMBOL(gr_handle_chroot_caps);
39841 diff -urNp linux-2.6.35.4/grsecurity/grsec_disabled.c linux-2.6.35.4/grsecurity/grsec_disabled.c
39842 --- linux-2.6.35.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
39843 +++ linux-2.6.35.4/grsecurity/grsec_disabled.c 2010-09-17 20:12:37.000000000 -0400
39845 +#include <linux/kernel.h>
39846 +#include <linux/module.h>
39847 +#include <linux/sched.h>
39848 +#include <linux/file.h>
39849 +#include <linux/fs.h>
39850 +#include <linux/kdev_t.h>
39851 +#include <linux/net.h>
39852 +#include <linux/in.h>
39853 +#include <linux/ip.h>
39854 +#include <linux/skbuff.h>
39855 +#include <linux/sysctl.h>
39857 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
39859 +pax_set_initial_flags(struct linux_binprm *bprm)
39865 +#ifdef CONFIG_SYSCTL
39867 +gr_handle_sysctl(const struct ctl_table * table, const int op)
39873 +#ifdef CONFIG_TASKSTATS
39874 +int gr_is_taskstats_denied(int pid)
39881 +gr_acl_is_enabled(void)
39887 +gr_handle_rawio(const struct inode *inode)
39893 +gr_acl_handle_psacct(struct task_struct *task, const long code)
39899 +gr_handle_ptrace(struct task_struct *task, const long request)
39905 +gr_handle_proc_ptrace(struct task_struct *task)
39911 +gr_learn_resource(const struct task_struct *task,
39912 + const int res, const unsigned long wanted, const int gt)
39918 +gr_set_acls(const int type)
39924 +gr_check_hidden_task(const struct task_struct *tsk)
39930 +gr_check_protected_task(const struct task_struct *task)
39936 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
39942 +gr_copy_label(struct task_struct *tsk)
39948 +gr_set_pax_flags(struct task_struct *task)
39954 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
39955 + const int unsafe_share)
39961 +gr_handle_delete(const ino_t ino, const dev_t dev)
39967 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
39973 +gr_handle_crash(struct task_struct *task, const int sig)
39979 +gr_check_crash_exec(const struct file *filp)
39985 +gr_check_crash_uid(const uid_t uid)
39991 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
39992 + struct dentry *old_dentry,
39993 + struct dentry *new_dentry,
39994 + struct vfsmount *mnt, const __u8 replace)
40000 +gr_search_socket(const int family, const int type, const int protocol)
40006 +gr_search_connectbind(const int mode, const struct socket *sock,
40007 + const struct sockaddr_in *addr)
40013 +gr_is_capable(const int cap)
40019 +gr_is_capable_nolog(const int cap)
40025 +gr_handle_alertkill(struct task_struct *task)
40031 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
40037 +gr_acl_handle_hidden_file(const struct dentry * dentry,
40038 + const struct vfsmount * mnt)
40044 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
40051 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
40057 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
40063 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
40064 + unsigned int *vm_flags)
40070 +gr_acl_handle_truncate(const struct dentry * dentry,
40071 + const struct vfsmount * mnt)
40077 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
40083 +gr_acl_handle_access(const struct dentry * dentry,
40084 + const struct vfsmount * mnt, const int fmode)
40090 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
40097 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
40104 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
40110 +grsecurity_init(void)
40116 +gr_acl_handle_mknod(const struct dentry * new_dentry,
40117 + const struct dentry * parent_dentry,
40118 + const struct vfsmount * parent_mnt,
40125 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
40126 + const struct dentry * parent_dentry,
40127 + const struct vfsmount * parent_mnt)
40133 +gr_acl_handle_symlink(const struct dentry * new_dentry,
40134 + const struct dentry * parent_dentry,
40135 + const struct vfsmount * parent_mnt, const char *from)
40141 +gr_acl_handle_link(const struct dentry * new_dentry,
40142 + const struct dentry * parent_dentry,
40143 + const struct vfsmount * parent_mnt,
40144 + const struct dentry * old_dentry,
40145 + const struct vfsmount * old_mnt, const char *to)
40151 +gr_acl_handle_rename(const struct dentry *new_dentry,
40152 + const struct dentry *parent_dentry,
40153 + const struct vfsmount *parent_mnt,
40154 + const struct dentry *old_dentry,
40155 + const struct inode *old_parent_inode,
40156 + const struct vfsmount *old_mnt, const char *newname)
40162 +gr_acl_handle_filldir(const struct file *file, const char *name,
40163 + const int namelen, const ino_t ino)
40169 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40170 + const time_t shm_createtime, const uid_t cuid, const int shmid)
40176 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
40182 +gr_search_accept(const struct socket *sock)
40188 +gr_search_listen(const struct socket *sock)
40194 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
40200 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
40206 +gr_acl_handle_creat(const struct dentry * dentry,
40207 + const struct dentry * p_dentry,
40208 + const struct vfsmount * p_mnt, const int fmode,
40215 +gr_acl_handle_exit(void)
40221 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
40227 +gr_set_role_label(const uid_t uid, const gid_t gid)
40233 +gr_acl_handle_procpidmem(const struct task_struct *task)
40239 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
40245 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
40251 +gr_set_kernel_label(struct task_struct *task)
40257 +gr_check_user_change(int real, int effective, int fs)
40263 +gr_check_group_change(int real, int effective, int fs)
40268 +EXPORT_SYMBOL(gr_is_capable);
40269 +EXPORT_SYMBOL(gr_is_capable_nolog);
40270 +EXPORT_SYMBOL(gr_learn_resource);
40271 +EXPORT_SYMBOL(gr_set_kernel_label);
40272 +#ifdef CONFIG_SECURITY
40273 +EXPORT_SYMBOL(gr_check_user_change);
40274 +EXPORT_SYMBOL(gr_check_group_change);
40276 diff -urNp linux-2.6.35.4/grsecurity/grsec_exec.c linux-2.6.35.4/grsecurity/grsec_exec.c
40277 --- linux-2.6.35.4/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
40278 +++ linux-2.6.35.4/grsecurity/grsec_exec.c 2010-09-17 20:12:37.000000000 -0400
40280 +#include <linux/kernel.h>
40281 +#include <linux/sched.h>
40282 +#include <linux/file.h>
40283 +#include <linux/binfmts.h>
40284 +#include <linux/smp_lock.h>
40285 +#include <linux/fs.h>
40286 +#include <linux/types.h>
40287 +#include <linux/grdefs.h>
40288 +#include <linux/grinternal.h>
40289 +#include <linux/capability.h>
40291 +#include <asm/uaccess.h>
40293 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40294 +static char gr_exec_arg_buf[132];
40295 +static DECLARE_MUTEX(gr_exec_arg_sem);
40299 +gr_handle_nproc(void)
40301 +#ifdef CONFIG_GRKERNSEC_EXECVE
40302 + const struct cred *cred = current_cred();
40303 + if (grsec_enable_execve && cred->user &&
40304 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
40305 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
40306 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
40314 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
40316 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40317 + char *grarg = gr_exec_arg_buf;
40318 + unsigned int i, x, execlen = 0;
40321 + if (!((grsec_enable_execlog && grsec_enable_group &&
40322 + in_group_p(grsec_audit_gid))
40323 + || (grsec_enable_execlog && !grsec_enable_group)))
40326 + down(&gr_exec_arg_sem);
40327 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
40329 + if (unlikely(argv == NULL))
40332 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
40333 + const char __user *p;
40334 + unsigned int len;
40336 + if (copy_from_user(&p, argv + i, sizeof(p)))
40340 + len = strnlen_user(p, 128 - execlen);
40341 + if (len > 128 - execlen)
40342 + len = 128 - execlen;
40343 + else if (len > 0)
40345 + if (copy_from_user(grarg + execlen, p, len))
40348 + /* rewrite unprintable characters */
40349 + for (x = 0; x < len; x++) {
40350 + c = *(grarg + execlen + x);
40351 + if (c < 32 || c > 126)
40352 + *(grarg + execlen + x) = ' ';
40356 + *(grarg + execlen) = ' ';
40357 + *(grarg + execlen + 1) = '\0';
40362 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
40363 + bprm->file->f_path.mnt, grarg);
40364 + up(&gr_exec_arg_sem);
40368 diff -urNp linux-2.6.35.4/grsecurity/grsec_fifo.c linux-2.6.35.4/grsecurity/grsec_fifo.c
40369 --- linux-2.6.35.4/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
40370 +++ linux-2.6.35.4/grsecurity/grsec_fifo.c 2010-09-17 20:12:37.000000000 -0400
40372 +#include <linux/kernel.h>
40373 +#include <linux/sched.h>
40374 +#include <linux/fs.h>
40375 +#include <linux/file.h>
40376 +#include <linux/grinternal.h>
40379 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
40380 + const struct dentry *dir, const int flag, const int acc_mode)
40382 +#ifdef CONFIG_GRKERNSEC_FIFO
40383 + const struct cred *cred = current_cred();
40385 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
40386 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
40387 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
40388 + (cred->fsuid != dentry->d_inode->i_uid)) {
40389 + if (!generic_permission(dentry->d_inode, acc_mode, NULL))
40390 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
40396 diff -urNp linux-2.6.35.4/grsecurity/grsec_fork.c linux-2.6.35.4/grsecurity/grsec_fork.c
40397 --- linux-2.6.35.4/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
40398 +++ linux-2.6.35.4/grsecurity/grsec_fork.c 2010-09-17 20:12:37.000000000 -0400
40400 +#include <linux/kernel.h>
40401 +#include <linux/sched.h>
40402 +#include <linux/grsecurity.h>
40403 +#include <linux/grinternal.h>
40404 +#include <linux/errno.h>
40407 +gr_log_forkfail(const int retval)
40409 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
40410 + if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
40411 + gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
40415 diff -urNp linux-2.6.35.4/grsecurity/grsec_init.c linux-2.6.35.4/grsecurity/grsec_init.c
40416 --- linux-2.6.35.4/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
40417 +++ linux-2.6.35.4/grsecurity/grsec_init.c 2010-09-17 20:12:37.000000000 -0400
40419 +#include <linux/kernel.h>
40420 +#include <linux/sched.h>
40421 +#include <linux/mm.h>
40422 +#include <linux/smp_lock.h>
40423 +#include <linux/gracl.h>
40424 +#include <linux/slab.h>
40425 +#include <linux/vmalloc.h>
40426 +#include <linux/percpu.h>
40427 +#include <linux/module.h>
40429 +int grsec_enable_link;
40430 +int grsec_enable_dmesg;
40431 +int grsec_enable_harden_ptrace;
40432 +int grsec_enable_fifo;
40433 +int grsec_enable_execve;
40434 +int grsec_enable_execlog;
40435 +int grsec_enable_signal;
40436 +int grsec_enable_forkfail;
40437 +int grsec_enable_audit_ptrace;
40438 +int grsec_enable_time;
40439 +int grsec_enable_audit_textrel;
40440 +int grsec_enable_group;
40441 +int grsec_audit_gid;
40442 +int grsec_enable_chdir;
40443 +int grsec_enable_mount;
40444 +int grsec_enable_rofs;
40445 +int grsec_enable_chroot_findtask;
40446 +int grsec_enable_chroot_mount;
40447 +int grsec_enable_chroot_shmat;
40448 +int grsec_enable_chroot_fchdir;
40449 +int grsec_enable_chroot_double;
40450 +int grsec_enable_chroot_pivot;
40451 +int grsec_enable_chroot_chdir;
40452 +int grsec_enable_chroot_chmod;
40453 +int grsec_enable_chroot_mknod;
40454 +int grsec_enable_chroot_nice;
40455 +int grsec_enable_chroot_execlog;
40456 +int grsec_enable_chroot_caps;
40457 +int grsec_enable_chroot_sysctl;
40458 +int grsec_enable_chroot_unix;
40459 +int grsec_enable_tpe;
40460 +int grsec_tpe_gid;
40461 +int grsec_enable_blackhole;
40462 +#ifdef CONFIG_IPV6_MODULE
40463 +EXPORT_SYMBOL(grsec_enable_blackhole);
40465 +int grsec_lastack_retries;
40466 +int grsec_enable_tpe_all;
40467 +int grsec_enable_tpe_invert;
40468 +int grsec_enable_socket_all;
40469 +int grsec_socket_all_gid;
40470 +int grsec_enable_socket_client;
40471 +int grsec_socket_client_gid;
40472 +int grsec_enable_socket_server;
40473 +int grsec_socket_server_gid;
40474 +int grsec_resource_logging;
40475 +int grsec_disable_privio;
40478 +DEFINE_SPINLOCK(grsec_alert_lock);
40479 +unsigned long grsec_alert_wtime = 0;
40480 +unsigned long grsec_alert_fyet = 0;
40482 +DEFINE_SPINLOCK(grsec_audit_lock);
40484 +DEFINE_RWLOCK(grsec_exec_file_lock);
40486 +char *gr_shared_page[4];
40488 +char *gr_alert_log_fmt;
40489 +char *gr_audit_log_fmt;
40490 +char *gr_alert_log_buf;
40491 +char *gr_audit_log_buf;
40493 +extern struct gr_arg *gr_usermode;
40494 +extern unsigned char *gr_system_salt;
40495 +extern unsigned char *gr_system_sum;
40498 +grsecurity_init(void)
40501 + /* create the per-cpu shared pages */
40504 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
40507 + for (j = 0; j < 4; j++) {
40508 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
40509 + if (gr_shared_page[j] == NULL) {
40510 + panic("Unable to allocate grsecurity shared page");
40515 + /* allocate log buffers */
40516 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
40517 + if (!gr_alert_log_fmt) {
40518 + panic("Unable to allocate grsecurity alert log format buffer");
40521 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
40522 + if (!gr_audit_log_fmt) {
40523 + panic("Unable to allocate grsecurity audit log format buffer");
40526 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
40527 + if (!gr_alert_log_buf) {
40528 + panic("Unable to allocate grsecurity alert log buffer");
40531 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
40532 + if (!gr_audit_log_buf) {
40533 + panic("Unable to allocate grsecurity audit log buffer");
40537 + /* allocate memory for authentication structure */
40538 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
40539 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
40540 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
40542 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
40543 + panic("Unable to allocate grsecurity authentication structure");
40548 +#ifdef CONFIG_GRKERNSEC_IO
40549 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
40550 + grsec_disable_privio = 1;
40551 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
40552 + grsec_disable_privio = 1;
40554 + grsec_disable_privio = 0;
40558 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
40559 + /* for backward compatibility, tpe_invert always defaults to on if
40560 + enabled in the kernel
40562 + grsec_enable_tpe_invert = 1;
40565 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
40566 +#ifndef CONFIG_GRKERNSEC_SYSCTL
40570 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
40571 + grsec_enable_audit_textrel = 1;
40573 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
40574 + grsec_enable_group = 1;
40575 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
40577 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40578 + grsec_enable_chdir = 1;
40580 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
40581 + grsec_enable_harden_ptrace = 1;
40583 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
40584 + grsec_enable_mount = 1;
40586 +#ifdef CONFIG_GRKERNSEC_LINK
40587 + grsec_enable_link = 1;
40589 +#ifdef CONFIG_GRKERNSEC_DMESG
40590 + grsec_enable_dmesg = 1;
40592 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
40593 + grsec_enable_blackhole = 1;
40594 + grsec_lastack_retries = 4;
40596 +#ifdef CONFIG_GRKERNSEC_FIFO
40597 + grsec_enable_fifo = 1;
40599 +#ifdef CONFIG_GRKERNSEC_EXECVE
40600 + grsec_enable_execve = 1;
40602 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40603 + grsec_enable_execlog = 1;
40605 +#ifdef CONFIG_GRKERNSEC_SIGNAL
40606 + grsec_enable_signal = 1;
40608 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
40609 + grsec_enable_forkfail = 1;
40611 +#ifdef CONFIG_GRKERNSEC_TIME
40612 + grsec_enable_time = 1;
40614 +#ifdef CONFIG_GRKERNSEC_RESLOG
40615 + grsec_resource_logging = 1;
40617 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40618 + grsec_enable_chroot_findtask = 1;
40620 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
40621 + grsec_enable_chroot_unix = 1;
40623 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
40624 + grsec_enable_chroot_mount = 1;
40626 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
40627 + grsec_enable_chroot_fchdir = 1;
40629 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
40630 + grsec_enable_chroot_shmat = 1;
40632 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
40633 + grsec_enable_audit_ptrace = 1;
40635 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
40636 + grsec_enable_chroot_double = 1;
40638 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
40639 + grsec_enable_chroot_pivot = 1;
40641 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
40642 + grsec_enable_chroot_chdir = 1;
40644 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
40645 + grsec_enable_chroot_chmod = 1;
40647 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
40648 + grsec_enable_chroot_mknod = 1;
40650 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40651 + grsec_enable_chroot_nice = 1;
40653 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
40654 + grsec_enable_chroot_execlog = 1;
40656 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40657 + grsec_enable_chroot_caps = 1;
40659 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
40660 + grsec_enable_chroot_sysctl = 1;
40662 +#ifdef CONFIG_GRKERNSEC_TPE
40663 + grsec_enable_tpe = 1;
40664 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
40665 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
40666 + grsec_enable_tpe_all = 1;
40669 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
40670 + grsec_enable_socket_all = 1;
40671 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
40673 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
40674 + grsec_enable_socket_client = 1;
40675 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
40677 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
40678 + grsec_enable_socket_server = 1;
40679 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
40685 diff -urNp linux-2.6.35.4/grsecurity/grsec_link.c linux-2.6.35.4/grsecurity/grsec_link.c
40686 --- linux-2.6.35.4/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
40687 +++ linux-2.6.35.4/grsecurity/grsec_link.c 2010-09-17 20:12:37.000000000 -0400
40689 +#include <linux/kernel.h>
40690 +#include <linux/sched.h>
40691 +#include <linux/fs.h>
40692 +#include <linux/file.h>
40693 +#include <linux/grinternal.h>
40696 +gr_handle_follow_link(const struct inode *parent,
40697 + const struct inode *inode,
40698 + const struct dentry *dentry, const struct vfsmount *mnt)
40700 +#ifdef CONFIG_GRKERNSEC_LINK
40701 + const struct cred *cred = current_cred();
40703 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
40704 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
40705 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
40706 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
40714 +gr_handle_hardlink(const struct dentry *dentry,
40715 + const struct vfsmount *mnt,
40716 + struct inode *inode, const int mode, const char *to)
40718 +#ifdef CONFIG_GRKERNSEC_LINK
40719 + const struct cred *cred = current_cred();
40721 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
40722 + (!S_ISREG(mode) || (mode & S_ISUID) ||
40723 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
40724 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
40725 + !capable(CAP_FOWNER) && cred->uid) {
40726 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
40732 diff -urNp linux-2.6.35.4/grsecurity/grsec_log.c linux-2.6.35.4/grsecurity/grsec_log.c
40733 --- linux-2.6.35.4/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
40734 +++ linux-2.6.35.4/grsecurity/grsec_log.c 2010-09-17 20:12:37.000000000 -0400
40736 +#include <linux/kernel.h>
40737 +#include <linux/sched.h>
40738 +#include <linux/file.h>
40739 +#include <linux/tty.h>
40740 +#include <linux/fs.h>
40741 +#include <linux/grinternal.h>
40743 +#ifdef CONFIG_TREE_PREEMPT_RCU
40744 +#define DISABLE_PREEMPT() preempt_disable()
40745 +#define ENABLE_PREEMPT() preempt_enable()
40747 +#define DISABLE_PREEMPT()
40748 +#define ENABLE_PREEMPT()
40751 +#define BEGIN_LOCKS(x) \
40752 + DISABLE_PREEMPT(); \
40753 + rcu_read_lock(); \
40754 + read_lock(&tasklist_lock); \
40755 + read_lock(&grsec_exec_file_lock); \
40756 + if (x != GR_DO_AUDIT) \
40757 + spin_lock(&grsec_alert_lock); \
40759 + spin_lock(&grsec_audit_lock)
40761 +#define END_LOCKS(x) \
40762 + if (x != GR_DO_AUDIT) \
40763 + spin_unlock(&grsec_alert_lock); \
40765 + spin_unlock(&grsec_audit_lock); \
40766 + read_unlock(&grsec_exec_file_lock); \
40767 + read_unlock(&tasklist_lock); \
40768 + rcu_read_unlock(); \
40769 + ENABLE_PREEMPT(); \
40770 + if (x == GR_DONT_AUDIT) \
40771 + gr_handle_alertkill(current)
40778 +extern char *gr_alert_log_fmt;
40779 +extern char *gr_audit_log_fmt;
40780 +extern char *gr_alert_log_buf;
40781 +extern char *gr_audit_log_buf;
40783 +static int gr_log_start(int audit)
40785 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
40786 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
40787 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
40789 + if (audit == GR_DO_AUDIT)
40792 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
40793 + grsec_alert_wtime = jiffies;
40794 + grsec_alert_fyet = 0;
40795 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
40796 + grsec_alert_fyet++;
40797 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
40798 + grsec_alert_wtime = jiffies;
40799 + grsec_alert_fyet++;
40800 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
40802 + } else return FLOODING;
40805 + memset(buf, 0, PAGE_SIZE);
40806 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
40807 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
40808 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
40809 + } else if (current->signal->curr_ip) {
40810 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
40811 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
40812 + } else if (gr_acl_is_enabled()) {
40813 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
40814 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
40816 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
40817 + strcpy(buf, fmt);
40820 + return NO_FLOODING;
40823 +static void gr_log_middle(int audit, const char *msg, va_list ap)
40824 + __attribute__ ((format (printf, 2, 0)));
40826 +static void gr_log_middle(int audit, const char *msg, va_list ap)
40828 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
40829 + unsigned int len = strlen(buf);
40831 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
40836 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
40837 + __attribute__ ((format (printf, 2, 3)));
40839 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
40841 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
40842 + unsigned int len = strlen(buf);
40845 + va_start(ap, msg);
40846 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
40852 +static void gr_log_end(int audit)
40854 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
40855 + unsigned int len = strlen(buf);
40857 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->parent)));
40858 + printk("%s\n", buf);
40863 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
40866 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
40867 + char *str1, *str2, *str3;
40870 + unsigned long ulong1, ulong2;
40871 + struct dentry *dentry;
40872 + struct vfsmount *mnt;
40873 + struct file *file;
40874 + struct task_struct *task;
40875 + const struct cred *cred, *pcred;
40878 + BEGIN_LOCKS(audit);
40879 + logtype = gr_log_start(audit);
40880 + if (logtype == FLOODING) {
40881 + END_LOCKS(audit);
40884 + va_start(ap, argtypes);
40885 + switch (argtypes) {
40886 + case GR_TTYSNIFF:
40887 + task = va_arg(ap, struct task_struct *);
40888 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
40890 + case GR_SYSCTL_HIDDEN:
40891 + str1 = va_arg(ap, char *);
40892 + gr_log_middle_varargs(audit, msg, result, str1);
40895 + dentry = va_arg(ap, struct dentry *);
40896 + mnt = va_arg(ap, struct vfsmount *);
40897 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
40899 + case GR_RBAC_STR:
40900 + dentry = va_arg(ap, struct dentry *);
40901 + mnt = va_arg(ap, struct vfsmount *);
40902 + str1 = va_arg(ap, char *);
40903 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
40905 + case GR_STR_RBAC:
40906 + str1 = va_arg(ap, char *);
40907 + dentry = va_arg(ap, struct dentry *);
40908 + mnt = va_arg(ap, struct vfsmount *);
40909 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
40911 + case GR_RBAC_MODE2:
40912 + dentry = va_arg(ap, struct dentry *);
40913 + mnt = va_arg(ap, struct vfsmount *);
40914 + str1 = va_arg(ap, char *);
40915 + str2 = va_arg(ap, char *);
40916 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
40918 + case GR_RBAC_MODE3:
40919 + dentry = va_arg(ap, struct dentry *);
40920 + mnt = va_arg(ap, struct vfsmount *);
40921 + str1 = va_arg(ap, char *);
40922 + str2 = va_arg(ap, char *);
40923 + str3 = va_arg(ap, char *);
40924 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
40926 + case GR_FILENAME:
40927 + dentry = va_arg(ap, struct dentry *);
40928 + mnt = va_arg(ap, struct vfsmount *);
40929 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
40931 + case GR_STR_FILENAME:
40932 + str1 = va_arg(ap, char *);
40933 + dentry = va_arg(ap, struct dentry *);
40934 + mnt = va_arg(ap, struct vfsmount *);
40935 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
40937 + case GR_FILENAME_STR:
40938 + dentry = va_arg(ap, struct dentry *);
40939 + mnt = va_arg(ap, struct vfsmount *);
40940 + str1 = va_arg(ap, char *);
40941 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
40943 + case GR_FILENAME_TWO_INT:
40944 + dentry = va_arg(ap, struct dentry *);
40945 + mnt = va_arg(ap, struct vfsmount *);
40946 + num1 = va_arg(ap, int);
40947 + num2 = va_arg(ap, int);
40948 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
40950 + case GR_FILENAME_TWO_INT_STR:
40951 + dentry = va_arg(ap, struct dentry *);
40952 + mnt = va_arg(ap, struct vfsmount *);
40953 + num1 = va_arg(ap, int);
40954 + num2 = va_arg(ap, int);
40955 + str1 = va_arg(ap, char *);
40956 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
40959 + file = va_arg(ap, struct file *);
40960 + ulong1 = va_arg(ap, unsigned long);
40961 + ulong2 = va_arg(ap, unsigned long);
40962 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
40965 + task = va_arg(ap, struct task_struct *);
40966 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
40968 + case GR_RESOURCE:
40969 + task = va_arg(ap, struct task_struct *);
40970 + cred = __task_cred(task);
40971 + pcred = __task_cred(task->parent);
40972 + ulong1 = va_arg(ap, unsigned long);
40973 + str1 = va_arg(ap, char *);
40974 + ulong2 = va_arg(ap, unsigned long);
40975 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
40978 + task = va_arg(ap, struct task_struct *);
40979 + cred = __task_cred(task);
40980 + pcred = __task_cred(task->parent);
40981 + str1 = va_arg(ap, char *);
40982 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
40985 + str1 = va_arg(ap, char *);
40986 + voidptr = va_arg(ap, void *);
40987 + gr_log_middle_varargs(audit, msg, str1, voidptr);
40990 + task = va_arg(ap, struct task_struct *);
40991 + cred = __task_cred(task);
40992 + pcred = __task_cred(task->parent);
40993 + num1 = va_arg(ap, int);
40994 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
40997 + task = va_arg(ap, struct task_struct *);
40998 + cred = __task_cred(task);
40999 + pcred = __task_cred(task->parent);
41000 + ulong1 = va_arg(ap, unsigned long);
41001 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
41004 + task = va_arg(ap, struct task_struct *);
41005 + cred = __task_cred(task);
41006 + pcred = __task_cred(task->parent);
41007 + ulong1 = va_arg(ap, unsigned long);
41008 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
41012 + unsigned int wday, cday;
41016 + char cur_tty[64] = { 0 };
41017 + char parent_tty[64] = { 0 };
41019 + task = va_arg(ap, struct task_struct *);
41020 + wday = va_arg(ap, unsigned int);
41021 + cday = va_arg(ap, unsigned int);
41022 + whr = va_arg(ap, int);
41023 + chr = va_arg(ap, int);
41024 + wmin = va_arg(ap, int);
41025 + cmin = va_arg(ap, int);
41026 + wsec = va_arg(ap, int);
41027 + csec = va_arg(ap, int);
41028 + ulong1 = va_arg(ap, unsigned long);
41029 + cred = __task_cred(task);
41030 + pcred = __task_cred(task->parent);
41032 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, &task->parent->signal->curr_ip, tty_name(task->parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41036 + gr_log_middle(audit, msg, ap);
41039 + gr_log_end(audit);
41040 + END_LOCKS(audit);
41042 diff -urNp linux-2.6.35.4/grsecurity/grsec_mem.c linux-2.6.35.4/grsecurity/grsec_mem.c
41043 --- linux-2.6.35.4/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
41044 +++ linux-2.6.35.4/grsecurity/grsec_mem.c 2010-09-17 20:12:37.000000000 -0400
41046 +#include <linux/kernel.h>
41047 +#include <linux/sched.h>
41048 +#include <linux/mm.h>
41049 +#include <linux/mman.h>
41050 +#include <linux/grinternal.h>
41053 +gr_handle_ioperm(void)
41055 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
41060 +gr_handle_iopl(void)
41062 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
41067 +gr_handle_mem_write(void)
41069 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
41074 +gr_handle_kmem_write(void)
41076 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
41081 +gr_handle_open_port(void)
41083 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
41088 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
41090 + unsigned long start, end;
41093 + end = start + vma->vm_end - vma->vm_start;
41095 + if (start > end) {
41096 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
41100 + /* allowed ranges : ISA I/O BIOS */
41101 + if ((start >= __pa(high_memory))
41102 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
41103 + || (start >= 0x000a0000 && end <= 0x00100000)
41104 + || (start >= 0x00000000 && end <= 0x00001000)
41109 + if (vma->vm_flags & VM_WRITE) {
41110 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
41113 + vma->vm_flags &= ~VM_MAYWRITE;
41119 +gr_log_nonroot_mod_load(const char *modname)
41121 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
41126 +gr_handle_vm86(void)
41128 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
41131 diff -urNp linux-2.6.35.4/grsecurity/grsec_mount.c linux-2.6.35.4/grsecurity/grsec_mount.c
41132 --- linux-2.6.35.4/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
41133 +++ linux-2.6.35.4/grsecurity/grsec_mount.c 2010-09-17 20:12:37.000000000 -0400
41135 +#include <linux/kernel.h>
41136 +#include <linux/sched.h>
41137 +#include <linux/mount.h>
41138 +#include <linux/grsecurity.h>
41139 +#include <linux/grinternal.h>
41142 +gr_log_remount(const char *devname, const int retval)
41144 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41145 + if (grsec_enable_mount && (retval >= 0))
41146 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
41152 +gr_log_unmount(const char *devname, const int retval)
41154 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41155 + if (grsec_enable_mount && (retval >= 0))
41156 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
41162 +gr_log_mount(const char *from, const char *to, const int retval)
41164 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41165 + if (grsec_enable_mount && (retval >= 0))
41166 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
41172 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
41174 +#ifdef CONFIG_GRKERNSEC_ROFS
41175 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
41176 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
41185 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
41187 +#ifdef CONFIG_GRKERNSEC_ROFS
41188 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
41189 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
41190 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
41197 diff -urNp linux-2.6.35.4/grsecurity/grsec_ptrace.c linux-2.6.35.4/grsecurity/grsec_ptrace.c
41198 --- linux-2.6.35.4/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
41199 +++ linux-2.6.35.4/grsecurity/grsec_ptrace.c 2010-09-17 20:12:37.000000000 -0400
41201 +#include <linux/kernel.h>
41202 +#include <linux/sched.h>
41203 +#include <linux/grinternal.h>
41204 +#include <linux/grsecurity.h>
41207 +gr_audit_ptrace(struct task_struct *task)
41209 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
41210 + if (grsec_enable_audit_ptrace)
41211 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
41215 diff -urNp linux-2.6.35.4/grsecurity/grsec_sig.c linux-2.6.35.4/grsecurity/grsec_sig.c
41216 --- linux-2.6.35.4/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
41217 +++ linux-2.6.35.4/grsecurity/grsec_sig.c 2010-09-17 20:12:37.000000000 -0400
41219 +#include <linux/kernel.h>
41220 +#include <linux/sched.h>
41221 +#include <linux/delay.h>
41222 +#include <linux/grsecurity.h>
41223 +#include <linux/grinternal.h>
41225 +char *signames[] = {
41226 + [SIGSEGV] = "Segmentation fault",
41227 + [SIGILL] = "Illegal instruction",
41228 + [SIGABRT] = "Abort",
41229 + [SIGBUS] = "Invalid alignment/Bus error"
41233 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
41235 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41236 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
41237 + (sig == SIGABRT) || (sig == SIGBUS))) {
41238 + if (t->pid == current->pid) {
41239 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
41241 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
41249 +gr_handle_signal(const struct task_struct *p, const int sig)
41251 +#ifdef CONFIG_GRKERNSEC
41252 + if (current->pid > 1 && gr_check_protected_task(p)) {
41253 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
41255 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
41262 +void gr_handle_brute_attach(struct task_struct *p)
41264 +#ifdef CONFIG_GRKERNSEC_BRUTE
41265 + read_lock(&tasklist_lock);
41266 + read_lock(&grsec_exec_file_lock);
41267 + if (p->parent && p->parent->exec_file == p->exec_file)
41268 + p->parent->brute = 1;
41269 + read_unlock(&grsec_exec_file_lock);
41270 + read_unlock(&tasklist_lock);
41275 +void gr_handle_brute_check(void)
41277 +#ifdef CONFIG_GRKERNSEC_BRUTE
41278 + if (current->brute)
41279 + msleep(30 * 1000);
41284 diff -urNp linux-2.6.35.4/grsecurity/grsec_sock.c linux-2.6.35.4/grsecurity/grsec_sock.c
41285 --- linux-2.6.35.4/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
41286 +++ linux-2.6.35.4/grsecurity/grsec_sock.c 2010-09-17 20:12:37.000000000 -0400
41288 +#include <linux/kernel.h>
41289 +#include <linux/module.h>
41290 +#include <linux/sched.h>
41291 +#include <linux/file.h>
41292 +#include <linux/net.h>
41293 +#include <linux/in.h>
41294 +#include <linux/ip.h>
41295 +#include <net/sock.h>
41296 +#include <net/inet_sock.h>
41297 +#include <linux/grsecurity.h>
41298 +#include <linux/grinternal.h>
41299 +#include <linux/gracl.h>
41301 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
41302 +EXPORT_SYMBOL(gr_cap_rtnetlink);
41304 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
41305 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
41307 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
41308 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
41310 +#ifdef CONFIG_UNIX_MODULE
41311 +EXPORT_SYMBOL(gr_acl_handle_unix);
41312 +EXPORT_SYMBOL(gr_acl_handle_mknod);
41313 +EXPORT_SYMBOL(gr_handle_chroot_unix);
41314 +EXPORT_SYMBOL(gr_handle_create);
41317 +#ifdef CONFIG_GRKERNSEC
41318 +#define gr_conn_table_size 32749
41319 +struct conn_table_entry {
41320 + struct conn_table_entry *next;
41321 + struct signal_struct *sig;
41324 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
41325 +DEFINE_SPINLOCK(gr_conn_table_lock);
41327 +extern const char * gr_socktype_to_name(unsigned char type);
41328 +extern const char * gr_proto_to_name(unsigned char proto);
41330 +static __inline__ int
41331 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
41333 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
41336 +static __inline__ int
41337 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
41338 + __u16 sport, __u16 dport)
41340 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
41341 + sig->gr_sport == sport && sig->gr_dport == dport))
41347 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
41349 + struct conn_table_entry **match;
41350 + unsigned int index;
41352 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
41353 + sig->gr_sport, sig->gr_dport,
41354 + gr_conn_table_size);
41356 + newent->sig = sig;
41358 + match = &gr_conn_table[index];
41359 + newent->next = *match;
41365 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
41367 + struct conn_table_entry *match, *last = NULL;
41368 + unsigned int index;
41370 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
41371 + sig->gr_sport, sig->gr_dport,
41372 + gr_conn_table_size);
41374 + match = gr_conn_table[index];
41375 + while (match && !conn_match(match->sig,
41376 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
41377 + sig->gr_dport)) {
41379 + match = match->next;
41384 + last->next = match->next;
41386 + gr_conn_table[index] = NULL;
41393 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
41394 + __u16 sport, __u16 dport)
41396 + struct conn_table_entry *match;
41397 + unsigned int index;
41399 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
41401 + match = gr_conn_table[index];
41402 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
41403 + match = match->next;
41406 + return match->sig;
41413 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
41415 +#ifdef CONFIG_GRKERNSEC
41416 + struct signal_struct *sig = task->signal;
41417 + struct conn_table_entry *newent;
41419 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
41420 + if (newent == NULL)
41422 + /* no bh lock needed since we are called with bh disabled */
41423 + spin_lock(&gr_conn_table_lock);
41424 + gr_del_task_from_ip_table_nolock(sig);
41425 + sig->gr_saddr = inet->inet_rcv_saddr;
41426 + sig->gr_daddr = inet->inet_daddr;
41427 + sig->gr_sport = inet->inet_sport;
41428 + sig->gr_dport = inet->inet_dport;
41429 + gr_add_to_task_ip_table_nolock(sig, newent);
41430 + spin_unlock(&gr_conn_table_lock);
41435 +void gr_del_task_from_ip_table(struct task_struct *task)
41437 +#ifdef CONFIG_GRKERNSEC
41438 + spin_lock_bh(&gr_conn_table_lock);
41439 + gr_del_task_from_ip_table_nolock(task->signal);
41440 + spin_unlock_bh(&gr_conn_table_lock);
41446 +gr_attach_curr_ip(const struct sock *sk)
41448 +#ifdef CONFIG_GRKERNSEC
41449 + struct signal_struct *p, *set;
41450 + const struct inet_sock *inet = inet_sk(sk);
41452 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
41455 + set = current->signal;
41457 + spin_lock_bh(&gr_conn_table_lock);
41458 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
41459 + inet->inet_dport, inet->inet_sport);
41460 + if (unlikely(p != NULL)) {
41461 + set->curr_ip = p->curr_ip;
41462 + set->used_accept = 1;
41463 + gr_del_task_from_ip_table_nolock(p);
41464 + spin_unlock_bh(&gr_conn_table_lock);
41467 + spin_unlock_bh(&gr_conn_table_lock);
41469 + set->curr_ip = inet->inet_daddr;
41470 + set->used_accept = 1;
41476 +gr_handle_sock_all(const int family, const int type, const int protocol)
41478 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
41479 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
41480 + (family != AF_UNIX) && (family != AF_LOCAL)) {
41481 + gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
41489 +gr_handle_sock_server(const struct sockaddr *sck)
41491 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41492 + if (grsec_enable_socket_server &&
41493 + in_group_p(grsec_socket_server_gid) &&
41494 + sck && (sck->sa_family != AF_UNIX) &&
41495 + (sck->sa_family != AF_LOCAL)) {
41496 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
41504 +gr_handle_sock_server_other(const struct sock *sck)
41506 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41507 + if (grsec_enable_socket_server &&
41508 + in_group_p(grsec_socket_server_gid) &&
41509 + sck && (sck->sk_family != AF_UNIX) &&
41510 + (sck->sk_family != AF_LOCAL)) {
41511 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
41519 +gr_handle_sock_client(const struct sockaddr *sck)
41521 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
41522 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
41523 + sck && (sck->sa_family != AF_UNIX) &&
41524 + (sck->sa_family != AF_LOCAL)) {
41525 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
41533 +gr_cap_rtnetlink(struct sock *sock)
41535 +#ifdef CONFIG_GRKERNSEC
41536 + if (!gr_acl_is_enabled())
41537 + return current_cap();
41538 + else if (sock->sk_protocol == NETLINK_ISCSI &&
41539 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
41540 + gr_is_capable(CAP_SYS_ADMIN))
41541 + return current_cap();
41542 + else if (sock->sk_protocol == NETLINK_AUDIT &&
41543 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
41544 + gr_is_capable(CAP_AUDIT_WRITE) &&
41545 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
41546 + gr_is_capable(CAP_AUDIT_CONTROL))
41547 + return current_cap();
41548 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
41549 + ((sock->sk_protocol == NETLINK_ROUTE) ?
41550 + gr_is_capable_nolog(CAP_NET_ADMIN) :
41551 + gr_is_capable(CAP_NET_ADMIN)))
41552 + return current_cap();
41554 + return __cap_empty_set;
41556 + return current_cap();
41559 diff -urNp linux-2.6.35.4/grsecurity/grsec_sysctl.c linux-2.6.35.4/grsecurity/grsec_sysctl.c
41560 --- linux-2.6.35.4/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
41561 +++ linux-2.6.35.4/grsecurity/grsec_sysctl.c 2010-09-17 20:18:57.000000000 -0400
41563 +#include <linux/kernel.h>
41564 +#include <linux/sched.h>
41565 +#include <linux/sysctl.h>
41566 +#include <linux/grsecurity.h>
41567 +#include <linux/grinternal.h>
41570 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
41572 +#ifdef CONFIG_GRKERNSEC_SYSCTL
41573 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
41574 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
41581 +#ifdef CONFIG_GRKERNSEC_ROFS
41582 +static int __maybe_unused one = 1;
41585 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
41586 +struct ctl_table grsecurity_table[] = {
41587 +#ifdef CONFIG_GRKERNSEC_SYSCTL
41588 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
41589 +#ifdef CONFIG_GRKERNSEC_IO
41591 + .procname = "disable_priv_io",
41592 + .data = &grsec_disable_privio,
41593 + .maxlen = sizeof(int),
41595 + .proc_handler = &proc_dointvec,
41599 +#ifdef CONFIG_GRKERNSEC_LINK
41601 + .procname = "linking_restrictions",
41602 + .data = &grsec_enable_link,
41603 + .maxlen = sizeof(int),
41605 + .proc_handler = &proc_dointvec,
41608 +#ifdef CONFIG_GRKERNSEC_FIFO
41610 + .procname = "fifo_restrictions",
41611 + .data = &grsec_enable_fifo,
41612 + .maxlen = sizeof(int),
41614 + .proc_handler = &proc_dointvec,
41617 +#ifdef CONFIG_GRKERNSEC_EXECVE
41619 + .procname = "execve_limiting",
41620 + .data = &grsec_enable_execve,
41621 + .maxlen = sizeof(int),
41623 + .proc_handler = &proc_dointvec,
41626 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
41628 + .procname = "ip_blackhole",
41629 + .data = &grsec_enable_blackhole,
41630 + .maxlen = sizeof(int),
41632 + .proc_handler = &proc_dointvec,
41635 + .procname = "lastack_retries",
41636 + .data = &grsec_lastack_retries,
41637 + .maxlen = sizeof(int),
41639 + .proc_handler = &proc_dointvec,
41642 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41644 + .procname = "exec_logging",
41645 + .data = &grsec_enable_execlog,
41646 + .maxlen = sizeof(int),
41648 + .proc_handler = &proc_dointvec,
41651 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41653 + .procname = "signal_logging",
41654 + .data = &grsec_enable_signal,
41655 + .maxlen = sizeof(int),
41657 + .proc_handler = &proc_dointvec,
41660 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41662 + .procname = "forkfail_logging",
41663 + .data = &grsec_enable_forkfail,
41664 + .maxlen = sizeof(int),
41666 + .proc_handler = &proc_dointvec,
41669 +#ifdef CONFIG_GRKERNSEC_TIME
41671 + .procname = "timechange_logging",
41672 + .data = &grsec_enable_time,
41673 + .maxlen = sizeof(int),
41675 + .proc_handler = &proc_dointvec,
41678 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41680 + .procname = "chroot_deny_shmat",
41681 + .data = &grsec_enable_chroot_shmat,
41682 + .maxlen = sizeof(int),
41684 + .proc_handler = &proc_dointvec,
41687 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
41689 + .procname = "chroot_deny_unix",
41690 + .data = &grsec_enable_chroot_unix,
41691 + .maxlen = sizeof(int),
41693 + .proc_handler = &proc_dointvec,
41696 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
41698 + .procname = "chroot_deny_mount",
41699 + .data = &grsec_enable_chroot_mount,
41700 + .maxlen = sizeof(int),
41702 + .proc_handler = &proc_dointvec,
41705 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41707 + .procname = "chroot_deny_fchdir",
41708 + .data = &grsec_enable_chroot_fchdir,
41709 + .maxlen = sizeof(int),
41711 + .proc_handler = &proc_dointvec,
41714 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
41716 + .procname = "chroot_deny_chroot",
41717 + .data = &grsec_enable_chroot_double,
41718 + .maxlen = sizeof(int),
41720 + .proc_handler = &proc_dointvec,
41723 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
41725 + .procname = "chroot_deny_pivot",
41726 + .data = &grsec_enable_chroot_pivot,
41727 + .maxlen = sizeof(int),
41729 + .proc_handler = &proc_dointvec,
41732 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41734 + .procname = "chroot_enforce_chdir",
41735 + .data = &grsec_enable_chroot_chdir,
41736 + .maxlen = sizeof(int),
41738 + .proc_handler = &proc_dointvec,
41741 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41743 + .procname = "chroot_deny_chmod",
41744 + .data = &grsec_enable_chroot_chmod,
41745 + .maxlen = sizeof(int),
41747 + .proc_handler = &proc_dointvec,
41750 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41752 + .procname = "chroot_deny_mknod",
41753 + .data = &grsec_enable_chroot_mknod,
41754 + .maxlen = sizeof(int),
41756 + .proc_handler = &proc_dointvec,
41759 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41761 + .procname = "chroot_restrict_nice",
41762 + .data = &grsec_enable_chroot_nice,
41763 + .maxlen = sizeof(int),
41765 + .proc_handler = &proc_dointvec,
41768 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41770 + .procname = "chroot_execlog",
41771 + .data = &grsec_enable_chroot_execlog,
41772 + .maxlen = sizeof(int),
41774 + .proc_handler = &proc_dointvec,
41777 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41779 + .procname = "chroot_caps",
41780 + .data = &grsec_enable_chroot_caps,
41781 + .maxlen = sizeof(int),
41783 + .proc_handler = &proc_dointvec,
41786 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41788 + .procname = "chroot_deny_sysctl",
41789 + .data = &grsec_enable_chroot_sysctl,
41790 + .maxlen = sizeof(int),
41792 + .proc_handler = &proc_dointvec,
41795 +#ifdef CONFIG_GRKERNSEC_TPE
41797 + .procname = "tpe",
41798 + .data = &grsec_enable_tpe,
41799 + .maxlen = sizeof(int),
41801 + .proc_handler = &proc_dointvec,
41804 + .procname = "tpe_gid",
41805 + .data = &grsec_tpe_gid,
41806 + .maxlen = sizeof(int),
41808 + .proc_handler = &proc_dointvec,
41811 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
41813 + .procname = "tpe_invert",
41814 + .data = &grsec_enable_tpe_invert,
41815 + .maxlen = sizeof(int),
41817 + .proc_handler = &proc_dointvec,
41820 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
41822 + .procname = "tpe_restrict_all",
41823 + .data = &grsec_enable_tpe_all,
41824 + .maxlen = sizeof(int),
41826 + .proc_handler = &proc_dointvec,
41829 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
41831 + .procname = "socket_all",
41832 + .data = &grsec_enable_socket_all,
41833 + .maxlen = sizeof(int),
41835 + .proc_handler = &proc_dointvec,
41838 + .procname = "socket_all_gid",
41839 + .data = &grsec_socket_all_gid,
41840 + .maxlen = sizeof(int),
41842 + .proc_handler = &proc_dointvec,
41845 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
41847 + .procname = "socket_client",
41848 + .data = &grsec_enable_socket_client,
41849 + .maxlen = sizeof(int),
41851 + .proc_handler = &proc_dointvec,
41854 + .procname = "socket_client_gid",
41855 + .data = &grsec_socket_client_gid,
41856 + .maxlen = sizeof(int),
41858 + .proc_handler = &proc_dointvec,
41861 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41863 + .procname = "socket_server",
41864 + .data = &grsec_enable_socket_server,
41865 + .maxlen = sizeof(int),
41867 + .proc_handler = &proc_dointvec,
41870 + .procname = "socket_server_gid",
41871 + .data = &grsec_socket_server_gid,
41872 + .maxlen = sizeof(int),
41874 + .proc_handler = &proc_dointvec,
41877 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
41879 + .procname = "audit_group",
41880 + .data = &grsec_enable_group,
41881 + .maxlen = sizeof(int),
41883 + .proc_handler = &proc_dointvec,
41886 + .procname = "audit_gid",
41887 + .data = &grsec_audit_gid,
41888 + .maxlen = sizeof(int),
41890 + .proc_handler = &proc_dointvec,
41893 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
41895 + .procname = "audit_chdir",
41896 + .data = &grsec_enable_chdir,
41897 + .maxlen = sizeof(int),
41899 + .proc_handler = &proc_dointvec,
41902 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41904 + .procname = "audit_mount",
41905 + .data = &grsec_enable_mount,
41906 + .maxlen = sizeof(int),
41908 + .proc_handler = &proc_dointvec,
41911 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
41913 + .procname = "audit_textrel",
41914 + .data = &grsec_enable_audit_textrel,
41915 + .maxlen = sizeof(int),
41917 + .proc_handler = &proc_dointvec,
41920 +#ifdef CONFIG_GRKERNSEC_DMESG
41922 + .procname = "dmesg",
41923 + .data = &grsec_enable_dmesg,
41924 + .maxlen = sizeof(int),
41926 + .proc_handler = &proc_dointvec,
41929 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
41931 + .procname = "chroot_findtask",
41932 + .data = &grsec_enable_chroot_findtask,
41933 + .maxlen = sizeof(int),
41935 + .proc_handler = &proc_dointvec,
41938 +#ifdef CONFIG_GRKERNSEC_RESLOG
41940 + .procname = "resource_logging",
41941 + .data = &grsec_resource_logging,
41942 + .maxlen = sizeof(int),
41944 + .proc_handler = &proc_dointvec,
41947 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
41949 + .procname = "audit_ptrace",
41950 + .data = &grsec_enable_audit_ptrace,
41951 + .maxlen = sizeof(int),
41953 + .proc_handler = &proc_dointvec,
41956 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
41958 + .procname = "harden_ptrace",
41959 + .data = &grsec_enable_harden_ptrace,
41960 + .maxlen = sizeof(int),
41962 + .proc_handler = &proc_dointvec,
41966 + .procname = "grsec_lock",
41967 + .data = &grsec_lock,
41968 + .maxlen = sizeof(int),
41970 + .proc_handler = &proc_dointvec,
41973 +#ifdef CONFIG_GRKERNSEC_ROFS
41975 + .procname = "romount_protect",
41976 + .data = &grsec_enable_rofs,
41977 + .maxlen = sizeof(int),
41979 + .proc_handler = &proc_dointvec_minmax,
41987 diff -urNp linux-2.6.35.4/grsecurity/grsec_textrel.c linux-2.6.35.4/grsecurity/grsec_textrel.c
41988 --- linux-2.6.35.4/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
41989 +++ linux-2.6.35.4/grsecurity/grsec_textrel.c 2010-09-17 20:12:37.000000000 -0400
41991 +#include <linux/kernel.h>
41992 +#include <linux/sched.h>
41993 +#include <linux/mm.h>
41994 +#include <linux/file.h>
41995 +#include <linux/grinternal.h>
41996 +#include <linux/grsecurity.h>
41999 +gr_log_textrel(struct vm_area_struct * vma)
42001 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42002 + if (grsec_enable_audit_textrel)
42003 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
42007 diff -urNp linux-2.6.35.4/grsecurity/grsec_time.c linux-2.6.35.4/grsecurity/grsec_time.c
42008 --- linux-2.6.35.4/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
42009 +++ linux-2.6.35.4/grsecurity/grsec_time.c 2010-09-17 20:12:37.000000000 -0400
42011 +#include <linux/kernel.h>
42012 +#include <linux/sched.h>
42013 +#include <linux/grinternal.h>
42016 +gr_log_timechange(void)
42018 +#ifdef CONFIG_GRKERNSEC_TIME
42019 + if (grsec_enable_time)
42020 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
42024 diff -urNp linux-2.6.35.4/grsecurity/grsec_tpe.c linux-2.6.35.4/grsecurity/grsec_tpe.c
42025 --- linux-2.6.35.4/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
42026 +++ linux-2.6.35.4/grsecurity/grsec_tpe.c 2010-09-17 20:12:37.000000000 -0400
42028 +#include <linux/kernel.h>
42029 +#include <linux/sched.h>
42030 +#include <linux/file.h>
42031 +#include <linux/fs.h>
42032 +#include <linux/grinternal.h>
42034 +extern int gr_acl_tpe_check(void);
42037 +gr_tpe_allow(const struct file *file)
42039 +#ifdef CONFIG_GRKERNSEC
42040 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
42041 + const struct cred *cred = current_cred();
42043 + if (cred->uid && ((grsec_enable_tpe &&
42044 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
42045 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
42046 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
42048 + in_group_p(grsec_tpe_gid)
42050 + ) || gr_acl_tpe_check()) &&
42051 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
42052 + (inode->i_mode & S_IWOTH))))) {
42053 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
42056 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
42057 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
42058 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
42059 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
42060 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
42067 diff -urNp linux-2.6.35.4/grsecurity/grsum.c linux-2.6.35.4/grsecurity/grsum.c
42068 --- linux-2.6.35.4/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
42069 +++ linux-2.6.35.4/grsecurity/grsum.c 2010-09-17 20:12:37.000000000 -0400
42071 +#include <linux/err.h>
42072 +#include <linux/kernel.h>
42073 +#include <linux/sched.h>
42074 +#include <linux/mm.h>
42075 +#include <linux/scatterlist.h>
42076 +#include <linux/crypto.h>
42077 +#include <linux/gracl.h>
42080 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
42081 +#error "crypto and sha256 must be built into the kernel"
42085 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
42088 + struct crypto_hash *tfm;
42089 + struct hash_desc desc;
42090 + struct scatterlist sg;
42091 + unsigned char temp_sum[GR_SHA_LEN];
42092 + volatile int retval = 0;
42093 + volatile int dummy = 0;
42096 + sg_init_table(&sg, 1);
42098 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
42099 + if (IS_ERR(tfm)) {
42100 + /* should never happen, since sha256 should be built in */
42107 + crypto_hash_init(&desc);
42110 + sg_set_buf(&sg, p, GR_SALT_LEN);
42111 + crypto_hash_update(&desc, &sg, sg.length);
42114 + sg_set_buf(&sg, p, strlen(p));
42116 + crypto_hash_update(&desc, &sg, sg.length);
42118 + crypto_hash_final(&desc, temp_sum);
42120 + memset(entry->pw, 0, GR_PW_LEN);
42122 + for (i = 0; i < GR_SHA_LEN; i++)
42123 + if (sum[i] != temp_sum[i])
42126 + dummy = 1; // waste a cycle
42128 + crypto_free_hash(tfm);
42132 diff -urNp linux-2.6.35.4/grsecurity/Kconfig linux-2.6.35.4/grsecurity/Kconfig
42133 --- linux-2.6.35.4/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
42134 +++ linux-2.6.35.4/grsecurity/Kconfig 2010-09-17 20:12:37.000000000 -0400
42137 +# grecurity configuration
42143 + bool "Grsecurity"
42145 + select CRYPTO_SHA256
42147 + If you say Y here, you will be able to configure many features
42148 + that will enhance the security of your system. It is highly
42149 + recommended that you say Y here and read through the help
42150 + for each option so that you fully understand the features and
42151 + can evaluate their usefulness for your machine.
42154 + prompt "Security Level"
42155 + depends on GRKERNSEC
42156 + default GRKERNSEC_CUSTOM
42158 +config GRKERNSEC_LOW
42160 + select GRKERNSEC_LINK
42161 + select GRKERNSEC_FIFO
42162 + select GRKERNSEC_EXECVE
42163 + select GRKERNSEC_RANDNET
42164 + select GRKERNSEC_DMESG
42165 + select GRKERNSEC_CHROOT
42166 + select GRKERNSEC_CHROOT_CHDIR
42169 + If you choose this option, several of the grsecurity options will
42170 + be enabled that will give you greater protection against a number
42171 + of attacks, while assuring that none of your software will have any
42172 + conflicts with the additional security measures. If you run a lot
42173 + of unusual software, or you are having problems with the higher
42174 + security levels, you should say Y here. With this option, the
42175 + following features are enabled:
42177 + - Linking restrictions
42178 + - FIFO restrictions
42179 + - Enforcing RLIMIT_NPROC on execve
42180 + - Restricted dmesg
42181 + - Enforced chdir("/") on chroot
42182 + - Runtime module disabling
42184 +config GRKERNSEC_MEDIUM
42187 + select PAX_EI_PAX
42188 + select PAX_PT_PAX_FLAGS
42189 + select PAX_HAVE_ACL_FLAGS
42190 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
42191 + select GRKERNSEC_CHROOT
42192 + select GRKERNSEC_CHROOT_SYSCTL
42193 + select GRKERNSEC_LINK
42194 + select GRKERNSEC_FIFO
42195 + select GRKERNSEC_EXECVE
42196 + select GRKERNSEC_DMESG
42197 + select GRKERNSEC_RANDNET
42198 + select GRKERNSEC_FORKFAIL
42199 + select GRKERNSEC_TIME
42200 + select GRKERNSEC_SIGNAL
42201 + select GRKERNSEC_CHROOT
42202 + select GRKERNSEC_CHROOT_UNIX
42203 + select GRKERNSEC_CHROOT_MOUNT
42204 + select GRKERNSEC_CHROOT_PIVOT
42205 + select GRKERNSEC_CHROOT_DOUBLE
42206 + select GRKERNSEC_CHROOT_CHDIR
42207 + select GRKERNSEC_CHROOT_MKNOD
42208 + select GRKERNSEC_PROC
42209 + select GRKERNSEC_PROC_USERGROUP
42210 + select PAX_RANDUSTACK
42212 + select PAX_RANDMMAP
42213 + select PAX_REFCOUNT if (X86 || SPARC64)
42214 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
42217 + If you say Y here, several features in addition to those included
42218 + in the low additional security level will be enabled. These
42219 + features provide even more security to your system, though in rare
42220 + cases they may be incompatible with very old or poorly written
42221 + software. If you enable this option, make sure that your auth
42222 + service (identd) is running as gid 1001. With this option,
42223 + the following features (in addition to those provided in the
42224 + low additional security level) will be enabled:
42226 + - Failed fork logging
42227 + - Time change logging
42229 + - Deny mounts in chroot
42230 + - Deny double chrooting
42231 + - Deny sysctl writes in chroot
42232 + - Deny mknod in chroot
42233 + - Deny access to abstract AF_UNIX sockets out of chroot
42234 + - Deny pivot_root in chroot
42235 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
42236 + - /proc restrictions with special GID set to 10 (usually wheel)
42237 + - Address Space Layout Randomization (ASLR)
42238 + - Prevent exploitation of most refcount overflows
42239 + - Bounds checking of copying between the kernel and userland
42241 +config GRKERNSEC_HIGH
42243 + select GRKERNSEC_LINK
42244 + select GRKERNSEC_FIFO
42245 + select GRKERNSEC_EXECVE
42246 + select GRKERNSEC_DMESG
42247 + select GRKERNSEC_FORKFAIL
42248 + select GRKERNSEC_TIME
42249 + select GRKERNSEC_SIGNAL
42250 + select GRKERNSEC_CHROOT
42251 + select GRKERNSEC_CHROOT_SHMAT
42252 + select GRKERNSEC_CHROOT_UNIX
42253 + select GRKERNSEC_CHROOT_MOUNT
42254 + select GRKERNSEC_CHROOT_FCHDIR
42255 + select GRKERNSEC_CHROOT_PIVOT
42256 + select GRKERNSEC_CHROOT_DOUBLE
42257 + select GRKERNSEC_CHROOT_CHDIR
42258 + select GRKERNSEC_CHROOT_MKNOD
42259 + select GRKERNSEC_CHROOT_CAPS
42260 + select GRKERNSEC_CHROOT_SYSCTL
42261 + select GRKERNSEC_CHROOT_FINDTASK
42262 + select GRKERNSEC_PROC
42263 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
42264 + select GRKERNSEC_HIDESYM
42265 + select GRKERNSEC_BRUTE
42266 + select GRKERNSEC_PROC_USERGROUP
42267 + select GRKERNSEC_KMEM
42268 + select GRKERNSEC_RESLOG
42269 + select GRKERNSEC_RANDNET
42270 + select GRKERNSEC_PROC_ADD
42271 + select GRKERNSEC_CHROOT_CHMOD
42272 + select GRKERNSEC_CHROOT_NICE
42273 + select GRKERNSEC_AUDIT_MOUNT
42274 + select GRKERNSEC_MODHARDEN if (MODULES)
42275 + select GRKERNSEC_HARDEN_PTRACE
42276 + select GRKERNSEC_VM86 if (X86_32)
42278 + select PAX_RANDUSTACK
42280 + select PAX_RANDMMAP
42281 + select PAX_NOEXEC
42282 + select PAX_MPROTECT
42283 + select PAX_EI_PAX
42284 + select PAX_PT_PAX_FLAGS
42285 + select PAX_HAVE_ACL_FLAGS
42286 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
42287 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
42288 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
42289 + select PAX_SEGMEXEC if (X86_32)
42290 + select PAX_PAGEEXEC
42291 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
42292 + select PAX_EMUTRAMP if (PARISC)
42293 + select PAX_EMUSIGRT if (PARISC)
42294 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
42295 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
42296 + select PAX_REFCOUNT if (X86 || SPARC64)
42297 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
42299 + If you say Y here, many of the features of grsecurity will be
42300 + enabled, which will protect you against many kinds of attacks
42301 + against your system. The heightened security comes at a cost
42302 + of an increased chance of incompatibilities with rare software
42303 + on your machine. Since this security level enables PaX, you should
42304 + view <http://pax.grsecurity.net> and read about the PaX
42305 + project. While you are there, download chpax and run it on
42306 + binaries that cause problems with PaX. Also remember that
42307 + since the /proc restrictions are enabled, you must run your
42308 + identd as gid 1001. This security level enables the following
42309 + features in addition to those listed in the low and medium
42312 + - Additional /proc restrictions
42313 + - Chmod restrictions in chroot
42314 + - No signals, ptrace, or viewing of processes outside of chroot
42315 + - Capability restrictions in chroot
42316 + - Deny fchdir out of chroot
42317 + - Priority restrictions in chroot
42318 + - Segmentation-based implementation of PaX
42319 + - Mprotect restrictions
42320 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
42321 + - Kernel stack randomization
42322 + - Mount/unmount/remount logging
42323 + - Kernel symbol hiding
42324 + - Prevention of memory exhaustion-based exploits
42325 + - Hardening of module auto-loading
42326 + - Ptrace restrictions
42327 + - Restricted vm86 mode
42329 +config GRKERNSEC_CUSTOM
42332 + If you say Y here, you will be able to configure every grsecurity
42333 + option, which allows you to enable many more features that aren't
42334 + covered in the basic security levels. These additional features
42335 + include TPE, socket restrictions, and the sysctl system for
42336 + grsecurity. It is advised that you read through the help for
42337 + each option to determine its usefulness in your situation.
42341 +menu "Address Space Protection"
42342 +depends on GRKERNSEC
42344 +config GRKERNSEC_KMEM
42345 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
42347 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
42348 + be written to via mmap or otherwise to modify the running kernel.
42349 + /dev/port will also not be allowed to be opened. If you have module
42350 + support disabled, enabling this will close up four ways that are
42351 + currently used to insert malicious code into the running kernel.
42352 + Even with all these features enabled, we still highly recommend that
42353 + you use the RBAC system, as it is still possible for an attacker to
42354 + modify the running kernel through privileged I/O granted by ioperm/iopl.
42355 + If you are not using XFree86, you may be able to stop this additional
42356 + case by enabling the 'Disable privileged I/O' option. Though nothing
42357 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
42358 + but only to video memory, which is the only writing we allow in this
42359 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
42360 + not be allowed to mprotect it with PROT_WRITE later.
42361 + It is highly recommended that you say Y here if you meet all the
42362 + conditions above.
42364 +config GRKERNSEC_VM86
42365 + bool "Restrict VM86 mode"
42366 + depends on X86_32
42369 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
42370 + make use of a special execution mode on 32bit x86 processors called
42371 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
42372 + video cards and will still work with this option enabled. The purpose
42373 + of the option is to prevent exploitation of emulation errors in
42374 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
42375 + Nearly all users should be able to enable this option.
42377 +config GRKERNSEC_IO
42378 + bool "Disable privileged I/O"
42381 + select RTC_INTF_DEV
42382 + select RTC_DRV_CMOS
42385 + If you say Y here, all ioperm and iopl calls will return an error.
42386 + Ioperm and iopl can be used to modify the running kernel.
42387 + Unfortunately, some programs need this access to operate properly,
42388 + the most notable of which are XFree86 and hwclock. hwclock can be
42389 + remedied by having RTC support in the kernel, so real-time
42390 + clock support is enabled if this option is enabled, to ensure
42391 + that hwclock operates correctly. XFree86 still will not
42392 + operate correctly with this option enabled, so DO NOT CHOOSE Y
42393 + IF YOU USE XFree86. If you use XFree86 and you still want to
42394 + protect your kernel against modification, use the RBAC system.
42396 +config GRKERNSEC_PROC_MEMMAP
42397 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
42398 + default y if (PAX_NOEXEC || PAX_ASLR)
42399 + depends on PAX_NOEXEC || PAX_ASLR
42401 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
42402 + give no information about the addresses of its mappings if
42403 + PaX features that rely on random addresses are enabled on the task.
42404 + If you use PaX it is greatly recommended that you say Y here as it
42405 + closes up a hole that makes the full ASLR useless for suid
42408 +config GRKERNSEC_BRUTE
42409 + bool "Deter exploit bruteforcing"
42411 + If you say Y here, attempts to bruteforce exploits against forking
42412 + daemons such as apache or sshd will be deterred. When a child of a
42413 + forking daemon is killed by PaX or crashes due to an illegal
42414 + instruction, the parent process will be delayed 30 seconds upon every
42415 + subsequent fork until the administrator is able to assess the
42416 + situation and restart the daemon. It is recommended that you also
42417 + enable signal logging in the auditing section so that logs are
42418 + generated when a process performs an illegal instruction.
42420 +config GRKERNSEC_MODHARDEN
42421 + bool "Harden module auto-loading"
42422 + depends on MODULES
42424 + If you say Y here, module auto-loading in response to use of some
42425 + feature implemented by an unloaded module will be restricted to
42426 + root users. Enabling this option helps defend against attacks
42427 + by unprivileged users who abuse the auto-loading behavior to
42428 + cause a vulnerable module to load that is then exploited.
42430 + If this option prevents a legitimate use of auto-loading for a
42431 + non-root user, the administrator can execute modprobe manually
42432 + with the exact name of the module mentioned in the alert log.
42433 + Alternatively, the administrator can add the module to the list
42434 + of modules loaded at boot by modifying init scripts.
42436 + Modification of init scripts will most likely be needed on
42437 + Ubuntu servers with encrypted home directory support enabled,
42438 + as the first non-root user logging in will cause the ecb(aes),
42439 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
42441 +config GRKERNSEC_HIDESYM
42442 + bool "Hide kernel symbols"
42444 + If you say Y here, getting information on loaded modules, and
42445 + displaying all kernel symbols through a syscall will be restricted
42446 + to users with CAP_SYS_MODULE. For software compatibility reasons,
42447 + /proc/kallsyms will be restricted to the root user. The RBAC
42448 + system can hide that entry even from root.
42450 + This option also prevents leaking of kernel addresses through
42451 + several /proc entries.
42453 + Note that this option is only effective provided the following
42454 + conditions are met:
42455 + 1) The kernel using grsecurity is not precompiled by some distribution
42456 + 2) You are using the RBAC system and hiding other files such as your
42457 + kernel image and System.map. Alternatively, enabling this option
42458 + causes the permissions on /boot, /lib/modules, and the kernel
42459 + source directory to change at compile time to prevent
42460 + reading by non-root users.
42461 + If the above conditions are met, this option will aid in providing a
42462 + useful protection against local kernel exploitation of overflows
42463 + and arbitrary read/write vulnerabilities.
42466 +menu "Role Based Access Control Options"
42467 +depends on GRKERNSEC
42469 +config GRKERNSEC_NO_RBAC
42470 + bool "Disable RBAC system"
42472 + If you say Y here, the /dev/grsec device will be removed from the kernel,
42473 + preventing the RBAC system from being enabled. You should only say Y
42474 + here if you have no intention of using the RBAC system, so as to prevent
42475 + an attacker with root access from misusing the RBAC system to hide files
42476 + and processes when loadable module support and /dev/[k]mem have been
42479 +config GRKERNSEC_ACL_HIDEKERN
42480 + bool "Hide kernel processes"
42482 + If you say Y here, all kernel threads will be hidden to all
42483 + processes but those whose subject has the "view hidden processes"
42486 +config GRKERNSEC_ACL_MAXTRIES
42487 + int "Maximum tries before password lockout"
42490 + This option enforces the maximum number of times a user can attempt
42491 + to authorize themselves with the grsecurity RBAC system before being
42492 + denied the ability to attempt authorization again for a specified time.
42493 + The lower the number, the harder it will be to brute-force a password.
42495 +config GRKERNSEC_ACL_TIMEOUT
42496 + int "Time to wait after max password tries, in seconds"
42499 + This option specifies the time the user must wait after attempting to
42500 + authorize to the RBAC system with the maximum number of invalid
42501 + passwords. The higher the number, the harder it will be to brute-force
42505 +menu "Filesystem Protections"
42506 +depends on GRKERNSEC
42508 +config GRKERNSEC_PROC
42509 + bool "Proc restrictions"
42511 + If you say Y here, the permissions of the /proc filesystem
42512 + will be altered to enhance system security and privacy. You MUST
42513 + choose either a user only restriction or a user and group restriction.
42514 + Depending upon the option you choose, you can either restrict users to
42515 + see only the processes they themselves run, or choose a group that can
42516 + view all processes and files normally restricted to root if you choose
42517 + the "restrict to user only" option. NOTE: If you're running identd as
42518 + a non-root user, you will have to run it as the group you specify here.
42520 +config GRKERNSEC_PROC_USER
42521 + bool "Restrict /proc to user only"
42522 + depends on GRKERNSEC_PROC
42524 + If you say Y here, non-root users will only be able to view their own
42525 + processes, and restricts them from viewing network-related information,
42526 + and viewing kernel symbol and module information.
42528 +config GRKERNSEC_PROC_USERGROUP
42529 + bool "Allow special group"
42530 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
42532 + If you say Y here, you will be able to select a group that will be
42533 + able to view all processes, network-related information, and
42534 + kernel and symbol information. This option is useful if you want
42535 + to run identd as a non-root user.
42537 +config GRKERNSEC_PROC_GID
42538 + int "GID for special group"
42539 + depends on GRKERNSEC_PROC_USERGROUP
42542 +config GRKERNSEC_PROC_ADD
42543 + bool "Additional restrictions"
42544 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
42546 + If you say Y here, additional restrictions will be placed on
42547 + /proc that keep normal users from viewing device information and
42548 + slabinfo information that could be useful for exploits.
42550 +config GRKERNSEC_LINK
42551 + bool "Linking restrictions"
42553 + If you say Y here, /tmp race exploits will be prevented, since users
42554 + will no longer be able to follow symlinks owned by other users in
42555 + world-writable +t directories (i.e. /tmp), unless the owner of the
42556 + symlink is the owner of the directory. users will also not be
42557 + able to hardlink to files they do not own. If the sysctl option is
42558 + enabled, a sysctl option with name "linking_restrictions" is created.
42560 +config GRKERNSEC_FIFO
42561 + bool "FIFO restrictions"
42563 + If you say Y here, users will not be able to write to FIFOs they don't
42564 + own in world-writable +t directories (i.e. /tmp), unless the owner of
42565 + the FIFO is the same owner of the directory it's held in. If the sysctl
42566 + option is enabled, a sysctl option with name "fifo_restrictions" is
42569 +config GRKERNSEC_ROFS
42570 + bool "Runtime read-only mount protection"
42572 + If you say Y here, a sysctl option with name "romount_protect" will
42573 + be created. By setting this option to 1 at runtime, filesystems
42574 + will be protected in the following ways:
42575 + * No new writable mounts will be allowed
42576 + * Existing read-only mounts won't be able to be remounted read/write
42577 + * Write operations will be denied on all block devices
42578 + This option acts independently of grsec_lock: once it is set to 1,
42579 + it cannot be turned off. Therefore, please be mindful of the resulting
42580 + behavior if this option is enabled in an init script on a read-only
42581 + filesystem. This feature is mainly intended for secure embedded systems.
42583 +config GRKERNSEC_CHROOT
42584 + bool "Chroot jail restrictions"
42586 + If you say Y here, you will be able to choose several options that will
42587 + make breaking out of a chrooted jail much more difficult. If you
42588 + encounter no software incompatibilities with the following options, it
42589 + is recommended that you enable each one.
42591 +config GRKERNSEC_CHROOT_MOUNT
42592 + bool "Deny mounts"
42593 + depends on GRKERNSEC_CHROOT
42595 + If you say Y here, processes inside a chroot will not be able to
42596 + mount or remount filesystems. If the sysctl option is enabled, a
42597 + sysctl option with name "chroot_deny_mount" is created.
42599 +config GRKERNSEC_CHROOT_DOUBLE
42600 + bool "Deny double-chroots"
42601 + depends on GRKERNSEC_CHROOT
42603 + If you say Y here, processes inside a chroot will not be able to chroot
42604 + again outside the chroot. This is a widely used method of breaking
42605 + out of a chroot jail and should not be allowed. If the sysctl
42606 + option is enabled, a sysctl option with name
42607 + "chroot_deny_chroot" is created.
42609 +config GRKERNSEC_CHROOT_PIVOT
42610 + bool "Deny pivot_root in chroot"
42611 + depends on GRKERNSEC_CHROOT
42613 + If you say Y here, processes inside a chroot will not be able to use
42614 + a function called pivot_root() that was introduced in Linux 2.3.41. It
42615 + works similar to chroot in that it changes the root filesystem. This
42616 + function could be misused in a chrooted process to attempt to break out
42617 + of the chroot, and therefore should not be allowed. If the sysctl
42618 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
42621 +config GRKERNSEC_CHROOT_CHDIR
42622 + bool "Enforce chdir(\"/\") on all chroots"
42623 + depends on GRKERNSEC_CHROOT
42625 + If you say Y here, the current working directory of all newly-chrooted
42626 + applications will be set to the the root directory of the chroot.
42627 + The man page on chroot(2) states:
42628 + Note that this call does not change the current working
42629 + directory, so that `.' can be outside the tree rooted at
42630 + `/'. In particular, the super-user can escape from a
42631 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
42633 + It is recommended that you say Y here, since it's not known to break
42634 + any software. If the sysctl option is enabled, a sysctl option with
42635 + name "chroot_enforce_chdir" is created.
42637 +config GRKERNSEC_CHROOT_CHMOD
42638 + bool "Deny (f)chmod +s"
42639 + depends on GRKERNSEC_CHROOT
42641 + If you say Y here, processes inside a chroot will not be able to chmod
42642 + or fchmod files to make them have suid or sgid bits. This protects
42643 + against another published method of breaking a chroot. If the sysctl
42644 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
42647 +config GRKERNSEC_CHROOT_FCHDIR
42648 + bool "Deny fchdir out of chroot"
42649 + depends on GRKERNSEC_CHROOT
42651 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
42652 + to a file descriptor of the chrooting process that points to a directory
42653 + outside the filesystem will be stopped. If the sysctl option
42654 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
42656 +config GRKERNSEC_CHROOT_MKNOD
42657 + bool "Deny mknod"
42658 + depends on GRKERNSEC_CHROOT
42660 + If you say Y here, processes inside a chroot will not be allowed to
42661 + mknod. The problem with using mknod inside a chroot is that it
42662 + would allow an attacker to create a device entry that is the same
42663 + as one on the physical root of your system, which could range from
42664 + anything from the console device to a device for your harddrive (which
42665 + they could then use to wipe the drive or steal data). It is recommended
42666 + that you say Y here, unless you run into software incompatibilities.
42667 + If the sysctl option is enabled, a sysctl option with name
42668 + "chroot_deny_mknod" is created.
42670 +config GRKERNSEC_CHROOT_SHMAT
42671 + bool "Deny shmat() out of chroot"
42672 + depends on GRKERNSEC_CHROOT
42674 + If you say Y here, processes inside a chroot will not be able to attach
42675 + to shared memory segments that were created outside of the chroot jail.
42676 + It is recommended that you say Y here. If the sysctl option is enabled,
42677 + a sysctl option with name "chroot_deny_shmat" is created.
42679 +config GRKERNSEC_CHROOT_UNIX
42680 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
42681 + depends on GRKERNSEC_CHROOT
42683 + If you say Y here, processes inside a chroot will not be able to
42684 + connect to abstract (meaning not belonging to a filesystem) Unix
42685 + domain sockets that were bound outside of a chroot. It is recommended
42686 + that you say Y here. If the sysctl option is enabled, a sysctl option
42687 + with name "chroot_deny_unix" is created.
42689 +config GRKERNSEC_CHROOT_FINDTASK
42690 + bool "Protect outside processes"
42691 + depends on GRKERNSEC_CHROOT
42693 + If you say Y here, processes inside a chroot will not be able to
42694 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
42695 + getsid, or view any process outside of the chroot. If the sysctl
42696 + option is enabled, a sysctl option with name "chroot_findtask" is
42699 +config GRKERNSEC_CHROOT_NICE
42700 + bool "Restrict priority changes"
42701 + depends on GRKERNSEC_CHROOT
42703 + If you say Y here, processes inside a chroot will not be able to raise
42704 + the priority of processes in the chroot, or alter the priority of
42705 + processes outside the chroot. This provides more security than simply
42706 + removing CAP_SYS_NICE from the process' capability set. If the
42707 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
42710 +config GRKERNSEC_CHROOT_SYSCTL
42711 + bool "Deny sysctl writes"
42712 + depends on GRKERNSEC_CHROOT
42714 + If you say Y here, an attacker in a chroot will not be able to
42715 + write to sysctl entries, either by sysctl(2) or through a /proc
42716 + interface. It is strongly recommended that you say Y here. If the
42717 + sysctl option is enabled, a sysctl option with name
42718 + "chroot_deny_sysctl" is created.
42720 +config GRKERNSEC_CHROOT_CAPS
42721 + bool "Capability restrictions"
42722 + depends on GRKERNSEC_CHROOT
42724 + If you say Y here, the capabilities on all root processes within a
42725 + chroot jail will be lowered to stop module insertion, raw i/o,
42726 + system and net admin tasks, rebooting the system, modifying immutable
42727 + files, modifying IPC owned by another, and changing the system time.
42728 + This is left an option because it can break some apps. Disable this
42729 + if your chrooted apps are having problems performing those kinds of
42730 + tasks. If the sysctl option is enabled, a sysctl option with
42731 + name "chroot_caps" is created.
42734 +menu "Kernel Auditing"
42735 +depends on GRKERNSEC
42737 +config GRKERNSEC_AUDIT_GROUP
42738 + bool "Single group for auditing"
42740 + If you say Y here, the exec, chdir, and (un)mount logging features
42741 + will only operate on a group you specify. This option is recommended
42742 + if you only want to watch certain users instead of having a large
42743 + amount of logs from the entire system. If the sysctl option is enabled,
42744 + a sysctl option with name "audit_group" is created.
42746 +config GRKERNSEC_AUDIT_GID
42747 + int "GID for auditing"
42748 + depends on GRKERNSEC_AUDIT_GROUP
42751 +config GRKERNSEC_EXECLOG
42752 + bool "Exec logging"
42754 + If you say Y here, all execve() calls will be logged (since the
42755 + other exec*() calls are frontends to execve(), all execution
42756 + will be logged). Useful for shell-servers that like to keep track
42757 + of their users. If the sysctl option is enabled, a sysctl option with
42758 + name "exec_logging" is created.
42759 + WARNING: This option when enabled will produce a LOT of logs, especially
42760 + on an active system.
42762 +config GRKERNSEC_RESLOG
42763 + bool "Resource logging"
42765 + If you say Y here, all attempts to overstep resource limits will
42766 + be logged with the resource name, the requested size, and the current
42767 + limit. It is highly recommended that you say Y here. If the sysctl
42768 + option is enabled, a sysctl option with name "resource_logging" is
42769 + created. If the RBAC system is enabled, the sysctl value is ignored.
42771 +config GRKERNSEC_CHROOT_EXECLOG
42772 + bool "Log execs within chroot"
42774 + If you say Y here, all executions inside a chroot jail will be logged
42775 + to syslog. This can cause a large amount of logs if certain
42776 + applications (eg. djb's daemontools) are installed on the system, and
42777 + is therefore left as an option. If the sysctl option is enabled, a
42778 + sysctl option with name "chroot_execlog" is created.
42780 +config GRKERNSEC_AUDIT_PTRACE
42781 + bool "Ptrace logging"
42783 + If you say Y here, all attempts to attach to a process via ptrace
42784 + will be logged. If the sysctl option is enabled, a sysctl option
42785 + with name "audit_ptrace" is created.
42787 +config GRKERNSEC_AUDIT_CHDIR
42788 + bool "Chdir logging"
42790 + If you say Y here, all chdir() calls will be logged. If the sysctl
42791 + option is enabled, a sysctl option with name "audit_chdir" is created.
42793 +config GRKERNSEC_AUDIT_MOUNT
42794 + bool "(Un)Mount logging"
42796 + If you say Y here, all mounts and unmounts will be logged. If the
42797 + sysctl option is enabled, a sysctl option with name "audit_mount" is
42800 +config GRKERNSEC_SIGNAL
42801 + bool "Signal logging"
42803 + If you say Y here, certain important signals will be logged, such as
42804 + SIGSEGV, which will as a result inform you of when a error in a program
42805 + occurred, which in some cases could mean a possible exploit attempt.
42806 + If the sysctl option is enabled, a sysctl option with name
42807 + "signal_logging" is created.
42809 +config GRKERNSEC_FORKFAIL
42810 + bool "Fork failure logging"
42812 + If you say Y here, all failed fork() attempts will be logged.
42813 + This could suggest a fork bomb, or someone attempting to overstep
42814 + their process limit. If the sysctl option is enabled, a sysctl option
42815 + with name "forkfail_logging" is created.
42817 +config GRKERNSEC_TIME
42818 + bool "Time change logging"
42820 + If you say Y here, any changes of the system clock will be logged.
42821 + If the sysctl option is enabled, a sysctl option with name
42822 + "timechange_logging" is created.
42824 +config GRKERNSEC_PROC_IPADDR
42825 + bool "/proc/<pid>/ipaddr support"
42827 + If you say Y here, a new entry will be added to each /proc/<pid>
42828 + directory that contains the IP address of the person using the task.
42829 + The IP is carried across local TCP and AF_UNIX stream sockets.
42830 + This information can be useful for IDS/IPSes to perform remote response
42831 + to a local attack. The entry is readable by only the owner of the
42832 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
42833 + the RBAC system), and thus does not create privacy concerns.
42835 +config GRKERNSEC_AUDIT_TEXTREL
42836 + bool 'ELF text relocations logging (READ HELP)'
42837 + depends on PAX_MPROTECT
42839 + If you say Y here, text relocations will be logged with the filename
42840 + of the offending library or binary. The purpose of the feature is
42841 + to help Linux distribution developers get rid of libraries and
42842 + binaries that need text relocations which hinder the future progress
42843 + of PaX. Only Linux distribution developers should say Y here, and
42844 + never on a production machine, as this option creates an information
42845 + leak that could aid an attacker in defeating the randomization of
42846 + a single memory region. If the sysctl option is enabled, a sysctl
42847 + option with name "audit_textrel" is created.
42851 +menu "Executable Protections"
42852 +depends on GRKERNSEC
42854 +config GRKERNSEC_EXECVE
42855 + bool "Enforce RLIMIT_NPROC on execs"
42857 + If you say Y here, users with a resource limit on processes will
42858 + have the value checked during execve() calls. The current system
42859 + only checks the system limit during fork() calls. If the sysctl option
42860 + is enabled, a sysctl option with name "execve_limiting" is created.
42862 +config GRKERNSEC_DMESG
42863 + bool "Dmesg(8) restriction"
42865 + If you say Y here, non-root users will not be able to use dmesg(8)
42866 + to view up to the last 4kb of messages in the kernel's log buffer.
42867 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
42870 +config GRKERNSEC_HARDEN_PTRACE
42871 + bool "Deter ptrace-based process snooping"
42873 + If you say Y here, TTY sniffers and other malicious monitoring
42874 + programs implemented through ptrace will be defeated. If you
42875 + have been using the RBAC system, this option has already been
42876 + enabled for several years for all users, with the ability to make
42877 + fine-grained exceptions.
42879 + This option only affects the ability of non-root users to ptrace
42880 + processes that are not a descendent of the ptracing process.
42881 + This means that strace ./binary and gdb ./binary will still work,
42882 + but attaching to arbitrary processes will not. If the sysctl
42883 + option is enabled, a sysctl option with name "harden_ptrace" is
42886 +config GRKERNSEC_TPE
42887 + bool "Trusted Path Execution (TPE)"
42889 + If you say Y here, you will be able to choose a gid to add to the
42890 + supplementary groups of users you want to mark as "untrusted."
42891 + These users will not be able to execute any files that are not in
42892 + root-owned directories writable only by root. If the sysctl option
42893 + is enabled, a sysctl option with name "tpe" is created.
42895 +config GRKERNSEC_TPE_ALL
42896 + bool "Partially restrict all non-root users"
42897 + depends on GRKERNSEC_TPE
42899 + If you say Y here, all non-root users will be covered under
42900 + a weaker TPE restriction. This is separate from, and in addition to,
42901 + the main TPE options that you have selected elsewhere. Thus, if a
42902 + "trusted" GID is chosen, this restriction applies to even that GID.
42903 + Under this restriction, all non-root users will only be allowed to
42904 + execute files in directories they own that are not group or
42905 + world-writable, or in directories owned by root and writable only by
42906 + root. If the sysctl option is enabled, a sysctl option with name
42907 + "tpe_restrict_all" is created.
42909 +config GRKERNSEC_TPE_INVERT
42910 + bool "Invert GID option"
42911 + depends on GRKERNSEC_TPE
42913 + If you say Y here, the group you specify in the TPE configuration will
42914 + decide what group TPE restrictions will be *disabled* for. This
42915 + option is useful if you want TPE restrictions to be applied to most
42916 + users on the system. If the sysctl option is enabled, a sysctl option
42917 + with name "tpe_invert" is created. Unlike other sysctl options, this
42918 + entry will default to on for backward-compatibility.
42920 +config GRKERNSEC_TPE_GID
42921 + int "GID for untrusted users"
42922 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
42925 + Setting this GID determines what group TPE restrictions will be
42926 + *enabled* for. If the sysctl option is enabled, a sysctl option
42927 + with name "tpe_gid" is created.
42929 +config GRKERNSEC_TPE_GID
42930 + int "GID for trusted users"
42931 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
42934 + Setting this GID determines what group TPE restrictions will be
42935 + *disabled* for. If the sysctl option is enabled, a sysctl option
42936 + with name "tpe_gid" is created.
42939 +menu "Network Protections"
42940 +depends on GRKERNSEC
42942 +config GRKERNSEC_RANDNET
42943 + bool "Larger entropy pools"
42945 + If you say Y here, the entropy pools used for many features of Linux
42946 + and grsecurity will be doubled in size. Since several grsecurity
42947 + features use additional randomness, it is recommended that you say Y
42948 + here. Saying Y here has a similar effect as modifying
42949 + /proc/sys/kernel/random/poolsize.
42951 +config GRKERNSEC_BLACKHOLE
42952 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
42954 + If you say Y here, neither TCP resets nor ICMP
42955 + destination-unreachable packets will be sent in response to packets
42956 + sent to ports for which no associated listening process exists.
42957 + This feature supports both IPV4 and IPV6 and exempts the
42958 + loopback interface from blackholing. Enabling this feature
42959 + makes a host more resilient to DoS attacks and reduces network
42960 + visibility against scanners.
42962 + The blackhole feature as-implemented is equivalent to the FreeBSD
42963 + blackhole feature, as it prevents RST responses to all packets, not
42964 + just SYNs. Under most application behavior this causes no
42965 + problems, but applications (like haproxy) may not close certain
42966 + connections in a way that cleanly terminates them on the remote
42967 + end, leaving the remote host in LAST_ACK state. Because of this
42968 + side-effect and to prevent intentional LAST_ACK DoSes, this
42969 + feature also adds automatic mitigation against such attacks.
42970 + The mitigation drastically reduces the amount of time a socket
42971 + can spend in LAST_ACK state. If you're using haproxy and not
42972 + all servers it connects to have this option enabled, consider
42973 + disabling this feature on the haproxy host.
42975 + If the sysctl option is enabled, two sysctl options with names
42976 + "ip_blackhole" and "lastack_retries" will be created.
42977 + While "ip_blackhole" takes the standard zero/non-zero on/off
42978 + toggle, "lastack_retries" uses the same kinds of values as
42979 + "tcp_retries1" and "tcp_retries2". The default value of 4
42980 + prevents a socket from lasting more than 45 seconds in LAST_ACK
42983 +config GRKERNSEC_SOCKET
42984 + bool "Socket restrictions"
42986 + If you say Y here, you will be able to choose from several options.
42987 + If you assign a GID on your system and add it to the supplementary
42988 + groups of users you want to restrict socket access to, this patch
42989 + will perform up to three things, based on the option(s) you choose.
42991 +config GRKERNSEC_SOCKET_ALL
42992 + bool "Deny any sockets to group"
42993 + depends on GRKERNSEC_SOCKET
42995 + If you say Y here, you will be able to choose a GID of whose users will
42996 + be unable to connect to other hosts from your machine or run server
42997 + applications from your machine. If the sysctl option is enabled, a
42998 + sysctl option with name "socket_all" is created.
43000 +config GRKERNSEC_SOCKET_ALL_GID
43001 + int "GID to deny all sockets for"
43002 + depends on GRKERNSEC_SOCKET_ALL
43005 + Here you can choose the GID to disable socket access for. Remember to
43006 + add the users you want socket access disabled for to the GID
43007 + specified here. If the sysctl option is enabled, a sysctl option
43008 + with name "socket_all_gid" is created.
43010 +config GRKERNSEC_SOCKET_CLIENT
43011 + bool "Deny client sockets to group"
43012 + depends on GRKERNSEC_SOCKET
43014 + If you say Y here, you will be able to choose a GID of whose users will
43015 + be unable to connect to other hosts from your machine, but will be
43016 + able to run servers. If this option is enabled, all users in the group
43017 + you specify will have to use passive mode when initiating ftp transfers
43018 + from the shell on your machine. If the sysctl option is enabled, a
43019 + sysctl option with name "socket_client" is created.
43021 +config GRKERNSEC_SOCKET_CLIENT_GID
43022 + int "GID to deny client sockets for"
43023 + depends on GRKERNSEC_SOCKET_CLIENT
43026 + Here you can choose the GID to disable client socket access for.
43027 + Remember to add the users you want client socket access disabled for to
43028 + the GID specified here. If the sysctl option is enabled, a sysctl
43029 + option with name "socket_client_gid" is created.
43031 +config GRKERNSEC_SOCKET_SERVER
43032 + bool "Deny server sockets to group"
43033 + depends on GRKERNSEC_SOCKET
43035 + If you say Y here, you will be able to choose a GID of whose users will
43036 + be unable to run server applications from your machine. If the sysctl
43037 + option is enabled, a sysctl option with name "socket_server" is created.
43039 +config GRKERNSEC_SOCKET_SERVER_GID
43040 + int "GID to deny server sockets for"
43041 + depends on GRKERNSEC_SOCKET_SERVER
43044 + Here you can choose the GID to disable server socket access for.
43045 + Remember to add the users you want server socket access disabled for to
43046 + the GID specified here. If the sysctl option is enabled, a sysctl
43047 + option with name "socket_server_gid" is created.
43050 +menu "Sysctl support"
43051 +depends on GRKERNSEC && SYSCTL
43053 +config GRKERNSEC_SYSCTL
43054 + bool "Sysctl support"
43056 + If you say Y here, you will be able to change the options that
43057 + grsecurity runs with at bootup, without having to recompile your
43058 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
43059 + to enable (1) or disable (0) various features. All the sysctl entries
43060 + are mutable until the "grsec_lock" entry is set to a non-zero value.
43061 + All features enabled in the kernel configuration are disabled at boot
43062 + if you do not say Y to the "Turn on features by default" option.
43063 + All options should be set at startup, and the grsec_lock entry should
43064 + be set to a non-zero value after all the options are set.
43065 + *THIS IS EXTREMELY IMPORTANT*
43067 +config GRKERNSEC_SYSCTL_DISTRO
43068 + bool "Extra sysctl support for distro makers (READ HELP)"
43069 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
43071 + If you say Y here, additional sysctl options will be created
43072 + for features that affect processes running as root. Therefore,
43073 + it is critical when using this option that the grsec_lock entry be
43074 + enabled after boot. Only distros with prebuilt kernel packages
43075 + with this option enabled that can ensure grsec_lock is enabled
43076 + after boot should use this option.
43077 + *Failure to set grsec_lock after boot makes all grsec features
43078 + this option covers useless*
43080 + Currently this option creates the following sysctl entries:
43081 + "Disable Privileged I/O": "disable_priv_io"
43083 +config GRKERNSEC_SYSCTL_ON
43084 + bool "Turn on features by default"
43085 + depends on GRKERNSEC_SYSCTL
43087 + If you say Y here, instead of having all features enabled in the
43088 + kernel configuration disabled at boot time, the features will be
43089 + enabled at boot time. It is recommended you say Y here unless
43090 + there is some reason you would want all sysctl-tunable features to
43091 + be disabled by default. As mentioned elsewhere, it is important
43092 + to enable the grsec_lock entry once you have finished modifying
43093 + the sysctl entries.
43096 +menu "Logging Options"
43097 +depends on GRKERNSEC
43099 +config GRKERNSEC_FLOODTIME
43100 + int "Seconds in between log messages (minimum)"
43103 + This option allows you to enforce the number of seconds between
43104 + grsecurity log messages. The default should be suitable for most
43105 + people, however, if you choose to change it, choose a value small enough
43106 + to allow informative logs to be produced, but large enough to
43107 + prevent flooding.
43109 +config GRKERNSEC_FLOODBURST
43110 + int "Number of messages in a burst (maximum)"
43113 + This option allows you to choose the maximum number of messages allowed
43114 + within the flood time interval you chose in a separate option. The
43115 + default should be suitable for most people, however if you find that
43116 + many of your logs are being interpreted as flooding, you may want to
43117 + raise this value.
43122 diff -urNp linux-2.6.35.4/grsecurity/Makefile linux-2.6.35.4/grsecurity/Makefile
43123 --- linux-2.6.35.4/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
43124 +++ linux-2.6.35.4/grsecurity/Makefile 2010-09-17 20:12:37.000000000 -0400
43126 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
43127 +# during 2001-2009 it has been completely redesigned by Brad Spengler
43128 +# into an RBAC system
43130 +# All code in this directory and various hooks inserted throughout the kernel
43131 +# are copyright Brad Spengler - Open Source Security, Inc., and released
43132 +# under the GPL v2 or higher
43134 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
43135 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
43136 + grsec_time.o grsec_tpe.o grsec_link.o grsec_textrel.o grsec_ptrace.o
43138 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
43139 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
43140 + gracl_learn.o grsec_log.o
43141 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
43143 +ifndef CONFIG_GRKERNSEC
43144 +obj-y += grsec_disabled.o
43147 +ifdef CONFIG_GRKERNSEC_HIDESYM
43148 +extra-y := grsec_hidesym.o
43149 +$(obj)/grsec_hidesym.o:
43150 + @-chmod -f 500 /boot
43151 + @-chmod -f 500 /lib/modules
43153 + @echo ' grsec: protected kernel image paths'
43155 diff -urNp linux-2.6.35.4/include/acpi/acoutput.h linux-2.6.35.4/include/acpi/acoutput.h
43156 --- linux-2.6.35.4/include/acpi/acoutput.h 2010-08-26 19:47:12.000000000 -0400
43157 +++ linux-2.6.35.4/include/acpi/acoutput.h 2010-09-17 20:12:09.000000000 -0400
43158 @@ -268,8 +268,8 @@
43159 * leaving no executable debug code!
43161 #define ACPI_FUNCTION_NAME(a)
43162 -#define ACPI_DEBUG_PRINT(pl)
43163 -#define ACPI_DEBUG_PRINT_RAW(pl)
43164 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
43165 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
43167 #endif /* ACPI_DEBUG_OUTPUT */
43169 diff -urNp linux-2.6.35.4/include/acpi/acpi_drivers.h linux-2.6.35.4/include/acpi/acpi_drivers.h
43170 --- linux-2.6.35.4/include/acpi/acpi_drivers.h 2010-08-26 19:47:12.000000000 -0400
43171 +++ linux-2.6.35.4/include/acpi/acpi_drivers.h 2010-09-17 20:12:09.000000000 -0400
43172 @@ -121,8 +121,8 @@ int acpi_processor_set_thermal_limit(acp
43174 -------------------------------------------------------------------------- */
43175 struct acpi_dock_ops {
43176 - acpi_notify_handler handler;
43177 - acpi_notify_handler uevent;
43178 + const acpi_notify_handler handler;
43179 + const acpi_notify_handler uevent;
43182 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
43183 @@ -130,7 +130,7 @@ extern int is_dock_device(acpi_handle ha
43184 extern int register_dock_notifier(struct notifier_block *nb);
43185 extern void unregister_dock_notifier(struct notifier_block *nb);
43186 extern int register_hotplug_dock_device(acpi_handle handle,
43187 - struct acpi_dock_ops *ops,
43188 + const struct acpi_dock_ops *ops,
43190 extern void unregister_hotplug_dock_device(acpi_handle handle);
43192 @@ -146,7 +146,7 @@ static inline void unregister_dock_notif
43195 static inline int register_hotplug_dock_device(acpi_handle handle,
43196 - struct acpi_dock_ops *ops,
43197 + const struct acpi_dock_ops *ops,
43201 diff -urNp linux-2.6.35.4/include/asm-generic/atomic-long.h linux-2.6.35.4/include/asm-generic/atomic-long.h
43202 --- linux-2.6.35.4/include/asm-generic/atomic-long.h 2010-08-26 19:47:12.000000000 -0400
43203 +++ linux-2.6.35.4/include/asm-generic/atomic-long.h 2010-09-17 20:12:09.000000000 -0400
43206 typedef atomic64_t atomic_long_t;
43208 +#ifdef CONFIG_PAX_REFCOUNT
43209 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
43211 +typedef atomic64_t atomic_long_unchecked_t;
43214 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
43216 static inline long atomic_long_read(atomic_long_t *l)
43217 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
43218 return (long)atomic64_read(v);
43221 +#ifdef CONFIG_PAX_REFCOUNT
43222 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
43224 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43226 + return (long)atomic64_read_unchecked(v);
43230 static inline void atomic_long_set(atomic_long_t *l, long i)
43232 atomic64_t *v = (atomic64_t *)l;
43233 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
43234 atomic64_set(v, i);
43237 +#ifdef CONFIG_PAX_REFCOUNT
43238 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
43240 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43242 + atomic64_set_unchecked(v, i);
43246 static inline void atomic_long_inc(atomic_long_t *l)
43248 atomic64_t *v = (atomic64_t *)l;
43249 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
43253 +#ifdef CONFIG_PAX_REFCOUNT
43254 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
43256 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43258 + atomic64_inc_unchecked(v);
43262 static inline void atomic_long_dec(atomic_long_t *l)
43264 atomic64_t *v = (atomic64_t *)l;
43265 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
43269 +#ifdef CONFIG_PAX_REFCOUNT
43270 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
43272 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43274 + atomic64_dec_unchecked(v);
43278 static inline void atomic_long_add(long i, atomic_long_t *l)
43280 atomic64_t *v = (atomic64_t *)l;
43281 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
43282 atomic64_add(i, v);
43285 +#ifdef CONFIG_PAX_REFCOUNT
43286 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
43288 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43290 + atomic64_add_unchecked(i, v);
43294 static inline void atomic_long_sub(long i, atomic_long_t *l)
43296 atomic64_t *v = (atomic64_t *)l;
43297 @@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
43298 return (long)atomic64_inc_return(v);
43301 +#ifdef CONFIG_PAX_REFCOUNT
43302 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
43304 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43306 + return (long)atomic64_inc_return_unchecked(v);
43310 static inline long atomic_long_dec_return(atomic_long_t *l)
43312 atomic64_t *v = (atomic64_t *)l;
43313 @@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
43315 typedef atomic_t atomic_long_t;
43317 +#ifdef CONFIG_PAX_REFCOUNT
43318 +typedef atomic_unchecked_t atomic_long_unchecked_t;
43320 +typedef atomic_t atomic_long_unchecked_t;
43323 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
43324 static inline long atomic_long_read(atomic_long_t *l)
43326 @@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
43327 return (long)atomic_read(v);
43330 +#ifdef CONFIG_PAX_REFCOUNT
43331 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
43333 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43335 + return (long)atomic_read_unchecked(v);
43339 static inline void atomic_long_set(atomic_long_t *l, long i)
43341 atomic_t *v = (atomic_t *)l;
43342 @@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
43346 +#ifdef CONFIG_PAX_REFCOUNT
43347 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
43349 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43351 + atomic_set_unchecked(v, i);
43355 static inline void atomic_long_inc(atomic_long_t *l)
43357 atomic_t *v = (atomic_t *)l;
43358 @@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
43362 +#ifdef CONFIG_PAX_REFCOUNT
43363 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
43365 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43367 + atomic_inc_unchecked(v);
43371 static inline void atomic_long_dec(atomic_long_t *l)
43373 atomic_t *v = (atomic_t *)l;
43374 @@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
43378 +#ifdef CONFIG_PAX_REFCOUNT
43379 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
43381 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43383 + atomic_dec_unchecked(v);
43387 static inline void atomic_long_add(long i, atomic_long_t *l)
43389 atomic_t *v = (atomic_t *)l;
43390 @@ -176,6 +278,15 @@ static inline void atomic_long_add(long
43394 +#ifdef CONFIG_PAX_REFCOUNT
43395 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
43397 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43399 + atomic_add_unchecked(i, v);
43403 static inline void atomic_long_sub(long i, atomic_long_t *l)
43405 atomic_t *v = (atomic_t *)l;
43406 @@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
43407 return (long)atomic_inc_return(v);
43410 +#ifdef CONFIG_PAX_REFCOUNT
43411 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
43413 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43415 + return (long)atomic_inc_return_unchecked(v);
43419 static inline long atomic_long_dec_return(atomic_long_t *l)
43421 atomic_t *v = (atomic_t *)l;
43422 @@ -255,4 +375,37 @@ static inline long atomic_long_add_unles
43424 #endif /* BITS_PER_LONG == 64 */
43426 +#ifdef CONFIG_PAX_REFCOUNT
43427 +static inline void pax_refcount_needs_these_functions(void)
43429 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
43430 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
43431 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
43432 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
43433 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
43434 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
43436 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
43437 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
43438 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
43439 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
43440 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
43441 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
43444 +#define atomic_read_unchecked(v) atomic_read(v)
43445 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
43446 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
43447 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
43448 +#define atomic_inc_unchecked(v) atomic_inc(v)
43449 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
43451 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
43452 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
43453 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
43454 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
43455 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
43456 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
43459 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
43460 diff -urNp linux-2.6.35.4/include/asm-generic/dma-mapping-common.h linux-2.6.35.4/include/asm-generic/dma-mapping-common.h
43461 --- linux-2.6.35.4/include/asm-generic/dma-mapping-common.h 2010-08-26 19:47:12.000000000 -0400
43462 +++ linux-2.6.35.4/include/asm-generic/dma-mapping-common.h 2010-09-17 20:12:09.000000000 -0400
43463 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
43464 enum dma_data_direction dir,
43465 struct dma_attrs *attrs)
43467 - struct dma_map_ops *ops = get_dma_ops(dev);
43468 + const struct dma_map_ops *ops = get_dma_ops(dev);
43471 kmemcheck_mark_initialized(ptr, size);
43472 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
43473 enum dma_data_direction dir,
43474 struct dma_attrs *attrs)
43476 - struct dma_map_ops *ops = get_dma_ops(dev);
43477 + const struct dma_map_ops *ops = get_dma_ops(dev);
43479 BUG_ON(!valid_dma_direction(dir));
43480 if (ops->unmap_page)
43481 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
43482 int nents, enum dma_data_direction dir,
43483 struct dma_attrs *attrs)
43485 - struct dma_map_ops *ops = get_dma_ops(dev);
43486 + const struct dma_map_ops *ops = get_dma_ops(dev);
43488 struct scatterlist *s;
43490 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
43491 int nents, enum dma_data_direction dir,
43492 struct dma_attrs *attrs)
43494 - struct dma_map_ops *ops = get_dma_ops(dev);
43495 + const struct dma_map_ops *ops = get_dma_ops(dev);
43497 BUG_ON(!valid_dma_direction(dir));
43498 debug_dma_unmap_sg(dev, sg, nents, dir);
43499 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
43500 size_t offset, size_t size,
43501 enum dma_data_direction dir)
43503 - struct dma_map_ops *ops = get_dma_ops(dev);
43504 + const struct dma_map_ops *ops = get_dma_ops(dev);
43507 kmemcheck_mark_initialized(page_address(page) + offset, size);
43508 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
43509 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
43510 size_t size, enum dma_data_direction dir)
43512 - struct dma_map_ops *ops = get_dma_ops(dev);
43513 + const struct dma_map_ops *ops = get_dma_ops(dev);
43515 BUG_ON(!valid_dma_direction(dir));
43516 if (ops->unmap_page)
43517 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
43519 enum dma_data_direction dir)
43521 - struct dma_map_ops *ops = get_dma_ops(dev);
43522 + const struct dma_map_ops *ops = get_dma_ops(dev);
43524 BUG_ON(!valid_dma_direction(dir));
43525 if (ops->sync_single_for_cpu)
43526 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
43527 dma_addr_t addr, size_t size,
43528 enum dma_data_direction dir)
43530 - struct dma_map_ops *ops = get_dma_ops(dev);
43531 + const struct dma_map_ops *ops = get_dma_ops(dev);
43533 BUG_ON(!valid_dma_direction(dir));
43534 if (ops->sync_single_for_device)
43535 @@ -139,7 +139,7 @@ static inline void
43536 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
43537 int nelems, enum dma_data_direction dir)
43539 - struct dma_map_ops *ops = get_dma_ops(dev);
43540 + const struct dma_map_ops *ops = get_dma_ops(dev);
43542 BUG_ON(!valid_dma_direction(dir));
43543 if (ops->sync_sg_for_cpu)
43544 @@ -151,7 +151,7 @@ static inline void
43545 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
43546 int nelems, enum dma_data_direction dir)
43548 - struct dma_map_ops *ops = get_dma_ops(dev);
43549 + const struct dma_map_ops *ops = get_dma_ops(dev);
43551 BUG_ON(!valid_dma_direction(dir));
43552 if (ops->sync_sg_for_device)
43553 diff -urNp linux-2.6.35.4/include/asm-generic/futex.h linux-2.6.35.4/include/asm-generic/futex.h
43554 --- linux-2.6.35.4/include/asm-generic/futex.h 2010-08-26 19:47:12.000000000 -0400
43555 +++ linux-2.6.35.4/include/asm-generic/futex.h 2010-09-17 20:12:09.000000000 -0400
43557 #include <asm/errno.h>
43560 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
43561 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
43563 int op = (encoded_op >> 28) & 7;
43564 int cmp = (encoded_op >> 24) & 15;
43565 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
43569 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
43570 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
43574 diff -urNp linux-2.6.35.4/include/asm-generic/int-l64.h linux-2.6.35.4/include/asm-generic/int-l64.h
43575 --- linux-2.6.35.4/include/asm-generic/int-l64.h 2010-08-26 19:47:12.000000000 -0400
43576 +++ linux-2.6.35.4/include/asm-generic/int-l64.h 2010-09-17 20:12:09.000000000 -0400
43577 @@ -46,6 +46,8 @@ typedef unsigned int u32;
43578 typedef signed long s64;
43579 typedef unsigned long u64;
43581 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
43584 #define U8_C(x) x ## U
43586 diff -urNp linux-2.6.35.4/include/asm-generic/int-ll64.h linux-2.6.35.4/include/asm-generic/int-ll64.h
43587 --- linux-2.6.35.4/include/asm-generic/int-ll64.h 2010-08-26 19:47:12.000000000 -0400
43588 +++ linux-2.6.35.4/include/asm-generic/int-ll64.h 2010-09-17 20:12:09.000000000 -0400
43589 @@ -51,6 +51,8 @@ typedef unsigned int u32;
43590 typedef signed long long s64;
43591 typedef unsigned long long u64;
43593 +typedef unsigned long long intoverflow_t;
43596 #define U8_C(x) x ## U
43598 diff -urNp linux-2.6.35.4/include/asm-generic/kmap_types.h linux-2.6.35.4/include/asm-generic/kmap_types.h
43599 --- linux-2.6.35.4/include/asm-generic/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
43600 +++ linux-2.6.35.4/include/asm-generic/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
43601 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
43603 KMAP_D(18) KM_NMI_PTE,
43605 +KMAP_D(20) KM_CLEARPAGE,
43607 * Remember to update debug_kmap_atomic() when adding new kmap types!
43609 -KMAP_D(20) KM_TYPE_NR
43610 +KMAP_D(21) KM_TYPE_NR
43614 diff -urNp linux-2.6.35.4/include/asm-generic/pgtable.h linux-2.6.35.4/include/asm-generic/pgtable.h
43615 --- linux-2.6.35.4/include/asm-generic/pgtable.h 2010-08-26 19:47:12.000000000 -0400
43616 +++ linux-2.6.35.4/include/asm-generic/pgtable.h 2010-09-17 20:12:09.000000000 -0400
43617 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
43618 unsigned long size);
43621 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
43622 +static inline unsigned long pax_open_kernel(void) { return 0; }
43625 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
43626 +static inline unsigned long pax_close_kernel(void) { return 0; }
43629 #endif /* !__ASSEMBLY__ */
43631 #endif /* _ASM_GENERIC_PGTABLE_H */
43632 diff -urNp linux-2.6.35.4/include/asm-generic/pgtable-nopmd.h linux-2.6.35.4/include/asm-generic/pgtable-nopmd.h
43633 --- linux-2.6.35.4/include/asm-generic/pgtable-nopmd.h 2010-08-26 19:47:12.000000000 -0400
43634 +++ linux-2.6.35.4/include/asm-generic/pgtable-nopmd.h 2010-09-17 20:12:09.000000000 -0400
43636 #ifndef _PGTABLE_NOPMD_H
43637 #define _PGTABLE_NOPMD_H
43639 -#ifndef __ASSEMBLY__
43641 #include <asm-generic/pgtable-nopud.h>
43645 #define __PAGETABLE_PMD_FOLDED
43647 +#define PMD_SHIFT PUD_SHIFT
43648 +#define PTRS_PER_PMD 1
43649 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
43650 +#define PMD_MASK (~(PMD_SIZE-1))
43652 +#ifndef __ASSEMBLY__
43657 * Having the pmd type consist of a pud gets the size right, and allows
43658 * us to conceptually access the pud entry that this pmd is folded into
43659 @@ -16,11 +21,6 @@ struct mm_struct;
43661 typedef struct { pud_t pud; } pmd_t;
43663 -#define PMD_SHIFT PUD_SHIFT
43664 -#define PTRS_PER_PMD 1
43665 -#define PMD_SIZE (1UL << PMD_SHIFT)
43666 -#define PMD_MASK (~(PMD_SIZE-1))
43669 * The "pud_xxx()" functions here are trivial for a folded two-level
43670 * setup: the pmd is never bad, and a pmd always exists (as it's folded
43671 diff -urNp linux-2.6.35.4/include/asm-generic/pgtable-nopud.h linux-2.6.35.4/include/asm-generic/pgtable-nopud.h
43672 --- linux-2.6.35.4/include/asm-generic/pgtable-nopud.h 2010-08-26 19:47:12.000000000 -0400
43673 +++ linux-2.6.35.4/include/asm-generic/pgtable-nopud.h 2010-09-17 20:12:09.000000000 -0400
43675 #ifndef _PGTABLE_NOPUD_H
43676 #define _PGTABLE_NOPUD_H
43678 -#ifndef __ASSEMBLY__
43680 #define __PAGETABLE_PUD_FOLDED
43682 +#define PUD_SHIFT PGDIR_SHIFT
43683 +#define PTRS_PER_PUD 1
43684 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
43685 +#define PUD_MASK (~(PUD_SIZE-1))
43687 +#ifndef __ASSEMBLY__
43690 * Having the pud type consist of a pgd gets the size right, and allows
43691 * us to conceptually access the pgd entry that this pud is folded into
43694 typedef struct { pgd_t pgd; } pud_t;
43696 -#define PUD_SHIFT PGDIR_SHIFT
43697 -#define PTRS_PER_PUD 1
43698 -#define PUD_SIZE (1UL << PUD_SHIFT)
43699 -#define PUD_MASK (~(PUD_SIZE-1))
43702 * The "pgd_xxx()" functions here are trivial for a folded two-level
43703 * setup: the pud is never bad, and a pud always exists (as it's folded
43704 diff -urNp linux-2.6.35.4/include/asm-generic/vmlinux.lds.h linux-2.6.35.4/include/asm-generic/vmlinux.lds.h
43705 --- linux-2.6.35.4/include/asm-generic/vmlinux.lds.h 2010-08-26 19:47:12.000000000 -0400
43706 +++ linux-2.6.35.4/include/asm-generic/vmlinux.lds.h 2010-09-17 20:12:09.000000000 -0400
43707 @@ -213,6 +213,7 @@
43708 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
43709 VMLINUX_SYMBOL(__start_rodata) = .; \
43710 *(.rodata) *(.rodata.*) \
43711 + *(.data..read_only) \
43712 *(__vermagic) /* Kernel version magic */ \
43713 *(__markers_strings) /* Markers: strings */ \
43714 *(__tracepoints_strings)/* Tracepoints: strings */ \
43715 @@ -670,22 +671,24 @@
43716 * section in the linker script will go there too. @phdr should have
43719 - * Note that this macros defines __per_cpu_load as an absolute symbol.
43720 + * Note that this macros defines per_cpu_load as an absolute symbol.
43721 * If there is no need to put the percpu section at a predetermined
43722 * address, use PERCPU().
43724 #define PERCPU_VADDR(vaddr, phdr) \
43725 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
43726 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
43727 + per_cpu_load = .; \
43728 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
43730 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
43731 VMLINUX_SYMBOL(__per_cpu_start) = .; \
43732 *(.data..percpu..first) \
43733 - *(.data..percpu..page_aligned) \
43735 + . = ALIGN(PAGE_SIZE); \
43736 + *(.data..percpu..page_aligned) \
43737 *(.data..percpu..shared_aligned) \
43738 VMLINUX_SYMBOL(__per_cpu_end) = .; \
43740 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
43741 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
43744 * PERCPU - define output section for percpu area, simple version
43745 diff -urNp linux-2.6.35.4/include/drm/drm_pciids.h linux-2.6.35.4/include/drm/drm_pciids.h
43746 --- linux-2.6.35.4/include/drm/drm_pciids.h 2010-08-26 19:47:12.000000000 -0400
43747 +++ linux-2.6.35.4/include/drm/drm_pciids.h 2010-09-17 20:12:09.000000000 -0400
43748 @@ -419,7 +419,7 @@
43749 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43750 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43751 {0x1002, 0x9715, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43753 + {0, 0, 0, 0, 0, 0}
43755 #define r128_PCI_IDS \
43756 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43757 @@ -459,14 +459,14 @@
43758 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43759 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43760 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43762 + {0, 0, 0, 0, 0, 0}
43764 #define mga_PCI_IDS \
43765 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
43766 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
43767 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
43768 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
43770 + {0, 0, 0, 0, 0, 0}
43772 #define mach64_PCI_IDS \
43773 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43774 @@ -489,7 +489,7 @@
43775 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43776 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43777 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43779 + {0, 0, 0, 0, 0, 0}
43781 #define sisdrv_PCI_IDS \
43782 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43783 @@ -500,7 +500,7 @@
43784 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43785 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
43786 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
43788 + {0, 0, 0, 0, 0, 0}
43790 #define tdfx_PCI_IDS \
43791 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43792 @@ -509,7 +509,7 @@
43793 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43794 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43795 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43797 + {0, 0, 0, 0, 0, 0}
43799 #define viadrv_PCI_IDS \
43800 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43801 @@ -521,14 +521,14 @@
43802 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43803 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
43804 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
43806 + {0, 0, 0, 0, 0, 0}
43808 #define i810_PCI_IDS \
43809 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43810 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43811 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43812 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43814 + {0, 0, 0, 0, 0, 0}
43816 #define i830_PCI_IDS \
43817 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43818 @@ -536,11 +536,11 @@
43819 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43820 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43821 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43823 + {0, 0, 0, 0, 0, 0}
43825 #define gamma_PCI_IDS \
43826 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43828 + {0, 0, 0, 0, 0, 0}
43830 #define savage_PCI_IDS \
43831 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
43832 @@ -566,10 +566,10 @@
43833 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
43834 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
43835 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
43837 + {0, 0, 0, 0, 0, 0}
43839 #define ffb_PCI_IDS \
43841 + {0, 0, 0, 0, 0, 0}
43843 #define i915_PCI_IDS \
43844 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
43845 @@ -603,4 +603,4 @@
43846 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
43847 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
43848 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
43850 + {0, 0, 0, 0, 0, 0}
43851 diff -urNp linux-2.6.35.4/include/drm/drmP.h linux-2.6.35.4/include/drm/drmP.h
43852 --- linux-2.6.35.4/include/drm/drmP.h 2010-08-26 19:47:12.000000000 -0400
43853 +++ linux-2.6.35.4/include/drm/drmP.h 2010-09-17 20:12:09.000000000 -0400
43854 @@ -808,7 +808,7 @@ struct drm_driver {
43855 void (*vgaarb_irq)(struct drm_device *dev, bool state);
43857 /* Driver private ops for this object */
43858 - struct vm_operations_struct *gem_vm_ops;
43859 + const struct vm_operations_struct *gem_vm_ops;
43863 @@ -917,7 +917,7 @@ struct drm_device {
43865 /** \name Usage Counters */
43867 - int open_count; /**< Outstanding files open */
43868 + atomic_t open_count; /**< Outstanding files open */
43869 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
43870 atomic_t vma_count; /**< Outstanding vma areas open */
43871 int buf_use; /**< Buffers in use -- cannot alloc */
43872 @@ -928,7 +928,7 @@ struct drm_device {
43874 unsigned long counters;
43875 enum drm_stat_type types[15];
43876 - atomic_t counts[15];
43877 + atomic_unchecked_t counts[15];
43880 struct list_head filelist;
43881 diff -urNp linux-2.6.35.4/include/linux/a.out.h linux-2.6.35.4/include/linux/a.out.h
43882 --- linux-2.6.35.4/include/linux/a.out.h 2010-08-26 19:47:12.000000000 -0400
43883 +++ linux-2.6.35.4/include/linux/a.out.h 2010-09-17 20:12:09.000000000 -0400
43884 @@ -39,6 +39,14 @@ enum machine_type {
43885 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
43888 +/* Constants for the N_FLAGS field */
43889 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
43890 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
43891 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
43892 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
43893 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
43894 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
43896 #if !defined (N_MAGIC)
43897 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
43899 diff -urNp linux-2.6.35.4/include/linux/atmdev.h linux-2.6.35.4/include/linux/atmdev.h
43900 --- linux-2.6.35.4/include/linux/atmdev.h 2010-08-26 19:47:12.000000000 -0400
43901 +++ linux-2.6.35.4/include/linux/atmdev.h 2010-09-17 20:12:09.000000000 -0400
43902 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
43905 struct k_atm_aal_stats {
43906 -#define __HANDLE_ITEM(i) atomic_t i
43907 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
43909 #undef __HANDLE_ITEM
43911 diff -urNp linux-2.6.35.4/include/linux/binfmts.h linux-2.6.35.4/include/linux/binfmts.h
43912 --- linux-2.6.35.4/include/linux/binfmts.h 2010-08-26 19:47:12.000000000 -0400
43913 +++ linux-2.6.35.4/include/linux/binfmts.h 2010-09-17 20:12:09.000000000 -0400
43914 @@ -87,6 +87,7 @@ struct linux_binfmt {
43915 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
43916 int (*load_shlib)(struct file *);
43917 int (*core_dump)(struct coredump_params *cprm);
43918 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
43919 unsigned long min_coredump; /* minimal dump size */
43922 diff -urNp linux-2.6.35.4/include/linux/blkdev.h linux-2.6.35.4/include/linux/blkdev.h
43923 --- linux-2.6.35.4/include/linux/blkdev.h 2010-08-26 19:47:12.000000000 -0400
43924 +++ linux-2.6.35.4/include/linux/blkdev.h 2010-09-17 20:12:09.000000000 -0400
43925 @@ -1331,20 +1331,20 @@ static inline int blk_integrity_rq(struc
43926 #endif /* CONFIG_BLK_DEV_INTEGRITY */
43928 struct block_device_operations {
43929 - int (*open) (struct block_device *, fmode_t);
43930 - int (*release) (struct gendisk *, fmode_t);
43931 - int (*locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
43932 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
43933 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
43934 - int (*direct_access) (struct block_device *, sector_t,
43935 + int (* const open) (struct block_device *, fmode_t);
43936 + int (* const release) (struct gendisk *, fmode_t);
43937 + int (* const locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
43938 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
43939 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
43940 + int (* const direct_access) (struct block_device *, sector_t,
43941 void **, unsigned long *);
43942 - int (*media_changed) (struct gendisk *);
43943 - void (*unlock_native_capacity) (struct gendisk *);
43944 - int (*revalidate_disk) (struct gendisk *);
43945 - int (*getgeo)(struct block_device *, struct hd_geometry *);
43946 + int (* const media_changed) (struct gendisk *);
43947 + void (* const unlock_native_capacity) (struct gendisk *);
43948 + int (* const revalidate_disk) (struct gendisk *);
43949 + int (*const getgeo)(struct block_device *, struct hd_geometry *);
43950 /* this callback is with swap_lock and sometimes page table lock held */
43951 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
43952 - struct module *owner;
43953 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
43954 + struct module * const owner;
43957 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
43958 diff -urNp linux-2.6.35.4/include/linux/cache.h linux-2.6.35.4/include/linux/cache.h
43959 --- linux-2.6.35.4/include/linux/cache.h 2010-08-26 19:47:12.000000000 -0400
43960 +++ linux-2.6.35.4/include/linux/cache.h 2010-09-17 20:12:09.000000000 -0400
43962 #define __read_mostly
43965 +#ifndef __read_only
43966 +#define __read_only __read_mostly
43969 #ifndef ____cacheline_aligned
43970 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
43972 diff -urNp linux-2.6.35.4/include/linux/capability.h linux-2.6.35.4/include/linux/capability.h
43973 --- linux-2.6.35.4/include/linux/capability.h 2010-08-26 19:47:12.000000000 -0400
43974 +++ linux-2.6.35.4/include/linux/capability.h 2010-09-17 20:12:37.000000000 -0400
43975 @@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
43976 (security_real_capable_noaudit((t), (cap)) == 0)
43978 extern int capable(int cap);
43979 +int capable_nolog(int cap);
43981 /* audit system wants to get cap info from files as well */
43983 diff -urNp linux-2.6.35.4/include/linux/compiler-gcc4.h linux-2.6.35.4/include/linux/compiler-gcc4.h
43984 --- linux-2.6.35.4/include/linux/compiler-gcc4.h 2010-08-26 19:47:12.000000000 -0400
43985 +++ linux-2.6.35.4/include/linux/compiler-gcc4.h 2010-09-17 20:12:09.000000000 -0400
43990 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
43991 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
43992 +#define __bos0(ptr) __bos((ptr), 0)
43993 +#define __bos1(ptr) __bos((ptr), 1)
43996 #if __GNUC_MINOR__ > 0
43997 diff -urNp linux-2.6.35.4/include/linux/compiler.h linux-2.6.35.4/include/linux/compiler.h
43998 --- linux-2.6.35.4/include/linux/compiler.h 2010-08-26 19:47:12.000000000 -0400
43999 +++ linux-2.6.35.4/include/linux/compiler.h 2010-09-17 20:12:09.000000000 -0400
44000 @@ -267,6 +267,22 @@ void ftrace_likely_update(struct ftrace_
44004 +#ifndef __alloc_size
44005 +#define __alloc_size
44020 /* Simple shorthand for a section definition */
44022 # define __section(S) __attribute__ ((__section__(#S)))
44023 diff -urNp linux-2.6.35.4/include/linux/decompress/mm.h linux-2.6.35.4/include/linux/decompress/mm.h
44024 --- linux-2.6.35.4/include/linux/decompress/mm.h 2010-08-26 19:47:12.000000000 -0400
44025 +++ linux-2.6.35.4/include/linux/decompress/mm.h 2010-09-17 20:12:09.000000000 -0400
44026 @@ -78,7 +78,7 @@ static void free(void *where)
44027 * warnings when not needed (indeed large_malloc / large_free are not
44028 * needed by inflate */
44030 -#define malloc(a) kmalloc(a, GFP_KERNEL)
44031 +#define malloc(a) kmalloc((a), GFP_KERNEL)
44032 #define free(a) kfree(a)
44034 #define large_malloc(a) vmalloc(a)
44035 diff -urNp linux-2.6.35.4/include/linux/dma-mapping.h linux-2.6.35.4/include/linux/dma-mapping.h
44036 --- linux-2.6.35.4/include/linux/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
44037 +++ linux-2.6.35.4/include/linux/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
44038 @@ -16,40 +16,40 @@ enum dma_data_direction {
44041 struct dma_map_ops {
44042 - void* (*alloc_coherent)(struct device *dev, size_t size,
44043 + void* (* const alloc_coherent)(struct device *dev, size_t size,
44044 dma_addr_t *dma_handle, gfp_t gfp);
44045 - void (*free_coherent)(struct device *dev, size_t size,
44046 + void (* const free_coherent)(struct device *dev, size_t size,
44047 void *vaddr, dma_addr_t dma_handle);
44048 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
44049 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
44050 unsigned long offset, size_t size,
44051 enum dma_data_direction dir,
44052 struct dma_attrs *attrs);
44053 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
44054 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
44055 size_t size, enum dma_data_direction dir,
44056 struct dma_attrs *attrs);
44057 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
44058 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
44059 int nents, enum dma_data_direction dir,
44060 struct dma_attrs *attrs);
44061 - void (*unmap_sg)(struct device *dev,
44062 + void (* const unmap_sg)(struct device *dev,
44063 struct scatterlist *sg, int nents,
44064 enum dma_data_direction dir,
44065 struct dma_attrs *attrs);
44066 - void (*sync_single_for_cpu)(struct device *dev,
44067 + void (* const sync_single_for_cpu)(struct device *dev,
44068 dma_addr_t dma_handle, size_t size,
44069 enum dma_data_direction dir);
44070 - void (*sync_single_for_device)(struct device *dev,
44071 + void (* const sync_single_for_device)(struct device *dev,
44072 dma_addr_t dma_handle, size_t size,
44073 enum dma_data_direction dir);
44074 - void (*sync_sg_for_cpu)(struct device *dev,
44075 + void (* const sync_sg_for_cpu)(struct device *dev,
44076 struct scatterlist *sg, int nents,
44077 enum dma_data_direction dir);
44078 - void (*sync_sg_for_device)(struct device *dev,
44079 + void (* const sync_sg_for_device)(struct device *dev,
44080 struct scatterlist *sg, int nents,
44081 enum dma_data_direction dir);
44082 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
44083 - int (*dma_supported)(struct device *dev, u64 mask);
44084 - int (*set_dma_mask)(struct device *dev, u64 mask);
44086 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
44087 + int (* const dma_supported)(struct device *dev, u64 mask);
44088 + int (* set_dma_mask)(struct device *dev, u64 mask);
44089 + const int is_phys;
44092 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
44093 diff -urNp linux-2.6.35.4/include/linux/elf.h linux-2.6.35.4/include/linux/elf.h
44094 --- linux-2.6.35.4/include/linux/elf.h 2010-08-26 19:47:12.000000000 -0400
44095 +++ linux-2.6.35.4/include/linux/elf.h 2010-09-17 20:12:09.000000000 -0400
44096 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
44097 #define PT_GNU_EH_FRAME 0x6474e550
44099 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
44100 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
44102 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
44104 +/* Constants for the e_flags field */
44105 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
44106 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
44107 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
44108 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
44109 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
44110 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
44113 * Extended Numbering
44114 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
44115 #define DT_DEBUG 21
44116 #define DT_TEXTREL 22
44117 #define DT_JMPREL 23
44118 +#define DT_FLAGS 30
44119 + #define DF_TEXTREL 0x00000004
44120 #define DT_ENCODING 32
44121 #define OLD_DT_LOOS 0x60000000
44122 #define DT_LOOS 0x6000000d
44123 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
44127 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
44128 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
44129 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
44130 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
44131 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
44132 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
44133 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
44134 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
44135 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
44136 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
44137 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
44138 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
44140 typedef struct elf32_phdr{
44142 Elf32_Off p_offset;
44143 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
44149 #define ELFMAG0 0x7f /* EI_MAG */
44150 #define ELFMAG1 'E'
44151 #define ELFMAG2 'L'
44152 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
44153 #define elf_note elf32_note
44154 #define elf_addr_t Elf32_Off
44155 #define Elf_Half Elf32_Half
44156 +#define elf_dyn Elf32_Dyn
44160 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
44161 #define elf_note elf64_note
44162 #define elf_addr_t Elf64_Off
44163 #define Elf_Half Elf64_Half
44164 +#define elf_dyn Elf64_Dyn
44168 diff -urNp linux-2.6.35.4/include/linux/fs.h linux-2.6.35.4/include/linux/fs.h
44169 --- linux-2.6.35.4/include/linux/fs.h 2010-08-26 19:47:12.000000000 -0400
44170 +++ linux-2.6.35.4/include/linux/fs.h 2010-09-17 20:12:37.000000000 -0400
44171 @@ -90,6 +90,11 @@ struct inodes_stat_t {
44172 /* Expect random access pattern */
44173 #define FMODE_RANDOM ((__force fmode_t)0x1000)
44175 +/* Hack for grsec so as not to require read permission simply to execute
44178 +#define FMODE_GREXEC ((__force fmode_t)0x2000)
44181 * The below are the various read and write types that we support. Some of
44182 * them include behavioral modifiers that send information down to the
44183 @@ -571,41 +576,41 @@ typedef int (*read_actor_t)(read_descrip
44184 unsigned long, unsigned long);
44186 struct address_space_operations {
44187 - int (*writepage)(struct page *page, struct writeback_control *wbc);
44188 - int (*readpage)(struct file *, struct page *);
44189 - void (*sync_page)(struct page *);
44190 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
44191 + int (* const readpage)(struct file *, struct page *);
44192 + void (* const sync_page)(struct page *);
44194 /* Write back some dirty pages from this mapping. */
44195 - int (*writepages)(struct address_space *, struct writeback_control *);
44196 + int (* const writepages)(struct address_space *, struct writeback_control *);
44198 /* Set a page dirty. Return true if this dirtied it */
44199 - int (*set_page_dirty)(struct page *page);
44200 + int (* const set_page_dirty)(struct page *page);
44202 - int (*readpages)(struct file *filp, struct address_space *mapping,
44203 + int (* const readpages)(struct file *filp, struct address_space *mapping,
44204 struct list_head *pages, unsigned nr_pages);
44206 - int (*write_begin)(struct file *, struct address_space *mapping,
44207 + int (* const write_begin)(struct file *, struct address_space *mapping,
44208 loff_t pos, unsigned len, unsigned flags,
44209 struct page **pagep, void **fsdata);
44210 - int (*write_end)(struct file *, struct address_space *mapping,
44211 + int (* const write_end)(struct file *, struct address_space *mapping,
44212 loff_t pos, unsigned len, unsigned copied,
44213 struct page *page, void *fsdata);
44215 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
44216 - sector_t (*bmap)(struct address_space *, sector_t);
44217 - void (*invalidatepage) (struct page *, unsigned long);
44218 - int (*releasepage) (struct page *, gfp_t);
44219 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
44220 + sector_t (* const bmap)(struct address_space *, sector_t);
44221 + void (* const invalidatepage) (struct page *, unsigned long);
44222 + int (* const releasepage) (struct page *, gfp_t);
44223 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
44224 loff_t offset, unsigned long nr_segs);
44225 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
44226 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
44227 void **, unsigned long *);
44228 /* migrate the contents of a page to the specified target */
44229 - int (*migratepage) (struct address_space *,
44230 + int (* const migratepage) (struct address_space *,
44231 struct page *, struct page *);
44232 - int (*launder_page) (struct page *);
44233 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
44234 + int (* const launder_page) (struct page *);
44235 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
44237 - int (*error_remove_page)(struct address_space *, struct page *);
44238 + int (* const error_remove_page)(struct address_space *, struct page *);
44242 @@ -1035,19 +1040,19 @@ static inline int file_check_writeable(s
44243 typedef struct files_struct *fl_owner_t;
44245 struct file_lock_operations {
44246 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
44247 - void (*fl_release_private)(struct file_lock *);
44248 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
44249 + void (* const fl_release_private)(struct file_lock *);
44252 struct lock_manager_operations {
44253 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
44254 - void (*fl_notify)(struct file_lock *); /* unblock callback */
44255 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
44256 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
44257 - void (*fl_release_private)(struct file_lock *);
44258 - void (*fl_break)(struct file_lock *);
44259 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
44260 - int (*fl_change)(struct file_lock **, int);
44261 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
44262 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
44263 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
44264 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
44265 + void (* const fl_release_private)(struct file_lock *);
44266 + void (* const fl_break)(struct file_lock *);
44267 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
44268 + int (* const fl_change)(struct file_lock **, int);
44271 struct lock_manager {
44272 @@ -1440,7 +1445,7 @@ struct fiemap_extent_info {
44273 unsigned int fi_flags; /* Flags as passed from user */
44274 unsigned int fi_extents_mapped; /* Number of mapped extents */
44275 unsigned int fi_extents_max; /* Size of fiemap_extent array */
44276 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
44277 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
44280 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
44281 diff -urNp linux-2.6.35.4/include/linux/fs_struct.h linux-2.6.35.4/include/linux/fs_struct.h
44282 --- linux-2.6.35.4/include/linux/fs_struct.h 2010-08-26 19:47:12.000000000 -0400
44283 +++ linux-2.6.35.4/include/linux/fs_struct.h 2010-09-17 20:12:09.000000000 -0400
44285 #include <linux/path.h>
44293 diff -urNp linux-2.6.35.4/include/linux/genhd.h linux-2.6.35.4/include/linux/genhd.h
44294 --- linux-2.6.35.4/include/linux/genhd.h 2010-08-26 19:47:12.000000000 -0400
44295 +++ linux-2.6.35.4/include/linux/genhd.h 2010-09-17 20:12:09.000000000 -0400
44296 @@ -162,7 +162,7 @@ struct gendisk {
44298 struct timer_rand_state *random;
44300 - atomic_t sync_io; /* RAID */
44301 + atomic_unchecked_t sync_io; /* RAID */
44302 struct work_struct async_notify;
44303 #ifdef CONFIG_BLK_DEV_INTEGRITY
44304 struct blk_integrity *integrity;
44305 diff -urNp linux-2.6.35.4/include/linux/gracl.h linux-2.6.35.4/include/linux/gracl.h
44306 --- linux-2.6.35.4/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
44307 +++ linux-2.6.35.4/include/linux/gracl.h 2010-09-17 20:12:37.000000000 -0400
44312 +#include <linux/grdefs.h>
44313 +#include <linux/resource.h>
44314 +#include <linux/capability.h>
44315 +#include <linux/dcache.h>
44316 +#include <asm/resource.h>
44318 +/* Major status information */
44320 +#define GR_VERSION "grsecurity 2.2.0"
44321 +#define GRSECURITY_VERSION 0x2200
44332 + GR_SPROLEPAM = 8,
44335 +/* Password setup definitions
44336 + * kernel/grhash.c */
44339 + GR_SALT_LEN = 16,
44344 + GR_SPROLE_LEN = 64,
44347 +#define GR_NLIMITS 32
44349 +/* Begin Data Structures */
44351 +struct sprole_pw {
44352 + unsigned char *rolename;
44353 + unsigned char salt[GR_SALT_LEN];
44354 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
44357 +struct name_entry {
44364 + struct name_entry *prev;
44365 + struct name_entry *next;
44368 +struct inodev_entry {
44369 + struct name_entry *nentry;
44370 + struct inodev_entry *prev;
44371 + struct inodev_entry *next;
44374 +struct acl_role_db {
44375 + struct acl_role_label **r_hash;
44379 +struct inodev_db {
44380 + struct inodev_entry **i_hash;
44385 + struct name_entry **n_hash;
44389 +struct crash_uid {
44391 + unsigned long expires;
44394 +struct gr_hash_struct {
44396 + void **nametable;
44398 + __u32 table_size;
44403 +/* Userspace Grsecurity ACL data structures */
44405 +struct acl_subject_label {
44410 + kernel_cap_t cap_mask;
44411 + kernel_cap_t cap_lower;
44412 + kernel_cap_t cap_invert_audit;
44414 + struct rlimit res[GR_NLIMITS];
44417 + __u8 user_trans_type;
44418 + __u8 group_trans_type;
44419 + uid_t *user_transitions;
44420 + gid_t *group_transitions;
44421 + __u16 user_trans_num;
44422 + __u16 group_trans_num;
44424 + __u32 ip_proto[8];
44426 + struct acl_ip_label **ips;
44428 + __u32 inaddr_any_override;
44431 + unsigned long expires;
44433 + struct acl_subject_label *parent_subject;
44434 + struct gr_hash_struct *hash;
44435 + struct acl_subject_label *prev;
44436 + struct acl_subject_label *next;
44438 + struct acl_object_label **obj_hash;
44439 + __u32 obj_hash_size;
44443 +struct role_allowed_ip {
44447 + struct role_allowed_ip *prev;
44448 + struct role_allowed_ip *next;
44451 +struct role_transition {
44454 + struct role_transition *prev;
44455 + struct role_transition *next;
44458 +struct acl_role_label {
44463 + __u16 auth_attempts;
44464 + unsigned long expires;
44466 + struct acl_subject_label *root_label;
44467 + struct gr_hash_struct *hash;
44469 + struct acl_role_label *prev;
44470 + struct acl_role_label *next;
44472 + struct role_transition *transitions;
44473 + struct role_allowed_ip *allowed_ips;
44474 + uid_t *domain_children;
44475 + __u16 domain_child_num;
44477 + struct acl_subject_label **subj_hash;
44478 + __u32 subj_hash_size;
44481 +struct user_acl_role_db {
44482 + struct acl_role_label **r_table;
44483 + __u32 num_pointers; /* Number of allocations to track */
44484 + __u32 num_roles; /* Number of roles */
44485 + __u32 num_domain_children; /* Number of domain children */
44486 + __u32 num_subjects; /* Number of subjects */
44487 + __u32 num_objects; /* Number of objects */
44490 +struct acl_object_label {
44496 + struct acl_subject_label *nested;
44497 + struct acl_object_label *globbed;
44499 + /* next two structures not used */
44501 + struct acl_object_label *prev;
44502 + struct acl_object_label *next;
44505 +struct acl_ip_label {
44514 + /* next two structures not used */
44516 + struct acl_ip_label *prev;
44517 + struct acl_ip_label *next;
44521 + struct user_acl_role_db role_db;
44522 + unsigned char pw[GR_PW_LEN];
44523 + unsigned char salt[GR_SALT_LEN];
44524 + unsigned char sum[GR_SHA_LEN];
44525 + unsigned char sp_role[GR_SPROLE_LEN];
44526 + struct sprole_pw *sprole_pws;
44527 + dev_t segv_device;
44528 + ino_t segv_inode;
44530 + __u16 num_sprole_pws;
44534 +struct gr_arg_wrapper {
44535 + struct gr_arg *arg;
44540 +struct subject_map {
44541 + struct acl_subject_label *user;
44542 + struct acl_subject_label *kernel;
44543 + struct subject_map *prev;
44544 + struct subject_map *next;
44547 +struct acl_subj_map_db {
44548 + struct subject_map **s_hash;
44552 +/* End Data Structures Section */
44554 +/* Hash functions generated by empirical testing by Brad Spengler
44555 + Makes good use of the low bits of the inode. Generally 0-1 times
44556 + in loop for successful match. 0-3 for unsuccessful match.
44557 + Shift/add algorithm with modulus of table size and an XOR*/
44559 +static __inline__ unsigned int
44560 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
44562 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
44565 + static __inline__ unsigned int
44566 +shash(const struct acl_subject_label *userp, const unsigned int sz)
44568 + return ((const unsigned long)userp % sz);
44571 +static __inline__ unsigned int
44572 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
44574 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
44577 +static __inline__ unsigned int
44578 +nhash(const char *name, const __u16 len, const unsigned int sz)
44580 + return full_name_hash((const unsigned char *)name, len) % sz;
44583 +#define FOR_EACH_ROLE_START(role) \
44584 + role = role_list; \
44587 +#define FOR_EACH_ROLE_END(role) \
44588 + role = role->prev; \
44591 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
44594 + while (iter < role->subj_hash_size) { \
44595 + if (subj == NULL) \
44596 + subj = role->subj_hash[iter]; \
44597 + if (subj == NULL) { \
44602 +#define FOR_EACH_SUBJECT_END(subj,iter) \
44603 + subj = subj->next; \
44604 + if (subj == NULL) \
44609 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
44610 + subj = role->hash->first; \
44611 + while (subj != NULL) {
44613 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
44614 + subj = subj->next; \
44619 diff -urNp linux-2.6.35.4/include/linux/gralloc.h linux-2.6.35.4/include/linux/gralloc.h
44620 --- linux-2.6.35.4/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
44621 +++ linux-2.6.35.4/include/linux/gralloc.h 2010-09-17 20:12:37.000000000 -0400
44623 +#ifndef __GRALLOC_H
44624 +#define __GRALLOC_H
44626 +void acl_free_all(void);
44627 +int acl_alloc_stack_init(unsigned long size);
44628 +void *acl_alloc(unsigned long len);
44629 +void *acl_alloc_num(unsigned long num, unsigned long len);
44632 diff -urNp linux-2.6.35.4/include/linux/grdefs.h linux-2.6.35.4/include/linux/grdefs.h
44633 --- linux-2.6.35.4/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
44634 +++ linux-2.6.35.4/include/linux/grdefs.h 2010-09-17 20:12:37.000000000 -0400
44639 +/* Begin grsecurity status declarations */
44643 + GR_STATUS_INIT = 0x00 // disabled state
44646 +/* Begin ACL declarations */
44651 + GR_ROLE_USER = 0x0001,
44652 + GR_ROLE_GROUP = 0x0002,
44653 + GR_ROLE_DEFAULT = 0x0004,
44654 + GR_ROLE_SPECIAL = 0x0008,
44655 + GR_ROLE_AUTH = 0x0010,
44656 + GR_ROLE_NOPW = 0x0020,
44657 + GR_ROLE_GOD = 0x0040,
44658 + GR_ROLE_LEARN = 0x0080,
44659 + GR_ROLE_TPE = 0x0100,
44660 + GR_ROLE_DOMAIN = 0x0200,
44661 + GR_ROLE_PAM = 0x0400
44664 +/* ACL Subject and Object mode flags */
44666 + GR_DELETED = 0x80000000
44669 +/* ACL Object-only mode flags */
44671 + GR_READ = 0x00000001,
44672 + GR_APPEND = 0x00000002,
44673 + GR_WRITE = 0x00000004,
44674 + GR_EXEC = 0x00000008,
44675 + GR_FIND = 0x00000010,
44676 + GR_INHERIT = 0x00000020,
44677 + GR_SETID = 0x00000040,
44678 + GR_CREATE = 0x00000080,
44679 + GR_DELETE = 0x00000100,
44680 + GR_LINK = 0x00000200,
44681 + GR_AUDIT_READ = 0x00000400,
44682 + GR_AUDIT_APPEND = 0x00000800,
44683 + GR_AUDIT_WRITE = 0x00001000,
44684 + GR_AUDIT_EXEC = 0x00002000,
44685 + GR_AUDIT_FIND = 0x00004000,
44686 + GR_AUDIT_INHERIT= 0x00008000,
44687 + GR_AUDIT_SETID = 0x00010000,
44688 + GR_AUDIT_CREATE = 0x00020000,
44689 + GR_AUDIT_DELETE = 0x00040000,
44690 + GR_AUDIT_LINK = 0x00080000,
44691 + GR_PTRACERD = 0x00100000,
44692 + GR_NOPTRACE = 0x00200000,
44693 + GR_SUPPRESS = 0x00400000,
44694 + GR_NOLEARN = 0x00800000
44697 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
44698 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
44699 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
44701 +/* ACL subject-only mode flags */
44703 + GR_KILL = 0x00000001,
44704 + GR_VIEW = 0x00000002,
44705 + GR_PROTECTED = 0x00000004,
44706 + GR_LEARN = 0x00000008,
44707 + GR_OVERRIDE = 0x00000010,
44708 + /* just a placeholder, this mode is only used in userspace */
44709 + GR_DUMMY = 0x00000020,
44710 + GR_PROTSHM = 0x00000040,
44711 + GR_KILLPROC = 0x00000080,
44712 + GR_KILLIPPROC = 0x00000100,
44713 + /* just a placeholder, this mode is only used in userspace */
44714 + GR_NOTROJAN = 0x00000200,
44715 + GR_PROTPROCFD = 0x00000400,
44716 + GR_PROCACCT = 0x00000800,
44717 + GR_RELAXPTRACE = 0x00001000,
44718 + GR_NESTED = 0x00002000,
44719 + GR_INHERITLEARN = 0x00004000,
44720 + GR_PROCFIND = 0x00008000,
44721 + GR_POVERRIDE = 0x00010000,
44722 + GR_KERNELAUTH = 0x00020000,
44726 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
44727 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
44728 + GR_PAX_ENABLE_MPROTECT = 0x0004,
44729 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
44730 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
44731 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
44732 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
44733 + GR_PAX_DISABLE_MPROTECT = 0x0400,
44734 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
44735 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
44739 + GR_ID_USER = 0x01,
44740 + GR_ID_GROUP = 0x02,
44744 + GR_ID_ALLOW = 0x01,
44745 + GR_ID_DENY = 0x02,
44748 +#define GR_CRASH_RES 31
44749 +#define GR_UIDTABLE_MAX 500
44751 +/* begin resource learning section */
44753 + GR_RLIM_CPU_BUMP = 60,
44754 + GR_RLIM_FSIZE_BUMP = 50000,
44755 + GR_RLIM_DATA_BUMP = 10000,
44756 + GR_RLIM_STACK_BUMP = 1000,
44757 + GR_RLIM_CORE_BUMP = 10000,
44758 + GR_RLIM_RSS_BUMP = 500000,
44759 + GR_RLIM_NPROC_BUMP = 1,
44760 + GR_RLIM_NOFILE_BUMP = 5,
44761 + GR_RLIM_MEMLOCK_BUMP = 50000,
44762 + GR_RLIM_AS_BUMP = 500000,
44763 + GR_RLIM_LOCKS_BUMP = 2,
44764 + GR_RLIM_SIGPENDING_BUMP = 5,
44765 + GR_RLIM_MSGQUEUE_BUMP = 10000,
44766 + GR_RLIM_NICE_BUMP = 1,
44767 + GR_RLIM_RTPRIO_BUMP = 1,
44768 + GR_RLIM_RTTIME_BUMP = 1000000
44772 diff -urNp linux-2.6.35.4/include/linux/grinternal.h linux-2.6.35.4/include/linux/grinternal.h
44773 --- linux-2.6.35.4/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
44774 +++ linux-2.6.35.4/include/linux/grinternal.h 2010-09-17 20:12:37.000000000 -0400
44776 +#ifndef __GRINTERNAL_H
44777 +#define __GRINTERNAL_H
44779 +#ifdef CONFIG_GRKERNSEC
44781 +#include <linux/fs.h>
44782 +#include <linux/mnt_namespace.h>
44783 +#include <linux/nsproxy.h>
44784 +#include <linux/gracl.h>
44785 +#include <linux/grdefs.h>
44786 +#include <linux/grmsg.h>
44788 +void gr_add_learn_entry(const char *fmt, ...)
44789 + __attribute__ ((format (printf, 1, 2)));
44790 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
44791 + const struct vfsmount *mnt);
44792 +__u32 gr_check_create(const struct dentry *new_dentry,
44793 + const struct dentry *parent,
44794 + const struct vfsmount *mnt, const __u32 mode);
44795 +int gr_check_protected_task(const struct task_struct *task);
44796 +__u32 to_gr_audit(const __u32 reqmode);
44797 +int gr_set_acls(const int type);
44799 +int gr_acl_is_enabled(void);
44800 +char gr_roletype_to_char(void);
44802 +void gr_handle_alertkill(struct task_struct *task);
44803 +char *gr_to_filename(const struct dentry *dentry,
44804 + const struct vfsmount *mnt);
44805 +char *gr_to_filename1(const struct dentry *dentry,
44806 + const struct vfsmount *mnt);
44807 +char *gr_to_filename2(const struct dentry *dentry,
44808 + const struct vfsmount *mnt);
44809 +char *gr_to_filename3(const struct dentry *dentry,
44810 + const struct vfsmount *mnt);
44812 +extern int grsec_enable_harden_ptrace;
44813 +extern int grsec_enable_link;
44814 +extern int grsec_enable_fifo;
44815 +extern int grsec_enable_execve;
44816 +extern int grsec_enable_shm;
44817 +extern int grsec_enable_execlog;
44818 +extern int grsec_enable_signal;
44819 +extern int grsec_enable_audit_ptrace;
44820 +extern int grsec_enable_forkfail;
44821 +extern int grsec_enable_time;
44822 +extern int grsec_enable_rofs;
44823 +extern int grsec_enable_chroot_shmat;
44824 +extern int grsec_enable_chroot_findtask;
44825 +extern int grsec_enable_chroot_mount;
44826 +extern int grsec_enable_chroot_double;
44827 +extern int grsec_enable_chroot_pivot;
44828 +extern int grsec_enable_chroot_chdir;
44829 +extern int grsec_enable_chroot_chmod;
44830 +extern int grsec_enable_chroot_mknod;
44831 +extern int grsec_enable_chroot_fchdir;
44832 +extern int grsec_enable_chroot_nice;
44833 +extern int grsec_enable_chroot_execlog;
44834 +extern int grsec_enable_chroot_caps;
44835 +extern int grsec_enable_chroot_sysctl;
44836 +extern int grsec_enable_chroot_unix;
44837 +extern int grsec_enable_tpe;
44838 +extern int grsec_tpe_gid;
44839 +extern int grsec_enable_tpe_all;
44840 +extern int grsec_enable_tpe_invert;
44841 +extern int grsec_enable_socket_all;
44842 +extern int grsec_socket_all_gid;
44843 +extern int grsec_enable_socket_client;
44844 +extern int grsec_socket_client_gid;
44845 +extern int grsec_enable_socket_server;
44846 +extern int grsec_socket_server_gid;
44847 +extern int grsec_audit_gid;
44848 +extern int grsec_enable_group;
44849 +extern int grsec_enable_audit_textrel;
44850 +extern int grsec_enable_mount;
44851 +extern int grsec_enable_chdir;
44852 +extern int grsec_resource_logging;
44853 +extern int grsec_enable_blackhole;
44854 +extern int grsec_lastack_retries;
44855 +extern int grsec_lock;
44857 +extern spinlock_t grsec_alert_lock;
44858 +extern unsigned long grsec_alert_wtime;
44859 +extern unsigned long grsec_alert_fyet;
44861 +extern spinlock_t grsec_audit_lock;
44863 +extern rwlock_t grsec_exec_file_lock;
44865 +#define gr_task_fullpath(tsk) (tsk->exec_file ? \
44866 + gr_to_filename2(tsk->exec_file->f_path.dentry, \
44867 + tsk->exec_file->f_vfsmnt) : "/")
44869 +#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
44870 + gr_to_filename3(tsk->parent->exec_file->f_path.dentry, \
44871 + tsk->parent->exec_file->f_vfsmnt) : "/")
44873 +#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
44874 + gr_to_filename(tsk->exec_file->f_path.dentry, \
44875 + tsk->exec_file->f_vfsmnt) : "/")
44877 +#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
44878 + gr_to_filename1(tsk->parent->exec_file->f_path.dentry, \
44879 + tsk->parent->exec_file->f_vfsmnt) : "/")
44881 +#define proc_is_chrooted(tsk_a) (tsk_a->gr_is_chrooted)
44883 +#define have_same_root(tsk_a,tsk_b) (tsk_a->gr_chroot_dentry == tsk_b->gr_chroot_dentry)
44885 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), task->comm, \
44886 + task->pid, cred->uid, \
44887 + cred->euid, cred->gid, cred->egid, \
44888 + gr_parent_task_fullpath(task), \
44889 + task->parent->comm, task->parent->pid, \
44890 + pcred->uid, pcred->euid, \
44891 + pcred->gid, pcred->egid
44893 +#define GR_CHROOT_CAPS {{ \
44894 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
44895 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
44896 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
44897 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
44898 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
44899 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
44901 +#define security_learn(normal_msg,args...) \
44903 + read_lock(&grsec_exec_file_lock); \
44904 + gr_add_learn_entry(normal_msg "\n", ## args); \
44905 + read_unlock(&grsec_exec_file_lock); \
44911 + GR_DONT_AUDIT_GOOD
44922 + GR_SYSCTL_HIDDEN,
44925 + GR_ONE_INT_TWO_STR,
44930 + GR_FIVE_INT_TWO_STR,
44936 + GR_FILENAME_TWO_INT,
44937 + GR_FILENAME_TWO_INT_STR,
44949 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
44950 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
44951 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
44952 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
44953 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
44954 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
44955 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
44956 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
44957 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
44958 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
44959 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
44960 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
44961 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
44962 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
44963 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
44964 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
44965 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
44966 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
44967 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
44968 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
44969 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
44970 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
44971 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
44972 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
44973 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
44974 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
44975 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
44976 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
44977 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
44978 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
44979 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
44980 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
44982 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
44987 diff -urNp linux-2.6.35.4/include/linux/grmsg.h linux-2.6.35.4/include/linux/grmsg.h
44988 --- linux-2.6.35.4/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
44989 +++ linux-2.6.35.4/include/linux/grmsg.h 2010-09-17 20:12:37.000000000 -0400
44991 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
44992 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
44993 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
44994 +#define GR_STOPMOD_MSG "denied modification of module state by "
44995 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
44996 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
44997 +#define GR_IOPERM_MSG "denied use of ioperm() by "
44998 +#define GR_IOPL_MSG "denied use of iopl() by "
44999 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
45000 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
45001 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
45002 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
45003 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
45004 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
45005 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
45006 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
45007 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
45008 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
45009 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
45010 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
45011 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
45012 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
45013 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
45014 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
45015 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
45016 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
45017 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
45018 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
45019 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
45020 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
45021 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
45022 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
45023 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
45024 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
45025 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
45026 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
45027 +#define GR_NPROC_MSG "denied overstep of process limit by "
45028 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
45029 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
45030 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
45031 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
45032 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
45033 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
45034 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
45035 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
45036 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
45037 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
45038 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
45039 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
45040 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
45041 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
45042 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
45043 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
45044 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
45045 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
45046 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
45047 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
45048 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
45049 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
45050 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
45051 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
45052 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
45053 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
45054 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
45055 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
45056 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
45057 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
45058 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
45059 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
45060 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
45061 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
45062 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
45063 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
45064 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
45065 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
45066 +#define GR_FAILFORK_MSG "failed fork with errno %d by "
45067 +#define GR_NICE_CHROOT_MSG "denied priority change by "
45068 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
45069 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
45070 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
45071 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
45072 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
45073 +#define GR_TIME_MSG "time set by "
45074 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
45075 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
45076 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
45077 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
45078 +#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
45079 +#define GR_BIND_MSG "denied bind() by "
45080 +#define GR_CONNECT_MSG "denied connect() by "
45081 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
45082 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
45083 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
45084 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
45085 +#define GR_CAP_ACL_MSG "use of %s denied for "
45086 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
45087 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
45088 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
45089 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
45090 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
45091 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
45092 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
45093 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
45094 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
45095 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
45096 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
45097 +#define GR_VM86_MSG "denied use of vm86 by "
45098 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
45099 diff -urNp linux-2.6.35.4/include/linux/grsecurity.h linux-2.6.35.4/include/linux/grsecurity.h
45100 --- linux-2.6.35.4/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
45101 +++ linux-2.6.35.4/include/linux/grsecurity.h 2010-09-17 20:12:37.000000000 -0400
45103 +#ifndef GR_SECURITY_H
45104 +#define GR_SECURITY_H
45105 +#include <linux/fs.h>
45106 +#include <linux/fs_struct.h>
45107 +#include <linux/binfmts.h>
45108 +#include <linux/gracl.h>
45110 +/* notify of brain-dead configs */
45111 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
45112 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
45114 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
45115 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
45117 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
45118 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
45120 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
45121 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
45123 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
45124 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
45127 +void gr_handle_brute_attach(struct task_struct *p);
45128 +void gr_handle_brute_check(void);
45130 +char gr_roletype_to_char(void);
45132 +int gr_check_user_change(int real, int effective, int fs);
45133 +int gr_check_group_change(int real, int effective, int fs);
45135 +void gr_del_task_from_ip_table(struct task_struct *p);
45137 +int gr_pid_is_chrooted(struct task_struct *p);
45138 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
45139 +int gr_handle_chroot_nice(void);
45140 +int gr_handle_chroot_sysctl(const int op);
45141 +int gr_handle_chroot_setpriority(struct task_struct *p,
45142 + const int niceval);
45143 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
45144 +int gr_handle_chroot_chroot(const struct dentry *dentry,
45145 + const struct vfsmount *mnt);
45146 +int gr_handle_chroot_caps(struct path *path);
45147 +void gr_handle_chroot_chdir(struct path *path);
45148 +int gr_handle_chroot_chmod(const struct dentry *dentry,
45149 + const struct vfsmount *mnt, const int mode);
45150 +int gr_handle_chroot_mknod(const struct dentry *dentry,
45151 + const struct vfsmount *mnt, const int mode);
45152 +int gr_handle_chroot_mount(const struct dentry *dentry,
45153 + const struct vfsmount *mnt,
45154 + const char *dev_name);
45155 +int gr_handle_chroot_pivot(void);
45156 +int gr_handle_chroot_unix(const pid_t pid);
45158 +int gr_handle_rawio(const struct inode *inode);
45159 +int gr_handle_nproc(void);
45161 +void gr_handle_ioperm(void);
45162 +void gr_handle_iopl(void);
45164 +int gr_tpe_allow(const struct file *file);
45166 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
45167 +void gr_clear_chroot_entries(struct task_struct *task);
45169 +void gr_log_forkfail(const int retval);
45170 +void gr_log_timechange(void);
45171 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
45172 +void gr_log_chdir(const struct dentry *dentry,
45173 + const struct vfsmount *mnt);
45174 +void gr_log_chroot_exec(const struct dentry *dentry,
45175 + const struct vfsmount *mnt);
45176 +void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
45177 +void gr_log_remount(const char *devname, const int retval);
45178 +void gr_log_unmount(const char *devname, const int retval);
45179 +void gr_log_mount(const char *from, const char *to, const int retval);
45180 +void gr_log_textrel(struct vm_area_struct *vma);
45182 +int gr_handle_follow_link(const struct inode *parent,
45183 + const struct inode *inode,
45184 + const struct dentry *dentry,
45185 + const struct vfsmount *mnt);
45186 +int gr_handle_fifo(const struct dentry *dentry,
45187 + const struct vfsmount *mnt,
45188 + const struct dentry *dir, const int flag,
45189 + const int acc_mode);
45190 +int gr_handle_hardlink(const struct dentry *dentry,
45191 + const struct vfsmount *mnt,
45192 + struct inode *inode,
45193 + const int mode, const char *to);
45195 +int gr_is_capable(const int cap);
45196 +int gr_is_capable_nolog(const int cap);
45197 +void gr_learn_resource(const struct task_struct *task, const int limit,
45198 + const unsigned long wanted, const int gt);
45199 +void gr_copy_label(struct task_struct *tsk);
45200 +void gr_handle_crash(struct task_struct *task, const int sig);
45201 +int gr_handle_signal(const struct task_struct *p, const int sig);
45202 +int gr_check_crash_uid(const uid_t uid);
45203 +int gr_check_protected_task(const struct task_struct *task);
45204 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
45205 +int gr_acl_handle_mmap(const struct file *file,
45206 + const unsigned long prot);
45207 +int gr_acl_handle_mprotect(const struct file *file,
45208 + const unsigned long prot);
45209 +int gr_check_hidden_task(const struct task_struct *tsk);
45210 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
45211 + const struct vfsmount *mnt);
45212 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
45213 + const struct vfsmount *mnt);
45214 +__u32 gr_acl_handle_access(const struct dentry *dentry,
45215 + const struct vfsmount *mnt, const int fmode);
45216 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
45217 + const struct vfsmount *mnt, mode_t mode);
45218 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
45219 + const struct vfsmount *mnt, mode_t mode);
45220 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
45221 + const struct vfsmount *mnt);
45222 +int gr_handle_ptrace(struct task_struct *task, const long request);
45223 +int gr_handle_proc_ptrace(struct task_struct *task);
45224 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
45225 + const struct vfsmount *mnt);
45226 +int gr_check_crash_exec(const struct file *filp);
45227 +int gr_acl_is_enabled(void);
45228 +void gr_set_kernel_label(struct task_struct *task);
45229 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
45230 + const gid_t gid);
45231 +int gr_set_proc_label(const struct dentry *dentry,
45232 + const struct vfsmount *mnt,
45233 + const int unsafe_share);
45234 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
45235 + const struct vfsmount *mnt);
45236 +__u32 gr_acl_handle_open(const struct dentry *dentry,
45237 + const struct vfsmount *mnt, const int fmode);
45238 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
45239 + const struct dentry *p_dentry,
45240 + const struct vfsmount *p_mnt, const int fmode,
45241 + const int imode);
45242 +void gr_handle_create(const struct dentry *dentry,
45243 + const struct vfsmount *mnt);
45244 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
45245 + const struct dentry *parent_dentry,
45246 + const struct vfsmount *parent_mnt,
45248 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
45249 + const struct dentry *parent_dentry,
45250 + const struct vfsmount *parent_mnt);
45251 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
45252 + const struct vfsmount *mnt);
45253 +void gr_handle_delete(const ino_t ino, const dev_t dev);
45254 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
45255 + const struct vfsmount *mnt);
45256 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
45257 + const struct dentry *parent_dentry,
45258 + const struct vfsmount *parent_mnt,
45259 + const char *from);
45260 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
45261 + const struct dentry *parent_dentry,
45262 + const struct vfsmount *parent_mnt,
45263 + const struct dentry *old_dentry,
45264 + const struct vfsmount *old_mnt, const char *to);
45265 +int gr_acl_handle_rename(struct dentry *new_dentry,
45266 + struct dentry *parent_dentry,
45267 + const struct vfsmount *parent_mnt,
45268 + struct dentry *old_dentry,
45269 + struct inode *old_parent_inode,
45270 + struct vfsmount *old_mnt, const char *newname);
45271 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
45272 + struct dentry *old_dentry,
45273 + struct dentry *new_dentry,
45274 + struct vfsmount *mnt, const __u8 replace);
45275 +__u32 gr_check_link(const struct dentry *new_dentry,
45276 + const struct dentry *parent_dentry,
45277 + const struct vfsmount *parent_mnt,
45278 + const struct dentry *old_dentry,
45279 + const struct vfsmount *old_mnt);
45280 +int gr_acl_handle_filldir(const struct file *file, const char *name,
45281 + const unsigned int namelen, const ino_t ino);
45283 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
45284 + const struct vfsmount *mnt);
45285 +void gr_acl_handle_exit(void);
45286 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
45287 +int gr_acl_handle_procpidmem(const struct task_struct *task);
45288 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
45289 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
45290 +void gr_audit_ptrace(struct task_struct *task);
45292 +#ifdef CONFIG_GRKERNSEC
45293 +void gr_log_nonroot_mod_load(const char *modname);
45294 +void gr_handle_vm86(void);
45295 +void gr_handle_mem_write(void);
45296 +void gr_handle_kmem_write(void);
45297 +void gr_handle_open_port(void);
45298 +int gr_handle_mem_mmap(const unsigned long offset,
45299 + struct vm_area_struct *vma);
45301 +extern int grsec_enable_dmesg;
45302 +extern int grsec_disable_privio;
45306 diff -urNp linux-2.6.35.4/include/linux/grsock.h linux-2.6.35.4/include/linux/grsock.h
45307 --- linux-2.6.35.4/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
45308 +++ linux-2.6.35.4/include/linux/grsock.h 2010-09-17 20:12:37.000000000 -0400
45310 +#ifndef __GRSOCK_H
45311 +#define __GRSOCK_H
45313 +extern void gr_attach_curr_ip(const struct sock *sk);
45314 +extern int gr_handle_sock_all(const int family, const int type,
45315 + const int protocol);
45316 +extern int gr_handle_sock_server(const struct sockaddr *sck);
45317 +extern int gr_handle_sock_server_other(const struct sock *sck);
45318 +extern int gr_handle_sock_client(const struct sockaddr *sck);
45319 +extern int gr_search_connect(struct socket * sock,
45320 + struct sockaddr_in * addr);
45321 +extern int gr_search_bind(struct socket * sock,
45322 + struct sockaddr_in * addr);
45323 +extern int gr_search_listen(struct socket * sock);
45324 +extern int gr_search_accept(struct socket * sock);
45325 +extern int gr_search_socket(const int domain, const int type,
45326 + const int protocol);
45329 diff -urNp linux-2.6.35.4/include/linux/highmem.h linux-2.6.35.4/include/linux/highmem.h
45330 --- linux-2.6.35.4/include/linux/highmem.h 2010-08-26 19:47:12.000000000 -0400
45331 +++ linux-2.6.35.4/include/linux/highmem.h 2010-09-17 20:12:09.000000000 -0400
45332 @@ -143,6 +143,18 @@ static inline void clear_highpage(struct
45333 kunmap_atomic(kaddr, KM_USER0);
45336 +static inline void sanitize_highpage(struct page *page)
45339 + unsigned long flags;
45341 + local_irq_save(flags);
45342 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
45343 + clear_page(kaddr);
45344 + kunmap_atomic(kaddr, KM_CLEARPAGE);
45345 + local_irq_restore(flags);
45348 static inline void zero_user_segments(struct page *page,
45349 unsigned start1, unsigned end1,
45350 unsigned start2, unsigned end2)
45351 diff -urNp linux-2.6.35.4/include/linux/interrupt.h linux-2.6.35.4/include/linux/interrupt.h
45352 --- linux-2.6.35.4/include/linux/interrupt.h 2010-08-26 19:47:12.000000000 -0400
45353 +++ linux-2.6.35.4/include/linux/interrupt.h 2010-09-17 20:12:09.000000000 -0400
45354 @@ -392,7 +392,7 @@ enum
45355 /* map softirq index to softirq name. update 'softirq_to_name' in
45356 * kernel/softirq.c when adding a new softirq.
45358 -extern char *softirq_to_name[NR_SOFTIRQS];
45359 +extern const char * const softirq_to_name[NR_SOFTIRQS];
45361 /* softirq mask and active fields moved to irq_cpustat_t in
45362 * asm/hardirq.h to get better cache usage. KAO
45363 @@ -400,12 +400,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
45365 struct softirq_action
45367 - void (*action)(struct softirq_action *);
45368 + void (*action)(void);
45371 asmlinkage void do_softirq(void);
45372 asmlinkage void __do_softirq(void);
45373 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
45374 +extern void open_softirq(int nr, void (*action)(void));
45375 extern void softirq_init(void);
45376 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
45377 extern void raise_softirq_irqoff(unsigned int nr);
45378 diff -urNp linux-2.6.35.4/include/linux/jbd2.h linux-2.6.35.4/include/linux/jbd2.h
45379 --- linux-2.6.35.4/include/linux/jbd2.h 2010-08-26 19:47:12.000000000 -0400
45380 +++ linux-2.6.35.4/include/linux/jbd2.h 2010-09-17 20:12:09.000000000 -0400
45381 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
45385 -#define jbd_debug(f, a...) /**/
45386 +#define jbd_debug(f, a...) do {} while (0)
45389 extern void *jbd2_alloc(size_t size, gfp_t flags);
45390 diff -urNp linux-2.6.35.4/include/linux/jbd.h linux-2.6.35.4/include/linux/jbd.h
45391 --- linux-2.6.35.4/include/linux/jbd.h 2010-08-26 19:47:12.000000000 -0400
45392 +++ linux-2.6.35.4/include/linux/jbd.h 2010-09-17 20:12:09.000000000 -0400
45393 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
45397 -#define jbd_debug(f, a...) /**/
45398 +#define jbd_debug(f, a...) do {} while (0)
45401 static inline void *jbd_alloc(size_t size, gfp_t flags)
45402 diff -urNp linux-2.6.35.4/include/linux/kallsyms.h linux-2.6.35.4/include/linux/kallsyms.h
45403 --- linux-2.6.35.4/include/linux/kallsyms.h 2010-08-26 19:47:12.000000000 -0400
45404 +++ linux-2.6.35.4/include/linux/kallsyms.h 2010-09-17 20:12:37.000000000 -0400
45409 -#ifdef CONFIG_KALLSYMS
45410 +#ifndef __INCLUDED_BY_HIDESYM
45411 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45412 /* Lookup the address for a symbol. Returns 0 if not found. */
45413 unsigned long kallsyms_lookup_name(const char *name);
45415 @@ -92,6 +93,9 @@ static inline int lookup_symbol_attrs(un
45416 /* Stupid that this does nothing, but I didn't create this mess. */
45417 #define __print_symbol(fmt, addr)
45418 #endif /*CONFIG_KALLSYMS*/
45419 +#else /* when included by kallsyms.c, with HIDESYM enabled */
45420 +extern void __print_symbol(const char *fmt, unsigned long address);
45423 /* This macro allows us to keep printk typechecking */
45424 static void __check_printsym_format(const char *fmt, ...)
45425 diff -urNp linux-2.6.35.4/include/linux/kgdb.h linux-2.6.35.4/include/linux/kgdb.h
45426 --- linux-2.6.35.4/include/linux/kgdb.h 2010-08-26 19:47:12.000000000 -0400
45427 +++ linux-2.6.35.4/include/linux/kgdb.h 2010-09-17 20:12:09.000000000 -0400
45428 @@ -263,22 +263,22 @@ struct kgdb_arch {
45432 - int (*read_char) (void);
45433 - void (*write_char) (u8);
45434 - void (*flush) (void);
45435 - int (*init) (void);
45436 - void (*pre_exception) (void);
45437 - void (*post_exception) (void);
45438 + int (* const read_char) (void);
45439 + void (* const write_char) (u8);
45440 + void (* const flush) (void);
45441 + int (* const init) (void);
45442 + void (* const pre_exception) (void);
45443 + void (* const post_exception) (void);
45447 -extern struct kgdb_arch arch_kgdb_ops;
45448 +extern const struct kgdb_arch arch_kgdb_ops;
45450 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
45452 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
45453 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
45454 -extern struct kgdb_io *dbg_io_ops;
45455 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
45456 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
45457 +extern const struct kgdb_io *dbg_io_ops;
45459 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
45460 extern int kgdb_mem2hex(char *mem, char *buf, int count);
45461 diff -urNp linux-2.6.35.4/include/linux/kvm_host.h linux-2.6.35.4/include/linux/kvm_host.h
45462 --- linux-2.6.35.4/include/linux/kvm_host.h 2010-08-26 19:47:12.000000000 -0400
45463 +++ linux-2.6.35.4/include/linux/kvm_host.h 2010-09-17 20:12:09.000000000 -0400
45464 @@ -243,7 +243,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
45465 void vcpu_load(struct kvm_vcpu *vcpu);
45466 void vcpu_put(struct kvm_vcpu *vcpu);
45468 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
45469 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
45470 struct module *module);
45471 void kvm_exit(void);
45473 @@ -367,7 +367,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
45474 struct kvm_guest_debug *dbg);
45475 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
45477 -int kvm_arch_init(void *opaque);
45478 +int kvm_arch_init(const void *opaque);
45479 void kvm_arch_exit(void);
45481 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
45482 diff -urNp linux-2.6.35.4/include/linux/libata.h linux-2.6.35.4/include/linux/libata.h
45483 --- linux-2.6.35.4/include/linux/libata.h 2010-08-26 19:47:12.000000000 -0400
45484 +++ linux-2.6.35.4/include/linux/libata.h 2010-09-17 20:12:09.000000000 -0400
45485 @@ -64,11 +64,11 @@
45486 #ifdef ATA_VERBOSE_DEBUG
45487 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
45489 -#define VPRINTK(fmt, args...)
45490 +#define VPRINTK(fmt, args...) do {} while (0)
45491 #endif /* ATA_VERBOSE_DEBUG */
45493 -#define DPRINTK(fmt, args...)
45494 -#define VPRINTK(fmt, args...)
45495 +#define DPRINTK(fmt, args...) do {} while (0)
45496 +#define VPRINTK(fmt, args...) do {} while (0)
45497 #endif /* ATA_DEBUG */
45499 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
45500 @@ -523,11 +523,11 @@ struct ata_ioports {
45504 - struct device *dev;
45505 + struct device *dev;
45506 void __iomem * const *iomap;
45507 unsigned int n_ports;
45508 void *private_data;
45509 - struct ata_port_operations *ops;
45510 + const struct ata_port_operations *ops;
45511 unsigned long flags;
45512 #ifdef CONFIG_ATA_ACPI
45513 acpi_handle acpi_handle;
45514 @@ -709,7 +709,7 @@ struct ata_link {
45517 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
45518 - struct ata_port_operations *ops;
45519 + const struct ata_port_operations *ops;
45521 /* Flags owned by the EH context. Only EH should touch these once the
45523 @@ -894,7 +894,7 @@ struct ata_port_info {
45524 unsigned long pio_mask;
45525 unsigned long mwdma_mask;
45526 unsigned long udma_mask;
45527 - struct ata_port_operations *port_ops;
45528 + const struct ata_port_operations *port_ops;
45529 void *private_data;
45532 @@ -918,7 +918,7 @@ extern const unsigned long sata_deb_timi
45533 extern const unsigned long sata_deb_timing_hotplug[];
45534 extern const unsigned long sata_deb_timing_long[];
45536 -extern struct ata_port_operations ata_dummy_port_ops;
45537 +extern const struct ata_port_operations ata_dummy_port_ops;
45538 extern const struct ata_port_info ata_dummy_port_info;
45540 static inline const unsigned long *
45541 @@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
45542 struct scsi_host_template *sht);
45543 extern void ata_host_detach(struct ata_host *host);
45544 extern void ata_host_init(struct ata_host *, struct device *,
45545 - unsigned long, struct ata_port_operations *);
45546 + unsigned long, const struct ata_port_operations *);
45547 extern int ata_scsi_detect(struct scsi_host_template *sht);
45548 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
45549 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
45550 diff -urNp linux-2.6.35.4/include/linux/lockd/bind.h linux-2.6.35.4/include/linux/lockd/bind.h
45551 --- linux-2.6.35.4/include/linux/lockd/bind.h 2010-08-26 19:47:12.000000000 -0400
45552 +++ linux-2.6.35.4/include/linux/lockd/bind.h 2010-09-17 20:12:09.000000000 -0400
45553 @@ -23,13 +23,13 @@ struct svc_rqst;
45554 * This is the set of functions for lockd->nfsd communication
45556 struct nlmsvc_binding {
45557 - __be32 (*fopen)(struct svc_rqst *,
45558 + __be32 (* const fopen)(struct svc_rqst *,
45561 - void (*fclose)(struct file *);
45562 + void (* const fclose)(struct file *);
45565 -extern struct nlmsvc_binding * nlmsvc_ops;
45566 +extern const struct nlmsvc_binding * nlmsvc_ops;
45569 * Similar to nfs_client_initdata, but without the NFS-specific
45570 diff -urNp linux-2.6.35.4/include/linux/mm.h linux-2.6.35.4/include/linux/mm.h
45571 --- linux-2.6.35.4/include/linux/mm.h 2010-08-26 19:47:12.000000000 -0400
45572 +++ linux-2.6.35.4/include/linux/mm.h 2010-09-17 20:12:09.000000000 -0400
45573 @@ -103,7 +103,14 @@ extern unsigned int kobjsize(const void
45575 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
45576 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
45578 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
45579 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
45580 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
45582 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
45585 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
45586 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
45588 @@ -1010,6 +1017,8 @@ struct shrinker {
45589 extern void register_shrinker(struct shrinker *);
45590 extern void unregister_shrinker(struct shrinker *);
45592 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
45594 int vma_wants_writenotify(struct vm_area_struct *vma);
45596 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
45597 @@ -1286,6 +1295,7 @@ out:
45600 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
45601 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
45603 extern unsigned long do_brk(unsigned long, unsigned long);
45605 @@ -1340,6 +1350,10 @@ extern struct vm_area_struct * find_vma(
45606 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
45607 struct vm_area_struct **pprev);
45609 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
45610 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
45611 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
45613 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
45614 NULL if none. Assume start_addr < end_addr. */
45615 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
45616 @@ -1356,7 +1370,6 @@ static inline unsigned long vma_pages(st
45617 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
45620 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
45621 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
45622 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
45623 unsigned long pfn, unsigned long size, pgprot_t);
45624 @@ -1463,10 +1476,16 @@ extern int unpoison_memory(unsigned long
45625 extern int sysctl_memory_failure_early_kill;
45626 extern int sysctl_memory_failure_recovery;
45627 extern void shake_page(struct page *p, int access);
45628 -extern atomic_long_t mce_bad_pages;
45629 +extern atomic_long_unchecked_t mce_bad_pages;
45630 extern int soft_offline_page(struct page *page, int flags);
45632 extern void dump_page(struct page *page);
45634 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
45635 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
45637 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
45640 #endif /* __KERNEL__ */
45641 #endif /* _LINUX_MM_H */
45642 diff -urNp linux-2.6.35.4/include/linux/mm_types.h linux-2.6.35.4/include/linux/mm_types.h
45643 --- linux-2.6.35.4/include/linux/mm_types.h 2010-08-26 19:47:12.000000000 -0400
45644 +++ linux-2.6.35.4/include/linux/mm_types.h 2010-09-17 20:12:09.000000000 -0400
45645 @@ -183,6 +183,8 @@ struct vm_area_struct {
45647 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
45650 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
45653 struct core_thread {
45654 @@ -310,6 +312,24 @@ struct mm_struct {
45655 #ifdef CONFIG_MMU_NOTIFIER
45656 struct mmu_notifier_mm *mmu_notifier_mm;
45659 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45660 + unsigned long pax_flags;
45663 +#ifdef CONFIG_PAX_DLRESOLVE
45664 + unsigned long call_dl_resolve;
45667 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
45668 + unsigned long call_syscall;
45671 +#ifdef CONFIG_PAX_ASLR
45672 + unsigned long delta_mmap; /* randomized offset */
45673 + unsigned long delta_stack; /* randomized offset */
45678 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
45679 diff -urNp linux-2.6.35.4/include/linux/mmu_notifier.h linux-2.6.35.4/include/linux/mmu_notifier.h
45680 --- linux-2.6.35.4/include/linux/mmu_notifier.h 2010-08-26 19:47:12.000000000 -0400
45681 +++ linux-2.6.35.4/include/linux/mmu_notifier.h 2010-09-17 20:12:09.000000000 -0400
45682 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
45684 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
45688 struct vm_area_struct *___vma = __vma; \
45689 unsigned long ___address = __address; \
45690 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
45691 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
45692 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
45697 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
45698 diff -urNp linux-2.6.35.4/include/linux/mmzone.h linux-2.6.35.4/include/linux/mmzone.h
45699 --- linux-2.6.35.4/include/linux/mmzone.h 2010-08-26 19:47:12.000000000 -0400
45700 +++ linux-2.6.35.4/include/linux/mmzone.h 2010-09-17 20:12:09.000000000 -0400
45701 @@ -345,7 +345,7 @@ struct zone {
45702 unsigned long flags; /* zone flags, see below */
45704 /* Zone statistics */
45705 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
45706 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
45709 * prev_priority holds the scanning priority for this zone. It is
45710 diff -urNp linux-2.6.35.4/include/linux/mod_devicetable.h linux-2.6.35.4/include/linux/mod_devicetable.h
45711 --- linux-2.6.35.4/include/linux/mod_devicetable.h 2010-08-26 19:47:12.000000000 -0400
45712 +++ linux-2.6.35.4/include/linux/mod_devicetable.h 2010-09-17 20:12:09.000000000 -0400
45714 typedef unsigned long kernel_ulong_t;
45717 -#define PCI_ANY_ID (~0)
45718 +#define PCI_ANY_ID ((__u16)~0)
45720 struct pci_device_id {
45721 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
45722 @@ -131,7 +131,7 @@ struct usb_device_id {
45723 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
45724 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
45726 -#define HID_ANY_ID (~0)
45727 +#define HID_ANY_ID (~0U)
45729 struct hid_device_id {
45731 diff -urNp linux-2.6.35.4/include/linux/module.h linux-2.6.35.4/include/linux/module.h
45732 --- linux-2.6.35.4/include/linux/module.h 2010-08-26 19:47:12.000000000 -0400
45733 +++ linux-2.6.35.4/include/linux/module.h 2010-09-17 20:12:09.000000000 -0400
45734 @@ -297,16 +297,16 @@ struct module
45737 /* If this is non-NULL, vfree after init() returns */
45738 - void *module_init;
45739 + void *module_init_rx, *module_init_rw;
45741 /* Here is the actual code + data, vfree'd on unload. */
45742 - void *module_core;
45743 + void *module_core_rx, *module_core_rw;
45745 /* Here are the sizes of the init and core sections */
45746 - unsigned int init_size, core_size;
45747 + unsigned int init_size_rw, core_size_rw;
45749 /* The size of the executable code in each section. */
45750 - unsigned int init_text_size, core_text_size;
45751 + unsigned int init_size_rx, core_size_rx;
45753 /* Arch-specific module values */
45754 struct mod_arch_specific arch;
45755 @@ -408,16 +408,46 @@ bool is_module_address(unsigned long add
45756 bool is_module_percpu_address(unsigned long addr);
45757 bool is_module_text_address(unsigned long addr);
45759 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
45762 +#ifdef CONFIG_PAX_KERNEXEC
45763 + if (ktla_ktva(addr) >= (unsigned long)start &&
45764 + ktla_ktva(addr) < (unsigned long)start + size)
45768 + return ((void *)addr >= start && (void *)addr < start + size);
45771 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
45773 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
45776 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
45778 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
45781 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
45783 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
45786 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
45788 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
45791 static inline int within_module_core(unsigned long addr, struct module *mod)
45793 - return (unsigned long)mod->module_core <= addr &&
45794 - addr < (unsigned long)mod->module_core + mod->core_size;
45795 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
45798 static inline int within_module_init(unsigned long addr, struct module *mod)
45800 - return (unsigned long)mod->module_init <= addr &&
45801 - addr < (unsigned long)mod->module_init + mod->init_size;
45802 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
45805 /* Search for module by name: must hold module_mutex. */
45806 diff -urNp linux-2.6.35.4/include/linux/moduleloader.h linux-2.6.35.4/include/linux/moduleloader.h
45807 --- linux-2.6.35.4/include/linux/moduleloader.h 2010-08-26 19:47:12.000000000 -0400
45808 +++ linux-2.6.35.4/include/linux/moduleloader.h 2010-09-17 20:12:09.000000000 -0400
45809 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
45810 sections. Returns NULL on failure. */
45811 void *module_alloc(unsigned long size);
45813 +#ifdef CONFIG_PAX_KERNEXEC
45814 +void *module_alloc_exec(unsigned long size);
45816 +#define module_alloc_exec(x) module_alloc(x)
45819 /* Free memory returned from module_alloc. */
45820 void module_free(struct module *mod, void *module_region);
45822 +#ifdef CONFIG_PAX_KERNEXEC
45823 +void module_free_exec(struct module *mod, void *module_region);
45825 +#define module_free_exec(x, y) module_free((x), (y))
45828 /* Apply the given relocation to the (simplified) ELF. Return -error
45830 int apply_relocate(Elf_Shdr *sechdrs,
45831 diff -urNp linux-2.6.35.4/include/linux/namei.h linux-2.6.35.4/include/linux/namei.h
45832 --- linux-2.6.35.4/include/linux/namei.h 2010-08-26 19:47:12.000000000 -0400
45833 +++ linux-2.6.35.4/include/linux/namei.h 2010-09-17 20:12:09.000000000 -0400
45834 @@ -22,7 +22,7 @@ struct nameidata {
45835 unsigned int flags;
45838 - char *saved_names[MAX_NESTED_LINKS + 1];
45839 + const char *saved_names[MAX_NESTED_LINKS + 1];
45843 @@ -81,12 +81,12 @@ extern int follow_up(struct path *);
45844 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
45845 extern void unlock_rename(struct dentry *, struct dentry *);
45847 -static inline void nd_set_link(struct nameidata *nd, char *path)
45848 +static inline void nd_set_link(struct nameidata *nd, const char *path)
45850 nd->saved_names[nd->depth] = path;
45853 -static inline char *nd_get_link(struct nameidata *nd)
45854 +static inline const char *nd_get_link(const struct nameidata *nd)
45856 return nd->saved_names[nd->depth];
45858 diff -urNp linux-2.6.35.4/include/linux/oprofile.h linux-2.6.35.4/include/linux/oprofile.h
45859 --- linux-2.6.35.4/include/linux/oprofile.h 2010-08-26 19:47:12.000000000 -0400
45860 +++ linux-2.6.35.4/include/linux/oprofile.h 2010-09-17 20:12:09.000000000 -0400
45861 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
45862 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
45863 char const * name, ulong * val);
45865 -/** Create a file for read-only access to an atomic_t. */
45866 +/** Create a file for read-only access to an atomic_unchecked_t. */
45867 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
45868 - char const * name, atomic_t * val);
45869 + char const * name, atomic_unchecked_t * val);
45871 /** create a directory */
45872 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
45873 diff -urNp linux-2.6.35.4/include/linux/pipe_fs_i.h linux-2.6.35.4/include/linux/pipe_fs_i.h
45874 --- linux-2.6.35.4/include/linux/pipe_fs_i.h 2010-08-26 19:47:12.000000000 -0400
45875 +++ linux-2.6.35.4/include/linux/pipe_fs_i.h 2010-09-17 20:12:09.000000000 -0400
45876 @@ -45,9 +45,9 @@ struct pipe_buffer {
45877 struct pipe_inode_info {
45878 wait_queue_head_t wait;
45879 unsigned int nrbufs, curbuf, buffers;
45880 - unsigned int readers;
45881 - unsigned int writers;
45882 - unsigned int waiting_writers;
45883 + atomic_t readers;
45884 + atomic_t writers;
45885 + atomic_t waiting_writers;
45886 unsigned int r_counter;
45887 unsigned int w_counter;
45888 struct page *tmp_page;
45889 diff -urNp linux-2.6.35.4/include/linux/poison.h linux-2.6.35.4/include/linux/poison.h
45890 --- linux-2.6.35.4/include/linux/poison.h 2010-08-26 19:47:12.000000000 -0400
45891 +++ linux-2.6.35.4/include/linux/poison.h 2010-09-17 20:12:09.000000000 -0400
45893 * under normal circumstances, used to verify that nobody uses
45894 * non-initialized list entries.
45896 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
45897 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
45898 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
45899 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
45901 /********** include/linux/timer.h **********/
45903 diff -urNp linux-2.6.35.4/include/linux/proc_fs.h linux-2.6.35.4/include/linux/proc_fs.h
45904 --- linux-2.6.35.4/include/linux/proc_fs.h 2010-08-26 19:47:12.000000000 -0400
45905 +++ linux-2.6.35.4/include/linux/proc_fs.h 2010-09-17 20:12:37.000000000 -0400
45906 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
45907 return proc_create_data(name, mode, parent, proc_fops, NULL);
45910 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
45911 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
45913 +#ifdef CONFIG_GRKERNSEC_PROC_USER
45914 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
45915 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45916 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
45918 + return proc_create_data(name, mode, parent, proc_fops, NULL);
45923 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
45924 mode_t mode, struct proc_dir_entry *base,
45925 read_proc_t *read_proc, void * data)
45926 diff -urNp linux-2.6.35.4/include/linux/random.h linux-2.6.35.4/include/linux/random.h
45927 --- linux-2.6.35.4/include/linux/random.h 2010-08-26 19:47:12.000000000 -0400
45928 +++ linux-2.6.35.4/include/linux/random.h 2010-09-17 20:12:09.000000000 -0400
45929 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
45931 u32 prandom32(struct rnd_state *);
45933 +static inline unsigned long pax_get_random_long(void)
45935 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
45939 * Handle minimum values for seeds
45941 static inline u32 __seed(u32 x, u32 m)
45943 - return (x < m) ? x + m : x;
45944 + return (x <= m) ? x + m + 1 : x;
45948 diff -urNp linux-2.6.35.4/include/linux/reiserfs_fs.h linux-2.6.35.4/include/linux/reiserfs_fs.h
45949 --- linux-2.6.35.4/include/linux/reiserfs_fs.h 2010-08-26 19:47:12.000000000 -0400
45950 +++ linux-2.6.35.4/include/linux/reiserfs_fs.h 2010-09-17 20:12:09.000000000 -0400
45951 @@ -1404,7 +1404,7 @@ static inline loff_t max_reiserfs_offset
45952 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
45954 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
45955 -#define get_generation(s) atomic_read (&fs_generation(s))
45956 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
45957 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
45958 #define __fs_changed(gen,s) (gen != get_generation (s))
45959 #define fs_changed(gen,s) \
45960 @@ -1616,24 +1616,24 @@ static inline struct super_block *sb_fro
45963 struct item_operations {
45964 - int (*bytes_number) (struct item_head * ih, int block_size);
45965 - void (*decrement_key) (struct cpu_key *);
45966 - int (*is_left_mergeable) (struct reiserfs_key * ih,
45967 + int (* const bytes_number) (struct item_head * ih, int block_size);
45968 + void (* const decrement_key) (struct cpu_key *);
45969 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
45970 unsigned long bsize);
45971 - void (*print_item) (struct item_head *, char *item);
45972 - void (*check_item) (struct item_head *, char *item);
45973 + void (* const print_item) (struct item_head *, char *item);
45974 + void (* const check_item) (struct item_head *, char *item);
45976 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
45977 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
45978 int is_affected, int insert_size);
45979 - int (*check_left) (struct virtual_item * vi, int free,
45980 + int (* const check_left) (struct virtual_item * vi, int free,
45981 int start_skip, int end_skip);
45982 - int (*check_right) (struct virtual_item * vi, int free);
45983 - int (*part_size) (struct virtual_item * vi, int from, int to);
45984 - int (*unit_num) (struct virtual_item * vi);
45985 - void (*print_vi) (struct virtual_item * vi);
45986 + int (* const check_right) (struct virtual_item * vi, int free);
45987 + int (* const part_size) (struct virtual_item * vi, int from, int to);
45988 + int (* const unit_num) (struct virtual_item * vi);
45989 + void (* const print_vi) (struct virtual_item * vi);
45992 -extern struct item_operations *item_ops[TYPE_ANY + 1];
45993 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
45995 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
45996 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
45997 diff -urNp linux-2.6.35.4/include/linux/reiserfs_fs_sb.h linux-2.6.35.4/include/linux/reiserfs_fs_sb.h
45998 --- linux-2.6.35.4/include/linux/reiserfs_fs_sb.h 2010-08-26 19:47:12.000000000 -0400
45999 +++ linux-2.6.35.4/include/linux/reiserfs_fs_sb.h 2010-09-17 20:12:09.000000000 -0400
46000 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
46001 /* Comment? -Hans */
46002 wait_queue_head_t s_wait;
46003 /* To be obsoleted soon by per buffer seals.. -Hans */
46004 - atomic_t s_generation_counter; // increased by one every time the
46005 + atomic_unchecked_t s_generation_counter; // increased by one every time the
46006 // tree gets re-balanced
46007 unsigned long s_properties; /* File system properties. Currently holds
46008 on-disk FS format */
46009 diff -urNp linux-2.6.35.4/include/linux/rmap.h linux-2.6.35.4/include/linux/rmap.h
46010 --- linux-2.6.35.4/include/linux/rmap.h 2010-08-26 19:47:12.000000000 -0400
46011 +++ linux-2.6.35.4/include/linux/rmap.h 2010-09-17 20:12:09.000000000 -0400
46012 @@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
46013 void anon_vma_init(void); /* create anon_vma_cachep */
46014 int anon_vma_prepare(struct vm_area_struct *);
46015 void unlink_anon_vmas(struct vm_area_struct *);
46016 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
46017 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
46018 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
46019 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
46020 void __anon_vma_link(struct vm_area_struct *);
46021 void anon_vma_free(struct anon_vma *);
46023 diff -urNp linux-2.6.35.4/include/linux/sched.h linux-2.6.35.4/include/linux/sched.h
46024 --- linux-2.6.35.4/include/linux/sched.h 2010-08-26 19:47:12.000000000 -0400
46025 +++ linux-2.6.35.4/include/linux/sched.h 2010-09-17 20:12:37.000000000 -0400
46026 @@ -100,6 +100,7 @@ struct robust_list_head;
46029 struct perf_event_context;
46030 +struct linux_binprm;
46033 * List of flags we want to share for kernel threads,
46034 @@ -381,10 +382,12 @@ struct user_namespace;
46035 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
46037 extern int sysctl_max_map_count;
46038 +extern unsigned long sysctl_heap_stack_gap;
46040 #include <linux/aio.h>
46043 +extern bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len);
46044 extern void arch_pick_mmap_layout(struct mm_struct *mm);
46045 extern unsigned long
46046 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
46047 @@ -628,6 +631,15 @@ struct signal_struct {
46048 struct tty_audit_buf *tty_audit_buf;
46051 +#ifdef CONFIG_GRKERNSEC
46057 + u8 used_accept:1;
46060 int oom_adj; /* OOM kill score adjustment (bit shift) */
46063 @@ -1166,7 +1178,7 @@ struct rcu_node;
46065 struct task_struct {
46066 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
46068 + struct thread_info *stack;
46070 unsigned int flags; /* per process flags, defined below */
46071 unsigned int ptrace;
46072 @@ -1274,8 +1286,8 @@ struct task_struct {
46073 struct list_head thread_group;
46075 struct completion *vfork_done; /* for vfork() */
46076 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
46077 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
46078 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
46079 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
46081 cputime_t utime, stime, utimescaled, stimescaled;
46083 @@ -1291,16 +1303,6 @@ struct task_struct {
46084 struct task_cputime cputime_expires;
46085 struct list_head cpu_timers[3];
46087 -/* process credentials */
46088 - const struct cred *real_cred; /* objective and real subjective task
46089 - * credentials (COW) */
46090 - const struct cred *cred; /* effective (overridable) subjective task
46091 - * credentials (COW) */
46092 - struct mutex cred_guard_mutex; /* guard against foreign influences on
46093 - * credential calculations
46094 - * (notably. ptrace) */
46095 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
46097 char comm[TASK_COMM_LEN]; /* executable name excluding path
46098 - access with [gs]et_task_comm (which lock
46099 it with task_lock())
46100 @@ -1384,6 +1386,15 @@ struct task_struct {
46101 int softirqs_enabled;
46102 int softirq_context;
46105 +/* process credentials */
46106 + const struct cred *real_cred; /* objective and real subjective task
46107 + * credentials (COW) */
46108 + struct mutex cred_guard_mutex; /* guard against foreign influences on
46109 + * credential calculations
46110 + * (notably. ptrace) */
46111 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
46113 #ifdef CONFIG_LOCKDEP
46114 # define MAX_LOCK_DEPTH 48UL
46115 u64 curr_chain_key;
46116 @@ -1404,6 +1415,9 @@ struct task_struct {
46118 struct backing_dev_info *backing_dev_info;
46120 + const struct cred *cred; /* effective (overridable) subjective task
46121 + * credentials (COW) */
46123 struct io_context *io_context;
46125 unsigned long ptrace_message;
46126 @@ -1469,6 +1483,20 @@ struct task_struct {
46127 unsigned long default_timer_slack_ns;
46129 struct list_head *scm_work_list;
46131 +#ifdef CONFIG_GRKERNSEC
46133 + struct dentry *gr_chroot_dentry;
46134 + struct acl_subject_label *acl;
46135 + struct acl_role_label *role;
46136 + struct file *exec_file;
46141 + u8 gr_is_chrooted;
46144 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
46145 /* Index of current stored address in ret_stack */
46146 int curr_ret_stack;
46147 @@ -1500,6 +1528,52 @@ struct task_struct {
46151 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
46152 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
46153 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
46154 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
46155 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
46156 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
46158 +#ifdef CONFIG_PAX_SOFTMODE
46159 +extern unsigned int pax_softmode;
46162 +extern int pax_check_flags(unsigned long *);
46164 +/* if tsk != current then task_lock must be held on it */
46165 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
46166 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
46168 + if (likely(tsk->mm))
46169 + return tsk->mm->pax_flags;
46174 +/* if tsk != current then task_lock must be held on it */
46175 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
46177 + if (likely(tsk->mm)) {
46178 + tsk->mm->pax_flags = flags;
46185 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
46186 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
46187 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
46188 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
46191 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
46192 +void pax_report_insns(void *pc, void *sp);
46193 +void pax_report_refcount_overflow(struct pt_regs *regs);
46194 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
46195 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
46197 /* Future-safe accessor for struct task_struct's cpus_allowed. */
46198 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
46200 @@ -2101,7 +2175,7 @@ extern void __cleanup_sighand(struct sig
46201 extern void exit_itimers(struct signal_struct *);
46202 extern void flush_itimer_signals(void);
46204 -extern NORET_TYPE void do_group_exit(int);
46205 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
46207 extern void daemonize(const char *, ...);
46208 extern int allow_signal(int);
46209 @@ -2217,8 +2291,8 @@ static inline void unlock_task_sighand(s
46211 #ifndef __HAVE_THREAD_FUNCTIONS
46213 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
46214 -#define task_stack_page(task) ((task)->stack)
46215 +#define task_thread_info(task) ((task)->stack)
46216 +#define task_stack_page(task) ((void *)(task)->stack)
46218 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
46220 @@ -2233,13 +2307,17 @@ static inline unsigned long *end_of_stac
46224 -static inline int object_is_on_stack(void *obj)
46225 +static inline int object_starts_on_stack(void *obj)
46227 - void *stack = task_stack_page(current);
46228 + const void *stack = task_stack_page(current);
46230 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
46233 +#ifdef CONFIG_PAX_USERCOPY
46234 +extern int object_is_on_stack(const void *obj, unsigned long len);
46237 extern void thread_info_cache_init(void);
46239 #ifdef CONFIG_DEBUG_STACK_USAGE
46240 diff -urNp linux-2.6.35.4/include/linux/screen_info.h linux-2.6.35.4/include/linux/screen_info.h
46241 --- linux-2.6.35.4/include/linux/screen_info.h 2010-08-26 19:47:12.000000000 -0400
46242 +++ linux-2.6.35.4/include/linux/screen_info.h 2010-09-17 20:12:09.000000000 -0400
46243 @@ -43,7 +43,8 @@ struct screen_info {
46244 __u16 pages; /* 0x32 */
46245 __u16 vesa_attributes; /* 0x34 */
46246 __u32 capabilities; /* 0x36 */
46247 - __u8 _reserved[6]; /* 0x3a */
46248 + __u16 vesapm_size; /* 0x3a */
46249 + __u8 _reserved[4]; /* 0x3c */
46250 } __attribute__((packed));
46252 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
46253 diff -urNp linux-2.6.35.4/include/linux/security.h linux-2.6.35.4/include/linux/security.h
46254 --- linux-2.6.35.4/include/linux/security.h 2010-08-26 19:47:12.000000000 -0400
46255 +++ linux-2.6.35.4/include/linux/security.h 2010-09-17 20:12:37.000000000 -0400
46257 #include <linux/key.h>
46258 #include <linux/xfrm.h>
46259 #include <linux/slab.h>
46260 +#include <linux/grsecurity.h>
46261 #include <net/flow.h>
46263 /* Maximum number of letters for an LSM name string */
46264 diff -urNp linux-2.6.35.4/include/linux/shm.h linux-2.6.35.4/include/linux/shm.h
46265 --- linux-2.6.35.4/include/linux/shm.h 2010-08-26 19:47:12.000000000 -0400
46266 +++ linux-2.6.35.4/include/linux/shm.h 2010-09-17 20:12:37.000000000 -0400
46267 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
46270 struct user_struct *mlock_user;
46271 +#ifdef CONFIG_GRKERNSEC
46272 + time_t shm_createtime;
46277 /* shm_mode upper byte flags */
46278 diff -urNp linux-2.6.35.4/include/linux/slab.h linux-2.6.35.4/include/linux/slab.h
46279 --- linux-2.6.35.4/include/linux/slab.h 2010-08-26 19:47:12.000000000 -0400
46280 +++ linux-2.6.35.4/include/linux/slab.h 2010-09-17 20:12:09.000000000 -0400
46283 #include <linux/gfp.h>
46284 #include <linux/types.h>
46285 +#include <linux/err.h>
46288 * Flags to pass to kmem_cache_create().
46289 @@ -87,10 +88,13 @@
46290 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
46291 * Both make kfree a no-op.
46293 -#define ZERO_SIZE_PTR ((void *)16)
46294 +#define ZERO_SIZE_PTR \
46296 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
46297 + (void *)(-MAX_ERRNO-1L); \
46300 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
46301 - (unsigned long)ZERO_SIZE_PTR)
46302 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
46305 * struct kmem_cache related prototypes
46306 @@ -144,6 +148,7 @@ void * __must_check krealloc(const void
46307 void kfree(const void *);
46308 void kzfree(const void *);
46309 size_t ksize(const void *);
46310 +void check_object_size(const void *ptr, unsigned long n, bool to);
46313 * Allocator specific definitions. These are mainly used to establish optimized
46314 @@ -334,4 +339,37 @@ static inline void *kzalloc_node(size_t
46316 void __init kmem_cache_init_late(void);
46318 +#define kmalloc(x, y) \
46320 + void *___retval; \
46321 + intoverflow_t ___x = (intoverflow_t)x; \
46322 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
46323 + ___retval = NULL; \
46325 + ___retval = kmalloc((size_t)___x, (y)); \
46329 +#define kmalloc_node(x, y, z) \
46331 + void *___retval; \
46332 + intoverflow_t ___x = (intoverflow_t)x; \
46333 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
46334 + ___retval = NULL; \
46336 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
46340 +#define kzalloc(x, y) \
46342 + void *___retval; \
46343 + intoverflow_t ___x = (intoverflow_t)x; \
46344 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
46345 + ___retval = NULL; \
46347 + ___retval = kzalloc((size_t)___x, (y)); \
46351 #endif /* _LINUX_SLAB_H */
46352 diff -urNp linux-2.6.35.4/include/linux/slub_def.h linux-2.6.35.4/include/linux/slub_def.h
46353 --- linux-2.6.35.4/include/linux/slub_def.h 2010-08-26 19:47:12.000000000 -0400
46354 +++ linux-2.6.35.4/include/linux/slub_def.h 2010-09-17 20:12:09.000000000 -0400
46355 @@ -79,7 +79,7 @@ struct kmem_cache {
46356 struct kmem_cache_order_objects max;
46357 struct kmem_cache_order_objects min;
46358 gfp_t allocflags; /* gfp flags to use on each alloc */
46359 - int refcount; /* Refcount for slab cache destroy */
46360 + atomic_t refcount; /* Refcount for slab cache destroy */
46361 void (*ctor)(void *);
46362 int inuse; /* Offset to metadata */
46363 int align; /* Alignment */
46364 diff -urNp linux-2.6.35.4/include/linux/sonet.h linux-2.6.35.4/include/linux/sonet.h
46365 --- linux-2.6.35.4/include/linux/sonet.h 2010-08-26 19:47:12.000000000 -0400
46366 +++ linux-2.6.35.4/include/linux/sonet.h 2010-09-17 20:12:09.000000000 -0400
46367 @@ -61,7 +61,7 @@ struct sonet_stats {
46368 #include <asm/atomic.h>
46370 struct k_sonet_stats {
46371 -#define __HANDLE_ITEM(i) atomic_t i
46372 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
46374 #undef __HANDLE_ITEM
46376 diff -urNp linux-2.6.35.4/include/linux/suspend.h linux-2.6.35.4/include/linux/suspend.h
46377 --- linux-2.6.35.4/include/linux/suspend.h 2010-08-26 19:47:12.000000000 -0400
46378 +++ linux-2.6.35.4/include/linux/suspend.h 2010-09-17 20:12:09.000000000 -0400
46379 @@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
46380 * which require special recovery actions in that situation.
46382 struct platform_suspend_ops {
46383 - int (*valid)(suspend_state_t state);
46384 - int (*begin)(suspend_state_t state);
46385 - int (*prepare)(void);
46386 - int (*prepare_late)(void);
46387 - int (*enter)(suspend_state_t state);
46388 - void (*wake)(void);
46389 - void (*finish)(void);
46390 - void (*end)(void);
46391 - void (*recover)(void);
46392 + int (* const valid)(suspend_state_t state);
46393 + int (* const begin)(suspend_state_t state);
46394 + int (* const prepare)(void);
46395 + int (* const prepare_late)(void);
46396 + int (* const enter)(suspend_state_t state);
46397 + void (* const wake)(void);
46398 + void (* const finish)(void);
46399 + void (* const end)(void);
46400 + void (* const recover)(void);
46403 #ifdef CONFIG_SUSPEND
46404 @@ -120,7 +120,7 @@ struct platform_suspend_ops {
46405 * suspend_set_ops - set platform dependent suspend operations
46406 * @ops: The new suspend operations to set.
46408 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
46409 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
46410 extern int suspend_valid_only_mem(suspend_state_t state);
46413 @@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
46414 #else /* !CONFIG_SUSPEND */
46415 #define suspend_valid_only_mem NULL
46417 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
46418 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
46419 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
46420 #endif /* !CONFIG_SUSPEND */
46422 @@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
46423 * platforms which require special recovery actions in that situation.
46425 struct platform_hibernation_ops {
46426 - int (*begin)(void);
46427 - void (*end)(void);
46428 - int (*pre_snapshot)(void);
46429 - void (*finish)(void);
46430 - int (*prepare)(void);
46431 - int (*enter)(void);
46432 - void (*leave)(void);
46433 - int (*pre_restore)(void);
46434 - void (*restore_cleanup)(void);
46435 - void (*recover)(void);
46436 + int (* const begin)(void);
46437 + void (* const end)(void);
46438 + int (* const pre_snapshot)(void);
46439 + void (* const finish)(void);
46440 + int (* const prepare)(void);
46441 + int (* const enter)(void);
46442 + void (* const leave)(void);
46443 + int (* const pre_restore)(void);
46444 + void (* const restore_cleanup)(void);
46445 + void (* const recover)(void);
46448 #ifdef CONFIG_HIBERNATION
46449 @@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
46450 extern void swsusp_unset_page_free(struct page *);
46451 extern unsigned long get_safe_page(gfp_t gfp_mask);
46453 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
46454 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
46455 extern int hibernate(void);
46456 extern bool system_entering_hibernation(void);
46457 #else /* CONFIG_HIBERNATION */
46458 @@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
46459 static inline void swsusp_set_page_free(struct page *p) {}
46460 static inline void swsusp_unset_page_free(struct page *p) {}
46462 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
46463 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
46464 static inline int hibernate(void) { return -ENOSYS; }
46465 static inline bool system_entering_hibernation(void) { return false; }
46466 #endif /* CONFIG_HIBERNATION */
46467 diff -urNp linux-2.6.35.4/include/linux/sysctl.h linux-2.6.35.4/include/linux/sysctl.h
46468 --- linux-2.6.35.4/include/linux/sysctl.h 2010-08-26 19:47:12.000000000 -0400
46469 +++ linux-2.6.35.4/include/linux/sysctl.h 2010-09-17 20:12:09.000000000 -0400
46470 @@ -155,7 +155,11 @@ enum
46471 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
46475 +#ifdef CONFIG_PAX_SOFTMODE
46477 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
46481 /* CTL_VM names: */
46483 diff -urNp linux-2.6.35.4/include/linux/sysfs.h linux-2.6.35.4/include/linux/sysfs.h
46484 --- linux-2.6.35.4/include/linux/sysfs.h 2010-08-26 19:47:12.000000000 -0400
46485 +++ linux-2.6.35.4/include/linux/sysfs.h 2010-09-17 20:12:09.000000000 -0400
46486 @@ -115,8 +115,8 @@ struct bin_attribute {
46487 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
46490 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
46491 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
46492 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
46493 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
46496 struct sysfs_dirent;
46497 diff -urNp linux-2.6.35.4/include/linux/thread_info.h linux-2.6.35.4/include/linux/thread_info.h
46498 --- linux-2.6.35.4/include/linux/thread_info.h 2010-08-26 19:47:12.000000000 -0400
46499 +++ linux-2.6.35.4/include/linux/thread_info.h 2010-09-17 20:12:09.000000000 -0400
46500 @@ -23,7 +23,7 @@ struct restart_block {
46502 /* For futex_wait and futex_wait_requeue_pi */
46505 + u32 __user *uaddr;
46509 diff -urNp linux-2.6.35.4/include/linux/tty.h linux-2.6.35.4/include/linux/tty.h
46510 --- linux-2.6.35.4/include/linux/tty.h 2010-08-26 19:47:12.000000000 -0400
46511 +++ linux-2.6.35.4/include/linux/tty.h 2010-09-17 20:12:09.000000000 -0400
46513 #include <linux/tty_driver.h>
46514 #include <linux/tty_ldisc.h>
46515 #include <linux/mutex.h>
46516 +#include <linux/poll.h>
46518 #include <asm/system.h>
46520 @@ -453,7 +454,6 @@ extern int tty_perform_flush(struct tty_
46521 extern dev_t tty_devnum(struct tty_struct *tty);
46522 extern void proc_clear_tty(struct task_struct *p);
46523 extern struct tty_struct *get_current_tty(void);
46524 -extern void tty_default_fops(struct file_operations *fops);
46525 extern struct tty_struct *alloc_tty_struct(void);
46526 extern void free_tty_struct(struct tty_struct *tty);
46527 extern void initialize_tty_struct(struct tty_struct *tty,
46528 @@ -514,6 +514,18 @@ extern void tty_ldisc_begin(void);
46529 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
46530 extern void tty_ldisc_enable(struct tty_struct *tty);
46533 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
46534 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
46535 +extern unsigned int tty_poll(struct file *, poll_table *);
46536 +#ifdef CONFIG_COMPAT
46537 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
46538 + unsigned long arg);
46540 +#define tty_compat_ioctl NULL
46542 +extern int tty_release(struct inode *, struct file *);
46543 +extern int tty_fasync(int fd, struct file *filp, int on);
46546 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
46547 diff -urNp linux-2.6.35.4/include/linux/tty_ldisc.h linux-2.6.35.4/include/linux/tty_ldisc.h
46548 --- linux-2.6.35.4/include/linux/tty_ldisc.h 2010-08-26 19:47:12.000000000 -0400
46549 +++ linux-2.6.35.4/include/linux/tty_ldisc.h 2010-09-17 20:12:09.000000000 -0400
46550 @@ -147,7 +147,7 @@ struct tty_ldisc_ops {
46552 struct module *owner;
46555 + atomic_t refcount;
46559 diff -urNp linux-2.6.35.4/include/linux/types.h linux-2.6.35.4/include/linux/types.h
46560 --- linux-2.6.35.4/include/linux/types.h 2010-08-26 19:47:12.000000000 -0400
46561 +++ linux-2.6.35.4/include/linux/types.h 2010-09-17 20:12:09.000000000 -0400
46562 @@ -191,10 +191,26 @@ typedef struct {
46566 +#ifdef CONFIG_PAX_REFCOUNT
46569 +} atomic_unchecked_t;
46571 +typedef atomic_t atomic_unchecked_t;
46574 #ifdef CONFIG_64BIT
46579 +#ifdef CONFIG_PAX_REFCOUNT
46582 +} atomic64_unchecked_t;
46584 +typedef atomic64_t atomic64_unchecked_t;
46589 diff -urNp linux-2.6.35.4/include/linux/uaccess.h linux-2.6.35.4/include/linux/uaccess.h
46590 --- linux-2.6.35.4/include/linux/uaccess.h 2010-08-26 19:47:12.000000000 -0400
46591 +++ linux-2.6.35.4/include/linux/uaccess.h 2010-09-17 20:12:09.000000000 -0400
46592 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
46594 mm_segment_t old_fs = get_fs(); \
46596 - set_fs(KERNEL_DS); \
46597 pagefault_disable(); \
46598 + set_fs(KERNEL_DS); \
46599 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
46600 - pagefault_enable(); \
46602 + pagefault_enable(); \
46606 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
46607 * Safely read from address @src to the buffer at @dst. If a kernel fault
46608 * happens, handle that and return -EFAULT.
46610 -extern long probe_kernel_read(void *dst, void *src, size_t size);
46611 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
46612 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
46613 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
46616 * probe_kernel_write(): safely attempt to write to a location
46617 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
46618 * Safely write to address @dst from the buffer at @src. If a kernel fault
46619 * happens, handle that and return -EFAULT.
46621 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
46622 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
46623 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
46624 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
46626 #endif /* __LINUX_UACCESS_H__ */
46627 diff -urNp linux-2.6.35.4/include/linux/usb/hcd.h linux-2.6.35.4/include/linux/usb/hcd.h
46628 --- linux-2.6.35.4/include/linux/usb/hcd.h 2010-08-26 19:47:12.000000000 -0400
46629 +++ linux-2.6.35.4/include/linux/usb/hcd.h 2010-09-17 20:12:09.000000000 -0400
46630 @@ -559,7 +559,7 @@ struct usb_mon_operations {
46631 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
46634 -extern struct usb_mon_operations *mon_ops;
46635 +extern const struct usb_mon_operations *mon_ops;
46637 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
46639 @@ -581,7 +581,7 @@ static inline void usbmon_urb_complete(s
46640 (*mon_ops->urb_complete)(bus, urb, status);
46643 -int usb_mon_register(struct usb_mon_operations *ops);
46644 +int usb_mon_register(const struct usb_mon_operations *ops);
46645 void usb_mon_deregister(void);
46648 diff -urNp linux-2.6.35.4/include/linux/vmalloc.h linux-2.6.35.4/include/linux/vmalloc.h
46649 --- linux-2.6.35.4/include/linux/vmalloc.h 2010-08-26 19:47:12.000000000 -0400
46650 +++ linux-2.6.35.4/include/linux/vmalloc.h 2010-09-17 20:12:09.000000000 -0400
46651 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
46652 #define VM_MAP 0x00000004 /* vmap()ed pages */
46653 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
46654 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
46656 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
46657 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
46660 /* bits [20..32] reserved for arch specific ioremap internals */
46663 @@ -121,4 +126,81 @@ struct vm_struct **pcpu_get_vm_areas(con
46665 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
46667 +#define vmalloc(x) \
46669 + void *___retval; \
46670 + intoverflow_t ___x = (intoverflow_t)x; \
46671 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
46672 + ___retval = NULL; \
46674 + ___retval = vmalloc((unsigned long)___x); \
46678 +#define __vmalloc(x, y, z) \
46680 + void *___retval; \
46681 + intoverflow_t ___x = (intoverflow_t)x; \
46682 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
46683 + ___retval = NULL; \
46685 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
46689 +#define vmalloc_user(x) \
46691 + void *___retval; \
46692 + intoverflow_t ___x = (intoverflow_t)x; \
46693 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
46694 + ___retval = NULL; \
46696 + ___retval = vmalloc_user((unsigned long)___x); \
46700 +#define vmalloc_exec(x) \
46702 + void *___retval; \
46703 + intoverflow_t ___x = (intoverflow_t)x; \
46704 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
46705 + ___retval = NULL; \
46707 + ___retval = vmalloc_exec((unsigned long)___x); \
46711 +#define vmalloc_node(x, y) \
46713 + void *___retval; \
46714 + intoverflow_t ___x = (intoverflow_t)x; \
46715 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
46716 + ___retval = NULL; \
46718 + ___retval = vmalloc_node((unsigned long)___x, (y));\
46722 +#define vmalloc_32(x) \
46724 + void *___retval; \
46725 + intoverflow_t ___x = (intoverflow_t)x; \
46726 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
46727 + ___retval = NULL; \
46729 + ___retval = vmalloc_32((unsigned long)___x); \
46733 +#define vmalloc_32_user(x) \
46735 + void *___retval; \
46736 + intoverflow_t ___x = (intoverflow_t)x; \
46737 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
46738 + ___retval = NULL; \
46740 + ___retval = vmalloc_32_user((unsigned long)___x);\
46744 #endif /* _LINUX_VMALLOC_H */
46745 diff -urNp linux-2.6.35.4/include/linux/vmstat.h linux-2.6.35.4/include/linux/vmstat.h
46746 --- linux-2.6.35.4/include/linux/vmstat.h 2010-08-26 19:47:12.000000000 -0400
46747 +++ linux-2.6.35.4/include/linux/vmstat.h 2010-09-17 20:12:09.000000000 -0400
46748 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
46750 * Zone based page accounting with per cpu differentials.
46752 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46753 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46755 static inline void zone_page_state_add(long x, struct zone *zone,
46756 enum zone_stat_item item)
46758 - atomic_long_add(x, &zone->vm_stat[item]);
46759 - atomic_long_add(x, &vm_stat[item]);
46760 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
46761 + atomic_long_add_unchecked(x, &vm_stat[item]);
46764 static inline unsigned long global_page_state(enum zone_stat_item item)
46766 - long x = atomic_long_read(&vm_stat[item]);
46767 + long x = atomic_long_read_unchecked(&vm_stat[item]);
46771 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
46772 static inline unsigned long zone_page_state(struct zone *zone,
46773 enum zone_stat_item item)
46775 - long x = atomic_long_read(&zone->vm_stat[item]);
46776 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
46780 @@ -246,8 +246,8 @@ static inline void __mod_zone_page_state
46782 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
46784 - atomic_long_inc(&zone->vm_stat[item]);
46785 - atomic_long_inc(&vm_stat[item]);
46786 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
46787 + atomic_long_inc_unchecked(&vm_stat[item]);
46790 static inline void __inc_zone_page_state(struct page *page,
46791 @@ -258,8 +258,8 @@ static inline void __inc_zone_page_state
46793 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
46795 - atomic_long_dec(&zone->vm_stat[item]);
46796 - atomic_long_dec(&vm_stat[item]);
46797 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
46798 + atomic_long_dec_unchecked(&vm_stat[item]);
46801 static inline void __dec_zone_page_state(struct page *page,
46802 diff -urNp linux-2.6.35.4/include/net/irda/ircomm_tty.h linux-2.6.35.4/include/net/irda/ircomm_tty.h
46803 --- linux-2.6.35.4/include/net/irda/ircomm_tty.h 2010-08-26 19:47:12.000000000 -0400
46804 +++ linux-2.6.35.4/include/net/irda/ircomm_tty.h 2010-09-17 20:12:09.000000000 -0400
46805 @@ -105,8 +105,8 @@ struct ircomm_tty_cb {
46806 unsigned short close_delay;
46807 unsigned short closing_wait; /* time to wait before closing */
46810 - int blocked_open; /* # of blocked opens */
46811 + atomic_t open_count;
46812 + atomic_t blocked_open; /* # of blocked opens */
46814 /* Protect concurent access to :
46815 * o self->open_count
46816 diff -urNp linux-2.6.35.4/include/net/neighbour.h linux-2.6.35.4/include/net/neighbour.h
46817 --- linux-2.6.35.4/include/net/neighbour.h 2010-08-26 19:47:12.000000000 -0400
46818 +++ linux-2.6.35.4/include/net/neighbour.h 2010-09-17 20:12:09.000000000 -0400
46819 @@ -116,12 +116,12 @@ struct neighbour {
46823 - void (*solicit)(struct neighbour *, struct sk_buff*);
46824 - void (*error_report)(struct neighbour *, struct sk_buff*);
46825 - int (*output)(struct sk_buff*);
46826 - int (*connected_output)(struct sk_buff*);
46827 - int (*hh_output)(struct sk_buff*);
46828 - int (*queue_xmit)(struct sk_buff*);
46829 + void (* const solicit)(struct neighbour *, struct sk_buff*);
46830 + void (* const error_report)(struct neighbour *, struct sk_buff*);
46831 + int (* const output)(struct sk_buff*);
46832 + int (* const connected_output)(struct sk_buff*);
46833 + int (* const hh_output)(struct sk_buff*);
46834 + int (* const queue_xmit)(struct sk_buff*);
46837 struct pneigh_entry {
46838 diff -urNp linux-2.6.35.4/include/net/sctp/sctp.h linux-2.6.35.4/include/net/sctp/sctp.h
46839 --- linux-2.6.35.4/include/net/sctp/sctp.h 2010-08-26 19:47:12.000000000 -0400
46840 +++ linux-2.6.35.4/include/net/sctp/sctp.h 2010-09-17 20:12:09.000000000 -0400
46841 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
46843 #else /* SCTP_DEBUG */
46845 -#define SCTP_DEBUG_PRINTK(whatever...)
46846 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
46847 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
46848 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
46849 #define SCTP_ENABLE_DEBUG
46850 #define SCTP_DISABLE_DEBUG
46851 #define SCTP_ASSERT(expr, str, func)
46852 diff -urNp linux-2.6.35.4/include/net/tcp.h linux-2.6.35.4/include/net/tcp.h
46853 --- linux-2.6.35.4/include/net/tcp.h 2010-08-26 19:47:12.000000000 -0400
46854 +++ linux-2.6.35.4/include/net/tcp.h 2010-09-17 20:12:09.000000000 -0400
46855 @@ -1404,6 +1404,7 @@ enum tcp_seq_states {
46856 struct tcp_seq_afinfo {
46858 sa_family_t family;
46859 + /* cannot be const */
46860 struct file_operations seq_fops;
46861 struct seq_operations seq_ops;
46863 diff -urNp linux-2.6.35.4/include/net/udp.h linux-2.6.35.4/include/net/udp.h
46864 --- linux-2.6.35.4/include/net/udp.h 2010-08-26 19:47:12.000000000 -0400
46865 +++ linux-2.6.35.4/include/net/udp.h 2010-09-17 20:12:09.000000000 -0400
46866 @@ -221,6 +221,7 @@ struct udp_seq_afinfo {
46868 sa_family_t family;
46869 struct udp_table *udp_table;
46870 + /* cannot be const */
46871 struct file_operations seq_fops;
46872 struct seq_operations seq_ops;
46874 diff -urNp linux-2.6.35.4/include/sound/ac97_codec.h linux-2.6.35.4/include/sound/ac97_codec.h
46875 --- linux-2.6.35.4/include/sound/ac97_codec.h 2010-08-26 19:47:12.000000000 -0400
46876 +++ linux-2.6.35.4/include/sound/ac97_codec.h 2010-09-17 20:12:09.000000000 -0400
46877 @@ -419,15 +419,15 @@
46880 struct snd_ac97_build_ops {
46881 - int (*build_3d) (struct snd_ac97 *ac97);
46882 - int (*build_specific) (struct snd_ac97 *ac97);
46883 - int (*build_spdif) (struct snd_ac97 *ac97);
46884 - int (*build_post_spdif) (struct snd_ac97 *ac97);
46885 + int (* const build_3d) (struct snd_ac97 *ac97);
46886 + int (* const build_specific) (struct snd_ac97 *ac97);
46887 + int (* const build_spdif) (struct snd_ac97 *ac97);
46888 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
46890 - void (*suspend) (struct snd_ac97 *ac97);
46891 - void (*resume) (struct snd_ac97 *ac97);
46892 + void (* const suspend) (struct snd_ac97 *ac97);
46893 + void (* const resume) (struct snd_ac97 *ac97);
46895 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
46896 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
46899 struct snd_ac97_bus_ops {
46900 @@ -477,7 +477,7 @@ struct snd_ac97_template {
46903 /* -- lowlevel (hardware) driver specific -- */
46904 - struct snd_ac97_build_ops * build_ops;
46905 + const struct snd_ac97_build_ops * build_ops;
46906 void *private_data;
46907 void (*private_free) (struct snd_ac97 *ac97);
46909 diff -urNp linux-2.6.35.4/include/trace/events/irq.h linux-2.6.35.4/include/trace/events/irq.h
46910 --- linux-2.6.35.4/include/trace/events/irq.h 2010-08-26 19:47:12.000000000 -0400
46911 +++ linux-2.6.35.4/include/trace/events/irq.h 2010-09-17 20:12:09.000000000 -0400
46914 TRACE_EVENT(irq_handler_entry,
46916 - TP_PROTO(int irq, struct irqaction *action),
46917 + TP_PROTO(int irq, const struct irqaction *action),
46919 TP_ARGS(irq, action),
46921 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
46923 TRACE_EVENT(irq_handler_exit,
46925 - TP_PROTO(int irq, struct irqaction *action, int ret),
46926 + TP_PROTO(int irq, const struct irqaction *action, int ret),
46928 TP_ARGS(irq, action, ret),
46930 @@ -84,7 +84,7 @@ TRACE_EVENT(irq_handler_exit,
46932 DECLARE_EVENT_CLASS(softirq,
46934 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
46935 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
46939 @@ -113,7 +113,7 @@ DECLARE_EVENT_CLASS(softirq,
46941 DEFINE_EVENT(softirq, softirq_entry,
46943 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
46944 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
46948 @@ -131,7 +131,7 @@ DEFINE_EVENT(softirq, softirq_entry,
46950 DEFINE_EVENT(softirq, softirq_exit,
46952 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
46953 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
46957 diff -urNp linux-2.6.35.4/include/video/uvesafb.h linux-2.6.35.4/include/video/uvesafb.h
46958 --- linux-2.6.35.4/include/video/uvesafb.h 2010-08-26 19:47:12.000000000 -0400
46959 +++ linux-2.6.35.4/include/video/uvesafb.h 2010-09-17 20:12:09.000000000 -0400
46960 @@ -177,6 +177,7 @@ struct uvesafb_par {
46961 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
46962 u8 pmi_setpal; /* PMI for palette changes */
46963 u16 *pmi_base; /* protected mode interface location */
46964 + u8 *pmi_code; /* protected mode code location */
46967 u8 *vbe_state_orig; /*
46968 diff -urNp linux-2.6.35.4/init/do_mounts.c linux-2.6.35.4/init/do_mounts.c
46969 --- linux-2.6.35.4/init/do_mounts.c 2010-08-26 19:47:12.000000000 -0400
46970 +++ linux-2.6.35.4/init/do_mounts.c 2010-09-17 20:12:09.000000000 -0400
46971 @@ -217,11 +217,11 @@ static void __init get_fs_names(char *pa
46973 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
46975 - int err = sys_mount(name, "/root", fs, flags, data);
46976 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
46980 - sys_chdir("/root");
46981 + sys_chdir((__force char __user *)"/root");
46982 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
46983 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
46984 current->fs->pwd.mnt->mnt_sb->s_type->name,
46985 @@ -312,18 +312,18 @@ void __init change_floppy(char *fmt, ...
46986 va_start(args, fmt);
46987 vsprintf(buf, fmt, args);
46989 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
46990 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
46992 sys_ioctl(fd, FDEJECT, 0);
46995 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
46996 - fd = sys_open("/dev/console", O_RDWR, 0);
46997 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
46999 sys_ioctl(fd, TCGETS, (long)&termios);
47000 termios.c_lflag &= ~ICANON;
47001 sys_ioctl(fd, TCSETSF, (long)&termios);
47002 - sys_read(fd, &c, 1);
47003 + sys_read(fd, (char __user *)&c, 1);
47004 termios.c_lflag |= ICANON;
47005 sys_ioctl(fd, TCSETSF, (long)&termios);
47007 @@ -417,6 +417,6 @@ void __init prepare_namespace(void)
47010 devtmpfs_mount("dev");
47011 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
47013 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
47014 + sys_chroot((__force char __user *)".");
47016 diff -urNp linux-2.6.35.4/init/do_mounts.h linux-2.6.35.4/init/do_mounts.h
47017 --- linux-2.6.35.4/init/do_mounts.h 2010-08-26 19:47:12.000000000 -0400
47018 +++ linux-2.6.35.4/init/do_mounts.h 2010-09-17 20:12:09.000000000 -0400
47019 @@ -15,15 +15,15 @@ extern int root_mountflags;
47021 static inline int create_dev(char *name, dev_t dev)
47023 - sys_unlink(name);
47024 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
47025 + sys_unlink((__force char __user *)name);
47026 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
47029 #if BITS_PER_LONG == 32
47030 static inline u32 bstat(char *name)
47032 struct stat64 stat;
47033 - if (sys_stat64(name, &stat) != 0)
47034 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
47036 if (!S_ISBLK(stat.st_mode))
47038 diff -urNp linux-2.6.35.4/init/do_mounts_initrd.c linux-2.6.35.4/init/do_mounts_initrd.c
47039 --- linux-2.6.35.4/init/do_mounts_initrd.c 2010-08-26 19:47:12.000000000 -0400
47040 +++ linux-2.6.35.4/init/do_mounts_initrd.c 2010-09-17 20:12:09.000000000 -0400
47041 @@ -43,13 +43,13 @@ static void __init handle_initrd(void)
47042 create_dev("/dev/root.old", Root_RAM0);
47043 /* mount initrd on rootfs' /root */
47044 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
47045 - sys_mkdir("/old", 0700);
47046 - root_fd = sys_open("/", 0, 0);
47047 - old_fd = sys_open("/old", 0, 0);
47048 + sys_mkdir((__force const char __user *)"/old", 0700);
47049 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
47050 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
47051 /* move initrd over / and chdir/chroot in initrd root */
47052 - sys_chdir("/root");
47053 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
47055 + sys_chdir((__force const char __user *)"/root");
47056 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
47057 + sys_chroot((__force const char __user *)".");
47060 * In case that a resume from disk is carried out by linuxrc or one of
47061 @@ -66,15 +66,15 @@ static void __init handle_initrd(void)
47063 /* move initrd to rootfs' /old */
47064 sys_fchdir(old_fd);
47065 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
47066 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
47067 /* switch root and cwd back to / of rootfs */
47068 sys_fchdir(root_fd);
47070 + sys_chroot((__force const char __user *)".");
47072 sys_close(root_fd);
47074 if (new_decode_dev(real_root_dev) == Root_RAM0) {
47075 - sys_chdir("/old");
47076 + sys_chdir((__force const char __user *)"/old");
47080 @@ -82,17 +82,17 @@ static void __init handle_initrd(void)
47083 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
47084 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
47085 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
47089 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
47090 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
47091 if (error == -ENOENT)
47092 printk("/initrd does not exist. Ignored.\n");
47094 printk("failed\n");
47095 printk(KERN_NOTICE "Unmounting old root\n");
47096 - sys_umount("/old", MNT_DETACH);
47097 + sys_umount((__force char __user *)"/old", MNT_DETACH);
47098 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
47101 @@ -115,11 +115,11 @@ int __init initrd_load(void)
47102 * mounted in the normal path.
47104 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
47105 - sys_unlink("/initrd.image");
47106 + sys_unlink((__force const char __user *)"/initrd.image");
47111 - sys_unlink("/initrd.image");
47112 + sys_unlink((__force const char __user *)"/initrd.image");
47115 diff -urNp linux-2.6.35.4/init/do_mounts_md.c linux-2.6.35.4/init/do_mounts_md.c
47116 --- linux-2.6.35.4/init/do_mounts_md.c 2010-08-26 19:47:12.000000000 -0400
47117 +++ linux-2.6.35.4/init/do_mounts_md.c 2010-09-17 20:12:09.000000000 -0400
47118 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
47119 partitioned ? "_d" : "", minor,
47120 md_setup_args[ent].device_names);
47122 - fd = sys_open(name, 0, 0);
47123 + fd = sys_open((__force char __user *)name, 0, 0);
47125 printk(KERN_ERR "md: open failed - cannot start "
47126 "array %s\n", name);
47127 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
47131 - fd = sys_open(name, 0, 0);
47132 + fd = sys_open((__force char __user *)name, 0, 0);
47133 sys_ioctl(fd, BLKRRPART, 0);
47136 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
47138 wait_for_device_probe();
47140 - fd = sys_open("/dev/md0", 0, 0);
47141 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
47143 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
47145 diff -urNp linux-2.6.35.4/init/initramfs.c linux-2.6.35.4/init/initramfs.c
47146 --- linux-2.6.35.4/init/initramfs.c 2010-08-26 19:47:12.000000000 -0400
47147 +++ linux-2.6.35.4/init/initramfs.c 2010-09-17 20:12:09.000000000 -0400
47148 @@ -74,7 +74,7 @@ static void __init free_hash(void)
47152 -static long __init do_utime(char __user *filename, time_t mtime)
47153 +static long __init do_utime(__force char __user *filename, time_t mtime)
47155 struct timespec t[2];
47157 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
47158 struct dir_entry *de, *tmp;
47159 list_for_each_entry_safe(de, tmp, &dir_list, list) {
47160 list_del(&de->list);
47161 - do_utime(de->name, de->mtime);
47162 + do_utime((__force char __user *)de->name, de->mtime);
47166 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
47168 char *old = find_link(major, minor, ino, mode, collected);
47170 - return (sys_link(old, collected) < 0) ? -1 : 1;
47171 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
47175 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
47179 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
47180 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
47181 if (S_ISDIR(st.st_mode))
47183 + sys_rmdir((__force char __user *)path);
47185 - sys_unlink(path);
47186 + sys_unlink((__force char __user *)path);
47190 @@ -305,7 +305,7 @@ static int __init do_name(void)
47191 int openflags = O_WRONLY|O_CREAT;
47193 openflags |= O_TRUNC;
47194 - wfd = sys_open(collected, openflags, mode);
47195 + wfd = sys_open((__force char __user *)collected, openflags, mode);
47198 sys_fchown(wfd, uid, gid);
47199 @@ -317,17 +317,17 @@ static int __init do_name(void)
47202 } else if (S_ISDIR(mode)) {
47203 - sys_mkdir(collected, mode);
47204 - sys_chown(collected, uid, gid);
47205 - sys_chmod(collected, mode);
47206 + sys_mkdir((__force char __user *)collected, mode);
47207 + sys_chown((__force char __user *)collected, uid, gid);
47208 + sys_chmod((__force char __user *)collected, mode);
47209 dir_add(collected, mtime);
47210 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
47211 S_ISFIFO(mode) || S_ISSOCK(mode)) {
47212 if (maybe_link() == 0) {
47213 - sys_mknod(collected, mode, rdev);
47214 - sys_chown(collected, uid, gid);
47215 - sys_chmod(collected, mode);
47216 - do_utime(collected, mtime);
47217 + sys_mknod((__force char __user *)collected, mode, rdev);
47218 + sys_chown((__force char __user *)collected, uid, gid);
47219 + sys_chmod((__force char __user *)collected, mode);
47220 + do_utime((__force char __user *)collected, mtime);
47224 @@ -336,15 +336,15 @@ static int __init do_name(void)
47225 static int __init do_copy(void)
47227 if (count >= body_len) {
47228 - sys_write(wfd, victim, body_len);
47229 + sys_write(wfd, (__force char __user *)victim, body_len);
47231 - do_utime(vcollected, mtime);
47232 + do_utime((__force char __user *)vcollected, mtime);
47238 - sys_write(wfd, victim, count);
47239 + sys_write(wfd, (__force char __user *)victim, count);
47243 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
47245 collected[N_ALIGN(name_len) + body_len] = '\0';
47246 clean_path(collected, 0);
47247 - sys_symlink(collected + N_ALIGN(name_len), collected);
47248 - sys_lchown(collected, uid, gid);
47249 - do_utime(collected, mtime);
47250 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
47251 + sys_lchown((__force char __user *)collected, uid, gid);
47252 + do_utime((__force char __user *)collected, mtime);
47254 next_state = Reset;
47256 diff -urNp linux-2.6.35.4/init/Kconfig linux-2.6.35.4/init/Kconfig
47257 --- linux-2.6.35.4/init/Kconfig 2010-08-26 19:47:12.000000000 -0400
47258 +++ linux-2.6.35.4/init/Kconfig 2010-09-17 20:12:09.000000000 -0400
47259 @@ -1063,7 +1063,7 @@ config SLUB_DEBUG
47262 bool "Disable heap randomization"
47266 Randomizing heap placement makes heap exploits harder, but it
47267 also breaks ancient binaries (including anything libc5 based).
47268 diff -urNp linux-2.6.35.4/init/main.c linux-2.6.35.4/init/main.c
47269 --- linux-2.6.35.4/init/main.c 2010-08-26 19:47:12.000000000 -0400
47270 +++ linux-2.6.35.4/init/main.c 2010-09-17 20:12:37.000000000 -0400
47271 @@ -98,6 +98,7 @@ static inline void mark_rodata_ro(void)
47273 extern void tc_init(void);
47275 +extern void grsecurity_init(void);
47277 enum system_states system_state __read_mostly;
47278 EXPORT_SYMBOL(system_state);
47279 @@ -200,6 +201,50 @@ static int __init set_reset_devices(char
47281 __setup("reset_devices", set_reset_devices);
47283 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
47284 +extern void pax_enter_kernel_user(void);
47285 +extern void pax_exit_kernel_user(void);
47286 +extern pgdval_t clone_pgd_mask;
47289 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
47290 +static int __init setup_pax_nouderef(char *str)
47292 +#ifdef CONFIG_X86_32
47293 + unsigned int cpu;
47295 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
47296 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
47297 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
47299 + asm("mov %0, %%ds" : : "r" (__KERNEL_DS) : "memory");
47300 + asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory");
47301 + asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
47304 + p = (char *)pax_enter_kernel_user;
47306 + p = (char *)pax_exit_kernel_user;
47308 + clone_pgd_mask = ~(pgdval_t)0UL;
47313 +early_param("pax_nouderef", setup_pax_nouderef);
47316 +#ifdef CONFIG_PAX_SOFTMODE
47317 +unsigned int pax_softmode;
47319 +static int __init setup_pax_softmode(char *str)
47321 + get_option(&str, &pax_softmode);
47324 +__setup("pax_softmode=", setup_pax_softmode);
47327 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
47328 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
47329 static const char *panic_later, *panic_param;
47330 @@ -725,52 +770,53 @@ int initcall_debug;
47331 core_param(initcall_debug, initcall_debug, bool, 0644);
47333 static char msgbuf[64];
47334 -static struct boot_trace_call call;
47335 -static struct boot_trace_ret ret;
47336 +static struct boot_trace_call trace_call;
47337 +static struct boot_trace_ret trace_ret;
47339 int do_one_initcall(initcall_t fn)
47341 int count = preempt_count();
47342 ktime_t calltime, delta, rettime;
47343 + const char *msg1 = "", *msg2 = "";
47345 if (initcall_debug) {
47346 - call.caller = task_pid_nr(current);
47347 - printk("calling %pF @ %i\n", fn, call.caller);
47348 + trace_call.caller = task_pid_nr(current);
47349 + printk("calling %pF @ %i\n", fn, trace_call.caller);
47350 calltime = ktime_get();
47351 - trace_boot_call(&call, fn);
47352 + trace_boot_call(&trace_call, fn);
47353 enable_boot_trace();
47356 - ret.result = fn();
47357 + trace_ret.result = fn();
47359 if (initcall_debug) {
47360 disable_boot_trace();
47361 rettime = ktime_get();
47362 delta = ktime_sub(rettime, calltime);
47363 - ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
47364 - trace_boot_ret(&ret, fn);
47365 + trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
47366 + trace_boot_ret(&trace_ret, fn);
47367 printk("initcall %pF returned %d after %Ld usecs\n", fn,
47368 - ret.result, ret.duration);
47369 + trace_ret.result, trace_ret.duration);
47374 - if (ret.result && ret.result != -ENODEV && initcall_debug)
47375 - sprintf(msgbuf, "error code %d ", ret.result);
47376 + if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
47377 + sprintf(msgbuf, "error code %d ", trace_ret.result);
47379 if (preempt_count() != count) {
47380 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
47381 + msg1 = " preemption imbalance";
47382 preempt_count() = count;
47384 if (irqs_disabled()) {
47385 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
47386 + msg2 = " disabled interrupts";
47387 local_irq_enable();
47390 - printk("initcall %pF returned with %s\n", fn, msgbuf);
47391 + if (msgbuf[0] || *msg1 || *msg2) {
47392 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
47395 - return ret.result;
47396 + return trace_ret.result;
47400 @@ -902,7 +948,7 @@ static int __init kernel_init(void * unu
47403 /* Open the /dev/console on the rootfs, this should never fail */
47404 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
47405 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
47406 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
47409 @@ -915,11 +961,13 @@ static int __init kernel_init(void * unu
47410 if (!ramdisk_execute_command)
47411 ramdisk_execute_command = "/init";
47413 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
47414 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
47415 ramdisk_execute_command = NULL;
47416 prepare_namespace();
47419 + grsecurity_init();
47422 * Ok, we have completed the initial bootup, and
47423 * we're essentially up and running. Get rid of the
47424 diff -urNp linux-2.6.35.4/init/noinitramfs.c linux-2.6.35.4/init/noinitramfs.c
47425 --- linux-2.6.35.4/init/noinitramfs.c 2010-08-26 19:47:12.000000000 -0400
47426 +++ linux-2.6.35.4/init/noinitramfs.c 2010-09-17 20:12:09.000000000 -0400
47427 @@ -29,17 +29,17 @@ static int __init default_rootfs(void)
47431 - err = sys_mkdir("/dev", 0755);
47432 + err = sys_mkdir((const char __user *)"/dev", 0755);
47436 - err = sys_mknod((const char __user *) "/dev/console",
47437 + err = sys_mknod((__force const char __user *) "/dev/console",
47438 S_IFCHR | S_IRUSR | S_IWUSR,
47439 new_encode_dev(MKDEV(5, 1)));
47443 - err = sys_mkdir("/root", 0700);
47444 + err = sys_mkdir((const char __user *)"/root", 0700);
47448 diff -urNp linux-2.6.35.4/ipc/mqueue.c linux-2.6.35.4/ipc/mqueue.c
47449 --- linux-2.6.35.4/ipc/mqueue.c 2010-08-26 19:47:12.000000000 -0400
47450 +++ linux-2.6.35.4/ipc/mqueue.c 2010-09-17 20:12:37.000000000 -0400
47451 @@ -153,6 +153,7 @@ static struct inode *mqueue_get_inode(st
47452 mq_bytes = (mq_msg_tblsz +
47453 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
47455 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
47456 spin_lock(&mq_lock);
47457 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
47458 u->mq_bytes + mq_bytes >
47459 diff -urNp linux-2.6.35.4/ipc/shm.c linux-2.6.35.4/ipc/shm.c
47460 --- linux-2.6.35.4/ipc/shm.c 2010-08-26 19:47:12.000000000 -0400
47461 +++ linux-2.6.35.4/ipc/shm.c 2010-09-17 20:12:37.000000000 -0400
47462 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
47463 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
47466 +#ifdef CONFIG_GRKERNSEC
47467 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
47468 + const time_t shm_createtime, const uid_t cuid,
47469 + const int shmid);
47470 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
47471 + const time_t shm_createtime);
47474 void shm_init_ns(struct ipc_namespace *ns)
47476 ns->shm_ctlmax = SHMMAX;
47477 @@ -395,6 +403,14 @@ static int newseg(struct ipc_namespace *
47478 shp->shm_lprid = 0;
47479 shp->shm_atim = shp->shm_dtim = 0;
47480 shp->shm_ctim = get_seconds();
47481 +#ifdef CONFIG_GRKERNSEC
47483 + struct timespec timeval;
47484 + do_posix_clock_monotonic_gettime(&timeval);
47486 + shp->shm_createtime = timeval.tv_sec;
47489 shp->shm_segsz = size;
47490 shp->shm_nattch = 0;
47491 shp->shm_file = file;
47492 @@ -877,9 +893,21 @@ long do_shmat(int shmid, char __user *sh
47496 +#ifdef CONFIG_GRKERNSEC
47497 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
47498 + shp->shm_perm.cuid, shmid) ||
47499 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
47505 path = shp->shm_file->f_path;
47508 +#ifdef CONFIG_GRKERNSEC
47509 + shp->shm_lapid = current->pid;
47511 size = i_size_read(path.dentry->d_inode);
47514 diff -urNp linux-2.6.35.4/kernel/acct.c linux-2.6.35.4/kernel/acct.c
47515 --- linux-2.6.35.4/kernel/acct.c 2010-08-26 19:47:12.000000000 -0400
47516 +++ linux-2.6.35.4/kernel/acct.c 2010-09-17 20:12:09.000000000 -0400
47517 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
47519 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
47520 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
47521 - file->f_op->write(file, (char *)&ac,
47522 + file->f_op->write(file, (__force char __user *)&ac,
47523 sizeof(acct_t), &file->f_pos);
47524 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
47526 diff -urNp linux-2.6.35.4/kernel/capability.c linux-2.6.35.4/kernel/capability.c
47527 --- linux-2.6.35.4/kernel/capability.c 2010-08-26 19:47:12.000000000 -0400
47528 +++ linux-2.6.35.4/kernel/capability.c 2010-09-17 20:12:37.000000000 -0400
47529 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
47530 * before modification is attempted and the application
47533 + if (tocopy > ARRAY_SIZE(kdata))
47536 if (copy_to_user(dataptr, kdata, tocopy
47537 * sizeof(struct __user_cap_data_struct))) {
47539 @@ -306,10 +309,21 @@ int capable(int cap)
47543 - if (security_capable(cap) == 0) {
47544 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
47545 + current->flags |= PF_SUPERPRIV;
47551 +int capable_nolog(int cap)
47553 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
47554 current->flags |= PF_SUPERPRIV;
47560 EXPORT_SYMBOL(capable);
47561 +EXPORT_SYMBOL(capable_nolog);
47562 diff -urNp linux-2.6.35.4/kernel/configs.c linux-2.6.35.4/kernel/configs.c
47563 --- linux-2.6.35.4/kernel/configs.c 2010-08-26 19:47:12.000000000 -0400
47564 +++ linux-2.6.35.4/kernel/configs.c 2010-09-17 20:12:37.000000000 -0400
47565 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
47566 struct proc_dir_entry *entry;
47568 /* create the current config file */
47569 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
47570 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
47571 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
47572 + &ikconfig_file_ops);
47573 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47574 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
47575 + &ikconfig_file_ops);
47578 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
47579 &ikconfig_file_ops);
47585 diff -urNp linux-2.6.35.4/kernel/cred.c linux-2.6.35.4/kernel/cred.c
47586 --- linux-2.6.35.4/kernel/cred.c 2010-08-26 19:47:12.000000000 -0400
47587 +++ linux-2.6.35.4/kernel/cred.c 2010-09-17 20:12:37.000000000 -0400
47588 @@ -489,6 +489,8 @@ int commit_creds(struct cred *new)
47590 get_cred(new); /* we will require a ref for the subj creds too */
47592 + gr_set_role_label(task, new->uid, new->gid);
47594 /* dumpability changes */
47595 if (old->euid != new->euid ||
47596 old->egid != new->egid ||
47597 diff -urNp linux-2.6.35.4/kernel/debug/debug_core.c linux-2.6.35.4/kernel/debug/debug_core.c
47598 --- linux-2.6.35.4/kernel/debug/debug_core.c 2010-08-26 19:47:12.000000000 -0400
47599 +++ linux-2.6.35.4/kernel/debug/debug_core.c 2010-09-17 20:12:09.000000000 -0400
47600 @@ -71,7 +71,7 @@ int kgdb_io_module_registered;
47601 /* Guard for recursive entry */
47602 static int exception_level;
47604 -struct kgdb_io *dbg_io_ops;
47605 +const struct kgdb_io *dbg_io_ops;
47606 static DEFINE_SPINLOCK(kgdb_registration_lock);
47608 /* kgdb console driver is loaded */
47609 @@ -871,7 +871,7 @@ static void kgdb_initial_breakpoint(void
47611 * Register it with the KGDB core.
47613 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
47614 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
47618 @@ -916,7 +916,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
47620 * Unregister it with the KGDB core.
47622 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
47623 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
47625 BUG_ON(kgdb_connected);
47627 diff -urNp linux-2.6.35.4/kernel/debug/kdb/kdb_main.c linux-2.6.35.4/kernel/debug/kdb/kdb_main.c
47628 --- linux-2.6.35.4/kernel/debug/kdb/kdb_main.c 2010-08-26 19:47:12.000000000 -0400
47629 +++ linux-2.6.35.4/kernel/debug/kdb/kdb_main.c 2010-09-17 20:12:09.000000000 -0400
47630 @@ -1872,7 +1872,7 @@ static int kdb_lsmod(int argc, const cha
47631 list_for_each_entry(mod, kdb_modules, list) {
47633 kdb_printf("%-20s%8u 0x%p ", mod->name,
47634 - mod->core_size, (void *)mod);
47635 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
47636 #ifdef CONFIG_MODULE_UNLOAD
47637 kdb_printf("%4d ", module_refcount(mod));
47639 @@ -1882,7 +1882,7 @@ static int kdb_lsmod(int argc, const cha
47640 kdb_printf(" (Loading)");
47642 kdb_printf(" (Live)");
47643 - kdb_printf(" 0x%p", mod->module_core);
47644 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
47646 #ifdef CONFIG_MODULE_UNLOAD
47648 diff -urNp linux-2.6.35.4/kernel/exit.c linux-2.6.35.4/kernel/exit.c
47649 --- linux-2.6.35.4/kernel/exit.c 2010-08-26 19:47:12.000000000 -0400
47650 +++ linux-2.6.35.4/kernel/exit.c 2010-09-17 20:13:49.000000000 -0400
47652 #include <asm/pgtable.h>
47653 #include <asm/mmu_context.h>
47655 +#ifdef CONFIG_GRKERNSEC
47656 +extern rwlock_t grsec_exec_file_lock;
47659 static void exit_mm(struct task_struct * tsk);
47661 static void __unhash_process(struct task_struct *p, bool group_dead)
47662 @@ -162,6 +166,8 @@ void release_task(struct task_struct * p
47663 struct task_struct *leader;
47666 + gr_del_task_from_ip_table(p);
47668 tracehook_prepare_release_task(p);
47669 /* don't need to get the RCU readlock here - the process is dead and
47670 * can't be modifying its own credentials. But shut RCU-lockdep up */
47671 @@ -331,11 +337,22 @@ static void reparent_to_kthreadd(void)
47673 write_lock_irq(&tasklist_lock);
47675 +#ifdef CONFIG_GRKERNSEC
47676 + write_lock(&grsec_exec_file_lock);
47677 + if (current->exec_file) {
47678 + fput(current->exec_file);
47679 + current->exec_file = NULL;
47681 + write_unlock(&grsec_exec_file_lock);
47684 ptrace_unlink(current);
47685 /* Reparent to init */
47686 current->real_parent = current->parent = kthreadd_task;
47687 list_move_tail(¤t->sibling, ¤t->real_parent->children);
47689 + gr_set_kernel_label(current);
47691 /* Set the exit signal to SIGCHLD so we signal init on exit */
47692 current->exit_signal = SIGCHLD;
47694 @@ -387,7 +404,7 @@ int allow_signal(int sig)
47695 * know it'll be handled, so that they don't get converted to
47696 * SIGKILL or just silently dropped.
47698 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
47699 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
47700 recalc_sigpending();
47701 spin_unlock_irq(¤t->sighand->siglock);
47703 @@ -423,6 +440,17 @@ void daemonize(const char *name, ...)
47704 vsnprintf(current->comm, sizeof(current->comm), name, args);
47707 +#ifdef CONFIG_GRKERNSEC
47708 + write_lock(&grsec_exec_file_lock);
47709 + if (current->exec_file) {
47710 + fput(current->exec_file);
47711 + current->exec_file = NULL;
47713 + write_unlock(&grsec_exec_file_lock);
47716 + gr_set_kernel_label(current);
47719 * If we were started as result of loading a module, close all of the
47720 * user space pages. We don't need them, and if we didn't close them
47721 @@ -960,6 +988,9 @@ NORET_TYPE void do_exit(long code)
47722 tsk->exit_code = code;
47723 taskstats_exit(tsk, group_dead);
47725 + gr_acl_handle_psacct(tsk, code);
47726 + gr_acl_handle_exit();
47731 diff -urNp linux-2.6.35.4/kernel/fork.c linux-2.6.35.4/kernel/fork.c
47732 --- linux-2.6.35.4/kernel/fork.c 2010-08-26 19:47:12.000000000 -0400
47733 +++ linux-2.6.35.4/kernel/fork.c 2010-09-17 20:12:37.000000000 -0400
47734 @@ -276,7 +276,7 @@ static struct task_struct *dup_task_stru
47735 *stackend = STACK_END_MAGIC; /* for overflow detection */
47737 #ifdef CONFIG_CC_STACKPROTECTOR
47738 - tsk->stack_canary = get_random_int();
47739 + tsk->stack_canary = pax_get_random_long();
47742 /* One for us, one for whoever does the "release_task()" (usually parent) */
47743 @@ -298,13 +298,78 @@ out:
47747 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
47749 + struct vm_area_struct *tmp;
47750 + unsigned long charge;
47751 + struct mempolicy *pol;
47752 + struct file *file;
47755 + if (mpnt->vm_flags & VM_ACCOUNT) {
47756 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
47757 + if (security_vm_enough_memory(len))
47761 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
47766 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
47767 + pol = mpol_dup(vma_policy(mpnt));
47769 + goto fail_nomem_policy;
47770 + vma_set_policy(tmp, pol);
47771 + if (anon_vma_fork(tmp, mpnt))
47772 + goto fail_nomem_anon_vma_fork;
47773 + tmp->vm_flags &= ~VM_LOCKED;
47774 + tmp->vm_next = NULL;
47775 + tmp->vm_mirror = NULL;
47776 + file = tmp->vm_file;
47778 + struct inode *inode = file->f_path.dentry->d_inode;
47779 + struct address_space *mapping = file->f_mapping;
47782 + if (tmp->vm_flags & VM_DENYWRITE)
47783 + atomic_dec(&inode->i_writecount);
47784 + spin_lock(&mapping->i_mmap_lock);
47785 + if (tmp->vm_flags & VM_SHARED)
47786 + mapping->i_mmap_writable++;
47787 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
47788 + flush_dcache_mmap_lock(mapping);
47789 + /* insert tmp into the share list, just after mpnt */
47790 + vma_prio_tree_add(tmp, mpnt);
47791 + flush_dcache_mmap_unlock(mapping);
47792 + spin_unlock(&mapping->i_mmap_lock);
47796 + * Clear hugetlb-related page reserves for children. This only
47797 + * affects MAP_PRIVATE mappings. Faults generated by the child
47798 + * are not guaranteed to succeed, even if read-only
47800 + if (is_vm_hugetlb_page(tmp))
47801 + reset_vma_resv_huge_pages(tmp);
47805 +fail_nomem_anon_vma_fork:
47807 +fail_nomem_policy:
47808 + kmem_cache_free(vm_area_cachep, tmp);
47810 + vm_unacct_memory(charge);
47814 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
47816 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
47817 struct rb_node **rb_link, *rb_parent;
47819 - unsigned long charge;
47820 - struct mempolicy *pol;
47822 down_write(&oldmm->mmap_sem);
47823 flush_cache_dup_mm(oldmm);
47824 @@ -316,8 +381,8 @@ static int dup_mmap(struct mm_struct *mm
47827 mm->mmap_cache = NULL;
47828 - mm->free_area_cache = oldmm->mmap_base;
47829 - mm->cached_hole_size = ~0UL;
47830 + mm->free_area_cache = oldmm->free_area_cache;
47831 + mm->cached_hole_size = oldmm->cached_hole_size;
47833 cpumask_clear(mm_cpumask(mm));
47834 mm->mm_rb = RB_ROOT;
47835 @@ -330,8 +395,6 @@ static int dup_mmap(struct mm_struct *mm
47838 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
47839 - struct file *file;
47841 if (mpnt->vm_flags & VM_DONTCOPY) {
47842 long pages = vma_pages(mpnt);
47843 mm->total_vm -= pages;
47844 @@ -339,56 +402,13 @@ static int dup_mmap(struct mm_struct *mm
47849 - if (mpnt->vm_flags & VM_ACCOUNT) {
47850 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
47851 - if (security_vm_enough_memory(len))
47855 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
47859 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
47860 - pol = mpol_dup(vma_policy(mpnt));
47861 - retval = PTR_ERR(pol);
47863 - goto fail_nomem_policy;
47864 - vma_set_policy(tmp, pol);
47865 - if (anon_vma_fork(tmp, mpnt))
47866 - goto fail_nomem_anon_vma_fork;
47867 - tmp->vm_flags &= ~VM_LOCKED;
47869 - tmp->vm_next = tmp->vm_prev = NULL;
47870 - file = tmp->vm_file;
47872 - struct inode *inode = file->f_path.dentry->d_inode;
47873 - struct address_space *mapping = file->f_mapping;
47876 - if (tmp->vm_flags & VM_DENYWRITE)
47877 - atomic_dec(&inode->i_writecount);
47878 - spin_lock(&mapping->i_mmap_lock);
47879 - if (tmp->vm_flags & VM_SHARED)
47880 - mapping->i_mmap_writable++;
47881 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
47882 - flush_dcache_mmap_lock(mapping);
47883 - /* insert tmp into the share list, just after mpnt */
47884 - vma_prio_tree_add(tmp, mpnt);
47885 - flush_dcache_mmap_unlock(mapping);
47886 - spin_unlock(&mapping->i_mmap_lock);
47887 + tmp = dup_vma(mm, mpnt);
47889 + retval = -ENOMEM;
47894 - * Clear hugetlb-related page reserves for children. This only
47895 - * affects MAP_PRIVATE mappings. Faults generated by the child
47896 - * are not guaranteed to succeed, even if read-only
47898 - if (is_vm_hugetlb_page(tmp))
47899 - reset_vma_resv_huge_pages(tmp);
47902 * Link in the new vma and copy the page table entries.
47905 @@ -409,6 +429,31 @@ static int dup_mmap(struct mm_struct *mm
47910 +#ifdef CONFIG_PAX_SEGMEXEC
47911 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
47912 + struct vm_area_struct *mpnt_m;
47914 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
47915 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
47917 + if (!mpnt->vm_mirror)
47920 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
47921 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
47922 + mpnt->vm_mirror = mpnt_m;
47924 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
47925 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
47926 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
47927 + mpnt->vm_mirror->vm_mirror = mpnt;
47934 /* a new mm has just been created */
47935 arch_dup_mmap(oldmm, mm);
47937 @@ -417,14 +462,6 @@ out:
47938 flush_tlb_mm(oldmm);
47939 up_write(&oldmm->mmap_sem);
47941 -fail_nomem_anon_vma_fork:
47943 -fail_nomem_policy:
47944 - kmem_cache_free(vm_area_cachep, tmp);
47946 - retval = -ENOMEM;
47947 - vm_unacct_memory(charge);
47951 static inline int mm_alloc_pgd(struct mm_struct * mm)
47952 @@ -760,13 +797,14 @@ static int copy_fs(unsigned long clone_f
47953 write_unlock(&fs->lock);
47957 + atomic_inc(&fs->users);
47958 write_unlock(&fs->lock);
47961 tsk->fs = copy_fs_struct(fs);
47964 + gr_set_chroot_entries(tsk, &tsk->fs->root);
47968 @@ -1019,10 +1057,13 @@ static struct task_struct *copy_process(
47970 if (!vx_nproc_avail(1))
47971 goto bad_fork_free;
47973 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
47975 if (atomic_read(&p->real_cred->user->processes) >=
47976 task_rlimit(p, RLIMIT_NPROC)) {
47977 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
47978 - p->real_cred->user != INIT_USER)
47979 + if (p->real_cred->user != INIT_USER &&
47980 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
47981 goto bad_fork_free;
47984 @@ -1176,6 +1217,8 @@ static struct task_struct *copy_process(
47985 goto bad_fork_free_pid;
47988 + gr_copy_label(p);
47990 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
47992 * Clear TID on mm_release()?
47993 @@ -1328,6 +1371,8 @@ bad_fork_cleanup_count:
47997 + gr_log_forkfail(retval);
47999 return ERR_PTR(retval);
48002 @@ -1433,6 +1478,8 @@ long do_fork(unsigned long clone_flags,
48003 if (clone_flags & CLONE_PARENT_SETTID)
48004 put_user(nr, parent_tidptr);
48006 + gr_handle_brute_check();
48008 if (clone_flags & CLONE_VFORK) {
48009 p->vfork_done = &vfork;
48010 init_completion(&vfork);
48011 @@ -1557,7 +1604,7 @@ static int unshare_fs(unsigned long unsh
48014 /* don't need lock here; in the worst case we'll do useless copy */
48015 - if (fs->users == 1)
48016 + if (atomic_read(&fs->users) == 1)
48019 *new_fsp = copy_fs_struct(fs);
48020 @@ -1680,7 +1727,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
48022 write_lock(&fs->lock);
48023 current->fs = new_fs;
48025 + gr_set_chroot_entries(current, ¤t->fs->root);
48026 + if (atomic_dec_return(&fs->users))
48030 diff -urNp linux-2.6.35.4/kernel/futex.c linux-2.6.35.4/kernel/futex.c
48031 --- linux-2.6.35.4/kernel/futex.c 2010-08-26 19:47:12.000000000 -0400
48032 +++ linux-2.6.35.4/kernel/futex.c 2010-09-17 20:12:37.000000000 -0400
48034 #include <linux/mount.h>
48035 #include <linux/pagemap.h>
48036 #include <linux/syscalls.h>
48037 +#include <linux/ptrace.h>
48038 #include <linux/signal.h>
48039 #include <linux/module.h>
48040 #include <linux/magic.h>
48041 @@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
48045 +#ifdef CONFIG_PAX_SEGMEXEC
48046 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
48051 * The futex address must be "naturally" aligned.
48053 @@ -1843,7 +1849,7 @@ retry:
48055 restart = ¤t_thread_info()->restart_block;
48056 restart->fn = futex_wait_restart;
48057 - restart->futex.uaddr = (u32 *)uaddr;
48058 + restart->futex.uaddr = uaddr;
48059 restart->futex.val = val;
48060 restart->futex.time = abs_time->tv64;
48061 restart->futex.bitset = bitset;
48062 @@ -2376,7 +2382,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
48064 struct robust_list_head __user *head;
48066 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
48067 const struct cred *cred = current_cred(), *pcred;
48070 if (!futex_cmpxchg_enabled)
48072 @@ -2392,11 +2400,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
48076 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48077 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
48080 pcred = __task_cred(p);
48081 if (cred->euid != pcred->euid &&
48082 cred->euid != pcred->uid &&
48083 !capable(CAP_SYS_PTRACE))
48086 head = p->robust_list;
48089 @@ -2458,7 +2471,7 @@ retry:
48091 static inline int fetch_robust_entry(struct robust_list __user **entry,
48092 struct robust_list __user * __user *head,
48094 + unsigned int *pi)
48096 unsigned long uentry;
48098 diff -urNp linux-2.6.35.4/kernel/futex_compat.c linux-2.6.35.4/kernel/futex_compat.c
48099 --- linux-2.6.35.4/kernel/futex_compat.c 2010-08-26 19:47:12.000000000 -0400
48100 +++ linux-2.6.35.4/kernel/futex_compat.c 2010-09-17 20:12:37.000000000 -0400
48102 #include <linux/compat.h>
48103 #include <linux/nsproxy.h>
48104 #include <linux/futex.h>
48105 +#include <linux/ptrace.h>
48107 #include <asm/uaccess.h>
48109 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
48111 struct compat_robust_list_head __user *head;
48113 - const struct cred *cred = current_cred(), *pcred;
48114 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
48115 + const struct cred *cred = current_cred();
48116 + const struct cred *pcred;
48119 if (!futex_cmpxchg_enabled)
48121 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
48125 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48126 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
48129 pcred = __task_cred(p);
48130 if (cred->euid != pcred->euid &&
48131 cred->euid != pcred->uid &&
48132 !capable(CAP_SYS_PTRACE))
48135 head = p->compat_robust_list;
48138 diff -urNp linux-2.6.35.4/kernel/gcov/base.c linux-2.6.35.4/kernel/gcov/base.c
48139 --- linux-2.6.35.4/kernel/gcov/base.c 2010-08-26 19:47:12.000000000 -0400
48140 +++ linux-2.6.35.4/kernel/gcov/base.c 2010-09-17 20:12:09.000000000 -0400
48141 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
48144 #ifdef CONFIG_MODULES
48145 -static inline int within(void *addr, void *start, unsigned long size)
48147 - return ((addr >= start) && (addr < start + size));
48150 /* Update list and generate events when modules are unloaded. */
48151 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
48153 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
48155 /* Remove entries located in module from linked list. */
48156 for (info = gcov_info_head; info; info = info->next) {
48157 - if (within(info, mod->module_core, mod->core_size)) {
48158 + if (within_module_core_rw((unsigned long)info, mod)) {
48160 prev->next = info->next;
48162 diff -urNp linux-2.6.35.4/kernel/hrtimer.c linux-2.6.35.4/kernel/hrtimer.c
48163 --- linux-2.6.35.4/kernel/hrtimer.c 2010-08-26 19:47:12.000000000 -0400
48164 +++ linux-2.6.35.4/kernel/hrtimer.c 2010-09-17 20:12:09.000000000 -0400
48165 @@ -1398,7 +1398,7 @@ void hrtimer_peek_ahead_timers(void)
48166 local_irq_restore(flags);
48169 -static void run_hrtimer_softirq(struct softirq_action *h)
48170 +static void run_hrtimer_softirq(void)
48172 hrtimer_peek_ahead_timers();
48174 diff -urNp linux-2.6.35.4/kernel/kallsyms.c linux-2.6.35.4/kernel/kallsyms.c
48175 --- linux-2.6.35.4/kernel/kallsyms.c 2010-08-26 19:47:12.000000000 -0400
48176 +++ linux-2.6.35.4/kernel/kallsyms.c 2010-09-17 20:12:37.000000000 -0400
48178 * Changed the compression method from stem compression to "table lookup"
48179 * compression (see scripts/kallsyms.c for a more complete description)
48181 +#ifdef CONFIG_GRKERNSEC_HIDESYM
48182 +#define __INCLUDED_BY_HIDESYM 1
48184 #include <linux/kallsyms.h>
48185 #include <linux/module.h>
48186 #include <linux/init.h>
48187 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
48189 static inline int is_kernel_inittext(unsigned long addr)
48191 + if (system_state != SYSTEM_BOOTING)
48194 if (addr >= (unsigned long)_sinittext
48195 && addr <= (unsigned long)_einittext)
48200 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48201 +#ifdef CONFIG_MODULES
48202 +static inline int is_module_text(unsigned long addr)
48204 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
48207 + addr = ktla_ktva(addr);
48208 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
48211 +static inline int is_module_text(unsigned long addr)
48218 static inline int is_kernel_text(unsigned long addr)
48220 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
48221 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
48223 static inline int is_kernel(unsigned long addr)
48226 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48227 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
48230 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
48232 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
48236 return in_gate_area_no_task(addr);
48239 static int is_ksym_addr(unsigned long addr)
48242 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48243 + if (is_module_text(addr))
48248 return is_kernel(addr);
48250 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
48252 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
48254 - iter->name[0] = '\0';
48255 iter->nameoff = get_symbol_offset(new_pos);
48256 iter->pos = new_pos;
48258 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
48260 struct kallsym_iter *iter = m->private;
48262 +#ifdef CONFIG_GRKERNSEC_HIDESYM
48263 + if (current_uid())
48267 /* Some debugging symbols have no name. Ignore them. */
48268 if (!iter->name[0])
48270 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
48271 struct kallsym_iter *iter;
48274 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
48275 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
48278 reset_iter(iter, 0);
48279 diff -urNp linux-2.6.35.4/kernel/kmod.c linux-2.6.35.4/kernel/kmod.c
48280 --- linux-2.6.35.4/kernel/kmod.c 2010-08-26 19:47:12.000000000 -0400
48281 +++ linux-2.6.35.4/kernel/kmod.c 2010-09-17 20:12:37.000000000 -0400
48282 @@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
48286 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
48287 + /* we could do a tighter check here, but some distros
48288 + are taking it upon themselves to remove CAP_SYS_MODULE
48289 + from even root-running apps which cause modules to be
48292 + if (current_uid()) {
48293 + gr_log_nonroot_mod_load(module_name);
48298 /* If modprobe needs a service that is in a module, we get a recursive
48299 * loop. Limit the number of running kmod threads to max_threads/2 or
48300 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
48301 diff -urNp linux-2.6.35.4/kernel/kprobes.c linux-2.6.35.4/kernel/kprobes.c
48302 --- linux-2.6.35.4/kernel/kprobes.c 2010-08-26 19:47:12.000000000 -0400
48303 +++ linux-2.6.35.4/kernel/kprobes.c 2010-09-17 20:12:09.000000000 -0400
48304 @@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
48305 * kernel image and loaded module images reside. This is required
48306 * so x86_64 can correctly handle the %rip-relative fixups.
48308 - kip->insns = module_alloc(PAGE_SIZE);
48309 + kip->insns = module_alloc_exec(PAGE_SIZE);
48313 @@ -223,7 +223,7 @@ static int __kprobes collect_one_slot(st
48315 if (!list_is_singular(&kip->list)) {
48316 list_del(&kip->list);
48317 - module_free(NULL, kip->insns);
48318 + module_free_exec(NULL, kip->insns);
48322 @@ -1709,7 +1709,7 @@ static int __init init_kprobes(void)
48325 unsigned long offset = 0, size = 0;
48326 - char *modname, namebuf[128];
48327 + char *modname, namebuf[KSYM_NAME_LEN];
48328 const char *symbol_name;
48330 struct kprobe_blackpoint *kb;
48331 @@ -1835,7 +1835,7 @@ static int __kprobes show_kprobe_addr(st
48332 const char *sym = NULL;
48333 unsigned int i = *(loff_t *) v;
48334 unsigned long offset = 0;
48335 - char *modname, namebuf[128];
48336 + char *modname, namebuf[KSYM_NAME_LEN];
48338 head = &kprobe_table[i];
48340 diff -urNp linux-2.6.35.4/kernel/lockdep.c linux-2.6.35.4/kernel/lockdep.c
48341 --- linux-2.6.35.4/kernel/lockdep.c 2010-08-26 19:47:12.000000000 -0400
48342 +++ linux-2.6.35.4/kernel/lockdep.c 2010-09-17 20:12:09.000000000 -0400
48343 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
48344 end = (unsigned long) &_end,
48345 addr = (unsigned long) obj;
48347 +#ifdef CONFIG_PAX_KERNEXEC
48348 + start = ktla_ktva(start);
48354 @@ -696,6 +700,7 @@ register_lock_class(struct lockdep_map *
48355 if (!static_obj(lock->key)) {
48357 printk("INFO: trying to register non-static key.\n");
48358 + printk("lock:%pS key:%pS.\n", lock, lock->key);
48359 printk("the code is fine but needs lockdep annotation.\n");
48360 printk("turning off the locking correctness validator.\n");
48362 diff -urNp linux-2.6.35.4/kernel/lockdep_proc.c linux-2.6.35.4/kernel/lockdep_proc.c
48363 --- linux-2.6.35.4/kernel/lockdep_proc.c 2010-08-26 19:47:12.000000000 -0400
48364 +++ linux-2.6.35.4/kernel/lockdep_proc.c 2010-09-17 20:12:09.000000000 -0400
48365 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
48367 static void print_name(struct seq_file *m, struct lock_class *class)
48370 + char str[KSYM_NAME_LEN];
48371 const char *name = class->name;
48374 diff -urNp linux-2.6.35.4/kernel/module.c linux-2.6.35.4/kernel/module.c
48375 --- linux-2.6.35.4/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
48376 +++ linux-2.6.35.4/kernel/module.c 2010-09-17 20:12:37.000000000 -0400
48377 @@ -96,7 +96,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
48379 /* Bounds of module allocation, for speeding __module_address.
48380 * Protected by module_mutex. */
48381 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
48382 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
48383 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
48385 int register_module_notifier(struct notifier_block * nb)
48387 @@ -250,7 +251,7 @@ bool each_symbol(bool (*fn)(const struct
48390 list_for_each_entry_rcu(mod, &modules, list) {
48391 - struct symsearch arr[] = {
48392 + struct symsearch modarr[] = {
48393 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
48394 NOT_GPL_ONLY, false },
48395 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
48396 @@ -272,7 +273,7 @@ bool each_symbol(bool (*fn)(const struct
48400 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
48401 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
48405 @@ -383,7 +384,7 @@ static inline void __percpu *mod_percpu(
48406 static int percpu_modalloc(struct module *mod,
48407 unsigned long size, unsigned long align)
48409 - if (align > PAGE_SIZE) {
48410 + if (align-1 >= PAGE_SIZE) {
48411 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
48412 mod->name, align, PAGE_SIZE);
48414 @@ -1562,7 +1563,8 @@ static void free_module(struct module *m
48415 destroy_params(mod->kp, mod->num_kp);
48417 /* This may be NULL, but that's OK */
48418 - module_free(mod, mod->module_init);
48419 + module_free(mod, mod->module_init_rw);
48420 + module_free_exec(mod, mod->module_init_rx);
48422 percpu_modfree(mod);
48423 #if defined(CONFIG_MODULE_UNLOAD)
48424 @@ -1570,10 +1572,12 @@ static void free_module(struct module *m
48425 free_percpu(mod->refptr);
48427 /* Free lock-classes: */
48428 - lockdep_free_key_range(mod->module_core, mod->core_size);
48429 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
48430 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
48432 /* Finally, free the core (containing the module structure) */
48433 - module_free(mod, mod->module_core);
48434 + module_free_exec(mod, mod->module_core_rx);
48435 + module_free(mod, mod->module_core_rw);
48438 update_protections(current->mm);
48439 @@ -1670,7 +1674,9 @@ static int simplify_symbols(Elf_Shdr *se
48441 /* Ok if resolved. */
48442 if (ksym && !IS_ERR(ksym)) {
48443 + pax_open_kernel();
48444 sym[i].st_value = ksym->value;
48445 + pax_close_kernel();
48449 @@ -1690,7 +1696,9 @@ static int simplify_symbols(Elf_Shdr *se
48450 secbase = (unsigned long)mod_percpu(mod);
48452 secbase = sechdrs[sym[i].st_shndx].sh_addr;
48453 + pax_open_kernel();
48454 sym[i].st_value += secbase;
48455 + pax_close_kernel();
48459 @@ -1751,11 +1759,12 @@ static void layout_sections(struct modul
48460 || s->sh_entsize != ~0UL
48461 || strstarts(secstrings + s->sh_name, ".init"))
48463 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
48464 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
48465 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
48467 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
48468 DEBUGP("\t%s\n", secstrings + s->sh_name);
48471 - mod->core_text_size = mod->core_size;
48474 DEBUGP("Init section allocation order:\n");
48475 @@ -1768,12 +1777,13 @@ static void layout_sections(struct modul
48476 || s->sh_entsize != ~0UL
48477 || !strstarts(secstrings + s->sh_name, ".init"))
48479 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
48480 - | INIT_OFFSET_MASK);
48481 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
48482 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
48484 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
48485 + s->sh_entsize |= INIT_OFFSET_MASK;
48486 DEBUGP("\t%s\n", secstrings + s->sh_name);
48489 - mod->init_text_size = mod->init_size;
48493 @@ -1877,9 +1887,8 @@ static int is_exported(const char *name,
48496 static char elf_type(const Elf_Sym *sym,
48497 - Elf_Shdr *sechdrs,
48498 - const char *secstrings,
48499 - struct module *mod)
48500 + const Elf_Shdr *sechdrs,
48501 + const char *secstrings)
48503 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
48504 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
48505 @@ -1954,7 +1963,7 @@ static unsigned long layout_symtab(struc
48507 /* Put symbol section at end of init part of module. */
48508 symsect->sh_flags |= SHF_ALLOC;
48509 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
48510 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
48511 symindex) | INIT_OFFSET_MASK;
48512 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
48514 @@ -1971,19 +1980,19 @@ static unsigned long layout_symtab(struc
48517 /* Append room for core symbols at end of core part. */
48518 - symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
48519 - mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
48520 + symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
48521 + mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
48523 /* Put string table section at end of init part of module. */
48524 strsect->sh_flags |= SHF_ALLOC;
48525 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
48526 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
48527 strindex) | INIT_OFFSET_MASK;
48528 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
48530 /* Append room for core symbols' strings at end of core part. */
48531 - *pstroffs = mod->core_size;
48532 + *pstroffs = mod->core_size_rx;
48533 __set_bit(0, strmap);
48534 - mod->core_size += bitmap_weight(strmap, strsect->sh_size);
48535 + mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
48539 @@ -2007,12 +2016,14 @@ static void add_kallsyms(struct module *
48540 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
48541 mod->strtab = (void *)sechdrs[strindex].sh_addr;
48543 + pax_open_kernel();
48545 /* Set types up while we still have access to sections. */
48546 for (i = 0; i < mod->num_symtab; i++)
48547 mod->symtab[i].st_info
48548 - = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
48549 + = elf_type(&mod->symtab[i], sechdrs, secstrings);
48551 - mod->core_symtab = dst = mod->module_core + symoffs;
48552 + mod->core_symtab = dst = mod->module_core_rx + symoffs;
48555 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
48556 @@ -2024,10 +2035,12 @@ static void add_kallsyms(struct module *
48558 mod->core_num_syms = ndst;
48560 - mod->core_strtab = s = mod->module_core + stroffs;
48561 + mod->core_strtab = s = mod->module_core_rx + stroffs;
48562 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
48563 if (test_bit(i, strmap))
48564 *++s = mod->strtab[i];
48566 + pax_close_kernel();
48569 static inline unsigned long layout_symtab(struct module *mod,
48570 @@ -2070,17 +2083,33 @@ static void dynamic_debug_remove(struct
48571 ddebug_remove_module(debug->modname);
48574 -static void *module_alloc_update_bounds(unsigned long size)
48575 +static void *module_alloc_update_bounds_rw(unsigned long size)
48577 void *ret = module_alloc(size);
48580 mutex_lock(&module_mutex);
48581 /* Update module bounds. */
48582 - if ((unsigned long)ret < module_addr_min)
48583 - module_addr_min = (unsigned long)ret;
48584 - if ((unsigned long)ret + size > module_addr_max)
48585 - module_addr_max = (unsigned long)ret + size;
48586 + if ((unsigned long)ret < module_addr_min_rw)
48587 + module_addr_min_rw = (unsigned long)ret;
48588 + if ((unsigned long)ret + size > module_addr_max_rw)
48589 + module_addr_max_rw = (unsigned long)ret + size;
48590 + mutex_unlock(&module_mutex);
48595 +static void *module_alloc_update_bounds_rx(unsigned long size)
48597 + void *ret = module_alloc_exec(size);
48600 + mutex_lock(&module_mutex);
48601 + /* Update module bounds. */
48602 + if ((unsigned long)ret < module_addr_min_rx)
48603 + module_addr_min_rx = (unsigned long)ret;
48604 + if ((unsigned long)ret + size > module_addr_max_rx)
48605 + module_addr_max_rx = (unsigned long)ret + size;
48606 mutex_unlock(&module_mutex);
48609 @@ -2284,7 +2313,7 @@ static noinline struct module *load_modu
48610 secstrings, &stroffs, strmap);
48612 /* Do the allocs. */
48613 - ptr = module_alloc_update_bounds(mod->core_size);
48614 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
48616 * The pointer to this block is stored in the module structure
48617 * which is inside the block. Just mark it as not being a
48618 @@ -2295,23 +2324,47 @@ static noinline struct module *load_modu
48622 - memset(ptr, 0, mod->core_size);
48623 - mod->module_core = ptr;
48624 + memset(ptr, 0, mod->core_size_rw);
48625 + mod->module_core_rw = ptr;
48627 - ptr = module_alloc_update_bounds(mod->init_size);
48628 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
48630 * The pointer to this block is stored in the module structure
48631 * which is inside the block. This block doesn't need to be
48632 * scanned as it contains data and code that will be freed
48633 * after the module is initialized.
48635 - kmemleak_ignore(ptr);
48636 - if (!ptr && mod->init_size) {
48637 + kmemleak_not_leak(ptr);
48638 + if (!ptr && mod->init_size_rw) {
48640 + goto free_core_rw;
48642 + memset(ptr, 0, mod->init_size_rw);
48643 + mod->module_init_rw = ptr;
48645 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
48646 + kmemleak_not_leak(ptr);
48649 + goto free_init_rw;
48652 + pax_open_kernel();
48653 + memset(ptr, 0, mod->core_size_rx);
48654 + pax_close_kernel();
48655 + mod->module_core_rx = ptr;
48657 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
48658 + kmemleak_not_leak(ptr);
48659 + if (!ptr && mod->init_size_rx) {
48662 + goto free_core_rx;
48664 - memset(ptr, 0, mod->init_size);
48665 - mod->module_init = ptr;
48667 + pax_open_kernel();
48668 + memset(ptr, 0, mod->init_size_rx);
48669 + pax_close_kernel();
48670 + mod->module_init_rx = ptr;
48672 /* Transfer each section which specifies SHF_ALLOC */
48673 DEBUGP("final section addresses:\n");
48674 @@ -2321,17 +2374,41 @@ static noinline struct module *load_modu
48675 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
48678 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
48679 - dest = mod->module_init
48680 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48682 - dest = mod->module_core + sechdrs[i].sh_entsize;
48683 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
48684 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
48685 + dest = mod->module_init_rw
48686 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48688 + dest = mod->module_init_rx
48689 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48691 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
48692 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
48694 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
48697 + if (sechdrs[i].sh_type != SHT_NOBITS) {
48699 - if (sechdrs[i].sh_type != SHT_NOBITS)
48700 - memcpy(dest, (void *)sechdrs[i].sh_addr,
48701 - sechdrs[i].sh_size);
48702 +#ifdef CONFIG_PAX_KERNEXEC
48703 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
48704 + pax_open_kernel();
48705 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
48706 + pax_close_kernel();
48710 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
48712 /* Update sh_addr to point to copy in image. */
48713 - sechdrs[i].sh_addr = (unsigned long)dest;
48715 +#ifdef CONFIG_PAX_KERNEXEC
48716 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
48717 + sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
48721 + sechdrs[i].sh_addr = (unsigned long)dest;
48722 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
48724 /* Module has been moved. */
48725 @@ -2342,7 +2419,7 @@ static noinline struct module *load_modu
48726 mod->refptr = alloc_percpu(struct module_ref);
48727 if (!mod->refptr) {
48730 + goto free_init_rx;
48733 /* Now we've moved module, initialize linked lists, etc. */
48734 @@ -2452,8 +2529,8 @@ static noinline struct module *load_modu
48736 /* Now do relocations. */
48737 for (i = 1; i < hdr->e_shnum; i++) {
48738 - const char *strtab = (char *)sechdrs[strindex].sh_addr;
48739 unsigned int info = sechdrs[i].sh_info;
48740 + strtab = (char *)sechdrs[strindex].sh_addr;
48742 /* Not a valid relocation section? */
48743 if (info >= hdr->e_shnum)
48744 @@ -2503,12 +2580,12 @@ static noinline struct module *load_modu
48745 * Do it before processing of module parameters, so the module
48746 * can provide parameter accessor functions of its own.
48748 - if (mod->module_init)
48749 - flush_icache_range((unsigned long)mod->module_init,
48750 - (unsigned long)mod->module_init
48751 - + mod->init_size);
48752 - flush_icache_range((unsigned long)mod->module_core,
48753 - (unsigned long)mod->module_core + mod->core_size);
48754 + if (mod->module_init_rx)
48755 + flush_icache_range((unsigned long)mod->module_init_rx,
48756 + (unsigned long)mod->module_init_rx
48757 + + mod->init_size_rx);
48758 + flush_icache_range((unsigned long)mod->module_core_rx,
48759 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
48763 @@ -2574,12 +2651,16 @@ static noinline struct module *load_modu
48765 module_unload_free(mod);
48766 #if defined(CONFIG_MODULE_UNLOAD)
48768 free_percpu(mod->refptr);
48771 - module_free(mod, mod->module_init);
48773 - module_free(mod, mod->module_core);
48774 + module_free_exec(mod, mod->module_init_rx);
48776 + module_free_exec(mod, mod->module_core_rx);
48778 + module_free(mod, mod->module_init_rw);
48780 + module_free(mod, mod->module_core_rw);
48781 /* mod will be freed with core. Don't access it beyond this line! */
48783 free_percpu(percpu);
48784 @@ -2669,10 +2750,12 @@ SYSCALL_DEFINE3(init_module, void __user
48785 mod->symtab = mod->core_symtab;
48786 mod->strtab = mod->core_strtab;
48788 - module_free(mod, mod->module_init);
48789 - mod->module_init = NULL;
48790 - mod->init_size = 0;
48791 - mod->init_text_size = 0;
48792 + module_free(mod, mod->module_init_rw);
48793 + module_free_exec(mod, mod->module_init_rx);
48794 + mod->module_init_rw = NULL;
48795 + mod->module_init_rx = NULL;
48796 + mod->init_size_rw = 0;
48797 + mod->init_size_rx = 0;
48798 mutex_unlock(&module_mutex);
48801 @@ -2703,10 +2786,16 @@ static const char *get_ksymbol(struct mo
48802 unsigned long nextval;
48804 /* At worse, next value is at end of module */
48805 - if (within_module_init(addr, mod))
48806 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
48807 + if (within_module_init_rx(addr, mod))
48808 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
48809 + else if (within_module_init_rw(addr, mod))
48810 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
48811 + else if (within_module_core_rx(addr, mod))
48812 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
48813 + else if (within_module_core_rw(addr, mod))
48814 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
48816 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
48819 /* Scan for closest preceeding symbol, and next symbol. (ELF
48820 starts real symbols at 1). */
48821 @@ -2952,7 +3041,7 @@ static int m_show(struct seq_file *m, vo
48824 seq_printf(m, "%s %u",
48825 - mod->name, mod->init_size + mod->core_size);
48826 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
48827 print_unload_info(m, mod);
48829 /* Informative for users. */
48830 @@ -2961,7 +3050,7 @@ static int m_show(struct seq_file *m, vo
48831 mod->state == MODULE_STATE_COMING ? "Loading":
48833 /* Used by oprofile and other similar tools. */
48834 - seq_printf(m, " 0x%p", mod->module_core);
48835 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
48839 @@ -2997,7 +3086,17 @@ static const struct file_operations proc
48841 static int __init proc_modules_init(void)
48843 +#ifndef CONFIG_GRKERNSEC_HIDESYM
48844 +#ifdef CONFIG_GRKERNSEC_PROC_USER
48845 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
48846 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48847 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
48849 proc_create("modules", 0, NULL, &proc_modules_operations);
48852 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
48856 module_init(proc_modules_init);
48857 @@ -3056,12 +3155,12 @@ struct module *__module_address(unsigned
48859 struct module *mod;
48861 - if (addr < module_addr_min || addr > module_addr_max)
48862 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
48863 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
48866 list_for_each_entry_rcu(mod, &modules, list)
48867 - if (within_module_core(addr, mod)
48868 - || within_module_init(addr, mod))
48869 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
48873 @@ -3095,11 +3194,20 @@ bool is_module_text_address(unsigned lon
48875 struct module *__module_text_address(unsigned long addr)
48877 - struct module *mod = __module_address(addr);
48878 + struct module *mod;
48880 +#ifdef CONFIG_X86_32
48881 + addr = ktla_ktva(addr);
48884 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
48887 + mod = __module_address(addr);
48890 /* Make sure it's within the text section. */
48891 - if (!within(addr, mod->module_init, mod->init_text_size)
48892 - && !within(addr, mod->module_core, mod->core_text_size))
48893 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
48897 diff -urNp linux-2.6.35.4/kernel/panic.c linux-2.6.35.4/kernel/panic.c
48898 --- linux-2.6.35.4/kernel/panic.c 2010-08-26 19:47:12.000000000 -0400
48899 +++ linux-2.6.35.4/kernel/panic.c 2010-09-17 20:12:09.000000000 -0400
48900 @@ -429,7 +429,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
48902 void __stack_chk_fail(void)
48904 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
48906 + panic("stack-protector: Kernel stack is corrupted in: %pS\n",
48907 __builtin_return_address(0));
48909 EXPORT_SYMBOL(__stack_chk_fail);
48910 diff -urNp linux-2.6.35.4/kernel/pid.c linux-2.6.35.4/kernel/pid.c
48911 --- linux-2.6.35.4/kernel/pid.c 2010-08-26 19:47:12.000000000 -0400
48912 +++ linux-2.6.35.4/kernel/pid.c 2010-09-17 20:12:37.000000000 -0400
48914 #include <linux/rculist.h>
48915 #include <linux/bootmem.h>
48916 #include <linux/hash.h>
48917 +#include <linux/security.h>
48918 #include <linux/pid_namespace.h>
48919 #include <linux/init_task.h>
48920 #include <linux/syscalls.h>
48921 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
48923 int pid_max = PID_MAX_DEFAULT;
48925 -#define RESERVED_PIDS 300
48926 +#define RESERVED_PIDS 500
48928 int pid_max_min = RESERVED_PIDS + 1;
48929 int pid_max_max = PID_MAX_LIMIT;
48930 @@ -382,7 +383,14 @@ EXPORT_SYMBOL(pid_task);
48932 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
48934 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
48935 + struct task_struct *task;
48937 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
48939 + if (gr_pid_is_chrooted(task))
48945 struct task_struct *find_task_by_vpid(pid_t vnr)
48946 diff -urNp linux-2.6.35.4/kernel/posix-cpu-timers.c linux-2.6.35.4/kernel/posix-cpu-timers.c
48947 --- linux-2.6.35.4/kernel/posix-cpu-timers.c 2010-08-26 19:47:12.000000000 -0400
48948 +++ linux-2.6.35.4/kernel/posix-cpu-timers.c 2010-09-17 20:12:37.000000000 -0400
48950 #include <linux/posix-timers.h>
48951 #include <linux/errno.h>
48952 #include <linux/math64.h>
48953 +#include <linux/security.h>
48954 #include <asm/uaccess.h>
48955 #include <linux/kernel_stat.h>
48956 #include <trace/events/timer.h>
48957 @@ -972,6 +973,7 @@ static void check_thread_timers(struct t
48958 unsigned long hard =
48959 ACCESS_ONCE(sig->rlim[RLIMIT_RTTIME].rlim_max);
48961 + gr_learn_resource(tsk, RLIMIT_RTTIME, tsk->rt.timeout * (USEC_PER_SEC/HZ), 1);
48962 if (hard != RLIM_INFINITY &&
48963 tsk->rt.timeout > DIV_ROUND_UP(hard, USEC_PER_SEC/HZ)) {
48965 @@ -1138,6 +1140,7 @@ static void check_process_timers(struct
48966 unsigned long hard =
48967 ACCESS_ONCE(sig->rlim[RLIMIT_CPU].rlim_max);
48969 + gr_learn_resource(tsk, RLIMIT_CPU, psecs, 0);
48970 if (psecs >= hard) {
48972 * At the hard limit, we just die.
48973 diff -urNp linux-2.6.35.4/kernel/power/hibernate.c linux-2.6.35.4/kernel/power/hibernate.c
48974 --- linux-2.6.35.4/kernel/power/hibernate.c 2010-08-26 19:47:12.000000000 -0400
48975 +++ linux-2.6.35.4/kernel/power/hibernate.c 2010-09-17 20:12:09.000000000 -0400
48976 @@ -50,14 +50,14 @@ enum {
48978 static int hibernation_mode = HIBERNATION_SHUTDOWN;
48980 -static struct platform_hibernation_ops *hibernation_ops;
48981 +static const struct platform_hibernation_ops *hibernation_ops;
48984 * hibernation_set_ops - set the global hibernate operations
48985 * @ops: the hibernation operations to use in subsequent hibernation transitions
48988 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
48989 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
48991 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
48992 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
48993 diff -urNp linux-2.6.35.4/kernel/power/poweroff.c linux-2.6.35.4/kernel/power/poweroff.c
48994 --- linux-2.6.35.4/kernel/power/poweroff.c 2010-08-26 19:47:12.000000000 -0400
48995 +++ linux-2.6.35.4/kernel/power/poweroff.c 2010-09-17 20:12:09.000000000 -0400
48996 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
48997 .enable_mask = SYSRQ_ENABLE_BOOT,
49000 -static int pm_sysrq_init(void)
49001 +static int __init pm_sysrq_init(void)
49003 register_sysrq_key('o', &sysrq_poweroff_op);
49005 diff -urNp linux-2.6.35.4/kernel/power/process.c linux-2.6.35.4/kernel/power/process.c
49006 --- linux-2.6.35.4/kernel/power/process.c 2010-08-26 19:47:12.000000000 -0400
49007 +++ linux-2.6.35.4/kernel/power/process.c 2010-09-17 20:12:09.000000000 -0400
49008 @@ -38,12 +38,15 @@ static int try_to_freeze_tasks(bool sig_
49009 struct timeval start, end;
49010 u64 elapsed_csecs64;
49011 unsigned int elapsed_csecs;
49012 + bool timedout = false;
49014 do_gettimeofday(&start);
49016 end_time = jiffies + TIMEOUT;
49019 + if (time_after(jiffies, end_time))
49021 read_lock(&tasklist_lock);
49022 do_each_thread(g, p) {
49023 if (frozen(p) || !freezeable(p))
49024 @@ -58,12 +61,16 @@ static int try_to_freeze_tasks(bool sig_
49025 * It is "frozen enough". If the task does wake
49026 * up, it will immediately call try_to_freeze.
49028 - if (!task_is_stopped_or_traced(p) &&
49029 - !freezer_should_skip(p))
49030 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
49033 + printk(KERN_ERR "Task refusing to freeze:\n");
49034 + sched_show_task(p);
49037 } while_each_thread(g, p);
49038 read_unlock(&tasklist_lock);
49039 - if (!todo || time_after(jiffies, end_time))
49040 + if (!todo || timedout)
49044 diff -urNp linux-2.6.35.4/kernel/power/suspend.c linux-2.6.35.4/kernel/power/suspend.c
49045 --- linux-2.6.35.4/kernel/power/suspend.c 2010-08-26 19:47:12.000000000 -0400
49046 +++ linux-2.6.35.4/kernel/power/suspend.c 2010-09-17 20:12:09.000000000 -0400
49047 @@ -30,13 +30,13 @@ const char *const pm_states[PM_SUSPEND_M
49048 [PM_SUSPEND_MEM] = "mem",
49051 -static struct platform_suspend_ops *suspend_ops;
49052 +static const struct platform_suspend_ops *suspend_ops;
49055 * suspend_set_ops - Set the global suspend method table.
49056 * @ops: Pointer to ops structure.
49058 -void suspend_set_ops(struct platform_suspend_ops *ops)
49059 +void suspend_set_ops(const struct platform_suspend_ops *ops)
49061 mutex_lock(&pm_mutex);
49063 diff -urNp linux-2.6.35.4/kernel/printk.c linux-2.6.35.4/kernel/printk.c
49064 --- linux-2.6.35.4/kernel/printk.c 2010-08-26 19:47:12.000000000 -0400
49065 +++ linux-2.6.35.4/kernel/printk.c 2010-09-17 20:12:37.000000000 -0400
49066 @@ -266,6 +266,11 @@ int do_syslog(int type, char __user *buf
49070 +#ifdef CONFIG_GRKERNSEC_DMESG
49071 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
49075 error = security_syslog(type, from_file);
49078 diff -urNp linux-2.6.35.4/kernel/ptrace.c linux-2.6.35.4/kernel/ptrace.c
49079 --- linux-2.6.35.4/kernel/ptrace.c 2010-08-26 19:47:12.000000000 -0400
49080 +++ linux-2.6.35.4/kernel/ptrace.c 2010-09-17 20:12:37.000000000 -0400
49081 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru
49082 cred->gid != tcred->egid ||
49083 cred->gid != tcred->sgid ||
49084 cred->gid != tcred->gid) &&
49085 - !capable(CAP_SYS_PTRACE)) {
49086 + !capable_nolog(CAP_SYS_PTRACE)) {
49090 @@ -148,7 +148,7 @@ int __ptrace_may_access(struct task_stru
49093 dumpable = get_dumpable(task->mm);
49094 - if (!dumpable && !capable(CAP_SYS_PTRACE))
49095 + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
49098 return security_ptrace_access_check(task, mode);
49099 @@ -198,7 +198,7 @@ int ptrace_attach(struct task_struct *ta
49100 goto unlock_tasklist;
49102 task->ptrace = PT_PTRACED;
49103 - if (capable(CAP_SYS_PTRACE))
49104 + if (capable_nolog(CAP_SYS_PTRACE))
49105 task->ptrace |= PT_PTRACE_CAP;
49107 __ptrace_link(task, current);
49108 @@ -361,7 +361,7 @@ int ptrace_readdata(struct task_struct *
49112 - if (copy_to_user(dst, buf, retval))
49113 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
49117 @@ -572,18 +572,18 @@ int ptrace_request(struct task_struct *c
49118 ret = ptrace_setoptions(child, data);
49120 case PTRACE_GETEVENTMSG:
49121 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
49122 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
49125 case PTRACE_GETSIGINFO:
49126 ret = ptrace_getsiginfo(child, &siginfo);
49128 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
49129 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
49133 case PTRACE_SETSIGINFO:
49134 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
49135 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
49139 @@ -703,14 +703,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
49143 + if (gr_handle_ptrace(child, request)) {
49145 + goto out_put_task_struct;
49148 if (request == PTRACE_ATTACH) {
49149 ret = ptrace_attach(child);
49151 * Some architectures need to do book-keeping after
49156 arch_ptrace_attach(child);
49157 + gr_audit_ptrace(child);
49159 goto out_put_task_struct;
49162 diff -urNp linux-2.6.35.4/kernel/rcutree.c linux-2.6.35.4/kernel/rcutree.c
49163 --- linux-2.6.35.4/kernel/rcutree.c 2010-08-26 19:47:12.000000000 -0400
49164 +++ linux-2.6.35.4/kernel/rcutree.c 2010-09-17 20:12:09.000000000 -0400
49165 @@ -1356,7 +1356,7 @@ __rcu_process_callbacks(struct rcu_state
49167 * Do softirq processing for the current CPU.
49169 -static void rcu_process_callbacks(struct softirq_action *unused)
49170 +static void rcu_process_callbacks(void)
49173 * Memory references from any prior RCU read-side critical sections
49174 diff -urNp linux-2.6.35.4/kernel/resource.c linux-2.6.35.4/kernel/resource.c
49175 --- linux-2.6.35.4/kernel/resource.c 2010-08-26 19:47:12.000000000 -0400
49176 +++ linux-2.6.35.4/kernel/resource.c 2010-09-17 20:12:37.000000000 -0400
49177 @@ -133,8 +133,18 @@ static const struct file_operations proc
49179 static int __init ioresources_init(void)
49181 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49182 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49183 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
49184 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
49185 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49186 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
49187 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
49190 proc_create("ioports", 0, NULL, &proc_ioports_operations);
49191 proc_create("iomem", 0, NULL, &proc_iomem_operations);
49195 __initcall(ioresources_init);
49196 diff -urNp linux-2.6.35.4/kernel/sched.c linux-2.6.35.4/kernel/sched.c
49197 --- linux-2.6.35.4/kernel/sched.c 2010-08-26 19:47:12.000000000 -0400
49198 +++ linux-2.6.35.4/kernel/sched.c 2010-09-17 20:12:37.000000000 -0400
49199 @@ -4266,6 +4266,8 @@ int can_nice(const struct task_struct *p
49200 /* convert nice value [19,-20] to rlimit style value [1,40] */
49201 int nice_rlim = 20 - nice;
49203 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
49205 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
49206 capable(CAP_SYS_NICE));
49208 @@ -4299,7 +4301,8 @@ SYSCALL_DEFINE1(nice, int, increment)
49212 - if (increment < 0 && !can_nice(current, nice))
49213 + if (increment < 0 && (!can_nice(current, nice) ||
49214 + gr_handle_chroot_nice()))
49215 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
49217 retval = security_task_setnice(current, nice);
49218 @@ -4446,6 +4449,7 @@ recheck:
49219 rlim_rtprio = task_rlimit(p, RLIMIT_RTPRIO);
49220 unlock_task_sighand(p, &flags);
49222 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
49223 /* can't set/change the rt policy */
49224 if (policy != p->policy && !rlim_rtprio)
49226 diff -urNp linux-2.6.35.4/kernel/sched_fair.c linux-2.6.35.4/kernel/sched_fair.c
49227 --- linux-2.6.35.4/kernel/sched_fair.c 2010-08-26 19:47:12.000000000 -0400
49228 +++ linux-2.6.35.4/kernel/sched_fair.c 2010-09-17 20:12:09.000000000 -0400
49229 @@ -3390,7 +3390,7 @@ out:
49230 * In CONFIG_NO_HZ case, the idle load balance owner will do the
49231 * rebalancing for all the cpus for whom scheduler ticks are stopped.
49233 -static void run_rebalance_domains(struct softirq_action *h)
49234 +static void run_rebalance_domains(void)
49236 int this_cpu = smp_processor_id();
49237 struct rq *this_rq = cpu_rq(this_cpu);
49238 diff -urNp linux-2.6.35.4/kernel/signal.c linux-2.6.35.4/kernel/signal.c
49239 --- linux-2.6.35.4/kernel/signal.c 2010-08-26 19:47:12.000000000 -0400
49240 +++ linux-2.6.35.4/kernel/signal.c 2010-09-17 20:20:18.000000000 -0400
49241 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
49243 int print_fatal_signals __read_mostly;
49245 -static void __user *sig_handler(struct task_struct *t, int sig)
49246 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
49248 return t->sighand->action[sig - 1].sa.sa_handler;
49251 -static int sig_handler_ignored(void __user *handler, int sig)
49252 +static int sig_handler_ignored(__sighandler_t handler, int sig)
49254 /* Is it explicitly or implicitly ignored? */
49255 return handler == SIG_IGN ||
49256 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
49257 static int sig_task_ignored(struct task_struct *t, int sig,
49258 int from_ancestor_ns)
49260 - void __user *handler;
49261 + __sighandler_t handler;
49263 handler = sig_handler(t, sig);
49265 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
49266 atomic_inc(&user->sigpending);
49269 + if (!override_rlimit)
49270 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
49272 if (override_rlimit ||
49273 atomic_read(&user->sigpending) <=
49274 task_rlimit(t, RLIMIT_SIGPENDING)) {
49275 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
49277 int unhandled_signal(struct task_struct *tsk, int sig)
49279 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
49280 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
49281 if (is_global_init(tsk))
49283 if (handler != SIG_IGN && handler != SIG_DFL)
49284 @@ -705,6 +705,10 @@ static int check_kill_permission(int sig
49285 sig, info, t, vx_task_xid(t), t->pid, current->xid);
49289 + if (gr_handle_signal(t, sig))
49293 return security_task_kill(t, info, sig, 0);
49295 @@ -1025,7 +1031,7 @@ __group_send_sig_info(int sig, struct si
49296 return send_signal(sig, info, p, 1);
49301 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
49303 return send_signal(sig, info, t, 0);
49304 @@ -1079,6 +1085,9 @@ force_sig_info(int sig, struct siginfo *
49305 ret = specific_send_sig_info(sig, info, t);
49306 spin_unlock_irqrestore(&t->sighand->siglock, flags);
49308 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
49309 + gr_handle_crash(t, sig);
49314 @@ -1136,8 +1145,11 @@ int group_send_sig_info(int sig, struct
49315 ret = check_kill_permission(sig, info, p);
49319 + if (!ret && sig) {
49320 ret = do_send_sig_info(sig, info, p, true);
49322 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
49327 diff -urNp linux-2.6.35.4/kernel/smp.c linux-2.6.35.4/kernel/smp.c
49328 --- linux-2.6.35.4/kernel/smp.c 2010-08-26 19:47:12.000000000 -0400
49329 +++ linux-2.6.35.4/kernel/smp.c 2010-09-17 20:12:09.000000000 -0400
49330 @@ -499,22 +499,22 @@ int smp_call_function(void (*func)(void
49332 EXPORT_SYMBOL(smp_call_function);
49334 -void ipi_call_lock(void)
49335 +void ipi_call_lock(void) __acquires(call_function.lock)
49337 raw_spin_lock(&call_function.lock);
49340 -void ipi_call_unlock(void)
49341 +void ipi_call_unlock(void) __releases(call_function.lock)
49343 raw_spin_unlock(&call_function.lock);
49346 -void ipi_call_lock_irq(void)
49347 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
49349 raw_spin_lock_irq(&call_function.lock);
49352 -void ipi_call_unlock_irq(void)
49353 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
49355 raw_spin_unlock_irq(&call_function.lock);
49357 diff -urNp linux-2.6.35.4/kernel/softirq.c linux-2.6.35.4/kernel/softirq.c
49358 --- linux-2.6.35.4/kernel/softirq.c 2010-08-26 19:47:12.000000000 -0400
49359 +++ linux-2.6.35.4/kernel/softirq.c 2010-09-17 20:12:09.000000000 -0400
49360 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
49362 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
49364 -char *softirq_to_name[NR_SOFTIRQS] = {
49365 +const char * const softirq_to_name[NR_SOFTIRQS] = {
49366 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
49367 "TASKLET", "SCHED", "HRTIMER", "RCU"
49369 @@ -190,7 +190,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
49371 asmlinkage void __do_softirq(void)
49373 - struct softirq_action *h;
49374 + const struct softirq_action *h;
49376 int max_restart = MAX_SOFTIRQ_RESTART;
49378 @@ -216,7 +216,7 @@ restart:
49379 kstat_incr_softirqs_this_cpu(h - softirq_vec);
49381 trace_softirq_entry(h, softirq_vec);
49384 trace_softirq_exit(h, softirq_vec);
49385 if (unlikely(prev_count != preempt_count())) {
49386 printk(KERN_ERR "huh, entered softirq %td %s %p"
49387 @@ -340,7 +340,7 @@ void raise_softirq(unsigned int nr)
49388 local_irq_restore(flags);
49391 -void open_softirq(int nr, void (*action)(struct softirq_action *))
49392 +void open_softirq(int nr, void (*action)(void))
49394 softirq_vec[nr].action = action;
49396 @@ -396,7 +396,7 @@ void __tasklet_hi_schedule_first(struct
49398 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
49400 -static void tasklet_action(struct softirq_action *a)
49401 +static void tasklet_action(void)
49403 struct tasklet_struct *list;
49405 @@ -431,7 +431,7 @@ static void tasklet_action(struct softir
49409 -static void tasklet_hi_action(struct softirq_action *a)
49410 +static void tasklet_hi_action(void)
49412 struct tasklet_struct *list;
49414 diff -urNp linux-2.6.35.4/kernel/sys.c linux-2.6.35.4/kernel/sys.c
49415 --- linux-2.6.35.4/kernel/sys.c 2010-08-26 19:47:12.000000000 -0400
49416 +++ linux-2.6.35.4/kernel/sys.c 2010-09-17 20:28:33.000000000 -0400
49417 @@ -134,6 +134,12 @@ static int set_one_prio(struct task_stru
49422 + if (gr_handle_chroot_setpriority(p, niceval)) {
49427 no_nice = security_task_setnice(p, niceval);
49430 @@ -511,6 +517,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
49434 + if (gr_check_group_change(new->gid, new->egid, -1))
49437 if (rgid != (gid_t) -1 ||
49438 (egid != (gid_t) -1 && egid != old->gid))
49439 new->sgid = new->egid;
49440 @@ -540,6 +549,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
49441 old = current_cred();
49445 + if (gr_check_group_change(gid, gid, gid))
49448 if (capable(CAP_SETGID))
49449 new->gid = new->egid = new->sgid = new->fsgid = gid;
49450 else if (gid == old->gid || gid == old->sgid)
49451 @@ -620,6 +633,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
49455 + if (gr_check_user_change(new->uid, new->euid, -1))
49458 if (new->uid != old->uid) {
49459 retval = set_user(new);
49461 @@ -664,6 +680,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
49462 old = current_cred();
49466 + if (gr_check_crash_uid(uid))
49468 + if (gr_check_user_change(uid, uid, uid))
49471 if (capable(CAP_SETUID)) {
49472 new->suid = new->uid = uid;
49473 if (uid != old->uid) {
49474 @@ -718,6 +740,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
49478 + if (gr_check_user_change(ruid, euid, -1))
49481 if (ruid != (uid_t) -1) {
49483 if (ruid != old->uid) {
49484 @@ -782,6 +807,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
49488 + if (gr_check_group_change(rgid, egid, -1))
49491 if (rgid != (gid_t) -1)
49493 if (egid != (gid_t) -1)
49494 @@ -828,6 +856,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
49495 old = current_cred();
49496 old_fsuid = old->fsuid;
49498 + if (gr_check_user_change(-1, -1, uid))
49501 if (uid == old->uid || uid == old->euid ||
49502 uid == old->suid || uid == old->fsuid ||
49503 capable(CAP_SETUID)) {
49504 @@ -838,6 +869,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
49512 @@ -864,12 +896,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
49513 if (gid == old->gid || gid == old->egid ||
49514 gid == old->sgid || gid == old->fsgid ||
49515 capable(CAP_SETGID)) {
49516 + if (gr_check_group_change(-1, -1, gid))
49519 if (gid != old_fsgid) {
49529 @@ -1491,7 +1527,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
49530 error = get_dumpable(me->mm);
49532 case PR_SET_DUMPABLE:
49533 - if (arg2 < 0 || arg2 > 1) {
49538 diff -urNp linux-2.6.35.4/kernel/sysctl.c linux-2.6.35.4/kernel/sysctl.c
49539 --- linux-2.6.35.4/kernel/sysctl.c 2010-08-26 19:47:12.000000000 -0400
49540 +++ linux-2.6.35.4/kernel/sysctl.c 2010-09-17 20:18:09.000000000 -0400
49544 #if defined(CONFIG_SYSCTL)
49545 +#include <linux/grsecurity.h>
49546 +#include <linux/grinternal.h>
49548 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
49549 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
49551 +extern int gr_handle_chroot_sysctl(const int op);
49553 /* External variables not in a header file. */
49554 extern int sysctl_overcommit_memory;
49555 @@ -185,6 +192,7 @@ static int sysrq_sysctl_handler(ctl_tabl
49559 +extern struct ctl_table grsecurity_table[];
49561 static struct ctl_table root_table[];
49562 static struct ctl_table_root sysctl_table_root;
49563 @@ -217,6 +225,20 @@ extern struct ctl_table epoll_table[];
49564 int sysctl_legacy_va_layout;
49567 +#ifdef CONFIG_PAX_SOFTMODE
49568 +static ctl_table pax_table[] = {
49570 + .procname = "softmode",
49571 + .data = &pax_softmode,
49572 + .maxlen = sizeof(unsigned int),
49574 + .proc_handler = &proc_dointvec,
49581 /* The default sysctl tables: */
49583 static struct ctl_table root_table[] = {
49584 @@ -269,6 +291,22 @@ static int max_extfrag_threshold = 1000;
49587 static struct ctl_table kern_table[] = {
49588 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
49590 + .procname = "grsecurity",
49592 + .child = grsecurity_table,
49596 +#ifdef CONFIG_PAX_SOFTMODE
49598 + .procname = "pax",
49600 + .child = pax_table,
49605 .procname = "sched_child_runs_first",
49606 .data = &sysctl_sched_child_runs_first,
49607 @@ -1171,6 +1209,13 @@ static struct ctl_table vm_table[] = {
49608 .proc_handler = proc_dointvec_minmax,
49612 + .procname = "heap_stack_gap",
49613 + .data = &sysctl_heap_stack_gap,
49614 + .maxlen = sizeof(sysctl_heap_stack_gap),
49616 + .proc_handler = proc_doulongvec_minmax,
49620 .procname = "nr_trim_pages",
49621 @@ -1686,6 +1731,16 @@ int sysctl_perm(struct ctl_table_root *r
49625 + if (table->parent != NULL && table->parent->procname != NULL &&
49626 + table->procname != NULL &&
49627 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
49629 + if (gr_handle_chroot_sysctl(op))
49631 + error = gr_handle_sysctl(table, op);
49635 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
49638 @@ -2201,6 +2256,8 @@ static int proc_put_long(void __user **b
49642 + if (len > sizeof(tmp))
49643 + len = sizeof(tmp);
49644 if (copy_to_user(*buf, tmp, len))
49647 diff -urNp linux-2.6.35.4/kernel/taskstats.c linux-2.6.35.4/kernel/taskstats.c
49648 --- linux-2.6.35.4/kernel/taskstats.c 2010-08-26 19:47:12.000000000 -0400
49649 +++ linux-2.6.35.4/kernel/taskstats.c 2010-09-17 20:12:37.000000000 -0400
49651 #include <linux/cgroup.h>
49652 #include <linux/fs.h>
49653 #include <linux/file.h>
49654 +#include <linux/grsecurity.h>
49655 #include <net/genetlink.h>
49656 #include <asm/atomic.h>
49658 +extern int gr_is_taskstats_denied(int pid);
49661 * Maximum length of a cpumask that can be specified in
49662 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
49663 @@ -432,6 +435,9 @@ static int taskstats_user_cmd(struct sk_
49665 cpumask_var_t mask;
49667 + if (gr_is_taskstats_denied(current->pid))
49670 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
49673 diff -urNp linux-2.6.35.4/kernel/time/tick-broadcast.c linux-2.6.35.4/kernel/time/tick-broadcast.c
49674 --- linux-2.6.35.4/kernel/time/tick-broadcast.c 2010-08-26 19:47:12.000000000 -0400
49675 +++ linux-2.6.35.4/kernel/time/tick-broadcast.c 2010-09-17 20:12:09.000000000 -0400
49676 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
49677 * then clear the broadcast bit.
49679 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
49680 - int cpu = smp_processor_id();
49681 + cpu = smp_processor_id();
49683 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
49684 tick_broadcast_clear_oneshot(cpu);
49685 diff -urNp linux-2.6.35.4/kernel/time/timer_list.c linux-2.6.35.4/kernel/time/timer_list.c
49686 --- linux-2.6.35.4/kernel/time/timer_list.c 2010-08-26 19:47:12.000000000 -0400
49687 +++ linux-2.6.35.4/kernel/time/timer_list.c 2010-09-17 20:12:37.000000000 -0400
49688 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
49690 static void print_name_offset(struct seq_file *m, void *sym)
49692 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49693 + SEQ_printf(m, "<%p>", NULL);
49695 char symname[KSYM_NAME_LEN];
49697 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
49698 SEQ_printf(m, "<%p>", sym);
49700 SEQ_printf(m, "%s", symname);
49705 @@ -112,7 +116,11 @@ next_one:
49707 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
49709 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49710 + SEQ_printf(m, " .base: %p\n", NULL);
49712 SEQ_printf(m, " .base: %p\n", base);
49714 SEQ_printf(m, " .index: %d\n",
49716 SEQ_printf(m, " .resolution: %Lu nsecs\n",
49717 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
49719 struct proc_dir_entry *pe;
49721 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49722 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
49724 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
49729 diff -urNp linux-2.6.35.4/kernel/time/timer_stats.c linux-2.6.35.4/kernel/time/timer_stats.c
49730 --- linux-2.6.35.4/kernel/time/timer_stats.c 2010-08-26 19:47:12.000000000 -0400
49731 +++ linux-2.6.35.4/kernel/time/timer_stats.c 2010-09-17 20:12:37.000000000 -0400
49732 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
49734 static void print_name_offset(struct seq_file *m, unsigned long addr)
49736 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49737 + seq_printf(m, "<%p>", NULL);
49739 char symname[KSYM_NAME_LEN];
49741 if (lookup_symbol_name(addr, symname) < 0)
49742 seq_printf(m, "<%p>", (void *)addr);
49744 seq_printf(m, "%s", symname);
49748 static int tstats_show(struct seq_file *m, void *v)
49749 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
49751 struct proc_dir_entry *pe;
49753 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49754 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
49756 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
49761 diff -urNp linux-2.6.35.4/kernel/time.c linux-2.6.35.4/kernel/time.c
49762 --- linux-2.6.35.4/kernel/time.c 2010-08-26 19:47:12.000000000 -0400
49763 +++ linux-2.6.35.4/kernel/time.c 2010-09-17 20:12:37.000000000 -0400
49764 @@ -94,6 +94,8 @@ SYSCALL_DEFINE1(stime, time_t __user *,
49767 vx_settimeofday(&tv);
49768 + gr_log_timechange();
49773 @@ -200,6 +203,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
49777 + gr_log_timechange();
49779 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
49782 @@ -238,7 +243,7 @@ EXPORT_SYMBOL(current_fs_time);
49783 * Avoid unnecessary multiplications/divisions in the
49784 * two most common HZ cases:
49786 -unsigned int inline jiffies_to_msecs(const unsigned long j)
49787 +inline unsigned int jiffies_to_msecs(const unsigned long j)
49789 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
49790 return (MSEC_PER_SEC / HZ) * j;
49791 @@ -254,7 +259,7 @@ unsigned int inline jiffies_to_msecs(con
49793 EXPORT_SYMBOL(jiffies_to_msecs);
49795 -unsigned int inline jiffies_to_usecs(const unsigned long j)
49796 +inline unsigned int jiffies_to_usecs(const unsigned long j)
49798 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
49799 return (USEC_PER_SEC / HZ) * j;
49800 diff -urNp linux-2.6.35.4/kernel/timer.c linux-2.6.35.4/kernel/timer.c
49801 --- linux-2.6.35.4/kernel/timer.c 2010-08-26 19:47:12.000000000 -0400
49802 +++ linux-2.6.35.4/kernel/timer.c 2010-09-17 20:12:09.000000000 -0400
49803 @@ -1272,7 +1272,7 @@ void update_process_times(int user_tick)
49805 * This function runs timers and the timer-tq in bottom half context.
49807 -static void run_timer_softirq(struct softirq_action *h)
49808 +static void run_timer_softirq(void)
49810 struct tvec_base *base = __get_cpu_var(tvec_bases);
49812 diff -urNp linux-2.6.35.4/kernel/trace/ftrace.c linux-2.6.35.4/kernel/trace/ftrace.c
49813 --- linux-2.6.35.4/kernel/trace/ftrace.c 2010-08-26 19:47:12.000000000 -0400
49814 +++ linux-2.6.35.4/kernel/trace/ftrace.c 2010-09-17 20:12:09.000000000 -0400
49815 @@ -1101,13 +1101,18 @@ ftrace_code_disable(struct module *mod,
49819 + ret = ftrace_arch_code_modify_prepare();
49820 + FTRACE_WARN_ON(ret);
49824 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
49825 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
49827 ftrace_bug(ret, ip);
49828 rec->flags |= FTRACE_FL_FAILED;
49832 + return ret ? 0 : 1;
49836 diff -urNp linux-2.6.35.4/kernel/trace/ring_buffer.c linux-2.6.35.4/kernel/trace/ring_buffer.c
49837 --- linux-2.6.35.4/kernel/trace/ring_buffer.c 2010-08-26 19:47:12.000000000 -0400
49838 +++ linux-2.6.35.4/kernel/trace/ring_buffer.c 2010-09-17 20:12:09.000000000 -0400
49839 @@ -635,7 +635,7 @@ static struct list_head *rb_list_head(st
49840 * the reader page). But if the next page is a header page,
49841 * its flags will be non zero.
49845 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
49846 struct buffer_page *page, struct list_head *list)
49848 diff -urNp linux-2.6.35.4/kernel/trace/trace.c linux-2.6.35.4/kernel/trace/trace.c
49849 --- linux-2.6.35.4/kernel/trace/trace.c 2010-08-26 19:47:12.000000000 -0400
49850 +++ linux-2.6.35.4/kernel/trace/trace.c 2010-09-17 20:12:09.000000000 -0400
49851 @@ -3965,10 +3965,9 @@ static const struct file_operations trac
49855 -static struct dentry *d_tracer;
49857 struct dentry *tracing_init_dentry(void)
49859 + static struct dentry *d_tracer;
49863 @@ -3988,10 +3987,9 @@ struct dentry *tracing_init_dentry(void)
49867 -static struct dentry *d_percpu;
49869 struct dentry *tracing_dentry_percpu(void)
49871 + static struct dentry *d_percpu;
49873 struct dentry *d_tracer;
49875 diff -urNp linux-2.6.35.4/kernel/trace/trace_output.c linux-2.6.35.4/kernel/trace/trace_output.c
49876 --- linux-2.6.35.4/kernel/trace/trace_output.c 2010-08-26 19:47:12.000000000 -0400
49877 +++ linux-2.6.35.4/kernel/trace/trace_output.c 2010-09-17 20:12:09.000000000 -0400
49878 @@ -281,7 +281,7 @@ int trace_seq_path(struct trace_seq *s,
49880 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
49882 - p = mangle_path(s->buffer + s->len, p, "\n");
49883 + p = mangle_path(s->buffer + s->len, p, "\n\\");
49885 s->len = p - s->buffer;
49887 diff -urNp linux-2.6.35.4/kernel/trace/trace_stack.c linux-2.6.35.4/kernel/trace/trace_stack.c
49888 --- linux-2.6.35.4/kernel/trace/trace_stack.c 2010-08-26 19:47:12.000000000 -0400
49889 +++ linux-2.6.35.4/kernel/trace/trace_stack.c 2010-09-17 20:12:09.000000000 -0400
49890 @@ -50,7 +50,7 @@ static inline void check_stack(void)
49893 /* we do not handle interrupt stacks yet */
49894 - if (!object_is_on_stack(&this_size))
49895 + if (!object_starts_on_stack(&this_size))
49898 local_irq_save(flags);
49899 diff -urNp linux-2.6.35.4/lib/bug.c linux-2.6.35.4/lib/bug.c
49900 --- linux-2.6.35.4/lib/bug.c 2010-08-26 19:47:12.000000000 -0400
49901 +++ linux-2.6.35.4/lib/bug.c 2010-09-17 20:12:09.000000000 -0400
49902 @@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
49903 return BUG_TRAP_TYPE_NONE;
49905 bug = find_bug(bugaddr);
49907 + return BUG_TRAP_TYPE_NONE;
49909 printk(KERN_EMERG "------------[ cut here ]------------\n");
49911 diff -urNp linux-2.6.35.4/lib/debugobjects.c linux-2.6.35.4/lib/debugobjects.c
49912 --- linux-2.6.35.4/lib/debugobjects.c 2010-08-26 19:47:12.000000000 -0400
49913 +++ linux-2.6.35.4/lib/debugobjects.c 2010-09-17 20:12:09.000000000 -0400
49914 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
49918 - is_on_stack = object_is_on_stack(addr);
49919 + is_on_stack = object_starts_on_stack(addr);
49920 if (is_on_stack == onstack)
49923 diff -urNp linux-2.6.35.4/lib/dma-debug.c linux-2.6.35.4/lib/dma-debug.c
49924 --- linux-2.6.35.4/lib/dma-debug.c 2010-08-26 19:47:12.000000000 -0400
49925 +++ linux-2.6.35.4/lib/dma-debug.c 2010-09-17 20:12:09.000000000 -0400
49926 @@ -861,7 +861,7 @@ out:
49928 static void check_for_stack(struct device *dev, void *addr)
49930 - if (object_is_on_stack(addr))
49931 + if (object_starts_on_stack(addr))
49932 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
49933 "stack [addr=%p]\n", addr);
49935 diff -urNp linux-2.6.35.4/lib/inflate.c linux-2.6.35.4/lib/inflate.c
49936 --- linux-2.6.35.4/lib/inflate.c 2010-08-26 19:47:12.000000000 -0400
49937 +++ linux-2.6.35.4/lib/inflate.c 2010-09-17 20:12:09.000000000 -0400
49938 @@ -267,7 +267,7 @@ static void free(void *where)
49939 malloc_ptr = free_mem_ptr;
49942 -#define malloc(a) kmalloc(a, GFP_KERNEL)
49943 +#define malloc(a) kmalloc((a), GFP_KERNEL)
49944 #define free(a) kfree(a)
49947 diff -urNp linux-2.6.35.4/lib/Kconfig.debug linux-2.6.35.4/lib/Kconfig.debug
49948 --- linux-2.6.35.4/lib/Kconfig.debug 2010-08-26 19:47:12.000000000 -0400
49949 +++ linux-2.6.35.4/lib/Kconfig.debug 2010-09-17 20:12:37.000000000 -0400
49950 @@ -970,7 +970,7 @@ config LATENCYTOP
49954 - depends on HAVE_LATENCYTOP_SUPPORT
49955 + depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
49957 Enable this option if you want to use the LatencyTOP tool
49958 to find out which userspace is blocking on what kernel operations.
49959 diff -urNp linux-2.6.35.4/lib/parser.c linux-2.6.35.4/lib/parser.c
49960 --- linux-2.6.35.4/lib/parser.c 2010-08-26 19:47:12.000000000 -0400
49961 +++ linux-2.6.35.4/lib/parser.c 2010-09-17 20:12:09.000000000 -0400
49962 @@ -129,7 +129,7 @@ static int match_number(substring_t *s,
49966 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
49967 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
49970 memcpy(buf, s->from, s->to - s->from);
49971 diff -urNp linux-2.6.35.4/lib/radix-tree.c linux-2.6.35.4/lib/radix-tree.c
49972 --- linux-2.6.35.4/lib/radix-tree.c 2010-08-26 19:47:12.000000000 -0400
49973 +++ linux-2.6.35.4/lib/radix-tree.c 2010-09-17 20:12:09.000000000 -0400
49974 @@ -80,7 +80,7 @@ struct radix_tree_preload {
49976 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
49978 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
49979 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
49981 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
49983 diff -urNp linux-2.6.35.4/localversion-grsec linux-2.6.35.4/localversion-grsec
49984 --- linux-2.6.35.4/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
49985 +++ linux-2.6.35.4/localversion-grsec 2010-09-17 20:12:37.000000000 -0400
49988 diff -urNp linux-2.6.35.4/Makefile linux-2.6.35.4/Makefile
49989 --- linux-2.6.35.4/Makefile 2010-08-26 19:47:12.000000000 -0400
49990 +++ linux-2.6.35.4/Makefile 2010-09-17 20:12:37.000000000 -0400
49991 @@ -230,8 +230,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
49995 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
49996 -HOSTCXXFLAGS = -O2
49997 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
49998 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
50000 # Decide whether to build built-in, modular, or both.
50001 # Normally, just do built-in.
50002 @@ -650,7 +650,7 @@ export mod_strip_cmd
50005 ifeq ($(KBUILD_EXTMOD),)
50006 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
50007 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
50009 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
50010 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
50011 diff -urNp linux-2.6.35.4/mm/bootmem.c linux-2.6.35.4/mm/bootmem.c
50012 --- linux-2.6.35.4/mm/bootmem.c 2010-08-26 19:47:12.000000000 -0400
50013 +++ linux-2.6.35.4/mm/bootmem.c 2010-09-17 20:12:09.000000000 -0400
50014 @@ -200,19 +200,30 @@ static void __init __free_pages_memory(u
50015 unsigned long __init free_all_memory_core_early(int nodeid)
50019 + u64 start, end, startrange, endrange;
50020 unsigned long count = 0;
50021 - struct range *range = NULL;
50022 + struct range *range = NULL, rangerange = { 0, 0 };
50025 nr_range = get_free_all_memory_range(&range, nodeid);
50026 + startrange = __pa(range) >> PAGE_SHIFT;
50027 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
50029 for (i = 0; i < nr_range; i++) {
50030 start = range[i].start;
50031 end = range[i].end;
50032 + if (start <= endrange && startrange < end) {
50033 + BUG_ON(rangerange.start | rangerange.end);
50034 + rangerange = range[i];
50037 count += end - start;
50038 __free_pages_memory(start, end);
50040 + start = rangerange.start;
50041 + end = rangerange.end;
50042 + count += end - start;
50043 + __free_pages_memory(start, end);
50047 diff -urNp linux-2.6.35.4/mm/filemap.c linux-2.6.35.4/mm/filemap.c
50048 --- linux-2.6.35.4/mm/filemap.c 2010-08-26 19:47:12.000000000 -0400
50049 +++ linux-2.6.35.4/mm/filemap.c 2010-09-17 20:12:37.000000000 -0400
50050 @@ -1640,7 +1640,7 @@ int generic_file_mmap(struct file * file
50051 struct address_space *mapping = file->f_mapping;
50053 if (!mapping->a_ops->readpage)
50056 file_accessed(file);
50057 vma->vm_ops = &generic_file_vm_ops;
50058 vma->vm_flags |= VM_CAN_NONLINEAR;
50059 @@ -2036,6 +2036,7 @@ inline int generic_write_checks(struct f
50060 *pos = i_size_read(inode);
50062 if (limit != RLIM_INFINITY) {
50063 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
50064 if (*pos >= limit) {
50065 send_sig(SIGXFSZ, current, 0);
50067 diff -urNp linux-2.6.35.4/mm/fremap.c linux-2.6.35.4/mm/fremap.c
50068 --- linux-2.6.35.4/mm/fremap.c 2010-08-26 19:47:12.000000000 -0400
50069 +++ linux-2.6.35.4/mm/fremap.c 2010-09-17 20:12:09.000000000 -0400
50070 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
50072 vma = find_vma(mm, start);
50074 +#ifdef CONFIG_PAX_SEGMEXEC
50075 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
50080 * Make sure the vma is shared, that it supports prefaulting,
50081 * and that the remapped range is valid and fully within
50082 @@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
50084 * drop PG_Mlocked flag for over-mapped range
50086 - unsigned int saved_flags = vma->vm_flags;
50087 + unsigned long saved_flags = vma->vm_flags;
50088 munlock_vma_pages_range(vma, start, start + size);
50089 vma->vm_flags = saved_flags;
50091 diff -urNp linux-2.6.35.4/mm/highmem.c linux-2.6.35.4/mm/highmem.c
50092 --- linux-2.6.35.4/mm/highmem.c 2010-08-26 19:47:12.000000000 -0400
50093 +++ linux-2.6.35.4/mm/highmem.c 2010-09-17 20:12:09.000000000 -0400
50094 @@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
50095 * So no dangers, even with speculative execution.
50097 page = pte_page(pkmap_page_table[i]);
50098 + pax_open_kernel();
50099 pte_clear(&init_mm, (unsigned long)page_address(page),
50100 &pkmap_page_table[i]);
50102 + pax_close_kernel();
50103 set_page_address(page, NULL);
50106 @@ -177,9 +178,11 @@ start:
50109 vaddr = PKMAP_ADDR(last_pkmap_nr);
50111 + pax_open_kernel();
50112 set_pte_at(&init_mm, vaddr,
50113 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
50115 + pax_close_kernel();
50116 pkmap_count[last_pkmap_nr] = 1;
50117 set_page_address(page, (void *)vaddr);
50119 diff -urNp linux-2.6.35.4/mm/hugetlb.c linux-2.6.35.4/mm/hugetlb.c
50120 --- linux-2.6.35.4/mm/hugetlb.c 2010-08-26 19:47:12.000000000 -0400
50121 +++ linux-2.6.35.4/mm/hugetlb.c 2010-09-17 20:12:09.000000000 -0400
50122 @@ -2272,6 +2272,26 @@ static int unmap_ref_private(struct mm_s
50126 +#ifdef CONFIG_PAX_SEGMEXEC
50127 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
50129 + struct mm_struct *mm = vma->vm_mm;
50130 + struct vm_area_struct *vma_m;
50131 + unsigned long address_m;
50134 + vma_m = pax_find_mirror_vma(vma);
50138 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50139 + address_m = address + SEGMEXEC_TASK_SIZE;
50140 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
50141 + get_page(page_m);
50142 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
50146 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
50147 unsigned long address, pte_t *ptep, pte_t pte,
50148 struct page *pagecache_page)
50149 @@ -2352,6 +2372,11 @@ retry_avoidcopy:
50150 huge_ptep_clear_flush(vma, address, ptep);
50151 set_huge_pte_at(mm, address, ptep,
50152 make_huge_pte(vma, new_page, 1));
50154 +#ifdef CONFIG_PAX_SEGMEXEC
50155 + pax_mirror_huge_pte(vma, address, new_page);
50158 /* Make the old page be freed below */
50159 new_page = old_page;
50161 @@ -2483,6 +2508,10 @@ retry:
50162 && (vma->vm_flags & VM_SHARED)));
50163 set_huge_pte_at(mm, address, ptep, new_pte);
50165 +#ifdef CONFIG_PAX_SEGMEXEC
50166 + pax_mirror_huge_pte(vma, address, page);
50169 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
50170 /* Optimization, do the COW without a second fault */
50171 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
50172 @@ -2511,6 +2540,28 @@ int hugetlb_fault(struct mm_struct *mm,
50173 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
50174 struct hstate *h = hstate_vma(vma);
50176 +#ifdef CONFIG_PAX_SEGMEXEC
50177 + struct vm_area_struct *vma_m;
50179 + vma_m = pax_find_mirror_vma(vma);
50181 + unsigned long address_m;
50183 + if (vma->vm_start > vma_m->vm_start) {
50184 + address_m = address;
50185 + address -= SEGMEXEC_TASK_SIZE;
50187 + h = hstate_vma(vma);
50189 + address_m = address + SEGMEXEC_TASK_SIZE;
50191 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
50192 + return VM_FAULT_OOM;
50193 + address_m &= HPAGE_MASK;
50194 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
50198 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
50200 return VM_FAULT_OOM;
50201 diff -urNp linux-2.6.35.4/mm/Kconfig linux-2.6.35.4/mm/Kconfig
50202 --- linux-2.6.35.4/mm/Kconfig 2010-08-26 19:47:12.000000000 -0400
50203 +++ linux-2.6.35.4/mm/Kconfig 2010-09-17 20:12:37.000000000 -0400
50204 @@ -240,7 +240,7 @@ config KSM
50205 config DEFAULT_MMAP_MIN_ADDR
50206 int "Low address space to protect from user allocation"
50211 This is the portion of low virtual memory which should be protected
50212 from userspace allocation. Keeping a user from writing to low pages
50213 diff -urNp linux-2.6.35.4/mm/maccess.c linux-2.6.35.4/mm/maccess.c
50214 --- linux-2.6.35.4/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
50215 +++ linux-2.6.35.4/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
50216 @@ -15,10 +15,10 @@
50217 * happens, handle that and return -EFAULT.
50220 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
50221 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
50222 __attribute__((alias("__probe_kernel_read")));
50224 -long __probe_kernel_read(void *dst, void *src, size_t size)
50225 +long __probe_kernel_read(void *dst, const void *src, size_t size)
50228 mm_segment_t old_fs = get_fs();
50229 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
50230 * Safely write to address @dst from the buffer at @src. If a kernel fault
50231 * happens, handle that and return -EFAULT.
50233 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
50234 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
50235 __attribute__((alias("__probe_kernel_write")));
50237 -long __probe_kernel_write(void *dst, void *src, size_t size)
50238 +long __probe_kernel_write(void *dst, const void *src, size_t size)
50241 mm_segment_t old_fs = get_fs();
50242 diff -urNp linux-2.6.35.4/mm/madvise.c linux-2.6.35.4/mm/madvise.c
50243 --- linux-2.6.35.4/mm/madvise.c 2010-08-26 19:47:12.000000000 -0400
50244 +++ linux-2.6.35.4/mm/madvise.c 2010-09-17 20:12:09.000000000 -0400
50245 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
50247 unsigned long new_flags = vma->vm_flags;
50249 +#ifdef CONFIG_PAX_SEGMEXEC
50250 + struct vm_area_struct *vma_m;
50253 switch (behavior) {
50255 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
50256 @@ -104,6 +108,13 @@ success:
50258 * vm_flags is protected by the mmap_sem held in write mode.
50261 +#ifdef CONFIG_PAX_SEGMEXEC
50262 + vma_m = pax_find_mirror_vma(vma);
50264 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
50267 vma->vm_flags = new_flags;
50270 @@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
50271 struct vm_area_struct ** prev,
50272 unsigned long start, unsigned long end)
50275 +#ifdef CONFIG_PAX_SEGMEXEC
50276 + struct vm_area_struct *vma_m;
50280 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
50282 @@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
50283 zap_page_range(vma, start, end - start, &details);
50285 zap_page_range(vma, start, end - start, NULL);
50287 +#ifdef CONFIG_PAX_SEGMEXEC
50288 + vma_m = pax_find_mirror_vma(vma);
50290 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
50291 + struct zap_details details = {
50292 + .nonlinear_vma = vma_m,
50293 + .last_index = ULONG_MAX,
50295 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
50297 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
50304 @@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
50308 +#ifdef CONFIG_PAX_SEGMEXEC
50309 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
50310 + if (end > SEGMEXEC_TASK_SIZE)
50315 + if (end > TASK_SIZE)
50321 diff -urNp linux-2.6.35.4/mm/memory.c linux-2.6.35.4/mm/memory.c
50322 --- linux-2.6.35.4/mm/memory.c 2010-08-26 19:47:12.000000000 -0400
50323 +++ linux-2.6.35.4/mm/memory.c 2010-09-17 20:12:09.000000000 -0400
50324 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
50327 pmd = pmd_offset(pud, start);
50329 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
50331 pmd_free_tlb(tlb, pmd, start);
50336 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
50337 @@ -292,8 +296,12 @@ static inline void free_pud_range(struct
50340 pud = pud_offset(pgd, start);
50342 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
50344 pud_free_tlb(tlb, pud, start);
50350 @@ -1363,10 +1371,10 @@ int __get_user_pages(struct task_struct
50351 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
50355 + while (nr_pages) {
50356 struct vm_area_struct *vma;
50358 - vma = find_extend_vma(mm, start);
50359 + vma = find_vma(mm, start);
50360 if (!vma && in_gate_area(tsk, start)) {
50361 unsigned long pg = start & PAGE_MASK;
50362 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
50363 @@ -1418,7 +1426,7 @@ int __get_user_pages(struct task_struct
50368 + if (!vma || start < vma->vm_start ||
50369 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
50370 !(vm_flags & vma->vm_flags))
50371 return i ? : -EFAULT;
50372 @@ -1493,7 +1501,7 @@ int __get_user_pages(struct task_struct
50373 start += PAGE_SIZE;
50375 } while (nr_pages && start < vma->vm_end);
50376 - } while (nr_pages);
50381 @@ -2089,6 +2097,186 @@ static inline void cow_user_page(struct
50382 copy_user_highpage(dst, src, va, vma);
50385 +#ifdef CONFIG_PAX_SEGMEXEC
50386 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
50388 + struct mm_struct *mm = vma->vm_mm;
50390 + pte_t *pte, entry;
50392 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
50394 + if (!pte_present(entry)) {
50395 + if (!pte_none(entry)) {
50396 + BUG_ON(pte_file(entry));
50397 + free_swap_and_cache(pte_to_swp_entry(entry));
50398 + pte_clear_not_present_full(mm, address, pte, 0);
50401 + struct page *page;
50403 + flush_cache_page(vma, address, pte_pfn(entry));
50404 + entry = ptep_clear_flush(vma, address, pte);
50405 + BUG_ON(pte_dirty(entry));
50406 + page = vm_normal_page(vma, address, entry);
50408 + update_hiwater_rss(mm);
50409 + if (PageAnon(page))
50410 + dec_mm_counter_fast(mm, MM_ANONPAGES);
50412 + dec_mm_counter_fast(mm, MM_FILEPAGES);
50413 + page_remove_rmap(page);
50414 + page_cache_release(page);
50417 + pte_unmap_unlock(pte, ptl);
50420 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
50422 + * the ptl of the lower mapped page is held on entry and is not released on exit
50423 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
50425 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
50427 + struct mm_struct *mm = vma->vm_mm;
50428 + unsigned long address_m;
50429 + spinlock_t *ptl_m;
50430 + struct vm_area_struct *vma_m;
50432 + pte_t *pte_m, entry_m;
50434 + BUG_ON(!page_m || !PageAnon(page_m));
50436 + vma_m = pax_find_mirror_vma(vma);
50440 + BUG_ON(!PageLocked(page_m));
50441 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50442 + address_m = address + SEGMEXEC_TASK_SIZE;
50443 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50444 + pte_m = pte_offset_map_nested(pmd_m, address_m);
50445 + ptl_m = pte_lockptr(mm, pmd_m);
50446 + if (ptl != ptl_m) {
50447 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50448 + if (!pte_none(*pte_m))
50452 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
50453 + page_cache_get(page_m);
50454 + page_add_anon_rmap(page_m, vma_m, address_m);
50455 + inc_mm_counter_fast(mm, MM_ANONPAGES);
50456 + set_pte_at(mm, address_m, pte_m, entry_m);
50457 + update_mmu_cache(vma_m, address_m, entry_m);
50459 + if (ptl != ptl_m)
50460 + spin_unlock(ptl_m);
50461 + pte_unmap_nested(pte_m);
50462 + unlock_page(page_m);
50465 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
50467 + struct mm_struct *mm = vma->vm_mm;
50468 + unsigned long address_m;
50469 + spinlock_t *ptl_m;
50470 + struct vm_area_struct *vma_m;
50472 + pte_t *pte_m, entry_m;
50474 + BUG_ON(!page_m || PageAnon(page_m));
50476 + vma_m = pax_find_mirror_vma(vma);
50480 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50481 + address_m = address + SEGMEXEC_TASK_SIZE;
50482 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50483 + pte_m = pte_offset_map_nested(pmd_m, address_m);
50484 + ptl_m = pte_lockptr(mm, pmd_m);
50485 + if (ptl != ptl_m) {
50486 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50487 + if (!pte_none(*pte_m))
50491 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
50492 + page_cache_get(page_m);
50493 + page_add_file_rmap(page_m);
50494 + inc_mm_counter_fast(mm, MM_FILEPAGES);
50495 + set_pte_at(mm, address_m, pte_m, entry_m);
50496 + update_mmu_cache(vma_m, address_m, entry_m);
50498 + if (ptl != ptl_m)
50499 + spin_unlock(ptl_m);
50500 + pte_unmap_nested(pte_m);
50503 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
50505 + struct mm_struct *mm = vma->vm_mm;
50506 + unsigned long address_m;
50507 + spinlock_t *ptl_m;
50508 + struct vm_area_struct *vma_m;
50510 + pte_t *pte_m, entry_m;
50512 + vma_m = pax_find_mirror_vma(vma);
50516 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50517 + address_m = address + SEGMEXEC_TASK_SIZE;
50518 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50519 + pte_m = pte_offset_map_nested(pmd_m, address_m);
50520 + ptl_m = pte_lockptr(mm, pmd_m);
50521 + if (ptl != ptl_m) {
50522 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50523 + if (!pte_none(*pte_m))
50527 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
50528 + set_pte_at(mm, address_m, pte_m, entry_m);
50530 + if (ptl != ptl_m)
50531 + spin_unlock(ptl_m);
50532 + pte_unmap_nested(pte_m);
50535 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
50537 + struct page *page_m;
50540 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
50544 + page_m = vm_normal_page(vma, address, entry);
50546 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
50547 + else if (PageAnon(page_m)) {
50548 + if (pax_find_mirror_vma(vma)) {
50549 + pte_unmap_unlock(pte, ptl);
50550 + lock_page(page_m);
50551 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
50552 + if (pte_same(entry, *pte))
50553 + pax_mirror_anon_pte(vma, address, page_m, ptl);
50555 + unlock_page(page_m);
50558 + pax_mirror_file_pte(vma, address, page_m, ptl);
50561 + pte_unmap_unlock(pte, ptl);
50566 * This routine handles present pages, when users try to write
50567 * to a shared page. It is done by copying the page to a new address
50568 @@ -2275,6 +2463,12 @@ gotten:
50570 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
50571 if (likely(pte_same(*page_table, orig_pte))) {
50573 +#ifdef CONFIG_PAX_SEGMEXEC
50574 + if (pax_find_mirror_vma(vma))
50575 + BUG_ON(!trylock_page(new_page));
50579 if (!PageAnon(old_page)) {
50580 dec_mm_counter_fast(mm, MM_FILEPAGES);
50581 @@ -2326,6 +2520,10 @@ gotten:
50582 page_remove_rmap(old_page);
50585 +#ifdef CONFIG_PAX_SEGMEXEC
50586 + pax_mirror_anon_pte(vma, address, new_page, ptl);
50589 /* Free the old page.. */
50590 new_page = old_page;
50591 ret |= VM_FAULT_WRITE;
50592 @@ -2734,6 +2932,11 @@ static int do_swap_page(struct mm_struct
50594 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
50595 try_to_free_swap(page);
50597 +#ifdef CONFIG_PAX_SEGMEXEC
50598 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
50603 if (flags & FAULT_FLAG_WRITE) {
50604 @@ -2745,6 +2948,11 @@ static int do_swap_page(struct mm_struct
50606 /* No need to invalidate - it was non-present before */
50607 update_mmu_cache(vma, address, page_table);
50609 +#ifdef CONFIG_PAX_SEGMEXEC
50610 + pax_mirror_anon_pte(vma, address, page, ptl);
50614 pte_unmap_unlock(page_table, ptl);
50616 @@ -2760,33 +2968,6 @@ out_release:
50620 - * This is like a special single-page "expand_downwards()",
50621 - * except we must first make sure that 'address-PAGE_SIZE'
50622 - * doesn't hit another vma.
50624 - * The "find_vma()" will do the right thing even if we wrap
50626 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
50628 - address &= PAGE_MASK;
50629 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
50630 - struct vm_area_struct *prev = vma->vm_prev;
50633 - * Is there a mapping abutting this one below?
50635 - * That's only ok if it's the same stack mapping
50636 - * that has gotten split..
50638 - if (prev && prev->vm_end == address)
50639 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
50641 - expand_stack(vma, address - PAGE_SIZE);
50647 * We enter with non-exclusive mmap_sem (to exclude vma changes,
50648 * but allow concurrent faults), and pte mapped but not yet locked.
50649 * We return with mmap_sem still held, but pte unmapped and unlocked.
50650 @@ -2795,27 +2976,23 @@ static int do_anonymous_page(struct mm_s
50651 unsigned long address, pte_t *page_table, pmd_t *pmd,
50652 unsigned int flags)
50654 - struct page *page;
50655 + struct page *page = NULL;
50659 - pte_unmap(page_table);
50661 - /* Check if we need to add a guard page to the stack */
50662 - if (check_stack_guard_page(vma, address) < 0)
50663 - return VM_FAULT_SIGBUS;
50665 - /* Use the zero-page for reads */
50666 if (!(flags & FAULT_FLAG_WRITE)) {
50667 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
50668 vma->vm_page_prot));
50669 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
50670 + ptl = pte_lockptr(mm, pmd);
50672 if (!pte_none(*page_table))
50677 /* Allocate our own private page. */
50678 + pte_unmap(page_table);
50680 if (unlikely(anon_vma_prepare(vma)))
50682 page = alloc_zeroed_user_highpage_movable(vma, address);
50683 @@ -2834,6 +3011,11 @@ static int do_anonymous_page(struct mm_s
50684 if (!pte_none(*page_table))
50687 +#ifdef CONFIG_PAX_SEGMEXEC
50688 + if (pax_find_mirror_vma(vma))
50689 + BUG_ON(!trylock_page(page));
50692 inc_mm_counter_fast(mm, MM_ANONPAGES);
50693 page_add_new_anon_rmap(page, vma, address);
50695 @@ -2841,6 +3023,12 @@ setpte:
50697 /* No need to invalidate - it was non-present before */
50698 update_mmu_cache(vma, address, page_table);
50700 +#ifdef CONFIG_PAX_SEGMEXEC
50702 + pax_mirror_anon_pte(vma, address, page, ptl);
50706 pte_unmap_unlock(page_table, ptl);
50708 @@ -2983,6 +3171,12 @@ static int __do_fault(struct mm_struct *
50710 /* Only go through if we didn't race with anybody else... */
50711 if (likely(pte_same(*page_table, orig_pte))) {
50713 +#ifdef CONFIG_PAX_SEGMEXEC
50714 + if (anon && pax_find_mirror_vma(vma))
50715 + BUG_ON(!trylock_page(page));
50718 flush_icache_page(vma, page);
50719 entry = mk_pte(page, vma->vm_page_prot);
50720 if (flags & FAULT_FLAG_WRITE)
50721 @@ -3002,6 +3196,14 @@ static int __do_fault(struct mm_struct *
50723 /* no need to invalidate: a not-present page won't be cached */
50724 update_mmu_cache(vma, address, page_table);
50726 +#ifdef CONFIG_PAX_SEGMEXEC
50728 + pax_mirror_anon_pte(vma, address, page, ptl);
50730 + pax_mirror_file_pte(vma, address, page, ptl);
50735 mem_cgroup_uncharge_page(page);
50736 @@ -3149,6 +3351,12 @@ static inline int handle_pte_fault(struc
50737 if (flags & FAULT_FLAG_WRITE)
50738 flush_tlb_page(vma, address);
50741 +#ifdef CONFIG_PAX_SEGMEXEC
50742 + pax_mirror_pte(vma, address, pte, pmd, ptl);
50747 pte_unmap_unlock(pte, ptl);
50749 @@ -3165,6 +3373,10 @@ int handle_mm_fault(struct mm_struct *mm
50753 +#ifdef CONFIG_PAX_SEGMEXEC
50754 + struct vm_area_struct *vma_m;
50757 __set_current_state(TASK_RUNNING);
50759 count_vm_event(PGFAULT);
50760 @@ -3175,6 +3387,34 @@ int handle_mm_fault(struct mm_struct *mm
50761 if (unlikely(is_vm_hugetlb_page(vma)))
50762 return hugetlb_fault(mm, vma, address, flags);
50764 +#ifdef CONFIG_PAX_SEGMEXEC
50765 + vma_m = pax_find_mirror_vma(vma);
50767 + unsigned long address_m;
50772 + if (vma->vm_start > vma_m->vm_start) {
50773 + address_m = address;
50774 + address -= SEGMEXEC_TASK_SIZE;
50777 + address_m = address + SEGMEXEC_TASK_SIZE;
50779 + pgd_m = pgd_offset(mm, address_m);
50780 + pud_m = pud_alloc(mm, pgd_m, address_m);
50782 + return VM_FAULT_OOM;
50783 + pmd_m = pmd_alloc(mm, pud_m, address_m);
50785 + return VM_FAULT_OOM;
50786 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
50787 + return VM_FAULT_OOM;
50788 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
50792 pgd = pgd_offset(mm, address);
50793 pud = pud_alloc(mm, pgd, address);
50795 @@ -3272,7 +3512,7 @@ static int __init gate_vma_init(void)
50796 gate_vma.vm_start = FIXADDR_USER_START;
50797 gate_vma.vm_end = FIXADDR_USER_END;
50798 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
50799 - gate_vma.vm_page_prot = __P101;
50800 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
50802 * Make sure the vDSO gets into every core dump.
50803 * Dumping its contents makes post-mortem fully interpretable later
50804 diff -urNp linux-2.6.35.4/mm/memory-failure.c linux-2.6.35.4/mm/memory-failure.c
50805 --- linux-2.6.35.4/mm/memory-failure.c 2010-08-26 19:47:12.000000000 -0400
50806 +++ linux-2.6.35.4/mm/memory-failure.c 2010-09-17 20:12:09.000000000 -0400
50807 @@ -51,7 +51,7 @@ int sysctl_memory_failure_early_kill __r
50809 int sysctl_memory_failure_recovery __read_mostly = 1;
50811 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
50812 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
50814 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
50816 @@ -939,7 +939,7 @@ int __memory_failure(unsigned long pfn,
50820 - atomic_long_add(1, &mce_bad_pages);
50821 + atomic_long_add_unchecked(1, &mce_bad_pages);
50824 * We need/can do nothing about count=0 pages.
50825 @@ -1003,7 +1003,7 @@ int __memory_failure(unsigned long pfn,
50827 if (hwpoison_filter(p)) {
50828 if (TestClearPageHWPoison(p))
50829 - atomic_long_dec(&mce_bad_pages);
50830 + atomic_long_dec_unchecked(&mce_bad_pages);
50834 @@ -1096,7 +1096,7 @@ int unpoison_memory(unsigned long pfn)
50836 if (!get_page_unless_zero(page)) {
50837 if (TestClearPageHWPoison(p))
50838 - atomic_long_dec(&mce_bad_pages);
50839 + atomic_long_dec_unchecked(&mce_bad_pages);
50840 pr_debug("MCE: Software-unpoisoned free page %#lx\n", pfn);
50843 @@ -1110,7 +1110,7 @@ int unpoison_memory(unsigned long pfn)
50845 if (TestClearPageHWPoison(p)) {
50846 pr_debug("MCE: Software-unpoisoned page %#lx\n", pfn);
50847 - atomic_long_dec(&mce_bad_pages);
50848 + atomic_long_dec_unchecked(&mce_bad_pages);
50852 @@ -1291,7 +1291,7 @@ int soft_offline_page(struct page *page,
50856 - atomic_long_add(1, &mce_bad_pages);
50857 + atomic_long_add_unchecked(1, &mce_bad_pages);
50858 SetPageHWPoison(page);
50859 /* keep elevated page count for bad page */
50861 diff -urNp linux-2.6.35.4/mm/mempolicy.c linux-2.6.35.4/mm/mempolicy.c
50862 --- linux-2.6.35.4/mm/mempolicy.c 2010-08-26 19:47:12.000000000 -0400
50863 +++ linux-2.6.35.4/mm/mempolicy.c 2010-09-17 20:12:37.000000000 -0400
50864 @@ -642,6 +642,10 @@ static int mbind_range(struct mm_struct
50865 unsigned long vmstart;
50866 unsigned long vmend;
50868 +#ifdef CONFIG_PAX_SEGMEXEC
50869 + struct vm_area_struct *vma_m;
50872 vma = find_vma_prev(mm, start, &prev);
50873 if (!vma || vma->vm_start > start)
50875 @@ -672,6 +676,16 @@ static int mbind_range(struct mm_struct
50876 err = policy_vma(vma, new_pol);
50880 +#ifdef CONFIG_PAX_SEGMEXEC
50881 + vma_m = pax_find_mirror_vma(vma);
50883 + err = policy_vma(vma_m, new_pol);
50892 @@ -1098,6 +1112,17 @@ static long do_mbind(unsigned long start
50897 +#ifdef CONFIG_PAX_SEGMEXEC
50898 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
50899 + if (end > SEGMEXEC_TASK_SIZE)
50904 + if (end > TASK_SIZE)
50910 @@ -1303,6 +1328,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
50914 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50915 + if (mm != current->mm &&
50916 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
50923 * Check if this process has the right to modify the specified
50924 * process. The right exists if the process has administrative
50925 @@ -1312,8 +1345,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
50927 tcred = __task_cred(task);
50928 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
50929 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
50930 - !capable(CAP_SYS_NICE)) {
50931 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
50935 @@ -2564,7 +2596,7 @@ int show_numa_map(struct seq_file *m, vo
50938 seq_printf(m, " file=");
50939 - seq_path(m, &file->f_path, "\n\t= ");
50940 + seq_path(m, &file->f_path, "\n\t\\= ");
50941 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
50942 seq_printf(m, " heap");
50943 } else if (vma->vm_start <= mm->start_stack &&
50944 diff -urNp linux-2.6.35.4/mm/migrate.c linux-2.6.35.4/mm/migrate.c
50945 --- linux-2.6.35.4/mm/migrate.c 2010-08-26 19:47:12.000000000 -0400
50946 +++ linux-2.6.35.4/mm/migrate.c 2010-09-17 20:12:37.000000000 -0400
50947 @@ -1102,6 +1102,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
50951 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50952 + if (mm != current->mm &&
50953 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
50960 * Check if this process has the right to modify the specified
50961 * process. The right exists if the process has administrative
50962 @@ -1111,8 +1119,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
50964 tcred = __task_cred(task);
50965 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
50966 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
50967 - !capable(CAP_SYS_NICE)) {
50968 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
50972 diff -urNp linux-2.6.35.4/mm/mlock.c linux-2.6.35.4/mm/mlock.c
50973 --- linux-2.6.35.4/mm/mlock.c 2010-08-26 19:47:12.000000000 -0400
50974 +++ linux-2.6.35.4/mm/mlock.c 2010-09-17 20:12:37.000000000 -0400
50976 #include <linux/pagemap.h>
50977 #include <linux/mempolicy.h>
50978 #include <linux/syscalls.h>
50979 +#include <linux/security.h>
50980 #include <linux/sched.h>
50981 #include <linux/module.h>
50982 #include <linux/rmap.h>
50983 @@ -135,19 +136,6 @@ void munlock_vma_page(struct page *page)
50987 -/* Is the vma a continuation of the stack vma above it? */
50988 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
50990 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
50993 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
50995 - return (vma->vm_flags & VM_GROWSDOWN) &&
50996 - (vma->vm_start == addr) &&
50997 - !vma_stack_continue(vma->vm_prev, addr);
51001 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
51003 @@ -180,12 +168,6 @@ static long __mlock_vma_pages_range(stru
51004 if (vma->vm_flags & VM_WRITE)
51005 gup_flags |= FOLL_WRITE;
51007 - /* We don't try to access the guard page of a stack vma */
51008 - if (stack_guard_page(vma, start)) {
51009 - addr += PAGE_SIZE;
51013 while (nr_pages > 0) {
51016 @@ -451,6 +433,9 @@ static int do_mlock(unsigned long start,
51020 + if (end > TASK_SIZE)
51023 vma = find_vma_prev(current->mm, start, &prev);
51024 if (!vma || vma->vm_start > start)
51026 @@ -461,6 +446,11 @@ static int do_mlock(unsigned long start,
51027 for (nstart = start ; ; ) {
51028 unsigned int newflags;
51030 +#ifdef CONFIG_PAX_SEGMEXEC
51031 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
51035 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
51037 newflags = vma->vm_flags | VM_LOCKED;
51038 @@ -510,6 +500,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
51039 lock_limit >>= PAGE_SHIFT;
51041 /* check against resource limits */
51042 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
51043 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
51044 error = do_mlock(start, len, 1);
51045 up_write(¤t->mm->mmap_sem);
51046 @@ -531,17 +522,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
51047 static int do_mlockall(int flags)
51049 struct vm_area_struct * vma, * prev = NULL;
51050 - unsigned int def_flags = 0;
51052 if (flags & MCL_FUTURE)
51053 - def_flags = VM_LOCKED;
51054 - current->mm->def_flags = def_flags;
51055 + current->mm->def_flags |= VM_LOCKED;
51057 + current->mm->def_flags &= ~VM_LOCKED;
51058 if (flags == MCL_FUTURE)
51061 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
51062 - unsigned int newflags;
51063 + unsigned long newflags;
51065 +#ifdef CONFIG_PAX_SEGMEXEC
51066 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
51070 + BUG_ON(vma->vm_end > TASK_SIZE);
51071 newflags = vma->vm_flags | VM_LOCKED;
51072 if (!(flags & MCL_CURRENT))
51073 newflags &= ~VM_LOCKED;
51074 @@ -573,6 +570,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
51075 lock_limit >>= PAGE_SHIFT;
51078 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
51079 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
51080 capable(CAP_IPC_LOCK))
51081 ret = do_mlockall(flags);
51082 diff -urNp linux-2.6.35.4/mm/mmap.c linux-2.6.35.4/mm/mmap.c
51083 --- linux-2.6.35.4/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
51084 +++ linux-2.6.35.4/mm/mmap.c 2010-09-17 20:12:37.000000000 -0400
51086 #define arch_rebalance_pgtables(addr, len) (addr)
51089 +static inline void verify_mm_writelocked(struct mm_struct *mm)
51091 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
51092 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
51093 + up_read(&mm->mmap_sem);
51099 static void unmap_region(struct mm_struct *mm,
51100 struct vm_area_struct *vma, struct vm_area_struct *prev,
51101 unsigned long start, unsigned long end);
51102 @@ -69,22 +79,32 @@ static void unmap_region(struct mm_struc
51103 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
51106 -pgprot_t protection_map[16] = {
51107 +pgprot_t protection_map[16] __read_only = {
51108 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
51109 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
51112 pgprot_t vm_get_page_prot(unsigned long vm_flags)
51114 - return __pgprot(pgprot_val(protection_map[vm_flags &
51115 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
51116 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
51117 pgprot_val(arch_vm_get_page_prot(vm_flags)));
51119 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51120 + if (!(__supported_pte_mask & _PAGE_NX) &&
51121 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
51122 + (vm_flags & (VM_READ | VM_WRITE)))
51123 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
51128 EXPORT_SYMBOL(vm_get_page_prot);
51130 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
51131 int sysctl_overcommit_ratio = 50; /* default is 50% */
51132 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
51133 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
51134 struct percpu_counter vm_committed_as;
51137 @@ -230,6 +250,7 @@ static struct vm_area_struct *remove_vma
51138 struct vm_area_struct *next = vma->vm_next;
51141 + BUG_ON(vma->vm_mirror);
51142 if (vma->vm_ops && vma->vm_ops->close)
51143 vma->vm_ops->close(vma);
51144 if (vma->vm_file) {
51145 @@ -266,6 +287,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
51146 * not page aligned -Ram Gupta
51148 rlim = rlimit(RLIMIT_DATA);
51149 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
51150 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
51151 (mm->end_data - mm->start_data) > rlim)
51153 @@ -695,6 +717,12 @@ static int
51154 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
51155 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
51158 +#ifdef CONFIG_PAX_SEGMEXEC
51159 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
51163 if (is_mergeable_vma(vma, file, vm_flags) &&
51164 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
51165 if (vma->vm_pgoff == vm_pgoff)
51166 @@ -714,6 +742,12 @@ static int
51167 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
51168 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
51171 +#ifdef CONFIG_PAX_SEGMEXEC
51172 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
51176 if (is_mergeable_vma(vma, file, vm_flags) &&
51177 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
51179 @@ -756,13 +790,20 @@ can_vma_merge_after(struct vm_area_struc
51180 struct vm_area_struct *vma_merge(struct mm_struct *mm,
51181 struct vm_area_struct *prev, unsigned long addr,
51182 unsigned long end, unsigned long vm_flags,
51183 - struct anon_vma *anon_vma, struct file *file,
51184 + struct anon_vma *anon_vma, struct file *file,
51185 pgoff_t pgoff, struct mempolicy *policy)
51187 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
51188 struct vm_area_struct *area, *next;
51191 +#ifdef CONFIG_PAX_SEGMEXEC
51192 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
51193 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
51195 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
51199 * We later require that vma->vm_flags == vm_flags,
51200 * so this tests vma->vm_flags & VM_SPECIAL, too.
51201 @@ -778,6 +819,15 @@ struct vm_area_struct *vma_merge(struct
51202 if (next && next->vm_end == end) /* cases 6, 7, 8 */
51203 next = next->vm_next;
51205 +#ifdef CONFIG_PAX_SEGMEXEC
51207 + prev_m = pax_find_mirror_vma(prev);
51209 + area_m = pax_find_mirror_vma(area);
51211 + next_m = pax_find_mirror_vma(next);
51215 * Can it merge with the predecessor?
51217 @@ -797,9 +847,24 @@ struct vm_area_struct *vma_merge(struct
51219 err = vma_adjust(prev, prev->vm_start,
51220 next->vm_end, prev->vm_pgoff, NULL);
51221 - } else /* cases 2, 5, 7 */
51223 +#ifdef CONFIG_PAX_SEGMEXEC
51224 + if (!err && prev_m)
51225 + err = vma_adjust(prev_m, prev_m->vm_start,
51226 + next_m->vm_end, prev_m->vm_pgoff, NULL);
51229 + } else { /* cases 2, 5, 7 */
51230 err = vma_adjust(prev, prev->vm_start,
51231 end, prev->vm_pgoff, NULL);
51233 +#ifdef CONFIG_PAX_SEGMEXEC
51234 + if (!err && prev_m)
51235 + err = vma_adjust(prev_m, prev_m->vm_start,
51236 + end_m, prev_m->vm_pgoff, NULL);
51243 @@ -812,12 +877,27 @@ struct vm_area_struct *vma_merge(struct
51244 mpol_equal(policy, vma_policy(next)) &&
51245 can_vma_merge_before(next, vm_flags,
51246 anon_vma, file, pgoff+pglen)) {
51247 - if (prev && addr < prev->vm_end) /* case 4 */
51248 + if (prev && addr < prev->vm_end) { /* case 4 */
51249 err = vma_adjust(prev, prev->vm_start,
51250 addr, prev->vm_pgoff, NULL);
51251 - else /* cases 3, 8 */
51253 +#ifdef CONFIG_PAX_SEGMEXEC
51254 + if (!err && prev_m)
51255 + err = vma_adjust(prev_m, prev_m->vm_start,
51256 + addr_m, prev_m->vm_pgoff, NULL);
51259 + } else { /* cases 3, 8 */
51260 err = vma_adjust(area, addr, next->vm_end,
51261 next->vm_pgoff - pglen, NULL);
51263 +#ifdef CONFIG_PAX_SEGMEXEC
51264 + if (!err && area_m)
51265 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
51266 + next_m->vm_pgoff - pglen, NULL);
51273 @@ -932,14 +1012,11 @@ none:
51274 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
51275 struct file *file, long pages)
51277 - const unsigned long stack_flags
51278 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
51281 mm->shared_vm += pages;
51282 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
51283 mm->exec_vm += pages;
51284 - } else if (flags & stack_flags)
51285 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
51286 mm->stack_vm += pages;
51287 if (flags & (VM_RESERVED|VM_IO))
51288 mm->reserved_vm += pages;
51289 @@ -966,7 +1043,7 @@ unsigned long do_mmap_pgoff(struct file
51290 * (the exception is when the underlying filesystem is noexec
51291 * mounted, in which case we dont add PROT_EXEC.)
51293 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
51294 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
51295 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
51298 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
51299 /* Obtain the address to map to. we verify (or select) it and ensure
51300 * that it represents a valid section of the address space.
51302 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
51303 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
51304 if (addr & ~PAGE_MASK)
51307 @@ -1003,6 +1080,28 @@ unsigned long do_mmap_pgoff(struct file
51308 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
51309 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
51311 +#ifdef CONFIG_PAX_MPROTECT
51312 + if (mm->pax_flags & MF_PAX_MPROTECT) {
51313 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
51315 +#ifdef CONFIG_PAX_EMUPLT
51316 + vm_flags &= ~VM_EXEC;
51321 + if (!(vm_flags & VM_EXEC))
51322 + vm_flags &= ~VM_MAYEXEC;
51324 + vm_flags &= ~VM_MAYWRITE;
51328 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51329 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
51330 + vm_flags &= ~VM_PAGEEXEC;
51333 if (flags & MAP_LOCKED)
51334 if (!can_do_mlock())
51336 @@ -1014,6 +1113,7 @@ unsigned long do_mmap_pgoff(struct file
51337 locked += mm->locked_vm;
51338 lock_limit = rlimit(RLIMIT_MEMLOCK);
51339 lock_limit >>= PAGE_SHIFT;
51340 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
51341 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
51344 @@ -1084,6 +1184,9 @@ unsigned long do_mmap_pgoff(struct file
51348 + if (!gr_acl_handle_mmap(file, prot))
51351 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
51353 EXPORT_SYMBOL(do_mmap_pgoff);
51354 @@ -1160,10 +1263,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
51356 int vma_wants_writenotify(struct vm_area_struct *vma)
51358 - unsigned int vm_flags = vma->vm_flags;
51359 + unsigned long vm_flags = vma->vm_flags;
51361 /* If it was private or non-writable, the write bit is already clear */
51362 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
51363 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
51366 /* The backer wishes to know when pages are first written to? */
51367 @@ -1212,14 +1315,24 @@ unsigned long mmap_region(struct file *f
51368 unsigned long charged = 0;
51369 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
51371 +#ifdef CONFIG_PAX_SEGMEXEC
51372 + struct vm_area_struct *vma_m = NULL;
51376 + * mm->mmap_sem is required to protect against another thread
51377 + * changing the mappings in case we sleep.
51379 + verify_mm_writelocked(mm);
51381 /* Clear old maps */
51384 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
51385 if (vma && vma->vm_start < addr + len) {
51386 if (do_munmap(mm, addr, len))
51388 - goto munmap_back;
51389 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
51390 + BUG_ON(vma && vma->vm_start < addr + len);
51393 /* Check against address space limit. */
51394 @@ -1268,6 +1381,16 @@ munmap_back:
51398 +#ifdef CONFIG_PAX_SEGMEXEC
51399 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
51400 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
51409 vma->vm_start = addr;
51410 vma->vm_end = addr + len;
51411 @@ -1291,6 +1414,19 @@ munmap_back:
51412 error = file->f_op->mmap(file, vma);
51414 goto unmap_and_free_vma;
51416 +#ifdef CONFIG_PAX_SEGMEXEC
51417 + if (vma_m && (vm_flags & VM_EXECUTABLE))
51418 + added_exe_file_vma(mm);
51421 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51422 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
51423 + vma->vm_flags |= VM_PAGEEXEC;
51424 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
51428 if (vm_flags & VM_EXECUTABLE)
51429 added_exe_file_vma(mm);
51431 @@ -1326,6 +1462,11 @@ munmap_back:
51432 vma_link(mm, vma, prev, rb_link, rb_parent);
51433 file = vma->vm_file;
51435 +#ifdef CONFIG_PAX_SEGMEXEC
51437 + BUG_ON(pax_mirror_vma(vma_m, vma));
51440 /* Once vma denies write, undo our temporary denial count */
51441 if (correct_wcount)
51442 atomic_inc(&inode->i_writecount);
51443 @@ -1334,6 +1475,7 @@ out:
51445 mm->total_vm += len >> PAGE_SHIFT;
51446 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
51447 + track_exec_limit(mm, addr, addr + len, vm_flags);
51448 if (vm_flags & VM_LOCKED) {
51449 if (!mlock_vma_pages_range(vma, addr, addr + len))
51450 mm->locked_vm += (len >> PAGE_SHIFT);
51451 @@ -1351,6 +1493,12 @@ unmap_and_free_vma:
51452 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
51456 +#ifdef CONFIG_PAX_SEGMEXEC
51458 + kmem_cache_free(vm_area_cachep, vma_m);
51461 kmem_cache_free(vm_area_cachep, vma);
51464 @@ -1358,6 +1506,33 @@ unacct_error:
51468 +bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len)
51471 +#ifdef CONFIG_STACK_GROWSUP
51472 + if (addr > sysctl_heap_stack_gap)
51473 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
51475 + vma = find_vma(current->mm, 0);
51476 + if (vma && (vma->vm_flags & VM_GROWSUP))
51482 + if (addr + len > vma->vm_start)
51485 + if (vma->vm_flags & VM_GROWSDOWN)
51486 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
51487 +#ifdef CONFIG_STACK_GROWSUP
51488 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
51489 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
51495 /* Get an address range which is currently unmapped.
51496 * For shmat() with addr=0.
51498 @@ -1384,18 +1559,23 @@ arch_get_unmapped_area(struct file *filp
51499 if (flags & MAP_FIXED)
51502 +#ifdef CONFIG_PAX_RANDMMAP
51503 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
51507 addr = PAGE_ALIGN(addr);
51508 - vma = find_vma(mm, addr);
51509 - if (TASK_SIZE - len >= addr &&
51510 - (!vma || addr + len <= vma->vm_start))
51512 + if (TASK_SIZE - len >= addr) {
51513 + vma = find_vma(mm, addr);
51514 + if (check_heap_stack_gap(vma, addr, len))
51518 if (len > mm->cached_hole_size) {
51519 - start_addr = addr = mm->free_area_cache;
51520 + start_addr = addr = mm->free_area_cache;
51522 - start_addr = addr = TASK_UNMAPPED_BASE;
51523 - mm->cached_hole_size = 0;
51524 + start_addr = addr = mm->mmap_base;
51525 + mm->cached_hole_size = 0;
51529 @@ -1406,34 +1586,40 @@ full_search:
51530 * Start a new search - just in case we missed
51533 - if (start_addr != TASK_UNMAPPED_BASE) {
51534 - addr = TASK_UNMAPPED_BASE;
51535 - start_addr = addr;
51536 + if (start_addr != mm->mmap_base) {
51537 + start_addr = addr = mm->mmap_base;
51538 mm->cached_hole_size = 0;
51543 - if (!vma || addr + len <= vma->vm_start) {
51545 - * Remember the place where we stopped the search:
51547 - mm->free_area_cache = addr + len;
51550 + if (check_heap_stack_gap(vma, addr, len))
51552 if (addr + mm->cached_hole_size < vma->vm_start)
51553 mm->cached_hole_size = vma->vm_start - addr;
51554 addr = vma->vm_end;
51558 + * Remember the place where we stopped the search:
51560 + mm->free_area_cache = addr + len;
51565 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
51568 +#ifdef CONFIG_PAX_SEGMEXEC
51569 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
51574 * Is this a new hole at the lowest possible address?
51576 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
51577 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
51578 mm->free_area_cache = addr;
51579 mm->cached_hole_size = ~0UL;
51581 @@ -1451,7 +1637,7 @@ arch_get_unmapped_area_topdown(struct fi
51583 struct vm_area_struct *vma;
51584 struct mm_struct *mm = current->mm;
51585 - unsigned long addr = addr0;
51586 + unsigned long base = mm->mmap_base, addr = addr0;
51588 /* requested length too big for entire address space */
51589 if (len > TASK_SIZE)
51590 @@ -1460,13 +1646,18 @@ arch_get_unmapped_area_topdown(struct fi
51591 if (flags & MAP_FIXED)
51594 +#ifdef CONFIG_PAX_RANDMMAP
51595 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
51598 /* requesting a specific address */
51600 addr = PAGE_ALIGN(addr);
51601 - vma = find_vma(mm, addr);
51602 - if (TASK_SIZE - len >= addr &&
51603 - (!vma || addr + len <= vma->vm_start))
51605 + if (TASK_SIZE - len >= addr) {
51606 + vma = find_vma(mm, addr);
51607 + if (check_heap_stack_gap(vma, addr, len))
51612 /* check if free_area_cache is useful for us */
51613 @@ -1481,7 +1672,7 @@ arch_get_unmapped_area_topdown(struct fi
51614 /* make sure it can fit in the remaining address space */
51616 vma = find_vma(mm, addr-len);
51617 - if (!vma || addr <= vma->vm_start)
51618 + if (check_heap_stack_gap(vma, addr - len, len))
51619 /* remember the address as a hint for next time */
51620 return (mm->free_area_cache = addr-len);
51622 @@ -1498,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi
51623 * return with success:
51625 vma = find_vma(mm, addr);
51626 - if (!vma || addr+len <= vma->vm_start)
51627 + if (check_heap_stack_gap(vma, addr, len))
51628 /* remember the address as a hint for next time */
51629 return (mm->free_area_cache = addr);
51631 @@ -1517,13 +1708,21 @@ bottomup:
51632 * can happen with large stack limits and large mmap()
51635 + mm->mmap_base = TASK_UNMAPPED_BASE;
51637 +#ifdef CONFIG_PAX_RANDMMAP
51638 + if (mm->pax_flags & MF_PAX_RANDMMAP)
51639 + mm->mmap_base += mm->delta_mmap;
51642 + mm->free_area_cache = mm->mmap_base;
51643 mm->cached_hole_size = ~0UL;
51644 - mm->free_area_cache = TASK_UNMAPPED_BASE;
51645 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
51647 * Restore the topdown base:
51649 - mm->free_area_cache = mm->mmap_base;
51650 + mm->mmap_base = base;
51651 + mm->free_area_cache = base;
51652 mm->cached_hole_size = ~0UL;
51655 @@ -1532,6 +1731,12 @@ bottomup:
51657 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
51660 +#ifdef CONFIG_PAX_SEGMEXEC
51661 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
51666 * Is this a new hole at the highest possible address?
51668 @@ -1539,8 +1744,10 @@ void arch_unmap_area_topdown(struct mm_s
51669 mm->free_area_cache = addr;
51671 /* dont allow allocations above current base */
51672 - if (mm->free_area_cache > mm->mmap_base)
51673 + if (mm->free_area_cache > mm->mmap_base) {
51674 mm->free_area_cache = mm->mmap_base;
51675 + mm->cached_hole_size = ~0UL;
51680 @@ -1648,6 +1855,34 @@ out:
51681 return prev ? prev->vm_next : vma;
51684 +#ifdef CONFIG_PAX_SEGMEXEC
51685 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
51687 + struct vm_area_struct *vma_m;
51689 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
51690 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
51691 + BUG_ON(vma->vm_mirror);
51694 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
51695 + vma_m = vma->vm_mirror;
51696 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
51697 + BUG_ON(vma->vm_file != vma_m->vm_file);
51698 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
51699 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
51700 + if (vma->anon_vma != vma_m->anon_vma) {
51701 + struct anon_vma_chain *avc, *avc_m;
51703 + avc = list_entry(vma->anon_vma_chain.prev, struct anon_vma_chain, same_vma);
51704 + avc_m = list_entry(vma_m->anon_vma_chain.prev, struct anon_vma_chain, same_vma);
51705 + BUG_ON(avc->anon_vma != avc_m->anon_vma);
51707 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
51713 * Verify that the stack growth is acceptable and
51714 * update accounting. This is shared with both the
51715 @@ -1664,6 +1899,7 @@ static int acct_stack_growth(struct vm_a
51718 /* Stack limit test */
51719 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
51720 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
51723 @@ -1674,6 +1910,7 @@ static int acct_stack_growth(struct vm_a
51724 locked = mm->locked_vm + grow;
51725 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
51726 limit >>= PAGE_SHIFT;
51727 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
51728 if (locked > limit && !capable(CAP_IPC_LOCK))
51731 @@ -1709,35 +1946,42 @@ static
51733 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
51736 + int error, locknext;
51738 if (!(vma->vm_flags & VM_GROWSUP))
51741 + /* Also guard against wrapping around to address 0. */
51742 + if (address < PAGE_ALIGN(address+1))
51743 + address = PAGE_ALIGN(address+1);
51748 * We must make sure the anon_vma is allocated
51749 * so that the anon_vma locking is not a noop.
51751 if (unlikely(anon_vma_prepare(vma)))
51753 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
51754 + if (locknext && anon_vma_prepare(vma->vm_next))
51756 anon_vma_lock(vma);
51758 + anon_vma_lock(vma->vm_next);
51761 * vma->vm_start/vm_end cannot change under us because the caller
51762 * is required to hold the mmap_sem in read mode. We need the
51763 - * anon_vma lock to serialize against concurrent expand_stacks.
51764 - * Also guard against wrapping around to address 0.
51765 + * anon_vma locks to serialize against concurrent expand_stacks
51766 + * and expand_upwards.
51768 - if (address < PAGE_ALIGN(address+4))
51769 - address = PAGE_ALIGN(address+4);
51771 - anon_vma_unlock(vma);
51776 /* Somebody else might have raced and expanded it already */
51777 - if (address > vma->vm_end) {
51778 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
51780 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
51781 unsigned long size, grow;
51783 size = address - vma->vm_start;
51784 @@ -1747,6 +1991,8 @@ int expand_upwards(struct vm_area_struct
51786 vma->vm_end = address;
51789 + anon_vma_unlock(vma->vm_next);
51790 anon_vma_unlock(vma);
51793 @@ -1758,7 +2004,8 @@ int expand_upwards(struct vm_area_struct
51794 static int expand_downwards(struct vm_area_struct *vma,
51795 unsigned long address)
51798 + int error, lockprev = 0;
51799 + struct vm_area_struct *prev;
51802 * We must make sure the anon_vma is allocated
51803 @@ -1772,6 +2019,15 @@ static int expand_downwards(struct vm_ar
51807 + prev = vma->vm_prev;
51808 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
51809 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
51811 + if (lockprev && anon_vma_prepare(prev))
51814 + anon_vma_lock(prev);
51816 anon_vma_lock(vma);
51819 @@ -1781,9 +2037,17 @@ static int expand_downwards(struct vm_ar
51822 /* Somebody else might have raced and expanded it already */
51823 - if (address < vma->vm_start) {
51824 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
51826 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
51827 unsigned long size, grow;
51829 +#ifdef CONFIG_PAX_SEGMEXEC
51830 + struct vm_area_struct *vma_m;
51832 + vma_m = pax_find_mirror_vma(vma);
51835 size = vma->vm_end - address;
51836 grow = (vma->vm_start - address) >> PAGE_SHIFT;
51838 @@ -1791,9 +2055,20 @@ static int expand_downwards(struct vm_ar
51840 vma->vm_start = address;
51841 vma->vm_pgoff -= grow;
51842 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
51844 +#ifdef CONFIG_PAX_SEGMEXEC
51846 + vma_m->vm_start -= grow << PAGE_SHIFT;
51847 + vma_m->vm_pgoff -= grow;
51853 anon_vma_unlock(vma);
51855 + anon_vma_unlock(prev);
51859 @@ -1867,6 +2142,13 @@ static void remove_vma_list(struct mm_st
51861 long nrpages = vma_pages(vma);
51863 +#ifdef CONFIG_PAX_SEGMEXEC
51864 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
51865 + vma = remove_vma(vma);
51870 mm->total_vm -= nrpages;
51871 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
51872 vma = remove_vma(vma);
51873 @@ -1912,6 +2194,16 @@ detach_vmas_to_be_unmapped(struct mm_str
51874 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
51875 vma->vm_prev = NULL;
51878 +#ifdef CONFIG_PAX_SEGMEXEC
51879 + if (vma->vm_mirror) {
51880 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
51881 + vma->vm_mirror->vm_mirror = NULL;
51882 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
51883 + vma->vm_mirror = NULL;
51887 rb_erase(&vma->vm_rb, &mm->mm_rb);
51890 @@ -1940,14 +2232,33 @@ static int __split_vma(struct mm_struct
51891 struct vm_area_struct *new;
51894 +#ifdef CONFIG_PAX_SEGMEXEC
51895 + struct vm_area_struct *vma_m, *new_m = NULL;
51896 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
51899 if (is_vm_hugetlb_page(vma) && (addr &
51900 ~(huge_page_mask(hstate_vma(vma)))))
51903 +#ifdef CONFIG_PAX_SEGMEXEC
51904 + vma_m = pax_find_mirror_vma(vma);
51907 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
51911 +#ifdef CONFIG_PAX_SEGMEXEC
51913 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
51915 + kmem_cache_free(vm_area_cachep, new);
51921 /* most fields are the same, copy all, and then fixup */
51924 @@ -1960,6 +2271,22 @@ static int __split_vma(struct mm_struct
51925 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
51928 +#ifdef CONFIG_PAX_SEGMEXEC
51931 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
51932 + new_m->vm_mirror = new;
51933 + new->vm_mirror = new_m;
51936 + new_m->vm_end = addr_m;
51938 + new_m->vm_start = addr_m;
51939 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
51944 pol = mpol_dup(vma_policy(vma));
51946 err = PTR_ERR(pol);
51947 @@ -1985,6 +2312,42 @@ static int __split_vma(struct mm_struct
51949 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
51951 +#ifdef CONFIG_PAX_SEGMEXEC
51952 + if (!err && vma_m) {
51953 + if (anon_vma_clone(new_m, vma_m))
51954 + goto out_free_mpol;
51957 + vma_set_policy(new_m, pol);
51959 + if (new_m->vm_file) {
51960 + get_file(new_m->vm_file);
51961 + if (vma_m->vm_flags & VM_EXECUTABLE)
51962 + added_exe_file_vma(mm);
51965 + if (new_m->vm_ops && new_m->vm_ops->open)
51966 + new_m->vm_ops->open(new_m);
51969 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
51970 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
51972 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
51975 + if (new_m->vm_ops && new_m->vm_ops->close)
51976 + new_m->vm_ops->close(new_m);
51977 + if (new_m->vm_file) {
51978 + if (vma_m->vm_flags & VM_EXECUTABLE)
51979 + removed_exe_file_vma(mm);
51980 + fput(new_m->vm_file);
51990 @@ -2000,6 +2363,15 @@ static int __split_vma(struct mm_struct
51995 +#ifdef CONFIG_PAX_SEGMEXEC
51997 + unlink_anon_vmas(new_m);
51998 + kmem_cache_free(vm_area_cachep, new_m);
52002 + unlink_anon_vmas(new);
52003 kmem_cache_free(vm_area_cachep, new);
52006 @@ -2012,6 +2384,15 @@ static int __split_vma(struct mm_struct
52007 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
52008 unsigned long addr, int new_below)
52011 +#ifdef CONFIG_PAX_SEGMEXEC
52012 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
52013 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
52014 + if (mm->map_count >= sysctl_max_map_count-1)
52019 if (mm->map_count >= sysctl_max_map_count)
52022 @@ -2023,11 +2404,30 @@ int split_vma(struct mm_struct *mm, stru
52023 * work. This now handles partial unmappings.
52024 * Jeremy Fitzhardinge <jeremy@goop.org>
52026 +#ifdef CONFIG_PAX_SEGMEXEC
52027 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52029 + int ret = __do_munmap(mm, start, len);
52030 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
52033 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
52036 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52038 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52042 struct vm_area_struct *vma, *prev, *last;
52045 + * mm->mmap_sem is required to protect against another thread
52046 + * changing the mappings in case we sleep.
52048 + verify_mm_writelocked(mm);
52050 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
52053 @@ -2101,6 +2501,8 @@ int do_munmap(struct mm_struct *mm, unsi
52054 /* Fix up all other VM information */
52055 remove_vma_list(mm, vma);
52057 + track_exec_limit(mm, start, end, 0UL);
52062 @@ -2113,22 +2515,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
52064 profile_munmap(addr);
52066 +#ifdef CONFIG_PAX_SEGMEXEC
52067 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
52068 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
52072 down_write(&mm->mmap_sem);
52073 ret = do_munmap(mm, addr, len);
52074 up_write(&mm->mmap_sem);
52078 -static inline void verify_mm_writelocked(struct mm_struct *mm)
52080 -#ifdef CONFIG_DEBUG_VM
52081 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
52083 - up_read(&mm->mmap_sem);
52089 * this is really a simplified "do_mmap". it only handles
52090 * anonymous maps. eventually we may be able to do some
52091 @@ -2142,6 +2540,7 @@ unsigned long do_brk(unsigned long addr,
52092 struct rb_node ** rb_link, * rb_parent;
52093 pgoff_t pgoff = addr >> PAGE_SHIFT;
52095 + unsigned long charged;
52097 len = PAGE_ALIGN(len);
52099 @@ -2153,16 +2552,30 @@ unsigned long do_brk(unsigned long addr,
52101 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
52103 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
52104 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
52105 + flags &= ~VM_EXEC;
52107 +#ifdef CONFIG_PAX_MPROTECT
52108 + if (mm->pax_flags & MF_PAX_MPROTECT)
52109 + flags &= ~VM_MAYEXEC;
52115 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
52116 if (error & ~PAGE_MASK)
52119 + charged = len >> PAGE_SHIFT;
52122 * mlock MCL_FUTURE?
52124 if (mm->def_flags & VM_LOCKED) {
52125 unsigned long locked, lock_limit;
52126 - locked = len >> PAGE_SHIFT;
52127 + locked = charged;
52128 locked += mm->locked_vm;
52129 lock_limit = rlimit(RLIMIT_MEMLOCK);
52130 lock_limit >>= PAGE_SHIFT;
52131 @@ -2179,22 +2592,22 @@ unsigned long do_brk(unsigned long addr,
52133 * Clear old maps. this also does some error checking for us
52136 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52137 if (vma && vma->vm_start < addr + len) {
52138 if (do_munmap(mm, addr, len))
52140 - goto munmap_back;
52141 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52142 + BUG_ON(vma && vma->vm_start < addr + len);
52145 /* Check against address space limits *after* clearing old maps... */
52146 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
52147 + if (!may_expand_vm(mm, charged))
52150 if (mm->map_count > sysctl_max_map_count)
52153 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
52154 + if (security_vm_enough_memory(charged))
52157 /* Can we just expand an old private anonymous mapping? */
52158 @@ -2208,7 +2621,7 @@ unsigned long do_brk(unsigned long addr,
52160 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52162 - vm_unacct_memory(len >> PAGE_SHIFT);
52163 + vm_unacct_memory(charged);
52167 @@ -2221,11 +2634,12 @@ unsigned long do_brk(unsigned long addr,
52168 vma->vm_page_prot = vm_get_page_prot(flags);
52169 vma_link(mm, vma, prev, rb_link, rb_parent);
52171 - mm->total_vm += len >> PAGE_SHIFT;
52172 + mm->total_vm += charged;
52173 if (flags & VM_LOCKED) {
52174 if (!mlock_vma_pages_range(vma, addr, addr + len))
52175 - mm->locked_vm += (len >> PAGE_SHIFT);
52176 + mm->locked_vm += charged;
52178 + track_exec_limit(mm, addr, addr + len, flags);
52182 @@ -2272,8 +2686,10 @@ void exit_mmap(struct mm_struct *mm)
52183 * Walk the list again, actually closing and freeing it,
52184 * with preemption enabled, without holding any MM locks.
52188 + vma->vm_mirror = NULL;
52189 vma = remove_vma(vma);
52192 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
52194 @@ -2287,6 +2703,10 @@ int insert_vm_struct(struct mm_struct *
52195 struct vm_area_struct * __vma, * prev;
52196 struct rb_node ** rb_link, * rb_parent;
52198 +#ifdef CONFIG_PAX_SEGMEXEC
52199 + struct vm_area_struct *vma_m = NULL;
52203 * The vm_pgoff of a purely anonymous vma should be irrelevant
52204 * until its first write fault, when page's anon_vma and index
52205 @@ -2309,7 +2729,22 @@ int insert_vm_struct(struct mm_struct *
52206 if ((vma->vm_flags & VM_ACCOUNT) &&
52207 security_vm_enough_memory_mm(mm, vma_pages(vma)))
52210 +#ifdef CONFIG_PAX_SEGMEXEC
52211 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
52212 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52218 vma_link(mm, vma, prev, rb_link, rb_parent);
52220 +#ifdef CONFIG_PAX_SEGMEXEC
52222 + BUG_ON(pax_mirror_vma(vma_m, vma));
52228 @@ -2327,6 +2762,8 @@ struct vm_area_struct *copy_vma(struct v
52229 struct rb_node **rb_link, *rb_parent;
52230 struct mempolicy *pol;
52232 + BUG_ON(vma->vm_mirror);
52235 * If anonymous vma has not yet been faulted, update new pgoff
52236 * to match new location, to increase its chance of merging.
52237 @@ -2376,6 +2813,39 @@ struct vm_area_struct *copy_vma(struct v
52238 kmem_cache_free(vm_area_cachep, new_vma);
52242 +#ifdef CONFIG_PAX_SEGMEXEC
52243 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
52245 + struct vm_area_struct *prev_m;
52246 + struct rb_node **rb_link_m, *rb_parent_m;
52247 + struct mempolicy *pol_m;
52249 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
52250 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
52251 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
52253 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
52254 + if (anon_vma_clone(vma_m, vma))
52256 + pol_m = vma_policy(vma_m);
52258 + vma_set_policy(vma_m, pol_m);
52259 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
52260 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
52261 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
52262 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
52263 + if (vma_m->vm_file)
52264 + get_file(vma_m->vm_file);
52265 + if (vma_m->vm_ops && vma_m->vm_ops->open)
52266 + vma_m->vm_ops->open(vma_m);
52267 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
52268 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
52269 + vma_m->vm_mirror = vma;
52270 + vma->vm_mirror = vma_m;
52276 * Return true if the calling process may expand its vm space by the passed
52277 @@ -2387,7 +2857,7 @@ int may_expand_vm(struct mm_struct *mm,
52280 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
52282 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
52283 if (cur + npages > lim)
52286 @@ -2457,6 +2927,17 @@ int install_special_mapping(struct mm_st
52287 vma->vm_start = addr;
52288 vma->vm_end = addr + len;
52290 +#ifdef CONFIG_PAX_MPROTECT
52291 + if (mm->pax_flags & MF_PAX_MPROTECT) {
52292 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
52294 + if (!(vm_flags & VM_EXEC))
52295 + vm_flags &= ~VM_MAYEXEC;
52297 + vm_flags &= ~VM_MAYWRITE;
52301 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
52302 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
52304 diff -urNp linux-2.6.35.4/mm/mprotect.c linux-2.6.35.4/mm/mprotect.c
52305 --- linux-2.6.35.4/mm/mprotect.c 2010-08-26 19:47:12.000000000 -0400
52306 +++ linux-2.6.35.4/mm/mprotect.c 2010-09-17 20:12:37.000000000 -0400
52307 @@ -23,10 +23,16 @@
52308 #include <linux/mmu_notifier.h>
52309 #include <linux/migrate.h>
52310 #include <linux/perf_event.h>
52312 +#ifdef CONFIG_PAX_MPROTECT
52313 +#include <linux/elf.h>
52316 #include <asm/uaccess.h>
52317 #include <asm/pgtable.h>
52318 #include <asm/cacheflush.h>
52319 #include <asm/tlbflush.h>
52320 +#include <asm/mmu_context.h>
52322 #ifndef pgprot_modify
52323 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
52324 @@ -131,6 +137,48 @@ static void change_protection(struct vm_
52325 flush_tlb_range(vma, start, end);
52328 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52329 +/* called while holding the mmap semaphor for writing except stack expansion */
52330 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
52332 + unsigned long oldlimit, newlimit = 0UL;
52334 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
52337 + spin_lock(&mm->page_table_lock);
52338 + oldlimit = mm->context.user_cs_limit;
52339 + if ((prot & VM_EXEC) && oldlimit < end)
52340 + /* USER_CS limit moved up */
52342 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
52343 + /* USER_CS limit moved down */
52344 + newlimit = start;
52347 + mm->context.user_cs_limit = newlimit;
52351 + cpus_clear(mm->context.cpu_user_cs_mask);
52352 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
52355 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
52357 + spin_unlock(&mm->page_table_lock);
52358 + if (newlimit == end) {
52359 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
52361 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
52362 + if (is_vm_hugetlb_page(vma))
52363 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
52365 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
52371 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
52372 unsigned long start, unsigned long end, unsigned long newflags)
52373 @@ -143,11 +191,29 @@ mprotect_fixup(struct vm_area_struct *vm
52375 int dirty_accountable = 0;
52377 +#ifdef CONFIG_PAX_SEGMEXEC
52378 + struct vm_area_struct *vma_m = NULL;
52379 + unsigned long start_m, end_m;
52381 + start_m = start + SEGMEXEC_TASK_SIZE;
52382 + end_m = end + SEGMEXEC_TASK_SIZE;
52385 if (newflags == oldflags) {
52390 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
52391 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
52393 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
52396 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
52401 * If we make a private mapping writable we increase our commit;
52402 * but (without finer accounting) cannot reduce our commit if we
52403 @@ -164,6 +230,42 @@ mprotect_fixup(struct vm_area_struct *vm
52407 +#ifdef CONFIG_PAX_SEGMEXEC
52408 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
52409 + if (start != vma->vm_start) {
52410 + error = split_vma(mm, vma, start, 1);
52413 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
52414 + *pprev = (*pprev)->vm_next;
52417 + if (end != vma->vm_end) {
52418 + error = split_vma(mm, vma, end, 0);
52423 + if (pax_find_mirror_vma(vma)) {
52424 + error = __do_munmap(mm, start_m, end_m - start_m);
52428 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52433 + vma->vm_flags = newflags;
52434 + error = pax_mirror_vma(vma_m, vma);
52436 + vma->vm_flags = oldflags;
52444 * First try to merge with previous and/or next vma.
52446 @@ -194,9 +296,21 @@ success:
52447 * vm_flags and vm_page_prot are protected by the mmap_sem
52448 * held in write mode.
52451 +#ifdef CONFIG_PAX_SEGMEXEC
52452 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
52453 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
52456 vma->vm_flags = newflags;
52458 +#ifdef CONFIG_PAX_MPROTECT
52459 + if (mm->binfmt && mm->binfmt->handle_mprotect)
52460 + mm->binfmt->handle_mprotect(vma, newflags);
52463 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
52464 - vm_get_page_prot(newflags));
52465 + vm_get_page_prot(vma->vm_flags));
52467 if (vma_wants_writenotify(vma)) {
52468 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
52469 @@ -237,6 +351,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52474 +#ifdef CONFIG_PAX_SEGMEXEC
52475 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
52476 + if (end > SEGMEXEC_TASK_SIZE)
52481 + if (end > TASK_SIZE)
52484 if (!arch_validate_prot(prot))
52487 @@ -244,7 +369,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52489 * Does the application expect PROT_READ to imply PROT_EXEC:
52491 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
52492 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
52495 vm_flags = calc_vm_prot_bits(prot);
52496 @@ -276,6 +401,16 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52497 if (start > vma->vm_start)
52500 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
52505 +#ifdef CONFIG_PAX_MPROTECT
52506 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
52507 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
52510 for (nstart = start ; ; ) {
52511 unsigned long newflags;
52513 @@ -300,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52516 perf_event_mmap(vma);
52518 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
52522 if (nstart < prev->vm_end)
52523 diff -urNp linux-2.6.35.4/mm/mremap.c linux-2.6.35.4/mm/mremap.c
52524 --- linux-2.6.35.4/mm/mremap.c 2010-08-26 19:47:12.000000000 -0400
52525 +++ linux-2.6.35.4/mm/mremap.c 2010-09-17 20:12:09.000000000 -0400
52526 @@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
52528 pte = ptep_clear_flush(vma, old_addr, old_pte);
52529 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
52531 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52532 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
52533 + pte = pte_exprotect(pte);
52536 set_pte_at(mm, new_addr, new_pte, pte);
52539 @@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
52540 if (is_vm_hugetlb_page(vma))
52543 +#ifdef CONFIG_PAX_SEGMEXEC
52544 + if (pax_find_mirror_vma(vma))
52548 /* We can't remap across vm area boundaries */
52549 if (old_len > vma->vm_end - addr)
52551 @@ -321,20 +332,23 @@ static unsigned long mremap_to(unsigned
52552 unsigned long ret = -EINVAL;
52553 unsigned long charged = 0;
52554 unsigned long map_flags;
52555 + unsigned long pax_task_size = TASK_SIZE;
52557 if (new_addr & ~PAGE_MASK)
52560 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
52561 +#ifdef CONFIG_PAX_SEGMEXEC
52562 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
52563 + pax_task_size = SEGMEXEC_TASK_SIZE;
52566 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
52569 /* Check if the location we're moving into overlaps the
52570 * old location at all, and fail if it does.
52572 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
52575 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
52576 + if (addr + old_len > new_addr && new_addr + new_len > addr)
52579 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
52580 @@ -406,6 +420,7 @@ unsigned long do_mremap(unsigned long ad
52581 struct vm_area_struct *vma;
52582 unsigned long ret = -EINVAL;
52583 unsigned long charged = 0;
52584 + unsigned long pax_task_size = TASK_SIZE;
52586 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
52588 @@ -424,6 +439,15 @@ unsigned long do_mremap(unsigned long ad
52592 +#ifdef CONFIG_PAX_SEGMEXEC
52593 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
52594 + pax_task_size = SEGMEXEC_TASK_SIZE;
52597 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
52598 + old_len > pax_task_size || addr > pax_task_size-old_len)
52601 if (flags & MREMAP_FIXED) {
52602 if (flags & MREMAP_MAYMOVE)
52603 ret = mremap_to(addr, old_len, new_addr, new_len);
52604 @@ -473,6 +497,7 @@ unsigned long do_mremap(unsigned long ad
52608 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
52612 @@ -499,7 +524,13 @@ unsigned long do_mremap(unsigned long ad
52613 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
52617 + map_flags = vma->vm_flags;
52618 ret = move_vma(vma, addr, old_len, new_len, new_addr);
52619 + if (!(ret & ~PAGE_MASK)) {
52620 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
52621 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
52625 if (ret & ~PAGE_MASK)
52626 diff -urNp linux-2.6.35.4/mm/nommu.c linux-2.6.35.4/mm/nommu.c
52627 --- linux-2.6.35.4/mm/nommu.c 2010-08-26 19:47:12.000000000 -0400
52628 +++ linux-2.6.35.4/mm/nommu.c 2010-09-17 20:12:09.000000000 -0400
52629 @@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
52630 int sysctl_overcommit_ratio = 50; /* default is 50% */
52631 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
52632 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
52633 -int heap_stack_gap = 0;
52635 atomic_long_t mmap_pages_allocated;
52637 @@ -762,15 +761,6 @@ struct vm_area_struct *find_vma(struct m
52638 EXPORT_SYMBOL(find_vma);
52642 - * - we don't extend stack VMAs under NOMMU conditions
52644 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
52646 - return find_vma(mm, addr);
52650 * expand a stack to a given address
52651 * - not supported under NOMMU conditions
52653 @@ -1491,6 +1481,7 @@ int split_vma(struct mm_struct *mm, stru
52655 /* most fields are the same, copy all, and then fixup */
52657 + INIT_LIST_HEAD(&new->anon_vma_chain);
52658 *region = *vma->vm_region;
52659 new->vm_region = region;
52661 diff -urNp linux-2.6.35.4/mm/page_alloc.c linux-2.6.35.4/mm/page_alloc.c
52662 --- linux-2.6.35.4/mm/page_alloc.c 2010-08-26 19:47:12.000000000 -0400
52663 +++ linux-2.6.35.4/mm/page_alloc.c 2010-09-17 20:12:09.000000000 -0400
52664 @@ -641,6 +641,10 @@ static bool free_pages_prepare(struct pa
52668 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
52669 + unsigned long index = 1UL << order;
52672 trace_mm_page_free_direct(page, order);
52673 kmemcheck_free_shadow(page, order);
52675 @@ -659,6 +663,12 @@ static bool free_pages_prepare(struct pa
52676 debug_check_no_obj_freed(page_address(page),
52677 PAGE_SIZE << order);
52680 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
52681 + for (; index; --index)
52682 + sanitize_highpage(page + index - 1);
52685 arch_free_page(page, order);
52686 kernel_map_pages(page, 1 << order, 0);
52688 @@ -773,8 +783,10 @@ static int prep_new_page(struct page *pa
52689 arch_alloc_page(page, order);
52690 kernel_map_pages(page, 1 << order, 1);
52692 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
52693 if (gfp_flags & __GFP_ZERO)
52694 prep_zero_page(page, order, gfp_flags);
52697 if (order && (gfp_flags & __GFP_COMP))
52698 prep_compound_page(page, order);
52699 @@ -3973,7 +3985,7 @@ static void __init setup_usemap(struct p
52700 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
52703 -static void inline setup_usemap(struct pglist_data *pgdat,
52704 +static inline void setup_usemap(struct pglist_data *pgdat,
52705 struct zone *zone, unsigned long zonesize) {}
52706 #endif /* CONFIG_SPARSEMEM */
52708 diff -urNp linux-2.6.35.4/mm/percpu.c linux-2.6.35.4/mm/percpu.c
52709 --- linux-2.6.35.4/mm/percpu.c 2010-08-26 19:47:12.000000000 -0400
52710 +++ linux-2.6.35.4/mm/percpu.c 2010-09-17 20:12:09.000000000 -0400
52711 @@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
52712 static unsigned int pcpu_last_unit_cpu __read_mostly;
52714 /* the address of the first chunk which starts with the kernel static area */
52715 -void *pcpu_base_addr __read_mostly;
52716 +void *pcpu_base_addr __read_only;
52717 EXPORT_SYMBOL_GPL(pcpu_base_addr);
52719 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
52720 diff -urNp linux-2.6.35.4/mm/rmap.c linux-2.6.35.4/mm/rmap.c
52721 --- linux-2.6.35.4/mm/rmap.c 2010-08-26 19:47:12.000000000 -0400
52722 +++ linux-2.6.35.4/mm/rmap.c 2010-09-17 20:12:09.000000000 -0400
52723 @@ -116,6 +116,10 @@ int anon_vma_prepare(struct vm_area_stru
52724 struct anon_vma *anon_vma = vma->anon_vma;
52725 struct anon_vma_chain *avc;
52727 +#ifdef CONFIG_PAX_SEGMEXEC
52728 + struct anon_vma_chain *avc_m = NULL;
52732 if (unlikely(!anon_vma)) {
52733 struct mm_struct *mm = vma->vm_mm;
52734 @@ -125,6 +129,12 @@ int anon_vma_prepare(struct vm_area_stru
52738 +#ifdef CONFIG_PAX_SEGMEXEC
52739 + avc_m = anon_vma_chain_alloc();
52741 + goto out_enomem_free_avc;
52744 anon_vma = find_mergeable_anon_vma(vma);
52747 @@ -138,6 +148,21 @@ int anon_vma_prepare(struct vm_area_stru
52748 /* page_table_lock to protect against threads */
52749 spin_lock(&mm->page_table_lock);
52750 if (likely(!vma->anon_vma)) {
52752 +#ifdef CONFIG_PAX_SEGMEXEC
52753 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
52756 + BUG_ON(vma_m->anon_vma);
52757 + vma_m->anon_vma = anon_vma;
52758 + avc_m->anon_vma = anon_vma;
52759 + avc_m->vma = vma;
52760 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
52761 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
52766 vma->anon_vma = anon_vma;
52767 avc->anon_vma = anon_vma;
52769 @@ -151,12 +176,24 @@ int anon_vma_prepare(struct vm_area_stru
52771 if (unlikely(allocated))
52772 anon_vma_free(allocated);
52774 +#ifdef CONFIG_PAX_SEGMEXEC
52775 + if (unlikely(avc_m))
52776 + anon_vma_chain_free(avc_m);
52780 anon_vma_chain_free(avc);
52784 out_enomem_free_avc:
52786 +#ifdef CONFIG_PAX_SEGMEXEC
52788 + anon_vma_chain_free(avc_m);
52791 anon_vma_chain_free(avc);
52794 @@ -179,7 +216,7 @@ static void anon_vma_chain_link(struct v
52795 * Attach the anon_vmas from src to dst.
52796 * Returns 0 on success, -ENOMEM on failure.
52798 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
52799 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
52801 struct anon_vma_chain *avc, *pavc;
52803 @@ -201,7 +238,7 @@ int anon_vma_clone(struct vm_area_struct
52804 * the corresponding VMA in the parent process is attached to.
52805 * Returns 0 on success, non-zero on failure.
52807 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
52808 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
52810 struct anon_vma_chain *avc;
52811 struct anon_vma *anon_vma;
52812 diff -urNp linux-2.6.35.4/mm/shmem.c linux-2.6.35.4/mm/shmem.c
52813 --- linux-2.6.35.4/mm/shmem.c 2010-08-26 19:47:12.000000000 -0400
52814 +++ linux-2.6.35.4/mm/shmem.c 2010-09-17 20:12:37.000000000 -0400
52816 #include <linux/module.h>
52817 #include <linux/swap.h>
52819 -static struct vfsmount *shm_mnt;
52820 +struct vfsmount *shm_mnt;
52822 #ifdef CONFIG_SHMEM
52824 diff -urNp linux-2.6.35.4/mm/slab.c linux-2.6.35.4/mm/slab.c
52825 --- linux-2.6.35.4/mm/slab.c 2010-08-26 19:47:12.000000000 -0400
52826 +++ linux-2.6.35.4/mm/slab.c 2010-09-17 20:12:37.000000000 -0400
52827 @@ -285,7 +285,7 @@ struct kmem_list3 {
52828 * Need this for bootstrapping a per node allocator.
52830 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
52831 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
52832 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
52833 #define CACHE_CACHE 0
52834 #define SIZE_AC MAX_NUMNODES
52835 #define SIZE_L3 (2 * MAX_NUMNODES)
52836 @@ -535,7 +535,7 @@ static inline void *index_to_obj(struct
52837 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
52839 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
52840 - const struct slab *slab, void *obj)
52841 + const struct slab *slab, const void *obj)
52843 u32 offset = (obj - slab->s_mem);
52844 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
52845 @@ -561,14 +561,14 @@ struct cache_names {
52846 static struct cache_names __initdata cache_names[] = {
52847 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
52848 #include <linux/kmalloc_sizes.h>
52854 static struct arraycache_init initarray_cache __initdata =
52855 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
52856 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
52857 static struct arraycache_init initarray_generic =
52858 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
52859 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
52861 /* internal cache of cache description objs */
52862 static struct kmem_cache cache_cache = {
52863 @@ -4558,15 +4558,66 @@ static const struct file_operations proc
52865 static int __init slab_proc_init(void)
52867 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
52868 + mode_t gr_mode = S_IRUGO;
52870 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
52871 + gr_mode = S_IRUSR;
52874 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
52875 #ifdef CONFIG_DEBUG_SLAB_LEAK
52876 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
52877 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
52881 module_init(slab_proc_init);
52884 +void check_object_size(const void *ptr, unsigned long n, bool to)
52887 +#ifdef CONFIG_PAX_USERCOPY
52888 + struct kmem_cache *cachep;
52889 + struct slab *slabp;
52890 + struct page *page;
52891 + unsigned int objnr;
52892 + unsigned long offset;
52897 + if (ZERO_OR_NULL_PTR(ptr))
52900 + if (!virt_addr_valid(ptr))
52903 + page = virt_to_head_page(ptr);
52905 + if (!PageSlab(page)) {
52906 + if (object_is_on_stack(ptr, n) == -1)
52911 + cachep = page_get_cache(page);
52912 + slabp = page_get_slab(page);
52913 + objnr = obj_to_index(cachep, slabp, ptr);
52914 + BUG_ON(objnr >= cachep->num);
52915 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
52916 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
52921 + pax_report_leak_to_user(ptr, n);
52923 + pax_report_overflow_from_user(ptr, n);
52927 +EXPORT_SYMBOL(check_object_size);
52930 * ksize - get the actual amount of memory allocated for a given object
52931 * @objp: Pointer to the object
52932 diff -urNp linux-2.6.35.4/mm/slob.c linux-2.6.35.4/mm/slob.c
52933 --- linux-2.6.35.4/mm/slob.c 2010-08-26 19:47:12.000000000 -0400
52934 +++ linux-2.6.35.4/mm/slob.c 2010-09-17 20:12:09.000000000 -0400
52936 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
52937 * alloc_pages() directly, allocating compound pages so the page order
52938 * does not have to be separately tracked, and also stores the exact
52939 - * allocation size in page->private so that it can be used to accurately
52940 + * allocation size in slob_page->size so that it can be used to accurately
52941 * provide ksize(). These objects are detected in kfree() because slob_page()
52942 * is false for them.
52947 #include <linux/kernel.h>
52948 +#include <linux/sched.h>
52949 #include <linux/slab.h>
52950 #include <linux/mm.h>
52951 #include <linux/swap.h> /* struct reclaim_state */
52952 @@ -100,7 +101,8 @@ struct slob_page {
52953 unsigned long flags; /* mandatory */
52954 atomic_t _count; /* mandatory */
52955 slobidx_t units; /* free units left in page */
52956 - unsigned long pad[2];
52957 + unsigned long pad[1];
52958 + unsigned long size; /* size when >=PAGE_SIZE */
52959 slob_t *free; /* first free slob_t in page */
52960 struct list_head list; /* linked list of free pages */
52962 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
52964 static inline int is_slob_page(struct slob_page *sp)
52966 - return PageSlab((struct page *)sp);
52967 + return PageSlab((struct page *)sp) && !sp->size;
52970 static inline void set_slob_page(struct slob_page *sp)
52971 @@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
52973 static inline struct slob_page *slob_page(const void *addr)
52975 - return (struct slob_page *)virt_to_page(addr);
52976 + return (struct slob_page *)virt_to_head_page(addr);
52980 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
52982 * Return the size of a slob block.
52984 -static slobidx_t slob_units(slob_t *s)
52985 +static slobidx_t slob_units(const slob_t *s)
52989 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
52991 * Return the next free slob block pointer after this one.
52993 -static slob_t *slob_next(slob_t *s)
52994 +static slob_t *slob_next(const slob_t *s)
52996 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
52998 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
53000 * Returns true if s is the last free block in its page.
53002 -static int slob_last(slob_t *s)
53003 +static int slob_last(const slob_t *s)
53005 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
53007 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
53011 + set_slob_page(page);
53012 return page_address(page);
53015 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
53019 - set_slob_page(sp);
53021 spin_lock_irqsave(&slob_lock, flags);
53022 sp->units = SLOB_UNITS(PAGE_SIZE);
53025 INIT_LIST_HEAD(&sp->list);
53026 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
53027 set_slob_page_free(sp, slob_list);
53028 @@ -467,10 +470,9 @@ out:
53029 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
53032 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
53033 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
53036 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53040 lockdep_trace_alloc(gfp);
53041 @@ -483,7 +485,10 @@ void *__kmalloc_node(size_t size, gfp_t
53046 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
53047 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
53048 + m[0].units = size;
53049 + m[1].units = align;
53050 ret = (void *)m + align;
53052 trace_kmalloc_node(_RET_IP_, ret,
53053 @@ -493,9 +498,9 @@ void *__kmalloc_node(size_t size, gfp_t
53055 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
53057 - struct page *page;
53058 - page = virt_to_page(ret);
53059 - page->private = size;
53060 + struct slob_page *sp;
53061 + sp = slob_page(ret);
53065 trace_kmalloc_node(_RET_IP_, ret,
53066 @@ -505,6 +510,13 @@ void *__kmalloc_node(size_t size, gfp_t
53067 kmemleak_alloc(ret, size, 1, gfp);
53071 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
53073 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53075 + return __kmalloc_node_align(size, gfp, node, align);
53077 EXPORT_SYMBOL(__kmalloc_node);
53079 void kfree(const void *block)
53080 @@ -520,13 +532,84 @@ void kfree(const void *block)
53081 sp = slob_page(block);
53082 if (is_slob_page(sp)) {
53083 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53084 - unsigned int *m = (unsigned int *)(block - align);
53085 - slob_free(m, *m + align);
53087 + slob_t *m = (slob_t *)(block - align);
53088 + slob_free(m, m[0].units + align);
53090 + clear_slob_page(sp);
53091 + free_slob_page(sp);
53093 put_page(&sp->page);
53096 EXPORT_SYMBOL(kfree);
53098 +void check_object_size(const void *ptr, unsigned long n, bool to)
53101 +#ifdef CONFIG_PAX_USERCOPY
53102 + struct slob_page *sp;
53103 + const slob_t *free;
53104 + const void *base;
53109 + if (ZERO_OR_NULL_PTR(ptr))
53112 + if (!virt_addr_valid(ptr))
53115 + sp = slob_page(ptr);
53116 + if (!PageSlab((struct page*)sp)) {
53117 + if (object_is_on_stack(ptr, n) == -1)
53123 + base = page_address(&sp->page);
53124 + if (base <= ptr && n <= sp->size - (ptr - base))
53129 + /* some tricky double walking to find the chunk */
53130 + base = (void *)((unsigned long)ptr & PAGE_MASK);
53133 + while (!slob_last(free) && (void *)free <= ptr) {
53134 + base = free + slob_units(free);
53135 + free = slob_next(free);
53138 + while (base < (void *)free) {
53139 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
53140 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
53143 + if (ptr < base + align)
53146 + offset = ptr - base - align;
53147 + if (offset < m) {
53148 + if (n <= m - offset)
53157 + pax_report_leak_to_user(ptr, n);
53159 + pax_report_overflow_from_user(ptr, n);
53163 +EXPORT_SYMBOL(check_object_size);
53165 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
53166 size_t ksize(const void *block)
53168 @@ -539,10 +622,10 @@ size_t ksize(const void *block)
53169 sp = slob_page(block);
53170 if (is_slob_page(sp)) {
53171 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53172 - unsigned int *m = (unsigned int *)(block - align);
53173 - return SLOB_UNITS(*m) * SLOB_UNIT;
53174 + slob_t *m = (slob_t *)(block - align);
53175 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
53177 - return sp->page.private;
53180 EXPORT_SYMBOL(ksize);
53182 @@ -597,17 +680,25 @@ void *kmem_cache_alloc_node(struct kmem_
53186 +#ifdef CONFIG_PAX_USERCOPY
53187 + b = __kmalloc_node_align(c->size, flags, node, c->align);
53189 if (c->size < PAGE_SIZE) {
53190 b = slob_alloc(c->size, flags, c->align, node);
53191 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
53192 SLOB_UNITS(c->size) * SLOB_UNIT,
53195 + struct slob_page *sp;
53197 b = slob_new_pages(flags, get_order(c->size), node);
53198 + sp = slob_page(b);
53199 + sp->size = c->size;
53200 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
53201 PAGE_SIZE << get_order(c->size),
53208 @@ -619,10 +710,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
53210 static void __kmem_cache_free(void *b, int size)
53212 - if (size < PAGE_SIZE)
53213 + struct slob_page *sp = slob_page(b);
53215 + if (is_slob_page(sp))
53216 slob_free(b, size);
53219 + clear_slob_page(sp);
53220 + free_slob_page(sp);
53222 slob_free_pages(b, get_order(size));
53226 static void kmem_rcu_free(struct rcu_head *head)
53227 @@ -635,15 +732,24 @@ static void kmem_rcu_free(struct rcu_hea
53229 void kmem_cache_free(struct kmem_cache *c, void *b)
53231 + int size = c->size;
53233 +#ifdef CONFIG_PAX_USERCOPY
53234 + if (size + c->align < PAGE_SIZE) {
53235 + size += c->align;
53240 kmemleak_free_recursive(b, c->flags);
53241 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
53242 struct slob_rcu *slob_rcu;
53243 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
53244 + slob_rcu = b + (size - sizeof(struct slob_rcu));
53245 INIT_RCU_HEAD(&slob_rcu->head);
53246 - slob_rcu->size = c->size;
53247 + slob_rcu->size = size;
53248 call_rcu(&slob_rcu->head, kmem_rcu_free);
53250 - __kmem_cache_free(b, c->size);
53251 + __kmem_cache_free(b, size);
53254 trace_kmem_cache_free(_RET_IP_, b);
53255 diff -urNp linux-2.6.35.4/mm/slub.c linux-2.6.35.4/mm/slub.c
53256 --- linux-2.6.35.4/mm/slub.c 2010-08-26 19:47:12.000000000 -0400
53257 +++ linux-2.6.35.4/mm/slub.c 2010-09-17 20:12:37.000000000 -0400
53258 @@ -1873,6 +1873,8 @@ void kmem_cache_free(struct kmem_cache *
53260 page = virt_to_head_page(x);
53262 + BUG_ON(!PageSlab(page));
53264 slab_free(s, page, x, _RET_IP_);
53266 trace_kmem_cache_free(_RET_IP_, x);
53267 @@ -1917,7 +1919,7 @@ static int slub_min_objects;
53268 * Merge control. If this is set then no merging of slab caches will occur.
53269 * (Could be removed. This was introduced to pacify the merge skeptics.)
53271 -static int slub_nomerge;
53272 +static int slub_nomerge = 1;
53275 * Calculate the order of allocation given an slab object size.
53276 @@ -2344,7 +2346,7 @@ static int kmem_cache_open(struct kmem_c
53277 * list to avoid pounding the page allocator excessively.
53279 set_min_partial(s, ilog2(s->size));
53281 + atomic_set(&s->refcount, 1);
53283 s->remote_node_defrag_ratio = 1000;
53285 @@ -2487,8 +2489,7 @@ static inline int kmem_cache_close(struc
53286 void kmem_cache_destroy(struct kmem_cache *s)
53288 down_write(&slub_lock);
53290 - if (!s->refcount) {
53291 + if (atomic_dec_and_test(&s->refcount)) {
53292 list_del(&s->list);
53293 up_write(&slub_lock);
53294 if (kmem_cache_close(s)) {
53295 @@ -2780,6 +2781,46 @@ void *__kmalloc_node(size_t size, gfp_t
53296 EXPORT_SYMBOL(__kmalloc_node);
53299 +void check_object_size(const void *ptr, unsigned long n, bool to)
53302 +#ifdef CONFIG_PAX_USERCOPY
53303 + struct page *page;
53304 + struct kmem_cache *s;
53305 + unsigned long offset;
53310 + if (ZERO_OR_NULL_PTR(ptr))
53313 + if (!virt_addr_valid(ptr))
53316 + page = get_object_page(ptr);
53319 + if (object_is_on_stack(ptr, n) == -1)
53325 + offset = (ptr - page_address(page)) % s->size;
53326 + if (offset <= s->objsize && n <= s->objsize - offset)
53331 + pax_report_leak_to_user(ptr, n);
53333 + pax_report_overflow_from_user(ptr, n);
53337 +EXPORT_SYMBOL(check_object_size);
53339 size_t ksize(const void *object)
53342 @@ -3049,7 +3090,7 @@ void __init kmem_cache_init(void)
53344 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
53345 sizeof(struct kmem_cache_node), GFP_NOWAIT);
53346 - kmalloc_caches[0].refcount = -1;
53347 + atomic_set(&kmalloc_caches[0].refcount, -1);
53350 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
53351 @@ -3158,7 +3199,7 @@ static int slab_unmergeable(struct kmem_
53353 * We may have set a slab to be unmergeable during bootstrap.
53355 - if (s->refcount < 0)
53356 + if (atomic_read(&s->refcount) < 0)
53360 @@ -3216,7 +3257,7 @@ struct kmem_cache *kmem_cache_create(con
53361 down_write(&slub_lock);
53362 s = find_mergeable(size, align, flags, name, ctor);
53365 + atomic_inc(&s->refcount);
53367 * Adjust the object sizes so that we clear
53368 * the complete object on kzalloc.
53369 @@ -3227,7 +3268,7 @@ struct kmem_cache *kmem_cache_create(con
53371 if (sysfs_slab_alias(s, name)) {
53372 down_write(&slub_lock);
53374 + atomic_dec(&s->refcount);
53375 up_write(&slub_lock);
53378 @@ -3953,7 +3994,7 @@ SLAB_ATTR_RO(ctor);
53380 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
53382 - return sprintf(buf, "%d\n", s->refcount - 1);
53383 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
53385 SLAB_ATTR_RO(aliases);
53387 @@ -4674,7 +4715,13 @@ static const struct file_operations proc
53389 static int __init slab_proc_init(void)
53391 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
53392 + mode_t gr_mode = S_IRUGO;
53394 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53395 + gr_mode = S_IRUSR;
53398 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
53401 module_init(slab_proc_init);
53402 diff -urNp linux-2.6.35.4/mm/util.c linux-2.6.35.4/mm/util.c
53403 --- linux-2.6.35.4/mm/util.c 2010-08-26 19:47:12.000000000 -0400
53404 +++ linux-2.6.35.4/mm/util.c 2010-09-17 20:12:09.000000000 -0400
53405 @@ -245,6 +245,12 @@ EXPORT_SYMBOL(strndup_user);
53406 void arch_pick_mmap_layout(struct mm_struct *mm)
53408 mm->mmap_base = TASK_UNMAPPED_BASE;
53410 +#ifdef CONFIG_PAX_RANDMMAP
53411 + if (mm->pax_flags & MF_PAX_RANDMMAP)
53412 + mm->mmap_base += mm->delta_mmap;
53415 mm->get_unmapped_area = arch_get_unmapped_area;
53416 mm->unmap_area = arch_unmap_area;
53418 diff -urNp linux-2.6.35.4/mm/vmalloc.c linux-2.6.35.4/mm/vmalloc.c
53419 --- linux-2.6.35.4/mm/vmalloc.c 2010-08-26 19:47:12.000000000 -0400
53420 +++ linux-2.6.35.4/mm/vmalloc.c 2010-09-17 20:12:09.000000000 -0400
53421 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
53423 pte = pte_offset_kernel(pmd, addr);
53425 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
53426 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
53428 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53429 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
53430 + BUG_ON(!pte_exec(*pte));
53431 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
53437 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
53438 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
53440 } while (pte++, addr += PAGE_SIZE, addr != end);
53443 @@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
53444 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
53447 + int ret = -ENOMEM;
53450 * nr is a running index into the array which helps higher level
53451 @@ -101,17 +113,30 @@ static int vmap_pte_range(pmd_t *pmd, un
53452 pte = pte_alloc_kernel(pmd, addr);
53456 + pax_open_kernel();
53458 struct page *page = pages[*nr];
53460 - if (WARN_ON(!pte_none(*pte)))
53462 - if (WARN_ON(!page))
53464 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53465 + if (pgprot_val(prot) & _PAGE_NX)
53468 + if (WARN_ON(!pte_none(*pte))) {
53472 + if (WARN_ON(!page)) {
53476 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
53478 } while (pte++, addr += PAGE_SIZE, addr != end);
53482 + pax_close_kernel();
53486 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
53487 @@ -192,11 +217,20 @@ int is_vmalloc_or_module_addr(const void
53488 * and fall back on vmalloc() if that fails. Others
53489 * just put it in the vmalloc space.
53491 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
53492 +#ifdef CONFIG_MODULES
53493 +#ifdef MODULES_VADDR
53494 unsigned long addr = (unsigned long)x;
53495 if (addr >= MODULES_VADDR && addr < MODULES_END)
53499 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53500 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
53506 return is_vmalloc_addr(x);
53509 @@ -217,8 +251,14 @@ struct page *vmalloc_to_page(const void
53511 if (!pgd_none(*pgd)) {
53512 pud_t *pud = pud_offset(pgd, addr);
53514 + if (!pud_large(*pud))
53516 if (!pud_none(*pud)) {
53517 pmd_t *pmd = pmd_offset(pud, addr);
53519 + if (!pmd_large(*pmd))
53521 if (!pmd_none(*pmd)) {
53524 @@ -292,13 +332,13 @@ static void __insert_vmap_area(struct vm
53525 struct rb_node *tmp;
53528 - struct vmap_area *tmp;
53529 + struct vmap_area *varea;
53532 - tmp = rb_entry(parent, struct vmap_area, rb_node);
53533 - if (va->va_start < tmp->va_end)
53534 + varea = rb_entry(parent, struct vmap_area, rb_node);
53535 + if (va->va_start < varea->va_end)
53536 p = &(*p)->rb_left;
53537 - else if (va->va_end > tmp->va_start)
53538 + else if (va->va_end > varea->va_start)
53539 p = &(*p)->rb_right;
53542 @@ -1224,6 +1264,16 @@ static struct vm_struct *__get_vm_area_n
53543 struct vm_struct *area;
53545 BUG_ON(in_interrupt());
53547 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
53548 + if (flags & VM_KERNEXEC) {
53549 + if (start != VMALLOC_START || end != VMALLOC_END)
53551 + start = (unsigned long)MODULES_EXEC_VADDR;
53552 + end = (unsigned long)MODULES_EXEC_END;
53556 if (flags & VM_IOREMAP) {
53557 int bit = fls(size);
53559 @@ -1449,6 +1499,11 @@ void *vmap(struct page **pages, unsigned
53560 if (count > totalram_pages)
53563 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
53564 + if (!(pgprot_val(prot) & _PAGE_NX))
53565 + flags |= VM_KERNEXEC;
53568 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
53569 __builtin_return_address(0));
53571 @@ -1558,6 +1613,13 @@ static void *__vmalloc_node(unsigned lon
53572 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
53575 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
53576 + if (!(pgprot_val(prot) & _PAGE_NX))
53577 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
53578 + node, gfp_mask, caller);
53582 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
53583 VMALLOC_END, node, gfp_mask, caller);
53585 @@ -1576,6 +1638,7 @@ static void *__vmalloc_node(unsigned lon
53590 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
53592 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
53593 @@ -1592,6 +1655,7 @@ EXPORT_SYMBOL(__vmalloc);
53594 * For tight control over page level allocator and protection flags
53595 * use __vmalloc() instead.
53598 void *vmalloc(unsigned long size)
53600 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
53601 @@ -1606,6 +1670,7 @@ EXPORT_SYMBOL(vmalloc);
53602 * The resulting memory area is zeroed so it can be mapped to userspace
53603 * without leaking data.
53605 +#undef vmalloc_user
53606 void *vmalloc_user(unsigned long size)
53608 struct vm_struct *area;
53609 @@ -1633,6 +1698,7 @@ EXPORT_SYMBOL(vmalloc_user);
53610 * For tight control over page level allocator and protection flags
53611 * use __vmalloc() instead.
53613 +#undef vmalloc_node
53614 void *vmalloc_node(unsigned long size, int node)
53616 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
53617 @@ -1655,10 +1721,10 @@ EXPORT_SYMBOL(vmalloc_node);
53618 * For tight control over page level allocator and protection flags
53619 * use __vmalloc() instead.
53622 +#undef vmalloc_exec
53623 void *vmalloc_exec(unsigned long size)
53625 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
53626 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
53627 -1, __builtin_return_address(0));
53630 @@ -1677,6 +1743,7 @@ void *vmalloc_exec(unsigned long size)
53631 * Allocate enough 32bit PA addressable pages to cover @size from the
53632 * page level allocator and map them into contiguous kernel virtual space.
53635 void *vmalloc_32(unsigned long size)
53637 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
53638 @@ -1691,6 +1758,7 @@ EXPORT_SYMBOL(vmalloc_32);
53639 * The resulting memory area is 32bit addressable and zeroed so it can be
53640 * mapped to userspace without leaking data.
53642 +#undef vmalloc_32_user
53643 void *vmalloc_32_user(unsigned long size)
53645 struct vm_struct *area;
53646 diff -urNp linux-2.6.35.4/mm/vmstat.c linux-2.6.35.4/mm/vmstat.c
53647 --- linux-2.6.35.4/mm/vmstat.c 2010-08-26 19:47:12.000000000 -0400
53648 +++ linux-2.6.35.4/mm/vmstat.c 2010-09-17 20:12:37.000000000 -0400
53649 @@ -76,7 +76,7 @@ void vm_events_fold_cpu(int cpu)
53651 * vm_stat contains the global counters
53653 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
53654 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
53655 EXPORT_SYMBOL(vm_stat);
53658 @@ -315,7 +315,7 @@ void refresh_cpu_vm_stats(int cpu)
53659 v = p->vm_stat_diff[i];
53660 p->vm_stat_diff[i] = 0;
53661 local_irq_restore(flags);
53662 - atomic_long_add(v, &zone->vm_stat[i]);
53663 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
53664 global_diff[i] += v;
53666 /* 3 seconds idle till flush */
53667 @@ -353,7 +353,7 @@ void refresh_cpu_vm_stats(int cpu)
53669 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
53670 if (global_diff[i])
53671 - atomic_long_add(global_diff[i], &vm_stat[i]);
53672 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
53676 @@ -1038,10 +1038,16 @@ static int __init setup_vmstat(void)
53677 start_cpu_timer(cpu);
53679 #ifdef CONFIG_PROC_FS
53680 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
53681 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
53682 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
53683 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
53685 + mode_t gr_mode = S_IRUGO;
53686 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53687 + gr_mode = S_IRUSR;
53689 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
53690 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
53691 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
53692 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
53697 diff -urNp linux-2.6.35.4/net/8021q/vlan.c linux-2.6.35.4/net/8021q/vlan.c
53698 --- linux-2.6.35.4/net/8021q/vlan.c 2010-08-26 19:47:12.000000000 -0400
53699 +++ linux-2.6.35.4/net/8021q/vlan.c 2010-09-17 20:12:09.000000000 -0400
53700 @@ -618,8 +618,7 @@ static int vlan_ioctl_handler(struct net
53702 if (!capable(CAP_NET_ADMIN))
53704 - if ((args.u.name_type >= 0) &&
53705 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
53706 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
53707 struct vlan_net *vn;
53709 vn = net_generic(net, vlan_net_id);
53710 diff -urNp linux-2.6.35.4/net/atm/atm_misc.c linux-2.6.35.4/net/atm/atm_misc.c
53711 --- linux-2.6.35.4/net/atm/atm_misc.c 2010-08-26 19:47:12.000000000 -0400
53712 +++ linux-2.6.35.4/net/atm/atm_misc.c 2010-09-17 20:12:09.000000000 -0400
53713 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
53714 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
53716 atm_return(vcc, truesize);
53717 - atomic_inc(&vcc->stats->rx_drop);
53718 + atomic_inc_unchecked(&vcc->stats->rx_drop);
53721 EXPORT_SYMBOL(atm_charge);
53722 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
53725 atm_return(vcc, guess);
53726 - atomic_inc(&vcc->stats->rx_drop);
53727 + atomic_inc_unchecked(&vcc->stats->rx_drop);
53730 EXPORT_SYMBOL(atm_alloc_charge);
53731 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
53733 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
53735 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
53736 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
53738 #undef __HANDLE_ITEM
53740 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
53742 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
53744 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
53745 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
53747 #undef __HANDLE_ITEM
53749 diff -urNp linux-2.6.35.4/net/atm/proc.c linux-2.6.35.4/net/atm/proc.c
53750 --- linux-2.6.35.4/net/atm/proc.c 2010-08-26 19:47:12.000000000 -0400
53751 +++ linux-2.6.35.4/net/atm/proc.c 2010-09-17 20:12:37.000000000 -0400
53752 @@ -44,9 +44,9 @@ static void add_stats(struct seq_file *s
53753 const struct k_atm_aal_stats *stats)
53755 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
53756 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
53757 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
53758 - atomic_read(&stats->rx_drop));
53759 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
53760 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
53761 + atomic_read_unchecked(&stats->rx_drop));
53764 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
53765 @@ -190,7 +190,12 @@ static void vcc_info(struct seq_file *se
53767 struct sock *sk = sk_atm(vcc);
53769 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53770 + seq_printf(seq, "%p ", NULL);
53772 seq_printf(seq, "%p ", vcc);
53776 seq_printf(seq, "Unassigned ");
53778 diff -urNp linux-2.6.35.4/net/atm/resources.c linux-2.6.35.4/net/atm/resources.c
53779 --- linux-2.6.35.4/net/atm/resources.c 2010-08-26 19:47:12.000000000 -0400
53780 +++ linux-2.6.35.4/net/atm/resources.c 2010-09-17 20:12:09.000000000 -0400
53781 @@ -159,7 +159,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
53782 static void copy_aal_stats(struct k_atm_aal_stats *from,
53783 struct atm_aal_stats *to)
53785 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
53786 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
53788 #undef __HANDLE_ITEM
53790 @@ -167,7 +167,7 @@ static void copy_aal_stats(struct k_atm_
53791 static void subtract_aal_stats(struct k_atm_aal_stats *from,
53792 struct atm_aal_stats *to)
53794 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
53795 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
53797 #undef __HANDLE_ITEM
53799 diff -urNp linux-2.6.35.4/net/bridge/br_stp_if.c linux-2.6.35.4/net/bridge/br_stp_if.c
53800 --- linux-2.6.35.4/net/bridge/br_stp_if.c 2010-08-26 19:47:12.000000000 -0400
53801 +++ linux-2.6.35.4/net/bridge/br_stp_if.c 2010-09-17 20:12:09.000000000 -0400
53802 @@ -145,7 +145,7 @@ static void br_stp_stop(struct net_bridg
53803 char *envp[] = { NULL };
53805 if (br->stp_enabled == BR_USER_STP) {
53806 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
53807 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
53808 br_info(br, "userspace STP stopped, return code %d\n", r);
53810 /* To start timers on any ports left in blocking */
53811 diff -urNp linux-2.6.35.4/net/bridge/netfilter/ebtables.c linux-2.6.35.4/net/bridge/netfilter/ebtables.c
53812 --- linux-2.6.35.4/net/bridge/netfilter/ebtables.c 2010-08-26 19:47:12.000000000 -0400
53813 +++ linux-2.6.35.4/net/bridge/netfilter/ebtables.c 2010-09-17 20:12:09.000000000 -0400
53814 @@ -1501,7 +1501,7 @@ static int do_ebt_get_ctl(struct sock *s
53815 tmp.valid_hooks = t->table->valid_hooks;
53817 mutex_unlock(&ebt_mutex);
53818 - if (copy_to_user(user, &tmp, *len) != 0){
53819 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
53820 BUGPRINT("c2u Didn't work\n");
53823 diff -urNp linux-2.6.35.4/net/core/dev.c linux-2.6.35.4/net/core/dev.c
53824 --- linux-2.6.35.4/net/core/dev.c 2010-08-26 19:47:12.000000000 -0400
53825 +++ linux-2.6.35.4/net/core/dev.c 2010-09-17 20:12:09.000000000 -0400
53826 @@ -2541,7 +2541,7 @@ int netif_rx_ni(struct sk_buff *skb)
53828 EXPORT_SYMBOL(netif_rx_ni);
53830 -static void net_tx_action(struct softirq_action *h)
53831 +static void net_tx_action(void)
53833 struct softnet_data *sd = &__get_cpu_var(softnet_data);
53835 @@ -3474,7 +3474,7 @@ void netif_napi_del(struct napi_struct *
53837 EXPORT_SYMBOL(netif_napi_del);
53839 -static void net_rx_action(struct softirq_action *h)
53840 +static void net_rx_action(void)
53842 struct softnet_data *sd = &__get_cpu_var(softnet_data);
53843 unsigned long time_limit = jiffies + 2;
53844 diff -urNp linux-2.6.35.4/net/core/net-sysfs.c linux-2.6.35.4/net/core/net-sysfs.c
53845 --- linux-2.6.35.4/net/core/net-sysfs.c 2010-08-26 19:47:12.000000000 -0400
53846 +++ linux-2.6.35.4/net/core/net-sysfs.c 2010-09-17 20:12:09.000000000 -0400
53847 @@ -511,7 +511,7 @@ static ssize_t rx_queue_attr_store(struc
53848 return attribute->store(queue, attribute, buf, count);
53851 -static struct sysfs_ops rx_queue_sysfs_ops = {
53852 +static const struct sysfs_ops rx_queue_sysfs_ops = {
53853 .show = rx_queue_attr_show,
53854 .store = rx_queue_attr_store,
53856 diff -urNp linux-2.6.35.4/net/core/sock.c linux-2.6.35.4/net/core/sock.c
53857 --- linux-2.6.35.4/net/core/sock.c 2010-08-26 19:47:12.000000000 -0400
53858 +++ linux-2.6.35.4/net/core/sock.c 2010-09-17 20:12:09.000000000 -0400
53859 @@ -915,7 +915,7 @@ int sock_getsockopt(struct socket *sock,
53863 - if (copy_to_user(optval, address, len))
53864 + if (len > sizeof(address) || copy_to_user(optval, address, len))
53868 @@ -948,7 +948,7 @@ int sock_getsockopt(struct socket *sock,
53872 - if (copy_to_user(optval, &v, len))
53873 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
53876 if (put_user(len, optlen))
53877 diff -urNp linux-2.6.35.4/net/dccp/ccids/ccid3.c linux-2.6.35.4/net/dccp/ccids/ccid3.c
53878 --- linux-2.6.35.4/net/dccp/ccids/ccid3.c 2010-08-26 19:47:12.000000000 -0400
53879 +++ linux-2.6.35.4/net/dccp/ccids/ccid3.c 2010-09-17 20:12:09.000000000 -0400
53881 static int ccid3_debug;
53882 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
53884 -#define ccid3_pr_debug(format, a...)
53885 +#define ccid3_pr_debug(format, a...) do {} while (0)
53889 diff -urNp linux-2.6.35.4/net/dccp/dccp.h linux-2.6.35.4/net/dccp/dccp.h
53890 --- linux-2.6.35.4/net/dccp/dccp.h 2010-08-26 19:47:12.000000000 -0400
53891 +++ linux-2.6.35.4/net/dccp/dccp.h 2010-09-17 20:12:09.000000000 -0400
53892 @@ -44,9 +44,9 @@ extern int dccp_debug;
53893 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
53894 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
53896 -#define dccp_pr_debug(format, a...)
53897 -#define dccp_pr_debug_cat(format, a...)
53898 -#define dccp_debug(format, a...)
53899 +#define dccp_pr_debug(format, a...) do {} while (0)
53900 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
53901 +#define dccp_debug(format, a...) do {} while (0)
53904 extern struct inet_hashinfo dccp_hashinfo;
53905 diff -urNp linux-2.6.35.4/net/decnet/sysctl_net_decnet.c linux-2.6.35.4/net/decnet/sysctl_net_decnet.c
53906 --- linux-2.6.35.4/net/decnet/sysctl_net_decnet.c 2010-08-26 19:47:12.000000000 -0400
53907 +++ linux-2.6.35.4/net/decnet/sysctl_net_decnet.c 2010-09-17 20:12:37.000000000 -0400
53908 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
53910 if (len > *lenp) len = *lenp;
53912 - if (copy_to_user(buffer, addr, len))
53913 + if (len > sizeof(addr) || copy_to_user(buffer, addr, len))
53917 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
53919 if (len > *lenp) len = *lenp;
53921 - if (copy_to_user(buffer, devname, len))
53922 + if (len > sizeof(devname) || copy_to_user(buffer, devname, len))
53926 diff -urNp linux-2.6.35.4/net/ipv4/inet_hashtables.c linux-2.6.35.4/net/ipv4/inet_hashtables.c
53927 --- linux-2.6.35.4/net/ipv4/inet_hashtables.c 2010-08-26 19:47:12.000000000 -0400
53928 +++ linux-2.6.35.4/net/ipv4/inet_hashtables.c 2010-09-17 20:12:37.000000000 -0400
53929 @@ -18,11 +18,14 @@
53930 #include <linux/sched.h>
53931 #include <linux/slab.h>
53932 #include <linux/wait.h>
53933 +#include <linux/security.h>
53935 #include <net/inet_connection_sock.h>
53936 #include <net/inet_hashtables.h>
53937 #include <net/route.h>
53938 #include <net/ip.h>
53940 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
53943 * Allocate and initialize a new local port bind bucket.
53944 @@ -508,6 +511,8 @@ ok:
53945 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
53946 spin_unlock(&head->lock);
53948 + gr_update_task_in_ip_table(current, inet_sk(sk));
53951 inet_twsk_deschedule(tw, death_row);
53953 diff -urNp linux-2.6.35.4/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.35.4/net/ipv4/netfilter/nf_nat_snmp_basic.c
53954 --- linux-2.6.35.4/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-08-26 19:47:12.000000000 -0400
53955 +++ linux-2.6.35.4/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-09-17 20:12:09.000000000 -0400
53956 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
53960 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
53961 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
53962 if (*octets == NULL) {
53963 if (net_ratelimit())
53964 pr_notice("OOM in bsalg (%d)\n", __LINE__);
53965 diff -urNp linux-2.6.35.4/net/ipv4/tcp_ipv4.c linux-2.6.35.4/net/ipv4/tcp_ipv4.c
53966 --- linux-2.6.35.4/net/ipv4/tcp_ipv4.c 2010-08-26 19:47:12.000000000 -0400
53967 +++ linux-2.6.35.4/net/ipv4/tcp_ipv4.c 2010-09-17 20:12:37.000000000 -0400
53969 int sysctl_tcp_tw_reuse __read_mostly;
53970 int sysctl_tcp_low_latency __read_mostly;
53972 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
53973 +extern int grsec_enable_blackhole;
53976 #ifdef CONFIG_TCP_MD5SIG
53977 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
53978 @@ -1593,6 +1596,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
53982 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
53983 + if (!grsec_enable_blackhole)
53985 tcp_v4_send_reset(rsk, skb);
53988 @@ -1654,12 +1660,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
53989 TCP_SKB_CB(skb)->sacked = 0;
53991 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
53994 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
53997 goto no_tcp_socket;
54001 - if (sk->sk_state == TCP_TIME_WAIT)
54002 + if (sk->sk_state == TCP_TIME_WAIT) {
54003 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54009 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
54010 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
54011 @@ -1709,6 +1722,10 @@ no_tcp_socket:
54013 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
54015 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54016 + if (!grsec_enable_blackhole || (ret == 1 &&
54017 + (skb->dev->flags & IFF_LOOPBACK)))
54019 tcp_v4_send_reset(NULL, skb);
54022 @@ -2316,7 +2333,11 @@ static void get_openreq4(struct sock *sk
54023 0, /* non standard timer */
54024 0, /* open_requests have no inode */
54025 atomic_read(&sk->sk_refcnt),
54026 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54034 @@ -2366,7 +2387,12 @@ static void get_tcp4_sock(struct sock *s
54036 icsk->icsk_probes_out,
54038 - atomic_read(&sk->sk_refcnt), sk,
54039 + atomic_read(&sk->sk_refcnt),
54040 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54045 jiffies_to_clock_t(icsk->icsk_rto),
54046 jiffies_to_clock_t(icsk->icsk_ack.ato),
54047 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
54048 @@ -2394,7 +2420,13 @@ static void get_timewait4_sock(struct in
54049 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
54050 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
54051 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
54052 - atomic_read(&tw->tw_refcnt), tw, len);
54053 + atomic_read(&tw->tw_refcnt),
54054 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54063 diff -urNp linux-2.6.35.4/net/ipv4/tcp_minisocks.c linux-2.6.35.4/net/ipv4/tcp_minisocks.c
54064 --- linux-2.6.35.4/net/ipv4/tcp_minisocks.c 2010-08-26 19:47:12.000000000 -0400
54065 +++ linux-2.6.35.4/net/ipv4/tcp_minisocks.c 2010-09-17 20:12:37.000000000 -0400
54067 #include <net/inet_common.h>
54068 #include <net/xfrm.h>
54070 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54071 +extern int grsec_enable_blackhole;
54074 int sysctl_tcp_syncookies __read_mostly = 1;
54075 EXPORT_SYMBOL(sysctl_tcp_syncookies);
54077 @@ -700,6 +704,10 @@ listen_overflow:
54080 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
54082 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54083 + if (!grsec_enable_blackhole)
54085 if (!(flg & TCP_FLAG_RST))
54086 req->rsk_ops->send_reset(sk, skb);
54088 diff -urNp linux-2.6.35.4/net/ipv4/tcp_probe.c linux-2.6.35.4/net/ipv4/tcp_probe.c
54089 --- linux-2.6.35.4/net/ipv4/tcp_probe.c 2010-08-26 19:47:12.000000000 -0400
54090 +++ linux-2.6.35.4/net/ipv4/tcp_probe.c 2010-09-17 20:12:37.000000000 -0400
54091 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
54092 if (cnt + width >= len)
54095 - if (copy_to_user(buf + cnt, tbuf, width))
54096 + if (width > sizeof(tbuf) || copy_to_user(buf + cnt, tbuf, width))
54100 diff -urNp linux-2.6.35.4/net/ipv4/tcp_timer.c linux-2.6.35.4/net/ipv4/tcp_timer.c
54101 --- linux-2.6.35.4/net/ipv4/tcp_timer.c 2010-08-26 19:47:12.000000000 -0400
54102 +++ linux-2.6.35.4/net/ipv4/tcp_timer.c 2010-09-17 20:12:37.000000000 -0400
54104 #include <linux/gfp.h>
54105 #include <net/tcp.h>
54107 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54108 +extern int grsec_lastack_retries;
54111 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
54112 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
54113 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
54114 @@ -195,6 +199,13 @@ static int tcp_write_timeout(struct sock
54118 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54119 + if ((sk->sk_state == TCP_LAST_ACK) &&
54120 + (grsec_lastack_retries > 0) &&
54121 + (grsec_lastack_retries < retry_until))
54122 + retry_until = grsec_lastack_retries;
54125 if (retransmits_timed_out(sk, retry_until)) {
54126 /* Has it gone just too far? */
54128 diff -urNp linux-2.6.35.4/net/ipv4/udp.c linux-2.6.35.4/net/ipv4/udp.c
54129 --- linux-2.6.35.4/net/ipv4/udp.c 2010-08-26 19:47:12.000000000 -0400
54130 +++ linux-2.6.35.4/net/ipv4/udp.c 2010-09-17 20:12:37.000000000 -0400
54132 #include <linux/types.h>
54133 #include <linux/fcntl.h>
54134 #include <linux/module.h>
54135 +#include <linux/security.h>
54136 #include <linux/socket.h>
54137 #include <linux/sockios.h>
54138 #include <linux/igmp.h>
54139 @@ -107,6 +108,10 @@
54140 #include <net/xfrm.h>
54141 #include "udp_impl.h"
54143 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54144 +extern int grsec_enable_blackhole;
54147 struct udp_table udp_table __read_mostly;
54148 EXPORT_SYMBOL(udp_table);
54150 @@ -564,6 +569,9 @@ found:
54154 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
54155 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
54158 * This routine is called by the ICMP module when it gets some
54159 * sort of error condition. If err < 0 then the socket should
54160 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
54161 dport = usin->sin_port;
54165 + err = gr_search_udp_sendmsg(sk, usin);
54169 if (sk->sk_state != TCP_ESTABLISHED)
54170 return -EDESTADDRREQ;
54172 + err = gr_search_udp_sendmsg(sk, NULL);
54176 daddr = inet->inet_daddr;
54177 dport = inet->inet_dport;
54178 /* Open fast path for connected socket.
54179 @@ -1141,6 +1158,10 @@ try_again:
54183 + err = gr_search_udp_recvmsg(sk, skb);
54187 ulen = skb->len - sizeof(struct udphdr);
54190 @@ -1582,6 +1603,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
54193 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
54194 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54195 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
54197 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
54200 @@ -2007,7 +2031,12 @@ static void udp4_format_sock(struct sock
54201 sk_wmem_alloc_get(sp),
54202 sk_rmem_alloc_get(sp),
54203 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
54204 - atomic_read(&sp->sk_refcnt), sp,
54205 + atomic_read(&sp->sk_refcnt),
54206 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54211 atomic_read(&sp->sk_drops), len);
54214 diff -urNp linux-2.6.35.4/net/ipv6/exthdrs.c linux-2.6.35.4/net/ipv6/exthdrs.c
54215 --- linux-2.6.35.4/net/ipv6/exthdrs.c 2010-08-26 19:47:12.000000000 -0400
54216 +++ linux-2.6.35.4/net/ipv6/exthdrs.c 2010-09-17 20:12:09.000000000 -0400
54217 @@ -636,7 +636,7 @@ static struct tlvtype_proc tlvprochopopt
54218 .type = IPV6_TLV_JUMBO,
54219 .func = ipv6_hop_jumbo,
54225 int ipv6_parse_hopopts(struct sk_buff *skb)
54226 diff -urNp linux-2.6.35.4/net/ipv6/raw.c linux-2.6.35.4/net/ipv6/raw.c
54227 --- linux-2.6.35.4/net/ipv6/raw.c 2010-08-26 19:47:12.000000000 -0400
54228 +++ linux-2.6.35.4/net/ipv6/raw.c 2010-09-17 20:12:09.000000000 -0400
54229 @@ -601,7 +601,7 @@ out:
54233 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
54234 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
54235 struct flowi *fl, struct rt6_info *rt,
54236 unsigned int flags)
54238 diff -urNp linux-2.6.35.4/net/ipv6/tcp_ipv6.c linux-2.6.35.4/net/ipv6/tcp_ipv6.c
54239 --- linux-2.6.35.4/net/ipv6/tcp_ipv6.c 2010-08-26 19:47:12.000000000 -0400
54240 +++ linux-2.6.35.4/net/ipv6/tcp_ipv6.c 2010-09-17 20:23:25.000000000 -0400
54241 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
54245 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54246 +extern int grsec_enable_blackhole;
54249 static void tcp_v6_hash(struct sock *sk)
54251 if (sk->sk_state != TCP_CLOSE) {
54252 @@ -1641,6 +1645,9 @@ static int tcp_v6_do_rcv(struct sock *sk
54256 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54257 + if (!grsec_enable_blackhole)
54259 tcp_v6_send_reset(sk, skb);
54262 @@ -1720,12 +1727,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
54263 TCP_SKB_CB(skb)->sacked = 0;
54265 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
54268 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54271 goto no_tcp_socket;
54275 - if (sk->sk_state == TCP_TIME_WAIT)
54276 + if (sk->sk_state == TCP_TIME_WAIT) {
54277 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54283 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
54284 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
54285 @@ -1773,6 +1788,10 @@ no_tcp_socket:
54287 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
54289 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54290 + if (!grsec_enable_blackhole || (ret == 1 &&
54291 + (skb->dev->flags & IFF_LOOPBACK)))
54293 tcp_v6_send_reset(NULL, skb);
54296 diff -urNp linux-2.6.35.4/net/ipv6/udp.c linux-2.6.35.4/net/ipv6/udp.c
54297 --- linux-2.6.35.4/net/ipv6/udp.c 2010-08-26 19:47:12.000000000 -0400
54298 +++ linux-2.6.35.4/net/ipv6/udp.c 2010-09-17 20:12:37.000000000 -0400
54300 #include <linux/seq_file.h>
54301 #include "udp_impl.h"
54303 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54304 +extern int grsec_enable_blackhole;
54307 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
54309 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
54310 @@ -756,6 +760,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
54311 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
54312 proto == IPPROTO_UDPLITE);
54314 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54315 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
54317 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
54320 diff -urNp linux-2.6.35.4/net/irda/ircomm/ircomm_tty.c linux-2.6.35.4/net/irda/ircomm/ircomm_tty.c
54321 --- linux-2.6.35.4/net/irda/ircomm/ircomm_tty.c 2010-08-26 19:47:12.000000000 -0400
54322 +++ linux-2.6.35.4/net/irda/ircomm/ircomm_tty.c 2010-09-17 20:12:09.000000000 -0400
54323 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
54324 add_wait_queue(&self->open_wait, &wait);
54326 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
54327 - __FILE__,__LINE__, tty->driver->name, self->open_count );
54328 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
54330 /* As far as I can see, we protect open_count - Jean II */
54331 spin_lock_irqsave(&self->spinlock, flags);
54332 if (!tty_hung_up_p(filp)) {
54334 - self->open_count--;
54335 + atomic_dec(&self->open_count);
54337 spin_unlock_irqrestore(&self->spinlock, flags);
54338 - self->blocked_open++;
54339 + atomic_inc(&self->blocked_open);
54342 if (tty->termios->c_cflag & CBAUD) {
54343 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
54346 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
54347 - __FILE__,__LINE__, tty->driver->name, self->open_count );
54348 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
54352 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
54354 /* ++ is not atomic, so this should be protected - Jean II */
54355 spin_lock_irqsave(&self->spinlock, flags);
54356 - self->open_count++;
54357 + atomic_inc(&self->open_count);
54358 spin_unlock_irqrestore(&self->spinlock, flags);
54360 - self->blocked_open--;
54361 + atomic_dec(&self->blocked_open);
54363 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
54364 - __FILE__,__LINE__, tty->driver->name, self->open_count);
54365 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
54368 self->flags |= ASYNC_NORMAL_ACTIVE;
54369 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
54371 /* ++ is not atomic, so this should be protected - Jean II */
54372 spin_lock_irqsave(&self->spinlock, flags);
54373 - self->open_count++;
54374 + atomic_inc(&self->open_count);
54376 tty->driver_data = self;
54378 spin_unlock_irqrestore(&self->spinlock, flags);
54380 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
54381 - self->line, self->open_count);
54382 + self->line, atomic_read(&self->open_count));
54384 /* Not really used by us, but lets do it anyway */
54385 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
54386 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
54390 - if ((tty->count == 1) && (self->open_count != 1)) {
54391 + if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
54393 * Uh, oh. tty->count is 1, which means that the tty
54394 * structure will be freed. state->count should always
54395 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
54397 IRDA_DEBUG(0, "%s(), bad serial port count; "
54398 "tty->count is 1, state->count is %d\n", __func__ ,
54399 - self->open_count);
54400 - self->open_count = 1;
54401 + atomic_read(&self->open_count));
54402 + atomic_set(&self->open_count, 1);
54405 - if (--self->open_count < 0) {
54406 + if (atomic_dec_return(&self->open_count) < 0) {
54407 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
54408 - __func__, self->line, self->open_count);
54409 - self->open_count = 0;
54410 + __func__, self->line, atomic_read(&self->open_count));
54411 + atomic_set(&self->open_count, 0);
54413 - if (self->open_count) {
54414 + if (atomic_read(&self->open_count)) {
54415 spin_unlock_irqrestore(&self->spinlock, flags);
54417 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
54418 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
54422 - if (self->blocked_open) {
54423 + if (atomic_read(&self->blocked_open)) {
54424 if (self->close_delay)
54425 schedule_timeout_interruptible(self->close_delay);
54426 wake_up_interruptible(&self->open_wait);
54427 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
54428 spin_lock_irqsave(&self->spinlock, flags);
54429 self->flags &= ~ASYNC_NORMAL_ACTIVE;
54431 - self->open_count = 0;
54432 + atomic_set(&self->open_count, 0);
54433 spin_unlock_irqrestore(&self->spinlock, flags);
54435 wake_up_interruptible(&self->open_wait);
54436 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
54439 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
54440 - seq_printf(m, "Open count: %d\n", self->open_count);
54441 + seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
54442 seq_printf(m, "Max data size: %d\n", self->max_data_size);
54443 seq_printf(m, "Max header size: %d\n", self->max_header_size);
54445 diff -urNp linux-2.6.35.4/net/key/af_key.c linux-2.6.35.4/net/key/af_key.c
54446 --- linux-2.6.35.4/net/key/af_key.c 2010-08-26 19:47:12.000000000 -0400
54447 +++ linux-2.6.35.4/net/key/af_key.c 2010-09-17 20:12:37.000000000 -0400
54448 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
54449 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
54451 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
54452 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54457 atomic_read(&s->sk_refcnt),
54458 sk_rmem_alloc_get(s),
54459 sk_wmem_alloc_get(s),
54460 diff -urNp linux-2.6.35.4/net/mac80211/ieee80211_i.h linux-2.6.35.4/net/mac80211/ieee80211_i.h
54461 --- linux-2.6.35.4/net/mac80211/ieee80211_i.h 2010-08-26 19:47:12.000000000 -0400
54462 +++ linux-2.6.35.4/net/mac80211/ieee80211_i.h 2010-09-17 20:12:09.000000000 -0400
54463 @@ -649,7 +649,7 @@ struct ieee80211_local {
54464 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
54465 spinlock_t queue_stop_reason_lock;
54468 + atomic_t open_count;
54469 int monitors, cooked_mntrs;
54470 /* number of interfaces with corresponding FIF_ flags */
54471 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
54472 diff -urNp linux-2.6.35.4/net/mac80211/iface.c linux-2.6.35.4/net/mac80211/iface.c
54473 --- linux-2.6.35.4/net/mac80211/iface.c 2010-08-26 19:47:12.000000000 -0400
54474 +++ linux-2.6.35.4/net/mac80211/iface.c 2010-09-17 20:12:09.000000000 -0400
54475 @@ -183,7 +183,7 @@ static int ieee80211_open(struct net_dev
54479 - if (local->open_count == 0) {
54480 + if (atomic_read(&local->open_count) == 0) {
54481 res = drv_start(local);
54484 @@ -215,7 +215,7 @@ static int ieee80211_open(struct net_dev
54485 * Validate the MAC address for this device.
54487 if (!is_valid_ether_addr(dev->dev_addr)) {
54488 - if (!local->open_count)
54489 + if (!atomic_read(&local->open_count))
54491 return -EADDRNOTAVAIL;
54493 @@ -308,7 +308,7 @@ static int ieee80211_open(struct net_dev
54495 hw_reconf_flags |= __ieee80211_recalc_idle(local);
54497 - local->open_count++;
54498 + atomic_inc(&local->open_count);
54499 if (hw_reconf_flags) {
54500 ieee80211_hw_config(local, hw_reconf_flags);
54502 @@ -336,7 +336,7 @@ static int ieee80211_open(struct net_dev
54504 drv_remove_interface(local, &sdata->vif);
54506 - if (!local->open_count)
54507 + if (!atomic_read(&local->open_count))
54511 @@ -439,7 +439,7 @@ static int ieee80211_stop(struct net_dev
54512 WARN_ON(!list_empty(&sdata->u.ap.vlans));
54515 - local->open_count--;
54516 + atomic_dec(&local->open_count);
54518 switch (sdata->vif.type) {
54519 case NL80211_IFTYPE_AP_VLAN:
54520 @@ -542,7 +542,7 @@ static int ieee80211_stop(struct net_dev
54522 ieee80211_recalc_ps(local, -1);
54524 - if (local->open_count == 0) {
54525 + if (atomic_read(&local->open_count) == 0) {
54526 ieee80211_clear_tx_pending(local);
54527 ieee80211_stop_device(local);
54529 diff -urNp linux-2.6.35.4/net/mac80211/main.c linux-2.6.35.4/net/mac80211/main.c
54530 --- linux-2.6.35.4/net/mac80211/main.c 2010-08-26 19:47:12.000000000 -0400
54531 +++ linux-2.6.35.4/net/mac80211/main.c 2010-09-17 20:12:09.000000000 -0400
54532 @@ -148,7 +148,7 @@ int ieee80211_hw_config(struct ieee80211
54533 local->hw.conf.power_level = power;
54536 - if (changed && local->open_count) {
54537 + if (changed && atomic_read(&local->open_count)) {
54538 ret = drv_config(local, changed);
54541 diff -urNp linux-2.6.35.4/net/mac80211/pm.c linux-2.6.35.4/net/mac80211/pm.c
54542 --- linux-2.6.35.4/net/mac80211/pm.c 2010-08-26 19:47:12.000000000 -0400
54543 +++ linux-2.6.35.4/net/mac80211/pm.c 2010-09-17 20:12:09.000000000 -0400
54544 @@ -101,7 +101,7 @@ int __ieee80211_suspend(struct ieee80211
54547 /* stop hardware - this must stop RX */
54548 - if (local->open_count)
54549 + if (atomic_read(&local->open_count))
54550 ieee80211_stop_device(local);
54552 local->suspended = true;
54553 diff -urNp linux-2.6.35.4/net/mac80211/rate.c linux-2.6.35.4/net/mac80211/rate.c
54554 --- linux-2.6.35.4/net/mac80211/rate.c 2010-08-26 19:47:12.000000000 -0400
54555 +++ linux-2.6.35.4/net/mac80211/rate.c 2010-09-17 20:12:09.000000000 -0400
54556 @@ -355,7 +355,7 @@ int ieee80211_init_rate_ctrl_alg(struct
54560 - if (local->open_count)
54561 + if (atomic_read(&local->open_count))
54564 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
54565 diff -urNp linux-2.6.35.4/net/mac80211/rc80211_pid_debugfs.c linux-2.6.35.4/net/mac80211/rc80211_pid_debugfs.c
54566 --- linux-2.6.35.4/net/mac80211/rc80211_pid_debugfs.c 2010-08-26 19:47:12.000000000 -0400
54567 +++ linux-2.6.35.4/net/mac80211/rc80211_pid_debugfs.c 2010-09-17 20:12:09.000000000 -0400
54568 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
54570 spin_unlock_irqrestore(&events->lock, status);
54572 - if (copy_to_user(buf, pb, p))
54573 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
54577 diff -urNp linux-2.6.35.4/net/mac80211/tx.c linux-2.6.35.4/net/mac80211/tx.c
54578 --- linux-2.6.35.4/net/mac80211/tx.c 2010-08-26 19:47:12.000000000 -0400
54579 +++ linux-2.6.35.4/net/mac80211/tx.c 2010-09-17 20:12:09.000000000 -0400
54580 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
54581 return cpu_to_le16(dur);
54584 -static int inline is_ieee80211_device(struct ieee80211_local *local,
54585 +static inline int is_ieee80211_device(struct ieee80211_local *local,
54586 struct net_device *dev)
54588 return local == wdev_priv(dev->ieee80211_ptr);
54589 diff -urNp linux-2.6.35.4/net/mac80211/util.c linux-2.6.35.4/net/mac80211/util.c
54590 --- linux-2.6.35.4/net/mac80211/util.c 2010-08-26 19:47:12.000000000 -0400
54591 +++ linux-2.6.35.4/net/mac80211/util.c 2010-09-17 20:12:09.000000000 -0400
54592 @@ -1097,7 +1097,7 @@ int ieee80211_reconfig(struct ieee80211_
54593 local->resuming = true;
54595 /* restart hardware */
54596 - if (local->open_count) {
54597 + if (atomic_read(&local->open_count)) {
54599 * Upon resume hardware can sometimes be goofy due to
54600 * various platform / driver / bus issues, so restarting
54601 diff -urNp linux-2.6.35.4/net/netlink/af_netlink.c linux-2.6.35.4/net/netlink/af_netlink.c
54602 --- linux-2.6.35.4/net/netlink/af_netlink.c 2010-08-26 19:47:12.000000000 -0400
54603 +++ linux-2.6.35.4/net/netlink/af_netlink.c 2010-09-17 20:12:37.000000000 -0400
54604 @@ -2001,13 +2001,21 @@ static int netlink_seq_show(struct seq_f
54605 struct netlink_sock *nlk = nlk_sk(s);
54607 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
54608 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54615 nlk->groups ? (u32)nlk->groups[0] : 0,
54616 sk_rmem_alloc_get(s),
54617 sk_wmem_alloc_get(s),
54618 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54623 atomic_read(&s->sk_refcnt),
54624 atomic_read(&s->sk_drops),
54626 diff -urNp linux-2.6.35.4/net/packet/af_packet.c linux-2.6.35.4/net/packet/af_packet.c
54627 --- linux-2.6.35.4/net/packet/af_packet.c 2010-08-26 19:47:12.000000000 -0400
54628 +++ linux-2.6.35.4/net/packet/af_packet.c 2010-09-17 20:12:37.000000000 -0400
54629 @@ -2093,7 +2093,7 @@ static int packet_getsockopt(struct sock
54630 case PACKET_HDRLEN:
54631 if (len > sizeof(int))
54633 - if (copy_from_user(&val, optval, len))
54634 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
54638 @@ -2125,7 +2125,7 @@ static int packet_getsockopt(struct sock
54640 if (put_user(len, optlen))
54642 - if (copy_to_user(optval, data, len))
54643 + if (len > sizeof(st) || copy_to_user(optval, data, len))
54647 @@ -2604,7 +2604,11 @@ static int packet_seq_show(struct seq_fi
54650 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
54651 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54656 atomic_read(&s->sk_refcnt),
54659 diff -urNp linux-2.6.35.4/net/sctp/socket.c linux-2.6.35.4/net/sctp/socket.c
54660 --- linux-2.6.35.4/net/sctp/socket.c 2010-08-26 19:47:12.000000000 -0400
54661 +++ linux-2.6.35.4/net/sctp/socket.c 2010-09-17 20:12:09.000000000 -0400
54662 @@ -1483,7 +1483,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
54663 struct sctp_sndrcvinfo *sinfo;
54664 struct sctp_initmsg *sinit;
54665 sctp_assoc_t associd = 0;
54666 - sctp_cmsgs_t cmsgs = { NULL };
54667 + sctp_cmsgs_t cmsgs = { NULL, NULL };
54669 sctp_scope_t scope;
54671 @@ -4387,7 +4387,7 @@ static int sctp_getsockopt_peer_addrs(st
54672 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
54673 if (space_left < addrlen)
54675 - if (copy_to_user(to, &temp, addrlen))
54676 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
54680 diff -urNp linux-2.6.35.4/net/socket.c linux-2.6.35.4/net/socket.c
54681 --- linux-2.6.35.4/net/socket.c 2010-08-26 19:47:12.000000000 -0400
54682 +++ linux-2.6.35.4/net/socket.c 2010-09-17 20:12:37.000000000 -0400
54684 #include <linux/nsproxy.h>
54685 #include <linux/magic.h>
54686 #include <linux/slab.h>
54687 +#include <linux/in.h>
54689 #include <asm/uaccess.h>
54690 #include <asm/unistd.h>
54691 @@ -105,6 +106,8 @@
54692 #include <linux/sockios.h>
54693 #include <linux/atalk.h>
54695 +#include <linux/grsock.h>
54697 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
54698 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
54699 unsigned long nr_segs, loff_t pos);
54700 @@ -322,7 +325,7 @@ static int sockfs_get_sb(struct file_sys
54704 -static struct vfsmount *sock_mnt __read_mostly;
54705 +struct vfsmount *sock_mnt __read_mostly;
54707 static struct file_system_type sock_fs_type = {
54709 @@ -1291,6 +1294,16 @@ SYSCALL_DEFINE3(socket, int, family, int
54710 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
54711 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
54713 + if(!gr_search_socket(family, type, protocol)) {
54714 + retval = -EACCES;
54718 + if (gr_handle_sock_all(family, type, protocol)) {
54719 + retval = -EACCES;
54723 retval = sock_create(family, type, protocol, &sock);
54726 @@ -1403,6 +1416,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
54728 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
54730 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
54734 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
54738 err = security_socket_bind(sock,
54739 (struct sockaddr *)&address,
54741 @@ -1411,6 +1432,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
54742 (struct sockaddr *)
54743 &address, addrlen);
54746 fput_light(sock->file, fput_needed);
54749 @@ -1434,10 +1456,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
54750 if ((unsigned)backlog > somaxconn)
54751 backlog = somaxconn;
54753 + if (gr_handle_sock_server_other(sock->sk)) {
54758 + err = gr_search_listen(sock);
54762 err = security_socket_listen(sock, backlog);
54764 err = sock->ops->listen(sock, backlog);
54767 fput_light(sock->file, fput_needed);
54770 @@ -1480,6 +1512,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
54771 newsock->type = sock->type;
54772 newsock->ops = sock->ops;
54774 + if (gr_handle_sock_server_other(sock->sk)) {
54776 + sock_release(newsock);
54780 + err = gr_search_accept(sock);
54782 + sock_release(newsock);
54787 * We don't need try_module_get here, as the listening socket (sock)
54788 * has the protocol module (sock->ops->owner) held.
54789 @@ -1518,6 +1562,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
54790 fd_install(newfd, newfile);
54793 + gr_attach_curr_ip(newsock->sk);
54796 fput_light(sock->file, fput_needed);
54798 @@ -1550,6 +1596,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
54801 struct socket *sock;
54802 + struct sockaddr *sck;
54803 struct sockaddr_storage address;
54804 int err, fput_needed;
54806 @@ -1560,6 +1607,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
54810 + sck = (struct sockaddr *)&address;
54812 + if (gr_handle_sock_client(sck)) {
54817 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
54822 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
54824 diff -urNp linux-2.6.35.4/net/sunrpc/sched.c linux-2.6.35.4/net/sunrpc/sched.c
54825 --- linux-2.6.35.4/net/sunrpc/sched.c 2010-08-26 19:47:12.000000000 -0400
54826 +++ linux-2.6.35.4/net/sunrpc/sched.c 2010-09-17 20:12:09.000000000 -0400
54827 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
54829 static void rpc_task_set_debuginfo(struct rpc_task *task)
54831 - static atomic_t rpc_pid;
54832 + static atomic_unchecked_t rpc_pid;
54834 - task->tk_pid = atomic_inc_return(&rpc_pid);
54835 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
54838 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
54839 diff -urNp linux-2.6.35.4/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.35.4/net/sunrpc/xprtrdma/svc_rdma.c
54840 --- linux-2.6.35.4/net/sunrpc/xprtrdma/svc_rdma.c 2010-08-26 19:47:12.000000000 -0400
54841 +++ linux-2.6.35.4/net/sunrpc/xprtrdma/svc_rdma.c 2010-09-17 20:12:37.000000000 -0400
54842 @@ -106,7 +106,7 @@ static int read_reset_stat(ctl_table *ta
54846 - if (len && copy_to_user(buffer, str_buf, len))
54847 + if (len > sizeof(str_buf) || (len && copy_to_user(buffer, str_buf, len)))
54851 diff -urNp linux-2.6.35.4/net/sysctl_net.c linux-2.6.35.4/net/sysctl_net.c
54852 --- linux-2.6.35.4/net/sysctl_net.c 2010-08-26 19:47:12.000000000 -0400
54853 +++ linux-2.6.35.4/net/sysctl_net.c 2010-09-17 20:12:37.000000000 -0400
54854 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
54855 struct ctl_table *table)
54857 /* Allow network administrator to have same access as root. */
54858 - if (capable(CAP_NET_ADMIN)) {
54859 + if (capable_nolog(CAP_NET_ADMIN)) {
54860 int mode = (table->mode >> 6) & 7;
54861 return (mode << 6) | (mode << 3) | mode;
54863 diff -urNp linux-2.6.35.4/net/tipc/socket.c linux-2.6.35.4/net/tipc/socket.c
54864 --- linux-2.6.35.4/net/tipc/socket.c 2010-08-26 19:47:12.000000000 -0400
54865 +++ linux-2.6.35.4/net/tipc/socket.c 2010-09-17 20:12:09.000000000 -0400
54866 @@ -1451,8 +1451,9 @@ static int connect(struct socket *sock,
54871 - ; /* leave "res" unchanged */
54873 + /* leave "res" unchanged */
54875 sock->state = SS_DISCONNECTING;
54878 diff -urNp linux-2.6.35.4/net/unix/af_unix.c linux-2.6.35.4/net/unix/af_unix.c
54879 --- linux-2.6.35.4/net/unix/af_unix.c 2010-08-26 19:47:12.000000000 -0400
54880 +++ linux-2.6.35.4/net/unix/af_unix.c 2010-09-17 20:12:37.000000000 -0400
54881 @@ -736,6 +736,12 @@ static struct sock *unix_find_other(stru
54882 err = -ECONNREFUSED;
54883 if (!S_ISSOCK(inode->i_mode))
54886 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
54891 u = unix_find_socket_byinode(net, inode);
54894 @@ -756,6 +762,13 @@ static struct sock *unix_find_other(stru
54896 struct dentry *dentry;
54897 dentry = unix_sk(u)->dentry;
54899 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
54906 touch_atime(unix_sk(u)->mnt, dentry);
54908 @@ -841,11 +854,18 @@ static int unix_bind(struct socket *sock
54909 err = security_path_mknod(&nd.path, dentry, mode, 0);
54911 goto out_mknod_drop_write;
54912 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
54914 + goto out_mknod_drop_write;
54916 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
54917 out_mknod_drop_write:
54918 mnt_drop_write(nd.path.mnt);
54920 goto out_mknod_dput;
54922 + gr_handle_create(dentry, nd.path.mnt);
54924 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
54925 dput(nd.path.dentry);
54926 nd.path.dentry = dentry;
54927 @@ -863,6 +883,10 @@ out_mknod_drop_write:
54931 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
54932 + sk->sk_peercred.pid = current->pid;
54935 list = &unix_socket_table[addr->hash];
54937 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
54938 @@ -2161,7 +2185,11 @@ static int unix_seq_show(struct seq_file
54939 unix_state_lock(s);
54941 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
54942 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54947 atomic_read(&s->sk_refcnt),
54949 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
54950 diff -urNp linux-2.6.35.4/net/wireless/reg.c linux-2.6.35.4/net/wireless/reg.c
54951 --- linux-2.6.35.4/net/wireless/reg.c 2010-08-26 19:47:12.000000000 -0400
54952 +++ linux-2.6.35.4/net/wireless/reg.c 2010-09-17 20:12:09.000000000 -0400
54954 printk(KERN_DEBUG format , ## args); \
54957 -#define REG_DBG_PRINT(args...)
54958 +#define REG_DBG_PRINT(args...) do {} while (0)
54961 /* Receipt of information from last regulatory request */
54962 diff -urNp linux-2.6.35.4/net/wireless/wext-core.c linux-2.6.35.4/net/wireless/wext-core.c
54963 --- linux-2.6.35.4/net/wireless/wext-core.c 2010-08-26 19:47:12.000000000 -0400
54964 +++ linux-2.6.35.4/net/wireless/wext-core.c 2010-09-17 20:12:09.000000000 -0400
54965 @@ -744,8 +744,7 @@ static int ioctl_standard_iw_point(struc
54968 /* Support for very large requests */
54969 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
54970 - (user_length > descr->max_tokens)) {
54971 + if (user_length > descr->max_tokens) {
54972 /* Allow userspace to GET more than max so
54973 * we can support any size GET requests.
54974 * There is still a limit : -ENOMEM.
54975 diff -urNp linux-2.6.35.4/net/xfrm/xfrm_policy.c linux-2.6.35.4/net/xfrm/xfrm_policy.c
54976 --- linux-2.6.35.4/net/xfrm/xfrm_policy.c 2010-08-26 19:47:12.000000000 -0400
54977 +++ linux-2.6.35.4/net/xfrm/xfrm_policy.c 2010-09-17 20:12:09.000000000 -0400
54978 @@ -1502,7 +1502,7 @@ free_dst:
54984 xfrm_dst_alloc_copy(void **target, void *src, int size)
54987 @@ -1514,7 +1514,7 @@ xfrm_dst_alloc_copy(void **target, void
54993 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
54995 #ifdef CONFIG_XFRM_SUB_POLICY
54996 @@ -1526,7 +1526,7 @@ xfrm_dst_update_parent(struct dst_entry
55002 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
55004 #ifdef CONFIG_XFRM_SUB_POLICY
55005 diff -urNp linux-2.6.35.4/scripts/basic/fixdep.c linux-2.6.35.4/scripts/basic/fixdep.c
55006 --- linux-2.6.35.4/scripts/basic/fixdep.c 2010-08-26 19:47:12.000000000 -0400
55007 +++ linux-2.6.35.4/scripts/basic/fixdep.c 2010-09-17 20:12:09.000000000 -0400
55008 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
55010 static void parse_config_file(char *map, size_t len)
55012 - int *end = (int *) (map + len);
55013 + unsigned int *end = (unsigned int *) (map + len);
55014 /* start at +1, so that p can never be < map */
55015 - int *m = (int *) map + 1;
55016 + unsigned int *m = (unsigned int *) map + 1;
55019 for (; m < end; m++) {
55020 @@ -371,7 +371,7 @@ static void print_deps(void)
55021 static void traps(void)
55023 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
55024 - int *p = (int *)test;
55025 + unsigned int *p = (unsigned int *)test;
55027 if (*p != INT_CONF) {
55028 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
55029 diff -urNp linux-2.6.35.4/scripts/kallsyms.c linux-2.6.35.4/scripts/kallsyms.c
55030 --- linux-2.6.35.4/scripts/kallsyms.c 2010-08-26 19:47:12.000000000 -0400
55031 +++ linux-2.6.35.4/scripts/kallsyms.c 2010-09-17 20:12:09.000000000 -0400
55032 @@ -43,10 +43,10 @@ struct text_range {
55034 static unsigned long long _text;
55035 static struct text_range text_ranges[] = {
55036 - { "_stext", "_etext" },
55037 - { "_sinittext", "_einittext" },
55038 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
55039 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
55040 + { "_stext", "_etext", 0, 0 },
55041 + { "_sinittext", "_einittext", 0, 0 },
55042 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
55043 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
55045 #define text_range_text (&text_ranges[0])
55046 #define text_range_inittext (&text_ranges[1])
55047 diff -urNp linux-2.6.35.4/scripts/mod/file2alias.c linux-2.6.35.4/scripts/mod/file2alias.c
55048 --- linux-2.6.35.4/scripts/mod/file2alias.c 2010-08-26 19:47:12.000000000 -0400
55049 +++ linux-2.6.35.4/scripts/mod/file2alias.c 2010-09-17 20:12:09.000000000 -0400
55050 @@ -72,7 +72,7 @@ static void device_id_check(const char *
55051 unsigned long size, unsigned long id_size,
55057 if (size % id_size || size < id_size) {
55058 if (cross_build != 0)
55059 @@ -102,7 +102,7 @@ static void device_id_check(const char *
55060 /* USB is special because the bcdDevice can be matched against a numeric range */
55061 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
55062 static void do_usb_entry(struct usb_device_id *id,
55063 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
55064 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
55065 unsigned char range_lo, unsigned char range_hi,
55066 unsigned char max, struct module *mod)
55068 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
55069 for (i = 0; i < count; i++) {
55070 const char *id = (char *)devs[i].id;
55071 char acpi_id[sizeof(devs[0].id)];
55075 buf_printf(&mod->dev_table_buf,
55076 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
55077 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
55079 for (j = 0; j < PNP_MAX_DEVICES; j++) {
55080 const char *id = (char *)card->devs[j].id;
55082 + unsigned int i2, j2;
55086 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
55087 /* add an individual alias for every device entry */
55089 char acpi_id[sizeof(card->devs[0].id)];
55093 buf_printf(&mod->dev_table_buf,
55094 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
55095 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
55096 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
55100 + unsigned int i, j;
55102 sprintf(alias, "dmi*");
55104 diff -urNp linux-2.6.35.4/scripts/mod/modpost.c linux-2.6.35.4/scripts/mod/modpost.c
55105 --- linux-2.6.35.4/scripts/mod/modpost.c 2010-08-26 19:47:12.000000000 -0400
55106 +++ linux-2.6.35.4/scripts/mod/modpost.c 2010-09-17 20:12:09.000000000 -0400
55107 @@ -846,6 +846,7 @@ enum mismatch {
55108 ANY_INIT_TO_ANY_EXIT,
55109 ANY_EXIT_TO_ANY_INIT,
55110 EXPORT_TO_INIT_EXIT,
55114 struct sectioncheck {
55115 @@ -954,6 +955,12 @@ const struct sectioncheck sectioncheck[]
55116 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
55117 .mismatch = EXPORT_TO_INIT_EXIT,
55118 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
55120 +/* Do not reference code from writable data */
55122 + .fromsec = { DATA_SECTIONS, NULL },
55123 + .tosec = { TEXT_SECTIONS, NULL },
55124 + .mismatch = DATA_TO_TEXT
55128 @@ -1060,10 +1067,10 @@ static Elf_Sym *find_elf_symbol(struct e
55130 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
55132 - if (sym->st_value == addr)
55134 /* Find a symbol nearby - addr are maybe negative */
55135 d = sym->st_value - addr;
55139 d = addr - sym->st_value;
55140 if (d < distance) {
55141 @@ -1306,6 +1313,14 @@ static void report_sec_mismatch(const ch
55142 "or drop the export.\n",
55143 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
55145 + case DATA_TO_TEXT:
55148 + "The variable %s references\n"
55149 + "the %s %s%s%s\n",
55150 + fromsym, to, sec2annotation(tosec), tosym, to_p);
55154 fprintf(stderr, "\n");
55156 @@ -1629,7 +1644,7 @@ void __attribute__((format(printf, 2, 3)
55160 -void buf_write(struct buffer *buf, const char *s, int len)
55161 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
55163 if (buf->size - buf->pos < len) {
55164 buf->size += len + SZ;
55165 @@ -1841,7 +1856,7 @@ static void write_if_changed(struct buff
55166 if (fstat(fileno(file), &st) < 0)
55169 - if (st.st_size != b->pos)
55170 + if (st.st_size != (off_t)b->pos)
55173 tmp = NOFAIL(malloc(b->pos));
55174 diff -urNp linux-2.6.35.4/scripts/mod/modpost.h linux-2.6.35.4/scripts/mod/modpost.h
55175 --- linux-2.6.35.4/scripts/mod/modpost.h 2010-08-26 19:47:12.000000000 -0400
55176 +++ linux-2.6.35.4/scripts/mod/modpost.h 2010-09-17 20:12:09.000000000 -0400
55177 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
55183 + unsigned int pos;
55184 + unsigned int size;
55187 void __attribute__((format(printf, 2, 3)))
55188 buf_printf(struct buffer *buf, const char *fmt, ...);
55191 -buf_write(struct buffer *buf, const char *s, int len);
55192 +buf_write(struct buffer *buf, const char *s, unsigned int len);
55195 struct module *next;
55196 diff -urNp linux-2.6.35.4/scripts/mod/sumversion.c linux-2.6.35.4/scripts/mod/sumversion.c
55197 --- linux-2.6.35.4/scripts/mod/sumversion.c 2010-08-26 19:47:12.000000000 -0400
55198 +++ linux-2.6.35.4/scripts/mod/sumversion.c 2010-09-17 20:12:09.000000000 -0400
55199 @@ -455,7 +455,7 @@ static void write_version(const char *fi
55203 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
55204 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
55205 warn("writing sum in %s failed: %s\n",
55206 filename, strerror(errno));
55208 diff -urNp linux-2.6.35.4/scripts/pnmtologo.c linux-2.6.35.4/scripts/pnmtologo.c
55209 --- linux-2.6.35.4/scripts/pnmtologo.c 2010-08-26 19:47:12.000000000 -0400
55210 +++ linux-2.6.35.4/scripts/pnmtologo.c 2010-09-17 20:12:09.000000000 -0400
55211 @@ -237,14 +237,14 @@ static void write_header(void)
55212 fprintf(out, " * Linux logo %s\n", logoname);
55213 fputs(" */\n\n", out);
55214 fputs("#include <linux/linux_logo.h>\n\n", out);
55215 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
55216 + fprintf(out, "static unsigned char %s_data[] = {\n",
55220 static void write_footer(void)
55222 fputs("\n};\n\n", out);
55223 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
55224 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
55225 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
55226 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
55227 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
55228 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
55229 fputs("\n};\n\n", out);
55231 /* write logo clut */
55232 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
55233 + fprintf(out, "static unsigned char %s_clut[] = {\n",
55236 for (i = 0; i < logo_clutsize; i++) {
55237 diff -urNp linux-2.6.35.4/security/commoncap.c linux-2.6.35.4/security/commoncap.c
55238 --- linux-2.6.35.4/security/commoncap.c 2010-08-26 19:47:12.000000000 -0400
55239 +++ linux-2.6.35.4/security/commoncap.c 2010-09-17 20:12:37.000000000 -0400
55241 #include <linux/securebits.h>
55242 #include <linux/syslog.h>
55243 #include <linux/vs_context.h>
55244 +#include <net/sock.h>
55247 * If a non-root user executes a setuid-root binary in
55248 @@ -51,9 +52,11 @@ static void warn_setuid_and_fcaps_mixed(
55252 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
55254 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
55256 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
55257 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
55261 diff -urNp linux-2.6.35.4/security/integrity/ima/ima_api.c linux-2.6.35.4/security/integrity/ima/ima_api.c
55262 --- linux-2.6.35.4/security/integrity/ima/ima_api.c 2010-08-26 19:47:12.000000000 -0400
55263 +++ linux-2.6.35.4/security/integrity/ima/ima_api.c 2010-09-17 20:12:09.000000000 -0400
55264 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
55267 /* can overflow, only indicator */
55268 - atomic_long_inc(&ima_htable.violations);
55269 + atomic_long_inc_unchecked(&ima_htable.violations);
55271 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
55273 diff -urNp linux-2.6.35.4/security/integrity/ima/ima_fs.c linux-2.6.35.4/security/integrity/ima/ima_fs.c
55274 --- linux-2.6.35.4/security/integrity/ima/ima_fs.c 2010-08-26 19:47:12.000000000 -0400
55275 +++ linux-2.6.35.4/security/integrity/ima/ima_fs.c 2010-09-17 20:12:09.000000000 -0400
55276 @@ -28,12 +28,12 @@
55277 static int valid_policy = 1;
55278 #define TMPBUFLEN 12
55279 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
55280 - loff_t *ppos, atomic_long_t *val)
55281 + loff_t *ppos, atomic_long_unchecked_t *val)
55283 char tmpbuf[TMPBUFLEN];
55286 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
55287 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
55288 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
55291 diff -urNp linux-2.6.35.4/security/integrity/ima/ima.h linux-2.6.35.4/security/integrity/ima/ima.h
55292 --- linux-2.6.35.4/security/integrity/ima/ima.h 2010-08-26 19:47:12.000000000 -0400
55293 +++ linux-2.6.35.4/security/integrity/ima/ima.h 2010-09-17 20:12:09.000000000 -0400
55294 @@ -83,8 +83,8 @@ void ima_add_violation(struct inode *ino
55295 extern spinlock_t ima_queue_lock;
55297 struct ima_h_table {
55298 - atomic_long_t len; /* number of stored measurements in the list */
55299 - atomic_long_t violations;
55300 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
55301 + atomic_long_unchecked_t violations;
55302 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
55304 extern struct ima_h_table ima_htable;
55305 diff -urNp linux-2.6.35.4/security/integrity/ima/ima_queue.c linux-2.6.35.4/security/integrity/ima/ima_queue.c
55306 --- linux-2.6.35.4/security/integrity/ima/ima_queue.c 2010-08-26 19:47:12.000000000 -0400
55307 +++ linux-2.6.35.4/security/integrity/ima/ima_queue.c 2010-09-17 20:12:09.000000000 -0400
55308 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
55309 INIT_LIST_HEAD(&qe->later);
55310 list_add_tail_rcu(&qe->later, &ima_measurements);
55312 - atomic_long_inc(&ima_htable.len);
55313 + atomic_long_inc_unchecked(&ima_htable.len);
55314 key = ima_hash_key(entry->digest);
55315 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
55317 diff -urNp linux-2.6.35.4/security/Kconfig linux-2.6.35.4/security/Kconfig
55318 --- linux-2.6.35.4/security/Kconfig 2010-08-26 19:47:12.000000000 -0400
55319 +++ linux-2.6.35.4/security/Kconfig 2010-09-17 20:12:37.000000000 -0400
55322 menu "Security options"
55324 +source grsecurity/Kconfig
55328 + config PAX_PER_CPU_PGD
55331 + config TASK_SIZE_MAX_SHIFT
55333 + depends on X86_64
55334 + default 47 if !PAX_PER_CPU_PGD
55335 + default 42 if PAX_PER_CPU_PGD
55337 + config PAX_ENABLE_PAE
55339 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
55342 + bool "Enable various PaX features"
55343 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
55345 + This allows you to enable various PaX features. PaX adds
55346 + intrusion prevention mechanisms to the kernel that reduce
55347 + the risks posed by exploitable memory corruption bugs.
55349 +menu "PaX Control"
55352 +config PAX_SOFTMODE
55353 + bool 'Support soft mode'
55354 + select PAX_PT_PAX_FLAGS
55356 + Enabling this option will allow you to run PaX in soft mode, that
55357 + is, PaX features will not be enforced by default, only on executables
55358 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
55359 + is the only way to mark executables for soft mode use.
55361 + Soft mode can be activated by using the "pax_softmode=1" kernel command
55362 + line option on boot. Furthermore you can control various PaX features
55363 + at runtime via the entries in /proc/sys/kernel/pax.
55366 + bool 'Use legacy ELF header marking'
55368 + Enabling this option will allow you to control PaX features on
55369 + a per executable basis via the 'chpax' utility available at
55370 + http://pax.grsecurity.net/. The control flags will be read from
55371 + an otherwise reserved part of the ELF header. This marking has
55372 + numerous drawbacks (no support for soft-mode, toolchain does not
55373 + know about the non-standard use of the ELF header) therefore it
55374 + has been deprecated in favour of PT_PAX_FLAGS support.
55376 + If you have applications not marked by the PT_PAX_FLAGS ELF
55377 + program header then you MUST enable this option otherwise they
55378 + will not get any protection.
55380 + Note that if you enable PT_PAX_FLAGS marking support as well,
55381 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
55383 +config PAX_PT_PAX_FLAGS
55384 + bool 'Use ELF program header marking'
55386 + Enabling this option will allow you to control PaX features on
55387 + a per executable basis via the 'paxctl' utility available at
55388 + http://pax.grsecurity.net/. The control flags will be read from
55389 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
55390 + has the benefits of supporting both soft mode and being fully
55391 + integrated into the toolchain (the binutils patch is available
55392 + from http://pax.grsecurity.net).
55394 + If you have applications not marked by the PT_PAX_FLAGS ELF
55395 + program header then you MUST enable the EI_PAX marking support
55396 + otherwise they will not get any protection.
55398 + Note that if you enable the legacy EI_PAX marking support as well,
55399 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
55402 + prompt 'MAC system integration'
55403 + default PAX_HAVE_ACL_FLAGS
55405 + Mandatory Access Control systems have the option of controlling
55406 + PaX flags on a per executable basis, choose the method supported
55407 + by your particular system.
55409 + - "none": if your MAC system does not interact with PaX,
55410 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
55411 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
55413 + NOTE: this option is for developers/integrators only.
55415 + config PAX_NO_ACL_FLAGS
55418 + config PAX_HAVE_ACL_FLAGS
55421 + config PAX_HOOK_ACL_FLAGS
55427 +menu "Non-executable pages"
55431 + bool "Enforce non-executable pages"
55432 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
55434 + By design some architectures do not allow for protecting memory
55435 + pages against execution or even if they do, Linux does not make
55436 + use of this feature. In practice this means that if a page is
55437 + readable (such as the stack or heap) it is also executable.
55439 + There is a well known exploit technique that makes use of this
55440 + fact and a common programming mistake where an attacker can
55441 + introduce code of his choice somewhere in the attacked program's
55442 + memory (typically the stack or the heap) and then execute it.
55444 + If the attacked program was running with different (typically
55445 + higher) privileges than that of the attacker, then he can elevate
55446 + his own privilege level (e.g. get a root shell, write to files for
55447 + which he does not have write access to, etc).
55449 + Enabling this option will let you choose from various features
55450 + that prevent the injection and execution of 'foreign' code in
55453 + This will also break programs that rely on the old behaviour and
55454 + expect that dynamically allocated memory via the malloc() family
55455 + of functions is executable (which it is not). Notable examples
55456 + are the XFree86 4.x server, the java runtime and wine.
55458 +config PAX_PAGEEXEC
55459 + bool "Paging based non-executable pages"
55460 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
55461 + select S390_SWITCH_AMODE if S390
55462 + select S390_EXEC_PROTECT if S390
55464 + This implementation is based on the paging feature of the CPU.
55465 + On i386 without hardware non-executable bit support there is a
55466 + variable but usually low performance impact, however on Intel's
55467 + P4 core based CPUs it is very high so you should not enable this
55468 + for kernels meant to be used on such CPUs.
55470 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
55471 + with hardware non-executable bit support there is no performance
55472 + impact, on ppc the impact is negligible.
55474 + Note that several architectures require various emulations due to
55475 + badly designed userland ABIs, this will cause a performance impact
55476 + but will disappear as soon as userland is fixed. For example, ppc
55477 + userland MUST have been built with secure-plt by a recent toolchain.
55479 +config PAX_SEGMEXEC
55480 + bool "Segmentation based non-executable pages"
55481 + depends on PAX_NOEXEC && X86_32
55483 + This implementation is based on the segmentation feature of the
55484 + CPU and has a very small performance impact, however applications
55485 + will be limited to a 1.5 GB address space instead of the normal
55488 +config PAX_EMUTRAMP
55489 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
55490 + default y if PARISC
55492 + There are some programs and libraries that for one reason or
55493 + another attempt to execute special small code snippets from
55494 + non-executable memory pages. Most notable examples are the
55495 + signal handler return code generated by the kernel itself and
55496 + the GCC trampolines.
55498 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
55499 + such programs will no longer work under your kernel.
55501 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
55502 + utilities to enable trampoline emulation for the affected programs
55503 + yet still have the protection provided by the non-executable pages.
55505 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
55506 + your system will not even boot.
55508 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
55509 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
55510 + for the affected files.
55512 + NOTE: enabling this feature *may* open up a loophole in the
55513 + protection provided by non-executable pages that an attacker
55514 + could abuse. Therefore the best solution is to not have any
55515 + files on your system that would require this option. This can
55516 + be achieved by not using libc5 (which relies on the kernel
55517 + signal handler return code) and not using or rewriting programs
55518 + that make use of the nested function implementation of GCC.
55519 + Skilled users can just fix GCC itself so that it implements
55520 + nested function calls in a way that does not interfere with PaX.
55522 +config PAX_EMUSIGRT
55523 + bool "Automatically emulate sigreturn trampolines"
55524 + depends on PAX_EMUTRAMP && PARISC
55527 + Enabling this option will have the kernel automatically detect
55528 + and emulate signal return trampolines executing on the stack
55529 + that would otherwise lead to task termination.
55531 + This solution is intended as a temporary one for users with
55532 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
55533 + Modula-3 runtime, etc) or executables linked to such, basically
55534 + everything that does not specify its own SA_RESTORER function in
55535 + normal executable memory like glibc 2.1+ does.
55537 + On parisc you MUST enable this option, otherwise your system will
55540 + NOTE: this feature cannot be disabled on a per executable basis
55541 + and since it *does* open up a loophole in the protection provided
55542 + by non-executable pages, the best solution is to not have any
55543 + files on your system that would require this option.
55545 +config PAX_MPROTECT
55546 + bool "Restrict mprotect()"
55547 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
55549 + Enabling this option will prevent programs from
55550 + - changing the executable status of memory pages that were
55551 + not originally created as executable,
55552 + - making read-only executable pages writable again,
55553 + - creating executable pages from anonymous memory,
55554 + - making read-only-after-relocations (RELRO) data pages writable again.
55556 + You should say Y here to complete the protection provided by
55557 + the enforcement of non-executable pages.
55559 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
55560 + this feature on a per file basis.
55562 +config PAX_ELFRELOCS
55563 + bool "Allow ELF text relocations (read help)"
55564 + depends on PAX_MPROTECT
55567 + Non-executable pages and mprotect() restrictions are effective
55568 + in preventing the introduction of new executable code into an
55569 + attacked task's address space. There remain only two venues
55570 + for this kind of attack: if the attacker can execute already
55571 + existing code in the attacked task then he can either have it
55572 + create and mmap() a file containing his code or have it mmap()
55573 + an already existing ELF library that does not have position
55574 + independent code in it and use mprotect() on it to make it
55575 + writable and copy his code there. While protecting against
55576 + the former approach is beyond PaX, the latter can be prevented
55577 + by having only PIC ELF libraries on one's system (which do not
55578 + need to relocate their code). If you are sure this is your case,
55579 + as is the case with all modern Linux distributions, then leave
55580 + this option disabled. You should say 'n' here.
55582 +config PAX_ETEXECRELOCS
55583 + bool "Allow ELF ET_EXEC text relocations"
55584 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
55585 + select PAX_ELFRELOCS
55588 + On some architectures there are incorrectly created applications
55589 + that require text relocations and would not work without enabling
55590 + this option. If you are an alpha, ia64 or parisc user, you should
55591 + enable this option and disable it once you have made sure that
55592 + none of your applications need it.
55595 + bool "Automatically emulate ELF PLT"
55596 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
55599 + Enabling this option will have the kernel automatically detect
55600 + and emulate the Procedure Linkage Table entries in ELF files.
55601 + On some architectures such entries are in writable memory, and
55602 + become non-executable leading to task termination. Therefore
55603 + it is mandatory that you enable this option on alpha, parisc,
55604 + sparc and sparc64, otherwise your system would not even boot.
55606 + NOTE: this feature *does* open up a loophole in the protection
55607 + provided by the non-executable pages, therefore the proper
55608 + solution is to modify the toolchain to produce a PLT that does
55609 + not need to be writable.
55611 +config PAX_DLRESOLVE
55612 + bool 'Emulate old glibc resolver stub'
55613 + depends on PAX_EMUPLT && SPARC
55616 + This option is needed if userland has an old glibc (before 2.4)
55617 + that puts a 'save' instruction into the runtime generated resolver
55618 + stub that needs special emulation.
55620 +config PAX_KERNEXEC
55621 + bool "Enforce non-executable kernel pages"
55622 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
55623 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
55625 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
55626 + that is, enabling this option will make it harder to inject
55627 + and execute 'foreign' code in kernel memory itself.
55629 +config PAX_KERNEXEC_MODULE_TEXT
55630 + int "Minimum amount of memory reserved for module code"
55632 + depends on PAX_KERNEXEC && X86_32 && MODULES
55634 + Due to implementation details the kernel must reserve a fixed
55635 + amount of memory for module code at compile time that cannot be
55636 + changed at runtime. Here you can specify the minimum amount
55637 + in MB that will be reserved. Due to the same implementation
55638 + details this size will always be rounded up to the next 2/4 MB
55639 + boundary (depends on PAE) so the actually available memory for
55640 + module code will usually be more than this minimum.
55642 + The default 4 MB should be enough for most users but if you have
55643 + an excessive number of modules (e.g., most distribution configs
55644 + compile many drivers as modules) or use huge modules such as
55645 + nvidia's kernel driver, you will need to adjust this amount.
55646 + A good rule of thumb is to look at your currently loaded kernel
55647 + modules and add up their sizes.
55651 +menu "Address Space Layout Randomization"
55655 + bool "Address Space Layout Randomization"
55656 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
55658 + Many if not most exploit techniques rely on the knowledge of
55659 + certain addresses in the attacked program. The following options
55660 + will allow the kernel to apply a certain amount of randomization
55661 + to specific parts of the program thereby forcing an attacker to
55662 + guess them in most cases. Any failed guess will most likely crash
55663 + the attacked program which allows the kernel to detect such attempts
55664 + and react on them. PaX itself provides no reaction mechanisms,
55665 + instead it is strongly encouraged that you make use of Nergal's
55666 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
55667 + (http://www.grsecurity.net/) built-in crash detection features or
55668 + develop one yourself.
55670 + By saying Y here you can choose to randomize the following areas:
55671 + - top of the task's kernel stack
55672 + - top of the task's userland stack
55673 + - base address for mmap() requests that do not specify one
55674 + (this includes all libraries)
55675 + - base address of the main executable
55677 + It is strongly recommended to say Y here as address space layout
55678 + randomization has negligible impact on performance yet it provides
55679 + a very effective protection.
55681 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
55682 + this feature on a per file basis.
55684 +config PAX_RANDKSTACK
55685 + bool "Randomize kernel stack base"
55686 + depends on PAX_ASLR && X86_TSC && X86_32
55688 + By saying Y here the kernel will randomize every task's kernel
55689 + stack on every system call. This will not only force an attacker
55690 + to guess it but also prevent him from making use of possible
55691 + leaked information about it.
55693 + Since the kernel stack is a rather scarce resource, randomization
55694 + may cause unexpected stack overflows, therefore you should very
55695 + carefully test your system. Note that once enabled in the kernel
55696 + configuration, this feature cannot be disabled on a per file basis.
55698 +config PAX_RANDUSTACK
55699 + bool "Randomize user stack base"
55700 + depends on PAX_ASLR
55702 + By saying Y here the kernel will randomize every task's userland
55703 + stack. The randomization is done in two steps where the second
55704 + one may apply a big amount of shift to the top of the stack and
55705 + cause problems for programs that want to use lots of memory (more
55706 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
55707 + For this reason the second step can be controlled by 'chpax' or
55708 + 'paxctl' on a per file basis.
55710 +config PAX_RANDMMAP
55711 + bool "Randomize mmap() base"
55712 + depends on PAX_ASLR
55714 + By saying Y here the kernel will use a randomized base address for
55715 + mmap() requests that do not specify one themselves. As a result
55716 + all dynamically loaded libraries will appear at random addresses
55717 + and therefore be harder to exploit by a technique where an attacker
55718 + attempts to execute library code for his purposes (e.g. spawn a
55719 + shell from an exploited program that is running at an elevated
55720 + privilege level).
55722 + Furthermore, if a program is relinked as a dynamic ELF file, its
55723 + base address will be randomized as well, completing the full
55724 + randomization of the address space layout. Attacking such programs
55725 + becomes a guess game. You can find an example of doing this at
55726 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
55727 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
55729 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
55730 + feature on a per file basis.
55734 +menu "Miscellaneous hardening features"
55736 +config PAX_MEMORY_SANITIZE
55737 + bool "Sanitize all freed memory"
55739 + By saying Y here the kernel will erase memory pages as soon as they
55740 + are freed. This in turn reduces the lifetime of data stored in the
55741 + pages, making it less likely that sensitive information such as
55742 + passwords, cryptographic secrets, etc stay in memory for too long.
55744 + This is especially useful for programs whose runtime is short, long
55745 + lived processes and the kernel itself benefit from this as long as
55746 + they operate on whole memory pages and ensure timely freeing of pages
55747 + that may hold sensitive information.
55749 + The tradeoff is performance impact, on a single CPU system kernel
55750 + compilation sees a 3% slowdown, other systems and workloads may vary
55751 + and you are advised to test this feature on your expected workload
55752 + before deploying it.
55754 + Note that this feature does not protect data stored in live pages,
55755 + e.g., process memory swapped to disk may stay there for a long time.
55757 +config PAX_MEMORY_UDEREF
55758 + bool "Prevent invalid userland pointer dereference"
55759 + depends on X86 && !UML_X86 && !XEN
55760 + select PAX_PER_CPU_PGD if X86_64
55762 + By saying Y here the kernel will be prevented from dereferencing
55763 + userland pointers in contexts where the kernel expects only kernel
55764 + pointers. This is both a useful runtime debugging feature and a
55765 + security measure that prevents exploiting a class of kernel bugs.
55767 + The tradeoff is that some virtualization solutions may experience
55768 + a huge slowdown and therefore you should not enable this feature
55769 + for kernels meant to run in such environments. Whether a given VM
55770 + solution is affected or not is best determined by simply trying it
55771 + out, the performance impact will be obvious right on boot as this
55772 + mechanism engages from very early on. A good rule of thumb is that
55773 + VMs running on CPUs without hardware virtualization support (i.e.,
55774 + the majority of IA-32 CPUs) will likely experience the slowdown.
55776 +config PAX_REFCOUNT
55777 + bool "Prevent various kernel object reference counter overflows"
55778 + depends on GRKERNSEC && (X86 || SPARC64)
55780 + By saying Y here the kernel will detect and prevent overflowing
55781 + various (but not all) kinds of object reference counters. Such
55782 + overflows can normally occur due to bugs only and are often, if
55783 + not always, exploitable.
55785 + The tradeoff is that data structures protected by an overflowed
55786 + refcount will never be freed and therefore will leak memory. Note
55787 + that this leak also happens even without this protection but in
55788 + that case the overflow can eventually trigger the freeing of the
55789 + data structure while it is still being used elsewhere, resulting
55790 + in the exploitable situation that this feature prevents.
55792 + Since this has a negligible performance impact, you should enable
55795 +config PAX_USERCOPY
55796 + bool "Bounds check heap object copies between kernel and userland"
55797 + depends on X86 || PPC || SPARC
55798 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
55800 + By saying Y here the kernel will enforce the size of heap objects
55801 + when they are copied in either direction between the kernel and
55802 + userland, even if only a part of the heap object is copied.
55804 + Specifically, this checking prevents information leaking from the
55805 + kernel heap during kernel to userland copies (if the kernel heap
55806 + object is otherwise fully initialized) and prevents kernel heap
55807 + overflows during userland to kernel copies.
55809 + Note that the current implementation provides the strictest checks
55810 + for the SLUB allocator.
55812 + If frame pointers are enabled on x86, this option will also
55813 + restrict copies into and out of the kernel stack to local variables
55814 + within a single frame.
55816 + Since this has a negligible performance impact, you should enable
55824 bool "Enable access key retention support"
55826 @@ -124,7 +623,7 @@ config INTEL_TXT
55827 config LSM_MMAP_MIN_ADDR
55828 int "Low address space for LSM to protect from user allocation"
55829 depends on SECURITY && SECURITY_SELINUX
55833 This is the portion of low virtual memory which should be protected
55834 from userspace allocation. Keeping a user from writing to low pages
55835 diff -urNp linux-2.6.35.4/security/min_addr.c linux-2.6.35.4/security/min_addr.c
55836 --- linux-2.6.35.4/security/min_addr.c 2010-08-26 19:47:12.000000000 -0400
55837 +++ linux-2.6.35.4/security/min_addr.c 2010-09-17 20:12:37.000000000 -0400
55838 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
55840 static void update_mmap_min_addr(void)
55843 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
55844 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
55845 mmap_min_addr = dac_mmap_min_addr;
55846 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
55848 mmap_min_addr = dac_mmap_min_addr;
55854 diff -urNp linux-2.6.35.4/security/security.c linux-2.6.35.4/security/security.c
55855 --- linux-2.6.35.4/security/security.c 2010-08-26 19:47:12.000000000 -0400
55856 +++ linux-2.6.35.4/security/security.c 2010-09-17 20:12:37.000000000 -0400
55857 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
55858 /* things that live in capability.c */
55859 extern void __init security_fixup_ops(struct security_operations *ops);
55861 -static struct security_operations *security_ops;
55862 -static struct security_operations default_security_ops = {
55863 +static struct security_operations *security_ops __read_only;
55864 +static struct security_operations default_security_ops __read_only = {
55868 @@ -67,7 +67,9 @@ int __init security_init(void)
55870 void reset_security_ops(void)
55872 + pax_open_kernel();
55873 security_ops = &default_security_ops;
55874 + pax_close_kernel();
55877 /* Save user chosen LSM */
55878 diff -urNp linux-2.6.35.4/security/selinux/hooks.c linux-2.6.35.4/security/selinux/hooks.c
55879 --- linux-2.6.35.4/security/selinux/hooks.c 2010-08-26 19:47:12.000000000 -0400
55880 +++ linux-2.6.35.4/security/selinux/hooks.c 2010-09-17 20:12:37.000000000 -0400
55882 #define NUM_SEL_MNT_OPTS 5
55884 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
55885 -extern struct security_operations *security_ops;
55887 /* SECMARK reference count */
55888 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
55889 @@ -5428,7 +5427,7 @@ static int selinux_key_getsecurity(struc
55893 -static struct security_operations selinux_ops = {
55894 +static struct security_operations selinux_ops __read_only = {
55897 .ptrace_access_check = selinux_ptrace_access_check,
55898 diff -urNp linux-2.6.35.4/security/smack/smack_lsm.c linux-2.6.35.4/security/smack/smack_lsm.c
55899 --- linux-2.6.35.4/security/smack/smack_lsm.c 2010-08-26 19:47:12.000000000 -0400
55900 +++ linux-2.6.35.4/security/smack/smack_lsm.c 2010-09-17 20:12:09.000000000 -0400
55901 @@ -3064,7 +3064,7 @@ static int smack_inode_getsecctx(struct
55905 -struct security_operations smack_ops = {
55906 +struct security_operations smack_ops __read_only = {
55909 .ptrace_access_check = smack_ptrace_access_check,
55910 diff -urNp linux-2.6.35.4/security/tomoyo/tomoyo.c linux-2.6.35.4/security/tomoyo/tomoyo.c
55911 --- linux-2.6.35.4/security/tomoyo/tomoyo.c 2010-08-26 19:47:12.000000000 -0400
55912 +++ linux-2.6.35.4/security/tomoyo/tomoyo.c 2010-09-17 20:12:09.000000000 -0400
55913 @@ -235,7 +235,7 @@ static int tomoyo_sb_pivotroot(struct pa
55914 * tomoyo_security_ops is a "struct security_operations" which is used for
55915 * registering TOMOYO.
55917 -static struct security_operations tomoyo_security_ops = {
55918 +static struct security_operations tomoyo_security_ops __read_only = {
55920 .cred_alloc_blank = tomoyo_cred_alloc_blank,
55921 .cred_prepare = tomoyo_cred_prepare,
55922 diff -urNp linux-2.6.35.4/sound/aoa/codecs/onyx.c linux-2.6.35.4/sound/aoa/codecs/onyx.c
55923 --- linux-2.6.35.4/sound/aoa/codecs/onyx.c 2010-08-26 19:47:12.000000000 -0400
55924 +++ linux-2.6.35.4/sound/aoa/codecs/onyx.c 2010-09-17 20:12:09.000000000 -0400
55925 @@ -54,7 +54,7 @@ struct onyx {
55930 + atomic_t open_count;
55931 struct codec_info *codec_info;
55933 /* mutex serializes concurrent access to the device
55934 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
55935 struct onyx *onyx = cii->codec_data;
55937 mutex_lock(&onyx->mutex);
55938 - onyx->open_count++;
55939 + atomic_inc(&onyx->open_count);
55940 mutex_unlock(&onyx->mutex);
55943 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
55944 struct onyx *onyx = cii->codec_data;
55946 mutex_lock(&onyx->mutex);
55947 - onyx->open_count--;
55948 - if (!onyx->open_count)
55949 + if (atomic_dec_and_test(&onyx->open_count))
55950 onyx->spdif_locked = onyx->analog_locked = 0;
55951 mutex_unlock(&onyx->mutex);
55953 diff -urNp linux-2.6.35.4/sound/core/oss/pcm_oss.c linux-2.6.35.4/sound/core/oss/pcm_oss.c
55954 --- linux-2.6.35.4/sound/core/oss/pcm_oss.c 2010-08-26 19:47:12.000000000 -0400
55955 +++ linux-2.6.35.4/sound/core/oss/pcm_oss.c 2010-09-17 20:12:09.000000000 -0400
55956 @@ -2966,8 +2966,8 @@ static void snd_pcm_oss_proc_done(struct
55959 #else /* !CONFIG_SND_VERBOSE_PROCFS */
55960 -#define snd_pcm_oss_proc_init(pcm)
55961 -#define snd_pcm_oss_proc_done(pcm)
55962 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
55963 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
55964 #endif /* CONFIG_SND_VERBOSE_PROCFS */
55967 diff -urNp linux-2.6.35.4/sound/core/seq/seq_lock.h linux-2.6.35.4/sound/core/seq/seq_lock.h
55968 --- linux-2.6.35.4/sound/core/seq/seq_lock.h 2010-08-26 19:47:12.000000000 -0400
55969 +++ linux-2.6.35.4/sound/core/seq/seq_lock.h 2010-09-17 20:12:09.000000000 -0400
55970 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
55971 #else /* SMP || CONFIG_SND_DEBUG */
55973 typedef spinlock_t snd_use_lock_t; /* dummy */
55974 -#define snd_use_lock_init(lockp) /**/
55975 -#define snd_use_lock_use(lockp) /**/
55976 -#define snd_use_lock_free(lockp) /**/
55977 -#define snd_use_lock_sync(lockp) /**/
55978 +#define snd_use_lock_init(lockp) do {} while (0)
55979 +#define snd_use_lock_use(lockp) do {} while (0)
55980 +#define snd_use_lock_free(lockp) do {} while (0)
55981 +#define snd_use_lock_sync(lockp) do {} while (0)
55983 #endif /* SMP || CONFIG_SND_DEBUG */
55985 diff -urNp linux-2.6.35.4/sound/drivers/mts64.c linux-2.6.35.4/sound/drivers/mts64.c
55986 --- linux-2.6.35.4/sound/drivers/mts64.c 2010-08-26 19:47:12.000000000 -0400
55987 +++ linux-2.6.35.4/sound/drivers/mts64.c 2010-09-17 20:12:09.000000000 -0400
55988 @@ -66,7 +66,7 @@ struct mts64 {
55989 struct pardevice *pardev;
55990 int pardev_claimed;
55993 + atomic_t open_count;
55994 int current_midi_output_port;
55995 int current_midi_input_port;
55996 u8 mode[MTS64_NUM_INPUT_PORTS];
55997 @@ -696,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
55999 struct mts64 *mts = substream->rmidi->private_data;
56001 - if (mts->open_count == 0) {
56002 + if (atomic_read(&mts->open_count) == 0) {
56003 /* We don't need a spinlock here, because this is just called
56004 if the device has not been opened before.
56005 So there aren't any IRQs from the device */
56006 @@ -704,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
56010 - ++(mts->open_count);
56011 + atomic_inc(&mts->open_count);
56015 @@ -714,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
56016 struct mts64 *mts = substream->rmidi->private_data;
56017 unsigned long flags;
56019 - --(mts->open_count);
56020 - if (mts->open_count == 0) {
56021 + if (atomic_dec_return(&mts->open_count) == 0) {
56022 /* We need the spinlock_irqsave here because we can still
56023 have IRQs at this point */
56024 spin_lock_irqsave(&mts->lock, flags);
56025 @@ -724,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
56029 - } else if (mts->open_count < 0)
56030 - mts->open_count = 0;
56031 + } else if (atomic_read(&mts->open_count) < 0)
56032 + atomic_set(&mts->open_count, 0);
56036 diff -urNp linux-2.6.35.4/sound/drivers/portman2x4.c linux-2.6.35.4/sound/drivers/portman2x4.c
56037 --- linux-2.6.35.4/sound/drivers/portman2x4.c 2010-08-26 19:47:12.000000000 -0400
56038 +++ linux-2.6.35.4/sound/drivers/portman2x4.c 2010-09-17 20:12:09.000000000 -0400
56039 @@ -84,7 +84,7 @@ struct portman {
56040 struct pardevice *pardev;
56041 int pardev_claimed;
56044 + atomic_t open_count;
56045 int mode[PORTMAN_NUM_INPUT_PORTS];
56046 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
56048 diff -urNp linux-2.6.35.4/sound/oss/sb_audio.c linux-2.6.35.4/sound/oss/sb_audio.c
56049 --- linux-2.6.35.4/sound/oss/sb_audio.c 2010-08-26 19:47:12.000000000 -0400
56050 +++ linux-2.6.35.4/sound/oss/sb_audio.c 2010-09-17 20:12:09.000000000 -0400
56051 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
56052 buf16 = (signed short *)(localbuf + localoffs);
56055 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
56056 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
56057 if (copy_from_user(lbuf8,
56058 userbuf+useroffs + p,
56060 diff -urNp linux-2.6.35.4/sound/pci/ac97/ac97_codec.c linux-2.6.35.4/sound/pci/ac97/ac97_codec.c
56061 --- linux-2.6.35.4/sound/pci/ac97/ac97_codec.c 2010-08-26 19:47:12.000000000 -0400
56062 +++ linux-2.6.35.4/sound/pci/ac97/ac97_codec.c 2010-09-17 20:12:09.000000000 -0400
56063 @@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
56066 /* build_ops to do nothing */
56067 -static struct snd_ac97_build_ops null_build_ops;
56068 +static const struct snd_ac97_build_ops null_build_ops;
56070 #ifdef CONFIG_SND_AC97_POWER_SAVE
56071 static void do_update_power(struct work_struct *work)
56072 diff -urNp linux-2.6.35.4/sound/pci/ac97/ac97_patch.c linux-2.6.35.4/sound/pci/ac97/ac97_patch.c
56073 --- linux-2.6.35.4/sound/pci/ac97/ac97_patch.c 2010-08-26 19:47:12.000000000 -0400
56074 +++ linux-2.6.35.4/sound/pci/ac97/ac97_patch.c 2010-09-17 20:12:09.000000000 -0400
56075 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
56079 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
56080 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
56081 .build_spdif = patch_yamaha_ymf743_build_spdif,
56082 .build_3d = patch_yamaha_ymf7x3_3d,
56084 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
56088 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
56089 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
56090 .build_3d = patch_yamaha_ymf7x3_3d,
56091 .build_post_spdif = patch_yamaha_ymf753_post_spdif
56093 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
56097 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
56098 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
56099 .build_specific = patch_wolfson_wm9703_specific,
56102 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
56106 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
56107 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
56108 .build_specific = patch_wolfson_wm9704_specific,
56111 @@ -677,7 +677,7 @@ static int patch_wolfson_wm9711_specific
56115 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
56116 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
56117 .build_specific = patch_wolfson_wm9711_specific,
56120 @@ -871,7 +871,7 @@ static void patch_wolfson_wm9713_resume
56124 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
56125 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
56126 .build_specific = patch_wolfson_wm9713_specific,
56127 .build_3d = patch_wolfson_wm9713_3d,
56129 @@ -976,7 +976,7 @@ static int patch_sigmatel_stac97xx_speci
56133 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
56134 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
56135 .build_3d = patch_sigmatel_stac9700_3d,
56136 .build_specific = patch_sigmatel_stac97xx_specific
56138 @@ -1023,7 +1023,7 @@ static int patch_sigmatel_stac9708_speci
56139 return patch_sigmatel_stac97xx_specific(ac97);
56142 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
56143 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
56144 .build_3d = patch_sigmatel_stac9708_3d,
56145 .build_specific = patch_sigmatel_stac9708_specific
56147 @@ -1252,7 +1252,7 @@ static int patch_sigmatel_stac9758_speci
56151 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
56152 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
56153 .build_3d = patch_sigmatel_stac9700_3d,
56154 .build_specific = patch_sigmatel_stac9758_specific
56156 @@ -1327,7 +1327,7 @@ static int patch_cirrus_build_spdif(stru
56160 -static struct snd_ac97_build_ops patch_cirrus_ops = {
56161 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
56162 .build_spdif = patch_cirrus_build_spdif
56165 @@ -1384,7 +1384,7 @@ static int patch_conexant_build_spdif(st
56169 -static struct snd_ac97_build_ops patch_conexant_ops = {
56170 +static const struct snd_ac97_build_ops patch_conexant_ops = {
56171 .build_spdif = patch_conexant_build_spdif
56174 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
56175 { AC97_VIDEO, 0x9f1f },
56176 { AC97_AUX, 0x9f1f },
56177 { AC97_PCM, 0x9f1f },
56178 - { } /* terminator */
56179 + { 0, 0 } /* terminator */
56182 static int patch_ad1819(struct snd_ac97 * ac97)
56183 @@ -1560,7 +1560,7 @@ static void patch_ad1881_chained(struct
56187 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
56188 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
56190 .resume = ad18xx_resume
56192 @@ -1647,7 +1647,7 @@ static int patch_ad1885_specific(struct
56196 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
56197 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
56198 .build_specific = &patch_ad1885_specific,
56200 .resume = ad18xx_resume
56201 @@ -1674,7 +1674,7 @@ static int patch_ad1886_specific(struct
56205 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
56206 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
56207 .build_specific = &patch_ad1886_specific,
56209 .resume = ad18xx_resume
56210 @@ -1881,7 +1881,7 @@ static int patch_ad1981a_specific(struct
56211 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
56214 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
56215 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
56216 .build_post_spdif = patch_ad198x_post_spdif,
56217 .build_specific = patch_ad1981a_specific,
56219 @@ -1936,7 +1936,7 @@ static int patch_ad1981b_specific(struct
56220 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
56223 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
56224 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
56225 .build_post_spdif = patch_ad198x_post_spdif,
56226 .build_specific = patch_ad1981b_specific,
56228 @@ -2075,7 +2075,7 @@ static int patch_ad1888_specific(struct
56229 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
56232 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
56233 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
56234 .build_post_spdif = patch_ad198x_post_spdif,
56235 .build_specific = patch_ad1888_specific,
56237 @@ -2124,7 +2124,7 @@ static int patch_ad1980_specific(struct
56238 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
56241 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
56242 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
56243 .build_post_spdif = patch_ad198x_post_spdif,
56244 .build_specific = patch_ad1980_specific,
56246 @@ -2239,7 +2239,7 @@ static int patch_ad1985_specific(struct
56247 ARRAY_SIZE(snd_ac97_ad1985_controls));
56250 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
56251 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
56252 .build_post_spdif = patch_ad198x_post_spdif,
56253 .build_specific = patch_ad1985_specific,
56255 @@ -2531,7 +2531,7 @@ static int patch_ad1986_specific(struct
56256 ARRAY_SIZE(snd_ac97_ad1985_controls));
56259 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
56260 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
56261 .build_post_spdif = patch_ad198x_post_spdif,
56262 .build_specific = patch_ad1986_specific,
56264 @@ -2636,7 +2636,7 @@ static int patch_alc650_specific(struct
56268 -static struct snd_ac97_build_ops patch_alc650_ops = {
56269 +static const struct snd_ac97_build_ops patch_alc650_ops = {
56270 .build_specific = patch_alc650_specific,
56271 .update_jacks = alc650_update_jacks
56273 @@ -2788,7 +2788,7 @@ static int patch_alc655_specific(struct
56277 -static struct snd_ac97_build_ops patch_alc655_ops = {
56278 +static const struct snd_ac97_build_ops patch_alc655_ops = {
56279 .build_specific = patch_alc655_specific,
56280 .update_jacks = alc655_update_jacks
56282 @@ -2900,7 +2900,7 @@ static int patch_alc850_specific(struct
56286 -static struct snd_ac97_build_ops patch_alc850_ops = {
56287 +static const struct snd_ac97_build_ops patch_alc850_ops = {
56288 .build_specific = patch_alc850_specific,
56289 .update_jacks = alc850_update_jacks
56291 @@ -2962,7 +2962,7 @@ static int patch_cm9738_specific(struct
56292 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
56295 -static struct snd_ac97_build_ops patch_cm9738_ops = {
56296 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
56297 .build_specific = patch_cm9738_specific,
56298 .update_jacks = cm9738_update_jacks
56300 @@ -3053,7 +3053,7 @@ static int patch_cm9739_post_spdif(struc
56301 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
56304 -static struct snd_ac97_build_ops patch_cm9739_ops = {
56305 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
56306 .build_specific = patch_cm9739_specific,
56307 .build_post_spdif = patch_cm9739_post_spdif,
56308 .update_jacks = cm9739_update_jacks
56309 @@ -3227,7 +3227,7 @@ static int patch_cm9761_specific(struct
56310 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
56313 -static struct snd_ac97_build_ops patch_cm9761_ops = {
56314 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
56315 .build_specific = patch_cm9761_specific,
56316 .build_post_spdif = patch_cm9761_post_spdif,
56317 .update_jacks = cm9761_update_jacks
56318 @@ -3323,7 +3323,7 @@ static int patch_cm9780_specific(struct
56319 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
56322 -static struct snd_ac97_build_ops patch_cm9780_ops = {
56323 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
56324 .build_specific = patch_cm9780_specific,
56325 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
56327 @@ -3443,7 +3443,7 @@ static int patch_vt1616_specific(struct
56331 -static struct snd_ac97_build_ops patch_vt1616_ops = {
56332 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
56333 .build_specific = patch_vt1616_specific
56336 @@ -3797,7 +3797,7 @@ static int patch_it2646_specific(struct
56340 -static struct snd_ac97_build_ops patch_it2646_ops = {
56341 +static const struct snd_ac97_build_ops patch_it2646_ops = {
56342 .build_specific = patch_it2646_specific,
56343 .update_jacks = it2646_update_jacks
56345 @@ -3831,7 +3831,7 @@ static int patch_si3036_specific(struct
56349 -static struct snd_ac97_build_ops patch_si3036_ops = {
56350 +static const struct snd_ac97_build_ops patch_si3036_ops = {
56351 .build_specific = patch_si3036_specific,
56354 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
56355 { AC97_AUX, 0x1f1f },
56356 { AC97_PCM, 0x1f1f },
56357 { AC97_REC_GAIN, 0x0f0f },
56358 - { } /* terminator */
56359 + { 0, 0 } /* terminator */
56362 static int patch_lm4550(struct snd_ac97 *ac97)
56363 @@ -3898,7 +3898,7 @@ static int patch_ucb1400_specific(struct
56367 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
56368 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
56369 .build_specific = patch_ucb1400_specific,
56372 diff -urNp linux-2.6.35.4/sound/pci/ens1370.c linux-2.6.35.4/sound/pci/ens1370.c
56373 --- linux-2.6.35.4/sound/pci/ens1370.c 2010-08-26 19:47:12.000000000 -0400
56374 +++ linux-2.6.35.4/sound/pci/ens1370.c 2010-09-17 20:12:09.000000000 -0400
56375 @@ -452,7 +452,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
56376 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
56377 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
56380 + { 0, 0, 0, 0, 0, 0, 0 }
56383 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
56384 diff -urNp linux-2.6.35.4/sound/pci/hda/patch_hdmi.c linux-2.6.35.4/sound/pci/hda/patch_hdmi.c
56385 --- linux-2.6.35.4/sound/pci/hda/patch_hdmi.c 2010-08-26 19:47:12.000000000 -0400
56386 +++ linux-2.6.35.4/sound/pci/hda/patch_hdmi.c 2010-09-17 20:12:09.000000000 -0400
56387 @@ -670,10 +670,10 @@ static void hdmi_non_intrinsic_event(str
56402 diff -urNp linux-2.6.35.4/sound/pci/intel8x0.c linux-2.6.35.4/sound/pci/intel8x0.c
56403 --- linux-2.6.35.4/sound/pci/intel8x0.c 2010-08-26 19:47:12.000000000 -0400
56404 +++ linux-2.6.35.4/sound/pci/intel8x0.c 2010-09-17 20:12:09.000000000 -0400
56405 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
56406 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
56407 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
56408 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
56410 + { 0, 0, 0, 0, 0, 0, 0 }
56413 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
56414 @@ -2135,7 +2135,7 @@ static struct ac97_quirk ac97_quirks[] _
56415 .type = AC97_TUNE_HP_ONLY
56418 - { } /* terminator */
56419 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
56422 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
56423 diff -urNp linux-2.6.35.4/sound/pci/intel8x0m.c linux-2.6.35.4/sound/pci/intel8x0m.c
56424 --- linux-2.6.35.4/sound/pci/intel8x0m.c 2010-08-26 19:47:12.000000000 -0400
56425 +++ linux-2.6.35.4/sound/pci/intel8x0m.c 2010-09-17 20:12:09.000000000 -0400
56426 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
56427 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
56428 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
56431 + { 0, 0, 0, 0, 0, 0, 0 }
56434 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
56435 @@ -1264,7 +1264,7 @@ static struct shortname_table {
56436 { 0x5455, "ALi M5455" },
56437 { 0x746d, "AMD AMD8111" },
56443 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
56444 diff -urNp linux-2.6.35.4/usr/gen_init_cpio.c linux-2.6.35.4/usr/gen_init_cpio.c
56445 --- linux-2.6.35.4/usr/gen_init_cpio.c 2010-08-26 19:47:12.000000000 -0400
56446 +++ linux-2.6.35.4/usr/gen_init_cpio.c 2010-09-17 20:12:09.000000000 -0400
56447 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
56456 @@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
56457 *env_var = *expanded = '\0';
56458 strncat(env_var, start + 2, end - start - 2);
56459 strncat(expanded, new_location, start - new_location);
56460 - strncat(expanded, getenv(env_var), PATH_MAX);
56461 - strncat(expanded, end + 1, PATH_MAX);
56462 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
56463 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
56464 strncpy(new_location, expanded, PATH_MAX);
56465 + new_location[PATH_MAX] = 0;
56469 diff -urNp linux-2.6.35.4/virt/kvm/kvm_main.c linux-2.6.35.4/virt/kvm/kvm_main.c
56470 --- linux-2.6.35.4/virt/kvm/kvm_main.c 2010-08-26 19:47:12.000000000 -0400
56471 +++ linux-2.6.35.4/virt/kvm/kvm_main.c 2010-09-17 20:12:09.000000000 -0400
56472 @@ -1284,6 +1284,7 @@ static int kvm_vcpu_release(struct inode
56476 +/* cannot be const */
56477 static struct file_operations kvm_vcpu_fops = {
56478 .release = kvm_vcpu_release,
56479 .unlocked_ioctl = kvm_vcpu_ioctl,
56480 @@ -1738,6 +1739,7 @@ static int kvm_vm_mmap(struct file *file
56484 +/* cannot be const */
56485 static struct file_operations kvm_vm_fops = {
56486 .release = kvm_vm_release,
56487 .unlocked_ioctl = kvm_vm_ioctl,
56488 @@ -1835,6 +1837,7 @@ out:
56492 +/* cannot be const */
56493 static struct file_operations kvm_chardev_ops = {
56494 .unlocked_ioctl = kvm_dev_ioctl,
56495 .compat_ioctl = kvm_dev_ioctl,
56496 @@ -1844,6 +1847,9 @@ static struct miscdevice kvm_dev = {
56505 static void hardware_enable(void *junk)
56506 @@ -2178,7 +2184,7 @@ static void kvm_sched_out(struct preempt
56507 kvm_arch_vcpu_put(vcpu);
56510 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
56511 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
56512 struct module *module)