1 diff -urNp linux-2.6.35.5/arch/alpha/include/asm/dma-mapping.h linux-2.6.35.5/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.35.5/arch/alpha/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3 +++ linux-2.6.35.5/arch/alpha/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
6 #include <linux/dma-attrs.h>
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
16 diff -urNp linux-2.6.35.5/arch/alpha/include/asm/elf.h linux-2.6.35.5/arch/alpha/include/asm/elf.h
17 --- linux-2.6.35.5/arch/alpha/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
18 +++ linux-2.6.35.5/arch/alpha/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.35.5/arch/alpha/include/asm/pgtable.h linux-2.6.35.5/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.35.5/arch/alpha/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
35 +++ linux-2.6.35.5/arch/alpha/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.35.5/arch/alpha/kernel/module.c linux-2.6.35.5/arch/alpha/kernel/module.c
55 --- linux-2.6.35.5/arch/alpha/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
56 +++ linux-2.6.35.5/arch/alpha/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
65 for (i = 0; i < n; i++) {
66 diff -urNp linux-2.6.35.5/arch/alpha/kernel/osf_sys.c linux-2.6.35.5/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.35.5/arch/alpha/kernel/osf_sys.c 2010-08-26 19:47:12.000000000 -0400
68 +++ linux-2.6.35.5/arch/alpha/kernel/osf_sys.c 2010-09-17 20:12:09.000000000 -0400
69 @@ -1170,7 +1170,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
73 - if (!vma || addr + len <= vma->vm_start)
74 + if (check_heap_stack_gap(vma, addr, len))
78 @@ -1206,6 +1206,10 @@ arch_get_unmapped_area(struct file *filp
79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
82 +#ifdef CONFIG_PAX_RANDMMAP
83 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
89 @@ -1213,8 +1217,8 @@ arch_get_unmapped_area(struct file *filp
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
95 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
97 if (addr != (unsigned long) -ENOMEM)
100 diff -urNp linux-2.6.35.5/arch/alpha/kernel/pci_iommu.c linux-2.6.35.5/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.35.5/arch/alpha/kernel/pci_iommu.c 2010-08-26 19:47:12.000000000 -0400
102 +++ linux-2.6.35.5/arch/alpha/kernel/pci_iommu.c 2010-09-17 20:12:09.000000000 -0400
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.35.5/arch/alpha/kernel/pci-noop.c linux-2.6.35.5/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.35.5/arch/alpha/kernel/pci-noop.c 2010-08-26 19:47:12.000000000 -0400
121 +++ linux-2.6.35.5/arch/alpha/kernel/pci-noop.c 2010-09-17 20:12:09.000000000 -0400
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.35.5/arch/alpha/mm/fault.c linux-2.6.35.5/arch/alpha/mm/fault.c
141 --- linux-2.6.35.5/arch/alpha/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
142 +++ linux-2.6.35.5/arch/alpha/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
147 +#ifdef CONFIG_PAX_PAGEEXEC
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
158 +#ifdef CONFIG_PAX_EMUPLT
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
214 + do { /* PaX: unpatched PLT emulation */
217 + err = get_user(br, (unsigned int *)regs->pc);
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
250 +void pax_report_insns(void *pc, void *sp)
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
260 + printk(KERN_CONT "%08x ", c);
267 * This routine handles page faults. It determines the address,
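Review bot: In "patched PLT emulation #2" the second word is named `lda` and is emulated as an add into `regs->r27`, yet it is matched with `(lda & 0xFFFF0000U) == 0xA77B0000U`, the same pattern emulation #1 uses for `ldq`. If the trampoline really contains `lda $27,disp($27)`, the pattern would presumably be `0x237B0000U` (LDA is opcode 0x08), so as written the branch may never match an ldah/lda/br sequence, or may match an ldq and emulate it as an add; this needs confirming against the linker's actual PLT output. Either way, a short comment above each mask naming the instruction it encodes, e.g. `/* ldah $27,hi($27) */`, would make these checks reviewable. Several lines of pax_handle_fetch_fault are missing from this listing, so this rests on the visible conditions only.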
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
270 si_code = SEGV_ACCERR;
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
282 +#ifdef CONFIG_PAX_EMUPLT
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
299 diff -urNp linux-2.6.35.5/arch/arm/include/asm/elf.h linux-2.6.35.5/arch/arm/include/asm/elf.h
300 --- linux-2.6.35.5/arch/arm/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
301 +++ linux-2.6.35.5/arch/arm/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
302 @@ -111,7 +111,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
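Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` compare the whole personality word with `== PER_LINUX_32BIT`, so a 32-bit task whose personality also carries flag bits would, as far as the visible macros show, take the 10-bit branch and get less randomization than intended. The alpha hunk in this patch tests the bit instead (`current->personality & ADDR_LIMIT_32BIT`); the equivalent here would be `((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)`. The ia64 elf.h hunk uses the same whole-word comparison (`== PER_LINUX32`) and deserves the same check. Separately, the reordering to `(TASK_SIZE / 3 * 2)` carries no comment; `/* divide first so 2 * TASK_SIZE cannot overflow */` would record the reason, if that is the intent.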
318 diff -urNp linux-2.6.35.5/arch/arm/include/asm/kmap_types.h linux-2.6.35.5/arch/arm/include/asm/kmap_types.h
319 --- linux-2.6.35.5/arch/arm/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
320 +++ linux-2.6.35.5/arch/arm/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
321 @@ -21,6 +21,7 @@ enum km_type {
329 diff -urNp linux-2.6.35.5/arch/arm/include/asm/uaccess.h linux-2.6.35.5/arch/arm/include/asm/uaccess.h
330 --- linux-2.6.35.5/arch/arm/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
331 +++ linux-2.6.35.5/arch/arm/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
332 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
334 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
339 if (access_ok(VERIFY_READ, from, n))
340 n = __copy_from_user(to, from, n);
341 else /* security hole - plug it */
342 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
344 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
349 if (access_ok(VERIFY_WRITE, to, n))
350 n = __copy_to_user(to, from, n);
352 diff -urNp linux-2.6.35.5/arch/arm/kernel/kgdb.c linux-2.6.35.5/arch/arm/kernel/kgdb.c
353 --- linux-2.6.35.5/arch/arm/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
354 +++ linux-2.6.35.5/arch/arm/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
355 @@ -208,7 +208,7 @@ void kgdb_arch_exit(void)
356 * and we handle the normal undef case within the do_undefinstr
359 -struct kgdb_arch arch_kgdb_ops = {
360 +const struct kgdb_arch arch_kgdb_ops = {
362 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
363 #else /* ! __ARMEB__ */
364 diff -urNp linux-2.6.35.5/arch/arm/mach-at91/pm.c linux-2.6.35.5/arch/arm/mach-at91/pm.c
365 --- linux-2.6.35.5/arch/arm/mach-at91/pm.c 2010-08-26 19:47:12.000000000 -0400
366 +++ linux-2.6.35.5/arch/arm/mach-at91/pm.c 2010-09-17 20:12:09.000000000 -0400
367 @@ -294,7 +294,7 @@ static void at91_pm_end(void)
371 -static struct platform_suspend_ops at91_pm_ops ={
372 +static const struct platform_suspend_ops at91_pm_ops ={
373 .valid = at91_pm_valid_state,
374 .begin = at91_pm_begin,
375 .enter = at91_pm_enter,
376 diff -urNp linux-2.6.35.5/arch/arm/mach-davinci/pm.c linux-2.6.35.5/arch/arm/mach-davinci/pm.c
377 --- linux-2.6.35.5/arch/arm/mach-davinci/pm.c 2010-08-26 19:47:12.000000000 -0400
378 +++ linux-2.6.35.5/arch/arm/mach-davinci/pm.c 2010-09-17 20:12:09.000000000 -0400
379 @@ -110,7 +110,7 @@ static int davinci_pm_enter(suspend_stat
383 -static struct platform_suspend_ops davinci_pm_ops = {
384 +static const struct platform_suspend_ops davinci_pm_ops = {
385 .enter = davinci_pm_enter,
386 .valid = suspend_valid_only_mem,
388 diff -urNp linux-2.6.35.5/arch/arm/mach-msm/last_radio_log.c linux-2.6.35.5/arch/arm/mach-msm/last_radio_log.c
389 --- linux-2.6.35.5/arch/arm/mach-msm/last_radio_log.c 2010-08-26 19:47:12.000000000 -0400
390 +++ linux-2.6.35.5/arch/arm/mach-msm/last_radio_log.c 2010-09-17 20:12:09.000000000 -0400
391 @@ -47,6 +47,7 @@ static ssize_t last_radio_log_read(struc
395 +/* cannot be const, see msm_init_last_radio_log */
396 static struct file_operations last_radio_log_fops = {
397 .read = last_radio_log_read
399 diff -urNp linux-2.6.35.5/arch/arm/mach-omap1/pm.c linux-2.6.35.5/arch/arm/mach-omap1/pm.c
400 --- linux-2.6.35.5/arch/arm/mach-omap1/pm.c 2010-08-26 19:47:12.000000000 -0400
401 +++ linux-2.6.35.5/arch/arm/mach-omap1/pm.c 2010-09-17 20:12:09.000000000 -0400
402 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
406 -static struct platform_suspend_ops omap_pm_ops ={
407 +static const struct platform_suspend_ops omap_pm_ops ={
408 .prepare = omap_pm_prepare,
409 .enter = omap_pm_enter,
410 .finish = omap_pm_finish,
411 diff -urNp linux-2.6.35.5/arch/arm/mach-omap2/pm24xx.c linux-2.6.35.5/arch/arm/mach-omap2/pm24xx.c
412 --- linux-2.6.35.5/arch/arm/mach-omap2/pm24xx.c 2010-08-26 19:47:12.000000000 -0400
413 +++ linux-2.6.35.5/arch/arm/mach-omap2/pm24xx.c 2010-09-17 20:12:09.000000000 -0400
414 @@ -325,7 +325,7 @@ static void omap2_pm_finish(void)
418 -static struct platform_suspend_ops omap_pm_ops = {
419 +static const struct platform_suspend_ops omap_pm_ops = {
420 .prepare = omap2_pm_prepare,
421 .enter = omap2_pm_enter,
422 .finish = omap2_pm_finish,
423 diff -urNp linux-2.6.35.5/arch/arm/mach-omap2/pm34xx.c linux-2.6.35.5/arch/arm/mach-omap2/pm34xx.c
424 --- linux-2.6.35.5/arch/arm/mach-omap2/pm34xx.c 2010-08-26 19:47:12.000000000 -0400
425 +++ linux-2.6.35.5/arch/arm/mach-omap2/pm34xx.c 2010-09-17 20:12:09.000000000 -0400
426 @@ -669,7 +669,7 @@ static void omap3_pm_end(void)
430 -static struct platform_suspend_ops omap_pm_ops = {
431 +static const struct platform_suspend_ops omap_pm_ops = {
432 .begin = omap3_pm_begin,
434 .prepare = omap3_pm_prepare,
435 diff -urNp linux-2.6.35.5/arch/arm/mach-pnx4008/pm.c linux-2.6.35.5/arch/arm/mach-pnx4008/pm.c
436 --- linux-2.6.35.5/arch/arm/mach-pnx4008/pm.c 2010-08-26 19:47:12.000000000 -0400
437 +++ linux-2.6.35.5/arch/arm/mach-pnx4008/pm.c 2010-09-17 20:12:09.000000000 -0400
438 @@ -119,7 +119,7 @@ static int pnx4008_pm_valid(suspend_stat
439 (state == PM_SUSPEND_MEM);
442 -static struct platform_suspend_ops pnx4008_pm_ops = {
443 +static const struct platform_suspend_ops pnx4008_pm_ops = {
444 .enter = pnx4008_pm_enter,
445 .valid = pnx4008_pm_valid,
447 diff -urNp linux-2.6.35.5/arch/arm/mach-pxa/pm.c linux-2.6.35.5/arch/arm/mach-pxa/pm.c
448 --- linux-2.6.35.5/arch/arm/mach-pxa/pm.c 2010-08-26 19:47:12.000000000 -0400
449 +++ linux-2.6.35.5/arch/arm/mach-pxa/pm.c 2010-09-17 20:12:09.000000000 -0400
450 @@ -96,7 +96,7 @@ void pxa_pm_finish(void)
451 pxa_cpu_pm_fns->finish();
454 -static struct platform_suspend_ops pxa_pm_ops = {
455 +static const struct platform_suspend_ops pxa_pm_ops = {
456 .valid = pxa_pm_valid,
457 .enter = pxa_pm_enter,
458 .prepare = pxa_pm_prepare,
459 diff -urNp linux-2.6.35.5/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.35.5/arch/arm/mach-pxa/sharpsl_pm.c
460 --- linux-2.6.35.5/arch/arm/mach-pxa/sharpsl_pm.c 2010-08-26 19:47:12.000000000 -0400
461 +++ linux-2.6.35.5/arch/arm/mach-pxa/sharpsl_pm.c 2010-09-17 20:12:09.000000000 -0400
462 @@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
466 -static struct platform_suspend_ops sharpsl_pm_ops = {
467 +static const struct platform_suspend_ops sharpsl_pm_ops = {
468 .prepare = pxa_pm_prepare,
469 .finish = pxa_pm_finish,
470 .enter = corgi_pxa_pm_enter,
471 diff -urNp linux-2.6.35.5/arch/arm/mach-sa1100/pm.c linux-2.6.35.5/arch/arm/mach-sa1100/pm.c
472 --- linux-2.6.35.5/arch/arm/mach-sa1100/pm.c 2010-08-26 19:47:12.000000000 -0400
473 +++ linux-2.6.35.5/arch/arm/mach-sa1100/pm.c 2010-09-17 20:12:09.000000000 -0400
474 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
475 return virt_to_phys(sp);
478 -static struct platform_suspend_ops sa11x0_pm_ops = {
479 +static const struct platform_suspend_ops sa11x0_pm_ops = {
480 .enter = sa11x0_pm_enter,
481 .valid = suspend_valid_only_mem,
483 diff -urNp linux-2.6.35.5/arch/arm/mm/fault.c linux-2.6.35.5/arch/arm/mm/fault.c
484 --- linux-2.6.35.5/arch/arm/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
485 +++ linux-2.6.35.5/arch/arm/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
486 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
490 +#ifdef CONFIG_PAX_PAGEEXEC
491 + if (fsr & FSR_LNX_PF) {
492 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
493 + do_group_exit(SIGKILL);
497 tsk->thread.address = addr;
498 tsk->thread.error_code = fsr;
499 tsk->thread.trap_no = 14;
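Review bot: The added block in __do_user_fault kills the whole thread group on any `fsr & FSR_LNX_PF` fault whenever CONFIG_PAX_PAGEEXEC is built in, without testing the per-process flag; the alpha and avr32 hunks of this patch both gate the same path on `mm->pax_flags & MF_PAX_PAGEEXEC`. Unless that flag is checked inside pax_report_fault (not visible here), a task with PAGEEXEC disabled would get SIGKILL instead of the normal SIGSEGV delivery that follows. A guard such as `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {` would match the other architectures. The function body starts and ends outside the hunk.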
500 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
502 #endif /* CONFIG_MMU */
504 +#ifdef CONFIG_PAX_PAGEEXEC
505 +void pax_report_insns(void *pc, void *sp)
509 + printk(KERN_ERR "PAX: bytes at PC: ");
510 + for (i = 0; i < 20; i++) {
512 + if (get_user(c, (__force unsigned char __user *)pc+i))
513 + printk(KERN_CONT "?? ");
515 + printk(KERN_CONT "%02x ", c);
519 + printk(KERN_ERR "PAX: bytes at SP-4: ");
520 + for (i = -1; i < 20; i++) {
522 + if (get_user(c, (__force unsigned long __user *)sp+i))
523 + printk(KERN_CONT "???????? ");
525 + printk(KERN_CONT "%08lx ", c);
532 * First Level Translation Fault Handler
534 diff -urNp linux-2.6.35.5/arch/arm/mm/mmap.c linux-2.6.35.5/arch/arm/mm/mmap.c
535 --- linux-2.6.35.5/arch/arm/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
536 +++ linux-2.6.35.5/arch/arm/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
537 @@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
541 +#ifdef CONFIG_PAX_RANDMMAP
542 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
547 addr = COLOUR_ALIGN(addr, pgoff);
548 @@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
549 addr = PAGE_ALIGN(addr);
551 vma = find_vma(mm, addr);
552 - if (TASK_SIZE - len >= addr &&
553 - (!vma || addr + len <= vma->vm_start))
554 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
557 if (len > mm->cached_hole_size) {
558 - start_addr = addr = mm->free_area_cache;
559 + start_addr = addr = mm->free_area_cache;
561 - start_addr = addr = TASK_UNMAPPED_BASE;
562 - mm->cached_hole_size = 0;
563 + start_addr = addr = mm->mmap_base;
564 + mm->cached_hole_size = 0;
568 @@ -94,14 +97,14 @@ full_search:
569 * Start a new search - just in case we missed
572 - if (start_addr != TASK_UNMAPPED_BASE) {
573 - start_addr = addr = TASK_UNMAPPED_BASE;
574 + if (start_addr != mm->mmap_base) {
575 + start_addr = addr = mm->mmap_base;
576 mm->cached_hole_size = 0;
581 - if (!vma || addr + len <= vma->vm_start) {
582 + if (check_heap_stack_gap(vma, addr, len)) {
584 * Remember the place where we stopped the search:
586 diff -urNp linux-2.6.35.5/arch/arm/plat-samsung/pm.c linux-2.6.35.5/arch/arm/plat-samsung/pm.c
587 --- linux-2.6.35.5/arch/arm/plat-samsung/pm.c 2010-08-26 19:47:12.000000000 -0400
588 +++ linux-2.6.35.5/arch/arm/plat-samsung/pm.c 2010-09-17 20:12:09.000000000 -0400
589 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
590 s3c_pm_check_cleanup();
593 -static struct platform_suspend_ops s3c_pm_ops = {
594 +static const struct platform_suspend_ops s3c_pm_ops = {
595 .enter = s3c_pm_enter,
596 .prepare = s3c_pm_prepare,
597 .finish = s3c_pm_finish,
598 diff -urNp linux-2.6.35.5/arch/avr32/include/asm/elf.h linux-2.6.35.5/arch/avr32/include/asm/elf.h
599 --- linux-2.6.35.5/arch/avr32/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
600 +++ linux-2.6.35.5/arch/avr32/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
601 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
602 the loader. We need to make sure that it is out of the way of the program
603 that it will "exec", and that there is sufficient room for the brk. */
605 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
606 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
608 +#ifdef CONFIG_PAX_ASLR
609 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
611 +#define PAX_DELTA_MMAP_LEN 15
612 +#define PAX_DELTA_STACK_LEN 15
615 /* This yields a mask that user programs can use to figure out what
616 instruction set this CPU supports. This could be done in user space,
617 diff -urNp linux-2.6.35.5/arch/avr32/include/asm/kmap_types.h linux-2.6.35.5/arch/avr32/include/asm/kmap_types.h
618 --- linux-2.6.35.5/arch/avr32/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
619 +++ linux-2.6.35.5/arch/avr32/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
620 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
630 diff -urNp linux-2.6.35.5/arch/avr32/mach-at32ap/pm.c linux-2.6.35.5/arch/avr32/mach-at32ap/pm.c
631 --- linux-2.6.35.5/arch/avr32/mach-at32ap/pm.c 2010-08-26 19:47:12.000000000 -0400
632 +++ linux-2.6.35.5/arch/avr32/mach-at32ap/pm.c 2010-09-17 20:12:09.000000000 -0400
633 @@ -176,7 +176,7 @@ out:
637 -static struct platform_suspend_ops avr32_pm_ops = {
638 +static const struct platform_suspend_ops avr32_pm_ops = {
639 .valid = avr32_pm_valid_state,
640 .enter = avr32_pm_enter,
642 diff -urNp linux-2.6.35.5/arch/avr32/mm/fault.c linux-2.6.35.5/arch/avr32/mm/fault.c
643 --- linux-2.6.35.5/arch/avr32/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
644 +++ linux-2.6.35.5/arch/avr32/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
645 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
647 int exception_trace = 1;
649 +#ifdef CONFIG_PAX_PAGEEXEC
650 +void pax_report_insns(void *pc, void *sp)
654 + printk(KERN_ERR "PAX: bytes at PC: ");
655 + for (i = 0; i < 20; i++) {
657 + if (get_user(c, (unsigned char *)pc+i))
658 + printk(KERN_CONT "???????? ");
660 + printk(KERN_CONT "%02x ", c);
667 * This routine handles page faults. It determines the address and the
668 * problem, and then passes it off to one of the appropriate routines.
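Review bot: The failure branch of the new pax_report_insns prints `"???????? "` (eight characters) although the loop reads one byte per iteration and the success branch prints `%02x `, so an unreadable byte shifts the columns of the dump. `printk(KERN_CONT "?? ");` matches the byte width, as the ARM copy of this function in the same patch does. The cast `(unsigned char *)pc+i` handed to get_user also lacks the `__force ... __user` annotation the ARM copy uses, which sparse would presumably flag. Parts of the function body are not visible in this listing.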
669 @@ -157,6 +174,16 @@ bad_area:
670 up_read(&mm->mmap_sem);
672 if (user_mode(regs)) {
674 +#ifdef CONFIG_PAX_PAGEEXEC
675 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
676 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
677 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
678 + do_group_exit(SIGKILL);
683 if (exception_trace && printk_ratelimit())
684 printk("%s%s[%d]: segfault at %08lx pc %08lx "
685 "sp %08lx ecr %lu\n",
686 diff -urNp linux-2.6.35.5/arch/blackfin/kernel/kgdb.c linux-2.6.35.5/arch/blackfin/kernel/kgdb.c
687 --- linux-2.6.35.5/arch/blackfin/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
688 +++ linux-2.6.35.5/arch/blackfin/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
689 @@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
690 return -1; /* this means that we do not want to exit from the handler */
693 -struct kgdb_arch arch_kgdb_ops = {
694 +const struct kgdb_arch arch_kgdb_ops = {
695 .gdb_bpt_instr = {0xa1},
697 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
698 diff -urNp linux-2.6.35.5/arch/blackfin/mach-common/pm.c linux-2.6.35.5/arch/blackfin/mach-common/pm.c
699 --- linux-2.6.35.5/arch/blackfin/mach-common/pm.c 2010-08-26 19:47:12.000000000 -0400
700 +++ linux-2.6.35.5/arch/blackfin/mach-common/pm.c 2010-09-17 20:12:09.000000000 -0400
701 @@ -232,7 +232,7 @@ static int bfin_pm_enter(suspend_state_t
705 -struct platform_suspend_ops bfin_pm_ops = {
706 +const struct platform_suspend_ops bfin_pm_ops = {
707 .enter = bfin_pm_enter,
708 .valid = bfin_pm_valid,
710 diff -urNp linux-2.6.35.5/arch/blackfin/mm/maccess.c linux-2.6.35.5/arch/blackfin/mm/maccess.c
711 --- linux-2.6.35.5/arch/blackfin/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
712 +++ linux-2.6.35.5/arch/blackfin/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
713 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
714 return bfin_mem_access_type(addr, size);
717 -long probe_kernel_read(void *dst, void *src, size_t size)
718 +long probe_kernel_read(void *dst, const void *src, size_t size)
720 unsigned long lsrc = (unsigned long)src;
722 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
726 -long probe_kernel_write(void *dst, void *src, size_t size)
727 +long probe_kernel_write(void *dst, const void *src, size_t size)
729 unsigned long ldst = (unsigned long)dst;
731 diff -urNp linux-2.6.35.5/arch/frv/include/asm/kmap_types.h linux-2.6.35.5/arch/frv/include/asm/kmap_types.h
732 --- linux-2.6.35.5/arch/frv/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
733 +++ linux-2.6.35.5/arch/frv/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
734 @@ -23,6 +23,7 @@ enum km_type {
742 diff -urNp linux-2.6.35.5/arch/frv/mm/elf-fdpic.c linux-2.6.35.5/arch/frv/mm/elf-fdpic.c
743 --- linux-2.6.35.5/arch/frv/mm/elf-fdpic.c 2010-08-26 19:47:12.000000000 -0400
744 +++ linux-2.6.35.5/arch/frv/mm/elf-fdpic.c 2010-09-17 20:12:09.000000000 -0400
745 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
747 addr = PAGE_ALIGN(addr);
748 vma = find_vma(current->mm, addr);
749 - if (TASK_SIZE - len >= addr &&
750 - (!vma || addr + len <= vma->vm_start))
751 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
755 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
756 for (; vma; vma = vma->vm_next) {
759 - if (addr + len <= vma->vm_start)
760 + if (check_heap_stack_gap(vma, addr, len))
764 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
765 for (; vma; vma = vma->vm_next) {
768 - if (addr + len <= vma->vm_start)
769 + if (check_heap_stack_gap(vma, addr, len))
773 diff -urNp linux-2.6.35.5/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.35.5/arch/ia64/hp/common/hwsw_iommu.c
774 --- linux-2.6.35.5/arch/ia64/hp/common/hwsw_iommu.c 2010-08-26 19:47:12.000000000 -0400
775 +++ linux-2.6.35.5/arch/ia64/hp/common/hwsw_iommu.c 2010-09-17 20:12:09.000000000 -0400
777 #include <linux/swiotlb.h>
778 #include <asm/machvec.h>
780 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
781 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
783 /* swiotlb declarations & definitions: */
784 extern int swiotlb_late_init_with_default_size (size_t size);
785 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
786 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
789 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
790 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
792 if (use_swiotlb(dev))
793 return &swiotlb_dma_ops;
794 diff -urNp linux-2.6.35.5/arch/ia64/hp/common/sba_iommu.c linux-2.6.35.5/arch/ia64/hp/common/sba_iommu.c
795 --- linux-2.6.35.5/arch/ia64/hp/common/sba_iommu.c 2010-08-26 19:47:12.000000000 -0400
796 +++ linux-2.6.35.5/arch/ia64/hp/common/sba_iommu.c 2010-09-17 20:12:09.000000000 -0400
797 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
801 -extern struct dma_map_ops swiotlb_dma_ops;
802 +extern const struct dma_map_ops swiotlb_dma_ops;
806 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
808 __setup("sbapagesize=",sba_page_override);
810 -struct dma_map_ops sba_dma_ops = {
811 +const struct dma_map_ops sba_dma_ops = {
812 .alloc_coherent = sba_alloc_coherent,
813 .free_coherent = sba_free_coherent,
814 .map_page = sba_map_page,
815 diff -urNp linux-2.6.35.5/arch/ia64/include/asm/dma-mapping.h linux-2.6.35.5/arch/ia64/include/asm/dma-mapping.h
816 --- linux-2.6.35.5/arch/ia64/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
817 +++ linux-2.6.35.5/arch/ia64/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
820 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
822 -extern struct dma_map_ops *dma_ops;
823 +extern const struct dma_map_ops *dma_ops;
824 extern struct ia64_machine_vector ia64_mv;
825 extern void set_iommu_machvec(void);
827 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
828 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
829 dma_addr_t *daddr, gfp_t gfp)
831 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
832 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
835 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
836 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
837 static inline void dma_free_coherent(struct device *dev, size_t size,
838 void *caddr, dma_addr_t daddr)
840 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
841 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
842 debug_dma_free_coherent(dev, size, caddr, daddr);
843 ops->free_coherent(dev, size, caddr, daddr);
845 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
847 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
849 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
850 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
851 return ops->mapping_error(dev, daddr);
854 static inline int dma_supported(struct device *dev, u64 mask)
856 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
857 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
858 return ops->dma_supported(dev, mask);
861 diff -urNp linux-2.6.35.5/arch/ia64/include/asm/elf.h linux-2.6.35.5/arch/ia64/include/asm/elf.h
862 --- linux-2.6.35.5/arch/ia64/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
863 +++ linux-2.6.35.5/arch/ia64/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
866 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
868 +#ifdef CONFIG_PAX_ASLR
869 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
871 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
872 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
875 #define PT_IA_64_UNWIND 0x70000001
877 /* IA-64 relocations: */
878 diff -urNp linux-2.6.35.5/arch/ia64/include/asm/machvec.h linux-2.6.35.5/arch/ia64/include/asm/machvec.h
879 --- linux-2.6.35.5/arch/ia64/include/asm/machvec.h 2010-08-26 19:47:12.000000000 -0400
880 +++ linux-2.6.35.5/arch/ia64/include/asm/machvec.h 2010-09-17 20:12:09.000000000 -0400
881 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
882 /* DMA-mapping interface: */
883 typedef void ia64_mv_dma_init (void);
884 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
885 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
886 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
889 * WARNING: The legacy I/O space is _architected_. Platforms are
890 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
891 # endif /* CONFIG_IA64_GENERIC */
893 extern void swiotlb_dma_init(void);
894 -extern struct dma_map_ops *dma_get_ops(struct device *);
895 +extern const struct dma_map_ops *dma_get_ops(struct device *);
898 * Define default versions so we can extend machvec for new platforms without having
899 diff -urNp linux-2.6.35.5/arch/ia64/include/asm/pgtable.h linux-2.6.35.5/arch/ia64/include/asm/pgtable.h
900 --- linux-2.6.35.5/arch/ia64/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
901 +++ linux-2.6.35.5/arch/ia64/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
903 * David Mosberger-Tang <davidm@hpl.hp.com>
907 +#include <linux/const.h>
908 #include <asm/mman.h>
909 #include <asm/page.h>
910 #include <asm/processor.h>
912 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
913 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
914 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
916 +#ifdef CONFIG_PAX_PAGEEXEC
917 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
918 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
919 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
921 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
922 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
923 +# define PAGE_COPY_NOEXEC PAGE_COPY
926 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
927 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
928 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
929 diff -urNp linux-2.6.35.5/arch/ia64/include/asm/uaccess.h linux-2.6.35.5/arch/ia64/include/asm/uaccess.h
930 --- linux-2.6.35.5/arch/ia64/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
931 +++ linux-2.6.35.5/arch/ia64/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
932 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
933 const void *__cu_from = (from); \
934 long __cu_len = (n); \
936 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
937 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
938 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
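Review bot: The new `__cu_len > 0 && __cu_len <= INT_MAX` guard, here and in the next hunk, has no comment saying why the ceiling is INT_MAX or what a caller sees when it trips. As far as the visible lines show, a rejected length skips `__copy_user` and leaves `__cu_len` unchanged, so the macro presumably reports the whole request as uncopied. In the next hunk, which guards the copy from user space, the destination buffer would then be left as it was rather than cleared. A comment above each condition such as `/* refuse zero, negative and >INT_MAX lengths before the access check */` would make the contract explicit, along with a check that callers never read the destination after a non-zero return. Both macro bodies begin and end outside the hunks.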
941 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
942 long __cu_len = (n); \
944 __chk_user_ptr(__cu_from); \
945 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
946 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
947 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
950 diff -urNp linux-2.6.35.5/arch/ia64/kernel/dma-mapping.c linux-2.6.35.5/arch/ia64/kernel/dma-mapping.c
951 --- linux-2.6.35.5/arch/ia64/kernel/dma-mapping.c 2010-08-26 19:47:12.000000000 -0400
952 +++ linux-2.6.35.5/arch/ia64/kernel/dma-mapping.c 2010-09-17 20:12:09.000000000 -0400
954 /* Set this to 1 if there is a HW IOMMU in the system */
955 int iommu_detected __read_mostly;
957 -struct dma_map_ops *dma_ops;
958 +const struct dma_map_ops *dma_ops;
959 EXPORT_SYMBOL(dma_ops);
961 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
962 @@ -16,7 +16,7 @@ static int __init dma_init(void)
964 fs_initcall(dma_init);
966 -struct dma_map_ops *dma_get_ops(struct device *dev)
967 +const struct dma_map_ops *dma_get_ops(struct device *dev)
971 diff -urNp linux-2.6.35.5/arch/ia64/kernel/module.c linux-2.6.35.5/arch/ia64/kernel/module.c
972 --- linux-2.6.35.5/arch/ia64/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
973 +++ linux-2.6.35.5/arch/ia64/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
974 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
976 module_free (struct module *mod, void *module_region)
978 - if (mod && mod->arch.init_unw_table &&
979 - module_region == mod->module_init) {
980 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
981 unw_remove_unwind_table(mod->arch.init_unw_table);
982 mod->arch.init_unw_table = NULL;
984 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
988 +in_init_rx (const struct module *mod, uint64_t addr)
990 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
994 +in_init_rw (const struct module *mod, uint64_t addr)
996 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1000 in_init (const struct module *mod, uint64_t addr)
1002 - return addr - (uint64_t) mod->module_init < mod->init_size;
1003 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1007 +in_core_rx (const struct module *mod, uint64_t addr)
1009 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1013 +in_core_rw (const struct module *mod, uint64_t addr)
1015 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1019 in_core (const struct module *mod, uint64_t addr)
1021 - return addr - (uint64_t) mod->module_core < mod->core_size;
1022 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1026 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1030 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1031 + if (in_init_rx(mod, val))
1032 + val -= (uint64_t) mod->module_init_rx;
1033 + else if (in_init_rw(mod, val))
1034 + val -= (uint64_t) mod->module_init_rw;
1035 + else if (in_core_rx(mod, val))
1036 + val -= (uint64_t) mod->module_core_rx;
1037 + else if (in_core_rw(mod, val))
1038 + val -= (uint64_t) mod->module_core_rw;
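Review bot: The four-way `if`/`else if` chain has no closing `else`, so a `val` that lies in none of the init/core rx/rw regions is passed on unadjusted, where the removed line always fell back to subtracting `mod->module_core`. If such a value means the relocation target is outside the module, rejecting it explicitly is safer than continuing with an unadjusted address. A final branch that logs `mod->name` and returns this function's error value would do that; the error convention of do_reloc is not visible here and needs confirming. Several lines of this hunk are missing from the listing and do_reloc's body starts and ends outside it.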
1042 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1043 * addresses have been selected...
1046 - if (mod->core_size > MAX_LTOFF)
1047 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1049 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1050 * at the end of the module.
1052 - gp = mod->core_size - MAX_LTOFF / 2;
1053 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1055 - gp = mod->core_size / 2;
1056 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1057 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1058 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1060 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
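Review bot: The gp placement adds an offset derived from `mod->core_size_rx + mod->core_size_rw` to `mod->module_core_rx`, which only lands inside the module if the rw region directly follows the rx region in memory. Nothing in this hunk establishes that layout. The retained comment about SHF_ARCH_SMALL being "allocated at the end of the module" now describes a module that has been split into two regions. Either state the contiguity assumption in that comment or compute gp against the region that actually holds the small-data sections. The function body continues outside the hunk.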
1062 diff -urNp linux-2.6.35.5/arch/ia64/kernel/pci-dma.c linux-2.6.35.5/arch/ia64/kernel/pci-dma.c
1063 --- linux-2.6.35.5/arch/ia64/kernel/pci-dma.c 2010-08-26 19:47:12.000000000 -0400
1064 +++ linux-2.6.35.5/arch/ia64/kernel/pci-dma.c 2010-09-17 20:12:09.000000000 -0400
1065 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1066 .dma_mask = &fallback_dev.coherent_dma_mask,
1069 -extern struct dma_map_ops intel_dma_ops;
1070 +extern const struct dma_map_ops intel_dma_ops;
1072 static int __init pci_iommu_init(void)
1074 diff -urNp linux-2.6.35.5/arch/ia64/kernel/pci-swiotlb.c linux-2.6.35.5/arch/ia64/kernel/pci-swiotlb.c
1075 --- linux-2.6.35.5/arch/ia64/kernel/pci-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
1076 +++ linux-2.6.35.5/arch/ia64/kernel/pci-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
1077 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1078 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1081 -struct dma_map_ops swiotlb_dma_ops = {
1082 +const struct dma_map_ops swiotlb_dma_ops = {
1083 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1084 .free_coherent = swiotlb_free_coherent,
1085 .map_page = swiotlb_map_page,
1086 diff -urNp linux-2.6.35.5/arch/ia64/kernel/sys_ia64.c linux-2.6.35.5/arch/ia64/kernel/sys_ia64.c
1087 --- linux-2.6.35.5/arch/ia64/kernel/sys_ia64.c 2010-08-26 19:47:12.000000000 -0400
1088 +++ linux-2.6.35.5/arch/ia64/kernel/sys_ia64.c 2010-09-17 20:12:09.000000000 -0400
1089 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1090 if (REGION_NUMBER(addr) == RGN_HPAGE)
1094 +#ifdef CONFIG_PAX_RANDMMAP
1095 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1096 + addr = mm->free_area_cache;
1101 addr = mm->free_area_cache;
1103 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1104 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1105 /* At this point: (!vma || addr < vma->vm_end). */
1106 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1107 - if (start_addr != TASK_UNMAPPED_BASE) {
1108 + if (start_addr != mm->mmap_base) {
1109 /* Start a new search --- just in case we missed some holes. */
1110 - addr = TASK_UNMAPPED_BASE;
1111 + addr = mm->mmap_base;
1116 - if (!vma || addr + len <= vma->vm_start) {
1117 + if (check_heap_stack_gap(vma, addr, len)) {
1118 /* Remember the address where we stopped this search: */
1119 mm->free_area_cache = addr + len;
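Review bot: Replacing `!vma || addr + len <= vma->vm_start` with `check_heap_stack_gap(vma, addr, len)` moves the NULL test for `vma` into a helper that is not part of this hunk, while the loop header still advances with `vma = vma->vm_next`. The loop is safe only if the helper returns true for a NULL `vma`. A call-site comment such as `/* check_heap_stack_gap() must accept vma == NULL */` would keep the invariant stated on the context line above verifiable. The same substitution appears in the hugetlbpage.c, mips syscall.c and parisc sys_parisc.c hunks, and in hugetlbpage.c and parisc get_shared_area the vma is dereferenced on the fall-through path.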
1121 diff -urNp linux-2.6.35.5/arch/ia64/kernel/vmlinux.lds.S linux-2.6.35.5/arch/ia64/kernel/vmlinux.lds.S
1122 --- linux-2.6.35.5/arch/ia64/kernel/vmlinux.lds.S 2010-08-26 19:47:12.000000000 -0400
1123 +++ linux-2.6.35.5/arch/ia64/kernel/vmlinux.lds.S 2010-09-17 20:12:09.000000000 -0400
1124 @@ -196,7 +196,7 @@ SECTIONS
1126 . = ALIGN(PERCPU_PAGE_SIZE);
1127 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1128 - __phys_per_cpu_start = __per_cpu_load;
1129 + __phys_per_cpu_start = per_cpu_load;
1130 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1131 * into percpu page size
1133 diff -urNp linux-2.6.35.5/arch/ia64/mm/fault.c linux-2.6.35.5/arch/ia64/mm/fault.c
1134 --- linux-2.6.35.5/arch/ia64/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1135 +++ linux-2.6.35.5/arch/ia64/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1136 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1137 return pte_present(pte);
1140 +#ifdef CONFIG_PAX_PAGEEXEC
1141 +void pax_report_insns(void *pc, void *sp)
1145 + printk(KERN_ERR "PAX: bytes at PC: ");
1146 + for (i = 0; i < 8; i++) {
1148 + if (get_user(c, (unsigned int *)pc+i))
1149 + printk(KERN_CONT "???????? ");
1151 + printk(KERN_CONT "%08x ", c);
1158 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
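Review bot: `get_user(c, (unsigned int *)pc+i)` casts the `void *pc` argument to a plain pointer, dropping the `__user` annotation that `get_user` expects, so sparse cannot check the address space of this read. Writing it as `get_user(c, (unsigned int __user *)pc + i)` records that `pc` is a user-space address. The mips fault.c hunk of this patch has the same cast. The helper takes `(pc, sp)` here but only `pc` on mips, and the declarations of `c` and `i` are missing from the listing, so their types should be confirmed against the `%08x` format.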
1160 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1161 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1162 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1164 - if ((vma->vm_flags & mask) != mask)
1165 + if ((vma->vm_flags & mask) != mask) {
1167 +#ifdef CONFIG_PAX_PAGEEXEC
1168 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1169 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1172 + up_read(&mm->mmap_sem);
1173 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1174 + do_group_exit(SIGKILL);
1183 * If for any reason at all we couldn't handle the fault, make
1184 * sure we exit gracefully rather than endlessly redo the
1185 diff -urNp linux-2.6.35.5/arch/ia64/mm/hugetlbpage.c linux-2.6.35.5/arch/ia64/mm/hugetlbpage.c
1186 --- linux-2.6.35.5/arch/ia64/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
1187 +++ linux-2.6.35.5/arch/ia64/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
1188 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1189 /* At this point: (!vmm || addr < vmm->vm_end). */
1190 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1192 - if (!vmm || (addr + len) <= vmm->vm_start)
1193 + if (check_heap_stack_gap(vmm, addr, len))
1195 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1197 diff -urNp linux-2.6.35.5/arch/ia64/mm/init.c linux-2.6.35.5/arch/ia64/mm/init.c
1198 --- linux-2.6.35.5/arch/ia64/mm/init.c 2010-08-26 19:47:12.000000000 -0400
1199 +++ linux-2.6.35.5/arch/ia64/mm/init.c 2010-09-17 20:12:09.000000000 -0400
1200 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1201 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1202 vma->vm_end = vma->vm_start + PAGE_SIZE;
1203 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1205 +#ifdef CONFIG_PAX_PAGEEXEC
1206 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1207 + vma->vm_flags &= ~VM_EXEC;
1209 +#ifdef CONFIG_PAX_MPROTECT
1210 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1211 + vma->vm_flags &= ~VM_MAYEXEC;
1217 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1218 down_write(¤t->mm->mmap_sem);
1219 if (insert_vm_struct(current->mm, vma)) {
1220 diff -urNp linux-2.6.35.5/arch/ia64/sn/pci/pci_dma.c linux-2.6.35.5/arch/ia64/sn/pci/pci_dma.c
1221 --- linux-2.6.35.5/arch/ia64/sn/pci/pci_dma.c 2010-08-26 19:47:12.000000000 -0400
1222 +++ linux-2.6.35.5/arch/ia64/sn/pci/pci_dma.c 2010-09-17 20:12:09.000000000 -0400
1223 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1227 -static struct dma_map_ops sn_dma_ops = {
1228 +static const struct dma_map_ops sn_dma_ops = {
1229 .alloc_coherent = sn_dma_alloc_coherent,
1230 .free_coherent = sn_dma_free_coherent,
1231 .map_page = sn_dma_map_page,
1232 diff -urNp linux-2.6.35.5/arch/m32r/lib/usercopy.c linux-2.6.35.5/arch/m32r/lib/usercopy.c
1233 --- linux-2.6.35.5/arch/m32r/lib/usercopy.c 2010-08-26 19:47:12.000000000 -0400
1234 +++ linux-2.6.35.5/arch/m32r/lib/usercopy.c 2010-09-17 20:12:09.000000000 -0400
1237 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1243 if (access_ok(VERIFY_WRITE, to, n))
1244 __copy_user(to,from,n);
1245 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1247 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1253 if (access_ok(VERIFY_READ, from, n))
1254 __copy_user_zeroing(to,from,n);
1255 diff -urNp linux-2.6.35.5/arch/microblaze/include/asm/device.h linux-2.6.35.5/arch/microblaze/include/asm/device.h
1256 --- linux-2.6.35.5/arch/microblaze/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
1257 +++ linux-2.6.35.5/arch/microblaze/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
1258 @@ -13,7 +13,7 @@ struct device_node;
1260 struct dev_archdata {
1261 /* DMA operations on that device */
1262 - struct dma_map_ops *dma_ops;
1263 + const struct dma_map_ops *dma_ops;
1267 diff -urNp linux-2.6.35.5/arch/microblaze/include/asm/dma-mapping.h linux-2.6.35.5/arch/microblaze/include/asm/dma-mapping.h
1268 --- linux-2.6.35.5/arch/microblaze/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
1269 +++ linux-2.6.35.5/arch/microblaze/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
1270 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1271 return 0xfffffffful;
1274 -extern struct dma_map_ops *dma_ops;
1275 +extern const struct dma_map_ops *dma_ops;
1278 * Available generic sets of operations
1280 -extern struct dma_map_ops dma_direct_ops;
1281 +extern const struct dma_map_ops dma_direct_ops;
1283 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1284 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1286 /* We don't handle the NULL dev case for ISA for now. We could
1287 * do it via an out of line call but it is not needed for now. The
1288 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1289 return dev->archdata.dma_ops;
1292 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1293 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1295 dev->archdata.dma_ops = ops;
1298 static inline int dma_supported(struct device *dev, u64 mask)
1300 - struct dma_map_ops *ops = get_dma_ops(dev);
1301 + const struct dma_map_ops *ops = get_dma_ops(dev);
1305 @@ -87,7 +87,7 @@ static inline int dma_supported(struct d
1307 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1309 - struct dma_map_ops *ops = get_dma_ops(dev);
1310 + const struct dma_map_ops *ops = get_dma_ops(dev);
1312 if (unlikely(ops == NULL))
1314 @@ -103,7 +103,7 @@ static inline int dma_set_mask(struct de
1316 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1318 - struct dma_map_ops *ops = get_dma_ops(dev);
1319 + const struct dma_map_ops *ops = get_dma_ops(dev);
1320 if (ops->mapping_error)
1321 return ops->mapping_error(dev, dma_addr);
1323 @@ -117,7 +117,7 @@ static inline int dma_mapping_error(stru
1324 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1325 dma_addr_t *dma_handle, gfp_t flag)
1327 - struct dma_map_ops *ops = get_dma_ops(dev);
1328 + const struct dma_map_ops *ops = get_dma_ops(dev);
1332 @@ -131,7 +131,7 @@ static inline void *dma_alloc_coherent(s
1333 static inline void dma_free_coherent(struct device *dev, size_t size,
1334 void *cpu_addr, dma_addr_t dma_handle)
1336 - struct dma_map_ops *ops = get_dma_ops(dev);
1337 + const struct dma_map_ops *ops = get_dma_ops(dev);
1340 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1341 diff -urNp linux-2.6.35.5/arch/microblaze/include/asm/pci.h linux-2.6.35.5/arch/microblaze/include/asm/pci.h
1342 --- linux-2.6.35.5/arch/microblaze/include/asm/pci.h 2010-08-26 19:47:12.000000000 -0400
1343 +++ linux-2.6.35.5/arch/microblaze/include/asm/pci.h 2010-09-17 20:12:09.000000000 -0400
1344 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1348 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1349 -extern struct dma_map_ops *get_pci_dma_ops(void);
1350 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1351 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1352 #else /* CONFIG_PCI */
1353 #define set_pci_dma_ops(d)
1354 #define get_pci_dma_ops() NULL
1355 diff -urNp linux-2.6.35.5/arch/microblaze/kernel/dma.c linux-2.6.35.5/arch/microblaze/kernel/dma.c
1356 --- linux-2.6.35.5/arch/microblaze/kernel/dma.c 2010-08-26 19:47:12.000000000 -0400
1357 +++ linux-2.6.35.5/arch/microblaze/kernel/dma.c 2010-09-17 20:12:09.000000000 -0400
1358 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1359 __dma_sync_page(dma_address, 0 , size, direction);
1362 -struct dma_map_ops dma_direct_ops = {
1363 +const struct dma_map_ops dma_direct_ops = {
1364 .alloc_coherent = dma_direct_alloc_coherent,
1365 .free_coherent = dma_direct_free_coherent,
1366 .map_sg = dma_direct_map_sg,
1367 diff -urNp linux-2.6.35.5/arch/microblaze/pci/pci-common.c linux-2.6.35.5/arch/microblaze/pci/pci-common.c
1368 --- linux-2.6.35.5/arch/microblaze/pci/pci-common.c 2010-08-26 19:47:12.000000000 -0400
1369 +++ linux-2.6.35.5/arch/microblaze/pci/pci-common.c 2010-09-17 20:12:09.000000000 -0400
1370 @@ -46,14 +46,14 @@ resource_size_t isa_mem_base;
1371 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1372 unsigned int pci_flags;
1374 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1375 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1377 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1378 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1380 pci_dma_ops = dma_ops;
1383 -struct dma_map_ops *get_pci_dma_ops(void)
1384 +const struct dma_map_ops *get_pci_dma_ops(void)
1388 diff -urNp linux-2.6.35.5/arch/mips/alchemy/devboards/pm.c linux-2.6.35.5/arch/mips/alchemy/devboards/pm.c
1389 --- linux-2.6.35.5/arch/mips/alchemy/devboards/pm.c 2010-08-26 19:47:12.000000000 -0400
1390 +++ linux-2.6.35.5/arch/mips/alchemy/devboards/pm.c 2010-09-17 20:12:09.000000000 -0400
1391 @@ -110,7 +110,7 @@ static void db1x_pm_end(void)
1395 -static struct platform_suspend_ops db1x_pm_ops = {
1396 +static const struct platform_suspend_ops db1x_pm_ops = {
1397 .valid = suspend_valid_only_mem,
1398 .begin = db1x_pm_begin,
1399 .enter = db1x_pm_enter,
1400 diff -urNp linux-2.6.35.5/arch/mips/include/asm/elf.h linux-2.6.35.5/arch/mips/include/asm/elf.h
1401 --- linux-2.6.35.5/arch/mips/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
1402 +++ linux-2.6.35.5/arch/mips/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
1403 @@ -368,6 +368,13 @@ extern const char *__elf_platform;
1404 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1407 +#ifdef CONFIG_PAX_ASLR
1408 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1410 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1411 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1414 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1415 struct linux_binprm;
1416 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
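Review bot: `PAX_ELF_ET_DYN_BASE` chooses between two identical values, `0x00400000UL : 0x00400000UL`, so the `test_thread_flag(TIF_32BIT_ADDR)` test has no effect and reads like a 64-bit base that was never filled in. If the shared base is intended, `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` says so directly; otherwise the 64-bit arm needs its own value. The same definition is repeated in the binfmt_elfn32.c and binfmt_elfo32.c hunks. Those files presumably build 32-bit ABIs only, which would make the 64-bit arms of the delta macros dead code there too.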
1417 diff -urNp linux-2.6.35.5/arch/mips/include/asm/page.h linux-2.6.35.5/arch/mips/include/asm/page.h
1418 --- linux-2.6.35.5/arch/mips/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
1419 +++ linux-2.6.35.5/arch/mips/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
1420 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1421 #ifdef CONFIG_CPU_MIPS32
1422 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1423 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1424 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1425 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1427 typedef struct { unsigned long long pte; } pte_t;
1428 #define pte_val(x) ((x).pte)
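Review bot: Dropping the `unsigned long long` cast leaves `(x) >> 32` operating on whatever type the caller passes, and a shift by 32 on a 32-bit operand is undefined behaviour in C. The struct on the context line above stores two `unsigned long` halves under CONFIG_CPU_MIPS32, so 32-bit arguments are plausible, though the callers are not visible here. Unless every caller is known to pass a 64-bit value, keep the widening on the high half: `#define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })`.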
1429 diff -urNp linux-2.6.35.5/arch/mips/include/asm/system.h linux-2.6.35.5/arch/mips/include/asm/system.h
1430 --- linux-2.6.35.5/arch/mips/include/asm/system.h 2010-08-26 19:47:12.000000000 -0400
1431 +++ linux-2.6.35.5/arch/mips/include/asm/system.h 2010-09-17 20:12:09.000000000 -0400
1432 @@ -234,6 +234,6 @@ extern void per_cpu_trap_init(void);
1434 #define __ARCH_WANT_UNLOCKED_CTXSW
1436 -extern unsigned long arch_align_stack(unsigned long sp);
1437 +#define arch_align_stack(x) ((x) & ALMASK)
1439 #endif /* _ASM_SYSTEM_H */
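Review bot: The macro `arch_align_stack(x) ((x) & ALMASK)` only aligns, so the sub-page stack offset is lost in every configuration, not just when PaX randomization is built in. The function removed in the process.c hunk applied that offset with `sp -= get_random_int() & ~PAGE_MASK` when randomization was enabled. If this tree is also built without CONFIG_PAX_ASLR, those kernels lose that entropy. Guarding the macro with `#ifdef CONFIG_PAX_ASLR` and keeping the `extern` declaration and the process.c function otherwise would preserve it. The macro also no longer fixes the argument type to `unsigned long`, which a short comment should note.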
1440 diff -urNp linux-2.6.35.5/arch/mips/kernel/binfmt_elfn32.c linux-2.6.35.5/arch/mips/kernel/binfmt_elfn32.c
1441 --- linux-2.6.35.5/arch/mips/kernel/binfmt_elfn32.c 2010-08-26 19:47:12.000000000 -0400
1442 +++ linux-2.6.35.5/arch/mips/kernel/binfmt_elfn32.c 2010-09-17 20:12:09.000000000 -0400
1443 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1444 #undef ELF_ET_DYN_BASE
1445 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1447 +#ifdef CONFIG_PAX_ASLR
1448 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1450 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1451 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1454 #include <asm/processor.h>
1455 #include <linux/module.h>
1456 #include <linux/elfcore.h>
1457 diff -urNp linux-2.6.35.5/arch/mips/kernel/binfmt_elfo32.c linux-2.6.35.5/arch/mips/kernel/binfmt_elfo32.c
1458 --- linux-2.6.35.5/arch/mips/kernel/binfmt_elfo32.c 2010-08-26 19:47:12.000000000 -0400
1459 +++ linux-2.6.35.5/arch/mips/kernel/binfmt_elfo32.c 2010-09-17 20:12:09.000000000 -0400
1460 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1461 #undef ELF_ET_DYN_BASE
1462 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1464 +#ifdef CONFIG_PAX_ASLR
1465 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1467 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1468 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1471 #include <asm/processor.h>
1474 diff -urNp linux-2.6.35.5/arch/mips/kernel/kgdb.c linux-2.6.35.5/arch/mips/kernel/kgdb.c
1475 --- linux-2.6.35.5/arch/mips/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
1476 +++ linux-2.6.35.5/arch/mips/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
1477 @@ -270,6 +270,7 @@ int kgdb_arch_handle_exception(int vecto
1481 +/* cannot be const, see kgdb_arch_init */
1482 struct kgdb_arch arch_kgdb_ops;
1485 diff -urNp linux-2.6.35.5/arch/mips/kernel/process.c linux-2.6.35.5/arch/mips/kernel/process.c
1486 --- linux-2.6.35.5/arch/mips/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
1487 +++ linux-2.6.35.5/arch/mips/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
1488 @@ -474,15 +474,3 @@ unsigned long get_wchan(struct task_stru
1494 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1495 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1497 -unsigned long arch_align_stack(unsigned long sp)
1499 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1500 - sp -= get_random_int() & ~PAGE_MASK;
1502 - return sp & ALMASK;
1504 diff -urNp linux-2.6.35.5/arch/mips/kernel/syscall.c linux-2.6.35.5/arch/mips/kernel/syscall.c
1505 --- linux-2.6.35.5/arch/mips/kernel/syscall.c 2010-08-26 19:47:12.000000000 -0400
1506 +++ linux-2.6.35.5/arch/mips/kernel/syscall.c 2010-09-17 20:12:09.000000000 -0400
1507 @@ -106,17 +106,21 @@ unsigned long arch_get_unmapped_area(str
1509 if (filp || (flags & MAP_SHARED))
1512 +#ifdef CONFIG_PAX_RANDMMAP
1513 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1518 addr = COLOUR_ALIGN(addr, pgoff);
1520 addr = PAGE_ALIGN(addr);
1521 vmm = find_vma(current->mm, addr);
1522 - if (task_size - len >= addr &&
1523 - (!vmm || addr + len <= vmm->vm_start))
1524 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1527 - addr = TASK_UNMAPPED_BASE;
1528 + addr = current->mm->mmap_base;
1530 addr = COLOUR_ALIGN(addr, pgoff);
1532 @@ -126,7 +130,7 @@ unsigned long arch_get_unmapped_area(str
1533 /* At this point: (!vmm || addr < vmm->vm_end). */
1534 if (task_size - len < addr)
1536 - if (!vmm || addr + len <= vmm->vm_start)
1537 + if (check_heap_stack_gap(vmm, addr, len))
1541 diff -urNp linux-2.6.35.5/arch/mips/loongson/common/pm.c linux-2.6.35.5/arch/mips/loongson/common/pm.c
1542 --- linux-2.6.35.5/arch/mips/loongson/common/pm.c 2010-08-26 19:47:12.000000000 -0400
1543 +++ linux-2.6.35.5/arch/mips/loongson/common/pm.c 2010-09-17 20:12:09.000000000 -0400
1544 @@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1548 -static struct platform_suspend_ops loongson_pm_ops = {
1549 +static const struct platform_suspend_ops loongson_pm_ops = {
1550 .valid = loongson_pm_valid_state,
1551 .enter = loongson_pm_enter,
1553 diff -urNp linux-2.6.35.5/arch/mips/mm/fault.c linux-2.6.35.5/arch/mips/mm/fault.c
1554 --- linux-2.6.35.5/arch/mips/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1555 +++ linux-2.6.35.5/arch/mips/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1557 #include <asm/ptrace.h>
1558 #include <asm/highmem.h> /* For VMALLOC_END */
1560 +#ifdef CONFIG_PAX_PAGEEXEC
1561 +void pax_report_insns(void *pc)
1565 + printk(KERN_ERR "PAX: bytes at PC: ");
1566 + for (i = 0; i < 5; i++) {
1568 + if (get_user(c, (unsigned int *)pc+i))
1569 + printk(KERN_CONT "???????? ");
1571 + printk(KERN_CONT "%08x ", c);
1578 * This routine handles page faults. It determines the address,
1579 * and the problem, and then passes it off to one of the appropriate
1580 diff -urNp linux-2.6.35.5/arch/parisc/include/asm/elf.h linux-2.6.35.5/arch/parisc/include/asm/elf.h
1581 --- linux-2.6.35.5/arch/parisc/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
1582 +++ linux-2.6.35.5/arch/parisc/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
1583 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1585 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1587 +#ifdef CONFIG_PAX_ASLR
1588 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1590 +#define PAX_DELTA_MMAP_LEN 16
1591 +#define PAX_DELTA_STACK_LEN 16
1594 /* This yields a mask that user programs can use to figure out what
1595 instruction set this CPU supports. This could be done in user space,
1596 but it's not easy, and we've already done it here. */
1597 diff -urNp linux-2.6.35.5/arch/parisc/include/asm/pgtable.h linux-2.6.35.5/arch/parisc/include/asm/pgtable.h
1598 --- linux-2.6.35.5/arch/parisc/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
1599 +++ linux-2.6.35.5/arch/parisc/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
1600 @@ -207,6 +207,17 @@
1601 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1602 #define PAGE_COPY PAGE_EXECREAD
1603 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1605 +#ifdef CONFIG_PAX_PAGEEXEC
1606 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1607 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1608 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1610 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1611 +# define PAGE_COPY_NOEXEC PAGE_COPY
1612 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1615 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1616 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1617 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1618 diff -urNp linux-2.6.35.5/arch/parisc/kernel/module.c linux-2.6.35.5/arch/parisc/kernel/module.c
1619 --- linux-2.6.35.5/arch/parisc/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
1620 +++ linux-2.6.35.5/arch/parisc/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
1623 /* three functions to determine where in the module core
1624 * or init pieces the location is */
1625 +static inline int in_init_rx(struct module *me, void *loc)
1627 + return (loc >= me->module_init_rx &&
1628 + loc < (me->module_init_rx + me->init_size_rx));
1631 +static inline int in_init_rw(struct module *me, void *loc)
1633 + return (loc >= me->module_init_rw &&
1634 + loc < (me->module_init_rw + me->init_size_rw));
1637 static inline int in_init(struct module *me, void *loc)
1639 - return (loc >= me->module_init &&
1640 - loc <= (me->module_init + me->init_size));
1641 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1644 +static inline int in_core_rx(struct module *me, void *loc)
1646 + return (loc >= me->module_core_rx &&
1647 + loc < (me->module_core_rx + me->core_size_rx));
1650 +static inline int in_core_rw(struct module *me, void *loc)
1652 + return (loc >= me->module_core_rw &&
1653 + loc < (me->module_core_rw + me->core_size_rw));
1656 static inline int in_core(struct module *me, void *loc)
1658 - return (loc >= me->module_core &&
1659 - loc <= (me->module_core + me->core_size));
1660 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1663 static inline int in_local(struct module *me, void *loc)
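Review bot: The context comment still reads "three functions to determine where in the module core or init pieces the location is", but this hunk puts four new region helpers in front of them. Update it to describe the split, e.g. `/* helpers to determine which rx or rw piece of the module core or init area holds the location */`. The new helpers also take a non-const `struct module *me`, while their ia64 counterparts in this patch take `const struct module *`. They only read fields, so `const` fits here as well, although it would differ from the existing in_init/in_core signatures.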
1664 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1667 /* align things a bit */
1668 - me->core_size = ALIGN(me->core_size, 16);
1669 - me->arch.got_offset = me->core_size;
1670 - me->core_size += gots * sizeof(struct got_entry);
1672 - me->core_size = ALIGN(me->core_size, 16);
1673 - me->arch.fdesc_offset = me->core_size;
1674 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1675 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1676 + me->arch.got_offset = me->core_size_rw;
1677 + me->core_size_rw += gots * sizeof(struct got_entry);
1679 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1680 + me->arch.fdesc_offset = me->core_size_rw;
1681 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1683 me->arch.got_max = gots;
1684 me->arch.fdesc_max = fdescs;
1685 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1689 - got = me->module_core + me->arch.got_offset;
1690 + got = me->module_core_rw + me->arch.got_offset;
1691 for (i = 0; got[i].addr; i++)
1692 if (got[i].addr == value)
1694 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1696 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1698 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1699 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1702 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1703 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1705 /* Create new one */
1706 fdesc->addr = value;
1707 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1708 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1709 return (Elf_Addr)fdesc;
1711 #endif /* CONFIG_64BIT */
1712 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1714 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1715 end = table + sechdrs[me->arch.unwind_section].sh_size;
1716 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1717 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1719 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1720 me->arch.unwind_section, table, end, gp);
1721 diff -urNp linux-2.6.35.5/arch/parisc/kernel/sys_parisc.c linux-2.6.35.5/arch/parisc/kernel/sys_parisc.c
1722 --- linux-2.6.35.5/arch/parisc/kernel/sys_parisc.c 2010-08-26 19:47:12.000000000 -0400
1723 +++ linux-2.6.35.5/arch/parisc/kernel/sys_parisc.c 2010-09-17 20:12:09.000000000 -0400
1724 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1725 /* At this point: (!vma || addr < vma->vm_end). */
1726 if (TASK_SIZE - len < addr)
1728 - if (!vma || addr + len <= vma->vm_start)
1729 + if (check_heap_stack_gap(vma, addr, len))
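Review bot: Replacing `!vma || addr + len <= vma->vm_start` with `check_heap_stack_gap(vma, addr, len)` moves the NULL-`vma` case into a helper defined outside this hunk, so the search loop is only safe if that helper returns true for `vma == NULL`. The get_shared_area() hunk below shows why it matters: its fall-through path evaluates `vma->vm_end`. Either state that contract in a comment at the helper or keep the test explicit, `if (!vma || check_heap_stack_gap(vma, addr, len))`. get_unshared_area() starts and ends outside the hunk.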
1733 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1734 /* At this point: (!vma || addr < vma->vm_end). */
1735 if (TASK_SIZE - len < addr)
1737 - if (!vma || addr + len <= vma->vm_start)
1738 + if (check_heap_stack_gap(vma, addr, len))
1740 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1741 if (addr < vma->vm_end) /* handle wraparound */
1742 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1743 if (flags & MAP_FIXED)
1746 - addr = TASK_UNMAPPED_BASE;
1747 + addr = current->mm->mmap_base;
1750 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1751 diff -urNp linux-2.6.35.5/arch/parisc/kernel/traps.c linux-2.6.35.5/arch/parisc/kernel/traps.c
1752 --- linux-2.6.35.5/arch/parisc/kernel/traps.c 2010-08-26 19:47:12.000000000 -0400
1753 +++ linux-2.6.35.5/arch/parisc/kernel/traps.c 2010-09-17 20:12:09.000000000 -0400
1754 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1756 down_read(¤t->mm->mmap_sem);
1757 vma = find_vma(current->mm,regs->iaoq[0]);
1758 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1759 - && (vma->vm_flags & VM_EXEC)) {
1761 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1762 fault_address = regs->iaoq[0];
1763 fault_space = regs->iasq[0];
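Review bot: The `vma->vm_flags & VM_EXEC` test is dropped from `if (vma && (regs->iaoq[0] >= vma->vm_start))` unconditionally and without a comment, so it also changes behaviour for builds that do not enable the PaX options used elsewhere in this patch. Presumably the intent is to let instruction fetches from non-executable mappings reach the page-fault path, where the fault.c part of this patch adds the CONFIG_PAX_PAGEEXEC check. If so, say it at the condition, e.g. `/* VM_EXEC is checked by the fault handler, not here */`. handle_interruption() starts and ends outside this hunk, so what now happens for such addresses on the other branch should be confirmed there.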
1765 diff -urNp linux-2.6.35.5/arch/parisc/mm/fault.c linux-2.6.35.5/arch/parisc/mm/fault.c
1766 --- linux-2.6.35.5/arch/parisc/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1767 +++ linux-2.6.35.5/arch/parisc/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1769 #include <linux/sched.h>
1770 #include <linux/interrupt.h>
1771 #include <linux/module.h>
1772 +#include <linux/unistd.h>
1774 #include <asm/uaccess.h>
1775 #include <asm/traps.h>
1776 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1777 static unsigned long
1778 parisc_acctyp(unsigned long code, unsigned int inst)
1780 - if (code == 6 || code == 16)
1781 + if (code == 6 || code == 7 || code == 16)
1784 switch (inst & 0xf0000000) {
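Review bot: `code == 7` joins 6 and 16 as a third bare interruption number in parisc_acctyp(), and nothing in the hunk says which trap it is or why it is now classified with the other two. A one-line comment above the test would make the security-relevant change auditable, e.g. `/* 6: ITLB miss, 7: instruction memory protection, 16: non-access ITLB miss */` (names to be confirmed against the PA-RISC interruption list). The function body continues outside the hunk, and the statement the condition guards is missing from this listing.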
1785 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1789 +#ifdef CONFIG_PAX_PAGEEXEC
1791 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1793 + * returns 1 when task should be killed
1794 + * 2 when rt_sigreturn trampoline was detected
1795 + * 3 when unpatched PLT trampoline was detected
1797 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1800 +#ifdef CONFIG_PAX_EMUPLT
1803 + do { /* PaX: unpatched PLT emulation */
1804 + unsigned int bl, depwi;
1806 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1807 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1812 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1813 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1815 + err = get_user(ldw, (unsigned int *)addr);
1816 + err |= get_user(bv, (unsigned int *)(addr+4));
1817 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1822 + if (ldw == 0x0E801096U &&
1823 + bv == 0xEAC0C000U &&
1824 + ldw2 == 0x0E881095U)
1826 + unsigned int resolver, map;
1828 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1829 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1833 + regs->gr[20] = instruction_pointer(regs)+8;
1834 + regs->gr[21] = map;
1835 + regs->gr[22] = resolver;
1836 + regs->iaoq[0] = resolver | 3UL;
1837 + regs->iaoq[1] = regs->iaoq[0] + 4;
1844 +#ifdef CONFIG_PAX_EMUTRAMP
1846 +#ifndef CONFIG_PAX_EMUSIGRT
1847 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1851 + do { /* PaX: rt_sigreturn emulation */
1852 + unsigned int ldi1, ldi2, bel, nop;
1854 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1855 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1856 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1857 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1862 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1863 + ldi2 == 0x3414015AU &&
1864 + bel == 0xE4008200U &&
1865 + nop == 0x08000240U)
1867 + regs->gr[25] = (ldi1 & 2) >> 1;
1868 + regs->gr[20] = __NR_rt_sigreturn;
1869 + regs->gr[31] = regs->iaoq[1] + 16;
1870 + regs->sr[0] = regs->iasq[1];
1871 + regs->iaoq[0] = 0x100UL;
1872 + regs->iaoq[1] = regs->iaoq[0] + 4;
1873 + regs->iasq[0] = regs->sr[2];
1874 + regs->iasq[1] = regs->sr[2];
1883 +void pax_report_insns(void *pc, void *sp)
1887 + printk(KERN_ERR "PAX: bytes at PC: ");
1888 + for (i = 0; i < 5; i++) {
1890 + if (get_user(c, (unsigned int *)pc+i))
1891 + printk(KERN_CONT "???????? ");
1893 + printk(KERN_CONT "%08x ", c);
1899 int fixup_exception(struct pt_regs *regs)
1901 const struct exception_table_entry *fix;
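Review bot: In the PLT emulation block `addr` is declared as `unsigned int` (`unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;`) and then cast to a pointer, which truncates the address and is a size-mismatched cast on a 64-bit kernel; declare it on its own as `unsigned long addr = instruction_pointer(regs) - 12;`. The `get_user()` casts in pax_handle_fetch_fault() and pax_report_insns() are written `(unsigned int *)` rather than `(unsigned int __user *)`, so sparse cannot verify that these are user accesses. The instruction words being matched (`0xEA9F1FDDU`, `0x34190000U`, and the rest) would be easier to audit with the mnemonic in a comment beside each. Several lines of both functions are missing from this listing, so the error paths after each `get_user()` could not be checked.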
1902 @@ -192,8 +303,33 @@ good_area:
1904 acc_type = parisc_acctyp(code,regs->iir);
1906 - if ((vma->vm_flags & acc_type) != acc_type)
1907 + if ((vma->vm_flags & acc_type) != acc_type) {
1909 +#ifdef CONFIG_PAX_PAGEEXEC
1910 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1911 + (address & ~3UL) == instruction_pointer(regs))
1913 + up_read(&mm->mmap_sem);
1914 + switch (pax_handle_fetch_fault(regs)) {
1916 +#ifdef CONFIG_PAX_EMUPLT
1921 +#ifdef CONFIG_PAX_EMUTRAMP
1927 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1928 + do_group_exit(SIGKILL);
1936 * If for any reason at all we couldn't handle the fault, make
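Review bot: The added block releases `mm->mmap_sem` with `up_read()` before calling pax_handle_fetch_fault(), and the reason is not stated. That ordering is needed because the handler reads user memory with `get_user()`, which can itself fault, so a comment such as `/* drop mmap_sem first: pax_handle_fetch_fault() uses get_user() */` should sit above the `up_read()`. The `switch` also dispatches on the bare return codes 1 to 3 that are documented only in the handler's header comment; named constants would keep the two in step. The case labels and the end of the block are missing from this listing.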
1937 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/device.h linux-2.6.35.5/arch/powerpc/include/asm/device.h
1938 --- linux-2.6.35.5/arch/powerpc/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
1939 +++ linux-2.6.35.5/arch/powerpc/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
1940 @@ -11,7 +11,7 @@ struct device_node;
1942 struct dev_archdata {
1943 /* DMA operations on that device */
1944 - struct dma_map_ops *dma_ops;
1945 + const struct dma_map_ops *dma_ops;
1948 * When an iommu is in use, dma_data is used as a ptr to the base of the
1949 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/dma-mapping.h linux-2.6.35.5/arch/powerpc/include/asm/dma-mapping.h
1950 --- linux-2.6.35.5/arch/powerpc/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
1951 +++ linux-2.6.35.5/arch/powerpc/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
1952 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
1954 * Available generic sets of operations
1956 +/* cannot be const */
1958 extern struct dma_map_ops dma_iommu_ops;
1960 -extern struct dma_map_ops dma_direct_ops;
1961 +extern const struct dma_map_ops dma_direct_ops;
1963 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1964 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1966 /* We don't handle the NULL dev case for ISA for now. We could
1967 * do it via an out of line call but it is not needed for now. The
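Review bot: The added `/* cannot be const */` above `dma_iommu_ops` gives no reason, and nothing in this hunk shows a writer. A writable table of function pointers is what the const-qualification elsewhere in this patch removes, so the exception deserves a stated cause, e.g. `/* not const: <member> is assigned at run time in <file> */` (placeholders; the writer is not visible here). get_dma_ops() continues outside the hunk.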
1968 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
1969 return dev->archdata.dma_ops;
1972 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1973 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1975 dev->archdata.dma_ops = ops;
1977 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
1979 static inline int dma_supported(struct device *dev, u64 mask)
1981 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1982 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1984 if (unlikely(dma_ops == NULL))
1986 @@ -129,7 +130,7 @@ static inline int dma_supported(struct d
1988 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1990 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1991 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1993 if (unlikely(dma_ops == NULL))
1995 @@ -144,7 +145,7 @@ static inline int dma_set_mask(struct de
1996 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1997 dma_addr_t *dma_handle, gfp_t flag)
1999 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2000 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2004 @@ -159,7 +160,7 @@ static inline void *dma_alloc_coherent(s
2005 static inline void dma_free_coherent(struct device *dev, size_t size,
2006 void *cpu_addr, dma_addr_t dma_handle)
2008 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2009 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2013 @@ -170,7 +171,7 @@ static inline void dma_free_coherent(str
2015 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2017 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2018 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2020 if (dma_ops->mapping_error)
2021 return dma_ops->mapping_error(dev, dma_addr);
2022 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/elf.h linux-2.6.35.5/arch/powerpc/include/asm/elf.h
2023 --- linux-2.6.35.5/arch/powerpc/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
2024 +++ linux-2.6.35.5/arch/powerpc/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
2025 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2026 the loader. We need to make sure that it is out of the way of the program
2027 that it will "exec", and that there is sufficient room for the brk. */
2029 -extern unsigned long randomize_et_dyn(unsigned long base);
2030 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2031 +#define ELF_ET_DYN_BASE (0x20000000)
2033 +#ifdef CONFIG_PAX_ASLR
2034 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2036 +#ifdef __powerpc64__
2037 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2038 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2040 +#define PAX_DELTA_MMAP_LEN 15
2041 +#define PAX_DELTA_STACK_LEN 15
2046 * Our registers are always unsigned longs, whether we're a 32 bit
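Review bot: With `ELF_ET_DYN_BASE` reduced to the constant `(0x20000000)` and the PaX values defined only under `#ifdef CONFIG_PAX_ASLR`, a kernel built without that option appears to lose the ET_DYN base randomisation that `randomize_et_dyn()` provided. The same applies to heap placement: the next hunk drops the `arch_randomize_brk` declaration, and the process.c part of the patch deletes `brk_rnd()`, `arch_randomize_brk()` and `randomize_et_dyn()`. If a replacement exists for the non-PaX configuration it is outside this listing; otherwise keep the original definitions in an `#else` branch of `CONFIG_PAX_ASLR`. The `PAX_DELTA_*_LEN` values would also benefit from a comment stating their unit.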
2047 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2048 (0x7ff >> (PAGE_SHIFT - 12)) : \
2049 (0x3ffff >> (PAGE_SHIFT - 12)))
2051 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2052 -#define arch_randomize_brk arch_randomize_brk
2054 #endif /* __KERNEL__ */
2057 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/iommu.h linux-2.6.35.5/arch/powerpc/include/asm/iommu.h
2058 --- linux-2.6.35.5/arch/powerpc/include/asm/iommu.h 2010-08-26 19:47:12.000000000 -0400
2059 +++ linux-2.6.35.5/arch/powerpc/include/asm/iommu.h 2010-09-17 20:12:09.000000000 -0400
2060 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2061 extern void iommu_init_early_dart(void);
2062 extern void iommu_init_early_pasemi(void);
2065 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2068 extern void pci_iommu_init(void);
2069 extern void pci_direct_iommu_init(void);
2070 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/kmap_types.h linux-2.6.35.5/arch/powerpc/include/asm/kmap_types.h
2071 --- linux-2.6.35.5/arch/powerpc/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
2072 +++ linux-2.6.35.5/arch/powerpc/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
2073 @@ -27,6 +27,7 @@ enum km_type {
2081 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/page_64.h linux-2.6.35.5/arch/powerpc/include/asm/page_64.h
2082 --- linux-2.6.35.5/arch/powerpc/include/asm/page_64.h 2010-08-26 19:47:12.000000000 -0400
2083 +++ linux-2.6.35.5/arch/powerpc/include/asm/page_64.h 2010-09-17 20:12:09.000000000 -0400
2084 @@ -172,15 +172,18 @@ do { \
2085 * stack by default, so in the absense of a PT_GNU_STACK program header
2086 * we turn execute permission off.
2088 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2089 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2090 +#define VM_STACK_DEFAULT_FLAGS32 \
2091 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2092 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2094 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2095 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2097 +#ifndef CONFIG_PAX_PAGEEXEC
2098 #define VM_STACK_DEFAULT_FLAGS \
2099 (test_thread_flag(TIF_32BIT) ? \
2100 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2103 #include <asm-generic/getorder.h>
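Review bot: `VM_STACK_DEFAULT_FLAGS32` now reads `current->personality` every time it is expanded, which is easy to miss in a macro named like a constant, and the comment above it was not updated to mention `READ_IMPLIES_EXEC`. The same rewrite is applied to `VM_DATA_DEFAULT_FLAGS32` in page.h, where the context comment still says the whole heap ends up being executable; that no longer holds for tasks without the personality bit. Suggested wording for both: `/* VM_EXEC only for READ_IMPLIES_EXEC tasks; VM_MAYEXEC is kept so mprotect() can still add it */`. The `#ifndef CONFIG_PAX_PAGEEXEC` added around `VM_STACK_DEFAULT_FLAGS` should likewise say where the definition comes from when the option is set, since that definition is not in this hunk.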
2105 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/page.h linux-2.6.35.5/arch/powerpc/include/asm/page.h
2106 --- linux-2.6.35.5/arch/powerpc/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
2107 +++ linux-2.6.35.5/arch/powerpc/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
2108 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2109 * and needs to be executable. This means the whole heap ends
2110 * up being executable.
2112 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2113 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2114 +#define VM_DATA_DEFAULT_FLAGS32 \
2115 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2116 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2118 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2119 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2120 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2121 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2124 +#define ktla_ktva(addr) (addr)
2125 +#define ktva_ktla(addr) (addr)
2127 #ifndef __ASSEMBLY__
2129 #undef STRICT_MM_TYPECHECKS
2130 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/pci.h linux-2.6.35.5/arch/powerpc/include/asm/pci.h
2131 --- linux-2.6.35.5/arch/powerpc/include/asm/pci.h 2010-08-26 19:47:12.000000000 -0400
2132 +++ linux-2.6.35.5/arch/powerpc/include/asm/pci.h 2010-09-17 20:12:09.000000000 -0400
2133 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2137 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2138 -extern struct dma_map_ops *get_pci_dma_ops(void);
2139 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2140 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2141 #else /* CONFIG_PCI */
2142 #define set_pci_dma_ops(d)
2143 #define get_pci_dma_ops() NULL
2144 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/pte-hash32.h linux-2.6.35.5/arch/powerpc/include/asm/pte-hash32.h
2145 --- linux-2.6.35.5/arch/powerpc/include/asm/pte-hash32.h 2010-08-26 19:47:12.000000000 -0400
2146 +++ linux-2.6.35.5/arch/powerpc/include/asm/pte-hash32.h 2010-09-17 20:12:09.000000000 -0400
2148 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2149 #define _PAGE_USER 0x004 /* usermode access allowed */
2150 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2151 +#define _PAGE_EXEC _PAGE_GUARDED
2152 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2153 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2154 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
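Review bot: `_PAGE_EXEC` is defined as an alias of `_PAGE_GUARDED` with no comment, although the line above documents that bit as `G: prohibit speculative access`. Any mapping that sets `_PAGE_GUARDED` for its original purpose will now also test as `_PAGE_EXEC`, and the reverse, so the intended relationship needs to be written down. Presumably it pairs with the `DSISR_GUARDED` (`fetch from guarded storage`) bit this patch adds to reg.h. A comment of the form `/* no separate exec bit on hash32: reuses G, see DSISR_GUARDED */` would do once the author confirms that reading.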
2155 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/reg.h linux-2.6.35.5/arch/powerpc/include/asm/reg.h
2156 --- linux-2.6.35.5/arch/powerpc/include/asm/reg.h 2010-08-26 19:47:12.000000000 -0400
2157 +++ linux-2.6.35.5/arch/powerpc/include/asm/reg.h 2010-09-17 20:12:09.000000000 -0400
2159 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2160 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2161 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2162 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2163 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2164 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2165 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2166 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/swiotlb.h linux-2.6.35.5/arch/powerpc/include/asm/swiotlb.h
2167 --- linux-2.6.35.5/arch/powerpc/include/asm/swiotlb.h 2010-08-26 19:47:12.000000000 -0400
2168 +++ linux-2.6.35.5/arch/powerpc/include/asm/swiotlb.h 2010-09-17 20:12:09.000000000 -0400
2171 #include <linux/swiotlb.h>
2173 -extern struct dma_map_ops swiotlb_dma_ops;
2174 +extern const struct dma_map_ops swiotlb_dma_ops;
2176 static inline void dma_mark_clean(void *addr, size_t size) {}
2178 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/uaccess.h linux-2.6.35.5/arch/powerpc/include/asm/uaccess.h
2179 --- linux-2.6.35.5/arch/powerpc/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
2180 +++ linux-2.6.35.5/arch/powerpc/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
2182 #define VERIFY_READ 0
2183 #define VERIFY_WRITE 1
2185 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2188 * The fs value determines whether argument validity checking should be
2189 * performed or not. If get_fs() == USER_DS, checking is performed, with
2190 @@ -327,52 +329,6 @@ do { \
2191 extern unsigned long __copy_tofrom_user(void __user *to,
2192 const void __user *from, unsigned long size);
2194 -#ifndef __powerpc64__
2196 -static inline unsigned long copy_from_user(void *to,
2197 - const void __user *from, unsigned long n)
2199 - unsigned long over;
2201 - if (access_ok(VERIFY_READ, from, n))
2202 - return __copy_tofrom_user((__force void __user *)to, from, n);
2203 - if ((unsigned long)from < TASK_SIZE) {
2204 - over = (unsigned long)from + n - TASK_SIZE;
2205 - return __copy_tofrom_user((__force void __user *)to, from,
2211 -static inline unsigned long copy_to_user(void __user *to,
2212 - const void *from, unsigned long n)
2214 - unsigned long over;
2216 - if (access_ok(VERIFY_WRITE, to, n))
2217 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2218 - if ((unsigned long)to < TASK_SIZE) {
2219 - over = (unsigned long)to + n - TASK_SIZE;
2220 - return __copy_tofrom_user(to, (__force void __user *)from,
2226 -#else /* __powerpc64__ */
2228 -#define __copy_in_user(to, from, size) \
2229 - __copy_tofrom_user((to), (from), (size))
2231 -extern unsigned long copy_from_user(void *to, const void __user *from,
2233 -extern unsigned long copy_to_user(void __user *to, const void *from,
2235 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2238 -#endif /* __powerpc64__ */
2240 static inline unsigned long __copy_from_user_inatomic(void *to,
2241 const void __user *from, unsigned long n)
2243 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2248 + if (!__builtin_constant_p(n))
2249 + check_object_size(to, n, false);
2251 return __copy_tofrom_user((__force void __user *)to, from, n);
2254 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2259 + if (!__builtin_constant_p(n))
2260 + check_object_size(from, n, true);
2262 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2265 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2266 return __copy_to_user_inatomic(to, from, size);
2269 +#ifndef __powerpc64__
2271 +static inline unsigned long __must_check copy_from_user(void *to,
2272 + const void __user *from, unsigned long n)
2274 + unsigned long over;
2279 + if (access_ok(VERIFY_READ, from, n)) {
2280 + if (!__builtin_constant_p(n))
2281 + check_object_size(to, n, false);
2282 + return __copy_tofrom_user((__force void __user *)to, from, n);
2284 + if ((unsigned long)from < TASK_SIZE) {
2285 + over = (unsigned long)from + n - TASK_SIZE;
2286 + if (!__builtin_constant_p(n - over))
2287 + check_object_size(to, n - over, false);
2288 + return __copy_tofrom_user((__force void __user *)to, from,
2294 +static inline unsigned long __must_check copy_to_user(void __user *to,
2295 + const void *from, unsigned long n)
2297 + unsigned long over;
2302 + if (access_ok(VERIFY_WRITE, to, n)) {
2303 + if (!__builtin_constant_p(n))
2304 + check_object_size(from, n, true);
2305 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2307 + if ((unsigned long)to < TASK_SIZE) {
2308 + over = (unsigned long)to + n - TASK_SIZE;
2309 + if (!__builtin_constant_p(n))
2310 + check_object_size(from, n - over, true);
2311 + return __copy_tofrom_user(to, (__force void __user *)from,
2317 +#else /* __powerpc64__ */
2319 +#define __copy_in_user(to, from, size) \
2320 + __copy_tofrom_user((to), (from), (size))
2322 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2324 + if ((long)n < 0 || n > INT_MAX)
2327 + if (!__builtin_constant_p(n))
2328 + check_object_size(to, n, false);
2330 + if (likely(access_ok(VERIFY_READ, from, n)))
2331 + n = __copy_from_user(to, from, n);
2337 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2339 + if ((long)n < 0 || n > INT_MAX)
2342 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2343 + if (!__builtin_constant_p(n))
2344 + check_object_size(from, n, true);
2345 + n = __copy_to_user(to, from, n);
2350 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2353 +#endif /* __powerpc64__ */
2355 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2357 static inline unsigned long clear_user(void __user *addr, unsigned long size)
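Review bot: In the 32-bit `copy_to_user()` the partial-copy branch guards `check_object_size(from, n - over, true)` with `__builtin_constant_p(n)`, while the matching branch of `copy_from_user()` tests `__builtin_constant_p(n - over)`; use the same expression in both, `if (!__builtin_constant_p(n - over))`. The 64-bit pair is asymmetric as well: `copy_from_user()` calls `check_object_size()` before `access_ok()` and `copy_to_user()` after it, and both then call `__copy_from_user()`/`__copy_to_user()`, which appear to reach the helpers that gain the same check in the two hunks above, so the object may be checked twice. In `(long)n < 0 || n > INT_MAX` the first test is redundant on 64-bit, since an `unsigned long` with the top bit set already exceeds `INT_MAX`. The statements following each guard are missing from this listing, so what is returned on rejection could not be reviewed, and clear_user() continues outside the hunk.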
2358 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/dma.c linux-2.6.35.5/arch/powerpc/kernel/dma.c
2359 --- linux-2.6.35.5/arch/powerpc/kernel/dma.c 2010-08-26 19:47:12.000000000 -0400
2360 +++ linux-2.6.35.5/arch/powerpc/kernel/dma.c 2010-09-17 20:12:09.000000000 -0400
2361 @@ -135,7 +135,7 @@ static inline void dma_direct_sync_singl
2365 -struct dma_map_ops dma_direct_ops = {
2366 +const struct dma_map_ops dma_direct_ops = {
2367 .alloc_coherent = dma_direct_alloc_coherent,
2368 .free_coherent = dma_direct_free_coherent,
2369 .map_sg = dma_direct_map_sg,
2370 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/dma-iommu.c linux-2.6.35.5/arch/powerpc/kernel/dma-iommu.c
2371 --- linux-2.6.35.5/arch/powerpc/kernel/dma-iommu.c 2010-08-26 19:47:12.000000000 -0400
2372 +++ linux-2.6.35.5/arch/powerpc/kernel/dma-iommu.c 2010-09-17 20:12:09.000000000 -0400
2373 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2376 /* We support DMA to/from any memory page via the iommu */
2377 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2378 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2380 struct iommu_table *tbl = get_iommu_table_base(dev);
2382 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.35.5/arch/powerpc/kernel/dma-swiotlb.c
2383 --- linux-2.6.35.5/arch/powerpc/kernel/dma-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
2384 +++ linux-2.6.35.5/arch/powerpc/kernel/dma-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
2385 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2386 * map_page, and unmap_page on highmem, use normal dma_ops
2387 * for everything else.
2389 -struct dma_map_ops swiotlb_dma_ops = {
2390 +const struct dma_map_ops swiotlb_dma_ops = {
2391 .alloc_coherent = dma_direct_alloc_coherent,
2392 .free_coherent = dma_direct_free_coherent,
2393 .map_sg = swiotlb_map_sg_attrs,
2394 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/exceptions-64e.S linux-2.6.35.5/arch/powerpc/kernel/exceptions-64e.S
2395 --- linux-2.6.35.5/arch/powerpc/kernel/exceptions-64e.S 2010-08-26 19:47:12.000000000 -0400
2396 +++ linux-2.6.35.5/arch/powerpc/kernel/exceptions-64e.S 2010-09-17 20:12:09.000000000 -0400
2397 @@ -455,6 +455,7 @@ storage_fault_common:
2400 addi r3,r1,STACK_FRAME_OVERHEAD
2404 ld r14,PACA_EXGEN+EX_R14(r13)
2405 @@ -464,8 +465,7 @@ storage_fault_common:
2408 b .ret_from_except_lite
2412 addi r3,r1,STACK_FRAME_OVERHEAD
2415 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/exceptions-64s.S linux-2.6.35.5/arch/powerpc/kernel/exceptions-64s.S
2416 --- linux-2.6.35.5/arch/powerpc/kernel/exceptions-64s.S 2010-08-26 19:47:12.000000000 -0400
2417 +++ linux-2.6.35.5/arch/powerpc/kernel/exceptions-64s.S 2010-09-17 20:12:09.000000000 -0400
2418 @@ -840,10 +840,10 @@ handle_page_fault:
2421 addi r3,r1,STACK_FRAME_OVERHEAD
2428 addi r3,r1,STACK_FRAME_OVERHEAD
2430 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/ibmebus.c linux-2.6.35.5/arch/powerpc/kernel/ibmebus.c
2431 --- linux-2.6.35.5/arch/powerpc/kernel/ibmebus.c 2010-08-26 19:47:12.000000000 -0400
2432 +++ linux-2.6.35.5/arch/powerpc/kernel/ibmebus.c 2010-09-17 20:12:09.000000000 -0400
2433 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2437 -static struct dma_map_ops ibmebus_dma_ops = {
2438 +static const struct dma_map_ops ibmebus_dma_ops = {
2439 .alloc_coherent = ibmebus_alloc_coherent,
2440 .free_coherent = ibmebus_free_coherent,
2441 .map_sg = ibmebus_map_sg,
2442 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/kgdb.c linux-2.6.35.5/arch/powerpc/kernel/kgdb.c
2443 --- linux-2.6.35.5/arch/powerpc/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
2444 +++ linux-2.6.35.5/arch/powerpc/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
2445 @@ -128,7 +128,7 @@ static int kgdb_handle_breakpoint(struct
2446 if (kgdb_handle_exception(1, SIGTRAP, 0, regs) != 0)
2449 - if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2450 + if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2454 @@ -360,7 +360,7 @@ int kgdb_arch_handle_exception(int vecto
2458 -struct kgdb_arch arch_kgdb_ops = {
2459 +const struct kgdb_arch arch_kgdb_ops = {
2460 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2463 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/module_32.c linux-2.6.35.5/arch/powerpc/kernel/module_32.c
2464 --- linux-2.6.35.5/arch/powerpc/kernel/module_32.c 2010-08-26 19:47:12.000000000 -0400
2465 +++ linux-2.6.35.5/arch/powerpc/kernel/module_32.c 2010-09-17 20:12:09.000000000 -0400
2466 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2467 me->arch.core_plt_section = i;
2469 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2470 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2471 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
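Review bot: The rewritten `printk()` still carries no log level, unlike the `printk(KERN_ERR ...)` this patch adds in do_plt_call() further down the same file; make it `printk(KERN_ERR "Module %s doesn't contain .plt or .init.plt sections.\n", me->name);`. module_frob_arch_sections() starts and ends outside the hunk.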
2475 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2477 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2478 /* Init, or core PLT? */
2479 - if (location >= mod->module_core
2480 - && location < mod->module_core + mod->core_size)
2481 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2482 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2483 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2485 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2486 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2487 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2489 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2493 /* Find this entry, or if that fails, the next avail. entry */
2494 while (entry->jump[0]) {
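Review bot: The core/init classification in do_plt_call() is now four open-coded `base <= location < base + size` comparisons on two very long lines, which makes a swapped `_rx`/`_rw` or `core`/`init` field hard to spot in review. A small file-local helper keeps each region test to one call, as the parisc part of this patch does with `in_core_rx()`/`in_core_rw()`. The helper name below is made up for this note and the field types are assumed from their use in the hunk. The statement in the new `else` branch after the `printk(KERN_ERR ...)` is missing from this listing, and the function continues outside the hunk.

```c
static inline int plt_loc_within(const void *loc, const void *base,
				 unsigned long size)
{
	return loc >= base && loc < base + size;
}

	/* … unchanged: DEBUGP call at the top of do_plt_call() … */
	if (plt_loc_within(location, mod->module_core_rx, mod->core_size_rx) ||
	    plt_loc_within(location, mod->module_core_rw, mod->core_size_rw))
		entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
	else if (plt_loc_within(location, mod->module_init_rx, mod->init_size_rx) ||
		 plt_loc_within(location, mod->module_init_rw, mod->init_size_rw))
		entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
	/* … unchanged: else branch reporting the invalid R_PPC_REL24 entry … */
```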
2495 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/module.c linux-2.6.35.5/arch/powerpc/kernel/module.c
2496 --- linux-2.6.35.5/arch/powerpc/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
2497 +++ linux-2.6.35.5/arch/powerpc/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
2500 LIST_HEAD(module_bug_list);
2502 +#ifdef CONFIG_PAX_KERNEXEC
2503 void *module_alloc(unsigned long size)
2508 + return vmalloc(size);
2511 +void *module_alloc_exec(unsigned long size)
2513 +void *module_alloc(unsigned long size)
2520 return vmalloc_exec(size);
2523 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2524 vfree(module_region);
2527 +#ifdef CONFIG_PAX_KERNEXEC
2528 +void module_free_exec(struct module *mod, void *module_region)
2530 + module_free(mod, module_region);
2534 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2535 const Elf_Shdr *sechdrs,
2537 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/pci-common.c linux-2.6.35.5/arch/powerpc/kernel/pci-common.c
2538 --- linux-2.6.35.5/arch/powerpc/kernel/pci-common.c 2010-08-26 19:47:12.000000000 -0400
2539 +++ linux-2.6.35.5/arch/powerpc/kernel/pci-common.c 2010-09-17 20:12:09.000000000 -0400
2540 @@ -51,14 +51,14 @@ resource_size_t isa_mem_base;
2541 unsigned int ppc_pci_flags = 0;
2544 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2545 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2547 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2548 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2550 pci_dma_ops = dma_ops;
2553 -struct dma_map_ops *get_pci_dma_ops(void)
2554 +const struct dma_map_ops *get_pci_dma_ops(void)
2558 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/process.c linux-2.6.35.5/arch/powerpc/kernel/process.c
2559 --- linux-2.6.35.5/arch/powerpc/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
2560 +++ linux-2.6.35.5/arch/powerpc/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
2561 @@ -1215,51 +1215,3 @@ unsigned long arch_align_stack(unsigned
2562 sp -= get_random_int() & ~PAGE_MASK;
2566 -static inline unsigned long brk_rnd(void)
2568 - unsigned long rnd = 0;
2570 - /* 8MB for 32bit, 1GB for 64bit */
2571 - if (is_32bit_task())
2572 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2574 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2576 - return rnd << PAGE_SHIFT;
2579 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2581 - unsigned long base = mm->brk;
2582 - unsigned long ret;
2584 -#ifdef CONFIG_PPC_STD_MMU_64
2586 - * If we are using 1TB segments and we are allowed to randomise
2587 - * the heap, we can put it above 1TB so it is backed by a 1TB
2588 - * segment. Otherwise the heap will be in the bottom 1TB
2589 - * which always uses 256MB segments and this may result in a
2590 - * performance penalty.
2592 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2593 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2596 - ret = PAGE_ALIGN(base + brk_rnd());
2598 - if (ret < mm->brk)
2604 -unsigned long randomize_et_dyn(unsigned long base)
2606 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2613 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/signal_32.c linux-2.6.35.5/arch/powerpc/kernel/signal_32.c
2614 --- linux-2.6.35.5/arch/powerpc/kernel/signal_32.c 2010-08-26 19:47:12.000000000 -0400
2615 +++ linux-2.6.35.5/arch/powerpc/kernel/signal_32.c 2010-09-17 20:12:09.000000000 -0400
2616 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2617 /* Save user registers on the stack */
2618 frame = &rt_sf->uc.uc_mcontext;
2620 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2621 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2622 if (save_user_regs(regs, frame, 0, 1))
2624 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
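Review bot: The "no vDSO" sentinel changes from 0 to a bare `~0UL` here, in handle_rt_signal64() and in arch_setup_additional_pages() (vdso.c), so three sites must agree on a magic value. A named constant, e.g. `#define VDSO_BASE_NONE (~0UL)` (name made up for this note), would keep them in step. Any other reader of `context.vdso_base` that still tests for zero would now treat an unmapped vDSO as present and compute addresses from `~0UL`; such readers are not visible in this listing and should be audited. handle_rt_signal32() continues outside the hunk.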
2625 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/signal_64.c linux-2.6.35.5/arch/powerpc/kernel/signal_64.c
2626 --- linux-2.6.35.5/arch/powerpc/kernel/signal_64.c 2010-08-26 19:47:12.000000000 -0400
2627 +++ linux-2.6.35.5/arch/powerpc/kernel/signal_64.c 2010-09-17 20:12:09.000000000 -0400
2628 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2629 current->thread.fpscr.val = 0;
2631 /* Set up to return from userspace. */
2632 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2633 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2634 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2636 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2637 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/vdso.c linux-2.6.35.5/arch/powerpc/kernel/vdso.c
2638 --- linux-2.6.35.5/arch/powerpc/kernel/vdso.c 2010-08-26 19:47:12.000000000 -0400
2639 +++ linux-2.6.35.5/arch/powerpc/kernel/vdso.c 2010-09-17 20:12:09.000000000 -0400
2641 #include <asm/firmware.h>
2642 #include <asm/vdso.h>
2643 #include <asm/vdso_datapage.h>
2644 +#include <asm/mman.h>
2648 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2649 vdso_base = VDSO32_MBASE;
2652 - current->mm->context.vdso_base = 0;
2653 + current->mm->context.vdso_base = ~0UL;
2655 /* vDSO has a problem and was disabled, just don't "enable" it for the
2657 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2658 vdso_base = get_unmapped_area(NULL, vdso_base,
2659 (vdso_pages << PAGE_SHIFT) +
2660 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2662 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2663 if (IS_ERR_VALUE(vdso_base)) {
2666 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/vio.c linux-2.6.35.5/arch/powerpc/kernel/vio.c
2667 --- linux-2.6.35.5/arch/powerpc/kernel/vio.c 2010-08-26 19:47:12.000000000 -0400
2668 +++ linux-2.6.35.5/arch/powerpc/kernel/vio.c 2010-09-17 20:12:09.000000000 -0400
2669 @@ -602,11 +602,12 @@ static void vio_dma_iommu_unmap_sg(struc
2670 vio_cmo_dealloc(viodev, alloc_size);
2673 -struct dma_map_ops vio_dma_mapping_ops = {
2674 +static const struct dma_map_ops vio_dma_mapping_ops = {
2675 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2676 .free_coherent = vio_dma_iommu_free_coherent,
2677 .map_sg = vio_dma_iommu_map_sg,
2678 .unmap_sg = vio_dma_iommu_unmap_sg,
2679 + .dma_supported = dma_iommu_dma_supported,
2680 .map_page = vio_dma_iommu_map_page,
2681 .unmap_page = vio_dma_iommu_unmap_page,
2683 @@ -860,7 +861,6 @@ static void vio_cmo_bus_remove(struct vi
2685 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2687 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2688 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2691 diff -urNp linux-2.6.35.5/arch/powerpc/lib/usercopy_64.c linux-2.6.35.5/arch/powerpc/lib/usercopy_64.c
2692 --- linux-2.6.35.5/arch/powerpc/lib/usercopy_64.c 2010-08-26 19:47:12.000000000 -0400
2693 +++ linux-2.6.35.5/arch/powerpc/lib/usercopy_64.c 2010-09-17 20:12:09.000000000 -0400
2695 #include <linux/module.h>
2696 #include <asm/uaccess.h>
2698 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2700 - if (likely(access_ok(VERIFY_READ, from, n)))
2701 - n = __copy_from_user(to, from, n);
2707 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2709 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2710 - n = __copy_to_user(to, from, n);
2714 unsigned long copy_in_user(void __user *to, const void __user *from,
2717 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2721 -EXPORT_SYMBOL(copy_from_user);
2722 -EXPORT_SYMBOL(copy_to_user);
2723 EXPORT_SYMBOL(copy_in_user);
2725 diff -urNp linux-2.6.35.5/arch/powerpc/mm/fault.c linux-2.6.35.5/arch/powerpc/mm/fault.c
2726 --- linux-2.6.35.5/arch/powerpc/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
2727 +++ linux-2.6.35.5/arch/powerpc/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
2729 #include <linux/kprobes.h>
2730 #include <linux/kdebug.h>
2731 #include <linux/perf_event.h>
2732 +#include <linux/slab.h>
2733 +#include <linux/pagemap.h>
2734 +#include <linux/compiler.h>
2735 +#include <linux/unistd.h>
2737 #include <asm/firmware.h>
2738 #include <asm/page.h>
2740 #include <asm/tlbflush.h>
2741 #include <asm/siginfo.h>
2742 #include <mm/mmu_decl.h>
2743 +#include <asm/ptrace.h>
2745 #ifdef CONFIG_KPROBES
2746 static inline int notify_page_fault(struct pt_regs *regs)
2747 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2751 +#ifdef CONFIG_PAX_PAGEEXEC
2753 + * PaX: decide what to do with offenders (regs->nip = fault address)
2755 + * returns 1 when task should be killed
2757 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2762 +void pax_report_insns(void *pc, void *sp)
2766 + printk(KERN_ERR "PAX: bytes at PC: ");
2767 + for (i = 0; i < 5; i++) {
2769 + if (get_user(c, (unsigned int __user *)pc+i))
2770 + printk(KERN_CONT "???????? ");
2772 + printk(KERN_CONT "%08x ", c);
2779 * Check whether the instruction at regs->nip is a store using
2780 * an update addressing form which will update r1.
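Review bot: `pax_report_insns()` takes `pc` as a plain `void *` and only turns it into a user pointer with a cast inside `get_user()`, and the word count 5 is a bare literal. A comment above the function saying that `pc` is a user-space address and that five 32-bit words starting there are dumped, with `???????? ` printed for any word that cannot be read, would document both. Parts of the two function bodies are not shown in this listing, so the use of `sp` cannot be checked from here.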
2781 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2782 * indicate errors in DSISR but can validly be set in SRR1.
2785 - error_code &= 0x48200000;
2786 + error_code &= 0x58200000;
2788 is_write = error_code & DSISR_ISSTORE;
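Review bot: The mask applied to `error_code` stays a raw hex literal even though the bit this change adds, 0x10000000, is the one a later hunk in this file starts spelling `DSISR_GUARDED`. Writing the new value as `0x48200000 | DSISR_GUARDED`, or adding a comment such as `/* keep the guarded-storage bit so the PAGEEXEC check under bad_area_nosemaphore can see it */`, would show why the mask was widened. `do_page_fault()` continues outside the hunk.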
2790 @@ -257,7 +289,7 @@ good_area:
2791 * "undefined". Of those that can be set, this is the only
2792 * one which seems bad.
2794 - if (error_code & 0x10000000)
2795 + if (error_code & DSISR_GUARDED)
2796 /* Guarded storage error. */
2798 #endif /* CONFIG_8xx */
2799 @@ -272,7 +304,7 @@ good_area:
2800 * processors use the same I/D cache coherency mechanism
2803 - if (error_code & DSISR_PROTFAULT)
2804 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2806 #endif /* CONFIG_PPC_STD_MMU */
2808 @@ -341,6 +373,23 @@ bad_area:
2809 bad_area_nosemaphore:
2810 /* User mode accesses cause a SIGSEGV */
2811 if (user_mode(regs)) {
2813 +#ifdef CONFIG_PAX_PAGEEXEC
2814 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2815 +#ifdef CONFIG_PPC_STD_MMU
2816 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2818 + if (is_exec && regs->nip == address) {
2820 + switch (pax_handle_fetch_fault(regs)) {
2823 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2824 + do_group_exit(SIGKILL);
2829 _exception(SIGSEGV, regs, code, address);
2832 diff -urNp linux-2.6.35.5/arch/powerpc/mm/mmap_64.c linux-2.6.35.5/arch/powerpc/mm/mmap_64.c
2833 --- linux-2.6.35.5/arch/powerpc/mm/mmap_64.c 2010-08-26 19:47:12.000000000 -0400
2834 +++ linux-2.6.35.5/arch/powerpc/mm/mmap_64.c 2010-09-17 20:12:09.000000000 -0400
2835 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2837 if (mmap_is_legacy()) {
2838 mm->mmap_base = TASK_UNMAPPED_BASE;
2840 +#ifdef CONFIG_PAX_RANDMMAP
2841 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2842 + mm->mmap_base += mm->delta_mmap;
2845 mm->get_unmapped_area = arch_get_unmapped_area;
2846 mm->unmap_area = arch_unmap_area;
2848 mm->mmap_base = mmap_base();
2850 +#ifdef CONFIG_PAX_RANDMMAP
2851 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2852 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2855 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2856 mm->unmap_area = arch_unmap_area_topdown;
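Review bot: In the top-down branch, `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` is unsigned arithmetic with no visible lower bound, so a base from `mmap_base()` that is smaller than the two deltas combined would wrap to a very high address. Whether that can happen depends on the gap `mmap_base()` computes and on the PAX_DELTA_*_LEN values, neither of which is shown here; a clamp or a comment stating the invariant would settle it. A one-line comment on why `delta_stack` is subtracted as well as `delta_mmap` (presumably because the stack top has already been moved by that amount) would also help. The same pair of additions appears in both hunks of arch/s390/mm/mmap.c.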
2858 diff -urNp linux-2.6.35.5/arch/powerpc/mm/slice.c linux-2.6.35.5/arch/powerpc/mm/slice.c
2859 --- linux-2.6.35.5/arch/powerpc/mm/slice.c 2010-08-26 19:47:12.000000000 -0400
2860 +++ linux-2.6.35.5/arch/powerpc/mm/slice.c 2010-09-17 20:12:09.000000000 -0400
2861 @@ -98,10 +98,9 @@ static int slice_area_is_free(struct mm_
2862 if ((mm->task_size - len) < addr)
2864 vma = find_vma(mm, addr);
2865 - return (!vma || (addr + len) <= vma->vm_start);
2866 + return check_heap_stack_gap(vma, addr, len);
2869 -static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2871 return !slice_area_is_free(mm, slice << SLICE_LOW_SHIFT,
2872 1ul << SLICE_LOW_SHIFT);
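Review bot: Every call site converted to `check_heap_stack_gap(vma, addr, len)` used to short-circuit on `!vma`, so the helper has to accept a NULL `vma` and report the range as free. Its definition is not part of this file, and that contract should be stated in a comment where it is declared. The next two hunks in this file and the five hunks in arch/sh/mm/mmap.c rely on the same contract; the one sh call that passes `addr - len` is consistent with the old `addr <= vma->vm_start` test. `slice_area_is_free()` begins outside the hunk.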
2873 @@ -256,7 +255,7 @@ full_search:
2874 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2877 - if (!vma || addr + len <= vma->vm_start) {
2878 + if (check_heap_stack_gap(vma, addr, len)) {
2880 * Remember the place where we stopped the search:
2882 @@ -336,7 +335,7 @@ static unsigned long slice_find_area_top
2883 * return with success:
2885 vma = find_vma(mm, addr);
2886 - if (!vma || (addr + len) <= vma->vm_start) {
2887 + if (check_heap_stack_gap(vma, addr, len)) {
2888 /* remember the address as a hint for next time */
2890 mm->free_area_cache = addr;
2891 @@ -426,6 +425,11 @@ unsigned long slice_get_unmapped_area(un
2892 if (fixed && addr > (mm->task_size - len))
2895 +#ifdef CONFIG_PAX_RANDMMAP
2896 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2900 /* If hint, make sure it matches our alignment restrictions */
2901 if (!fixed && addr) {
2902 addr = _ALIGN_UP(addr, 1ul << pshift);
2903 diff -urNp linux-2.6.35.5/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.35.5/arch/powerpc/platforms/52xx/lite5200_pm.c
2904 --- linux-2.6.35.5/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-08-26 19:47:12.000000000 -0400
2905 +++ linux-2.6.35.5/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-09-17 20:12:09.000000000 -0400
2906 @@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
2907 lite5200_pm_target_state = PM_SUSPEND_ON;
2910 -static struct platform_suspend_ops lite5200_pm_ops = {
2911 +static const struct platform_suspend_ops lite5200_pm_ops = {
2912 .valid = lite5200_pm_valid,
2913 .begin = lite5200_pm_begin,
2914 .prepare = lite5200_pm_prepare,
2915 diff -urNp linux-2.6.35.5/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.35.5/arch/powerpc/platforms/52xx/mpc52xx_pm.c
2916 --- linux-2.6.35.5/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-08-26 19:47:12.000000000 -0400
2917 +++ linux-2.6.35.5/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-09-17 20:12:09.000000000 -0400
2918 @@ -189,7 +189,7 @@ void mpc52xx_pm_finish(void)
2922 -static struct platform_suspend_ops mpc52xx_pm_ops = {
2923 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
2924 .valid = mpc52xx_pm_valid,
2925 .prepare = mpc52xx_pm_prepare,
2926 .enter = mpc52xx_pm_enter,
2927 diff -urNp linux-2.6.35.5/arch/powerpc/platforms/83xx/suspend.c linux-2.6.35.5/arch/powerpc/platforms/83xx/suspend.c
2928 --- linux-2.6.35.5/arch/powerpc/platforms/83xx/suspend.c 2010-08-26 19:47:12.000000000 -0400
2929 +++ linux-2.6.35.5/arch/powerpc/platforms/83xx/suspend.c 2010-09-17 20:12:09.000000000 -0400
2930 @@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
2934 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
2935 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
2936 .valid = mpc83xx_suspend_valid,
2937 .begin = mpc83xx_suspend_begin,
2938 .enter = mpc83xx_suspend_enter,
2939 diff -urNp linux-2.6.35.5/arch/powerpc/platforms/cell/iommu.c linux-2.6.35.5/arch/powerpc/platforms/cell/iommu.c
2940 --- linux-2.6.35.5/arch/powerpc/platforms/cell/iommu.c 2010-08-26 19:47:12.000000000 -0400
2941 +++ linux-2.6.35.5/arch/powerpc/platforms/cell/iommu.c 2010-09-17 20:12:09.000000000 -0400
2942 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
2944 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
2946 -struct dma_map_ops dma_iommu_fixed_ops = {
2947 +const struct dma_map_ops dma_iommu_fixed_ops = {
2948 .alloc_coherent = dma_fixed_alloc_coherent,
2949 .free_coherent = dma_fixed_free_coherent,
2950 .map_sg = dma_fixed_map_sg,
2951 diff -urNp linux-2.6.35.5/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.35.5/arch/powerpc/platforms/ps3/system-bus.c
2952 --- linux-2.6.35.5/arch/powerpc/platforms/ps3/system-bus.c 2010-08-26 19:47:12.000000000 -0400
2953 +++ linux-2.6.35.5/arch/powerpc/platforms/ps3/system-bus.c 2010-09-17 20:12:09.000000000 -0400
2954 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
2955 return mask >= DMA_BIT_MASK(32);
2958 -static struct dma_map_ops ps3_sb_dma_ops = {
2959 +static const struct dma_map_ops ps3_sb_dma_ops = {
2960 .alloc_coherent = ps3_alloc_coherent,
2961 .free_coherent = ps3_free_coherent,
2962 .map_sg = ps3_sb_map_sg,
2963 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
2964 .unmap_page = ps3_unmap_page,
2967 -static struct dma_map_ops ps3_ioc0_dma_ops = {
2968 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
2969 .alloc_coherent = ps3_alloc_coherent,
2970 .free_coherent = ps3_free_coherent,
2971 .map_sg = ps3_ioc0_map_sg,
2972 diff -urNp linux-2.6.35.5/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.35.5/arch/powerpc/sysdev/fsl_pmc.c
2973 --- linux-2.6.35.5/arch/powerpc/sysdev/fsl_pmc.c 2010-08-26 19:47:12.000000000 -0400
2974 +++ linux-2.6.35.5/arch/powerpc/sysdev/fsl_pmc.c 2010-09-17 20:12:09.000000000 -0400
2975 @@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
2979 -static struct platform_suspend_ops pmc_suspend_ops = {
2980 +static const struct platform_suspend_ops pmc_suspend_ops = {
2981 .valid = pmc_suspend_valid,
2982 .enter = pmc_suspend_enter,
2984 diff -urNp linux-2.6.35.5/arch/s390/include/asm/elf.h linux-2.6.35.5/arch/s390/include/asm/elf.h
2985 --- linux-2.6.35.5/arch/s390/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
2986 +++ linux-2.6.35.5/arch/s390/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
2987 @@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
2988 that it will "exec", and that there is sufficient room for the brk. */
2989 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
2991 +#ifdef CONFIG_PAX_ASLR
2992 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
2994 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2995 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2998 /* This yields a mask that user programs can use to figure out what
2999 instruction set this CPU supports. */
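Review bot: The three PAX_* macros carry no comment, and the literals 15 and 26 give no hint of their unit. A short comment such as `/* number of randomised bits for 31-bit / 64-bit tasks */` would do, once confirmed against the code that consumes `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN`. The stray space in `26 )` could be dropped at the same time.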
3001 diff -urNp linux-2.6.35.5/arch/s390/include/asm/uaccess.h linux-2.6.35.5/arch/s390/include/asm/uaccess.h
3002 --- linux-2.6.35.5/arch/s390/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
3003 +++ linux-2.6.35.5/arch/s390/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
3004 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3005 copy_to_user(void __user *to, const void *from, unsigned long n)
3012 if (access_ok(VERIFY_WRITE, to, n))
3013 n = __copy_to_user(to, from, n);
3015 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3016 static inline unsigned long __must_check
3017 __copy_from_user(void *to, const void __user *from, unsigned long n)
3022 if (__builtin_constant_p(n) && (n <= 256))
3023 return uaccess.copy_from_user_small(n, from, to);
3025 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3026 unsigned int sz = __compiletime_object_size(to);
3033 if (unlikely(sz != -1 && sz < n)) {
3034 copy_from_user_overflow();
3036 diff -urNp linux-2.6.35.5/arch/s390/Kconfig linux-2.6.35.5/arch/s390/Kconfig
3037 --- linux-2.6.35.5/arch/s390/Kconfig 2010-08-26 19:47:12.000000000 -0400
3038 +++ linux-2.6.35.5/arch/s390/Kconfig 2010-09-17 20:12:09.000000000 -0400
3039 @@ -230,13 +230,12 @@ config AUDIT_ARCH
3041 config S390_EXEC_PROTECT
3042 bool "Data execute protection"
3045 This option allows to enable a buffer overflow protection for user
3046 - space programs and it also selects the addressing mode option above.
3047 - The kernel parameter noexec=on will enable this feature and also
3048 - switch the addressing modes, default is disabled. Enabling this (via
3049 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3050 - will reduce system performance.
3052 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
3053 + reduce system performance.
3055 comment "Code generation options"
3057 diff -urNp linux-2.6.35.5/arch/s390/kernel/module.c linux-2.6.35.5/arch/s390/kernel/module.c
3058 --- linux-2.6.35.5/arch/s390/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
3059 +++ linux-2.6.35.5/arch/s390/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
3060 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3062 /* Increase core size by size of got & plt and set start
3063 offsets for got and plt. */
3064 - me->core_size = ALIGN(me->core_size, 4);
3065 - me->arch.got_offset = me->core_size;
3066 - me->core_size += me->arch.got_size;
3067 - me->arch.plt_offset = me->core_size;
3068 - me->core_size += me->arch.plt_size;
3069 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3070 + me->arch.got_offset = me->core_size_rw;
3071 + me->core_size_rw += me->arch.got_size;
3072 + me->arch.plt_offset = me->core_size_rx;
3073 + me->core_size_rx += me->arch.plt_size;
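Review bot: The PLT offset is now taken from `me->core_size_rx` without the `ALIGN(..., 4)` that the old code applied before laying out GOT and PLT in one region; only `core_size_rw` is aligned. The PLT stubs are written through an `unsigned int *` further down in `apply_rela()` (`ip[0] = 0x0d105810`), so unless `core_size_rx` is already 4-byte aligned at this point (not visible here), add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before `me->arch.plt_offset = me->core_size_rx;`. `module_frob_arch_sections()` starts outside the hunk.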
3077 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3078 if (info->got_initialized == 0) {
3081 - gotent = me->module_core + me->arch.got_offset +
3082 + gotent = me->module_core_rw + me->arch.got_offset +
3085 info->got_initialized = 1;
3086 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3087 else if (r_type == R_390_GOTENT ||
3088 r_type == R_390_GOTPLTENT)
3089 *(unsigned int *) loc =
3090 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3091 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3092 else if (r_type == R_390_GOT64 ||
3093 r_type == R_390_GOTPLT64)
3094 *(unsigned long *) loc = val;
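Review bot: `R_390_GOTENT` and `R_390_GOTPLTENT` store a halfword-shifted offset from `loc` to the GOT in 32 bits, and with the GOT now addressed from `me->module_core_rw` that distance is no longer bounded by the size of one module region. If the RW and RX parts can be allocated far apart (their allocation is not shown in this diff), the stored value can be truncated silently. A range test like the one the PLT branch applies, `val - loc + 0xffffffffULL < 0x1fffffffeULL`, before the store would catch that. The same question applies to the `R_390_GOTPC`/`R_390_GOTPCDBL` hunk at the end of this file.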
3095 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3096 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3097 if (info->plt_initialized == 0) {
3099 - ip = me->module_core + me->arch.plt_offset +
3100 + ip = me->module_core_rx + me->arch.plt_offset +
3102 #ifndef CONFIG_64BIT
3103 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3104 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3105 val - loc + 0xffffUL < 0x1ffffeUL) ||
3106 (r_type == R_390_PLT32DBL &&
3107 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3108 - val = (Elf_Addr) me->module_core +
3109 + val = (Elf_Addr) me->module_core_rx +
3110 me->arch.plt_offset +
3112 val += rela->r_addend - loc;
3113 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3114 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3115 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3116 val = val + rela->r_addend -
3117 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3118 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3119 if (r_type == R_390_GOTOFF16)
3120 *(unsigned short *) loc = val;
3121 else if (r_type == R_390_GOTOFF32)
3122 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3124 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3125 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3126 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3127 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3128 rela->r_addend - loc;
3129 if (r_type == R_390_GOTPC)
3130 *(unsigned int *) loc = val;
3131 diff -urNp linux-2.6.35.5/arch/s390/kernel/setup.c linux-2.6.35.5/arch/s390/kernel/setup.c
3132 --- linux-2.6.35.5/arch/s390/kernel/setup.c 2010-08-26 19:47:12.000000000 -0400
3133 +++ linux-2.6.35.5/arch/s390/kernel/setup.c 2010-09-17 20:12:09.000000000 -0400
3134 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3136 early_param("mem", early_parse_mem);
3138 -unsigned int user_mode = HOME_SPACE_MODE;
3139 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3140 EXPORT_SYMBOL_GPL(user_mode);
3142 static int set_amode_and_uaccess(unsigned long user_amode,
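Review bot: With the default switched to `SECONDARY_SPACE_MODE` and the `noexec` and `switch_amode` handlers removed in the following hunks, the only remaining knob is `user_mode=`, and `early_parse_user_mode()` still accepts `primary` (visible in the next hunk's context). If execute protection depends on secondary-space mode, as the removed `early_parse_noexec()` suggests, that parameter can still switch the protection off at boot; consider ignoring it, or logging a warning, when `CONFIG_S390_EXEC_PROTECT` is set. Boot command lines that still carry `noexec=` or `switch_amode` will now have them ignored without a message, which deserves a line in the Kconfig help or the changelog.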
3143 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3148 - * Switch kernel/user addressing modes?
3150 -static int __init early_parse_switch_amode(char *p)
3152 - if (user_mode != SECONDARY_SPACE_MODE)
3153 - user_mode = PRIMARY_SPACE_MODE;
3156 -early_param("switch_amode", early_parse_switch_amode);
3158 static int __init early_parse_user_mode(char *p)
3160 if (p && strcmp(p, "primary") == 0)
3161 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3163 early_param("user_mode", early_parse_user_mode);
3165 -#ifdef CONFIG_S390_EXEC_PROTECT
3167 - * Enable execute protection?
3169 -static int __init early_parse_noexec(char *p)
3171 - if (!strncmp(p, "off", 3))
3173 - user_mode = SECONDARY_SPACE_MODE;
3176 -early_param("noexec", early_parse_noexec);
3177 -#endif /* CONFIG_S390_EXEC_PROTECT */
3179 static void setup_addressing_mode(void)
3181 if (user_mode == SECONDARY_SPACE_MODE) {
3182 diff -urNp linux-2.6.35.5/arch/s390/mm/maccess.c linux-2.6.35.5/arch/s390/mm/maccess.c
3183 --- linux-2.6.35.5/arch/s390/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
3184 +++ linux-2.6.35.5/arch/s390/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
3185 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3186 return rc ? rc : count;
3189 -long probe_kernel_write(void *dst, void *src, size_t size)
3190 +long probe_kernel_write(void *dst, const void *src, size_t size)
3194 diff -urNp linux-2.6.35.5/arch/s390/mm/mmap.c linux-2.6.35.5/arch/s390/mm/mmap.c
3195 --- linux-2.6.35.5/arch/s390/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
3196 +++ linux-2.6.35.5/arch/s390/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
3197 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3199 if (mmap_is_legacy()) {
3200 mm->mmap_base = TASK_UNMAPPED_BASE;
3202 +#ifdef CONFIG_PAX_RANDMMAP
3203 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3204 + mm->mmap_base += mm->delta_mmap;
3207 mm->get_unmapped_area = arch_get_unmapped_area;
3208 mm->unmap_area = arch_unmap_area;
3210 mm->mmap_base = mmap_base();
3212 +#ifdef CONFIG_PAX_RANDMMAP
3213 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3214 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3217 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3218 mm->unmap_area = arch_unmap_area_topdown;
3220 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3222 if (mmap_is_legacy()) {
3223 mm->mmap_base = TASK_UNMAPPED_BASE;
3225 +#ifdef CONFIG_PAX_RANDMMAP
3226 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3227 + mm->mmap_base += mm->delta_mmap;
3230 mm->get_unmapped_area = s390_get_unmapped_area;
3231 mm->unmap_area = arch_unmap_area;
3233 mm->mmap_base = mmap_base();
3235 +#ifdef CONFIG_PAX_RANDMMAP
3236 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3237 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3240 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3241 mm->unmap_area = arch_unmap_area_topdown;
3243 diff -urNp linux-2.6.35.5/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.35.5/arch/sh/boards/mach-hp6xx/pm.c
3244 --- linux-2.6.35.5/arch/sh/boards/mach-hp6xx/pm.c 2010-08-26 19:47:12.000000000 -0400
3245 +++ linux-2.6.35.5/arch/sh/boards/mach-hp6xx/pm.c 2010-09-17 20:12:09.000000000 -0400
3246 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3250 -static struct platform_suspend_ops hp6x0_pm_ops = {
3251 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3252 .enter = hp6x0_pm_enter,
3253 .valid = suspend_valid_only_mem,
3255 diff -urNp linux-2.6.35.5/arch/sh/include/asm/dma-mapping.h linux-2.6.35.5/arch/sh/include/asm/dma-mapping.h
3256 --- linux-2.6.35.5/arch/sh/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3257 +++ linux-2.6.35.5/arch/sh/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
3259 #ifndef __ASM_SH_DMA_MAPPING_H
3260 #define __ASM_SH_DMA_MAPPING_H
3262 -extern struct dma_map_ops *dma_ops;
3263 +extern const struct dma_map_ops *dma_ops;
3264 extern void no_iommu_init(void);
3266 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3267 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3271 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3273 static inline int dma_supported(struct device *dev, u64 mask)
3275 - struct dma_map_ops *ops = get_dma_ops(dev);
3276 + const struct dma_map_ops *ops = get_dma_ops(dev);
3278 if (ops->dma_supported)
3279 return ops->dma_supported(dev, mask);
3280 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3282 static inline int dma_set_mask(struct device *dev, u64 mask)
3284 - struct dma_map_ops *ops = get_dma_ops(dev);
3285 + const struct dma_map_ops *ops = get_dma_ops(dev);
3287 if (!dev->dma_mask || !dma_supported(dev, mask))
3289 @@ -59,7 +59,7 @@ static inline int dma_get_cache_alignmen
3291 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3293 - struct dma_map_ops *ops = get_dma_ops(dev);
3294 + const struct dma_map_ops *ops = get_dma_ops(dev);
3296 if (ops->mapping_error)
3297 return ops->mapping_error(dev, dma_addr);
3298 @@ -70,7 +70,7 @@ static inline int dma_mapping_error(stru
3299 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3300 dma_addr_t *dma_handle, gfp_t gfp)
3302 - struct dma_map_ops *ops = get_dma_ops(dev);
3303 + const struct dma_map_ops *ops = get_dma_ops(dev);
3306 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3307 @@ -87,7 +87,7 @@ static inline void *dma_alloc_coherent(s
3308 static inline void dma_free_coherent(struct device *dev, size_t size,
3309 void *vaddr, dma_addr_t dma_handle)
3311 - struct dma_map_ops *ops = get_dma_ops(dev);
3312 + const struct dma_map_ops *ops = get_dma_ops(dev);
3314 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3316 diff -urNp linux-2.6.35.5/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.35.5/arch/sh/kernel/cpu/shmobile/pm.c
3317 --- linux-2.6.35.5/arch/sh/kernel/cpu/shmobile/pm.c 2010-08-26 19:47:12.000000000 -0400
3318 +++ linux-2.6.35.5/arch/sh/kernel/cpu/shmobile/pm.c 2010-09-17 20:12:09.000000000 -0400
3319 @@ -141,7 +141,7 @@ static int sh_pm_enter(suspend_state_t s
3323 -static struct platform_suspend_ops sh_pm_ops = {
3324 +static const struct platform_suspend_ops sh_pm_ops = {
3325 .enter = sh_pm_enter,
3326 .valid = suspend_valid_only_mem,
3328 diff -urNp linux-2.6.35.5/arch/sh/kernel/dma-nommu.c linux-2.6.35.5/arch/sh/kernel/dma-nommu.c
3329 --- linux-2.6.35.5/arch/sh/kernel/dma-nommu.c 2010-08-26 19:47:12.000000000 -0400
3330 +++ linux-2.6.35.5/arch/sh/kernel/dma-nommu.c 2010-09-17 20:12:09.000000000 -0400
3331 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3335 -struct dma_map_ops nommu_dma_ops = {
3336 +const struct dma_map_ops nommu_dma_ops = {
3337 .alloc_coherent = dma_generic_alloc_coherent,
3338 .free_coherent = dma_generic_free_coherent,
3339 .map_page = nommu_map_page,
3340 diff -urNp linux-2.6.35.5/arch/sh/kernel/kgdb.c linux-2.6.35.5/arch/sh/kernel/kgdb.c
3341 --- linux-2.6.35.5/arch/sh/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
3342 +++ linux-2.6.35.5/arch/sh/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
3343 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3344 unregister_die_notifier(&kgdb_notifier);
3347 -struct kgdb_arch arch_kgdb_ops = {
3348 +const struct kgdb_arch arch_kgdb_ops = {
3349 /* Breakpoint instruction: trapa #0x3c */
3350 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3351 .gdb_bpt_instr = { 0x3c, 0xc3 },
3352 diff -urNp linux-2.6.35.5/arch/sh/mm/consistent.c linux-2.6.35.5/arch/sh/mm/consistent.c
3353 --- linux-2.6.35.5/arch/sh/mm/consistent.c 2010-08-26 19:47:12.000000000 -0400
3354 +++ linux-2.6.35.5/arch/sh/mm/consistent.c 2010-09-17 20:12:09.000000000 -0400
3357 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3359 -struct dma_map_ops *dma_ops;
3360 +const struct dma_map_ops *dma_ops;
3361 EXPORT_SYMBOL(dma_ops);
3363 static int __init dma_init(void)
3364 diff -urNp linux-2.6.35.5/arch/sh/mm/mmap.c linux-2.6.35.5/arch/sh/mm/mmap.c
3365 --- linux-2.6.35.5/arch/sh/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
3366 +++ linux-2.6.35.5/arch/sh/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
3367 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3368 addr = PAGE_ALIGN(addr);
3370 vma = find_vma(mm, addr);
3371 - if (TASK_SIZE - len >= addr &&
3372 - (!vma || addr + len <= vma->vm_start))
3373 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3377 @@ -106,7 +105,7 @@ full_search:
3381 - if (likely(!vma || addr + len <= vma->vm_start)) {
3382 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3384 * Remember the place where we stopped the search:
3386 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3387 addr = PAGE_ALIGN(addr);
3389 vma = find_vma(mm, addr);
3390 - if (TASK_SIZE - len >= addr &&
3391 - (!vma || addr + len <= vma->vm_start))
3392 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3396 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3397 /* make sure it can fit in the remaining address space */
3398 if (likely(addr > len)) {
3399 vma = find_vma(mm, addr-len);
3400 - if (!vma || addr <= vma->vm_start) {
3401 + if (check_heap_stack_gap(vma, addr - len, len)) {
3402 /* remember the address as a hint for next time */
3403 return (mm->free_area_cache = addr-len);
3405 @@ -199,7 +197,7 @@ arch_get_unmapped_area_topdown(struct fi
3406 * return with success:
3408 vma = find_vma(mm, addr);
3409 - if (likely(!vma || addr+len <= vma->vm_start)) {
3410 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3411 /* remember the address as a hint for next time */
3412 return (mm->free_area_cache = addr);
3414 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/atomic_64.h linux-2.6.35.5/arch/sparc/include/asm/atomic_64.h
3415 --- linux-2.6.35.5/arch/sparc/include/asm/atomic_64.h 2010-08-26 19:47:12.000000000 -0400
3416 +++ linux-2.6.35.5/arch/sparc/include/asm/atomic_64.h 2010-09-17 20:12:09.000000000 -0400
3418 #define ATOMIC64_INIT(i) { (i) }
3420 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3421 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3423 + return v->counter;
3425 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3426 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3428 + return v->counter;
3431 #define atomic_set(v, i) (((v)->counter) = i)
3432 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3436 #define atomic64_set(v, i) (((v)->counter) = i)
3437 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3442 extern void atomic_add(int, atomic_t *);
3443 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3444 extern void atomic64_add(long, atomic64_t *);
3445 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3446 extern void atomic_sub(int, atomic_t *);
3447 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3448 extern void atomic64_sub(long, atomic64_t *);
3449 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3451 extern int atomic_add_ret(int, atomic_t *);
3452 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3453 extern long atomic64_add_ret(long, atomic64_t *);
3454 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3455 extern int atomic_sub_ret(int, atomic_t *);
3456 extern long atomic64_sub_ret(long, atomic64_t *);
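Review bot: `atomic_read_unchecked()` and `atomic64_read_unchecked()` return `v->counter` with a plain load, while the `atomic_read` and `atomic64_read` macros directly above them force a volatile access. Unless `counter` in `atomic_unchecked_t` and `atomic64_unchecked_t` is itself declared volatile (the typedefs are not in this diff), the compiler may hoist or merge these loads in a polling loop. Using `return *(const volatile int *)&v->counter;` and `return *(const volatile long *)&v->counter;` would match the checked versions.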
3458 @@ -33,7 +55,15 @@ extern long atomic64_sub_ret(long, atomi
3459 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3461 #define atomic_inc_return(v) atomic_add_ret(1, v)
3462 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3464 + return atomic_add_ret_unchecked(1, v);
3466 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3467 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3469 + return atomic64_add_ret_unchecked(1, v);
3472 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3473 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3474 @@ -59,10 +89,26 @@ extern long atomic64_sub_ret(long, atomi
3475 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3477 #define atomic_inc(v) atomic_add(1, v)
3478 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3480 + atomic_add_unchecked(1, v);
3482 #define atomic64_inc(v) atomic64_add(1, v)
3483 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3485 + atomic64_add_unchecked(1, v);
3488 #define atomic_dec(v) atomic_sub(1, v)
3489 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3491 + atomic_sub_unchecked(1, v);
3493 #define atomic64_dec(v) atomic64_sub(1, v)
3494 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3496 + atomic64_sub_unchecked(1, v);
3499 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3500 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3501 @@ -72,17 +118,28 @@ extern long atomic64_sub_ret(long, atomi
3503 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3509 - if (unlikely(c == (u)))
3510 + if (unlikely(c == u))
3512 - old = atomic_cmpxchg((v), c, c + (a));
3514 + asm volatile("addcc %2, %0, %0\n"
3516 +#ifdef CONFIG_PAX_REFCOUNT
3521 + : "0" (c), "ir" (a)
3524 + old = atomic_cmpxchg(v, c, new);
3525 if (likely(old == c))
3533 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3534 @@ -93,17 +150,28 @@ static inline int atomic_add_unless(atom
3536 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3540 c = atomic64_read(v);
3542 - if (unlikely(c == (u)))
3543 + if (unlikely(c == u))
3545 - old = atomic64_cmpxchg((v), c, c + (a));
3547 + asm volatile("addcc %2, %0, %0\n"
3549 +#ifdef CONFIG_PAX_REFCOUNT
3554 + : "0" (c), "ir" (a)
3557 + old = atomic64_cmpxchg(v, c, new);
3558 if (likely(old == c))
3566 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3567 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/dma-mapping.h linux-2.6.35.5/arch/sparc/include/asm/dma-mapping.h
3568 --- linux-2.6.35.5/arch/sparc/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3569 +++ linux-2.6.35.5/arch/sparc/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
3570 @@ -13,10 +13,10 @@ extern int dma_supported(struct device *
3571 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3572 #define dma_is_consistent(d, h) (1)
3574 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3575 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3576 extern struct bus_type pci_bus_type;
3578 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3579 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3581 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3582 if (dev->bus == &pci_bus_type)
3583 @@ -30,7 +30,7 @@ static inline struct dma_map_ops *get_dm
3584 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3585 dma_addr_t *dma_handle, gfp_t flag)
3587 - struct dma_map_ops *ops = get_dma_ops(dev);
3588 + const struct dma_map_ops *ops = get_dma_ops(dev);
3591 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3592 @@ -41,7 +41,7 @@ static inline void *dma_alloc_coherent(s
3593 static inline void dma_free_coherent(struct device *dev, size_t size,
3594 void *cpu_addr, dma_addr_t dma_handle)
3596 - struct dma_map_ops *ops = get_dma_ops(dev);
3597 + const struct dma_map_ops *ops = get_dma_ops(dev);
3599 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3600 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3601 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/elf_32.h linux-2.6.35.5/arch/sparc/include/asm/elf_32.h
3602 --- linux-2.6.35.5/arch/sparc/include/asm/elf_32.h 2010-08-26 19:47:12.000000000 -0400
3603 +++ linux-2.6.35.5/arch/sparc/include/asm/elf_32.h 2010-09-17 20:12:09.000000000 -0400
3604 @@ -114,6 +114,13 @@ typedef struct {
3606 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3608 +#ifdef CONFIG_PAX_ASLR
3609 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3611 +#define PAX_DELTA_MMAP_LEN 16
3612 +#define PAX_DELTA_STACK_LEN 16
3615 /* This yields a mask that user programs can use to figure out what
3616 instruction set this cpu supports. This can NOT be done in userspace
3618 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/elf_64.h linux-2.6.35.5/arch/sparc/include/asm/elf_64.h
3619 --- linux-2.6.35.5/arch/sparc/include/asm/elf_64.h 2010-08-26 19:47:12.000000000 -0400
3620 +++ linux-2.6.35.5/arch/sparc/include/asm/elf_64.h 2010-09-17 20:12:09.000000000 -0400
3621 @@ -162,6 +162,12 @@ typedef struct {
3622 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3623 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3625 +#ifdef CONFIG_PAX_ASLR
3626 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3628 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3629 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3632 /* This yields a mask that user programs can use to figure out what
3633 instruction set this cpu supports. */
3634 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/pgtable_32.h linux-2.6.35.5/arch/sparc/include/asm/pgtable_32.h
3635 --- linux-2.6.35.5/arch/sparc/include/asm/pgtable_32.h 2010-08-26 19:47:12.000000000 -0400
3636 +++ linux-2.6.35.5/arch/sparc/include/asm/pgtable_32.h 2010-09-17 20:12:09.000000000 -0400
3637 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3638 BTFIXUPDEF_INT(page_none)
3639 BTFIXUPDEF_INT(page_copy)
3640 BTFIXUPDEF_INT(page_readonly)
3642 +#ifdef CONFIG_PAX_PAGEEXEC
3643 +BTFIXUPDEF_INT(page_shared_noexec)
3644 +BTFIXUPDEF_INT(page_copy_noexec)
3645 +BTFIXUPDEF_INT(page_readonly_noexec)
3648 BTFIXUPDEF_INT(page_kernel)
3650 #define PMD_SHIFT SUN4C_PMD_SHIFT
3651 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3652 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3653 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3655 +#ifdef CONFIG_PAX_PAGEEXEC
3656 +extern pgprot_t PAGE_SHARED_NOEXEC;
3657 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3658 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3660 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3661 +# define PAGE_COPY_NOEXEC PAGE_COPY
3662 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3665 extern unsigned long page_kernel;
3668 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.35.5/arch/sparc/include/asm/pgtsrmmu.h
3669 --- linux-2.6.35.5/arch/sparc/include/asm/pgtsrmmu.h 2010-08-26 19:47:12.000000000 -0400
3670 +++ linux-2.6.35.5/arch/sparc/include/asm/pgtsrmmu.h 2010-09-17 20:12:09.000000000 -0400
3671 @@ -115,6 +115,13 @@
3672 SRMMU_EXEC | SRMMU_REF)
3673 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3674 SRMMU_EXEC | SRMMU_REF)
3676 +#ifdef CONFIG_PAX_PAGEEXEC
3677 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3678 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3679 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3682 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3683 SRMMU_DIRTY | SRMMU_REF)
3685 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/spinlock_64.h linux-2.6.35.5/arch/sparc/include/asm/spinlock_64.h
3686 --- linux-2.6.35.5/arch/sparc/include/asm/spinlock_64.h 2010-08-26 19:47:12.000000000 -0400
3687 +++ linux-2.6.35.5/arch/sparc/include/asm/spinlock_64.h 2010-09-17 20:12:09.000000000 -0400
3688 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3689 __asm__ __volatile__ (
3690 "1: ldsw [%2], %0\n"
3692 -"4: add %0, 1, %1\n"
3693 +"4: addcc %0, 1, %1\n"
3695 +#ifdef CONFIG_PAX_REFCOUNT
3699 " cas [%2], %0, %1\n"
3701 " bne,pn %%icc, 1b\n"
3702 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3704 : "=&r" (tmp1), "=&r" (tmp2)
3707 + : "memory", "cc");
3710 static int inline arch_read_trylock(arch_rwlock_t *lock)
3711 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3712 "1: ldsw [%2], %0\n"
3713 " brlz,a,pn %0, 2f\n"
3716 +" addcc %0, 1, %1\n"
3718 +#ifdef CONFIG_PAX_REFCOUNT
3722 " cas [%2], %0, %1\n"
3724 " bne,pn %%icc, 1b\n"
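Review bot: `arch_read_trylock` now sets the condition codes with `addcc`, but no hunk adds `"cc"` to its clobber list the way the `arch_read_lock` hunk above changes its list to `: "memory", "cc");`. The same holds for the `subcc` added to `arch_read_unlock` in the next hunk. Both clobber lists lie outside the hunks shown, so this needs confirming against the full file. If they still read `: "memory"`, changing them to `: "memory", "cc"` keeps the three functions consistent.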
3725 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3727 __asm__ __volatile__(
3728 "1: lduw [%2], %0\n"
3730 +" subcc %0, 1, %1\n"
3732 +#ifdef CONFIG_PAX_REFCOUNT
3736 " cas [%2], %0, %1\n"
3738 " bne,pn %%xcc, 1b\n"
3739 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/uaccess_32.h linux-2.6.35.5/arch/sparc/include/asm/uaccess_32.h
3740 --- linux-2.6.35.5/arch/sparc/include/asm/uaccess_32.h 2010-08-26 19:47:12.000000000 -0400
3741 +++ linux-2.6.35.5/arch/sparc/include/asm/uaccess_32.h 2010-09-17 20:12:09.000000000 -0400
3742 @@ -249,14 +249,25 @@ extern unsigned long __copy_user(void __
3744 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3746 - if (n && __access_ok((unsigned long) to, n))
3750 + if (n && __access_ok((unsigned long) to, n)) {
3751 + if (!__builtin_constant_p(n))
3752 + check_object_size(from, n, true);
3753 return __copy_user(to, (__force void __user *) from, n);
3759 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3764 + if (!__builtin_constant_p(n))
3765 + check_object_size(from, n, true);
3767 return __copy_user(to, (__force void __user *) from, n);
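Review bot: `check_object_size(from, n, true)` is skipped whenever `n` is a compile-time constant, and nothing in the hunk says why. No compile-time bound on `from` is visible in `copy_to_user` or `__copy_to_user`, so a constant `n` larger than the source object would not reach the run-time check; `copy_from_user` in the next hunk at least has the `sz` comparison. If exempting constants is deliberate, a comment at the first guard would record it, e.g. `/* constant n is left to compile-time checking; only variable sizes are validated here */`. The same guard appears in the next hunk and in the uaccess_64.h hunks, and the function bodies are only partly visible here.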
3770 @@ -272,19 +283,27 @@ static inline unsigned long copy_from_us
3772 int sz = __compiletime_object_size(to);
3777 if (unlikely(sz != -1 && sz < n)) {
3778 copy_from_user_overflow();
3782 - if (n && __access_ok((unsigned long) from, n))
3783 + if (n && __access_ok((unsigned long) from, n)) {
3784 + if (!__builtin_constant_p(n))
3785 + check_object_size(to, n, false);
3786 return __copy_user((__force void __user *) to, from, n);
3792 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3797 return __copy_user((__force void __user *) to, from, n);
3800 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/uaccess_64.h linux-2.6.35.5/arch/sparc/include/asm/uaccess_64.h
3801 --- linux-2.6.35.5/arch/sparc/include/asm/uaccess_64.h 2010-08-26 19:47:12.000000000 -0400
3802 +++ linux-2.6.35.5/arch/sparc/include/asm/uaccess_64.h 2010-09-17 20:12:09.000000000 -0400
3804 #include <linux/compiler.h>
3805 #include <linux/string.h>
3806 #include <linux/thread_info.h>
3807 +#include <linux/kernel.h>
3808 #include <asm/asi.h>
3809 #include <asm/system.h>
3810 #include <asm/spitfire.h>
3811 @@ -224,6 +225,12 @@ copy_from_user(void *to, const void __us
3812 int sz = __compiletime_object_size(to);
3813 unsigned long ret = size;
3815 + if ((long)size < 0 || size > INT_MAX)
3818 + if (!__builtin_constant_p(size))
3819 + check_object_size(to, size, false);
3821 if (likely(sz == -1 || sz >= size)) {
3822 ret = ___copy_from_user(to, from, size);
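Review bot: In `if ((long)size < 0 || size > INT_MAX)` the first comparison looks redundant. `size` is `unsigned long` in the `copy_to_user` signature of the next hunk and presumably here too, so on a 64-bit build any value with the top bit set already exceeds `INT_MAX`. `if (size > INT_MAX)` states the same bound more plainly, both here and in the `copy_to_user` hunk that follows. A short comment on why the cap is `INT_MAX` would also help; the function bodies continue outside both hunks.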
3824 @@ -243,8 +250,15 @@ extern unsigned long copy_to_user_fixup(
3825 static inline unsigned long __must_check
3826 copy_to_user(void __user *to, const void *from, unsigned long size)
3828 - unsigned long ret = ___copy_to_user(to, from, size);
3829 + unsigned long ret;
3831 + if ((long)size < 0 || size > INT_MAX)
3834 + if (!__builtin_constant_p(size))
3835 + check_object_size(from, size, true);
3837 + ret = ___copy_to_user(to, from, size);
3839 ret = copy_to_user_fixup(to, from, size);
3841 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/uaccess.h linux-2.6.35.5/arch/sparc/include/asm/uaccess.h
3842 --- linux-2.6.35.5/arch/sparc/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
3843 +++ linux-2.6.35.5/arch/sparc/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
3845 #ifndef ___ASM_SPARC_UACCESS_H
3846 #define ___ASM_SPARC_UACCESS_H
3849 +#ifndef __ASSEMBLY__
3850 +#include <linux/types.h>
3851 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3855 #if defined(__sparc__) && defined(__arch64__)
3856 #include <asm/uaccess_64.h>
3858 diff -urNp linux-2.6.35.5/arch/sparc/kernel/iommu.c linux-2.6.35.5/arch/sparc/kernel/iommu.c
3859 --- linux-2.6.35.5/arch/sparc/kernel/iommu.c 2010-08-26 19:47:12.000000000 -0400
3860 +++ linux-2.6.35.5/arch/sparc/kernel/iommu.c 2010-09-17 20:12:09.000000000 -0400
3861 @@ -828,7 +828,7 @@ static void dma_4u_sync_sg_for_cpu(struc
3862 spin_unlock_irqrestore(&iommu->lock, flags);
3865 -static struct dma_map_ops sun4u_dma_ops = {
3866 +static const struct dma_map_ops sun4u_dma_ops = {
3867 .alloc_coherent = dma_4u_alloc_coherent,
3868 .free_coherent = dma_4u_free_coherent,
3869 .map_page = dma_4u_map_page,
3870 @@ -839,7 +839,7 @@ static struct dma_map_ops sun4u_dma_ops
3871 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
3874 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3875 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3876 EXPORT_SYMBOL(dma_ops);
3878 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
3879 diff -urNp linux-2.6.35.5/arch/sparc/kernel/ioport.c linux-2.6.35.5/arch/sparc/kernel/ioport.c
3880 --- linux-2.6.35.5/arch/sparc/kernel/ioport.c 2010-08-26 19:47:12.000000000 -0400
3881 +++ linux-2.6.35.5/arch/sparc/kernel/ioport.c 2010-09-17 20:12:09.000000000 -0400
3882 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
3886 -struct dma_map_ops sbus_dma_ops = {
3887 +const struct dma_map_ops sbus_dma_ops = {
3888 .alloc_coherent = sbus_alloc_coherent,
3889 .free_coherent = sbus_free_coherent,
3890 .map_page = sbus_map_page,
3891 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
3892 .sync_sg_for_device = sbus_sync_sg_for_device,
3895 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
3896 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
3897 EXPORT_SYMBOL(dma_ops);
3899 static int __init sparc_register_ioport(void)
3900 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
3904 -struct dma_map_ops pci32_dma_ops = {
3905 +const struct dma_map_ops pci32_dma_ops = {
3906 .alloc_coherent = pci32_alloc_coherent,
3907 .free_coherent = pci32_free_coherent,
3908 .map_page = pci32_map_page,
3909 diff -urNp linux-2.6.35.5/arch/sparc/kernel/kgdb_32.c linux-2.6.35.5/arch/sparc/kernel/kgdb_32.c
3910 --- linux-2.6.35.5/arch/sparc/kernel/kgdb_32.c 2010-08-26 19:47:12.000000000 -0400
3911 +++ linux-2.6.35.5/arch/sparc/kernel/kgdb_32.c 2010-09-17 20:12:09.000000000 -0400
3912 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
3913 regs->npc = regs->pc + 4;
3916 -struct kgdb_arch arch_kgdb_ops = {
3917 +const struct kgdb_arch arch_kgdb_ops = {
3918 /* Breakpoint instruction: ta 0x7d */
3919 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
3921 diff -urNp linux-2.6.35.5/arch/sparc/kernel/kgdb_64.c linux-2.6.35.5/arch/sparc/kernel/kgdb_64.c
3922 --- linux-2.6.35.5/arch/sparc/kernel/kgdb_64.c 2010-08-26 19:47:12.000000000 -0400
3923 +++ linux-2.6.35.5/arch/sparc/kernel/kgdb_64.c 2010-09-17 20:12:09.000000000 -0400
3924 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
3925 regs->tnpc = regs->tpc + 4;
3928 -struct kgdb_arch arch_kgdb_ops = {
3929 +const struct kgdb_arch arch_kgdb_ops = {
3930 /* Breakpoint instruction: ta 0x72 */
3931 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
3933 diff -urNp linux-2.6.35.5/arch/sparc/kernel/Makefile linux-2.6.35.5/arch/sparc/kernel/Makefile
3934 --- linux-2.6.35.5/arch/sparc/kernel/Makefile 2010-08-26 19:47:12.000000000 -0400
3935 +++ linux-2.6.35.5/arch/sparc/kernel/Makefile 2010-09-17 20:12:09.000000000 -0400
3940 -ccflags-y := -Werror
3941 +#ccflags-y := -Werror
3943 extra-y := head_$(BITS).o
3944 extra-y += init_task.o
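Review bot: Commenting out `ccflags-y := -Werror` makes every warning in arch/sparc/kernel non-fatal again without recording which warning forced the change. This patch adds `const` to several ops structures in the same directory, so a discarded-qualifier warning is a plausible cause, and that is exactly the class of warning worth keeping fatal. Prefer fixing the offending sites and keeping the flag; if that is not possible yet, leave the reason next to the line, e.g. `# -Werror disabled: <warning and file that currently fails>`.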
3945 diff -urNp linux-2.6.35.5/arch/sparc/kernel/pci_sun4v.c linux-2.6.35.5/arch/sparc/kernel/pci_sun4v.c
3946 --- linux-2.6.35.5/arch/sparc/kernel/pci_sun4v.c 2010-08-26 19:47:12.000000000 -0400
3947 +++ linux-2.6.35.5/arch/sparc/kernel/pci_sun4v.c 2010-09-17 20:12:09.000000000 -0400
3948 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
3949 spin_unlock_irqrestore(&iommu->lock, flags);
3952 -static struct dma_map_ops sun4v_dma_ops = {
3953 +static const struct dma_map_ops sun4v_dma_ops = {
3954 .alloc_coherent = dma_4v_alloc_coherent,
3955 .free_coherent = dma_4v_free_coherent,
3956 .map_page = dma_4v_map_page,
3957 diff -urNp linux-2.6.35.5/arch/sparc/kernel/sys_sparc_32.c linux-2.6.35.5/arch/sparc/kernel/sys_sparc_32.c
3958 --- linux-2.6.35.5/arch/sparc/kernel/sys_sparc_32.c 2010-08-26 19:47:12.000000000 -0400
3959 +++ linux-2.6.35.5/arch/sparc/kernel/sys_sparc_32.c 2010-09-17 20:12:09.000000000 -0400
3960 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
3961 if (ARCH_SUN4C && len > 0x20000000)
3964 - addr = TASK_UNMAPPED_BASE;
3965 + addr = current->mm->mmap_base;
3967 if (flags & MAP_SHARED)
3968 addr = COLOUR_ALIGN(addr);
3969 @@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
3971 if (TASK_SIZE - PAGE_SIZE - len < addr)
3973 - if (!vmm || addr + len <= vmm->vm_start)
3974 + if (check_heap_stack_gap(vmm, addr, len))
3977 if (flags & MAP_SHARED)
3978 diff -urNp linux-2.6.35.5/arch/sparc/kernel/sys_sparc_64.c linux-2.6.35.5/arch/sparc/kernel/sys_sparc_64.c
3979 --- linux-2.6.35.5/arch/sparc/kernel/sys_sparc_64.c 2010-08-26 19:47:12.000000000 -0400
3980 +++ linux-2.6.35.5/arch/sparc/kernel/sys_sparc_64.c 2010-09-17 20:12:09.000000000 -0400
3981 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
3982 /* We do not accept a shared mapping if it would violate
3983 * cache aliasing constraints.
3985 - if ((flags & MAP_SHARED) &&
3986 + if ((filp || (flags & MAP_SHARED)) &&
3987 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3990 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
3991 if (filp || (flags & MAP_SHARED))
3994 +#ifdef CONFIG_PAX_RANDMMAP
3995 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4000 addr = COLOUR_ALIGN(addr, pgoff);
4001 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4002 addr = PAGE_ALIGN(addr);
4004 vma = find_vma(mm, addr);
4005 - if (task_size - len >= addr &&
4006 - (!vma || addr + len <= vma->vm_start))
4007 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4011 if (len > mm->cached_hole_size) {
4012 - start_addr = addr = mm->free_area_cache;
4013 + start_addr = addr = mm->free_area_cache;
4015 - start_addr = addr = TASK_UNMAPPED_BASE;
4016 + start_addr = addr = mm->mmap_base;
4017 mm->cached_hole_size = 0;
4020 @@ -174,14 +177,14 @@ full_search:
4021 vma = find_vma(mm, VA_EXCLUDE_END);
4023 if (unlikely(task_size < addr)) {
4024 - if (start_addr != TASK_UNMAPPED_BASE) {
4025 - start_addr = addr = TASK_UNMAPPED_BASE;
4026 + if (start_addr != mm->mmap_base) {
4027 + start_addr = addr = mm->mmap_base;
4028 mm->cached_hole_size = 0;
4033 - if (likely(!vma || addr + len <= vma->vm_start)) {
4034 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4036 * Remember the place where we stopped the search:
4038 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4039 /* We do not accept a shared mapping if it would violate
4040 * cache aliasing constraints.
4042 - if ((flags & MAP_SHARED) &&
4043 + if ((filp || (flags & MAP_SHARED)) &&
4044 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4047 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4048 addr = PAGE_ALIGN(addr);
4050 vma = find_vma(mm, addr);
4051 - if (task_size - len >= addr &&
4052 - (!vma || addr + len <= vma->vm_start))
4053 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4057 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4058 /* make sure it can fit in the remaining address space */
4059 if (likely(addr > len)) {
4060 vma = find_vma(mm, addr-len);
4061 - if (!vma || addr <= vma->vm_start) {
4062 + if (check_heap_stack_gap(vma, addr - len, len)) {
4063 /* remember the address as a hint for next time */
4064 return (mm->free_area_cache = addr-len);
4066 @@ -278,7 +280,7 @@ arch_get_unmapped_area_topdown(struct fi
4067 * return with success:
4069 vma = find_vma(mm, addr);
4070 - if (likely(!vma || addr+len <= vma->vm_start)) {
4071 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4072 /* remember the address as a hint for next time */
4073 return (mm->free_area_cache = addr);
4075 @@ -385,6 +387,12 @@ void arch_pick_mmap_layout(struct mm_str
4076 gap == RLIM_INFINITY ||
4077 sysctl_legacy_va_layout) {
4078 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4080 +#ifdef CONFIG_PAX_RANDMMAP
4081 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4082 + mm->mmap_base += mm->delta_mmap;
4085 mm->get_unmapped_area = arch_get_unmapped_area;
4086 mm->unmap_area = arch_unmap_area;
4088 @@ -397,6 +405,12 @@ void arch_pick_mmap_layout(struct mm_str
4089 gap = (task_size / 6 * 5);
4091 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4093 +#ifdef CONFIG_PAX_RANDMMAP
4094 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4095 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4098 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4099 mm->unmap_area = arch_unmap_area_topdown;
4101 diff -urNp linux-2.6.35.5/arch/sparc/kernel/traps_64.c linux-2.6.35.5/arch/sparc/kernel/traps_64.c
4102 --- linux-2.6.35.5/arch/sparc/kernel/traps_64.c 2010-08-26 19:47:12.000000000 -0400
4103 +++ linux-2.6.35.5/arch/sparc/kernel/traps_64.c 2010-09-17 20:12:09.000000000 -0400
4104 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4107 if (regs->tstate & TSTATE_PRIV) {
4109 +#ifdef CONFIG_PAX_REFCOUNT
4111 + pax_report_refcount_overflow(regs);
4114 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4115 die_if_kernel(buffer, regs);
4117 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4118 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4123 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4124 0, lvl, SIGTRAP) == NOTIFY_STOP)
4127 +#ifdef CONFIG_PAX_REFCOUNT
4129 + pax_report_refcount_overflow(regs);
4132 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4134 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4135 diff -urNp linux-2.6.35.5/arch/sparc/lib/atomic_64.S linux-2.6.35.5/arch/sparc/lib/atomic_64.S
4136 --- linux-2.6.35.5/arch/sparc/lib/atomic_64.S 2010-08-26 19:47:12.000000000 -0400
4137 +++ linux-2.6.35.5/arch/sparc/lib/atomic_64.S 2010-09-17 20:12:37.000000000 -0400
4139 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4143 + addcc %g1, %o0, %g7
4145 +#ifdef CONFIG_PAX_REFCOUNT
4152 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4153 2: BACKOFF_SPIN(%o2, %o3, 1b)
4154 .size atomic_add, .-atomic_add
4156 + .globl atomic_add_unchecked
4157 + .type atomic_add_unchecked,#function
4158 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4159 + BACKOFF_SETUP(%o2)
4162 + cas [%o1], %g1, %g7
4168 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4169 + .size atomic_add_unchecked, .-atomic_add_unchecked
4172 .type atomic_sub,#function
4173 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4177 + subcc %g1, %o0, %g7
4179 +#ifdef CONFIG_PAX_REFCOUNT
4186 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4187 2: BACKOFF_SPIN(%o2, %o3, 1b)
4188 .size atomic_sub, .-atomic_sub
4190 + .globl atomic_sub_unchecked
4191 + .type atomic_sub_unchecked,#function
4192 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4193 + BACKOFF_SETUP(%o2)
4196 + cas [%o1], %g1, %g7
4202 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4203 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4205 .globl atomic_add_ret
4206 .type atomic_add_ret,#function
4207 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4211 + addcc %g1, %o0, %g7
4213 +#ifdef CONFIG_PAX_REFCOUNT
4220 @@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4221 2: BACKOFF_SPIN(%o2, %o3, 1b)
4222 .size atomic_add_ret, .-atomic_add_ret
4224 + .globl atomic_add_ret_unchecked
4225 + .type atomic_add_ret_unchecked,#function
4226 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4227 + BACKOFF_SETUP(%o2)
4229 + addcc %g1, %o0, %g7
4230 + cas [%o1], %g1, %g7
4237 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4238 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4240 .globl atomic_sub_ret
4241 .type atomic_sub_ret,#function
4242 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4246 + subcc %g1, %o0, %g7
4248 +#ifdef CONFIG_PAX_REFCOUNT
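Review bot: `atomic_add_ret_unchecked` computes the sum with `addcc %g1, %o0, %g7`, but `cas` follows directly and no overflow path consumes the condition codes, so plain `add %g1, %o0, %g7` (the pre-patch form) is enough. The same applies to `atomic64_add_unchecked`, `atomic64_sub_unchecked` (`subcc`) and `atomic64_add_ret_unchecked` in the later hunks of this file. Keeping the non-cc instruction in the unchecked routines makes it visible at a glance which entry points are overflow-checked and which are not. The remainder of each routine is outside the lines shown.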
4255 @@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4256 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4260 + addcc %g1, %o0, %g7
4262 +#ifdef CONFIG_PAX_REFCOUNT
4266 casx [%o1], %g1, %g7
4269 @@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4270 2: BACKOFF_SPIN(%o2, %o3, 1b)
4271 .size atomic64_add, .-atomic64_add
4273 + .globl atomic64_add_unchecked
4274 + .type atomic64_add_unchecked,#function
4275 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4276 + BACKOFF_SETUP(%o2)
4278 + addcc %g1, %o0, %g7
4279 + casx [%o1], %g1, %g7
4285 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4286 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4289 .type atomic64_sub,#function
4290 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4294 + subcc %g1, %o0, %g7
4296 +#ifdef CONFIG_PAX_REFCOUNT
4300 casx [%o1], %g1, %g7
4303 @@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4304 2: BACKOFF_SPIN(%o2, %o3, 1b)
4305 .size atomic64_sub, .-atomic64_sub
4307 + .globl atomic64_sub_unchecked
4308 + .type atomic64_sub_unchecked,#function
4309 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4310 + BACKOFF_SETUP(%o2)
4312 + subcc %g1, %o0, %g7
4313 + casx [%o1], %g1, %g7
4319 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4320 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4322 .globl atomic64_add_ret
4323 .type atomic64_add_ret,#function
4324 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4328 + addcc %g1, %o0, %g7
4330 +#ifdef CONFIG_PAX_REFCOUNT
4334 casx [%o1], %g1, %g7
4337 @@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4338 2: BACKOFF_SPIN(%o2, %o3, 1b)
4339 .size atomic64_add_ret, .-atomic64_add_ret
4341 + .globl atomic64_add_ret_unchecked
4342 + .type atomic64_add_ret_unchecked,#function
4343 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4344 + BACKOFF_SETUP(%o2)
4346 + addcc %g1, %o0, %g7
4347 + casx [%o1], %g1, %g7
4354 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4355 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4357 .globl atomic64_sub_ret
4358 .type atomic64_sub_ret,#function
4359 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4363 + subcc %g1, %o0, %g7
4365 +#ifdef CONFIG_PAX_REFCOUNT
4369 casx [%o1], %g1, %g7
4372 diff -urNp linux-2.6.35.5/arch/sparc/lib/ksyms.c linux-2.6.35.5/arch/sparc/lib/ksyms.c
4373 --- linux-2.6.35.5/arch/sparc/lib/ksyms.c 2010-08-26 19:47:12.000000000 -0400
4374 +++ linux-2.6.35.5/arch/sparc/lib/ksyms.c 2010-09-17 20:12:09.000000000 -0400
4375 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4377 /* Atomic counter implementation. */
4378 EXPORT_SYMBOL(atomic_add);
4379 +EXPORT_SYMBOL(atomic_add_unchecked);
4380 EXPORT_SYMBOL(atomic_add_ret);
4381 EXPORT_SYMBOL(atomic_sub);
4382 +EXPORT_SYMBOL(atomic_sub_unchecked);
4383 EXPORT_SYMBOL(atomic_sub_ret);
4384 EXPORT_SYMBOL(atomic64_add);
4385 +EXPORT_SYMBOL(atomic64_add_unchecked);
4386 EXPORT_SYMBOL(atomic64_add_ret);
4387 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4388 EXPORT_SYMBOL(atomic64_sub);
4389 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4390 EXPORT_SYMBOL(atomic64_sub_ret);
4392 /* Atomic bit operations. */
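Review bot: `atomic_add_ret_unchecked` is missing from the exports added here. The list gains `atomic_add_unchecked`, `atomic_sub_unchecked` and three `atomic64_*_unchecked` symbols, but nothing for the 32-bit return variant. The inline `atomic_inc_return_unchecked()` added earlier in this patch calls that routine, so a module using the helper would presumably fail to resolve the symbol. Add `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);`.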
4393 diff -urNp linux-2.6.35.5/arch/sparc/lib/rwsem_64.S linux-2.6.35.5/arch/sparc/lib/rwsem_64.S
4394 --- linux-2.6.35.5/arch/sparc/lib/rwsem_64.S 2010-08-26 19:47:12.000000000 -0400
4395 +++ linux-2.6.35.5/arch/sparc/lib/rwsem_64.S 2010-09-17 20:12:09.000000000 -0400
4403 +#ifdef CONFIG_PAX_REFCOUNT
4410 @@ -33,7 +38,12 @@ __down_read:
4411 .globl __down_read_trylock
4412 __down_read_trylock:
4417 +#ifdef CONFIG_PAX_REFCOUNT
4424 @@ -51,7 +61,12 @@ __down_write:
4425 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4429 + addcc %g3, %g1, %g7
4431 +#ifdef CONFIG_PAX_REFCOUNT
4438 @@ -77,7 +92,12 @@ __down_write_trylock:
4443 + addcc %g3, %g1, %g7
4445 +#ifdef CONFIG_PAX_REFCOUNT
4452 @@ -90,7 +110,12 @@ __down_write_trylock:
4459 +#ifdef CONFIG_PAX_REFCOUNT
4466 @@ -118,7 +143,12 @@ __up_write:
4467 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4471 + subcc %g3, %g1, %g7
4473 +#ifdef CONFIG_PAX_REFCOUNT
4480 @@ -143,7 +173,12 @@ __downgrade_write:
4481 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
4485 + subcc %g3, %g1, %g7
4487 +#ifdef CONFIG_PAX_REFCOUNT
4494 diff -urNp linux-2.6.35.5/arch/sparc/Makefile linux-2.6.35.5/arch/sparc/Makefile
4495 --- linux-2.6.35.5/arch/sparc/Makefile 2010-08-26 19:47:12.000000000 -0400
4496 +++ linux-2.6.35.5/arch/sparc/Makefile 2010-09-17 20:12:37.000000000 -0400
4497 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4498 # Export what is needed by arch/sparc/boot/Makefile
4499 export VMLINUX_INIT VMLINUX_MAIN
4500 VMLINUX_INIT := $(head-y) $(init-y)
4501 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4502 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4503 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4504 VMLINUX_MAIN += $(drivers-y) $(net-y)
4506 diff -urNp linux-2.6.35.5/arch/sparc/mm/fault_32.c linux-2.6.35.5/arch/sparc/mm/fault_32.c
4507 --- linux-2.6.35.5/arch/sparc/mm/fault_32.c 2010-08-26 19:47:12.000000000 -0400
4508 +++ linux-2.6.35.5/arch/sparc/mm/fault_32.c 2010-09-17 20:12:09.000000000 -0400
4510 #include <linux/interrupt.h>
4511 #include <linux/module.h>
4512 #include <linux/kdebug.h>
4513 +#include <linux/slab.h>
4514 +#include <linux/pagemap.h>
4515 +#include <linux/compiler.h>
4517 #include <asm/system.h>
4518 #include <asm/page.h>
4519 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4520 return safe_compute_effective_address(regs, insn);
4523 +#ifdef CONFIG_PAX_PAGEEXEC
4524 +#ifdef CONFIG_PAX_DLRESOLVE
4525 +static void pax_emuplt_close(struct vm_area_struct *vma)
4527 + vma->vm_mm->call_dl_resolve = 0UL;
4530 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4532 + unsigned int *kaddr;
4534 + vmf->page = alloc_page(GFP_HIGHUSER);
4536 + return VM_FAULT_OOM;
4538 + kaddr = kmap(vmf->page);
4539 + memset(kaddr, 0, PAGE_SIZE);
4540 + kaddr[0] = 0x9DE3BFA8U; /* save */
4541 + flush_dcache_page(vmf->page);
4542 + kunmap(vmf->page);
4543 + return VM_FAULT_MAJOR;
4546 +static const struct vm_operations_struct pax_vm_ops = {
4547 + .close = pax_emuplt_close,
4548 + .fault = pax_emuplt_fault
4551 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4555 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4556 + vma->vm_mm = current->mm;
4557 + vma->vm_start = addr;
4558 + vma->vm_end = addr + PAGE_SIZE;
4559 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4560 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4561 + vma->vm_ops = &pax_vm_ops;
4563 + ret = insert_vm_struct(current->mm, vma);
4567 + ++current->mm->total_vm;
4573 + * PaX: decide what to do with offenders (regs->pc = fault address)
4575 + * returns 1 when task should be killed
4576 + * 2 when patched PLT trampoline was detected
4577 + * 3 when unpatched PLT trampoline was detected
4579 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4582 +#ifdef CONFIG_PAX_EMUPLT
4585 + do { /* PaX: patched PLT emulation #1 */
4586 + unsigned int sethi1, sethi2, jmpl;
4588 + err = get_user(sethi1, (unsigned int *)regs->pc);
4589 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4590 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4595 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4596 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4597 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4599 + unsigned int addr;
4601 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4602 + addr = regs->u_regs[UREG_G1];
4603 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4605 + regs->npc = addr+4;
4610 + { /* PaX: patched PLT emulation #2 */
4613 + err = get_user(ba, (unsigned int *)regs->pc);
4615 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4616 + unsigned int addr;
4618 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4620 + regs->npc = addr+4;
4625 + do { /* PaX: patched PLT emulation #3 */
4626 + unsigned int sethi, jmpl, nop;
4628 + err = get_user(sethi, (unsigned int *)regs->pc);
4629 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4630 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4635 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4636 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4637 + nop == 0x01000000U)
4639 + unsigned int addr;
4641 + addr = (sethi & 0x003FFFFFU) << 10;
4642 + regs->u_regs[UREG_G1] = addr;
4643 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4645 + regs->npc = addr+4;
4650 + do { /* PaX: unpatched PLT emulation step 1 */
4651 + unsigned int sethi, ba, nop;
4653 + err = get_user(sethi, (unsigned int *)regs->pc);
4654 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
4655 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4660 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4661 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4662 + nop == 0x01000000U)
4664 + unsigned int addr, save, call;
4666 + if ((ba & 0xFFC00000U) == 0x30800000U)
4667 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4669 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4671 + err = get_user(save, (unsigned int *)addr);
4672 + err |= get_user(call, (unsigned int *)(addr+4));
4673 + err |= get_user(nop, (unsigned int *)(addr+8));
4677 +#ifdef CONFIG_PAX_DLRESOLVE
4678 + if (save == 0x9DE3BFA8U &&
4679 + (call & 0xC0000000U) == 0x40000000U &&
4680 + nop == 0x01000000U)
4682 + struct vm_area_struct *vma;
4683 + unsigned long call_dl_resolve;
4685 + down_read(¤t->mm->mmap_sem);
4686 + call_dl_resolve = current->mm->call_dl_resolve;
4687 + up_read(¤t->mm->mmap_sem);
4688 + if (likely(call_dl_resolve))
4691 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4693 + down_write(¤t->mm->mmap_sem);
4694 + if (current->mm->call_dl_resolve) {
4695 + call_dl_resolve = current->mm->call_dl_resolve;
4696 + up_write(¤t->mm->mmap_sem);
4698 + kmem_cache_free(vm_area_cachep, vma);
4702 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4703 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4704 + up_write(¤t->mm->mmap_sem);
4706 + kmem_cache_free(vm_area_cachep, vma);
4710 + if (pax_insert_vma(vma, call_dl_resolve)) {
4711 + up_write(¤t->mm->mmap_sem);
4712 + kmem_cache_free(vm_area_cachep, vma);
4716 + current->mm->call_dl_resolve = call_dl_resolve;
4717 + up_write(¤t->mm->mmap_sem);
4720 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4721 + regs->pc = call_dl_resolve;
4722 + regs->npc = addr+4;
4727 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4728 + if ((save & 0xFFC00000U) == 0x05000000U &&
4729 + (call & 0xFFFFE000U) == 0x85C0A000U &&
4730 + nop == 0x01000000U)
4732 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4733 + regs->u_regs[UREG_G2] = addr + 4;
4734 + addr = (save & 0x003FFFFFU) << 10;
4735 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4737 + regs->npc = addr+4;
4743 + do { /* PaX: unpatched PLT emulation step 2 */
4744 + unsigned int save, call, nop;
4746 + err = get_user(save, (unsigned int *)(regs->pc-4));
4747 + err |= get_user(call, (unsigned int *)regs->pc);
4748 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
4752 + if (save == 0x9DE3BFA8U &&
4753 + (call & 0xC0000000U) == 0x40000000U &&
4754 + nop == 0x01000000U)
4756 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4758 + regs->u_regs[UREG_RETPC] = regs->pc;
4759 + regs->pc = dl_resolve;
4760 + regs->npc = dl_resolve+4;
4769 +void pax_report_insns(void *pc, void *sp)
4773 + printk(KERN_ERR "PAX: bytes at PC: ");
4774 + for (i = 0; i < 8; i++) {
4776 + if (get_user(c, (unsigned int *)pc+i))
4777 + printk(KERN_CONT "???????? ");
4779 + printk(KERN_CONT "%08x ", c);
4785 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
4788 @@ -282,6 +547,24 @@ good_area:
4789 if(!(vma->vm_flags & VM_WRITE))
4793 +#ifdef CONFIG_PAX_PAGEEXEC
4794 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4795 + up_read(&mm->mmap_sem);
4796 + switch (pax_handle_fetch_fault(regs)) {
4798 +#ifdef CONFIG_PAX_EMUPLT
4805 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4806 + do_group_exit(SIGKILL);
4810 /* Allow reads even for write-only mappings */
4811 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
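Review bot: The added PAGEEXEC branch releases the lock with `up_read(&mm->mmap_sem)` just before `switch (pax_handle_fetch_fault(regs))`, and nothing in the hunk says why or warns that `vma` is stale from that point on. The emulation code added earlier in this file takes `mmap_sem` itself (`down_read`/`down_write` in the CONFIG_PAX_DLRESOLVE path), which appears to be the reason for dropping it here. I would put `/* drop mmap_sem: pax_handle_fetch_fault() may take it for writing; vma must not be used below */` above the `up_read`. The same comment is missing in the matching fault_64.c hunk (`@@ -340,6 +794,29 @@`). The enclosing fault handler starts and ends outside this hunk.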
4813 diff -urNp linux-2.6.35.5/arch/sparc/mm/fault_64.c linux-2.6.35.5/arch/sparc/mm/fault_64.c
4814 --- linux-2.6.35.5/arch/sparc/mm/fault_64.c 2010-08-26 19:47:12.000000000 -0400
4815 +++ linux-2.6.35.5/arch/sparc/mm/fault_64.c 2010-09-17 20:12:09.000000000 -0400
4817 #include <linux/kprobes.h>
4818 #include <linux/kdebug.h>
4819 #include <linux/percpu.h>
4820 +#include <linux/slab.h>
4821 +#include <linux/pagemap.h>
4822 +#include <linux/compiler.h>
4824 #include <asm/page.h>
4825 #include <asm/pgtable.h>
4826 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
4830 +#ifdef CONFIG_PAX_PAGEEXEC
4831 +#ifdef CONFIG_PAX_DLRESOLVE
4832 +static void pax_emuplt_close(struct vm_area_struct *vma)
4834 + vma->vm_mm->call_dl_resolve = 0UL;
4837 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4839 + unsigned int *kaddr;
4841 + vmf->page = alloc_page(GFP_HIGHUSER);
4843 + return VM_FAULT_OOM;
4845 + kaddr = kmap(vmf->page);
4846 + memset(kaddr, 0, PAGE_SIZE);
4847 + kaddr[0] = 0x9DE3BFA8U; /* save */
4848 + flush_dcache_page(vmf->page);
4849 + kunmap(vmf->page);
4850 + return VM_FAULT_MAJOR;
4853 +static const struct vm_operations_struct pax_vm_ops = {
4854 + .close = pax_emuplt_close,
4855 + .fault = pax_emuplt_fault
4858 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4862 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4863 + vma->vm_mm = current->mm;
4864 + vma->vm_start = addr;
4865 + vma->vm_end = addr + PAGE_SIZE;
4866 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4867 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4868 + vma->vm_ops = &pax_vm_ops;
4870 + ret = insert_vm_struct(current->mm, vma);
4874 + ++current->mm->total_vm;
4880 + * PaX: decide what to do with offenders (regs->tpc = fault address)
4882 + * returns 1 when task should be killed
4883 + * 2 when patched PLT trampoline was detected
4884 + * 3 when unpatched PLT trampoline was detected
4886 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4889 +#ifdef CONFIG_PAX_EMUPLT
4892 + do { /* PaX: patched PLT emulation #1 */
4893 + unsigned int sethi1, sethi2, jmpl;
4895 + err = get_user(sethi1, (unsigned int *)regs->tpc);
4896 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4897 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4902 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4903 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4904 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4906 + unsigned long addr;
4908 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4909 + addr = regs->u_regs[UREG_G1];
4910 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4912 + if (test_thread_flag(TIF_32BIT))
4913 + addr &= 0xFFFFFFFFUL;
4916 + regs->tnpc = addr+4;
4921 + { /* PaX: patched PLT emulation #2 */
4924 + err = get_user(ba, (unsigned int *)regs->tpc);
4926 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4927 + unsigned long addr;
4929 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4931 + if (test_thread_flag(TIF_32BIT))
4932 + addr &= 0xFFFFFFFFUL;
4935 + regs->tnpc = addr+4;
4940 + do { /* PaX: patched PLT emulation #3 */
4941 + unsigned int sethi, jmpl, nop;
4943 + err = get_user(sethi, (unsigned int *)regs->tpc);
4944 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
4945 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4950 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4951 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4952 + nop == 0x01000000U)
4954 + unsigned long addr;
4956 + addr = (sethi & 0x003FFFFFU) << 10;
4957 + regs->u_regs[UREG_G1] = addr;
4958 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4960 + if (test_thread_flag(TIF_32BIT))
4961 + addr &= 0xFFFFFFFFUL;
4964 + regs->tnpc = addr+4;
4969 + do { /* PaX: patched PLT emulation #4 */
4970 + unsigned int sethi, mov1, call, mov2;
4972 + err = get_user(sethi, (unsigned int *)regs->tpc);
4973 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
4974 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
4975 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
4980 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4981 + mov1 == 0x8210000FU &&
4982 + (call & 0xC0000000U) == 0x40000000U &&
4983 + mov2 == 0x9E100001U)
4985 + unsigned long addr;
4987 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
4988 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4990 + if (test_thread_flag(TIF_32BIT))
4991 + addr &= 0xFFFFFFFFUL;
4994 + regs->tnpc = addr+4;
4999 + do { /* PaX: patched PLT emulation #5 */
5000 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5002 + err = get_user(sethi, (unsigned int *)regs->tpc);
5003 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5004 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5005 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5006 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5007 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5008 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5009 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5014 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5015 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5016 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5017 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5018 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5019 + sllx == 0x83287020U &&
5020 + jmpl == 0x81C04005U &&
5021 + nop == 0x01000000U)
5023 + unsigned long addr;
5025 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5026 + regs->u_regs[UREG_G1] <<= 32;
5027 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5028 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5030 + regs->tnpc = addr+4;
5035 + do { /* PaX: patched PLT emulation #6 */
5036 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5038 + err = get_user(sethi, (unsigned int *)regs->tpc);
5039 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5040 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5041 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5042 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5043 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5044 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5049 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5050 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5051 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5052 + sllx == 0x83287020U &&
5053 + (or & 0xFFFFE000U) == 0x8A116000U &&
5054 + jmpl == 0x81C04005U &&
5055 + nop == 0x01000000U)
5057 + unsigned long addr;
5059 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5060 + regs->u_regs[UREG_G1] <<= 32;
5061 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5062 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5064 + regs->tnpc = addr+4;
5069 + do { /* PaX: unpatched PLT emulation step 1 */
5070 + unsigned int sethi, ba, nop;
5072 + err = get_user(sethi, (unsigned int *)regs->tpc);
5073 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5074 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5079 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5080 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5081 + nop == 0x01000000U)
5083 + unsigned long addr;
5084 + unsigned int save, call;
5085 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5087 + if ((ba & 0xFFC00000U) == 0x30800000U)
5088 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5090 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5092 + if (test_thread_flag(TIF_32BIT))
5093 + addr &= 0xFFFFFFFFUL;
5095 + err = get_user(save, (unsigned int *)addr);
5096 + err |= get_user(call, (unsigned int *)(addr+4));
5097 + err |= get_user(nop, (unsigned int *)(addr+8));
5101 +#ifdef CONFIG_PAX_DLRESOLVE
5102 + if (save == 0x9DE3BFA8U &&
5103 + (call & 0xC0000000U) == 0x40000000U &&
5104 + nop == 0x01000000U)
5106 + struct vm_area_struct *vma;
5107 + unsigned long call_dl_resolve;
5109 + down_read(¤t->mm->mmap_sem);
5110 + call_dl_resolve = current->mm->call_dl_resolve;
5111 + up_read(¤t->mm->mmap_sem);
5112 + if (likely(call_dl_resolve))
5115 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5117 + down_write(¤t->mm->mmap_sem);
5118 + if (current->mm->call_dl_resolve) {
5119 + call_dl_resolve = current->mm->call_dl_resolve;
5120 + up_write(¤t->mm->mmap_sem);
5122 + kmem_cache_free(vm_area_cachep, vma);
5126 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5127 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5128 + up_write(¤t->mm->mmap_sem);
5130 + kmem_cache_free(vm_area_cachep, vma);
5134 + if (pax_insert_vma(vma, call_dl_resolve)) {
5135 + up_write(¤t->mm->mmap_sem);
5136 + kmem_cache_free(vm_area_cachep, vma);
5140 + current->mm->call_dl_resolve = call_dl_resolve;
5141 + up_write(¤t->mm->mmap_sem);
5144 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5145 + regs->tpc = call_dl_resolve;
5146 + regs->tnpc = addr+4;
5151 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5152 + if ((save & 0xFFC00000U) == 0x05000000U &&
5153 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5154 + nop == 0x01000000U)
5156 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5157 + regs->u_regs[UREG_G2] = addr + 4;
5158 + addr = (save & 0x003FFFFFU) << 10;
5159 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5161 + if (test_thread_flag(TIF_32BIT))
5162 + addr &= 0xFFFFFFFFUL;
5165 + regs->tnpc = addr+4;
5169 + /* PaX: 64-bit PLT stub */
5170 + err = get_user(sethi1, (unsigned int *)addr);
5171 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5172 + err |= get_user(or1, (unsigned int *)(addr+8));
5173 + err |= get_user(or2, (unsigned int *)(addr+12));
5174 + err |= get_user(sllx, (unsigned int *)(addr+16));
5175 + err |= get_user(add, (unsigned int *)(addr+20));
5176 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5177 + err |= get_user(nop, (unsigned int *)(addr+28));
5181 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5182 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5183 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5184 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5185 + sllx == 0x89293020U &&
5186 + add == 0x8A010005U &&
5187 + jmpl == 0x89C14000U &&
5188 + nop == 0x01000000U)
5190 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5191 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5192 + regs->u_regs[UREG_G4] <<= 32;
5193 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5194 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5195 + regs->u_regs[UREG_G4] = addr + 24;
5196 + addr = regs->u_regs[UREG_G5];
5198 + regs->tnpc = addr+4;
5204 +#ifdef CONFIG_PAX_DLRESOLVE
5205 + do { /* PaX: unpatched PLT emulation step 2 */
5206 + unsigned int save, call, nop;
5208 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5209 + err |= get_user(call, (unsigned int *)regs->tpc);
5210 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5214 + if (save == 0x9DE3BFA8U &&
5215 + (call & 0xC0000000U) == 0x40000000U &&
5216 + nop == 0x01000000U)
5218 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5220 + if (test_thread_flag(TIF_32BIT))
5221 + dl_resolve &= 0xFFFFFFFFUL;
5223 + regs->u_regs[UREG_RETPC] = regs->tpc;
5224 + regs->tpc = dl_resolve;
5225 + regs->tnpc = dl_resolve+4;
5231 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5232 + unsigned int sethi, ba, nop;
5234 + err = get_user(sethi, (unsigned int *)regs->tpc);
5235 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5236 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5241 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5242 + (ba & 0xFFF00000U) == 0x30600000U &&
5243 + nop == 0x01000000U)
5245 + unsigned long addr;
5247 + addr = (sethi & 0x003FFFFFU) << 10;
5248 + regs->u_regs[UREG_G1] = addr;
5249 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5251 + if (test_thread_flag(TIF_32BIT))
5252 + addr &= 0xFFFFFFFFUL;
5255 + regs->tnpc = addr+4;
5265 +void pax_report_insns(void *pc, void *sp)
5269 + printk(KERN_ERR "PAX: bytes at PC: ");
5270 + for (i = 0; i < 8; i++) {
5272 + if (get_user(c, (unsigned int *)pc+i))
5273 + printk(KERN_CONT "???????? ");
5275 + printk(KERN_CONT "%08x ", c);
5281 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5283 struct mm_struct *mm = current->mm;
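Review bot: `pax_insert_vma()` sets `vm_flags` to `VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC` without a comment, although the omitted write bits are the security-relevant part of this helper. With neither `VM_WRITE` nor `VM_MAYWRITE` set, user space cannot write to the kernel-provided trampoline page and a later `mprotect()` cannot add write permission. I would record that above the assignment: `/* read+exec only; VM_MAYWRITE is left out so mprotect() cannot make the page writable */`. A one-line comment on `pax_emuplt_fault()` saying that the page holds a single `save` instruction followed by zeroes would help for the same reason.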
5284 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5288 +#ifdef CONFIG_PAX_PAGEEXEC
5289 + /* PaX: detect ITLB misses on non-exec pages */
5290 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5291 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5293 + if (address != regs->tpc)
5296 + up_read(&mm->mmap_sem);
5297 + switch (pax_handle_fetch_fault(regs)) {
5299 +#ifdef CONFIG_PAX_EMUPLT
5306 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5307 + do_group_exit(SIGKILL);
5311 /* Pure DTLB misses do not tell us whether the fault causing
5312 * load/store/atomic was a write or not, it only says that there
5313 * was no match. So in such a case we (carefully) read the
5314 diff -urNp linux-2.6.35.5/arch/sparc/mm/hugetlbpage.c linux-2.6.35.5/arch/sparc/mm/hugetlbpage.c
5315 --- linux-2.6.35.5/arch/sparc/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
5316 +++ linux-2.6.35.5/arch/sparc/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
5317 @@ -68,7 +68,7 @@ full_search:
5321 - if (likely(!vma || addr + len <= vma->vm_start)) {
5322 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5324 * Remember the place where we stopped the search:
5326 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5327 /* make sure it can fit in the remaining address space */
5328 if (likely(addr > len)) {
5329 vma = find_vma(mm, addr-len);
5330 - if (!vma || addr <= vma->vm_start) {
5331 + if (check_heap_stack_gap(vma, addr - len, len)) {
5332 /* remember the address as a hint for next time */
5333 return (mm->free_area_cache = addr-len);
5335 @@ -125,7 +125,7 @@ hugetlb_get_unmapped_area_topdown(struct
5336 * return with success:
5338 vma = find_vma(mm, addr);
5339 - if (likely(!vma || addr+len <= vma->vm_start)) {
5340 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5341 /* remember the address as a hint for next time */
5342 return (mm->free_area_cache = addr);
5344 @@ -182,8 +182,7 @@ hugetlb_get_unmapped_area(struct file *f
5346 addr = ALIGN(addr, HPAGE_SIZE);
5347 vma = find_vma(mm, addr);
5348 - if (task_size - len >= addr &&
5349 - (!vma || addr + len <= vma->vm_start))
5350 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5353 if (mm->get_unmapped_area == arch_get_unmapped_area)
5354 diff -urNp linux-2.6.35.5/arch/sparc/mm/init_32.c linux-2.6.35.5/arch/sparc/mm/init_32.c
5355 --- linux-2.6.35.5/arch/sparc/mm/init_32.c 2010-08-26 19:47:12.000000000 -0400
5356 +++ linux-2.6.35.5/arch/sparc/mm/init_32.c 2010-09-17 20:12:09.000000000 -0400
5357 @@ -318,6 +318,9 @@ extern void device_scan(void);
5358 pgprot_t PAGE_SHARED __read_mostly;
5359 EXPORT_SYMBOL(PAGE_SHARED);
5361 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5362 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5364 void __init paging_init(void)
5366 switch(sparc_cpu_model) {
5367 @@ -346,17 +349,17 @@ void __init paging_init(void)
5369 /* Initialize the protection map with non-constant, MMU dependent values. */
5370 protection_map[0] = PAGE_NONE;
5371 - protection_map[1] = PAGE_READONLY;
5372 - protection_map[2] = PAGE_COPY;
5373 - protection_map[3] = PAGE_COPY;
5374 + protection_map[1] = PAGE_READONLY_NOEXEC;
5375 + protection_map[2] = PAGE_COPY_NOEXEC;
5376 + protection_map[3] = PAGE_COPY_NOEXEC;
5377 protection_map[4] = PAGE_READONLY;
5378 protection_map[5] = PAGE_READONLY;
5379 protection_map[6] = PAGE_COPY;
5380 protection_map[7] = PAGE_COPY;
5381 protection_map[8] = PAGE_NONE;
5382 - protection_map[9] = PAGE_READONLY;
5383 - protection_map[10] = PAGE_SHARED;
5384 - protection_map[11] = PAGE_SHARED;
5385 + protection_map[9] = PAGE_READONLY_NOEXEC;
5386 + protection_map[10] = PAGE_SHARED_NOEXEC;
5387 + protection_map[11] = PAGE_SHARED_NOEXEC;
5388 protection_map[12] = PAGE_READONLY;
5389 protection_map[13] = PAGE_READONLY;
5390 protection_map[14] = PAGE_SHARED;
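Review bot: The table change is hard to audit because the existing comment above `protection_map[0]` does not say how the array is indexed. The index is the low four `vm_flags` bits (read = 1, write = 2, exec = 4, shared = 8), so the entries switched to the `_NOEXEC` protections (1-3 and 9-11) are exactly the ones without the exec bit, while 4-7 and 12-14 keep the executable variants. I would add `/* index = VM_READ|VM_WRITE|VM_EXEC|VM_SHARED bits; entries without VM_EXEC use the _NOEXEC protections */` above the first assignment. `paging_init()` starts and ends outside this hunk.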
5391 diff -urNp linux-2.6.35.5/arch/sparc/mm/Makefile linux-2.6.35.5/arch/sparc/mm/Makefile
5392 --- linux-2.6.35.5/arch/sparc/mm/Makefile 2010-08-26 19:47:12.000000000 -0400
5393 +++ linux-2.6.35.5/arch/sparc/mm/Makefile 2010-09-17 20:12:09.000000000 -0400
5398 -ccflags-y := -Werror
5399 +#ccflags-y := -Werror
5401 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5402 obj-y += fault_$(BITS).o
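Review bot: Commenting out `ccflags-y := -Werror` turns off warnings-as-errors for every object in arch/sparc/mm, including the fault_32.c and fault_64.c emulation code this same patch adds. New warnings in the fault handlers, for example from the many pointer casts handed to `get_user()`, will then no longer stop the build. If a single file is the reason, I would keep the flag and relax it only there, e.g. `CFLAGS_fault_$(BITS).o := -Wno-error`, or fix the warning itself. If the line really has to go, delete it rather than leaving it commented out, and state the reason in the changelog.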
5403 diff -urNp linux-2.6.35.5/arch/sparc/mm/srmmu.c linux-2.6.35.5/arch/sparc/mm/srmmu.c
5404 --- linux-2.6.35.5/arch/sparc/mm/srmmu.c 2010-08-26 19:47:12.000000000 -0400
5405 +++ linux-2.6.35.5/arch/sparc/mm/srmmu.c 2010-09-17 20:12:09.000000000 -0400
5406 @@ -2198,6 +2198,13 @@ void __init ld_mmu_srmmu(void)
5407 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5408 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5409 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5411 +#ifdef CONFIG_PAX_PAGEEXEC
5412 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5413 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5414 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5417 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5418 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5420 diff -urNp linux-2.6.35.5/arch/um/include/asm/kmap_types.h linux-2.6.35.5/arch/um/include/asm/kmap_types.h
5421 --- linux-2.6.35.5/arch/um/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
5422 +++ linux-2.6.35.5/arch/um/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
5423 @@ -23,6 +23,7 @@ enum km_type {
5431 diff -urNp linux-2.6.35.5/arch/um/include/asm/page.h linux-2.6.35.5/arch/um/include/asm/page.h
5432 --- linux-2.6.35.5/arch/um/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
5433 +++ linux-2.6.35.5/arch/um/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
5435 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5436 #define PAGE_MASK (~(PAGE_SIZE-1))
5438 +#define ktla_ktva(addr) (addr)
5439 +#define ktva_ktla(addr) (addr)
5441 #ifndef __ASSEMBLY__
5444 diff -urNp linux-2.6.35.5/arch/um/sys-i386/syscalls.c linux-2.6.35.5/arch/um/sys-i386/syscalls.c
5445 --- linux-2.6.35.5/arch/um/sys-i386/syscalls.c 2010-08-26 19:47:12.000000000 -0400
5446 +++ linux-2.6.35.5/arch/um/sys-i386/syscalls.c 2010-09-17 20:12:09.000000000 -0400
5448 #include "asm/uaccess.h"
5449 #include "asm/unistd.h"
5451 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5453 + unsigned long pax_task_size = TASK_SIZE;
5455 +#ifdef CONFIG_PAX_SEGMEXEC
5456 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5457 + pax_task_size = SEGMEXEC_TASK_SIZE;
5460 + if (len > pax_task_size || addr > pax_task_size - len)
5467 * The prototype on i386 is:
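Review bot: `i386_mmap_check()` is added without any comment, yet the order of the two comparisons in `if (len > pax_task_size || addr > pax_task_size - len)` matters. Testing `len` first guarantees that `pax_task_size - len` cannot wrap, which is why the check is not written as `addr + len > pax_task_size`. I would add `/* len is tested first so pax_task_size - len cannot underflow */` above the `if`, and note that `flags` is unused in the lines shown. The function also dereferences `current->mm` under CONFIG_PAX_SEGMEXEC without a NULL test; presumably every caller has an mm, but that is not visible here.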
5469 diff -urNp linux-2.6.35.5/arch/x86/boot/bitops.h linux-2.6.35.5/arch/x86/boot/bitops.h
5470 --- linux-2.6.35.5/arch/x86/boot/bitops.h 2010-08-26 19:47:12.000000000 -0400
5471 +++ linux-2.6.35.5/arch/x86/boot/bitops.h 2010-09-17 20:12:09.000000000 -0400
5472 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5474 const u32 *p = (const u32 *)addr;
5476 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5477 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5481 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5483 static inline void set_bit(int nr, void *addr)
5485 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5486 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5489 #endif /* BOOT_BITOPS_H */
5490 diff -urNp linux-2.6.35.5/arch/x86/boot/boot.h linux-2.6.35.5/arch/x86/boot/boot.h
5491 --- linux-2.6.35.5/arch/x86/boot/boot.h 2010-08-26 19:47:12.000000000 -0400
5492 +++ linux-2.6.35.5/arch/x86/boot/boot.h 2010-09-17 20:12:09.000000000 -0400
5493 @@ -82,7 +82,7 @@ static inline void io_delay(void)
5494 static inline u16 ds(void)
5497 - asm("movw %%ds,%0" : "=rm" (seg));
5498 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5502 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
5503 static inline int memcmp(const void *s1, const void *s2, size_t len)
5506 - asm("repe; cmpsb; setnz %0"
5507 + asm volatile("repe; cmpsb; setnz %0"
5508 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
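Review bot: Adding `volatile` keeps the compiler from dropping or merging this asm, but the statement still does not tell it that `cmpsb` reads the two buffers. With only `"+D" (s1)`, `"+S" (s2)` and `"+c" (len)` as operands, stores made to those buffers just before the call are not known to be inputs and could in principle be reordered or removed. A `"memory"` clobber closes that gap: `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`. The body of `memcmp()` continues outside this hunk.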
5511 diff -urNp linux-2.6.35.5/arch/x86/boot/compressed/head_32.S linux-2.6.35.5/arch/x86/boot/compressed/head_32.S
5512 --- linux-2.6.35.5/arch/x86/boot/compressed/head_32.S 2010-08-26 19:47:12.000000000 -0400
5513 +++ linux-2.6.35.5/arch/x86/boot/compressed/head_32.S 2010-09-17 20:12:09.000000000 -0400
5514 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5518 - movl $LOAD_PHYSICAL_ADDR, %ebx
5519 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5522 /* Target address to relocate to for decompression */
5523 @@ -149,7 +149,7 @@ relocated:
5524 * and where it was actually loaded.
5527 - subl $LOAD_PHYSICAL_ADDR, %ebx
5528 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5529 jz 2f /* Nothing to be done if loaded at compiled addr. */
5531 * Process relocations.
5532 @@ -157,8 +157,7 @@ relocated:
5539 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5542 diff -urNp linux-2.6.35.5/arch/x86/boot/compressed/head_64.S linux-2.6.35.5/arch/x86/boot/compressed/head_64.S
5543 --- linux-2.6.35.5/arch/x86/boot/compressed/head_64.S 2010-08-26 19:47:12.000000000 -0400
5544 +++ linux-2.6.35.5/arch/x86/boot/compressed/head_64.S 2010-09-17 20:12:09.000000000 -0400
5545 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5549 - movl $LOAD_PHYSICAL_ADDR, %ebx
5550 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5553 /* Target address to relocate to for decompression */
5554 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5558 - movq $LOAD_PHYSICAL_ADDR, %rbp
5559 + movq $____LOAD_PHYSICAL_ADDR, %rbp
5562 /* Target address to relocate to for decompression */
5563 diff -urNp linux-2.6.35.5/arch/x86/boot/compressed/misc.c linux-2.6.35.5/arch/x86/boot/compressed/misc.c
5564 --- linux-2.6.35.5/arch/x86/boot/compressed/misc.c 2010-08-26 19:47:12.000000000 -0400
5565 +++ linux-2.6.35.5/arch/x86/boot/compressed/misc.c 2010-09-17 20:12:09.000000000 -0400
5566 @@ -285,7 +285,7 @@ static void parse_elf(void *output)
5568 #ifdef CONFIG_RELOCATABLE
5570 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5571 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5573 dest = (void *)(phdr->p_paddr);
5575 @@ -332,7 +332,7 @@ asmlinkage void decompress_kernel(void *
5576 error("Destination address too large");
5578 #ifndef CONFIG_RELOCATABLE
5579 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5580 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5581 error("Wrong destination address");
5584 diff -urNp linux-2.6.35.5/arch/x86/boot/compressed/mkpiggy.c linux-2.6.35.5/arch/x86/boot/compressed/mkpiggy.c
5585 --- linux-2.6.35.5/arch/x86/boot/compressed/mkpiggy.c 2010-08-26 19:47:12.000000000 -0400
5586 +++ linux-2.6.35.5/arch/x86/boot/compressed/mkpiggy.c 2010-09-17 20:12:09.000000000 -0400
5587 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
5589 offs = (olen > ilen) ? olen - ilen : 0;
5590 offs += olen >> 12; /* Add 8 bytes for each 32K block */
5591 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
5592 + offs += 64*1024; /* Add 64K bytes slack */
5593 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
5595 printf(".section \".rodata..compressed\",\"a\",@progbits\n");
5596 diff -urNp linux-2.6.35.5/arch/x86/boot/compressed/relocs.c linux-2.6.35.5/arch/x86/boot/compressed/relocs.c
5597 --- linux-2.6.35.5/arch/x86/boot/compressed/relocs.c 2010-08-26 19:47:12.000000000 -0400
5598 +++ linux-2.6.35.5/arch/x86/boot/compressed/relocs.c 2010-09-17 20:12:09.000000000 -0400
5601 static void die(char *fmt, ...);
5603 +#include "../../../../include/generated/autoconf.h"
5605 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5606 static Elf32_Ehdr ehdr;
5607 +static Elf32_Phdr *phdr;
5608 static unsigned long reloc_count, reloc_idx;
5609 static unsigned long *relocs;
5611 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5615 +static void read_phdrs(FILE *fp)
5619 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5621 + die("Unable to allocate %d program headers\n",
5624 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5625 + die("Seek to %d failed: %s\n",
5626 + ehdr.e_phoff, strerror(errno));
5628 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5629 + die("Cannot read ELF program headers: %s\n",
5632 + for(i = 0; i < ehdr.e_phnum; i++) {
5633 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5634 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5635 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5636 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5637 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5638 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5639 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5640 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5645 static void read_shdrs(FILE *fp)
5651 secs = calloc(ehdr.e_shnum, sizeof(struct section));
5652 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5654 static void read_strtabs(FILE *fp)
5658 for (i = 0; i < ehdr.e_shnum; i++) {
5659 struct section *sec = &secs[i];
5660 if (sec->shdr.sh_type != SHT_STRTAB) {
5661 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5663 static void read_symtabs(FILE *fp)
5667 for (i = 0; i < ehdr.e_shnum; i++) {
5668 struct section *sec = &secs[i];
5669 if (sec->shdr.sh_type != SHT_SYMTAB) {
5670 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
5672 static void read_relocs(FILE *fp)
5678 for (i = 0; i < ehdr.e_shnum; i++) {
5679 struct section *sec = &secs[i];
5680 if (sec->shdr.sh_type != SHT_REL) {
5681 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
5682 die("Cannot read symbol table: %s\n",
5686 + for (j = 0; j < ehdr.e_phnum; j++) {
5687 + if (phdr[j].p_type != PT_LOAD )
5689 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5691 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5694 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5695 Elf32_Rel *rel = &sec->reltab[j];
5696 - rel->r_offset = elf32_to_cpu(rel->r_offset);
5697 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5698 rel->r_info = elf32_to_cpu(rel->r_info);
5701 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
5703 static void print_absolute_symbols(void)
5707 printf("Absolute symbols\n");
5708 printf(" Num: Value Size Type Bind Visibility Name\n");
5709 for (i = 0; i < ehdr.e_shnum; i++) {
5710 struct section *sec = &secs[i];
5712 Elf32_Sym *sh_symtab;
5716 if (sec->shdr.sh_type != SHT_SYMTAB) {
5718 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
5720 static void print_absolute_relocs(void)
5722 - int i, printed = 0;
5723 + unsigned int i, printed = 0;
5725 for (i = 0; i < ehdr.e_shnum; i++) {
5726 struct section *sec = &secs[i];
5727 struct section *sec_applies, *sec_symtab;
5729 Elf32_Sym *sh_symtab;
5732 if (sec->shdr.sh_type != SHT_REL) {
5735 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
5737 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5741 /* Walk through the relocations */
5742 for (i = 0; i < ehdr.e_shnum; i++) {
5744 Elf32_Sym *sh_symtab;
5745 struct section *sec_applies, *sec_symtab;
5748 struct section *sec = &secs[i];
5750 if (sec->shdr.sh_type != SHT_REL) {
5751 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5752 !is_rel_reloc(sym_name(sym_strtab, sym))) {
5755 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5756 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5759 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5760 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5761 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5763 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5765 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5767 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
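Review bot: The added filters call `sec_name(sym->st_shndx)` five times and mix `!strcmp` with plain `strcmp` on the symbol name, so it is easy to misread which symbols are skipped and which are kept. I would hoist the lookups into locals, `const char *secname = sec_name(sym->st_shndx);` and `const char *name = sym_name(sym_strtab, sym);`, and test those. Each exception also deserves its own short comment, e.g. `/* .text: skip everything except __LOAD_PHYSICAL_ADDR */`, assuming the lines not shown after each test are `continue`. `walk_relocs()` starts and ends outside this hunk.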
5774 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
5776 static void emit_relocs(int as_text)
5780 /* Count how many relocations I have and allocate space for them. */
5782 walk_relocs(count_reloc);
5783 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
5784 fname, strerror(errno));
5791 diff -urNp linux-2.6.35.5/arch/x86/boot/cpucheck.c linux-2.6.35.5/arch/x86/boot/cpucheck.c
5792 --- linux-2.6.35.5/arch/x86/boot/cpucheck.c 2010-08-26 19:47:12.000000000 -0400
5793 +++ linux-2.6.35.5/arch/x86/boot/cpucheck.c 2010-09-17 20:12:09.000000000 -0400
5794 @@ -74,7 +74,7 @@ static int has_fpu(void)
5795 u16 fcw = -1, fsw = -1;
5798 - asm("movl %%cr0,%0" : "=r" (cr0));
5799 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
5800 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5801 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5802 asm volatile("movl %0,%%cr0" : : "r" (cr0));
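Review bot: Nothing in the file records why these asm statements gain `volatile`, and the change is not uniform in effect: GCC already treats an asm with no output operands (the `wrmsr` lines) as volatile, so only the statements with outputs (`movl %%cr0`, `pushfl`, `cpuid`, `rdmsr`) actually change. A one-line comment at the first site, such as `/* volatile: CR0/MSR/CPUID state changes between calls, so the read must not be cached, hoisted or dropped */`, would keep a later cleanup from reverting it. The same applies to the hunks in has_eflag, get_flags and check_cpu below. has_fpu's body continues outside the hunk.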
5803 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5808 + asm volatile("pushfl ; "
5812 @@ -115,7 +115,7 @@ static void get_flags(void)
5813 set_bit(X86_FEATURE_FPU, cpu.flags);
5815 if (has_eflag(X86_EFLAGS_ID)) {
5817 + asm volatile("cpuid"
5818 : "=a" (max_intel_level),
5819 "=b" (cpu_vendor[0]),
5820 "=d" (cpu_vendor[1]),
5821 @@ -124,7 +124,7 @@ static void get_flags(void)
5823 if (max_intel_level >= 0x00000001 &&
5824 max_intel_level <= 0x0000ffff) {
5826 + asm volatile("cpuid"
5828 "=c" (cpu.flags[4]),
5830 @@ -136,7 +136,7 @@ static void get_flags(void)
5831 cpu.model += ((tfms >> 16) & 0xf) << 4;
5835 + asm volatile("cpuid"
5836 : "=a" (max_amd_level)
5838 : "ebx", "ecx", "edx");
5839 @@ -144,7 +144,7 @@ static void get_flags(void)
5840 if (max_amd_level >= 0x80000001 &&
5841 max_amd_level <= 0x8000ffff) {
5842 u32 eax = 0x80000001;
5844 + asm volatile("cpuid"
5846 "=c" (cpu.flags[6]),
5848 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5849 u32 ecx = MSR_K7_HWCR;
5852 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5853 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5855 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5856 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5858 get_flags(); /* Make sure it really did something */
5859 err = check_flags();
5860 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5861 u32 ecx = MSR_VIA_FCR;
5864 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5865 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5866 eax |= (1<<1)|(1<<7);
5867 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5868 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5870 set_bit(X86_FEATURE_CX8, cpu.flags);
5871 err = check_flags();
5872 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
5876 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5877 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5879 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5880 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5881 + asm volatile("cpuid"
5882 : "+a" (level), "=d" (cpu.flags[0])
5884 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5885 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5887 err = check_flags();
5889 diff -urNp linux-2.6.35.5/arch/x86/boot/header.S linux-2.6.35.5/arch/x86/boot/header.S
5890 --- linux-2.6.35.5/arch/x86/boot/header.S 2010-08-26 19:47:12.000000000 -0400
5891 +++ linux-2.6.35.5/arch/x86/boot/header.S 2010-09-17 20:12:09.000000000 -0400
5892 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
5893 # single linked list of
5896 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
5897 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
5899 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
5900 #define VO_INIT_SIZE (VO__end - VO__text)
5901 diff -urNp linux-2.6.35.5/arch/x86/boot/memory.c linux-2.6.35.5/arch/x86/boot/memory.c
5902 --- linux-2.6.35.5/arch/x86/boot/memory.c 2010-08-26 19:47:12.000000000 -0400
5903 +++ linux-2.6.35.5/arch/x86/boot/memory.c 2010-09-17 20:12:09.000000000 -0400
5906 static int detect_memory_e820(void)
5909 + unsigned int count = 0;
5910 struct biosregs ireg, oreg;
5911 struct e820entry *desc = boot_params.e820_map;
5912 static struct e820entry buf; /* static so it is zeroed */
5913 diff -urNp linux-2.6.35.5/arch/x86/boot/video.c linux-2.6.35.5/arch/x86/boot/video.c
5914 --- linux-2.6.35.5/arch/x86/boot/video.c 2010-08-26 19:47:12.000000000 -0400
5915 +++ linux-2.6.35.5/arch/x86/boot/video.c 2010-09-17 20:12:09.000000000 -0400
5916 @@ -96,7 +96,7 @@ static void store_mode_params(void)
5917 static unsigned int get_entry(void)
5921 + unsigned int i, len = 0;
5925 diff -urNp linux-2.6.35.5/arch/x86/boot/video-vesa.c linux-2.6.35.5/arch/x86/boot/video-vesa.c
5926 --- linux-2.6.35.5/arch/x86/boot/video-vesa.c 2010-08-26 19:47:12.000000000 -0400
5927 +++ linux-2.6.35.5/arch/x86/boot/video-vesa.c 2010-09-17 20:12:09.000000000 -0400
5928 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
5930 boot_params.screen_info.vesapm_seg = oreg.es;
5931 boot_params.screen_info.vesapm_off = oreg.di;
5932 + boot_params.screen_info.vesapm_size = oreg.cx;
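Review bot: The stored `oreg.cx` is a length reported by the video BIOS and is copied into `screen_info.vesapm_size` without a sanity check or a comment on what it measures. Whoever later consumes `vesapm_seg`/`vesapm_off` together with this size (not visible in this hunk) should treat it as untrusted firmware data and bound it; a comment here would make that explicit, for example `/* CX: BIOS-reported length of the table at ES:DI; not validated here */`. vesa_store_pm_info starts outside the hunk.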
5936 diff -urNp linux-2.6.35.5/arch/x86/ia32/ia32_aout.c linux-2.6.35.5/arch/x86/ia32/ia32_aout.c
5937 --- linux-2.6.35.5/arch/x86/ia32/ia32_aout.c 2010-08-26 19:47:12.000000000 -0400
5938 +++ linux-2.6.35.5/arch/x86/ia32/ia32_aout.c 2010-09-23 20:32:33.000000000 -0400
5939 @@ -168,6 +168,8 @@ static int aout_core_dump(long signr, st
5940 unsigned long dump_start, dump_size;
5943 + memset(&dump, 0, sizeof(dump));
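Review bot: The new `memset(&dump, 0, sizeof(dump));` has no comment saying what it protects, so it reads like a redundant initialisation that a later cleanup could remove. If, as the name aout_core_dump suggests, `dump` is later written into the core file, the zeroing is what keeps padding and never-assigned fields of the struct from carrying stale kernel memory into that file; say so, e.g. `/* dump is written out to the core file: clear padding and unset fields first */`. The declaration of `dump` and the code that writes it are outside the hunk, so confirm this against the full function.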
5948 @@ -217,12 +219,6 @@ static int aout_core_dump(long signr, st
5949 dump_size = dump.u_ssize << PAGE_SHIFT;
5950 DUMP_WRITE(dump_start, dump_size);
5953 - * Finally dump the task struct. Not be used by gdb, but
5956 - set_fs(KERNEL_DS);
5957 - DUMP_WRITE(current, sizeof(*current));
5961 diff -urNp linux-2.6.35.5/arch/x86/ia32/ia32entry.S linux-2.6.35.5/arch/x86/ia32/ia32entry.S
5962 --- linux-2.6.35.5/arch/x86/ia32/ia32entry.S 2010-09-20 17:33:09.000000000 -0400
5963 +++ linux-2.6.35.5/arch/x86/ia32/ia32entry.S 2010-09-17 20:12:37.000000000 -0400
5965 #include <asm/thread_info.h>
5966 #include <asm/segment.h>
5967 #include <asm/irqflags.h>
5968 +#include <asm/pgtable.h>
5969 #include <linux/linkage.h>
5971 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
5972 @@ -120,6 +121,11 @@ ENTRY(ia32_sysenter_target)
5974 movq PER_CPU_VAR(kernel_stack), %rsp
5975 addq $(KERNEL_STACK_OFFSET),%rsp
5977 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5978 + call pax_enter_kernel_user
5982 * No need to follow this irqs on/off section: the syscall
5983 * disabled irqs, here we enable it straight after entry:
5984 @@ -150,6 +156,12 @@ ENTRY(ia32_sysenter_target)
5986 /* no need to do an access_ok check here because rbp has been
5987 32bit zero extended */
5989 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5990 + mov $PAX_USER_SHADOW_BASE,%r10
5995 .section __ex_table,"a"
5996 .quad 1b,ia32_badarg
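Review bot: `mov $PAX_USER_SHADOW_BASE,%r10` uses %r10 as a scratch register, and the next visible code at sysenter_dispatch reads `TI_flags(%r10)`, so this is only correct if %r10 is reloaded in between; the lines following the `mov` are not visible here. A short comment such as `/* %r10 is dead here; it is reloaded before sysenter_dispatch */` would document that, if it holds. The existing comment about not needing an access_ok check should be re-read as well, since, if the base is added to the user pointer as the constant's name suggests, the access no longer goes through the bare zero-extended register. The same applies to the ia32_cstar_target hunk, where cstar_dispatch likewise reads `TI_flags(%r10)`.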
5997 @@ -172,6 +184,11 @@ sysenter_dispatch:
5998 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6000 sysexit_from_sys_call:
6002 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6003 + call pax_exit_kernel_user
6006 andl $~TS_COMPAT,TI_status(%r10)
6007 /* clear IF, that popfq doesn't enable interrupts early */
6008 andl $~0x200,EFLAGS-R11(%rsp)
6009 @@ -290,6 +307,11 @@ ENTRY(ia32_cstar_target)
6012 movq PER_CPU_VAR(kernel_stack),%rsp
6014 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6015 + call pax_enter_kernel_user
6019 * No need to follow this irqs on/off section: the syscall
6020 * disabled irqs and here we enable it straight after entry:
6021 @@ -311,6 +333,12 @@ ENTRY(ia32_cstar_target)
6022 /* no need to do an access_ok check here because r8 has been
6023 32bit zero extended */
6024 /* hardware stack frame is complete now */
6026 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6027 + mov $PAX_USER_SHADOW_BASE,%r10
6032 .section __ex_table,"a"
6033 .quad 1b,ia32_badarg
6034 @@ -333,6 +361,11 @@ cstar_dispatch:
6035 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6037 sysretl_from_sys_call:
6039 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6040 + call pax_exit_kernel_user
6043 andl $~TS_COMPAT,TI_status(%r10)
6044 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6045 movl RIP-ARGOFFSET(%rsp),%ecx
6046 @@ -415,6 +448,11 @@ ENTRY(ia32_syscall)
6047 CFI_REL_OFFSET rip,RIP-RIP
6048 PARAVIRT_ADJUST_EXCEPTION_FRAME
6051 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6052 + call pax_enter_kernel_user
6056 * No need to follow this irqs on/off section: the syscall
6057 * disabled irqs and here we enable it straight after entry:
6058 diff -urNp linux-2.6.35.5/arch/x86/ia32/ia32_signal.c linux-2.6.35.5/arch/x86/ia32/ia32_signal.c
6059 --- linux-2.6.35.5/arch/x86/ia32/ia32_signal.c 2010-08-26 19:47:12.000000000 -0400
6060 +++ linux-2.6.35.5/arch/x86/ia32/ia32_signal.c 2010-09-17 20:12:09.000000000 -0400
6061 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6063 /* Align the stack pointer according to the i386 ABI,
6064 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6065 - sp = ((sp + 4) & -16ul) - 4;
6066 + sp = ((sp - 12) & -16ul) - 4;
6067 return (void __user *) sp;
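Review bot: The comment above the changed line only states the alignment invariant `((sp + 4) & 15) == 0`, which both the old `((sp + 4) & -16ul) - 4` and the new `((sp - 12) & -16ul) - 4` satisfy, so it no longer explains the code. The practical difference is that the new form always yields a value at least 16 bytes below the incoming `sp`, where the old form could return `sp` unchanged; the comment should state that and why it is wanted, e.g. by appending `and always at least 16 bytes below the incoming sp` to the existing sentence. get_sigframe starts outside the hunk.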
6070 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6072 __NR_ia32_rt_sigreturn,
6078 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6079 diff -urNp linux-2.6.35.5/arch/x86/include/asm/alternative.h linux-2.6.35.5/arch/x86/include/asm/alternative.h
6080 --- linux-2.6.35.5/arch/x86/include/asm/alternative.h 2010-08-26 19:47:12.000000000 -0400
6081 +++ linux-2.6.35.5/arch/x86/include/asm/alternative.h 2010-09-17 20:12:09.000000000 -0400
6082 @@ -91,7 +91,7 @@ static inline int alternatives_text_rese
6083 " .byte 664f-663f\n" /* replacementlen */ \
6084 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6086 - ".section .altinstr_replacement, \"ax\"\n" \
6087 + ".section .altinstr_replacement, \"a\"\n" \
6088 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
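Review bot: Changing the flags of `.altinstr_replacement` from `"ax"` to `"a"` makes the section non-executable, which only works if every other place that opens this section uses the same flags and if the replacement bytes are only ever copied, never run in place. The assembler complains when one section name is declared with differing attributes, so any assembly file or macro that still says `"ax"` needs the same edit; this page shows the matching change only in cpufeature.h. A comment on the directive, e.g. `/* "a": replacement code is copied over the original, never executed from this section */`, would record the intent. The macro continues outside the hunk.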
6091 diff -urNp linux-2.6.35.5/arch/x86/include/asm/apm.h linux-2.6.35.5/arch/x86/include/asm/apm.h
6092 --- linux-2.6.35.5/arch/x86/include/asm/apm.h 2010-08-26 19:47:12.000000000 -0400
6093 +++ linux-2.6.35.5/arch/x86/include/asm/apm.h 2010-09-17 20:12:09.000000000 -0400
6094 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6095 __asm__ __volatile__(APM_DO_ZERO_SEGS
6098 - "lcall *%%cs:apm_bios_entry\n\t"
6099 + "lcall *%%ss:apm_bios_entry\n\t"
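Review bot: The switch from `%%cs:` to `%%ss:` in `lcall *%%ss:apm_bios_entry` is unexplained, and it makes the far call depend on SS addressing the location of `apm_bios_entry` at this point. Since the statement starts with APM_DO_ZERO_SEGS, a reader needs to know that SS is deliberately left alone and still holds a flat kernel data selector. Please add a comment stating why CS can no longer be used for this read (presumably the kernel code segment is no longer a flat, readable alias of kernel data under this patch), e.g. `/* far pointer is read through %ss because ... */` with the reason spelled out. The same applies to apm_bios_call_simple_asm in the next hunk; both asm statements continue outside their hunks.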
6103 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6104 __asm__ __volatile__(APM_DO_ZERO_SEGS
6107 - "lcall *%%cs:apm_bios_entry\n\t"
6108 + "lcall *%%ss:apm_bios_entry\n\t"
6112 diff -urNp linux-2.6.35.5/arch/x86/include/asm/asm.h linux-2.6.35.5/arch/x86/include/asm/asm.h
6113 --- linux-2.6.35.5/arch/x86/include/asm/asm.h 2010-08-26 19:47:12.000000000 -0400
6114 +++ linux-2.6.35.5/arch/x86/include/asm/asm.h 2010-09-17 20:12:09.000000000 -0400
6116 #define _ASM_SI __ASM_REG(si)
6117 #define _ASM_DI __ASM_REG(di)
6119 +#ifdef CONFIG_X86_32
6120 +#define _ASM_INTO "into"
6122 +#define _ASM_INTO "int $4"
6125 /* Exception table entry */
6127 # define _ASM_EXTABLE(from,to) \
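Review bot: The two definitions of `_ASM_INTO` are not equivalent: `into` traps only when the overflow flag is set, while `int $4` raises the overflow vector unconditionally. Every 64-bit user therefore has to branch around it itself, and nothing at the definition says so; the lines between the arithmetic instruction and `_ASM_INTO` at the call sites in atomic.h are not visible in this view. Add a comment such as `/* "into" does not exist in 64-bit mode; "int $4" is unconditional, so callers must skip it with jno */`.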
6128 diff -urNp linux-2.6.35.5/arch/x86/include/asm/atomic64_32.h linux-2.6.35.5/arch/x86/include/asm/atomic64_32.h
6129 --- linux-2.6.35.5/arch/x86/include/asm/atomic64_32.h 2010-08-26 19:47:12.000000000 -0400
6130 +++ linux-2.6.35.5/arch/x86/include/asm/atomic64_32.h 2010-09-17 20:12:09.000000000 -0400
6131 @@ -12,6 +12,14 @@ typedef struct {
6132 u64 __aligned(8) counter;
6135 +#ifdef CONFIG_PAX_REFCOUNT
6137 + u64 __aligned(8) counter;
6138 +} atomic64_unchecked_t;
6140 +typedef atomic64_t atomic64_unchecked_t;
6143 #define ATOMIC64_INIT(val) { (val) }
6145 #ifdef CONFIG_X86_CMPXCHG64
6146 diff -urNp linux-2.6.35.5/arch/x86/include/asm/atomic64_64.h linux-2.6.35.5/arch/x86/include/asm/atomic64_64.h
6147 --- linux-2.6.35.5/arch/x86/include/asm/atomic64_64.h 2010-08-26 19:47:12.000000000 -0400
6148 +++ linux-2.6.35.5/arch/x86/include/asm/atomic64_64.h 2010-09-17 20:12:09.000000000 -0400
6149 @@ -22,6 +22,18 @@ static inline long atomic64_read(const a
6153 + * atomic64_read_unchecked - read atomic64 variable
6154 + * @v: pointer of type atomic64_unchecked_t
6156 + * Atomically reads the value of @v.
6157 + * Doesn't imply a read memory barrier.
6159 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6161 + return v->counter;
6165 * atomic64_set - set atomic64 variable
6166 * @v: pointer to type atomic64_t
6167 * @i: required value
6168 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6172 + * atomic64_set_unchecked - set atomic64 variable
6173 + * @v: pointer to type atomic64_unchecked_t
6174 + * @i: required value
6176 + * Atomically sets the value of @v to @i.
6178 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6184 * atomic64_add - add integer to atomic64 variable
6185 * @i: integer value to add
6186 * @v: pointer to type atomic64_t
6187 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6189 static inline void atomic64_add(long i, atomic64_t *v)
6191 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6193 +#ifdef CONFIG_PAX_REFCOUNT
6195 + LOCK_PREFIX "subq %1,%0\n"
6197 + _ASM_EXTABLE(0b, 0b)
6200 + : "=m" (v->counter)
6201 + : "er" (i), "m" (v->counter));
6205 + * atomic64_add_unchecked - add integer to atomic64 variable
6206 + * @i: integer value to add
6207 + * @v: pointer to type atomic64_unchecked_t
6209 + * Atomically adds @i to @v.
6211 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6213 asm volatile(LOCK_PREFIX "addq %1,%0"
6215 : "er" (i), "m" (v->counter));
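Review bot: Under CONFIG_PAX_REFCOUNT the overflow handling in atomic64_add is a second locked instruction (`LOCK_PREFIX "subq %1,%0\n"`) that undoes the add, so the counter holds the wrapped value for a short window during which other CPUs can read it. That is a property callers of the checked API should know about; a comment above the asm, e.g. `/* on signed overflow the add is undone and the overflow trap raised; the wrapped value is briefly visible to other CPUs */`, would document it. The branch and trap lines of the sequence are not visible here, so this is read from the add/sub pair and the `_ASM_EXTABLE(0b, 0b)` entry. The same shape recurs in atomic64_sub, atomic64_sub_and_test and atomic64_add_negative and in the atomic.h hunks.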
6216 @@ -56,7 +102,15 @@ static inline void atomic64_add(long i,
6218 static inline void atomic64_sub(long i, atomic64_t *v)
6220 - asm volatile(LOCK_PREFIX "subq %1,%0"
6221 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6223 +#ifdef CONFIG_PAX_REFCOUNT
6225 + LOCK_PREFIX "addq %1,%0\n"
6227 + _ASM_EXTABLE(0b, 0b)
6231 : "er" (i), "m" (v->counter));
6233 @@ -74,7 +128,16 @@ static inline int atomic64_sub_and_test(
6237 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6238 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6240 +#ifdef CONFIG_PAX_REFCOUNT
6242 + LOCK_PREFIX "addq %2,%0\n"
6244 + _ASM_EXTABLE(0b, 0b)
6248 : "=m" (v->counter), "=qm" (c)
6249 : "er" (i), "m" (v->counter) : "memory");
6251 @@ -88,6 +151,31 @@ static inline int atomic64_sub_and_test(
6253 static inline void atomic64_inc(atomic64_t *v)
6255 + asm volatile(LOCK_PREFIX "incq %0\n"
6257 +#ifdef CONFIG_PAX_REFCOUNT
6260 + ".pushsection .fixup,\"ax\"\n"
6262 + LOCK_PREFIX "decq %0\n"
6265 + _ASM_EXTABLE(0b, 1b)
6268 + : "=m" (v->counter)
6269 + : "m" (v->counter));
6273 + * atomic64_inc_unchecked - increment atomic64 variable
6274 + * @v: pointer to type atomic64_unchecked_t
6276 + * Atomically increments @v by 1.
6278 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6280 asm volatile(LOCK_PREFIX "incq %0"
6282 : "m" (v->counter));
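Review bot: atomic64_inc, atomic64_dec, atomic64_dec_and_test and atomic64_inc_and_test route the overflow path through `.pushsection .fixup,"ax"` and `_ASM_EXTABLE(0b, 1b)`, while atomic64_add and atomic64_sub in the same file and every function in atomic.h use the inline form with `_ASM_EXTABLE(0b, 0b)`. Two shapes for the same check make the set harder to audit; unless the out-of-line variant is needed for inc/dec specifically, use one form throughout or add a comment explaining the difference. Several lines of each sequence are missing from this view, so the comparison rests on the visible `.pushsection` and `_ASM_EXTABLE` lines.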
6283 @@ -101,7 +189,32 @@ static inline void atomic64_inc(atomic64
6285 static inline void atomic64_dec(atomic64_t *v)
6287 - asm volatile(LOCK_PREFIX "decq %0"
6288 + asm volatile(LOCK_PREFIX "decq %0\n"
6290 +#ifdef CONFIG_PAX_REFCOUNT
6293 + ".pushsection .fixup,\"ax\"\n"
6295 + LOCK_PREFIX "incq %0\n"
6298 + _ASM_EXTABLE(0b, 1b)
6301 + : "=m" (v->counter)
6302 + : "m" (v->counter));
6306 + * atomic64_dec_unchecked - decrement atomic64 variable
6307 + * @v: pointer to type atomic64_t
6309 + * Atomically decrements @v by 1.
6311 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6313 + asm volatile(LOCK_PREFIX "decq %0\n"
6315 : "m" (v->counter));
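Review bot: The kernel-doc for atomic64_dec_unchecked says `@v: pointer to type atomic64_t`, but the parameter is `atomic64_unchecked_t *v`; the line should read ` * @v: pointer to type atomic64_unchecked_t`. The same copy-paste slip is in atomic.h for atomic_sub_unchecked and atomic_dec_unchecked (`@v: pointer of type atomic_t`). Since the point of the split is that the checked and unchecked types are not interchangeable, the documentation should name the right one.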
6317 @@ -118,7 +231,20 @@ static inline int atomic64_dec_and_test(
6321 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6322 + asm volatile(LOCK_PREFIX "decq %0\n"
6324 +#ifdef CONFIG_PAX_REFCOUNT
6327 + ".pushsection .fixup,\"ax\"\n"
6329 + LOCK_PREFIX "incq %0\n"
6332 + _ASM_EXTABLE(0b, 1b)
6336 : "=m" (v->counter), "=qm" (c)
6337 : "m" (v->counter) : "memory");
6339 @@ -136,7 +262,20 @@ static inline int atomic64_inc_and_test(
6343 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6344 + asm volatile(LOCK_PREFIX "incq %0\n"
6346 +#ifdef CONFIG_PAX_REFCOUNT
6349 + ".pushsection .fixup,\"ax\"\n"
6351 + LOCK_PREFIX "decq %0\n"
6354 + _ASM_EXTABLE(0b, 1b)
6358 : "=m" (v->counter), "=qm" (c)
6359 : "m" (v->counter) : "memory");
6361 @@ -155,7 +294,16 @@ static inline int atomic64_add_negative(
6365 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6366 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6368 +#ifdef CONFIG_PAX_REFCOUNT
6370 + LOCK_PREFIX "subq %2,%0\n"
6372 + _ASM_EXTABLE(0b, 0b)
6376 : "=m" (v->counter), "=qm" (c)
6377 : "er" (i), "m" (v->counter) : "memory");
6379 @@ -171,7 +319,31 @@ static inline int atomic64_add_negative(
6380 static inline long atomic64_add_return(long i, atomic64_t *v)
6383 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6384 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6386 +#ifdef CONFIG_PAX_REFCOUNT
6390 + _ASM_EXTABLE(0b, 0b)
6393 + : "+r" (i), "+m" (v->counter)
6399 + * atomic64_add_return_unchecked - add and return
6400 + * @i: integer value to add
6401 + * @v: pointer to type atomic64_unchecked_t
6403 + * Atomically adds @i to @v and returns @i + @v
6405 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6408 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6409 : "+r" (i), "+m" (v->counter)
6412 @@ -183,6 +355,10 @@ static inline long atomic64_sub_return(l
6415 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6416 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6418 + return atomic64_add_return_unchecked(1, v);
6420 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6422 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6423 @@ -206,17 +382,29 @@ static inline long atomic64_xchg(atomic6
6425 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6429 c = atomic64_read(v);
6431 - if (unlikely(c == (u)))
6432 + if (unlikely(c == u))
6434 - old = atomic64_cmpxchg((v), c, c + (a));
6436 + asm volatile("add %2,%0\n"
6438 +#ifdef CONFIG_PAX_REFCOUNT
6441 + _ASM_EXTABLE(0b, 0b)
6445 + : "0" (c), "ir" (a));
6447 + old = atomic64_cmpxchg(v, c, new);
6448 if (likely(old == c))
6456 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
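Review bot: The new asm in atomic64_add_unless uses `"ir" (a)` for a `long` operand and an unsuffixed `add`, whereas the rest of this file uses `"er"` with `addq`. On x86-64 the `i` constraint admits any 64-bit constant, which `add` cannot encode as an immediate, so a constant `a` outside the sign-extended 32-bit range would fail to assemble once the function is inlined; `: "0" (c), "er" (a));` with `addq %2,%0\n` matches the other functions. The output operand line of this asm is not visible in this view.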
6457 diff -urNp linux-2.6.35.5/arch/x86/include/asm/atomic.h linux-2.6.35.5/arch/x86/include/asm/atomic.h
6458 --- linux-2.6.35.5/arch/x86/include/asm/atomic.h 2010-08-26 19:47:12.000000000 -0400
6459 +++ linux-2.6.35.5/arch/x86/include/asm/atomic.h 2010-09-17 20:12:09.000000000 -0400
6460 @@ -26,6 +26,17 @@ static inline int atomic_read(const atom
6464 + * atomic_read_unchecked - read atomic variable
6465 + * @v: pointer of type atomic_unchecked_t
6467 + * Atomically reads the value of @v.
6469 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6471 + return v->counter;
6475 * atomic_set - set atomic variable
6476 * @v: pointer of type atomic_t
6477 * @i: required value
6478 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6482 + * atomic_set_unchecked - set atomic variable
6483 + * @v: pointer of type atomic_unchecked_t
6484 + * @i: required value
6486 + * Atomically sets the value of @v to @i.
6488 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6494 * atomic_add - add integer to atomic variable
6495 * @i: integer value to add
6496 * @v: pointer of type atomic_t
6497 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6499 static inline void atomic_add(int i, atomic_t *v)
6501 - asm volatile(LOCK_PREFIX "addl %1,%0"
6502 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6504 +#ifdef CONFIG_PAX_REFCOUNT
6506 + LOCK_PREFIX "subl %1,%0\n"
6507 + _ASM_INTO "\n0:\n"
6508 + _ASM_EXTABLE(0b, 0b)
6511 + : "+m" (v->counter)
6516 + * atomic_add_unchecked - add integer to atomic variable
6517 + * @i: integer value to add
6518 + * @v: pointer of type atomic_unchecked_t
6520 + * Atomically adds @i to @v.
6522 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6524 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6528 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6530 static inline void atomic_sub(int i, atomic_t *v)
6532 - asm volatile(LOCK_PREFIX "subl %1,%0"
6533 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6535 +#ifdef CONFIG_PAX_REFCOUNT
6537 + LOCK_PREFIX "addl %1,%0\n"
6538 + _ASM_INTO "\n0:\n"
6539 + _ASM_EXTABLE(0b, 0b)
6542 + : "+m" (v->counter)
6547 + * atomic_sub_unchecked - subtract integer from atomic variable
6548 + * @i: integer value to subtract
6549 + * @v: pointer of type atomic_t
6551 + * Atomically subtracts @i from @v.
6553 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6555 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6559 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6563 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6564 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
6566 +#ifdef CONFIG_PAX_REFCOUNT
6568 + LOCK_PREFIX "addl %2,%0\n"
6569 + _ASM_INTO "\n0:\n"
6570 + _ASM_EXTABLE(0b, 0b)
6574 : "+m" (v->counter), "=qm" (c)
6575 : "ir" (i) : "memory");
6577 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6579 static inline void atomic_inc(atomic_t *v)
6581 - asm volatile(LOCK_PREFIX "incl %0"
6582 + asm volatile(LOCK_PREFIX "incl %0\n"
6584 +#ifdef CONFIG_PAX_REFCOUNT
6586 + LOCK_PREFIX "decl %0\n"
6587 + _ASM_INTO "\n0:\n"
6588 + _ASM_EXTABLE(0b, 0b)
6591 + : "+m" (v->counter));
6595 + * atomic_inc_unchecked - increment atomic variable
6596 + * @v: pointer of type atomic_unchecked_t
6598 + * Atomically increments @v by 1.
6600 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6602 + asm volatile(LOCK_PREFIX "incl %0\n"
6603 : "+m" (v->counter));
6606 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6608 static inline void atomic_dec(atomic_t *v)
6610 - asm volatile(LOCK_PREFIX "decl %0"
6611 + asm volatile(LOCK_PREFIX "decl %0\n"
6613 +#ifdef CONFIG_PAX_REFCOUNT
6615 + LOCK_PREFIX "incl %0\n"
6616 + _ASM_INTO "\n0:\n"
6617 + _ASM_EXTABLE(0b, 0b)
6620 + : "+m" (v->counter));
6624 + * atomic_dec_unchecked - decrement atomic variable
6625 + * @v: pointer of type atomic_t
6627 + * Atomically decrements @v by 1.
6629 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6631 + asm volatile(LOCK_PREFIX "decl %0\n"
6632 : "+m" (v->counter));
6635 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6639 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
6640 + asm volatile(LOCK_PREFIX "decl %0\n"
6642 +#ifdef CONFIG_PAX_REFCOUNT
6644 + LOCK_PREFIX "incl %0\n"
6645 + _ASM_INTO "\n0:\n"
6646 + _ASM_EXTABLE(0b, 0b)
6650 : "+m" (v->counter), "=qm" (c)
6653 @@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
6657 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
6658 + asm volatile(LOCK_PREFIX "incl %0\n"
6660 +#ifdef CONFIG_PAX_REFCOUNT
6662 + LOCK_PREFIX "decl %0\n"
6663 + _ASM_INTO "\n0:\n"
6664 + _ASM_EXTABLE(0b, 0b)
6668 : "+m" (v->counter), "=qm" (c)
6671 @@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
6675 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6676 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
6678 +#ifdef CONFIG_PAX_REFCOUNT
6680 + LOCK_PREFIX "subl %2,%0\n"
6681 + _ASM_INTO "\n0:\n"
6682 + _ASM_EXTABLE(0b, 0b)
6686 : "+m" (v->counter), "=qm" (c)
6687 : "ir" (i) : "memory");
6689 @@ -180,6 +323,46 @@ static inline int atomic_add_return(int
6691 /* Modern 486+ processor */
6693 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6695 +#ifdef CONFIG_PAX_REFCOUNT
6698 + _ASM_INTO "\n0:\n"
6699 + _ASM_EXTABLE(0b, 0b)
6702 + : "+r" (i), "+m" (v->counter)
6707 +no_xadd: /* Legacy 386 processor */
6708 + local_irq_save(flags);
6709 + __i = atomic_read(v);
6710 + atomic_set(v, i + __i);
6711 + local_irq_restore(flags);
6717 + * atomic_add_return_unchecked - add integer and return
6718 + * @v: pointer of type atomic_unchecked_t
6719 + * @i: integer value to add
6721 + * Atomically adds @i to @v and returns @i + @v
6723 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
6727 + unsigned long flags;
6728 + if (unlikely(boot_cpu_data.x86 <= 3))
6731 + /* Modern 486+ processor */
6733 asm volatile(LOCK_PREFIX "xaddl %0, %1"
6734 : "+r" (i), "+m" (v->counter)
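Review bot: In the checked atomic_add_return the `no_xadd` legacy path does `__i = atomic_read(v);` followed by `atomic_set(v, i + __i);` with no overflow test, so on 386-class CPUs the CONFIG_PAX_REFCOUNT check present on the xaddl path is silently absent. Either add the same detection there or state the gap, e.g. `/* no overflow detection on the 386 path */`, so that the difference between this function and atomic_add_return_unchecked is not overstated. Parts of both functions are missing from this view.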
6736 @@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
6739 #define atomic_inc_return(v) (atomic_add_return(1, v))
6740 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6742 + return atomic_add_return_unchecked(1, v);
6744 #define atomic_dec_return(v) (atomic_sub_return(1, v))
6746 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6747 @@ -231,17 +418,29 @@ static inline int atomic_xchg(atomic_t *
6749 static inline int atomic_add_unless(atomic_t *v, int a, int u)
6755 - if (unlikely(c == (u)))
6756 + if (unlikely(c == u))
6758 - old = atomic_cmpxchg((v), c, c + (a));
6760 + asm volatile("addl %2,%0\n"
6762 +#ifdef CONFIG_PAX_REFCOUNT
6764 + _ASM_INTO "\n0:\n"
6765 + _ASM_EXTABLE(0b, 0b)
6769 + : "0" (c), "ir" (a));
6771 + old = atomic_cmpxchg(v, c, new);
6772 if (likely(old == c))
6780 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
6781 diff -urNp linux-2.6.35.5/arch/x86/include/asm/boot.h linux-2.6.35.5/arch/x86/include/asm/boot.h
6782 --- linux-2.6.35.5/arch/x86/include/asm/boot.h 2010-08-26 19:47:12.000000000 -0400
6783 +++ linux-2.6.35.5/arch/x86/include/asm/boot.h 2010-09-17 20:12:09.000000000 -0400
6785 #include <asm/pgtable_types.h>
6787 /* Physical address where kernel should be loaded. */
6788 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6789 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6790 + (CONFIG_PHYSICAL_ALIGN - 1)) \
6791 & ~(CONFIG_PHYSICAL_ALIGN - 1))
6793 +#ifndef __ASSEMBLY__
6794 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
6795 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
6798 /* Minimum kernel alignment, as a power of two */
6799 #ifdef CONFIG_X86_64
6800 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
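Review bot: `LOAD_PHYSICAL_ADDR` changes from an integer constant expression to `((unsigned long)__LOAD_PHYSICAL_ADDR)`, the address of an extern symbol, and it is now defined only under `#ifndef __ASSEMBLY__`. Any remaining use in a preprocessor `#if`, a case label, an array size or an assembly file will stop building or change meaning; header.S is switched to `____LOAD_PHYSICAL_ADDR` on this page, other users are not visible. The two names differ only in the number of leading underscores, which is easy to misread, so a comment stating which one is the compile-time constant and which is resolved at link time, or a more distinct name for the constant, would help.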
6801 diff -urNp linux-2.6.35.5/arch/x86/include/asm/cacheflush.h linux-2.6.35.5/arch/x86/include/asm/cacheflush.h
6802 --- linux-2.6.35.5/arch/x86/include/asm/cacheflush.h 2010-08-26 19:47:12.000000000 -0400
6803 +++ linux-2.6.35.5/arch/x86/include/asm/cacheflush.h 2010-09-17 20:12:09.000000000 -0400
6804 @@ -66,7 +66,7 @@ static inline unsigned long get_page_mem
6805 unsigned long pg_flags = pg->flags & _PGMT_MASK;
6807 if (pg_flags == _PGMT_DEFAULT)
6810 else if (pg_flags == _PGMT_WC)
6811 return _PAGE_CACHE_WC;
6812 else if (pg_flags == _PGMT_UC_MINUS)
6813 diff -urNp linux-2.6.35.5/arch/x86/include/asm/cache.h linux-2.6.35.5/arch/x86/include/asm/cache.h
6814 --- linux-2.6.35.5/arch/x86/include/asm/cache.h 2010-08-26 19:47:12.000000000 -0400
6815 +++ linux-2.6.35.5/arch/x86/include/asm/cache.h 2010-09-17 20:12:09.000000000 -0400
6817 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6819 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
6820 +#define __read_only __attribute__((__section__(".data..read_only")))
6822 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
6823 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
6824 diff -urNp linux-2.6.35.5/arch/x86/include/asm/checksum_32.h linux-2.6.35.5/arch/x86/include/asm/checksum_32.h
6825 --- linux-2.6.35.5/arch/x86/include/asm/checksum_32.h 2010-08-26 19:47:12.000000000 -0400
6826 +++ linux-2.6.35.5/arch/x86/include/asm/checksum_32.h 2010-09-17 20:12:09.000000000 -0400
6827 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
6828 int len, __wsum sum,
6829 int *src_err_ptr, int *dst_err_ptr);
6831 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
6832 + int len, __wsum sum,
6833 + int *src_err_ptr, int *dst_err_ptr);
6835 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
6836 + int len, __wsum sum,
6837 + int *src_err_ptr, int *dst_err_ptr);
6840 * Note: when you get a NULL pointer exception here this means someone
6841 * passed in an incorrect kernel address to one of these functions.
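Review bot: The two new prototypes take plain `const void *src, void *dst`, so the user-side pointer loses its `__user` annotation and the callers keep their `(__force void *)` casts. Now that the direction is encoded in the function name, the prototype can carry it too: `const void __user *src` for csum_partial_copy_generic_from_user and `void __user *dst` for csum_partial_copy_generic_to_user, which lets sparse catch a swapped call and removes the casts in csum_partial_copy_from_user and csum_and_copy_to_user in the following hunks. A one-line comment on how the variants differ from csum_partial_copy_generic would also help, since the implementation is not in this header.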
6842 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
6846 - return csum_partial_copy_generic((__force void *)src, dst,
6847 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
6848 len, sum, err_ptr, NULL);
6851 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
6854 if (access_ok(VERIFY_WRITE, dst, len))
6855 - return csum_partial_copy_generic(src, (__force void *)dst,
6856 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
6857 len, sum, NULL, err_ptr);
6860 diff -urNp linux-2.6.35.5/arch/x86/include/asm/cpufeature.h linux-2.6.35.5/arch/x86/include/asm/cpufeature.h
6861 --- linux-2.6.35.5/arch/x86/include/asm/cpufeature.h 2010-08-26 19:47:12.000000000 -0400
6862 +++ linux-2.6.35.5/arch/x86/include/asm/cpufeature.h 2010-09-17 20:12:09.000000000 -0400
6863 @@ -323,7 +323,7 @@ static __always_inline __pure bool __sta
6864 " .byte 4f - 3f\n" /* replacement len */
6865 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* padding */
6867 - ".section .altinstr_replacement,\"ax\"\n"
6868 + ".section .altinstr_replacement,\"a\"\n"
6872 diff -urNp linux-2.6.35.5/arch/x86/include/asm/desc.h linux-2.6.35.5/arch/x86/include/asm/desc.h
6873 --- linux-2.6.35.5/arch/x86/include/asm/desc.h 2010-08-26 19:47:12.000000000 -0400
6874 +++ linux-2.6.35.5/arch/x86/include/asm/desc.h 2010-09-17 20:12:09.000000000 -0400
6876 #include <asm/desc_defs.h>
6877 #include <asm/ldt.h>
6878 #include <asm/mmu.h>
6879 +#include <asm/pgtable.h>
6880 #include <linux/smp.h>
6882 static inline void fill_ldt(struct desc_struct *desc,
6883 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
6884 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
6885 desc->type = (info->read_exec_only ^ 1) << 1;
6886 desc->type |= info->contents << 2;
6887 + desc->type |= info->seg_not_present ^ 1;
6890 desc->p = info->seg_not_present ^ 1;
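Review bot: `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field for every present segment, and nothing says why. Bit 0 of a code/data descriptor type is the Accessed bit, so this presumably pre-sets it so that the CPU never has to write the descriptor back when the segment is first loaded; if that is the intent, say so with `/* pre-set Accessed so loading the segment does not write to the descriptor table */`. fill_ldt starts and ends outside the hunk.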
6891 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
6894 extern struct desc_ptr idt_descr;
6895 -extern gate_desc idt_table[];
6898 - struct desc_struct gdt[GDT_ENTRIES];
6899 -} __attribute__((aligned(PAGE_SIZE)));
6900 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
6901 +extern gate_desc idt_table[256];
6903 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
6904 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
6906 - return per_cpu(gdt_page, cpu).gdt;
6907 + return cpu_gdt_table[cpu];
6910 #ifdef CONFIG_X86_64
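Review bot: The removed `struct gdt_page` carried `__attribute__((aligned(PAGE_SIZE)))`, while the new `extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)]` declaration has no alignment attribute, so page alignment now rests entirely on the definition, which is not visible here. `get_cpu_gdt_table` also indexes the array with an unchecked `cpu`, and the table is sized for NR_CPUS rather than for the CPUs actually present. A comment on the declaration would make the invariant checkable: `/* one page per CPU; the definition must be PAGE_SIZE-aligned */`.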
6911 @@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
6912 static inline void native_write_idt_entry(gate_desc *idt, int entry,
6913 const gate_desc *gate)
6915 + pax_open_kernel();
6916 memcpy(&idt[entry], gate, sizeof(*gate));
6917 + pax_close_kernel();
6920 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
6923 + pax_open_kernel();
6924 memcpy(&ldt[entry], desc, 8);
6925 + pax_close_kernel();
6928 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
6929 const void *desc, int type)
6935 size = sizeof(tss_desc);
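Review bot: `pax_open_kernel()` and `pax_close_kernel()` are wrapped around the descriptor-table writes with no comment on what the pair does or what may run between them. If, as the names suggest, they lift and restore write protection on kernel data, the bracketed region must not contain anything that can fault or sleep; note also that `entry` is not range-checked in these helpers, so an out-of-range index would be written while protection is lifted. A comment at the first use, e.g. `/* descriptor tables are read-only; open a write window for this store only */`, would cover the same pattern in native_write_gdt_entry and native_load_tls in the following hunks. The definition of the pair is not on this page.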
6936 @@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
6937 size = sizeof(struct desc_struct);
6941 + pax_open_kernel();
6942 memcpy(&gdt[entry], desc, size);
6943 + pax_close_kernel();
6946 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
6947 @@ -211,7 +217,9 @@ static inline void native_set_ldt(const
6949 static inline void native_load_tr_desc(void)
6951 + pax_open_kernel();
6952 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
6953 + pax_close_kernel();
6956 static inline void native_load_gdt(const struct desc_ptr *dtr)
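Review bot: It is not obvious why a register load in native_load_tr_desc needs a write window: `ltr` marks the TSS descriptor busy, i.e. it writes to the GDT entry, which is presumably why it is bracketed by `pax_open_kernel()` and `pax_close_kernel()`. A comment such as `/* ltr sets the Busy bit in the TSS descriptor, so the GDT must be writable here */` would keep the pair from being removed as unnecessary.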
6957 @@ -246,8 +254,10 @@ static inline void native_load_tls(struc
6959 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
6961 + pax_open_kernel();
6962 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
6963 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
6964 + pax_close_kernel();
6967 #define _LDT_empty(info) \
6968 @@ -309,7 +319,7 @@ static inline void set_desc_limit(struct
6969 desc->limit = (limit >> 16) & 0xf;
6972 -static inline void _set_gate(int gate, unsigned type, void *addr,
6973 +static inline void _set_gate(int gate, unsigned type, const void *addr,
6974 unsigned dpl, unsigned ist, unsigned seg)
6977 @@ -327,7 +337,7 @@ static inline void _set_gate(int gate, u
6978 * Pentium F0 0F bugfix can have resulted in the mapped
6979 * IDT being write-protected.
6981 -static inline void set_intr_gate(unsigned int n, void *addr)
6982 +static inline void set_intr_gate(unsigned int n, const void *addr)
6984 BUG_ON((unsigned)n > 0xFF);
6985 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
6986 @@ -356,19 +366,19 @@ static inline void alloc_intr_gate(unsig
6988 * This routine sets up an interrupt gate at directory privilege level 3.
6990 -static inline void set_system_intr_gate(unsigned int n, void *addr)
6991 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
6993 BUG_ON((unsigned)n > 0xFF);
6994 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
6997 -static inline void set_system_trap_gate(unsigned int n, void *addr)
6998 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7000 BUG_ON((unsigned)n > 0xFF);
7001 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7004 -static inline void set_trap_gate(unsigned int n, void *addr)
7005 +static inline void set_trap_gate(unsigned int n, const void *addr)
7007 BUG_ON((unsigned)n > 0xFF);
7008 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7009 @@ -377,19 +387,31 @@ static inline void set_trap_gate(unsigne
7010 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7012 BUG_ON((unsigned)n > 0xFF);
7013 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7014 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7017 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7018 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7020 BUG_ON((unsigned)n > 0xFF);
7021 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7024 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7025 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7027 BUG_ON((unsigned)n > 0xFF);
7028 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7031 +#ifdef CONFIG_X86_32
7032 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7034 + struct desc_struct d;
7036 + if (likely(limit))
7037 + limit = (limit - 1UL) >> PAGE_SHIFT;
7038 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
7039 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7043 #endif /* _ASM_X86_DESC_H */
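Review bot: `set_user_cs()` passes the bare constants `0xFB` and `0xC` to `pack_descriptor()` and converts `limit` from bytes to pages, with no comment tying the two together. `0xFB` decodes as present, DPL 3, code segment, readable, accessed; `0xC` as 4 KiB granularity plus 32-bit default operand size, which is why the limit is shifted by `PAGE_SHIFT`. Because the function rewrites `GDT_ENTRY_DEFAULT_USER_CS`, I would add a short comment above it stating that `limit` is a byte count, that a `limit` of 0 is passed through unchanged, and what the two constants encode.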
7044 diff -urNp linux-2.6.35.5/arch/x86/include/asm/device.h linux-2.6.35.5/arch/x86/include/asm/device.h
7045 --- linux-2.6.35.5/arch/x86/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
7046 +++ linux-2.6.35.5/arch/x86/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
7047 @@ -6,7 +6,7 @@ struct dev_archdata {
7050 #ifdef CONFIG_X86_64
7051 -struct dma_map_ops *dma_ops;
7052 + const struct dma_map_ops *dma_ops;
7054 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7055 void *iommu; /* hook for IOMMU specific extension */
7056 diff -urNp linux-2.6.35.5/arch/x86/include/asm/dma-mapping.h linux-2.6.35.5/arch/x86/include/asm/dma-mapping.h
7057 --- linux-2.6.35.5/arch/x86/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
7058 +++ linux-2.6.35.5/arch/x86/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
7059 @@ -26,9 +26,9 @@ extern int iommu_merge;
7060 extern struct device x86_dma_fallback_dev;
7061 extern int panic_on_overflow;
7063 -extern struct dma_map_ops *dma_ops;
7064 +extern const struct dma_map_ops *dma_ops;
7066 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7067 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7069 #ifdef CONFIG_X86_32
7071 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7072 /* Make sure we keep the same behaviour */
7073 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7075 - struct dma_map_ops *ops = get_dma_ops(dev);
7076 + const struct dma_map_ops *ops = get_dma_ops(dev);
7077 if (ops->mapping_error)
7078 return ops->mapping_error(dev, dma_addr);
7080 @@ -123,7 +123,7 @@ static inline void *
7081 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7084 - struct dma_map_ops *ops = get_dma_ops(dev);
7085 + const struct dma_map_ops *ops = get_dma_ops(dev);
7088 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7089 @@ -150,7 +150,7 @@ dma_alloc_coherent(struct device *dev, s
7090 static inline void dma_free_coherent(struct device *dev, size_t size,
7091 void *vaddr, dma_addr_t bus)
7093 - struct dma_map_ops *ops = get_dma_ops(dev);
7094 + const struct dma_map_ops *ops = get_dma_ops(dev);
7096 WARN_ON(irqs_disabled()); /* for portability */
7098 diff -urNp linux-2.6.35.5/arch/x86/include/asm/e820.h linux-2.6.35.5/arch/x86/include/asm/e820.h
7099 --- linux-2.6.35.5/arch/x86/include/asm/e820.h 2010-08-26 19:47:12.000000000 -0400
7100 +++ linux-2.6.35.5/arch/x86/include/asm/e820.h 2010-09-17 20:12:09.000000000 -0400
7101 @@ -69,7 +69,7 @@ struct e820map {
7102 #define ISA_START_ADDRESS 0xa0000
7103 #define ISA_END_ADDRESS 0x100000
7105 -#define BIOS_BEGIN 0x000a0000
7106 +#define BIOS_BEGIN 0x000c0000
7107 #define BIOS_END 0x00100000
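Review bot: `BIOS_BEGIN` moves from `0x000a0000` to `0x000c0000` with no comment, while `ISA_START_ADDRESS` a few lines above stays at `0xa0000`. Every user of the `BIOS_BEGIN`..`BIOS_END` range therefore stops covering 0xa0000–0xbffff. Those users are not visible in this hunk, so the effect on reservation or access checks cannot be judged from here. I would add a comment next to the define stating why that window is excluded and which users rely on the narrower range.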
7110 diff -urNp linux-2.6.35.5/arch/x86/include/asm/elf.h linux-2.6.35.5/arch/x86/include/asm/elf.h
7111 --- linux-2.6.35.5/arch/x86/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
7112 +++ linux-2.6.35.5/arch/x86/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
7113 @@ -237,7 +237,25 @@ extern int force_personality32;
7114 the loader. We need to make sure that it is out of the way of the program
7115 that it will "exec", and that there is sufficient room for the brk. */
7117 +#ifdef CONFIG_PAX_SEGMEXEC
7118 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7120 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7123 +#ifdef CONFIG_PAX_ASLR
7124 +#ifdef CONFIG_X86_32
7125 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7127 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7128 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7130 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7132 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7133 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7137 /* This yields a mask that user programs can use to figure out what
7138 instruction set this CPU supports. This could be done in user space,
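Review bot: The new `PAX_DELTA_MMAP_LEN` / `PAX_DELTA_STACK_LEN` definitions give no unit, so the values 15, 16 and `TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3` cannot be audited from this header. They appear to be counts of random bits applied at page granularity, but the consumer is not in this hunk. A comment such as `/* number of randomized bits, in units of pages — confirm against the ASLR setup code */` would help, and it should say why the SEGMEXEC case gets one bit less. Separately, `ELF_ET_DYN_BASE` now dereferences `current->mm` under `CONFIG_PAX_SEGMEXEC`, so it is only valid where the task has an mm; that is worth stating next to the define.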
7139 @@ -291,8 +309,7 @@ do { \
7140 #define ARCH_DLINFO \
7143 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7144 - (unsigned long)current->mm->context.vdso); \
7145 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7148 #define AT_SYSINFO 32
7149 @@ -303,7 +320,7 @@ do { \
7151 #endif /* !CONFIG_X86_32 */
7153 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7154 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7156 #define VDSO_ENTRY \
7157 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7158 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7159 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7160 #define compat_arch_setup_additional_pages syscall32_setup_pages
7162 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7163 -#define arch_randomize_brk arch_randomize_brk
7165 #endif /* _ASM_X86_ELF_H */
7166 diff -urNp linux-2.6.35.5/arch/x86/include/asm/futex.h linux-2.6.35.5/arch/x86/include/asm/futex.h
7167 --- linux-2.6.35.5/arch/x86/include/asm/futex.h 2010-08-26 19:47:12.000000000 -0400
7168 +++ linux-2.6.35.5/arch/x86/include/asm/futex.h 2010-09-17 20:12:09.000000000 -0400
7170 #include <asm/processor.h>
7171 #include <asm/system.h>
7173 +#ifdef CONFIG_X86_32
7174 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7176 + "movw\t%w6, %%ds\n" \
7177 + "1:\t" insn "\n" \
7178 + "2:\tpushl\t%%ss\n" \
7179 + "\tpopl\t%%ds\n" \
7180 + "\t.section .fixup,\"ax\"\n" \
7181 + "3:\tmov\t%3, %1\n" \
7184 + _ASM_EXTABLE(1b, 3b) \
7185 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7186 + : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
7188 +#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7189 + asm volatile("movw\t%w7, %%es\n" \
7190 + "1:\tmovl\t%%es:%2, %0\n" \
7191 + "\tmovl\t%0, %3\n" \
7193 + "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
7195 + "3:\tpushl\t%%ss\n" \
7196 + "\tpopl\t%%es\n" \
7197 + "\t.section .fixup,\"ax\"\n" \
7198 + "4:\tmov\t%5, %1\n" \
7201 + _ASM_EXTABLE(1b, 4b) \
7202 + _ASM_EXTABLE(2b, 4b) \
7203 + : "=&a" (oldval), "=&r" (ret), \
7204 + "+m" (*uaddr), "=&r" (tem) \
7205 + : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
7207 +#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7208 + typecheck(u32 *, uaddr); \
7209 asm volatile("1:\t" insn "\n" \
7210 "2:\t.section .fixup,\"ax\"\n" \
7211 "3:\tmov\t%3, %1\n" \
7214 _ASM_EXTABLE(1b, 3b) \
7215 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7216 + : "=r" (oldval), "=r" (ret), \
7217 + "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))\
7218 : "i" (-EFAULT), "0" (oparg), "1" (0))
7220 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7221 + typecheck(u32 *, uaddr); \
7222 asm volatile("1:\tmovl %2, %0\n" \
7223 "\tmovl\t%0, %3\n" \
7226 _ASM_EXTABLE(1b, 4b) \
7227 _ASM_EXTABLE(2b, 4b) \
7228 : "=&a" (oldval), "=&r" (ret), \
7229 - "+m" (*uaddr), "=&r" (tem) \
7230 + "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4)),\
7232 : "r" (oparg), "i" (-EFAULT), "1" (0))
7235 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7236 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7238 int op = (encoded_op >> 28) & 7;
7239 int cmp = (encoded_op >> 24) & 15;
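Review bot: In the second pair of definitions, `__futex_atomic_op1` and `__futex_atomic_op2` now expand to two statements, `typecheck(u32 *, uaddr);` followed by the `asm volatile`. The macro is therefore no longer safe as the body of an unbraced `if` or `else`. As far as the visible lines show, the `CONFIG_X86_32` variants above remain a single statement, and the callers in the next hunk use the macro as a plain statement inside `switch` cases, where it works today. Wrapping the two-statement bodies in `do { ... } while (0)` keeps the check and removes the hazard. A comment that the `/ 4` in `uaddr + PAX_USER_SHADOW_BASE / 4` relies on `uaddr` being `u32 *` would also explain why the typecheck is there.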
7240 @@ -61,11 +100,20 @@ static inline int futex_atomic_op_inuser
7244 +#ifdef CONFIG_X86_32
7245 + __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
7247 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7251 +#ifdef CONFIG_X86_32
7252 + __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
7255 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7260 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
7261 @@ -109,7 +157,7 @@ static inline int futex_atomic_op_inuser
7265 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7266 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7270 @@ -119,17 +167,31 @@ static inline int futex_atomic_cmpxchg_i
7274 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7275 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7278 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7279 - "2:\t.section .fixup, \"ax\"\n"
7281 +#ifdef CONFIG_X86_32
7282 + "\tmovw %w5, %%ds\n"
7283 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %%ds:%1\n"
7284 + "2:\tpushl %%ss\n"
7287 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7290 + "\t.section .fixup, \"ax\"\n"
7294 _ASM_EXTABLE(1b, 3b)
7295 +#ifdef CONFIG_X86_32
7296 : "=a" (oldval), "+m" (*uaddr)
7297 + : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
7299 + : "=a" (oldval), "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))
7300 : "i" (-EFAULT), "r" (newval), "0" (oldval)
7305 diff -urNp linux-2.6.35.5/arch/x86/include/asm/i387.h linux-2.6.35.5/arch/x86/include/asm/i387.h
7306 --- linux-2.6.35.5/arch/x86/include/asm/i387.h 2010-08-26 19:47:12.000000000 -0400
7307 +++ linux-2.6.35.5/arch/x86/include/asm/i387.h 2010-09-17 20:12:09.000000000 -0400
7308 @@ -77,6 +77,11 @@ static inline int fxrstor_checking(struc
7312 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7313 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7314 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7317 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
7319 ".section .fixup,\"ax\"\n"
7320 @@ -127,6 +132,11 @@ static inline int fxsave_user(struct i38
7324 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7325 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7326 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7329 asm volatile("1: rex64/fxsave (%[fx])\n\t"
7331 ".section .fixup,\"ax\"\n"
7332 @@ -220,13 +230,8 @@ static inline int fxrstor_checking(struc
7335 /* We need a safe address that is cheap to find and that is already
7336 - in L1 during context switch. The best choices are unfortunately
7337 - different for UP and SMP */
7339 -#define safe_address (__per_cpu_offset[0])
7341 -#define safe_address (kstat_cpu(0).cpustat.user)
7343 + in L1 during context switch. */
7344 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7347 * These must be called with preempt disabled
7348 diff -urNp linux-2.6.35.5/arch/x86/include/asm/io.h linux-2.6.35.5/arch/x86/include/asm/io.h
7349 --- linux-2.6.35.5/arch/x86/include/asm/io.h 2010-08-26 19:47:12.000000000 -0400
7350 +++ linux-2.6.35.5/arch/x86/include/asm/io.h 2010-09-17 20:12:09.000000000 -0400
7351 @@ -213,6 +213,17 @@ extern void iounmap(volatile void __iome
7353 #include <linux/vmalloc.h>
7355 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7356 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7358 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7361 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7363 + return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7367 * Convert a virtual cached pointer to an uncached pointer
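Review bot: Both new range checks build the limit as `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)`, an `int` shift. That is undefined once the shift count reaches 31, e.g. `x86_phys_bits` of 43 or more with 4 KiB pages, so the comparison can wrongly accept or reject a range. In `valid_phys_addr_range` the sum `addr + count + PAGE_SIZE - 1` can also wrap for a large `count` and then pass the check with a small value; `pfn + (count >> PAGE_SHIFT)` has the same shape. These helpers appear to bound which physical addresses a caller may reach, so I would compute the limit in a 64-bit type and reject wrapping first: `1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)` and `if (addr + count < addr) return 0;`.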
7369 diff -urNp linux-2.6.35.5/arch/x86/include/asm/iommu.h linux-2.6.35.5/arch/x86/include/asm/iommu.h
7370 --- linux-2.6.35.5/arch/x86/include/asm/iommu.h 2010-08-26 19:47:12.000000000 -0400
7371 +++ linux-2.6.35.5/arch/x86/include/asm/iommu.h 2010-09-17 20:12:09.000000000 -0400
7373 #ifndef _ASM_X86_IOMMU_H
7374 #define _ASM_X86_IOMMU_H
7376 -extern struct dma_map_ops nommu_dma_ops;
7377 +extern const struct dma_map_ops nommu_dma_ops;
7378 extern int force_iommu, no_iommu;
7379 extern int iommu_detected;
7380 extern int iommu_pass_through;
7381 diff -urNp linux-2.6.35.5/arch/x86/include/asm/irqflags.h linux-2.6.35.5/arch/x86/include/asm/irqflags.h
7382 --- linux-2.6.35.5/arch/x86/include/asm/irqflags.h 2010-08-26 19:47:12.000000000 -0400
7383 +++ linux-2.6.35.5/arch/x86/include/asm/irqflags.h 2010-09-17 20:12:09.000000000 -0400
7384 @@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
7388 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
7389 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7390 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
7391 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7394 #define INTERRUPT_RETURN iret
7395 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
7396 diff -urNp linux-2.6.35.5/arch/x86/include/asm/kvm_host.h linux-2.6.35.5/arch/x86/include/asm/kvm_host.h
7397 --- linux-2.6.35.5/arch/x86/include/asm/kvm_host.h 2010-08-26 19:47:12.000000000 -0400
7398 +++ linux-2.6.35.5/arch/x86/include/asm/kvm_host.h 2010-09-17 20:12:09.000000000 -0400
7399 @@ -536,7 +536,7 @@ struct kvm_x86_ops {
7400 const struct trace_print_flags *exit_reasons_str;
7403 -extern struct kvm_x86_ops *kvm_x86_ops;
7404 +extern const struct kvm_x86_ops *kvm_x86_ops;
7406 int kvm_mmu_module_init(void);
7407 void kvm_mmu_module_exit(void);
7408 diff -urNp linux-2.6.35.5/arch/x86/include/asm/local.h linux-2.6.35.5/arch/x86/include/asm/local.h
7409 --- linux-2.6.35.5/arch/x86/include/asm/local.h 2010-08-26 19:47:12.000000000 -0400
7410 +++ linux-2.6.35.5/arch/x86/include/asm/local.h 2010-09-17 20:12:09.000000000 -0400
7411 @@ -18,26 +18,90 @@ typedef struct {
7413 static inline void local_inc(local_t *l)
7415 - asm volatile(_ASM_INC "%0"
7416 + asm volatile(_ASM_INC "%0\n"
7418 +#ifdef CONFIG_PAX_REFCOUNT
7419 +#ifdef CONFIG_X86_32
7425 + ".pushsection .fixup,\"ax\"\n"
7430 + _ASM_EXTABLE(0b, 1b)
7433 : "+m" (l->a.counter));
7436 static inline void local_dec(local_t *l)
7438 - asm volatile(_ASM_DEC "%0"
7439 + asm volatile(_ASM_DEC "%0\n"
7441 +#ifdef CONFIG_PAX_REFCOUNT
7442 +#ifdef CONFIG_X86_32
7448 + ".pushsection .fixup,\"ax\"\n"
7453 + _ASM_EXTABLE(0b, 1b)
7456 : "+m" (l->a.counter));
7459 static inline void local_add(long i, local_t *l)
7461 - asm volatile(_ASM_ADD "%1,%0"
7462 + asm volatile(_ASM_ADD "%1,%0\n"
7464 +#ifdef CONFIG_PAX_REFCOUNT
7465 +#ifdef CONFIG_X86_32
7471 + ".pushsection .fixup,\"ax\"\n"
7473 + _ASM_SUB "%1,%0\n"
7476 + _ASM_EXTABLE(0b, 1b)
7479 : "+m" (l->a.counter)
7483 static inline void local_sub(long i, local_t *l)
7485 - asm volatile(_ASM_SUB "%1,%0"
7486 + asm volatile(_ASM_SUB "%1,%0\n"
7488 +#ifdef CONFIG_PAX_REFCOUNT
7489 +#ifdef CONFIG_X86_32
7495 + ".pushsection .fixup,\"ax\"\n"
7497 + _ASM_ADD "%1,%0\n"
7500 + _ASM_EXTABLE(0b, 1b)
7503 : "+m" (l->a.counter)
7506 @@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
7510 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7511 + asm volatile(_ASM_SUB "%2,%0\n"
7513 +#ifdef CONFIG_PAX_REFCOUNT
7514 +#ifdef CONFIG_X86_32
7520 + ".pushsection .fixup,\"ax\"\n"
7522 + _ASM_ADD "%2,%0\n"
7525 + _ASM_EXTABLE(0b, 1b)
7529 : "+m" (l->a.counter), "=qm" (c)
7530 : "ir" (i) : "memory");
7532 @@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
7536 - asm volatile(_ASM_DEC "%0; sete %1"
7537 + asm volatile(_ASM_DEC "%0\n"
7539 +#ifdef CONFIG_PAX_REFCOUNT
7540 +#ifdef CONFIG_X86_32
7546 + ".pushsection .fixup,\"ax\"\n"
7551 + _ASM_EXTABLE(0b, 1b)
7555 : "+m" (l->a.counter), "=qm" (c)
7558 @@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
7562 - asm volatile(_ASM_INC "%0; sete %1"
7563 + asm volatile(_ASM_INC "%0\n"
7565 +#ifdef CONFIG_PAX_REFCOUNT
7566 +#ifdef CONFIG_X86_32
7572 + ".pushsection .fixup,\"ax\"\n"
7577 + _ASM_EXTABLE(0b, 1b)
7581 : "+m" (l->a.counter), "=qm" (c)
7584 @@ -110,7 +225,24 @@ static inline int local_add_negative(lon
7588 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7589 + asm volatile(_ASM_ADD "%2,%0\n"
7591 +#ifdef CONFIG_PAX_REFCOUNT
7592 +#ifdef CONFIG_X86_32
7598 + ".pushsection .fixup,\"ax\"\n"
7600 + _ASM_SUB "%2,%0\n"
7603 + _ASM_EXTABLE(0b, 1b)
7607 : "+m" (l->a.counter), "=qm" (c)
7608 : "ir" (i) : "memory");
7610 @@ -133,7 +265,23 @@ static inline long local_add_return(long
7612 /* Modern 486+ processor */
7614 - asm volatile(_ASM_XADD "%0, %1;"
7615 + asm volatile(_ASM_XADD "%0, %1\n"
7617 +#ifdef CONFIG_PAX_REFCOUNT
7618 +#ifdef CONFIG_X86_32
7624 + ".pushsection .fixup,\"ax\"\n"
7626 + _ASM_MOV "%0,%1\n"
7629 + _ASM_EXTABLE(0b, 1b)
7632 : "+r" (i), "+m" (l->a.counter)
7635 diff -urNp linux-2.6.35.5/arch/x86/include/asm/mc146818rtc.h linux-2.6.35.5/arch/x86/include/asm/mc146818rtc.h
7636 --- linux-2.6.35.5/arch/x86/include/asm/mc146818rtc.h 2010-08-26 19:47:12.000000000 -0400
7637 +++ linux-2.6.35.5/arch/x86/include/asm/mc146818rtc.h 2010-09-17 20:12:09.000000000 -0400
7638 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
7640 #define lock_cmos_prefix(reg) do {} while (0)
7641 #define lock_cmos_suffix(reg) do {} while (0)
7642 -#define lock_cmos(reg)
7643 -#define unlock_cmos()
7644 +#define lock_cmos(reg) do {} while (0)
7645 +#define unlock_cmos() do {} while (0)
7646 #define do_i_have_lock_cmos() 0
7647 #define current_lock_cmos_reg() 0
7649 diff -urNp linux-2.6.35.5/arch/x86/include/asm/microcode.h linux-2.6.35.5/arch/x86/include/asm/microcode.h
7650 --- linux-2.6.35.5/arch/x86/include/asm/microcode.h 2010-08-26 19:47:12.000000000 -0400
7651 +++ linux-2.6.35.5/arch/x86/include/asm/microcode.h 2010-09-17 20:12:09.000000000 -0400
7652 @@ -12,13 +12,13 @@ struct device;
7653 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7655 struct microcode_ops {
7656 - enum ucode_state (*request_microcode_user) (int cpu,
7657 + enum ucode_state (* const request_microcode_user) (int cpu,
7658 const void __user *buf, size_t size);
7660 - enum ucode_state (*request_microcode_fw) (int cpu,
7661 + enum ucode_state (* const request_microcode_fw) (int cpu,
7662 struct device *device);
7664 - void (*microcode_fini_cpu) (int cpu);
7665 + void (* const microcode_fini_cpu) (int cpu);
7668 * The generic 'microcode_core' part guarantees that
7669 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
7670 extern struct ucode_cpu_info ucode_cpu_info[];
7672 #ifdef CONFIG_MICROCODE_INTEL
7673 -extern struct microcode_ops * __init init_intel_microcode(void);
7674 +extern const struct microcode_ops * __init init_intel_microcode(void);
7676 -static inline struct microcode_ops * __init init_intel_microcode(void)
7677 +static inline const struct microcode_ops * __init init_intel_microcode(void)
7681 #endif /* CONFIG_MICROCODE_INTEL */
7683 #ifdef CONFIG_MICROCODE_AMD
7684 -extern struct microcode_ops * __init init_amd_microcode(void);
7685 +extern const struct microcode_ops * __init init_amd_microcode(void);
7687 -static inline struct microcode_ops * __init init_amd_microcode(void)
7688 +static inline const struct microcode_ops * __init init_amd_microcode(void)
7692 diff -urNp linux-2.6.35.5/arch/x86/include/asm/mman.h linux-2.6.35.5/arch/x86/include/asm/mman.h
7693 --- linux-2.6.35.5/arch/x86/include/asm/mman.h 2010-08-26 19:47:12.000000000 -0400
7694 +++ linux-2.6.35.5/arch/x86/include/asm/mman.h 2010-09-17 20:12:09.000000000 -0400
7697 #include <asm-generic/mman.h>
7700 +#ifndef __ASSEMBLY__
7701 +#ifdef CONFIG_X86_32
7702 +#define arch_mmap_check i386_mmap_check
7703 +int i386_mmap_check(unsigned long addr, unsigned long len,
7704 + unsigned long flags);
7709 #endif /* _ASM_X86_MMAN_H */
7710 diff -urNp linux-2.6.35.5/arch/x86/include/asm/mmu_context.h linux-2.6.35.5/arch/x86/include/asm/mmu_context.h
7711 --- linux-2.6.35.5/arch/x86/include/asm/mmu_context.h 2010-08-26 19:47:12.000000000 -0400
7712 +++ linux-2.6.35.5/arch/x86/include/asm/mmu_context.h 2010-09-17 20:12:09.000000000 -0400
7713 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
7715 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
7718 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7722 + pax_open_kernel();
7723 + pgd = get_cpu_pgd(smp_processor_id());
7724 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
7725 + if (paravirt_enabled())
7726 + set_pgd(pgd+i, native_make_pgd(0));
7728 + pgd[i] = native_make_pgd(0);
7729 + pax_close_kernel();
7733 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
7734 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
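Review bot: The block added to `enter_lazy_tlb` has no comment explaining why entries `USER_PGD_PTRS` through `2 * USER_PGD_PTRS - 1` of the per-CPU PGD are zeroed, and the unbraced `for` with an `if`/`else` body is easy to misread. From the names this looks like dropping the shadow user mappings when entering lazy TLB mode, but neither `get_cpu_pgd()` nor the PGD layout is defined in this hunk. I would brace the loop and add a comment along the lines of `/* clear the shadow user half of this CPU's PGD — confirm layout */`.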
7735 @@ -34,27 +49,70 @@ static inline void switch_mm(struct mm_s
7736 struct task_struct *tsk)
7738 unsigned cpu = smp_processor_id();
7739 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
7740 + int tlbstate = TLBSTATE_OK;
7743 if (likely(prev != next)) {
7744 /* stop flush ipis for the previous mm */
7745 cpumask_clear_cpu(cpu, mm_cpumask(prev));
7747 +#ifdef CONFIG_X86_32
7748 + tlbstate = percpu_read(cpu_tlbstate.state);
7750 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7751 percpu_write(cpu_tlbstate.active_mm, next);
7753 cpumask_set_cpu(cpu, mm_cpumask(next));
7755 /* Re-load page tables */
7756 +#ifdef CONFIG_PAX_PER_CPU_PGD
7757 + pax_open_kernel();
7758 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7759 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7760 + pax_close_kernel();
7761 + load_cr3(get_cpu_pgd(cpu));
7763 load_cr3(next->pgd);
7767 * load the LDT, if the LDT is different:
7769 if (unlikely(prev->context.ldt != next->context.ldt))
7770 load_LDT_nolock(&next->context);
7773 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7774 + if (!(__supported_pte_mask & _PAGE_NX)) {
7775 + smp_mb__before_clear_bit();
7776 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
7777 + smp_mb__after_clear_bit();
7778 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7782 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7783 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
7784 + prev->context.user_cs_limit != next->context.user_cs_limit))
7785 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7787 + else if (unlikely(tlbstate != TLBSTATE_OK))
7788 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7795 +#ifdef CONFIG_PAX_PER_CPU_PGD
7796 + pax_open_kernel();
7797 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7798 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7799 + pax_close_kernel();
7800 + load_cr3(get_cpu_pgd(cpu));
7804 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7805 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
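Review bot: The `CONFIG_PAX_PER_CPU_PGD` sequence (`pax_open_kernel()`, `__clone_user_pgds()`, `__shadow_user_pgds()`, `pax_close_kernel()`, `load_cr3(get_cpu_pgd(cpu))`) is pasted twice in `switch_mm`, once in the `prev != next` path and once further down in this hunk. Two copies of page-table switching code tend to drift apart when one is fixed and the other is not. I would move the five calls into one `static inline` helper taking `cpu` and `next` and call it from both places. `switch_mm` continues past this hunk, so any further copy there should use the same helper.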
7807 @@ -63,11 +121,28 @@ static inline void switch_mm(struct mm_s
7808 * tlb flush IPI delivery. We must reload CR3
7809 * to make sure to use no freed page tables.
7812 +#ifndef CONFIG_PAX_PER_CPU_PGD
7813 load_cr3(next->pgd);
7816 load_LDT_nolock(&next->context);
7818 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
7819 + if (!(__supported_pte_mask & _PAGE_NX))
7820 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7823 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7824 +#ifdef CONFIG_PAX_PAGEEXEC
7825 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
7827 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7836 #define activate_mm(prev, next) \
7837 diff -urNp linux-2.6.35.5/arch/x86/include/asm/mmu.h linux-2.6.35.5/arch/x86/include/asm/mmu.h
7838 --- linux-2.6.35.5/arch/x86/include/asm/mmu.h 2010-08-26 19:47:12.000000000 -0400
7839 +++ linux-2.6.35.5/arch/x86/include/asm/mmu.h 2010-09-17 20:12:09.000000000 -0400
7841 * we put the segment information here.
7845 + struct desc_struct *ldt;
7849 + unsigned long vdso;
7851 +#ifdef CONFIG_X86_32
7852 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7853 + unsigned long user_cs_base;
7854 + unsigned long user_cs_limit;
7856 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7857 + cpumask_t cpu_user_cs_mask;
7866 diff -urNp linux-2.6.35.5/arch/x86/include/asm/module.h linux-2.6.35.5/arch/x86/include/asm/module.h
7867 --- linux-2.6.35.5/arch/x86/include/asm/module.h 2010-08-26 19:47:12.000000000 -0400
7868 +++ linux-2.6.35.5/arch/x86/include/asm/module.h 2010-09-17 20:12:37.000000000 -0400
7870 #error unknown processor family
7873 +#ifdef CONFIG_PAX_MEMORY_UDEREF
7874 +#define MODULE_PAX_UDEREF "UDEREF "
7876 +#define MODULE_PAX_UDEREF ""
7879 #ifdef CONFIG_X86_32
7880 # ifdef CONFIG_4KSTACKS
7881 # define MODULE_STACKSIZE "4KSTACKS "
7883 # define MODULE_STACKSIZE ""
7885 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
7886 +# ifdef CONFIG_PAX_KERNEXEC
7887 +# define MODULE_PAX_KERNEXEC "KERNEXEC "
7889 +# define MODULE_PAX_KERNEXEC ""
7891 +# ifdef CONFIG_GRKERNSEC
7892 +# define MODULE_GRSEC "GRSECURITY "
7894 +# define MODULE_GRSEC ""
7896 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
7898 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
7901 #endif /* _ASM_X86_MODULE_H */
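Review bot: `MODULE_GRSEC` and `MODULE_PAX_KERNEXEC` are defined and added to `MODULE_ARCH_VERMAGIC` only inside the `CONFIG_X86_32` block, while the other definition is just `MODULE_PAX_UDEREF`. If that second definition is the 64-bit branch, as the layout suggests (the `#else` line is not visible here), a 64-bit module built without those options would still match the vermagic of a kernel built with them. If the options affect module compatibility on 64-bit too, define the two tags outside the `CONFIG_X86_32` conditional and use `# define MODULE_ARCH_VERMAGIC MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF` there.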
7902 diff -urNp linux-2.6.35.5/arch/x86/include/asm/page_32_types.h linux-2.6.35.5/arch/x86/include/asm/page_32_types.h
7903 --- linux-2.6.35.5/arch/x86/include/asm/page_32_types.h 2010-08-26 19:47:12.000000000 -0400
7904 +++ linux-2.6.35.5/arch/x86/include/asm/page_32_types.h 2010-09-17 20:12:09.000000000 -0400
7907 #define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
7909 +#ifdef CONFIG_PAX_PAGEEXEC
7910 +#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
7913 #ifdef CONFIG_4KSTACKS
7914 #define THREAD_ORDER 0
7916 diff -urNp linux-2.6.35.5/arch/x86/include/asm/paravirt.h linux-2.6.35.5/arch/x86/include/asm/paravirt.h
7917 --- linux-2.6.35.5/arch/x86/include/asm/paravirt.h 2010-08-26 19:47:12.000000000 -0400
7918 +++ linux-2.6.35.5/arch/x86/include/asm/paravirt.h 2010-09-17 20:12:09.000000000 -0400
7919 @@ -720,6 +720,21 @@ static inline void __set_fixmap(unsigned
7920 pv_mmu_ops.set_fixmap(idx, phys, flags);
7923 +#ifdef CONFIG_PAX_KERNEXEC
7924 +static inline unsigned long pax_open_kernel(void)
7926 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
7929 +static inline unsigned long pax_close_kernel(void)
7931 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
7934 +static inline unsigned long pax_open_kernel(void) { return 0; }
7935 +static inline unsigned long pax_close_kernel(void) { return 0; }
7938 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
7940 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
7941 @@ -936,7 +951,7 @@ extern void default_banner(void);
7943 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
7944 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
7945 -#define PARA_INDIRECT(addr) *%cs:addr
7946 +#define PARA_INDIRECT(addr) *%ss:addr
7949 #define INTERRUPT_RETURN \
7950 @@ -1013,6 +1028,21 @@ extern void default_banner(void);
7951 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
7953 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
7955 +#define GET_CR0_INTO_RDI \
7956 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7959 +#define SET_RDI_INTO_CR0 \
7960 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
7962 +#define GET_CR3_INTO_RDI \
7963 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
7966 +#define SET_RDI_INTO_CR3 \
7967 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
7969 #endif /* CONFIG_X86_32 */
7971 #endif /* __ASSEMBLY__ */
7972 diff -urNp linux-2.6.35.5/arch/x86/include/asm/paravirt_types.h linux-2.6.35.5/arch/x86/include/asm/paravirt_types.h
7973 --- linux-2.6.35.5/arch/x86/include/asm/paravirt_types.h 2010-08-26 19:47:12.000000000 -0400
7974 +++ linux-2.6.35.5/arch/x86/include/asm/paravirt_types.h 2010-09-17 20:12:09.000000000 -0400
7975 @@ -312,6 +312,12 @@ struct pv_mmu_ops {
7976 an mfn. We can tell which is which from the index. */
7977 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
7978 phys_addr_t phys, pgprot_t flags);
7980 +#ifdef CONFIG_PAX_KERNEXEC
7981 + unsigned long (*pax_open_kernel)(void);
7982 + unsigned long (*pax_close_kernel)(void);
7987 struct arch_spinlock;
7988 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pci_x86.h linux-2.6.35.5/arch/x86/include/asm/pci_x86.h
7989 --- linux-2.6.35.5/arch/x86/include/asm/pci_x86.h 2010-08-26 19:47:12.000000000 -0400
7990 +++ linux-2.6.35.5/arch/x86/include/asm/pci_x86.h 2010-09-17 20:12:09.000000000 -0400
7991 @@ -91,16 +91,16 @@ extern int (*pcibios_enable_irq)(struct
7992 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
7994 struct pci_raw_ops {
7995 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
7996 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
7997 int reg, int len, u32 *val);
7998 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
7999 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8000 int reg, int len, u32 val);
8003 -extern struct pci_raw_ops *raw_pci_ops;
8004 -extern struct pci_raw_ops *raw_pci_ext_ops;
8005 +extern const struct pci_raw_ops *raw_pci_ops;
8006 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8008 -extern struct pci_raw_ops pci_direct_conf1;
8009 +extern const struct pci_raw_ops pci_direct_conf1;
8010 extern bool port_cf9_safe;
8012 /* arch_initcall level */
8013 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgalloc.h linux-2.6.35.5/arch/x86/include/asm/pgalloc.h
8014 --- linux-2.6.35.5/arch/x86/include/asm/pgalloc.h 2010-08-26 19:47:12.000000000 -0400
8015 +++ linux-2.6.35.5/arch/x86/include/asm/pgalloc.h 2010-09-17 20:12:09.000000000 -0400
8016 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8017 pmd_t *pmd, pte_t *pte)
8019 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8020 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8023 +static inline void pmd_populate_user(struct mm_struct *mm,
8024 + pmd_t *pmd, pte_t *pte)
8026 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8027 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
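Review bot: Nothing at `pmd_populate_kernel()` or the new `pmd_populate_user()` says why the two now differ only in `_KERNPG_TABLE` versus `_PAGE_TABLE`; a reader has to know already that the former leaves `_PAGE_USER` clear. A one-line comment above each would make the intent reviewable, e.g. `/* kernel page tables: no _PAGE_USER at the pmd level */` and `/* user page tables: _PAGE_TABLE keeps _PAGE_USER set */`. The two bodies are otherwise identical. Some lines of the hunk (braces, blank lines) are missing from this listing, so placement has to be checked against the full patch.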
8030 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable-2level.h linux-2.6.35.5/arch/x86/include/asm/pgtable-2level.h
8031 --- linux-2.6.35.5/arch/x86/include/asm/pgtable-2level.h 2010-08-26 19:47:12.000000000 -0400
8032 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable-2level.h 2010-09-17 20:12:09.000000000 -0400
8033 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8035 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8037 + pax_open_kernel();
8039 + pax_close_kernel();
8042 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8043 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable_32.h linux-2.6.35.5/arch/x86/include/asm/pgtable_32.h
8044 --- linux-2.6.35.5/arch/x86/include/asm/pgtable_32.h 2010-08-26 19:47:12.000000000 -0400
8045 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable_32.h 2010-09-17 20:12:09.000000000 -0400
8048 struct vm_area_struct;
8050 -extern pgd_t swapper_pg_dir[1024];
8052 static inline void pgtable_cache_init(void) { }
8053 static inline void check_pgt_cache(void) { }
8054 void paging_init(void);
8055 @@ -47,6 +45,11 @@ extern void set_pmd_pfn(unsigned long, u
8056 # include <asm/pgtable-2level.h>
8059 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8060 +#ifdef CONFIG_X86_PAE
8061 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8064 #if defined(CONFIG_HIGHPTE)
8066 (in_nmi() ? KM_NMI_PTE : \
8067 @@ -71,7 +74,9 @@ extern void set_pmd_pfn(unsigned long, u
8068 /* Clear a kernel PTE and flush it from the TLB */
8069 #define kpte_clear_flush(ptep, vaddr) \
8071 + pax_open_kernel(); \
8072 pte_clear(&init_mm, (vaddr), (ptep)); \
8073 + pax_close_kernel(); \
8074 __flush_tlb_one((vaddr)); \
8077 @@ -83,6 +88,9 @@ do { \
8079 #endif /* !__ASSEMBLY__ */
8081 +#define HAVE_ARCH_UNMAPPED_AREA
8082 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8085 * kern_addr_valid() is (1) for FLATMEM and (0) for
8086 * SPARSEMEM and DISCONTIGMEM
8087 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable_32_types.h linux-2.6.35.5/arch/x86/include/asm/pgtable_32_types.h
8088 --- linux-2.6.35.5/arch/x86/include/asm/pgtable_32_types.h 2010-08-26 19:47:12.000000000 -0400
8089 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable_32_types.h 2010-09-17 20:12:09.000000000 -0400
8092 #ifdef CONFIG_X86_PAE
8093 # include <asm/pgtable-3level_types.h>
8094 -# define PMD_SIZE (1UL << PMD_SHIFT)
8095 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8096 # define PMD_MASK (~(PMD_SIZE - 1))
8098 # include <asm/pgtable-2level_types.h>
8099 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8100 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8103 +#ifdef CONFIG_PAX_KERNEXEC
8104 +#ifndef __ASSEMBLY__
8105 +extern unsigned char MODULES_EXEC_VADDR[];
8106 +extern unsigned char MODULES_EXEC_END[];
8108 +#include <asm/boot.h>
8109 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8110 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8112 +#define ktla_ktva(addr) (addr)
8113 +#define ktva_ktla(addr) (addr)
8116 #define MODULES_VADDR VMALLOC_START
8117 #define MODULES_END VMALLOC_END
8118 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
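Review bot: The argument of the new 32-bit `ktla_ktva()` and `ktva_ktla()` macros is expanded without parentheses, as in `(addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)`. An argument containing a lower-precedence operator, such as a shift or a conditional expression, would therefore combine with the offsets in an unintended way. Writing `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)` avoids that; the identity variants are unaffected. A short comment naming the two address spaces being converted would also help, since the macro names are not self-explanatory.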
8119 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable-3level.h linux-2.6.35.5/arch/x86/include/asm/pgtable-3level.h
8120 --- linux-2.6.35.5/arch/x86/include/asm/pgtable-3level.h 2010-08-26 19:47:12.000000000 -0400
8121 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable-3level.h 2010-09-17 20:12:09.000000000 -0400
8122 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8124 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8126 + pax_open_kernel();
8127 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8128 + pax_close_kernel();
8131 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8133 + pax_open_kernel();
8134 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8135 + pax_close_kernel();
8139 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable_64.h linux-2.6.35.5/arch/x86/include/asm/pgtable_64.h
8140 --- linux-2.6.35.5/arch/x86/include/asm/pgtable_64.h 2010-08-26 19:47:12.000000000 -0400
8141 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable_64.h 2010-09-17 20:12:09.000000000 -0400
8144 extern pud_t level3_kernel_pgt[512];
8145 extern pud_t level3_ident_pgt[512];
8146 +extern pud_t level3_vmalloc_pgt[512];
8147 +extern pud_t level3_vmemmap_pgt[512];
8148 +extern pud_t level2_vmemmap_pgt[512];
8149 extern pmd_t level2_kernel_pgt[512];
8150 extern pmd_t level2_fixmap_pgt[512];
8151 -extern pmd_t level2_ident_pgt[512];
8152 -extern pgd_t init_level4_pgt[];
8153 +extern pmd_t level2_ident_pgt[512*2];
8154 +extern pgd_t init_level4_pgt[512];
8156 #define swapper_pg_dir init_level4_pgt
8158 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
8160 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8162 + pax_open_kernel();
8164 + pax_close_kernel();
8167 static inline void native_pmd_clear(pmd_t *pmd)
8168 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
8170 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8172 + pax_open_kernel();
8174 + pax_close_kernel();
8177 static inline void native_pgd_clear(pgd_t *pgd)
8178 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable_64_types.h linux-2.6.35.5/arch/x86/include/asm/pgtable_64_types.h
8179 --- linux-2.6.35.5/arch/x86/include/asm/pgtable_64_types.h 2010-08-26 19:47:12.000000000 -0400
8180 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable_64_types.h 2010-09-17 20:12:09.000000000 -0400
8181 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8182 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8183 #define MODULES_END _AC(0xffffffffff000000, UL)
8184 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8185 +#define MODULES_EXEC_VADDR MODULES_VADDR
8186 +#define MODULES_EXEC_END MODULES_END
8188 +#define ktla_ktva(addr) (addr)
8189 +#define ktva_ktla(addr) (addr)
8191 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8192 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable.h linux-2.6.35.5/arch/x86/include/asm/pgtable.h
8193 --- linux-2.6.35.5/arch/x86/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
8194 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
8195 @@ -76,12 +76,51 @@ extern struct list_head pgd_list;
8197 #define arch_end_context_switch(prev) do {} while(0)
8199 +#define pax_open_kernel() native_pax_open_kernel()
8200 +#define pax_close_kernel() native_pax_close_kernel()
8201 #endif /* CONFIG_PARAVIRT */
8203 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8204 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8206 +#ifdef CONFIG_PAX_KERNEXEC
8207 +static inline unsigned long native_pax_open_kernel(void)
8209 + unsigned long cr0;
8211 + preempt_disable();
8213 + cr0 = read_cr0() ^ X86_CR0_WP;
8214 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8216 + return cr0 ^ X86_CR0_WP;
8219 +static inline unsigned long native_pax_close_kernel(void)
8221 + unsigned long cr0;
8223 + cr0 = read_cr0() ^ X86_CR0_WP;
8224 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8227 + preempt_enable_no_resched();
8228 + return cr0 ^ X86_CR0_WP;
8231 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8232 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8236 * The following only work if pte_present() is true.
8237 * Undefined behaviour if not..
8239 +static inline int pte_user(pte_t pte)
8241 + return pte_val(pte) & _PAGE_USER;
8244 static inline int pte_dirty(pte_t pte)
8246 return pte_flags(pte) & _PAGE_DIRTY;
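Review bot: `native_pax_open_kernel()` and `native_pax_close_kernel()` have no comment describing their contract, although the visible lines imply a strict one. The `BUG_ON` in each makes a nested open or an unpaired close fatal, and only preemption is disabled, so in the lines shown an interrupt taken between the two calls would run while `X86_CR0_WP` is toggled off. A header comment should spell this out, e.g. `/* Toggles CR0.WP on this CPU; must be paired with pax_close_kernel(), must not nest, keep the bracketed region minimal. */`, and should also say what the `unsigned long` return value means, since the callers visible in this patch ignore it. Several lines of both functions, including the CR0 write itself, are missing from this listing, so the interrupt observation needs confirming against the full patch. `pte_dirty()` at the end of the hunk continues outside it.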
8247 @@ -169,9 +208,29 @@ static inline pte_t pte_wrprotect(pte_t
8248 return pte_clear_flags(pte, _PAGE_RW);
8251 +static inline pte_t pte_mkread(pte_t pte)
8253 + return __pte(pte_val(pte) | _PAGE_USER);
8256 static inline pte_t pte_mkexec(pte_t pte)
8258 - return pte_clear_flags(pte, _PAGE_NX);
8259 +#ifdef CONFIG_X86_PAE
8260 + if (__supported_pte_mask & _PAGE_NX)
8261 + return pte_clear_flags(pte, _PAGE_NX);
8264 + return pte_set_flags(pte, _PAGE_USER);
8267 +static inline pte_t pte_exprotect(pte_t pte)
8269 +#ifdef CONFIG_X86_PAE
8270 + if (__supported_pte_mask & _PAGE_NX)
8271 + return pte_set_flags(pte, _PAGE_NX);
8274 + return pte_clear_flags(pte, _PAGE_USER);
8277 static inline pte_t pte_mkdirty(pte_t pte)
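Review bot: `pte_mkread()` sets the flag by hand with `__pte(pte_val(pte) | _PAGE_USER)`, while `pte_mkexec()` just below sets the same flag with `pte_set_flags(pte, _PAGE_USER)`. Using the helper in both (`return pte_set_flags(pte, _PAGE_USER);`) keeps the accessors uniform; under `CONFIG_PARAVIRT` the two forms may not be strictly equivalent, so the choice should be deliberate. Separately, `pte_mkexec()` and `pte_exprotect()` fall back to setting or clearing `_PAGE_USER` when `_PAGE_NX` is not in `__supported_pte_mask`, which looks like the user bit standing in for executability. That deserves a comment such as `/* no hardware NX: _PAGE_USER doubles as the exec permission */`, to be confirmed against the rest of the patch. `pte_mkdirty()` at the end of the hunk continues outside it.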
8278 @@ -304,6 +363,15 @@ pte_t *populate_extra_pte(unsigned long
8281 #ifndef __ASSEMBLY__
8283 +#ifdef CONFIG_PAX_PER_CPU_PGD
8284 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8285 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8287 + return cpu_pgd[cpu];
8291 #include <linux/mm_types.h>
8293 static inline int pte_none(pte_t pte)
8294 @@ -474,7 +542,7 @@ static inline pud_t *pud_offset(pgd_t *p
8296 static inline int pgd_bad(pgd_t pgd)
8298 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8299 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8302 static inline int pgd_none(pgd_t pgd)
8303 @@ -497,7 +565,12 @@ static inline int pgd_none(pgd_t pgd)
8304 * pgd_offset() returns a (pgd_t *)
8305 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8307 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8308 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8310 +#ifdef CONFIG_PAX_PER_CPU_PGD
8311 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8315 * a shortcut which implies the use of the kernel's pgd, instead
8317 @@ -508,6 +581,20 @@ static inline int pgd_none(pgd_t pgd)
8318 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8319 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8321 +#ifdef CONFIG_X86_32
8322 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8324 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8325 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8327 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8328 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8330 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8335 #ifndef __ASSEMBLY__
8337 extern int direct_gbpages;
8338 @@ -613,11 +700,23 @@ static inline void ptep_set_wrprotect(st
8339 * dst and src can be on the same page, but the range must not overlap,
8340 * and must not cross a page boundary.
8342 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8343 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8345 - memcpy(dst, src, count * sizeof(pgd_t));
8346 + pax_open_kernel();
8349 + pax_close_kernel();
8352 +#ifdef CONFIG_PAX_PER_CPU_PGD
8353 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8356 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8357 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8359 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8362 #include <asm-generic/pgtable.h>
8363 #endif /* __ASSEMBLY__ */
8364 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable_types.h linux-2.6.35.5/arch/x86/include/asm/pgtable_types.h
8365 --- linux-2.6.35.5/arch/x86/include/asm/pgtable_types.h 2010-08-26 19:47:12.000000000 -0400
8366 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable_types.h 2010-09-17 20:12:09.000000000 -0400
8368 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8369 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8370 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8371 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8372 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8373 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8374 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8375 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8376 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8377 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8378 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8379 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8381 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8383 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8384 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8385 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8386 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8387 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8388 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8389 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8392 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8393 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8395 +#elif defined(CONFIG_KMEMCHECK)
8396 #define _PAGE_NX (_AT(pteval_t, 0))
8398 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8401 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
8403 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8406 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8407 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8409 #define __PAGE_KERNEL_EXEC \
8410 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8411 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8413 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8414 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8415 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8416 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8417 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8418 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8419 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8420 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8421 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8422 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8424 * bits are combined, this will alow user to access the high address mapped
8425 * VDSO in the presence of CONFIG_COMPAT_VDSO
8427 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8428 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8429 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8430 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8431 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
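Review bot: The context comment directly above `PTE_IDENT_ATTR` and `PDE_IDENT_ATTR` still explains the attributes in terms of letting user space reach the high-mapped VDSO under `CONFIG_COMPAT_VDSO`. The new `PDE_IDENT_ATTR` value `0x063` no longer contains the USER bit that the old `0x067` had, so that rationale is now stale. The comment should be updated in the same change to say that USER is deliberately dropped from the early identity mappings and what that means for `CONFIG_COMPAT_VDSO`. Only the tail of the comment is visible here, so its opening lines need checking as well. The new per-line comments (`PRESENT+RW+DIRTY+ACCESSED`) do match the values.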
8434 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8436 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8440 +#if PAGETABLE_LEVELS == 3
8441 +#include <asm-generic/pgtable-nopud.h>
8444 +#if PAGETABLE_LEVELS == 2
8445 +#include <asm-generic/pgtable-nopmd.h>
8448 +#ifndef __ASSEMBLY__
8449 #if PAGETABLE_LEVELS > 3
8450 typedef struct { pudval_t pud; } pud_t;
8452 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
8456 -#include <asm-generic/pgtable-nopud.h>
8458 static inline pudval_t native_pud_val(pud_t pud)
8460 return native_pgd_val(pud.pgd);
8461 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
8465 -#include <asm-generic/pgtable-nopmd.h>
8467 static inline pmdval_t native_pmd_val(pmd_t pmd)
8469 return native_pgd_val(pmd.pud.pgd);
8470 @@ -278,7 +287,6 @@ typedef struct page *pgtable_t;
8472 extern pteval_t __supported_pte_mask;
8473 extern void set_nx(void);
8474 -extern int nx_enabled;
8476 #define pgprot_writecombine pgprot_writecombine
8477 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8478 diff -urNp linux-2.6.35.5/arch/x86/include/asm/processor.h linux-2.6.35.5/arch/x86/include/asm/processor.h
8479 --- linux-2.6.35.5/arch/x86/include/asm/processor.h 2010-08-26 19:47:12.000000000 -0400
8480 +++ linux-2.6.35.5/arch/x86/include/asm/processor.h 2010-09-17 20:12:09.000000000 -0400
8481 @@ -269,7 +269,7 @@ struct tss_struct {
8483 } ____cacheline_aligned;
8485 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8486 +extern struct tss_struct init_tss[NR_CPUS];
8489 * Save the original ist values for checking stack pointers during debugging
8490 @@ -884,8 +884,15 @@ static inline void spin_lock_prefetch(co
8492 #define TASK_SIZE PAGE_OFFSET
8493 #define TASK_SIZE_MAX TASK_SIZE
8495 +#ifdef CONFIG_PAX_SEGMEXEC
8496 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8497 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8499 #define STACK_TOP TASK_SIZE
8500 -#define STACK_TOP_MAX STACK_TOP
8503 +#define STACK_TOP_MAX TASK_SIZE
8505 #define INIT_THREAD { \
8506 .sp0 = sizeof(init_stack) + (long)&init_stack, \
8507 @@ -902,7 +909,7 @@ static inline void spin_lock_prefetch(co
8509 #define INIT_TSS { \
8511 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
8512 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8513 .ss0 = __KERNEL_DS, \
8514 .ss1 = __KERNEL_CS, \
8515 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
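Review bot: The bare `- 8` added to `.sp0` in `INIT_TSS` has no explanation, and `INIT_THREAD`'s `.sp0`, which appears as unchanged context at the end of the previous hunk, is left without it. A later hunk in this file makes `task_pt_regs()` read `(task)->thread.sp0` directly instead of subtracting 8 from the stack top. The initial thread's `thread.sp0` and the TSS value would therefore differ by 8 unless that is adjusted somewhere outside the lines shown. Either apply the same bias in `INIT_THREAD`, or add a comment such as `/* -8: bytes reserved at the top of the ring0 stack, see task_pt_regs() */` and state why the two initialisers differ. `INIT_TSS` continues beyond the hunk.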
8516 @@ -913,11 +920,7 @@ static inline void spin_lock_prefetch(co
8517 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8519 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8520 -#define KSTK_TOP(info) \
8522 - unsigned long *__ptr = (unsigned long *)(info); \
8523 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8525 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
8528 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
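Review bot: The new `KSTK_TOP(info)` expands to `((info)->task.thread.sp0)`, which applies `.` to the `task` member. If `task` in `struct thread_info` is a pointer (the structure is not part of this listing), the macro cannot compile once expanded and would need `((info)->task->thread.sp0)`. That the tree builds suggests the macro has no remaining users after the `task_pt_regs()` change in the next hunk, in which case removing it is cleaner than keeping a definition nobody exercises.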
8529 @@ -932,7 +935,7 @@ extern unsigned long thread_saved_pc(str
8530 #define task_pt_regs(task) \
8532 struct pt_regs *__regs__; \
8533 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8534 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
8538 @@ -942,13 +945,13 @@ extern unsigned long thread_saved_pc(str
8540 * User space process size. 47bits minus one guard page.
8542 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8543 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8545 /* This decides where the kernel will search for a free chunk of vm
8546 * space during mmap's.
8548 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8549 - 0xc0000000 : 0xFFFFe000)
8550 + 0xc0000000 : 0xFFFFf000)
8552 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8553 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
8554 @@ -985,6 +988,10 @@ extern void start_thread(struct pt_regs
8556 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8558 +#ifdef CONFIG_PAX_SEGMEXEC
8559 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8562 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8564 /* Get/set a process' ability to use the timestamp counter instruction */
8565 diff -urNp linux-2.6.35.5/arch/x86/include/asm/ptrace.h linux-2.6.35.5/arch/x86/include/asm/ptrace.h
8566 --- linux-2.6.35.5/arch/x86/include/asm/ptrace.h 2010-08-26 19:47:12.000000000 -0400
8567 +++ linux-2.6.35.5/arch/x86/include/asm/ptrace.h 2010-09-17 20:12:09.000000000 -0400
8568 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8572 - * user_mode_vm(regs) determines whether a register set came from user mode.
8573 + * user_mode(regs) determines whether a register set came from user mode.
8574 * This is true if V8086 mode was enabled OR if the register set was from
8575 * protected mode with RPL-3 CS value. This tricky test checks that with
8576 * one comparison. Many places in the kernel can bypass this full check
8577 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8578 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8581 -static inline int user_mode(struct pt_regs *regs)
8582 +static inline int user_mode_novm(struct pt_regs *regs)
8584 #ifdef CONFIG_X86_32
8585 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8587 - return !!(regs->cs & 3);
8588 + return !!(regs->cs & SEGMENT_RPL_MASK);
8592 -static inline int user_mode_vm(struct pt_regs *regs)
8593 +static inline int user_mode(struct pt_regs *regs)
8595 #ifdef CONFIG_X86_32
8596 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8599 - return user_mode(regs);
8600 + return user_mode_novm(regs);
8604 diff -urNp linux-2.6.35.5/arch/x86/include/asm/reboot.h linux-2.6.35.5/arch/x86/include/asm/reboot.h
8605 --- linux-2.6.35.5/arch/x86/include/asm/reboot.h 2010-08-26 19:47:12.000000000 -0400
8606 +++ linux-2.6.35.5/arch/x86/include/asm/reboot.h 2010-09-17 20:12:09.000000000 -0400
8607 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8609 void native_machine_crash_shutdown(struct pt_regs *regs);
8610 void native_machine_shutdown(void);
8611 -void machine_real_restart(const unsigned char *code, int length);
8612 +void machine_real_restart(const unsigned char *code, unsigned int length);
8614 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8615 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
8616 diff -urNp linux-2.6.35.5/arch/x86/include/asm/rwsem.h linux-2.6.35.5/arch/x86/include/asm/rwsem.h
8617 --- linux-2.6.35.5/arch/x86/include/asm/rwsem.h 2010-08-26 19:47:12.000000000 -0400
8618 +++ linux-2.6.35.5/arch/x86/include/asm/rwsem.h 2010-09-17 20:12:09.000000000 -0400
8619 @@ -118,10 +118,26 @@ static inline void __down_read(struct rw
8621 asm volatile("# beginning down_read\n\t"
8622 LOCK_PREFIX _ASM_INC "(%1)\n\t"
8624 +#ifdef CONFIG_PAX_REFCOUNT
8625 +#ifdef CONFIG_X86_32
8631 + ".pushsection .fixup,\"ax\"\n"
8633 + LOCK_PREFIX _ASM_DEC "(%1)\n"
8636 + _ASM_EXTABLE(0b, 1b)
8639 /* adds 0x00000001, returns the old value */
8642 " call call_rwsem_down_read_failed\n"
8645 "# ending down_read\n\t"
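Review bot: The `CONFIG_PAX_REFCOUNT` block added to `__down_read()` is pasted again into every other rwsem helper in this file and into the four rwlock helpers in spinlock.h, apparently differing only in the undo instruction. It consists of a nested `#ifdef CONFIG_X86_32`, a `.pushsection .fixup` stub that reverts the operation, and `_ASM_EXTABLE(0b, 1b)`. A single macro taking the undo instruction as a string argument would keep the overflow handling in one place, so a later fix cannot be applied to some copies and missed in others. Each copy also lacks a comment saying which condition triggers the fixup and why the operation is reverted there. Many lines of these asm blocks are missing from this listing, so the macro's exact shape has to be worked out against the full patch.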
8648 @@ -136,13 +152,29 @@ static inline int __down_read_trylock(st
8649 rwsem_count_t result, tmp;
8650 asm volatile("# beginning __down_read_trylock\n\t"
8658 +#ifdef CONFIG_PAX_REFCOUNT
8659 +#ifdef CONFIG_X86_32
8665 + ".pushsection .fixup,\"ax\"\n"
8670 + _ASM_EXTABLE(0b, 1b)
8674 LOCK_PREFIX " cmpxchg %2,%0\n\t"
8679 "# ending __down_read_trylock\n\t"
8680 : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
8681 : "i" (RWSEM_ACTIVE_READ_BIAS)
8682 @@ -160,12 +192,28 @@ static inline void __down_write_nested(s
8683 tmp = RWSEM_ACTIVE_WRITE_BIAS;
8684 asm volatile("# beginning down_write\n\t"
8685 LOCK_PREFIX " xadd %1,(%2)\n\t"
8687 +#ifdef CONFIG_PAX_REFCOUNT
8688 +#ifdef CONFIG_X86_32
8694 + ".pushsection .fixup,\"ax\"\n"
8699 + _ASM_EXTABLE(0b, 1b)
8702 /* subtract 0x0000ffff, returns the old value */
8704 /* was the count 0 before? */
8707 " call call_rwsem_down_write_failed\n"
8710 "# ending down_write"
8711 : "+m" (sem->count), "=d" (tmp)
8712 : "a" (sem), "1" (tmp)
8713 @@ -198,10 +246,26 @@ static inline void __up_read(struct rw_s
8714 rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
8715 asm volatile("# beginning __up_read\n\t"
8716 LOCK_PREFIX " xadd %1,(%2)\n\t"
8718 +#ifdef CONFIG_PAX_REFCOUNT
8719 +#ifdef CONFIG_X86_32
8725 + ".pushsection .fixup,\"ax\"\n"
8730 + _ASM_EXTABLE(0b, 1b)
8733 /* subtracts 1, returns the old value */
8736 " call call_rwsem_wake\n"
8739 "# ending __up_read\n"
8740 : "+m" (sem->count), "=d" (tmp)
8741 : "a" (sem), "1" (tmp)
8742 @@ -216,11 +280,27 @@ static inline void __up_write(struct rw_
8744 asm volatile("# beginning __up_write\n\t"
8745 LOCK_PREFIX " xadd %1,(%2)\n\t"
8747 +#ifdef CONFIG_PAX_REFCOUNT
8748 +#ifdef CONFIG_X86_32
8754 + ".pushsection .fixup,\"ax\"\n"
8759 + _ASM_EXTABLE(0b, 1b)
8762 /* tries to transition
8763 0xffff0001 -> 0x00000000 */
8766 " call call_rwsem_wake\n"
8769 "# ending __up_write\n"
8770 : "+m" (sem->count), "=d" (tmp)
8771 : "a" (sem), "1" (-RWSEM_ACTIVE_WRITE_BIAS)
8772 @@ -234,13 +314,29 @@ static inline void __downgrade_write(str
8774 asm volatile("# beginning __downgrade_write\n\t"
8775 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
8777 +#ifdef CONFIG_PAX_REFCOUNT
8778 +#ifdef CONFIG_X86_32
8784 + ".pushsection .fixup,\"ax\"\n"
8786 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
8789 + _ASM_EXTABLE(0b, 1b)
8793 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
8794 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
8798 " call call_rwsem_downgrade_wake\n"
8801 "# ending __downgrade_write\n"
8803 : "a" (sem), "er" (-RWSEM_WAITING_BIAS)
8804 @@ -253,7 +349,23 @@ static inline void __downgrade_write(str
8805 static inline void rwsem_atomic_add(rwsem_count_t delta,
8806 struct rw_semaphore *sem)
8808 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
8809 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
8811 +#ifdef CONFIG_PAX_REFCOUNT
8812 +#ifdef CONFIG_X86_32
8818 + ".pushsection .fixup,\"ax\"\n"
8820 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
8823 + _ASM_EXTABLE(0b, 1b)
8829 @@ -266,7 +378,23 @@ static inline rwsem_count_t rwsem_atomic
8831 rwsem_count_t tmp = delta;
8833 - asm volatile(LOCK_PREFIX "xadd %0,%1"
8834 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8836 +#ifdef CONFIG_PAX_REFCOUNT
8837 +#ifdef CONFIG_X86_32
8843 + ".pushsection .fixup,\"ax\"\n"
8848 + _ASM_EXTABLE(0b, 1b)
8851 : "+r" (tmp), "+m" (sem->count)
8854 diff -urNp linux-2.6.35.5/arch/x86/include/asm/segment.h linux-2.6.35.5/arch/x86/include/asm/segment.h
8855 --- linux-2.6.35.5/arch/x86/include/asm/segment.h 2010-08-26 19:47:12.000000000 -0400
8856 +++ linux-2.6.35.5/arch/x86/include/asm/segment.h 2010-09-17 20:12:09.000000000 -0400
8858 * 26 - ESPFIX small SS
8859 * 27 - per-cpu [ offset to per-cpu data area ]
8860 * 28 - stack_canary-20 [ for stack protector ]
8863 + * 29 - PCI BIOS CS
8864 + * 30 - PCI BIOS DS
8865 * 31 - TSS for double fault handler
8867 #define GDT_ENTRY_TLS_MIN 6
8870 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
8872 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
8874 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
8876 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
8878 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
8879 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
8881 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8882 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8884 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
8886 @@ -102,6 +104,12 @@
8887 #define __KERNEL_STACK_CANARY 0
8890 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
8891 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
8893 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
8894 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
8896 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
8902 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
8903 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
8904 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
8909 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
8910 #define __USER32_DS __USER_DS
8912 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
8914 #define GDT_ENTRY_TSS 8 /* needs two entries */
8915 #define GDT_ENTRY_LDT 10 /* needs two entries */
8916 #define GDT_ENTRY_TLS_MIN 12
8920 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
8921 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
8922 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
8923 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
8924 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
8925 diff -urNp linux-2.6.35.5/arch/x86/include/asm/spinlock.h linux-2.6.35.5/arch/x86/include/asm/spinlock.h
8926 --- linux-2.6.35.5/arch/x86/include/asm/spinlock.h 2010-08-26 19:47:12.000000000 -0400
8927 +++ linux-2.6.35.5/arch/x86/include/asm/spinlock.h 2010-09-17 20:12:09.000000000 -0400
8928 @@ -249,18 +249,50 @@ static inline int arch_write_can_lock(ar
8929 static inline void arch_read_lock(arch_rwlock_t *rw)
8931 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
8933 - "call __read_lock_failed\n\t"
8935 +#ifdef CONFIG_PAX_REFCOUNT
8936 +#ifdef CONFIG_X86_32
8942 + ".pushsection .fixup,\"ax\"\n"
8944 + LOCK_PREFIX " addl $1,(%0)\n"
8947 + _ASM_EXTABLE(0b, 1b)
8951 + "call __read_lock_failed\n\t"
8953 ::LOCK_PTR_REG (rw) : "memory");
8956 static inline void arch_write_lock(arch_rwlock_t *rw)
8958 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
8960 - "call __write_lock_failed\n\t"
8962 +#ifdef CONFIG_PAX_REFCOUNT
8963 +#ifdef CONFIG_X86_32
8969 + ".pushsection .fixup,\"ax\"\n"
8971 + LOCK_PREFIX " addl %1,(%0)\n"
8974 + _ASM_EXTABLE(0b, 1b)
8978 + "call __write_lock_failed\n\t"
8980 ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
8983 @@ -286,12 +318,45 @@ static inline int arch_write_trylock(arc
8985 static inline void arch_read_unlock(arch_rwlock_t *rw)
8987 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
8988 + asm volatile(LOCK_PREFIX "incl %0\n"
8990 +#ifdef CONFIG_PAX_REFCOUNT
8991 +#ifdef CONFIG_X86_32
8997 + ".pushsection .fixup,\"ax\"\n"
8999 + LOCK_PREFIX "decl %0\n"
9002 + _ASM_EXTABLE(0b, 1b)
9005 + :"+m" (rw->lock) : : "memory");
9008 static inline void arch_write_unlock(arch_rwlock_t *rw)
9010 - asm volatile(LOCK_PREFIX "addl %1, %0"
9011 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
9013 +#ifdef CONFIG_PAX_REFCOUNT
9014 +#ifdef CONFIG_X86_32
9020 + ".pushsection .fixup,\"ax\"\n"
9022 + LOCK_PREFIX "subl %1,%0\n"
9025 + _ASM_EXTABLE(0b, 1b)
9028 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9031 diff -urNp linux-2.6.35.5/arch/x86/include/asm/system.h linux-2.6.35.5/arch/x86/include/asm/system.h
9032 --- linux-2.6.35.5/arch/x86/include/asm/system.h 2010-08-26 19:47:12.000000000 -0400
9033 +++ linux-2.6.35.5/arch/x86/include/asm/system.h 2010-09-17 20:12:09.000000000 -0400
9034 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9036 unsigned long __limit;
9037 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9038 - return __limit + 1;
9042 static inline void native_clts(void)
9043 @@ -342,7 +342,7 @@ void enable_hlt(void);
9045 void cpu_idle_wait(void);
9047 -extern unsigned long arch_align_stack(unsigned long sp);
9048 +#define arch_align_stack(x) ((x) & ~0xfUL)
9049 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9051 void default_idle(void);
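Review bot: Replacing the `arch_align_stack()` prototype with `#define arch_align_stack(x) ((x) & ~0xfUL)` drops the checking of argument and result types that the function declaration gave. A `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }` keeps the same behaviour with a checked signature. A comment should also record that this helper now only aligns to 16 bytes, so readers do not look for any other adjustment in it.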
9052 diff -urNp linux-2.6.35.5/arch/x86/include/asm/uaccess_32.h linux-2.6.35.5/arch/x86/include/asm/uaccess_32.h
9053 --- linux-2.6.35.5/arch/x86/include/asm/uaccess_32.h 2010-08-26 19:47:12.000000000 -0400
9054 +++ linux-2.6.35.5/arch/x86/include/asm/uaccess_32.h 2010-09-17 20:12:09.000000000 -0400
9055 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9056 static __always_inline unsigned long __must_check
9057 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9062 if (__builtin_constant_p(n)) {
9065 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9069 + if (!__builtin_constant_p(n))
9070 + check_object_size(from, n, true);
9071 return __copy_to_user_ll(to, from, n);
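Review bot: `check_object_size(from, n, true)` is called only when `n` is not a compile-time constant. In `__copy_to_user_inatomic()` a constant length not handled by the sized cases above therefore reaches `__copy_to_user_ll()` without the object-bounds check. The same pattern is used with `check_object_size(to, n, false)` in `__copy_from_user()` (hunk at -153). If constant lengths are meant to be covered at build time, say so in a comment, e.g. `/* constant n is validated at build time; only variable lengths need the runtime bounds check */`; otherwise drop the `__builtin_constant_p` guard so the check is unconditional. Lines of this function are missing from the listing and its body extends beyond the hunk, so an earlier check may exist that is not visible here.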
9074 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9075 static __always_inline unsigned long
9076 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9081 /* Avoid zeroing the tail if the copy fails..
9082 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9083 * but as the zeroing behaviour is only significant when n is not
9084 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9085 __copy_from_user(void *to, const void __user *from, unsigned long n)
9092 if (__builtin_constant_p(n)) {
9095 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9099 + if (!__builtin_constant_p(n))
9100 + check_object_size(to, n, false);
9101 return __copy_from_user_ll(to, from, n);
9104 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9105 const void __user *from, unsigned long n)
9112 if (__builtin_constant_p(n)) {
9115 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9116 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9119 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9124 -unsigned long __must_check copy_to_user(void __user *to,
9125 - const void *from, unsigned long n);
9126 -unsigned long __must_check _copy_from_user(void *to,
9127 - const void __user *from,
9129 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9132 +extern void copy_to_user_overflow(void)
9133 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9134 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9136 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9140 extern void copy_from_user_overflow(void)
9141 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9142 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9146 -static inline unsigned long __must_check copy_from_user(void *to,
9147 - const void __user *from,
9150 + * copy_to_user: - Copy a block of data into user space.
9151 + * @to: Destination address, in user space.
9152 + * @from: Source address, in kernel space.
9153 + * @n: Number of bytes to copy.
9155 + * Context: User context only. This function may sleep.
9157 + * Copy data from kernel space to user space.
9159 + * Returns number of bytes that could not be copied.
9160 + * On success, this will be zero.
9162 +static inline unsigned long __must_check
9163 +copy_to_user(void __user *to, const void *from, unsigned long n)
9165 + int sz = __compiletime_object_size(from);
9167 + if (unlikely(sz != -1 && sz < n))
9168 + copy_to_user_overflow();
9169 + else if (access_ok(VERIFY_WRITE, to, n))
9170 + n = __copy_to_user(to, from, n);
9175 + * copy_from_user: - Copy a block of data from user space.
9176 + * @to: Destination address, in kernel space.
9177 + * @from: Source address, in user space.
9178 + * @n: Number of bytes to copy.
9180 + * Context: User context only. This function may sleep.
9182 + * Copy data from user space to kernel space.
9184 + * Returns number of bytes that could not be copied.
9185 + * On success, this will be zero.
9187 + * If some data could not be copied, this function will pad the copied
9188 + * data to the requested size using zero bytes.
9190 +static inline unsigned long __must_check
9191 +copy_from_user(void *to, const void __user *from, unsigned long n)
9193 int sz = __compiletime_object_size(to);
9195 - if (likely(sz == -1 || sz >= n))
9196 - n = _copy_from_user(to, from, n);
9198 + if (unlikely(sz != -1 && sz < n))
9199 copy_from_user_overflow();
9201 + else if (access_ok(VERIFY_READ, from, n))
9202 + n = __copy_from_user(to, from, n);
9203 + else if ((long)n > 0) {
9204 + if (!__builtin_constant_p(n))
9205 + check_object_size(to, n, false);
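Review bot: The guard `sz != -1 && sz < n` in the new `copy_to_user()` and `copy_from_user()` compares an `int` with an `unsigned long`, so `sz` is converted to unsigned before the comparison. That is only correct because the `-1` sentinel is excluded first. I would make the conversion explicit, `if (unlikely(sz != -1 && (unsigned long)sz < n))`, so that reordering the condition later cannot turn "size unknown" into a huge bound. The tail of `copy_from_user()`, including the zero padding its kernel-doc promises, is not in the lines shown.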
9211 diff -urNp linux-2.6.35.5/arch/x86/include/asm/uaccess_64.h linux-2.6.35.5/arch/x86/include/asm/uaccess_64.h
9212 --- linux-2.6.35.5/arch/x86/include/asm/uaccess_64.h 2010-08-26 19:47:12.000000000 -0400
9213 +++ linux-2.6.35.5/arch/x86/include/asm/uaccess_64.h 2010-09-17 20:12:37.000000000 -0400
9215 #include <asm/alternative.h>
9216 #include <asm/cpufeature.h>
9217 #include <asm/page.h>
9218 +#include <asm/pgtable.h>
9220 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
9222 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9225 * Copy To/From Userspace
9226 @@ -37,26 +42,26 @@ copy_user_generic(void *to, const void *
9230 -__must_check unsigned long
9231 -_copy_to_user(void __user *to, const void *from, unsigned len);
9232 -__must_check unsigned long
9233 -_copy_from_user(void *to, const void __user *from, unsigned len);
9234 +static __always_inline __must_check unsigned long
9235 +__copy_to_user(void __user *to, const void *from, unsigned len);
9236 +static __always_inline __must_check unsigned long
9237 +__copy_from_user(void *to, const void __user *from, unsigned len);
9238 __must_check unsigned long
9239 copy_in_user(void __user *to, const void __user *from, unsigned len);
9241 static inline unsigned long __must_check copy_from_user(void *to,
9242 const void __user *from,
9246 - int sz = __compiletime_object_size(to);
9249 - if (likely(sz == -1 || sz >= n))
9250 - n = _copy_from_user(to, from, n);
9251 -#ifdef CONFIG_DEBUG_VM
9253 - WARN(1, "Buffer overflow detected!\n");
9256 + if (access_ok(VERIFY_READ, from, n))
9257 + n = __copy_from_user(to, from, n);
9258 + else if ((int)n > 0) {
9259 + if (!__builtin_constant_p(n))
9260 + check_object_size(to, n, false);
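Review bot: The failure path here tests `(int)n > 0`, while the same path in the uaccess_32.h hunk of this patch tests `(long)n > 0`. The parameter list of `copy_from_user()` is cut off in this listing; if `n` is `unsigned long` here as well, the `int` cast truncates it before the sign test, so the test and the later use of `n` see different values. The cast should match the declared type of `n`, for example `else if ((long)n > 0) {`. This hunk also drops the `__compiletime_object_size(to)` check from `copy_from_user()` and relies on `__copy_from_user()` to do it, which deserves a one-line comment at this call.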
9266 @@ -65,17 +70,35 @@ int copy_to_user(void __user *dst, const
9270 - return _copy_to_user(dst, src, size);
9271 + if (access_ok(VERIFY_WRITE, dst, size))
9272 + size = __copy_to_user(dst, src, size);
9276 static __always_inline __must_check
9277 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9278 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9281 + int sz = __compiletime_object_size(dst);
9285 - if (!__builtin_constant_p(size))
9287 + if ((int)size < 0)
9290 + if (unlikely(sz != -1 && sz < size)) {
9291 +#ifdef CONFIG_DEBUG_VM
9292 + WARN(1, "Buffer overflow detected!\n");
9297 + if (!__builtin_constant_p(size)) {
9298 + check_object_size(dst, size, false);
9299 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9300 + src += PAX_USER_SHADOW_BASE;
9301 return copy_user_generic(dst, (__force void *)src, size);
9304 case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9305 ret, "b", "b", "=q", 1);
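Review bot: The rebase `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is written out by hand before each `copy_user_generic()` call here. It is repeated in the later hunks of this file for `__copy_to_user`, `__copy_in_user` and the two `_inatomic` functions. The asm/uaccess.h part of this patch already has the same logic in its `____m()` macro, so one shared helper would make it easier to audit that no call site was missed. For example `src = ____m(src);`, assuming the macro is visible where uaccess_64.h is included. The function body starts and ends outside the lines shown, so any `#ifdef` around these lines cannot be confirmed from here.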
9306 @@ -108,18 +131,36 @@ int __copy_from_user(void *dst, const vo
9307 ret, "q", "", "=r", 8);
9310 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9311 + src += PAX_USER_SHADOW_BASE;
9312 return copy_user_generic(dst, (__force void *)src, size);
9316 static __always_inline __must_check
9317 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9318 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9321 + int sz = __compiletime_object_size(src);
9325 - if (!__builtin_constant_p(size))
9327 + if ((int)size < 0)
9330 + if (unlikely(sz != -1 && sz < size)) {
9331 +#ifdef CONFIG_DEBUG_VM
9332 + WARN(1, "Buffer overflow detected!\n");
9337 + if (!__builtin_constant_p(size)) {
9338 + check_object_size(src, size, true);
9339 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9340 + dst += PAX_USER_SHADOW_BASE;
9341 return copy_user_generic((__force void *)dst, src, size);
9344 case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9345 ret, "b", "b", "iq", 1);
9346 @@ -152,19 +193,30 @@ int __copy_to_user(void __user *dst, con
9347 ret, "q", "", "er", 8);
9350 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9351 + dst += PAX_USER_SHADOW_BASE;
9352 return copy_user_generic((__force void *)dst, src, size);
9356 static __always_inline __must_check
9357 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9358 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9364 - if (!__builtin_constant_p(size))
9366 + if ((int)size < 0)
9369 + if (!__builtin_constant_p(size)) {
9370 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9371 + src += PAX_USER_SHADOW_BASE;
9372 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9373 + dst += PAX_USER_SHADOW_BASE;
9374 return copy_user_generic((__force void *)dst,
9375 (__force void *)src, size);
9380 @@ -204,6 +256,10 @@ int __copy_in_user(void __user *dst, con
9384 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9385 + src += PAX_USER_SHADOW_BASE;
9386 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9387 + dst += PAX_USER_SHADOW_BASE;
9388 return copy_user_generic((__force void *)dst,
9389 (__force void *)src, size);
9391 @@ -222,33 +278,45 @@ __must_check unsigned long __clear_user(
9392 static __must_check __always_inline int
9393 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9395 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9396 + src += PAX_USER_SHADOW_BASE;
9397 return copy_user_generic(dst, (__force const void *)src, size);
9400 -static __must_check __always_inline int
9401 +static __must_check __always_inline unsigned long
9402 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9404 + if ((int)size < 0)
9407 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9408 + dst += PAX_USER_SHADOW_BASE;
9409 return copy_user_generic((__force void *)dst, src, size);
9412 -extern long __copy_user_nocache(void *dst, const void __user *src,
9413 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9414 unsigned size, int zerorest);
9417 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9418 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9422 + if ((int)size < 0)
9425 return __copy_user_nocache(dst, src, size, 1);
9429 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9430 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9433 + if ((int)size < 0)
9436 return __copy_user_nocache(dst, src, size, 0);
9440 +extern unsigned long
9441 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9443 #endif /* _ASM_X86_UACCESS_64_H */
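Review bot: `__copy_from_user_inatomic()` keeps its `int` return type, and no `(int)size < 0` guard appears between its signature and the shadow-base rebase. `__copy_to_user_inatomic()` directly below it is changed to return `unsigned long` and gains that guard. Both pass the same `unsigned size` to `copy_user_generic()`, so they should agree: `static __must_check __always_inline unsigned long` on the declaration and `if ((int)size < 0) return size;` as the first statement. Some lines of this hunk are missing from the listing, so the bodies are only partly visible.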
9444 diff -urNp linux-2.6.35.5/arch/x86/include/asm/uaccess.h linux-2.6.35.5/arch/x86/include/asm/uaccess.h
9445 --- linux-2.6.35.5/arch/x86/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
9446 +++ linux-2.6.35.5/arch/x86/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
9448 #include <linux/thread_info.h>
9449 #include <linux/prefetch.h>
9450 #include <linux/string.h>
9451 +#include <linux/sched.h>
9452 #include <asm/asm.h>
9453 #include <asm/page.h>
9455 #define VERIFY_READ 0
9456 #define VERIFY_WRITE 1
9458 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9461 * The fs value determines whether argument validity checking should be
9462 * performed or not. If get_fs() == USER_DS, checking is performed, with
9465 #define get_ds() (KERNEL_DS)
9466 #define get_fs() (current_thread_info()->addr_limit)
9467 +#ifdef CONFIG_X86_32
9468 +void __set_fs(mm_segment_t x, int cpu);
9469 +void set_fs(mm_segment_t x);
9471 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9474 #define segment_eq(a, b) ((a).seg == (b).seg)
9477 * checks that the pointer is in the user space range - after calling
9478 * this function, memory access functions may still return -EFAULT.
9480 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9481 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9482 +#define access_ok(type, addr, size) \
9484 + long __size = size; \
9485 + unsigned long __addr = (unsigned long)addr; \
9486 + unsigned long __addr_ao = __addr & PAGE_MASK; \
9487 + unsigned long __end_ao = __addr + __size - 1; \
9488 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9489 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9490 + while(__addr_ao <= __end_ao) { \
9492 + __addr_ao += PAGE_SIZE; \
9493 + if (__size > PAGE_SIZE) \
9495 + if (__get_user(__c_ao, (char __user *)__addr)) \
9497 + if (type != VERIFY_WRITE) { \
9498 + __addr = __addr_ao; \
9501 + if (__put_user(__c_ao, (char __user *)__addr)) \
9503 + __addr = __addr_ao; \
9510 * The exception table consists of pairs of addresses: the first is the
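Review bot: The new `access_ok()` expands its arguments without parentheses, so `(unsigned long)addr` applies the cast to the first operand only. A call like `access_ok(t, buf + i, len)` with a typed `buf` would compute `(unsigned long)buf + i` instead of the address of element `i`. `type != VERIFY_WRITE` has the same problem when `type` is a conditional expression. I would write `long __size = (size);`, `unsigned long __addr = (unsigned long)(addr);` and `if ((type) != VERIFY_WRITE)`. The macro now also reads and writes user memory through `__get_user()`/`__put_user()`, so the comment above it ("checks that the pointer is in the user space range") should say the range is touched page by page; parts of the macro are missing from this listing.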
9511 @@ -183,13 +217,21 @@ extern int __get_user_bad(void);
9512 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
9513 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
9516 +#ifdef CONFIG_X86_32
9517 +#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
9518 +#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
9520 +#define _ASM_LOAD_USER_DS(ds)
9521 +#define _ASM_LOAD_KERNEL_DS
9524 #ifdef CONFIG_X86_32
9525 #define __put_user_asm_u64(x, addr, err, errret) \
9526 - asm volatile("1: movl %%eax,0(%2)\n" \
9527 - "2: movl %%edx,4(%2)\n" \
9528 + asm volatile(_ASM_LOAD_USER_DS(5) \
9529 + "1: movl %%eax,%%ds:0(%2)\n" \
9530 + "2: movl %%edx,%%ds:4(%2)\n" \
9532 + _ASM_LOAD_KERNEL_DS \
9533 ".section .fixup,\"ax\"\n" \
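Review bot: `_ASM_LOAD_USER_DS(5)` hard-codes the position of the `__USER_DS` operand in the constraint list. The same pattern recurs with `(2)` and `(5)` in `__put_user_asm_ex_u64`, `__get_user_asm`, `__get_user_asm_ex`, `__put_user_asm` and `__put_user_asm_ex` in the following hunks. Adding or removing an operand in any of these macros would make the `movw` load a different operand into `%ds` with no compiler diagnostic. A named operand removes that coupling: `#define _ASM_LOAD_USER_DS "movw %w[uds],%%ds\n"` with `[uds] "r"(__USER_DS)` in each operand list. The macro bodies extend beyond the lines shown.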
9536 @@ -197,15 +239,18 @@ extern int __get_user_bad(void);
9537 _ASM_EXTABLE(1b, 4b) \
9538 _ASM_EXTABLE(2b, 4b) \
9540 - : "A" (x), "r" (addr), "i" (errret), "0" (err))
9541 + : "A" (x), "r" (addr), "i" (errret), "0" (err), \
9544 #define __put_user_asm_ex_u64(x, addr) \
9545 - asm volatile("1: movl %%eax,0(%1)\n" \
9546 - "2: movl %%edx,4(%1)\n" \
9547 + asm volatile(_ASM_LOAD_USER_DS(2) \
9548 + "1: movl %%eax,%%ds:0(%1)\n" \
9549 + "2: movl %%edx,%%ds:4(%1)\n" \
9551 + _ASM_LOAD_KERNEL_DS \
9552 _ASM_EXTABLE(1b, 2b - 1b) \
9553 _ASM_EXTABLE(2b, 3b - 2b) \
9554 - : : "A" (x), "r" (addr))
9555 + : : "A" (x), "r" (addr), "r"(__USER_DS))
9557 #define __put_user_x8(x, ptr, __ret_pu) \
9558 asm volatile("call __put_user_8" : "=a" (__ret_pu) \
9559 @@ -374,16 +419,18 @@ do { \
9562 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9563 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
9564 + asm volatile(_ASM_LOAD_USER_DS(5) \
9565 + "1: mov"itype" %%ds:%2,%"rtype"1\n" \
9567 + _ASM_LOAD_KERNEL_DS \
9568 ".section .fixup,\"ax\"\n" \
9570 " xor"itype" %"rtype"1,%"rtype"1\n" \
9573 _ASM_EXTABLE(1b, 3b) \
9574 - : "=r" (err), ltype(x) \
9575 - : "m" (__m(addr)), "i" (errret), "0" (err))
9576 + : "=r" (err), ltype (x) \
9577 + : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
9579 #define __get_user_size_ex(x, ptr, size) \
9581 @@ -407,10 +454,12 @@ do { \
9584 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
9585 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
9586 + asm volatile(_ASM_LOAD_USER_DS(2) \
9587 + "1: mov"itype" %%ds:%1,%"rtype"0\n" \
9589 + _ASM_LOAD_KERNEL_DS \
9590 _ASM_EXTABLE(1b, 2b - 1b) \
9591 - : ltype(x) : "m" (__m(addr)))
9592 + : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
9594 #define __put_user_nocheck(x, ptr, size) \
9596 @@ -424,13 +473,24 @@ do { \
9598 unsigned long __gu_val; \
9599 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
9600 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
9601 + (x) = (__typeof__(*(ptr)))__gu_val; \
9605 /* FIXME: this hack is definitely wrong -AK */
9606 struct __large_struct { unsigned long buf[100]; };
9607 -#define __m(x) (*(struct __large_struct __user *)(x))
9608 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9611 + unsigned long ____x = (unsigned long)(x); \
9612 + if (____x < PAX_USER_SHADOW_BASE) \
9613 + ____x += PAX_USER_SHADOW_BASE; \
9614 + (void __user *)____x; \
9617 +#define ____m(x) (x)
9619 +#define __m(x) (*(struct __large_struct __user *)____m(x))
9622 * Tell gcc we read from memory instead of writing: this is because
9623 @@ -438,21 +498,26 @@ struct __large_struct { unsigned long bu
9626 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9627 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
9628 + asm volatile(_ASM_LOAD_USER_DS(5) \
9629 + "1: mov"itype" %"rtype"1,%%ds:%2\n" \
9631 + _ASM_LOAD_KERNEL_DS \
9632 ".section .fixup,\"ax\"\n" \
9636 _ASM_EXTABLE(1b, 3b) \
9638 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
9639 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
9642 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
9643 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
9644 + asm volatile(_ASM_LOAD_USER_DS(2) \
9645 + "1: mov"itype" %"rtype"0,%%ds:%1\n" \
9647 + _ASM_LOAD_KERNEL_DS \
9648 _ASM_EXTABLE(1b, 2b - 1b) \
9649 - : : ltype(x), "m" (__m(addr)))
9650 + : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
9653 * uaccess_try and catch
9654 @@ -530,7 +595,7 @@ struct __large_struct { unsigned long bu
9655 #define get_user_ex(x, ptr) do { \
9656 unsigned long __gue_val; \
9657 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
9658 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
9659 + (x) = (__typeof__(*(ptr)))__gue_val; \
9662 #ifdef CONFIG_X86_WP_WORKS_OK
9663 @@ -567,6 +632,7 @@ extern struct movsl_mask {
9665 #define ARCH_HAS_NOCACHE_UACCESS 1
9667 +#define ARCH_HAS_SORT_EXTABLE
9668 #ifdef CONFIG_X86_32
9669 # include "uaccess_32.h"
9671 diff -urNp linux-2.6.35.5/arch/x86/include/asm/vgtod.h linux-2.6.35.5/arch/x86/include/asm/vgtod.h
9672 --- linux-2.6.35.5/arch/x86/include/asm/vgtod.h 2010-08-26 19:47:12.000000000 -0400
9673 +++ linux-2.6.35.5/arch/x86/include/asm/vgtod.h 2010-09-17 20:12:09.000000000 -0400
9674 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
9676 struct timezone sys_tz;
9677 struct { /* extract of a clocksource struct */
9679 cycle_t (*vread)(void);
9682 diff -urNp linux-2.6.35.5/arch/x86/include/asm/vmi.h linux-2.6.35.5/arch/x86/include/asm/vmi.h
9683 --- linux-2.6.35.5/arch/x86/include/asm/vmi.h 2010-08-26 19:47:12.000000000 -0400
9684 +++ linux-2.6.35.5/arch/x86/include/asm/vmi.h 2010-09-17 20:12:09.000000000 -0400
9685 @@ -191,6 +191,7 @@ struct vrom_header {
9686 u8 reserved[96]; /* Reserved for headers */
9687 char vmi_init[8]; /* VMI_Init jump point */
9688 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
9689 + char rom_data[8048]; /* rest of the option ROM */
9690 } __attribute__((packed));
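Review bot: `rom_data[8048]` is a bare magic number, and nothing in the visible part of the struct says what total size it is meant to reach. If the intent is for `struct vrom_header` to span the whole option ROM, as the trailing comment suggests, the length should come from a named constant. Alternatively it could be pinned with a `BUILD_BUG_ON()` on `sizeof(struct vrom_header)` next to the code that maps the ROM. The comment should also say why the full extent has to be part of the type. The start of the struct is outside the hunk, so the intended total cannot be checked from here.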
9693 diff -urNp linux-2.6.35.5/arch/x86/include/asm/vsyscall.h linux-2.6.35.5/arch/x86/include/asm/vsyscall.h
9694 --- linux-2.6.35.5/arch/x86/include/asm/vsyscall.h 2010-08-26 19:47:12.000000000 -0400
9695 +++ linux-2.6.35.5/arch/x86/include/asm/vsyscall.h 2010-09-17 20:12:09.000000000 -0400
9696 @@ -15,9 +15,10 @@ enum vsyscall_num {
9699 #include <linux/seqlock.h>
9700 +#include <linux/getcpu.h>
9701 +#include <linux/time.h>
9703 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
9704 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
9706 /* Definitions for CONFIG_GENERIC_TIME definitions */
9707 #define __section_vsyscall_gtod_data __attribute__ \
9708 @@ -31,7 +32,6 @@ enum vsyscall_num {
9709 #define VGETCPU_LSL 2
9711 extern int __vgetcpu_mode;
9712 -extern volatile unsigned long __jiffies;
9714 /* kernel space (writeable) */
9715 extern int vgetcpu_mode;
9716 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
9718 extern void map_vsyscall(void);
9720 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
9721 +extern time_t vtime(time_t *t);
9722 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
9723 #endif /* __KERNEL__ */
9725 #endif /* _ASM_X86_VSYSCALL_H */
9726 diff -urNp linux-2.6.35.5/arch/x86/include/asm/xsave.h linux-2.6.35.5/arch/x86/include/asm/xsave.h
9727 --- linux-2.6.35.5/arch/x86/include/asm/xsave.h 2010-08-26 19:47:12.000000000 -0400
9728 +++ linux-2.6.35.5/arch/x86/include/asm/xsave.h 2010-09-17 20:12:09.000000000 -0400
9729 @@ -59,6 +59,12 @@ static inline int fpu_xrstor_checking(st
9730 static inline int xsave_user(struct xsave_struct __user *buf)
9734 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9735 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
9736 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
9739 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
9741 ".section .fixup,\"ax\"\n"
9742 @@ -85,6 +91,11 @@ static inline int xrestore_user(struct x
9744 u32 hmask = mask >> 32;
9746 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9747 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
9748 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
9751 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
9753 ".section .fixup,\"ax\"\n"
9754 diff -urNp linux-2.6.35.5/arch/x86/Kconfig linux-2.6.35.5/arch/x86/Kconfig
9755 --- linux-2.6.35.5/arch/x86/Kconfig 2010-08-26 19:47:12.000000000 -0400
9756 +++ linux-2.6.35.5/arch/x86/Kconfig 2010-09-17 20:12:37.000000000 -0400
9757 @@ -1038,7 +1038,7 @@ choice
9761 - depends on !X86_NUMAQ
9762 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9764 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
9765 However, the address space of 32-bit x86 processors is only 4
9766 @@ -1075,7 +1075,7 @@ config NOHIGHMEM
9770 - depends on !X86_NUMAQ
9771 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9773 Select this if you have a 32-bit processor and between 1 and 4
9774 gigabytes of physical RAM.
9775 @@ -1129,7 +1129,7 @@ config PAGE_OFFSET
9777 default 0xB0000000 if VMSPLIT_3G_OPT
9778 default 0x80000000 if VMSPLIT_2G
9779 - default 0x78000000 if VMSPLIT_2G_OPT
9780 + default 0x70000000 if VMSPLIT_2G_OPT
9781 default 0x40000000 if VMSPLIT_1G
9784 @@ -1461,7 +1461,7 @@ config ARCH_USES_PG_UNCACHED
9787 bool "EFI runtime service support"
9789 + depends on ACPI && !PAX_KERNEXEC
9791 This enables the kernel to use EFI runtime services that are
9792 available (such as the EFI variable services).
9793 @@ -1548,6 +1548,7 @@ config KEXEC_JUMP
9794 config PHYSICAL_START
9795 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
9797 + range 0x400000 0x40000000
9799 This gives the physical address where the kernel is loaded.
9801 @@ -1611,6 +1612,7 @@ config X86_NEED_RELOCS
9802 config PHYSICAL_ALIGN
9803 hex "Alignment value to which kernel should be aligned" if X86_32
9805 + range 0x400000 0x1000000 if PAX_KERNEXEC
9806 range 0x2000 0x1000000
9808 This value puts the alignment restrictions on physical address
9809 @@ -1642,9 +1644,10 @@ config HOTPLUG_CPU
9810 Say N if you want to disable CPU hotplug.
9815 prompt "Compat VDSO support"
9816 depends on X86_32 || IA32_EMULATION
9817 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
9819 Map the 32-bit VDSO to the predictable old-style address too.
9821 diff -urNp linux-2.6.35.5/arch/x86/Kconfig.cpu linux-2.6.35.5/arch/x86/Kconfig.cpu
9822 --- linux-2.6.35.5/arch/x86/Kconfig.cpu 2010-08-26 19:47:12.000000000 -0400
9823 +++ linux-2.6.35.5/arch/x86/Kconfig.cpu 2010-09-17 20:12:09.000000000 -0400
9824 @@ -336,7 +336,7 @@ config X86_PPRO_FENCE
9828 - depends on M586MMX || M586TSC || M586 || M486 || M386
9829 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
9833 @@ -360,7 +360,7 @@ config X86_POPAD_OK
9835 config X86_ALIGNMENT_16
9837 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9838 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9840 config X86_INTEL_USERCOPY
9842 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
9846 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9847 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9849 config X86_MINIMUM_CPU_FAMILY
9851 diff -urNp linux-2.6.35.5/arch/x86/Kconfig.debug linux-2.6.35.5/arch/x86/Kconfig.debug
9852 --- linux-2.6.35.5/arch/x86/Kconfig.debug 2010-08-26 19:47:12.000000000 -0400
9853 +++ linux-2.6.35.5/arch/x86/Kconfig.debug 2010-09-17 20:12:09.000000000 -0400
9854 @@ -97,7 +97,7 @@ config X86_PTDUMP
9856 bool "Write protect kernel read-only data structures"
9858 - depends on DEBUG_KERNEL
9859 + depends on DEBUG_KERNEL && BROKEN
9861 Mark the kernel read-only data as write-protected in the pagetables,
9862 in order to catch accidental (and incorrect) writes to such const
9863 diff -urNp linux-2.6.35.5/arch/x86/kernel/acpi/boot.c linux-2.6.35.5/arch/x86/kernel/acpi/boot.c
9864 --- linux-2.6.35.5/arch/x86/kernel/acpi/boot.c 2010-08-26 19:47:12.000000000 -0400
9865 +++ linux-2.6.35.5/arch/x86/kernel/acpi/boot.c 2010-09-17 20:12:09.000000000 -0400
9866 @@ -1472,7 +1472,7 @@ static struct dmi_system_id __initdata a
9867 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
9871 + { NULL, NULL, {{0, {0}}}, NULL}
9875 diff -urNp linux-2.6.35.5/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.35.5/arch/x86/kernel/acpi/realmode/wakeup.S
9876 --- linux-2.6.35.5/arch/x86/kernel/acpi/realmode/wakeup.S 2010-08-26 19:47:12.000000000 -0400
9877 +++ linux-2.6.35.5/arch/x86/kernel/acpi/realmode/wakeup.S 2010-09-17 20:12:09.000000000 -0400
9878 @@ -104,7 +104,7 @@ _start:
9882 - movl $0xc0000080, %ecx
9883 + mov $MSR_EFER, %ecx
9887 diff -urNp linux-2.6.35.5/arch/x86/kernel/acpi/sleep.c linux-2.6.35.5/arch/x86/kernel/acpi/sleep.c
9888 --- linux-2.6.35.5/arch/x86/kernel/acpi/sleep.c 2010-08-26 19:47:12.000000000 -0400
9889 +++ linux-2.6.35.5/arch/x86/kernel/acpi/sleep.c 2010-09-17 20:12:09.000000000 -0400
9891 #include <linux/cpumask.h>
9892 #include <asm/segment.h>
9893 #include <asm/desc.h>
9894 +#include <asm/e820.h>
9896 #include "realmode/wakeup.h"
9899 -unsigned long acpi_wakeup_address;
9900 +unsigned long acpi_wakeup_address = 0x2000;
9901 unsigned long acpi_realmode_flags;
9903 /* address in low memory of the wakeup routine. */
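Review bot: `acpi_wakeup_address` is now statically initialised to `0x2000` with no comment or named constant. A reader cannot tell whether this is a fixed low-memory page reserved elsewhere in the patch (the new `<asm/e820.h>` include hints at that) or a default that is overwritten later. I would add a comment on the definition naming where that page is reserved. Better still, define the value once in a header and use the same name at the reservation site.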
9904 @@ -96,8 +97,12 @@ int acpi_save_state_mem(void)
9905 header->trampoline_segment = setup_trampoline() >> 4;
9907 stack_start.sp = temp_stack + sizeof(temp_stack);
9909 + pax_open_kernel();
9910 early_gdt_descr.address =
9911 (unsigned long)get_cpu_gdt_table(smp_processor_id());
9912 + pax_close_kernel();
9914 initial_gs = per_cpu_offset(smp_processor_id());
9916 initial_code = (unsigned long)wakeup_long64;
9917 diff -urNp linux-2.6.35.5/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.35.5/arch/x86/kernel/acpi/wakeup_32.S
9918 --- linux-2.6.35.5/arch/x86/kernel/acpi/wakeup_32.S 2010-08-26 19:47:12.000000000 -0400
9919 +++ linux-2.6.35.5/arch/x86/kernel/acpi/wakeup_32.S 2010-09-17 20:12:09.000000000 -0400
9920 @@ -30,13 +30,11 @@ wakeup_pmode_return:
9921 # and restore the stack ... but you need gdt for this to work
9922 movl saved_context_esp, %esp
9924 - movl %cs:saved_magic, %eax
9925 - cmpl $0x12345678, %eax
9926 + cmpl $0x12345678, saved_magic
9929 # jump to place where we left off
9930 - movl saved_eip, %eax
9936 diff -urNp linux-2.6.35.5/arch/x86/kernel/alternative.c linux-2.6.35.5/arch/x86/kernel/alternative.c
9937 --- linux-2.6.35.5/arch/x86/kernel/alternative.c 2010-08-26 19:47:12.000000000 -0400
9938 +++ linux-2.6.35.5/arch/x86/kernel/alternative.c 2010-09-17 20:12:09.000000000 -0400
9939 @@ -247,7 +247,7 @@ static void alternatives_smp_lock(const
9940 if (!*poff || ptr < text || ptr >= text_end)
9942 /* turn DS segment override prefix into lock prefix */
9944 + if (*ktla_ktva(ptr) == 0x3e)
9945 text_poke(ptr, ((unsigned char []){0xf0}), 1);
9947 mutex_unlock(&text_mutex);
9948 @@ -268,7 +268,7 @@ static void alternatives_smp_unlock(cons
9949 if (!*poff || ptr < text || ptr >= text_end)
9951 /* turn lock prefix into DS segment override prefix */
9953 + if (*ktla_ktva(ptr) == 0xf0)
9954 text_poke(ptr, ((unsigned char []){0x3E}), 1);
9956 mutex_unlock(&text_mutex);
9957 @@ -436,7 +436,7 @@ void __init_or_module apply_paravirt(str
9959 BUG_ON(p->len > MAX_PATCH_LEN);
9960 /* prep the buffer with the original instructions */
9961 - memcpy(insnbuf, p->instr, p->len);
9962 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
9963 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
9964 (unsigned long)p->instr, p->len);
9966 @@ -504,7 +504,7 @@ void __init alternative_instructions(voi
9968 free_init_pages("SMP alternatives",
9969 (unsigned long)__smp_locks,
9970 - (unsigned long)__smp_locks_end);
9971 + PAGE_ALIGN((unsigned long)__smp_locks_end));
9975 @@ -521,13 +521,17 @@ void __init alternative_instructions(voi
9976 * instructions. And on the local CPU you need to be protected again NMI or MCE
9977 * handlers seeing an inconsistent instruction while you patch.
9979 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
9980 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
9983 unsigned long flags;
9984 local_irq_save(flags);
9985 - memcpy(addr, opcode, len);
9987 + pax_open_kernel();
9988 + memcpy(ktla_ktva(addr), opcode, len);
9990 + pax_close_kernel();
9992 local_irq_restore(flags);
9993 /* Could also do a CLFLUSH here to speed up CPU recovery; but
9994 that causes hangs on some VIA CPUs. */
9995 @@ -549,36 +553,22 @@ static void *__init_or_module text_poke_
9997 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
9999 - unsigned long flags;
10001 + unsigned char *vaddr = ktla_ktva(addr);
10002 struct page *pages[2];
10006 if (!core_kernel_text((unsigned long)addr)) {
10007 - pages[0] = vmalloc_to_page(addr);
10008 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10009 + pages[0] = vmalloc_to_page(vaddr);
10010 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10012 - pages[0] = virt_to_page(addr);
10013 + pages[0] = virt_to_page(vaddr);
10014 WARN_ON(!PageReserved(pages[0]));
10015 - pages[1] = virt_to_page(addr + PAGE_SIZE);
10016 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10019 - local_irq_save(flags);
10020 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10022 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10023 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10024 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10025 - clear_fixmap(FIX_TEXT_POKE0);
10027 - clear_fixmap(FIX_TEXT_POKE1);
10028 - local_flush_tlb();
10030 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
10031 - that causes hangs on some VIA CPUs. */
10032 + text_poke_early(addr, opcode, len);
10033 for (i = 0; i < len; i++)
10034 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10035 - local_irq_restore(flags);
10036 + BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i]);
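Review bot: With the fixmap mapping removed, `pages[0]` and `pages[1]` are still resolved through `vmalloc_to_page()`/`virt_to_page()`, but nothing visible maps them any more. Only the `WARN_ON(!PageReserved(pages[0]))` check, and whatever check sits in the lines not shown, still uses them. If the lookups are kept purely as sanity checks, a comment should say so, e.g. `/* pages[] only validates the target; the write goes through text_poke_early() */`; otherwise `pages[1]` can go. The verification loop also now runs after `text_poke_early()` has restored interrupts, whereas the old code compared before `local_irq_restore()`, which is worth a line in the function comment. Several lines of this hunk are missing from the listing.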
10040 diff -urNp linux-2.6.35.5/arch/x86/kernel/amd_iommu.c linux-2.6.35.5/arch/x86/kernel/amd_iommu.c
10041 --- linux-2.6.35.5/arch/x86/kernel/amd_iommu.c 2010-08-26 19:47:12.000000000 -0400
10042 +++ linux-2.6.35.5/arch/x86/kernel/amd_iommu.c 2010-09-17 20:12:09.000000000 -0400
10043 @@ -2284,7 +2284,7 @@ static void prealloc_protection_domains(
10047 -static struct dma_map_ops amd_iommu_dma_ops = {
10048 +static const struct dma_map_ops amd_iommu_dma_ops = {
10049 .alloc_coherent = alloc_coherent,
10050 .free_coherent = free_coherent,
10051 .map_page = map_page,
10052 diff -urNp linux-2.6.35.5/arch/x86/kernel/apic/io_apic.c linux-2.6.35.5/arch/x86/kernel/apic/io_apic.c
10053 --- linux-2.6.35.5/arch/x86/kernel/apic/io_apic.c 2010-09-20 17:33:09.000000000 -0400
10054 +++ linux-2.6.35.5/arch/x86/kernel/apic/io_apic.c 2010-09-20 17:33:32.000000000 -0400
10055 @@ -691,7 +691,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10056 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10058 if (!ioapic_entries)
10062 for (apic = 0; apic < nr_ioapics; apic++) {
10063 ioapic_entries[apic] =
10064 @@ -708,7 +708,7 @@ nomem:
10065 kfree(ioapic_entries[apic]);
10066 kfree(ioapic_entries);
10073 @@ -1118,7 +1118,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10075 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10077 -void lock_vector_lock(void)
10078 +void lock_vector_lock(void) __acquires(vector_lock)
10080 /* Used to the online set of cpus does not change
10081 * during assign_irq_vector.
10082 @@ -1126,7 +1126,7 @@ void lock_vector_lock(void)
10083 raw_spin_lock(&vector_lock);
10086 -void unlock_vector_lock(void)
10087 +void unlock_vector_lock(void) __releases(vector_lock)
10089 raw_spin_unlock(&vector_lock);
10091 diff -urNp linux-2.6.35.5/arch/x86/kernel/apm_32.c linux-2.6.35.5/arch/x86/kernel/apm_32.c
10092 --- linux-2.6.35.5/arch/x86/kernel/apm_32.c 2010-08-26 19:47:12.000000000 -0400
10093 +++ linux-2.6.35.5/arch/x86/kernel/apm_32.c 2010-09-17 20:12:09.000000000 -0400
10094 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10095 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10096 * even though they are called in protected mode.
10098 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10099 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10100 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10102 static const char driver_version[] = "1.16ac"; /* no spaces */
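Review bot: The descriptor flags change from `0x4092` to `0x4093` without explanation; the only difference is bit 0 of the access byte, the accessed bit. Presumably it is pre-set so the CPU never has to write it back into a GDT that is writable only between `pax_open_kernel()` and `pax_close_kernel()`. That reasoning belongs in the comment above the definition, e.g. `/* accessed bit pre-set so loading the selector does not write to the GDT */`. The same comment could note that `const` is safe here because the descriptor is only ever copied into `gdt[0x40 / 8]`.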
10103 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10105 gdt = get_cpu_gdt_table(cpu);
10106 save_desc_40 = gdt[0x40 / 8];
10108 + pax_open_kernel();
10109 gdt[0x40 / 8] = bad_bios_desc;
10110 + pax_close_kernel();
10112 apm_irq_save(flags);
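Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair around `gdt[0x40 / 8] = bad_bios_desc;` sits before `apm_irq_save(flags)`, so as far as this hunk shows, interrupts may still be enabled while kernel write protection is lifted. The definition of pax_open_kernel() is not visible here; if it does not disable preemption itself, the window should be narrowed or the assumption documented. A comment such as `/* GDT is read-only: open a write window for this single store */` would state the intent. The same pattern recurs in the restore hunk after `apm_irq_restore(flags)` and in both hunks of __apm_bios_call_simple; all of these function bodies continue outside the hunks.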
10114 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10116 APM_DO_RESTORE_SEGS;
10117 apm_irq_restore(flags);
10119 + pax_open_kernel();
10120 gdt[0x40 / 8] = save_desc_40;
10121 + pax_close_kernel();
10125 return call->eax & 0xff;
10126 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
10128 gdt = get_cpu_gdt_table(cpu);
10129 save_desc_40 = gdt[0x40 / 8];
10131 + pax_open_kernel();
10132 gdt[0x40 / 8] = bad_bios_desc;
10133 + pax_close_kernel();
10135 apm_irq_save(flags);
10137 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
10139 APM_DO_RESTORE_SEGS;
10140 apm_irq_restore(flags);
10142 + pax_open_kernel();
10143 gdt[0x40 / 8] = save_desc_40;
10144 + pax_close_kernel();
10149 @@ -975,7 +989,7 @@ recalc:
10151 static void apm_power_off(void)
10153 - unsigned char po_bios_call[] = {
10154 + const unsigned char po_bios_call[] = {
10155 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10156 0x8e, 0xd0, /* movw ax,ss */
10157 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
10158 @@ -1931,7 +1945,10 @@ static const struct file_operations apm_
10159 static struct miscdevice apm_device = {
10170 @@ -2252,7 +2269,7 @@ static struct dmi_system_id __initdata a
10171 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10175 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10179 @@ -2355,12 +2372,15 @@ static int __init apm_init(void)
10180 * code to that CPU.
10182 gdt = get_cpu_gdt_table(0);
10184 + pax_open_kernel();
10185 set_desc_base(&gdt[APM_CS >> 3],
10186 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10187 set_desc_base(&gdt[APM_CS_16 >> 3],
10188 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10189 set_desc_base(&gdt[APM_DS >> 3],
10190 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10191 + pax_close_kernel();
10193 proc_create("apm", 0, NULL, &apm_file_ops);
10195 diff -urNp linux-2.6.35.5/arch/x86/kernel/asm-offsets_32.c linux-2.6.35.5/arch/x86/kernel/asm-offsets_32.c
10196 --- linux-2.6.35.5/arch/x86/kernel/asm-offsets_32.c 2010-08-26 19:47:12.000000000 -0400
10197 +++ linux-2.6.35.5/arch/x86/kernel/asm-offsets_32.c 2010-09-17 20:12:09.000000000 -0400
10198 @@ -115,6 +115,11 @@ void foo(void)
10199 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10200 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10201 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10203 +#ifdef CONFIG_PAX_KERNEXEC
10204 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10210 diff -urNp linux-2.6.35.5/arch/x86/kernel/asm-offsets_64.c linux-2.6.35.5/arch/x86/kernel/asm-offsets_64.c
10211 --- linux-2.6.35.5/arch/x86/kernel/asm-offsets_64.c 2010-08-26 19:47:12.000000000 -0400
10212 +++ linux-2.6.35.5/arch/x86/kernel/asm-offsets_64.c 2010-09-17 20:12:09.000000000 -0400
10213 @@ -63,6 +63,18 @@ int main(void)
10214 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10215 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10216 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10218 +#ifdef CONFIG_PAX_KERNEXEC
10219 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10220 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10223 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10224 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10225 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10226 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10232 @@ -115,6 +127,7 @@ int main(void)
10236 + DEFINE(TSS_size, sizeof(struct tss_struct));
10237 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10239 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10240 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/common.c linux-2.6.35.5/arch/x86/kernel/cpu/common.c
10241 --- linux-2.6.35.5/arch/x86/kernel/cpu/common.c 2010-08-26 19:47:12.000000000 -0400
10242 +++ linux-2.6.35.5/arch/x86/kernel/cpu/common.c 2010-09-17 20:12:09.000000000 -0400
10243 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10245 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10247 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10248 -#ifdef CONFIG_X86_64
10250 - * We need valid kernel segments for data and code in long mode too
10251 - * IRET will check the segment types kkeil 2000/10/28
10252 - * Also sysret mandates a special GDT layout
10254 - * TLS descriptors are currently at a different place compared to i386.
10255 - * Hopefully nobody expects them at a fixed place (Wine?)
10257 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10258 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10259 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10260 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10261 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10262 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10264 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10265 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10266 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10267 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10269 - * Segments used for calling PnP BIOS have byte granularity.
10270 - * They code segments and data segments have fixed 64k limits,
10271 - * the transfer segment sizes are set at run time.
10273 - /* 32-bit code */
10274 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10275 - /* 16-bit code */
10276 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10277 - /* 16-bit data */
10278 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10279 - /* 16-bit data */
10280 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10281 - /* 16-bit data */
10282 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10284 - * The APM segments have byte granularity and their bases
10285 - * are set at run time. All have 64k limits.
10287 - /* 32-bit code */
10288 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10289 - /* 16-bit code */
10290 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10292 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10294 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10295 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10296 - GDT_STACK_CANARY_INIT
10299 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10301 static int __init x86_xsave_setup(char *s)
10303 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10304 @@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
10306 struct desc_ptr gdt_descr;
10308 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10309 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10310 gdt_descr.size = GDT_SIZE - 1;
10311 load_gdt(&gdt_descr);
10312 /* Reload the per-cpu base */
10313 @@ -802,6 +748,10 @@ static void __cpuinit identify_cpu(struc
10314 /* Filter out anything that depends on CPUID levels we don't have */
10315 filter_cpuid_features(c, true);
10317 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10318 + setup_clear_cpu_cap(X86_FEATURE_SEP);
10321 /* If the model name is still unset, do table lookup. */
10322 if (!c->x86_model_id[0]) {
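Review bot: The added `setup_clear_cpu_cap(X86_FEATURE_SEP)` in identify_cpu has no comment saying why SYSENTER is turned off, and the call clears the capability for every CPU. The `#if` restricts only the UDEREF term to CONFIG_X86_32, so CONFIG_PAX_KERNEXEC also clears SEP on 64-bit builds; whether that is intended cannot be told from the hunk. I would add a one-line comment naming which PaX feature conflicts with the sysenter path and stating that the 64-bit case is deliberate. identify_cpu continues outside the hunk.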
10324 @@ -1117,7 +1067,7 @@ void __cpuinit cpu_init(void)
10327 cpu = stack_smp_processor_id();
10328 - t = &per_cpu(init_tss, cpu);
10329 + t = init_tss + cpu;
10330 oist = &per_cpu(orig_ist, cpu);
10333 @@ -1143,7 +1093,7 @@ void __cpuinit cpu_init(void)
10334 switch_to_new_gdt(cpu);
10335 loadsegment(fs, 0);
10337 - load_idt((const struct desc_ptr *)&idt_descr);
10338 + load_idt(&idt_descr);
10340 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10342 @@ -1205,7 +1155,7 @@ void __cpuinit cpu_init(void)
10344 int cpu = smp_processor_id();
10345 struct task_struct *curr = current;
10346 - struct tss_struct *t = &per_cpu(init_tss, cpu);
10347 + struct tss_struct *t = init_tss + cpu;
10348 struct thread_struct *thread = &curr->thread;
10350 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
10351 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
10352 --- linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-08-26 19:47:12.000000000 -0400
10353 +++ linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-09-17 20:12:09.000000000 -0400
10354 @@ -484,7 +484,7 @@ static const struct dmi_system_id sw_any
10355 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
10359 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
10362 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
10363 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
10364 --- linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-08-26 19:47:12.000000000 -0400
10365 +++ linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-09-17 20:12:09.000000000 -0400
10366 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
10367 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
10368 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
10371 + { NULL, NULL, 0, NULL}
10375 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/intel.c linux-2.6.35.5/arch/x86/kernel/cpu/intel.c
10376 --- linux-2.6.35.5/arch/x86/kernel/cpu/intel.c 2010-08-26 19:47:12.000000000 -0400
10377 +++ linux-2.6.35.5/arch/x86/kernel/cpu/intel.c 2010-09-17 20:12:09.000000000 -0400
10378 @@ -160,7 +160,7 @@ static void __cpuinit trap_init_f00f_bug
10379 * Update the IDT descriptor and reload the IDT so that
10380 * it uses the read-only mapped virtual address.
10382 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10383 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10384 load_idt(&idt_descr);
10387 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/Makefile linux-2.6.35.5/arch/x86/kernel/cpu/Makefile
10388 --- linux-2.6.35.5/arch/x86/kernel/cpu/Makefile 2010-08-26 19:47:12.000000000 -0400
10389 +++ linux-2.6.35.5/arch/x86/kernel/cpu/Makefile 2010-09-17 20:12:09.000000000 -0400
10390 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10391 CFLAGS_REMOVE_perf_event.o = -pg
10394 -# Make sure load_percpu_segment has no stackprotector
10395 -nostackp := $(call cc-option, -fno-stack-protector)
10396 -CFLAGS_common.o := $(nostackp)
10398 obj-y := intel_cacheinfo.o addon_cpuid_features.o
10399 obj-y += proc.o capflags.o powerflags.o common.o
10400 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
10401 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.35.5/arch/x86/kernel/cpu/mcheck/mce.c
10402 --- linux-2.6.35.5/arch/x86/kernel/cpu/mcheck/mce.c 2010-08-26 19:47:12.000000000 -0400
10403 +++ linux-2.6.35.5/arch/x86/kernel/cpu/mcheck/mce.c 2010-09-17 20:12:09.000000000 -0400
10404 @@ -219,7 +219,7 @@ static void print_mce(struct mce *m)
10405 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
10408 - if (m->cs == __KERNEL_CS)
10409 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
10410 print_symbol("{%s}", m->ip);
10413 @@ -1471,14 +1471,14 @@ void __cpuinit mcheck_cpu_init(struct cp
10416 static DEFINE_SPINLOCK(mce_state_lock);
10417 -static int open_count; /* #times opened */
10418 +static atomic_t open_count; /* #times opened */
10419 static int open_exclu; /* already open exclusive? */
10421 static int mce_open(struct inode *inode, struct file *file)
10423 spin_lock(&mce_state_lock);
10425 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
10426 + if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
10427 spin_unlock(&mce_state_lock);
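Review bot: `open_count` becomes an `atomic_t`, yet every access visible in these hunks (`atomic_read` here, `atomic_inc` in mce_open and `atomic_dec` in mce_release) still happens under `mce_state_lock`, while `open_exclu` beside it stays a plain `int`. If the type change is there for a reader outside the lock or for an overflow-checked counter, that reason should be on the declaration, for example `static atomic_t open_count; /* #times opened; atomic because <reason> */`. As written the two counters look inconsistent, and a later cleanup could revert one of them. mce_open continues outside the hunk.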
10430 @@ -1486,7 +1486,7 @@ static int mce_open(struct inode *inode,
10432 if (file->f_flags & O_EXCL)
10435 + atomic_inc(&open_count);
10437 spin_unlock(&mce_state_lock);
10439 @@ -1497,7 +1497,7 @@ static int mce_release(struct inode *ino
10441 spin_lock(&mce_state_lock);
10444 + atomic_dec(&open_count);
10447 spin_unlock(&mce_state_lock);
10448 @@ -1683,6 +1683,7 @@ static struct miscdevice mce_log_device
10452 + {NULL, NULL}, NULL, NULL
10456 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/generic.c
10457 --- linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/generic.c 2010-08-26 19:47:12.000000000 -0400
10458 +++ linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/generic.c 2010-09-17 20:12:09.000000000 -0400
10459 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
10460 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
10461 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
10462 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
10467 static unsigned long smp_changes_mask;
10468 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/main.c
10469 --- linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/main.c 2010-08-26 19:47:12.000000000 -0400
10470 +++ linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/main.c 2010-09-17 20:12:09.000000000 -0400
10471 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
10472 u64 size_or_mask, size_and_mask;
10473 static bool mtrr_aps_delayed_init;
10475 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
10476 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
10478 const struct mtrr_ops *mtrr_if;
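Review bot: Marking `mtrr_ops[]` as `__read_only` only holds if every store into the array happens before the section is write-protected; the registration code that fills it is not in this hunk, so that ordering should be confirmed and noted in a comment. The pointer actually used for dispatch, `const struct mtrr_ops *mtrr_if;` on the following context line, stays writable, so the table is protected while the pointer selecting an entry is not. If mtrr_if is assigned only during init, `const struct mtrr_ops *mtrr_if __read_only;` would close that gap.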
10480 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/mtrr.h
10481 --- linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-08-26 19:47:12.000000000 -0400
10482 +++ linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-09-17 20:12:09.000000000 -0400
10483 @@ -12,19 +12,19 @@
10484 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
10488 - u32 use_intel_if;
10489 - void (*set)(unsigned int reg, unsigned long base,
10490 + const u32 vendor;
10491 + const u32 use_intel_if;
10492 + void (* const set)(unsigned int reg, unsigned long base,
10493 unsigned long size, mtrr_type type);
10494 - void (*set_all)(void);
10495 + void (* const set_all)(void);
10497 - void (*get)(unsigned int reg, unsigned long *base,
10498 + void (* const get)(unsigned int reg, unsigned long *base,
10499 unsigned long *size, mtrr_type *type);
10500 - int (*get_free_region)(unsigned long base, unsigned long size,
10501 + int (* const get_free_region)(unsigned long base, unsigned long size,
10503 - int (*validate_add_page)(unsigned long base, unsigned long size,
10504 + int (* const validate_add_page)(unsigned long base, unsigned long size,
10505 unsigned int type);
10506 - int (*have_wrcomb)(void);
10507 + int (* const have_wrcomb)(void);
10510 extern int generic_get_free_region(unsigned long base, unsigned long size,
10511 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.35.5/arch/x86/kernel/cpu/perfctr-watchdog.c
10512 --- linux-2.6.35.5/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-08-26 19:47:12.000000000 -0400
10513 +++ linux-2.6.35.5/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-09-17 20:12:09.000000000 -0400
10514 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
10516 /* Interface defining a CPU specific perfctr watchdog */
10518 - int (*reserve)(void);
10519 - void (*unreserve)(void);
10520 - int (*setup)(unsigned nmi_hz);
10521 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10522 - void (*stop)(void);
10523 + int (* const reserve)(void);
10524 + void (* const unreserve)(void);
10525 + int (* const setup)(unsigned nmi_hz);
10526 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10527 + void (* const stop)(void);
10531 @@ -634,6 +634,7 @@ static const struct wd_ops p4_wd_ops = {
10532 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
10533 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
10535 +/* cannot be const, see probe_nmi_watchdog */
10536 static struct wd_ops intel_arch_wd_ops;
10538 static int setup_intel_arch_watchdog(unsigned nmi_hz)
10539 @@ -686,6 +687,7 @@ static int setup_intel_arch_watchdog(uns
10543 +/* cannot be const */
10544 static struct wd_ops intel_arch_wd_ops __read_mostly = {
10545 .reserve = single_msr_reserve,
10546 .unreserve = single_msr_unreserve,
10547 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/perf_event.c linux-2.6.35.5/arch/x86/kernel/cpu/perf_event.c
10548 --- linux-2.6.35.5/arch/x86/kernel/cpu/perf_event.c 2010-08-26 19:47:12.000000000 -0400
10549 +++ linux-2.6.35.5/arch/x86/kernel/cpu/perf_event.c 2010-09-17 20:12:09.000000000 -0400
10550 @@ -1685,7 +1685,7 @@ perf_callchain_user(struct pt_regs *regs
10553 callchain_store(entry, frame.return_address);
10554 - fp = frame.next_frame;
10555 + fp = (__force const void __user *)frame.next_frame;
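Review bot: The `__force` cast on `frame.next_frame` overrides the sparse address-space check at the exact point where a value copied from the user stack becomes the next pointer to be read. Declaring the field as `const void __user *next_frame;` in the frame structure (defined outside this hunk) would keep the annotation checked rather than forced. If the structure cannot be retyped, a short comment next to the cast saying that the value is an untrusted user pointer would help. perf_callchain_user continues outside the hunk.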
10559 diff -urNp linux-2.6.35.5/arch/x86/kernel/crash.c linux-2.6.35.5/arch/x86/kernel/crash.c
10560 --- linux-2.6.35.5/arch/x86/kernel/crash.c 2010-08-26 19:47:12.000000000 -0400
10561 +++ linux-2.6.35.5/arch/x86/kernel/crash.c 2010-09-17 20:12:09.000000000 -0400
10562 @@ -40,7 +40,7 @@ static void kdump_nmi_callback(int cpu,
10565 #ifdef CONFIG_X86_32
10566 - if (!user_mode_vm(regs)) {
10567 + if (!user_mode(regs)) {
10568 crash_fixup_ss_esp(&fixed_regs, regs);
10569 regs = &fixed_regs;
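Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is safe only if user_mode() also treats vm86 frames as user mode; in the unpatched tree user_mode() checks the CS privilege level alone, and the redefinition is not visible in this part of the patch. Without it, a vm86 frame would be handled as a kernel frame by `crash_fixup_ss_esp`. The same substitution appears in show_registers (dumpstack_32.c) and in __die and die (dumpstack.c). I would confirm the new user_mode() definition and add a comment there stating that it covers X86_EFLAGS_VM.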
10571 diff -urNp linux-2.6.35.5/arch/x86/kernel/doublefault_32.c linux-2.6.35.5/arch/x86/kernel/doublefault_32.c
10572 --- linux-2.6.35.5/arch/x86/kernel/doublefault_32.c 2010-08-26 19:47:12.000000000 -0400
10573 +++ linux-2.6.35.5/arch/x86/kernel/doublefault_32.c 2010-09-17 20:12:09.000000000 -0400
10576 #define DOUBLEFAULT_STACKSIZE (1024)
10577 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
10578 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
10579 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
10581 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
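Review bot: The new `-2` in `STACK_START` has no explanation, and since `doublefault_stack` is an array of `unsigned long` it reserves two words, not two bytes, at the top of the stack. A reader cannot tell whether this guards against an access just above the initial stack pointer or serves some other purpose. I would add a comment on the define such as `/* leave two longs free above the initial stack pointer: <reason> */` with the actual reason filled in.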
10583 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
10584 unsigned long gdt, tss;
10586 store_gdt(&gdt_desc);
10587 - gdt = gdt_desc.address;
10588 + gdt = (unsigned long)gdt_desc.address;
10590 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
10592 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
10593 /* 0x2 bit is always set */
10594 .flags = X86_EFLAGS_SF | 0x2,
10597 + .es = __KERNEL_DS,
10601 + .ds = __KERNEL_DS,
10602 .fs = __KERNEL_PERCPU,
10604 .__cr3 = __pa_nodebug(swapper_pg_dir),
10605 diff -urNp linux-2.6.35.5/arch/x86/kernel/dumpstack_32.c linux-2.6.35.5/arch/x86/kernel/dumpstack_32.c
10606 --- linux-2.6.35.5/arch/x86/kernel/dumpstack_32.c 2010-08-26 19:47:12.000000000 -0400
10607 +++ linux-2.6.35.5/arch/x86/kernel/dumpstack_32.c 2010-09-17 20:12:09.000000000 -0400
10608 @@ -107,11 +107,12 @@ void show_registers(struct pt_regs *regs
10609 * When in-kernel, we also print out the stack and code at the
10610 * time of the fault..
10612 - if (!user_mode_vm(regs)) {
10613 + if (!user_mode(regs)) {
10614 unsigned int code_prologue = code_bytes * 43 / 64;
10615 unsigned int code_len = code_bytes;
10618 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
10620 printk(KERN_EMERG "Stack:\n");
10621 show_stack_log_lvl(NULL, regs, ®s->sp,
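Review bot: `cs_base` indexes the GDT with `(0xffff & regs->cs) >> 3` without checking the table-indicator bit or the range, and this runs on the oops path where `regs` may be corrupted. A selector with TI set refers to the LDT, and an index past the last GDT entry reads beyond the table. I would guard it: `unsigned int sel = regs->cs & 0xffff;` followed by `unsigned long cs_base = ((sel & SEGMENT_TI_MASK) || (sel >> 3) >= GDT_ENTRIES) ? 0 : get_desc_base(&get_cpu_gdt_table(smp_processor_id())[sel >> 3]);`. show_registers continues outside the hunk.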
10622 @@ -119,10 +120,10 @@ void show_registers(struct pt_regs *regs
10624 printk(KERN_EMERG "Code: ");
10626 - ip = (u8 *)regs->ip - code_prologue;
10627 + ip = (u8 *)regs->ip - code_prologue + cs_base;
10628 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
10629 /* try starting at IP */
10630 - ip = (u8 *)regs->ip;
10631 + ip = (u8 *)regs->ip + cs_base;
10632 code_len = code_len - code_prologue + 1;
10634 for (i = 0; i < code_len; i++, ip++) {
10635 @@ -131,7 +132,7 @@ void show_registers(struct pt_regs *regs
10636 printk(" Bad EIP value.");
10639 - if (ip == (u8 *)regs->ip)
10640 + if (ip == (u8 *)regs->ip + cs_base)
10641 printk("<%02x> ", c);
10643 printk("%02x ", c);
10644 @@ -144,6 +145,7 @@ int is_valid_bugaddr(unsigned long ip)
10646 unsigned short ud2;
10648 + ip = ktla_ktva(ip);
10649 if (ip < PAGE_OFFSET)
10651 if (probe_kernel_address((unsigned short *)ip, ud2))
10652 diff -urNp linux-2.6.35.5/arch/x86/kernel/dumpstack.c linux-2.6.35.5/arch/x86/kernel/dumpstack.c
10653 --- linux-2.6.35.5/arch/x86/kernel/dumpstack.c 2010-08-26 19:47:12.000000000 -0400
10654 +++ linux-2.6.35.5/arch/x86/kernel/dumpstack.c 2010-09-17 20:12:09.000000000 -0400
10655 @@ -207,7 +207,7 @@ void dump_stack(void)
10658 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
10659 - current->pid, current->comm, current->xid, print_tainted(),
10660 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
10661 init_utsname()->release,
10662 (int)strcspn(init_utsname()->version, " "),
10663 init_utsname()->version);
10664 @@ -263,7 +263,7 @@ void __kprobes oops_end(unsigned long fl
10665 panic("Fatal exception in interrupt");
10667 panic("Fatal exception");
10669 + do_group_exit(signr);
10672 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
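Review bot: The `do_group_exit(signr)` added at the end of oops_end carries no comment, although it decides what survives a kernel oops: the whole thread group of the faulting task is terminated. The line it replaces is not visible in this extract, so I am assuming the previous behaviour ended only the current task. A comment such as `/* after an oops, take down every thread sharing this mm, not just the faulting one */` would record the intent for anyone comparing with mainline. oops_end starts outside the hunk.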
10673 @@ -290,7 +290,7 @@ int __kprobes __die(const char *str, str
10675 show_registers(regs);
10676 #ifdef CONFIG_X86_32
10677 - if (user_mode_vm(regs)) {
10678 + if (user_mode(regs)) {
10680 ss = regs->ss & 0xffff;
10682 @@ -318,7 +318,7 @@ void die(const char *str, struct pt_regs
10683 unsigned long flags = oops_begin();
10686 - if (!user_mode_vm(regs))
10687 + if (!user_mode(regs))
10688 report_bug(regs->ip, regs);
10690 if (__die(str, regs, err))
10691 diff -urNp linux-2.6.35.5/arch/x86/kernel/efi_32.c linux-2.6.35.5/arch/x86/kernel/efi_32.c
10692 --- linux-2.6.35.5/arch/x86/kernel/efi_32.c 2010-08-26 19:47:12.000000000 -0400
10693 +++ linux-2.6.35.5/arch/x86/kernel/efi_32.c 2010-09-17 20:12:09.000000000 -0400
10694 @@ -38,70 +38,38 @@
10697 static unsigned long efi_rt_eflags;
10698 -static pgd_t efi_bak_pg_dir_pointer[2];
10699 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
10701 -void efi_call_phys_prelog(void)
10702 +void __init efi_call_phys_prelog(void)
10704 - unsigned long cr4;
10705 - unsigned long temp;
10706 struct desc_ptr gdt_descr;
10708 local_irq_save(efi_rt_eflags);
10711 - * If I don't have PAE, I should just duplicate two entries in page
10712 - * directory. If I have PAE, I just need to duplicate one entry in
10713 - * page directory.
10715 - cr4 = read_cr4_safe();
10717 - if (cr4 & X86_CR4_PAE) {
10718 - efi_bak_pg_dir_pointer[0].pgd =
10719 - swapper_pg_dir[pgd_index(0)].pgd;
10720 - swapper_pg_dir[0].pgd =
10721 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10723 - efi_bak_pg_dir_pointer[0].pgd =
10724 - swapper_pg_dir[pgd_index(0)].pgd;
10725 - efi_bak_pg_dir_pointer[1].pgd =
10726 - swapper_pg_dir[pgd_index(0x400000)].pgd;
10727 - swapper_pg_dir[pgd_index(0)].pgd =
10728 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10729 - temp = PAGE_OFFSET + 0x400000;
10730 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10731 - swapper_pg_dir[pgd_index(temp)].pgd;
10733 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
10734 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
10735 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
10738 * After the lock is released, the original page table is restored.
10742 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
10743 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
10744 gdt_descr.size = GDT_SIZE - 1;
10745 load_gdt(&gdt_descr);
10748 -void efi_call_phys_epilog(void)
10749 +void __init efi_call_phys_epilog(void)
10751 - unsigned long cr4;
10752 struct desc_ptr gdt_descr;
10754 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
10755 + gdt_descr.address = get_cpu_gdt_table(0);
10756 gdt_descr.size = GDT_SIZE - 1;
10757 load_gdt(&gdt_descr);
10759 - cr4 = read_cr4_safe();
10761 - if (cr4 & X86_CR4_PAE) {
10762 - swapper_pg_dir[pgd_index(0)].pgd =
10763 - efi_bak_pg_dir_pointer[0].pgd;
10765 - swapper_pg_dir[pgd_index(0)].pgd =
10766 - efi_bak_pg_dir_pointer[0].pgd;
10767 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10768 - efi_bak_pg_dir_pointer[1].pgd;
10770 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
10773 * After the lock is released, the original page table is restored.
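Review bot: Marking `efi_call_phys_prelog` and `efi_call_phys_epilog` as `__init` and the backup array as `__initdata` is correct only if no caller runs after init memory is released; the callers are not in this hunk, so that should be verified. A late call would execute freed text and save page-directory entries into freed memory. I would state the constraint above the array, `/* boot-time only: physical-mode EFI calls must not be made after init memory is freed */`. Separately, `gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));` stores a physical address in a pointer-typed field and deserves a comment saying it must not be dereferenced.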
10774 diff -urNp linux-2.6.35.5/arch/x86/kernel/efi_stub_32.S linux-2.6.35.5/arch/x86/kernel/efi_stub_32.S
10775 --- linux-2.6.35.5/arch/x86/kernel/efi_stub_32.S 2010-08-26 19:47:12.000000000 -0400
10776 +++ linux-2.6.35.5/arch/x86/kernel/efi_stub_32.S 2010-09-17 20:12:09.000000000 -0400
10780 #include <linux/linkage.h>
10781 +#include <linux/init.h>
10782 #include <asm/page_types.h>
10786 * service functions will comply with gcc calling convention, too.
10791 ENTRY(efi_call_phys)
10793 * 0. The function can only be called in Linux kernel. So CS has been
10794 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
10795 * The mapping of lower virtual memory has been created in prelog and
10799 - subl $__PAGE_OFFSET, %edx
10801 + jmp 1f-__PAGE_OFFSET
10805 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
10806 * parameter 2, ..., param n. To make things easy, we save the return
10807 * address of efi_call_phys in a global variable.
10810 - movl %edx, saved_return_addr
10811 - /* get the function pointer into ECX*/
10813 - movl %ecx, efi_rt_function_ptr
10815 - subl $__PAGE_OFFSET, %edx
10817 + popl (saved_return_addr)
10818 + popl (efi_rt_function_ptr)
10821 * 3. Clear PG bit in %CR0.
10822 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
10824 * 5. Call the physical function.
10827 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
10831 * 6. After EFI runtime service returns, control will return to
10832 * following instruction. We'd better readjust stack pointer first.
10833 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
10835 orl $0x80000000, %edx
10841 * 8. Now restore the virtual mode from flat mode by
10842 * adding EIP with PAGE_OFFSET.
10846 + jmp 1f+__PAGE_OFFSET
10850 * 9. Balance the stack. And because EAX contain the return value,
10851 * we'd better not clobber it.
10853 - leal efi_rt_function_ptr, %edx
10854 - movl (%edx), %ecx
10856 + pushl (efi_rt_function_ptr)
10859 - * 10. Push the saved return address onto the stack and return.
10860 + * 10. Return to the saved return address.
10862 - leal saved_return_addr, %edx
10863 - movl (%edx), %ecx
10866 + jmpl *(saved_return_addr)
10867 ENDPROC(efi_call_phys)
10874 efi_rt_function_ptr:
10875 diff -urNp linux-2.6.35.5/arch/x86/kernel/entry_32.S linux-2.6.35.5/arch/x86/kernel/entry_32.S
10876 --- linux-2.6.35.5/arch/x86/kernel/entry_32.S 2010-08-26 19:47:12.000000000 -0400
10877 +++ linux-2.6.35.5/arch/x86/kernel/entry_32.S 2010-09-17 20:12:09.000000000 -0400
10878 @@ -192,7 +192,67 @@
10880 #endif /* CONFIG_X86_32_LAZY_GS */
10883 +.macro PAX_EXIT_KERNEL
10884 +#ifdef CONFIG_PAX_KERNEXEC
10885 +#ifdef CONFIG_PARAVIRT
10886 + push %eax; push %ecx;
10889 + cmp $__KERNEXEC_KERNEL_CS, %esi
10891 +#ifdef CONFIG_PARAVIRT
10892 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
10898 + ljmp $__KERNEL_CS, $1f
10900 +#ifdef CONFIG_PARAVIRT
10902 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
10907 +#ifdef CONFIG_PARAVIRT
10908 + pop %ecx; pop %eax
10913 +.macro PAX_ENTER_KERNEL
10914 +#ifdef CONFIG_PAX_KERNEXEC
10915 +#ifdef CONFIG_PARAVIRT
10916 + push %eax; push %ecx;
10917 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
10925 + cmp $__KERNEL_CS, %esi
10927 + ljmp $__KERNEL_CS, $3f
10928 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
10930 +#ifdef CONFIG_PARAVIRT
10932 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
10937 +#ifdef CONFIG_PARAVIRT
10938 + pop %ecx; pop %eax
10943 +.macro __SAVE_ALL _DS
10947 @@ -225,7 +285,7 @@
10949 CFI_ADJUST_CFA_OFFSET 4
10950 CFI_REL_OFFSET ebx, 0
10951 - movl $(__USER_DS), %edx
10955 movl $(__KERNEL_PERCPU), %edx
10956 @@ -233,6 +293,15 @@
10961 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
10962 + __SAVE_ALL __KERNEL_DS
10965 + __SAVE_ALL __USER_DS
10969 .macro RESTORE_INT_REGS
10971 CFI_ADJUST_CFA_OFFSET -4
10972 @@ -357,7 +426,15 @@ check_userspace:
10973 movb PT_CS(%esp), %al
10974 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
10975 cmpl $USER_RPL, %eax
10977 +#ifdef CONFIG_PAX_KERNEXEC
10978 + jae resume_userspace
10981 + jmp resume_kernel
10983 jb resume_kernel # not returning to v8086 or userspace
10986 ENTRY(resume_userspace)
10988 @@ -423,10 +500,9 @@ sysenter_past_esp:
10989 /*CFI_REL_OFFSET cs, 0*/
10991 * Push current_thread_info()->sysenter_return to the stack.
10992 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
10993 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
10995 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
10996 + GET_THREAD_INFO(%ebp)
10997 + pushl TI_sysenter_return(%ebp)
10998 CFI_ADJUST_CFA_OFFSET 4
10999 CFI_REL_OFFSET eip, 0
11001 @@ -439,9 +515,19 @@ sysenter_past_esp:
11002 * Load the potential sixth argument from user stack.
11003 * Careful about security.
11005 + movl PT_OLDESP(%esp),%ebp
11007 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11008 + mov PT_OLDSS(%esp),%ds
11009 +1: movl %ds:(%ebp),%ebp
11013 cmpl $__PAGE_OFFSET-3,%ebp
11015 1: movl (%ebp),%ebp
11018 movl %ebp,PT_EBP(%esp)
11019 .section __ex_table,"a"
11021 @@ -464,12 +550,23 @@ sysenter_do_call:
11022 testl $_TIF_ALLWORK_MASK, %ecx
11026 +#ifdef CONFIG_PAX_RANDKSTACK
11028 + CFI_ADJUST_CFA_OFFSET 4
11029 + call pax_randomize_kstack
11031 + CFI_ADJUST_CFA_OFFSET -4
11034 /* if something modifies registers it must also disable sysexit */
11035 movl PT_EIP(%esp), %edx
11036 movl PT_OLDESP(%esp), %ecx
11039 1: mov PT_FS(%esp), %fs
11040 +2: mov PT_DS(%esp), %ds
11041 +3: mov PT_ES(%esp), %es
11043 ENABLE_INTERRUPTS_SYSEXIT
11045 @@ -513,11 +610,17 @@ sysexit_audit:
11048 .pushsection .fixup,"ax"
11049 -2: movl $0,PT_FS(%esp)
11050 +4: movl $0,PT_FS(%esp)
11052 +5: movl $0,PT_DS(%esp)
11054 +6: movl $0,PT_ES(%esp)
11056 .section __ex_table,"a"
11064 ENDPROC(ia32_sysenter_target)
11065 @@ -551,6 +654,10 @@ syscall_exit:
11066 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11067 jne syscall_exit_work
11069 +#ifdef CONFIG_PAX_RANDKSTACK
11070 + call pax_randomize_kstack
11075 restore_all_notrace:
11076 @@ -615,7 +722,13 @@ ldt_ss:
11077 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11078 mov %dx, %ax /* eax: new kernel esp */
11079 sub %eax, %edx /* offset (low word is 0) */
11080 - PER_CPU(gdt_page, %ebx)
11082 + movl PER_CPU_VAR(cpu_number), %ebx
11083 + shll $PAGE_SHIFT_asm, %ebx
11084 + addl $cpu_gdt_table, %ebx
11086 + movl $cpu_gdt_table, %ebx
11089 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
11090 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
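Review bot: The replacement for `PER_CPU(gdt_page, %ebx)` computes the GDT address as `cpu_number << PAGE_SHIFT_asm` plus `cpu_gdt_table`, which silently assumes that each CPU's GDT occupies exactly one page in a contiguous array. Nothing in the hunk states that layout, and the definition of cpu_gdt_table is outside this extract. I would add `/* cpu_gdt_table holds one page-sized GDT per CPU, indexed by cpu_number */` above the sequence. The same three instructions are repeated in the stack-fixup hunk after ptregs_clone, so a small macro would keep the two copies from drifting apart.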
11091 @@ -655,25 +768,19 @@ work_resched:
11093 work_notifysig: # deal with pending signals and
11094 # notify-resume requests
11097 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11099 - jne work_notifysig_v86 # returning to kernel-space or
11100 + jz 1f # returning to kernel-space or
11103 - call do_notify_resume
11104 - jmp resume_userspace_sig
11107 -work_notifysig_v86:
11108 pushl %ecx # save ti_flags for do_notify_resume
11109 CFI_ADJUST_CFA_OFFSET 4
11110 call save_v86_state # %eax contains pt_regs pointer
11112 CFI_ADJUST_CFA_OFFSET -4
11119 call do_notify_resume
11120 @@ -708,6 +815,10 @@ END(syscall_exit_work)
11122 RING0_INT_FRAME # can't unwind into user space anyway
11124 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11128 GET_THREAD_INFO(%ebp)
11129 movl $-EFAULT,PT_EAX(%esp)
11130 jmp resume_userspace
11131 @@ -791,7 +902,13 @@ ptregs_clone:
11132 * normal stack and adjusts ESP with the matching offset.
11134 /* fixup the stack */
11135 - PER_CPU(gdt_page, %ebx)
11137 + movl PER_CPU_VAR(cpu_number), %ebx
11138 + shll $PAGE_SHIFT_asm, %ebx
11139 + addl $cpu_gdt_table, %ebx
11141 + movl $cpu_gdt_table, %ebx
11143 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
11144 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
11146 @@ -1273,7 +1390,6 @@ return_to_handler:
11150 -.section .rodata,"a"
11151 #include "syscall_table_32.S"
11153 syscall_table_size=(.-sys_call_table)
11154 @@ -1330,9 +1446,12 @@ error_code:
11155 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11158 - movl $(__USER_DS), %ecx
11159 + movl $(__KERNEL_DS), %ecx
11166 movl %esp,%eax # pt_regs pointer
11168 @@ -1426,6 +1545,9 @@ nmi_stack_correct:
11169 xorl %edx,%edx # zero error code
11170 movl %esp,%eax # pt_regs pointer
11175 jmp restore_all_notrace
11178 @@ -1466,6 +1588,9 @@ nmi_espfix_stack:
11179 FIXUP_ESPFIX_STACK # %eax == %esp
11180 xorl %edx,%edx # zero error code
11186 lss 12+4(%esp), %esp # back to espfix stack
11187 CFI_ADJUST_CFA_OFFSET -24
11188 diff -urNp linux-2.6.35.5/arch/x86/kernel/entry_64.S linux-2.6.35.5/arch/x86/kernel/entry_64.S
11189 --- linux-2.6.35.5/arch/x86/kernel/entry_64.S 2010-08-26 19:47:12.000000000 -0400
11190 +++ linux-2.6.35.5/arch/x86/kernel/entry_64.S 2010-09-17 20:12:09.000000000 -0400
11192 #include <asm/paravirt.h>
11193 #include <asm/ftrace.h>
11194 #include <asm/percpu.h>
11195 +#include <asm/pgtable.h>
11197 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11198 #include <linux/elf-em.h>
11199 @@ -174,6 +175,189 @@ ENTRY(native_usergs_sysret64)
11200 ENDPROC(native_usergs_sysret64)
11201 #endif /* CONFIG_PARAVIRT */
11203 + .macro ljmpq sel, off
11204 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11205 + .byte 0x48; ljmp *1234f(%rip)
11206 + .pushsection .rodata
11208 + 1234: .quad \off; .word \sel
11217 +ENTRY(pax_enter_kernel)
11219 +#ifdef CONFIG_PAX_KERNEXEC
11222 +#ifdef CONFIG_PARAVIRT
11223 + PV_SAVE_REGS(CLBR_RDI)
11230 + cmp $__KERNEL_CS,%edi
11232 + ljmpq __KERNEL_CS,3f
11233 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
11234 +2: SET_RDI_INTO_CR0
11237 +#ifdef CONFIG_PARAVIRT
11238 + PV_RESTORE_REGS(CLBR_RDI)
11245 +ENDPROC(pax_enter_kernel)
11247 +ENTRY(pax_exit_kernel)
11249 +#ifdef CONFIG_PAX_KERNEXEC
11252 +#ifdef CONFIG_PARAVIRT
11253 + PV_SAVE_REGS(CLBR_RDI)
11257 + cmp $__KERNEXEC_KERNEL_CS,%edi
11261 + ljmpq __KERNEL_CS,1f
11262 +1: SET_RDI_INTO_CR0
11265 +#ifdef CONFIG_PARAVIRT
11266 + PV_RESTORE_REGS(CLBR_RDI);
11273 +ENDPROC(pax_exit_kernel)
11275 +ENTRY(pax_enter_kernel_user)
11277 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11281 +#ifdef CONFIG_PARAVIRT
11282 + PV_SAVE_REGS(CLBR_RDI)
11287 + add $__START_KERNEL_map,%rbx
11288 + sub phys_base(%rip),%rbx
11290 +#ifdef CONFIG_PARAVIRT
11292 + cmpl $0, pv_info+PARAVIRT_enabled
11295 + .rept USER_PGD_PTRS
11296 + mov i*8(%rbx),%rsi
11298 + lea i*8(%rbx),%rdi
11299 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11307 + .rept USER_PGD_PTRS
11308 + movb $0,i*8(%rbx)
11312 +#ifdef CONFIG_PARAVIRT
11317 +#ifdef CONFIG_PAX_KERNEXEC
11323 +#ifdef CONFIG_PARAVIRT
11324 + PV_RESTORE_REGS(CLBR_RDI)
11332 +ENDPROC(pax_enter_kernel_user)
11334 +ENTRY(pax_exit_kernel_user)
11336 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11339 +#ifdef CONFIG_PARAVIRT
11341 + PV_SAVE_REGS(CLBR_RDI)
11344 +#ifdef CONFIG_PAX_KERNEXEC
11351 + add $__START_KERNEL_map,%rdi
11352 + sub phys_base(%rip),%rdi
11354 +#ifdef CONFIG_PARAVIRT
11355 + cmpl $0, pv_info+PARAVIRT_enabled
11359 + .rept USER_PGD_PTRS
11360 + mov i*8(%rbx),%rsi
11362 + lea i*8(%rbx),%rdi
11363 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11371 + .rept USER_PGD_PTRS
11372 + movb $0x67,i*8(%rdi)
11376 +#ifdef CONFIG_PARAVIRT
11377 +2: PV_RESTORE_REGS(CLBR_RDI)
11385 +ENDPROC(pax_exit_kernel_user)
11387 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
11388 #ifdef CONFIG_TRACE_IRQFLAGS
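Review bot: The byte stores `movb $0,i*8(%rbx)` in pax_enter_kernel_user and `movb $0x67,i*8(%rdi)` in pax_exit_kernel_user rely on an unexplained constant. 0x67 is the PRESENT|RW|USER|ACCESSED|DIRTY flag byte of a page-table entry, so the pair appears to clear and restore the low flag byte of the first USER_PGD_PTRS PGD slots on kernel entry and exit. A comment such as `/* low byte of each user PGD slot: 0 = not present, 0x67 = present/rw/user/accessed/dirty */` would make that invariant reviewable; if `_PAGE_TABLE` is usable from assembly in this file, the symbolic form is preferable. Several lines of these routines are missing from the listing, so the register setup around the stores cannot be checked from this hunk.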
11389 @@ -317,7 +501,7 @@ ENTRY(save_args)
11390 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
11391 movq_cfi rbp, 8 /* push %rbp */
11392 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
11393 - testl $3, CS(%rdi)
11394 + testb $3, CS(%rdi)
11398 @@ -409,7 +593,7 @@ ENTRY(ret_from_fork)
11402 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11403 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11404 je int_ret_from_sys_call
11406 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
11407 @@ -468,6 +652,11 @@ ENTRY(system_call_after_swapgs)
11409 movq %rsp,PER_CPU_VAR(old_rsp)
11410 movq PER_CPU_VAR(kernel_stack),%rsp
11412 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11413 + call pax_enter_kernel_user
11417 * No need to follow this irqs off/on section - it's straight
11419 @@ -502,6 +691,11 @@ sysret_check:
11424 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11425 + call pax_exit_kernel_user
11429 * sysretq will re-enable interrupts:
11431 @@ -613,7 +807,7 @@ tracesys:
11432 GLOBAL(int_ret_from_sys_call)
11433 DISABLE_INTERRUPTS(CLBR_NONE)
11435 - testl $3,CS-ARGOFFSET(%rsp)
11436 + testb $3,CS-ARGOFFSET(%rsp)
11437 je retint_restore_args
11438 movl $_TIF_ALLWORK_MASK,%edi
11439 /* edi: mask to check */
11440 @@ -800,6 +994,16 @@ END(interrupt)
11441 CFI_ADJUST_CFA_OFFSET 10*8
11444 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11445 + testb $3, CS(%rdi)
11447 + call pax_enter_kernel
11449 +1: call pax_enter_kernel_user
11452 + call pax_enter_kernel
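Review bot: The entry sequence added here under CONFIG_PAX_MEMORY_UDEREF (`testb $3, CS(%rdi)` followed by `call pax_enter_kernel` or `call pax_enter_kernel_user`) is repeated almost verbatim in the five ENTRY(\sym) hunks below, with `CS(%rsp)`, and again in the ENTRY(nmi) hunk. Seven hand-copied copies of a privilege-transition prologue are easy to get out of step when one of them is changed later. Folding it into a single assembler macro that takes the CS operand as its argument would keep every entry path on the same logic. The code surrounding the block continues outside the hunk.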
11457 @@ -826,7 +1030,7 @@ ret_from_intr:
11458 CFI_ADJUST_CFA_OFFSET -8
11460 GET_THREAD_INFO(%rcx)
11461 - testl $3,CS-ARGOFFSET(%rsp)
11462 + testb $3,CS-ARGOFFSET(%rsp)
11465 /* Interrupt came from user space */
11466 @@ -848,12 +1052,18 @@ retint_swapgs: /* return to user-space
11467 * The iretq could re-enable interrupts:
11469 DISABLE_INTERRUPTS(CLBR_ANY)
11471 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11472 + call pax_exit_kernel_user
11479 retint_restore_args: /* return to kernel space */
11480 DISABLE_INTERRUPTS(CLBR_ANY)
11481 + call pax_exit_kernel
11483 * The iretq could re-enable interrupts:
11485 @@ -1040,6 +1250,16 @@ ENTRY(\sym)
11486 CFI_ADJUST_CFA_OFFSET 15*8
11489 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11490 + testb $3, CS(%rsp)
11492 + call pax_enter_kernel
11494 +1: call pax_enter_kernel_user
11497 + call pax_enter_kernel
11499 movq %rsp,%rdi /* pt_regs pointer */
11500 xorl %esi,%esi /* no error code */
11502 @@ -1057,6 +1277,16 @@ ENTRY(\sym)
11506 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11507 + testb $3, CS(%rsp)
11509 + call pax_enter_kernel
11511 +1: call pax_enter_kernel_user
11514 + call pax_enter_kernel
11516 movq %rsp,%rdi /* pt_regs pointer */
11517 xorl %esi,%esi /* no error code */
11519 @@ -1074,9 +1304,24 @@ ENTRY(\sym)
11523 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11524 + testb $3, CS(%rsp)
11526 + call pax_enter_kernel
11528 +1: call pax_enter_kernel_user
11531 + call pax_enter_kernel
11533 movq %rsp,%rdi /* pt_regs pointer */
11534 xorl %esi,%esi /* no error code */
11535 - PER_CPU(init_tss, %r12)
11537 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
11538 + lea init_tss(%r12), %r12
11540 + lea init_tss(%rip), %r12
11542 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
11544 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
11545 @@ -1093,6 +1338,16 @@ ENTRY(\sym)
11546 CFI_ADJUST_CFA_OFFSET 15*8
11549 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11550 + testb $3, CS(%rsp)
11552 + call pax_enter_kernel
11554 +1: call pax_enter_kernel_user
11557 + call pax_enter_kernel
11559 movq %rsp,%rdi /* pt_regs pointer */
11560 movq ORIG_RAX(%rsp),%rsi /* get error code */
11561 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11562 @@ -1112,6 +1367,16 @@ ENTRY(\sym)
11566 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11567 + testb $3, CS(%rsp)
11569 + call pax_enter_kernel
11571 +1: call pax_enter_kernel_user
11574 + call pax_enter_kernel
11576 movq %rsp,%rdi /* pt_regs pointer */
11577 movq ORIG_RAX(%rsp),%rsi /* get error code */
11578 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11579 @@ -1370,14 +1635,27 @@ ENTRY(paranoid_exit)
11581 testl %ebx,%ebx /* swapgs needed? */
11582 jnz paranoid_restore
11583 - testl $3,CS(%rsp)
11584 + testb $3,CS(%rsp)
11585 jnz paranoid_userspace
11586 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11587 + call pax_exit_kernel
11588 + TRACE_IRQS_IRETQ 0
11589 + SWAPGS_UNSAFE_STACK
11594 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11595 + call pax_exit_kernel_user
11597 + call pax_exit_kernel
11600 SWAPGS_UNSAFE_STACK
11604 + call pax_exit_kernel
11608 @@ -1435,7 +1713,7 @@ ENTRY(error_entry)
11609 movq_cfi r14, R14+8
11610 movq_cfi r15, R15+8
11612 - testl $3,CS+8(%rsp)
11613 + testb $3,CS+8(%rsp)
11614 je error_kernelspace
11617 @@ -1499,6 +1777,16 @@ ENTRY(nmi)
11618 CFI_ADJUST_CFA_OFFSET 15*8
11621 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11622 + testb $3, CS(%rsp)
11624 + call pax_enter_kernel
11626 +1: call pax_enter_kernel_user
11629 + call pax_enter_kernel
11631 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
11634 @@ -1509,11 +1797,12 @@ ENTRY(nmi)
11635 DISABLE_INTERRUPTS(CLBR_NONE)
11636 testl %ebx,%ebx /* swapgs needed? */
11638 - testl $3,CS(%rsp)
11639 + testb $3,CS(%rsp)
11642 SWAPGS_UNSAFE_STACK
11644 + call pax_exit_kernel
11648 diff -urNp linux-2.6.35.5/arch/x86/kernel/ftrace.c linux-2.6.35.5/arch/x86/kernel/ftrace.c
11649 --- linux-2.6.35.5/arch/x86/kernel/ftrace.c 2010-08-26 19:47:12.000000000 -0400
11650 +++ linux-2.6.35.5/arch/x86/kernel/ftrace.c 2010-09-17 20:12:09.000000000 -0400
11651 @@ -174,7 +174,9 @@ void ftrace_nmi_enter(void)
11653 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
11655 + pax_open_kernel();
11657 + pax_close_kernel();
11658 atomic_inc(&nmi_update_count);
11660 /* Must have previous changes seen before executions */
11661 @@ -260,7 +262,7 @@ do_ftrace_mod_code(unsigned long ip, voi
11665 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
11666 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
11668 static unsigned char *ftrace_nop_replace(void)
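Review bot: `ftrace_nop` is now `__read_only`, but ftrace_dyn_arch_init() in a later hunk still fills it with `memcpy(ftrace_nop, ...)`, and no `pax_open_kernel()`/`pax_close_kernel()` pair is visible around those writes. That works only if the init function runs before the read-only section is actually write-protected; presumably it does, since it is `__init`, but the dependency is implicit. A comment on the declaration, e.g. `/* written once from ftrace_dyn_arch_init(), before read-only data is protected */`, would record the ordering requirement.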
11670 @@ -273,6 +275,8 @@ ftrace_modify_code(unsigned long ip, uns
11672 unsigned char replaced[MCOUNT_INSN_SIZE];
11674 + ip = ktla_ktva(ip);
11677 * Note: Due to modules and __init, code can
11678 * disappear and change, we need to protect against faulting
11679 @@ -329,7 +333,7 @@ int ftrace_update_ftrace_func(ftrace_fun
11680 unsigned char old[MCOUNT_INSN_SIZE], *new;
11683 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
11684 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
11685 new = ftrace_call_replace(ip, (unsigned long)func);
11686 ret = ftrace_modify_code(ip, old, new);
11688 @@ -382,15 +386,15 @@ int __init ftrace_dyn_arch_init(void *da
11691 pr_info("converting mcount calls to 0f 1f 44 00 00\n");
11692 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
11693 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
11696 pr_info("converting mcount calls to 66 66 66 66 90\n");
11697 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
11698 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
11701 pr_info("converting mcount calls to jmp . + 5\n");
11702 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
11703 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
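Review bot: The three `memcpy(ftrace_nop, ktla_ktva(ftrace_test_...), MCOUNT_INSN_SIZE)` calls pass the symbol straight into `ktla_ktva()` and its result straight into memcpy, while ftrace_update_ftrace_func() in the previous hunk writes `(void *)ktla_ktva((unsigned long)ftrace_call)`. ktla_ktva() is not defined in this part of the patch; if it takes and returns `unsigned long`, as that other call site suggests, these lines depend on implicit pointer/integer conversions. Using one form everywhere, `memcpy(ftrace_nop, (void *)ktla_ktva((unsigned long)ftrace_test_p6nop), MCOUNT_INSN_SIZE);`, keeps the call sites consistent. The function body continues outside the hunk.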
11707 @@ -411,6 +415,8 @@ static int ftrace_mod_jmp(unsigned long
11709 unsigned char code[MCOUNT_INSN_SIZE];
11711 + ip = ktla_ktva(ip);
11713 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
11716 diff -urNp linux-2.6.35.5/arch/x86/kernel/head32.c linux-2.6.35.5/arch/x86/kernel/head32.c
11717 --- linux-2.6.35.5/arch/x86/kernel/head32.c 2010-08-26 19:47:12.000000000 -0400
11718 +++ linux-2.6.35.5/arch/x86/kernel/head32.c 2010-09-17 20:12:09.000000000 -0400
11720 #include <asm/apic.h>
11721 #include <asm/io_apic.h>
11722 #include <asm/bios_ebda.h>
11723 +#include <asm/boot.h>
11725 static void __init i386_default_early_setup(void)
11727 @@ -40,7 +41,7 @@ void __init i386_start_kernel(void)
11731 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11732 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11734 #ifdef CONFIG_BLK_DEV_INITRD
11735 /* Reserve INITRD */
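Review bot: `reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS")` replaces the address of `_text` with a build-time constant, and no #ifdef is visible around the change. If the kernel can be loaded at an address other than LOAD_PHYSICAL_ADDR, as in a relocatable build, the start of the reserved range no longer tracks where the image actually is. Either guard the new line with the option that needs it and keep `__pa_symbol(&_text)` otherwise, or add a comment stating why the two are equal in every supported configuration. i386_start_kernel() continues outside the hunk.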
11736 diff -urNp linux-2.6.35.5/arch/x86/kernel/head_32.S linux-2.6.35.5/arch/x86/kernel/head_32.S
11737 --- linux-2.6.35.5/arch/x86/kernel/head_32.S 2010-08-26 19:47:12.000000000 -0400
11738 +++ linux-2.6.35.5/arch/x86/kernel/head_32.S 2010-09-17 20:12:09.000000000 -0400
11740 /* Physical address */
11741 #define pa(X) ((X) - __PAGE_OFFSET)
11743 +#ifdef CONFIG_PAX_KERNEXEC
11746 +#define ta(X) ((X) - __PAGE_OFFSET)
11750 * References to members of the new_cpu_data structure.
11753 * and small than max_low_pfn, otherwise will waste some page table entries
11756 -#if PTRS_PER_PMD > 1
11757 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
11759 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
11761 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
11763 /* Enough space to fit pagetables for the low memory linear map */
11764 MAPPING_BEYOND_END = \
11765 @@ -75,6 +77,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
11766 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
11769 + * Real beginning of normal "text" segment
11775 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
11776 * %esi points to the real-mode code as a 32-bit pointer.
11777 * CS and DS must be 4 GB flat segments, but we don't depend on
11778 @@ -82,6 +90,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
11783 +#ifdef CONFIG_PAX_KERNEXEC
11785 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
11786 +.fill PAGE_SIZE-5,1,0xcc
11790 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
11791 us to not reload segments */
11792 @@ -99,6 +114,55 @@ ENTRY(startup_32)
11797 + movl $pa(cpu_gdt_table),%edi
11798 + movl $__per_cpu_load,%eax
11799 + movw %ax,__KERNEL_PERCPU + 2(%edi)
11801 + movb %al,__KERNEL_PERCPU + 4(%edi)
11802 + movb %ah,__KERNEL_PERCPU + 7(%edi)
11803 + movl $__per_cpu_end - 1,%eax
11804 + subl $__per_cpu_start,%eax
11805 + movw %ax,__KERNEL_PERCPU + 0(%edi)
11808 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11809 + movl $NR_CPUS,%ecx
11810 + movl $pa(cpu_gdt_table),%edi
11812 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
11813 + addl $PAGE_SIZE_asm,%edi
11817 +#ifdef CONFIG_PAX_KERNEXEC
11818 + movl $pa(boot_gdt),%edi
11819 + movl $__LOAD_PHYSICAL_ADDR,%eax
11820 + movw %ax,__BOOT_CS + 2(%edi)
11822 + movb %al,__BOOT_CS + 4(%edi)
11823 + movb %ah,__BOOT_CS + 7(%edi)
11826 + ljmp $(__BOOT_CS),$1f
11829 + movl $NR_CPUS,%ecx
11830 + movl $pa(cpu_gdt_table),%edi
11831 + addl $__PAGE_OFFSET,%eax
11833 + movw %ax,__KERNEL_CS + 2(%edi)
11834 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
11836 + movb %al,__KERNEL_CS + 4(%edi)
11837 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
11838 + movb %ah,__KERNEL_CS + 7(%edi)
11839 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
11841 + addl $PAGE_SIZE_asm,%edi
11846 * Clear BSS first so that there are no surprises...
11848 @@ -142,9 +206,7 @@ ENTRY(startup_32)
11849 cmpl $num_subarch_entries, %eax
11852 - movl pa(subarch_entries)(,%eax,4), %eax
11853 - subl $__PAGE_OFFSET, %eax
11855 + jmp *pa(subarch_entries)(,%eax,4)
11859 @@ -156,10 +218,10 @@ WEAK(xen_entry)
11863 - .long default_entry /* normal x86/PC */
11864 - .long lguest_entry /* lguest hypervisor */
11865 - .long xen_entry /* Xen hypervisor */
11866 - .long default_entry /* Moorestown MID */
11867 + .long ta(default_entry) /* normal x86/PC */
11868 + .long ta(lguest_entry) /* lguest hypervisor */
11869 + .long ta(xen_entry) /* Xen hypervisor */
11870 + .long ta(default_entry) /* Moorestown MID */
11871 num_subarch_entries = (. - subarch_entries) / 4
11873 #endif /* CONFIG_PARAVIRT */
11874 @@ -220,8 +282,11 @@ default_entry:
11875 movl %eax, pa(max_pfn_mapped)
11877 /* Do early initialization of the fixmap area */
11878 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
11879 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
11880 +#ifdef CONFIG_COMPAT_VDSO
11881 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
11883 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
11885 #else /* Not PAE */
11887 page_pde_offset = (__PAGE_OFFSET >> 20);
11888 @@ -251,8 +316,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
11889 movl %eax, pa(max_pfn_mapped)
11891 /* Do early initialization of the fixmap area */
11892 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
11893 - movl %eax,pa(swapper_pg_dir+0xffc)
11894 +#ifdef CONFIG_COMPAT_VDSO
11895 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
11897 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
11902 @@ -299,6 +367,7 @@ ENTRY(startup_32_smp)
11906 +#ifdef CONFIG_X86_PAE
11907 testb $X86_CR4_PAE, %al # check if PAE is enabled
11910 @@ -323,6 +392,9 @@ ENTRY(startup_32_smp)
11911 /* Make changes effective */
11914 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
11920 @@ -348,9 +420,7 @@ ENTRY(startup_32_smp)
11924 - jz 1f /* Initial CPU cleans BSS */
11927 + jnz checkCPUtype /* Initial CPU cleans BSS */
11928 #endif /* CONFIG_SMP */
11931 @@ -428,7 +498,7 @@ is386: movl $2,%ecx # set MP
11932 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
11933 movl %eax,%ss # after changing gdt.
11935 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
11936 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
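Review bot: The added line `# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment` leaves a commented-out instruction in the boot path. %eax already holds `__KERNEL_DS` from the `movl $(__KERNEL_DS),%eax` at label 1 above, so the reload is redundant, but a disabled instruction reads as unfinished work and hides that dependency. Replace it with a plain comment, `# %eax still holds __KERNEL_DS: DS/ES use the kernel segment`. The instructions that consume %eax are not among the visible lines.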
11940 @@ -442,8 +512,11 @@ is386: movl $2,%ecx # set MP
11944 - movl $gdt_page,%eax
11945 + movl $cpu_gdt_table,%eax
11946 movl $stack_canary,%ecx
11948 + addl $__per_cpu_load,%ecx
11950 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
11952 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
11953 @@ -461,10 +534,6 @@ is386: movl $2,%ecx # set MP
11957 - cmpb $0,%cl # the first CPU calls start_kernel
11959 - movl (stack_start), %esp
11961 #endif /* CONFIG_SMP */
11962 jmp *(initial_code)
11964 @@ -550,22 +619,22 @@ early_page_fault:
11969 #ifdef CONFIG_PRINTK
11970 + cmpl $1,%ss:early_recursion_flag
11972 + incl %ss:early_recursion_flag
11975 movl $(__KERNEL_DS),%eax
11978 - cmpl $2,early_recursion_flag
11980 - incl early_recursion_flag
11983 pushl %edx /* trapno */
11992 @@ -573,8 +642,11 @@ hlt_loop:
11993 /* This is the default interrupt "handler" :-) */
11997 #ifdef CONFIG_PRINTK
11998 + cmpl $2,%ss:early_recursion_flag
12000 + incl %ss:early_recursion_flag
12005 @@ -583,9 +655,6 @@ ignore_int:
12006 movl $(__KERNEL_DS),%eax
12009 - cmpl $2,early_recursion_flag
12011 - incl early_recursion_flag
12015 @@ -612,27 +681,38 @@ ENTRY(initial_code)
12019 -__PAGE_ALIGNED_BSS
12020 - .align PAGE_SIZE_asm
12021 #ifdef CONFIG_X86_PAE
12022 +.section .swapper_pg_pmd,"a",@progbits
12024 .fill 1024*KPMDS,4,0
12026 +.section .swapper_pg_dir,"a",@progbits
12027 ENTRY(swapper_pg_dir)
12034 +.section .empty_zero_page,"a",@progbits
12035 ENTRY(empty_zero_page)
12039 + * The IDT has to be page-aligned to simplify the Pentium
12040 + * F0 0F bug workaround.. We have a special link segment
12043 +.section .idt,"a",@progbits
12048 * This starts the data section.
12050 #ifdef CONFIG_X86_PAE
12051 -__PAGE_ALIGNED_DATA
12052 - /* Page-aligned for the benefit of paravirt? */
12053 - .align PAGE_SIZE_asm
12054 +.section .swapper_pg_dir,"a",@progbits
12056 ENTRY(swapper_pg_dir)
12057 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
12059 @@ -651,15 +731,24 @@ ENTRY(swapper_pg_dir)
12060 # error "Kernel PMDs should be 1, 2 or 3"
12062 .align PAGE_SIZE_asm /* needs to be page-sized too */
12064 +#ifdef CONFIG_PAX_PER_CPU_PGD
12075 - .long init_thread_union+THREAD_SIZE
12076 + .long init_thread_union+THREAD_SIZE-8
12081 +.section .rodata,"a",@progbits
12082 early_recursion_flag:
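Review bot: `early_recursion_flag` now sits directly after the added `.section .rodata,"a",@progbits`, yet the early exception handlers changed earlier in this file still modify it with `incl %ss:early_recursion_flag`. A counter that is written at run time is being placed in a read-only section, which is safe only if those handlers can no longer run once the section is write-protected. If that holds, say so next to the label (`/* incremented only by the early handlers, before read-only data is protected */`); otherwise keep the flag in a writable section.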
12085 @@ -695,7 +784,7 @@ fault_msg:
12086 .word 0 # 32 bit align gdt_desc.address
12089 - .long boot_gdt - __PAGE_OFFSET
12090 + .long pa(boot_gdt)
12092 .word 0 # 32-bit align idt_desc.address
12094 @@ -706,7 +795,7 @@ idt_descr:
12095 .word 0 # 32 bit align gdt_desc.address
12096 ENTRY(early_gdt_descr)
12097 .word GDT_ENTRIES*8-1
12098 - .long gdt_page /* Overwritten for secondary CPUs */
12099 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
12102 * The boot_gdt must mirror the equivalent in setup.S and is
12103 @@ -715,5 +804,65 @@ ENTRY(early_gdt_descr)
12104 .align L1_CACHE_BYTES
12106 .fill GDT_ENTRY_BOOT_CS,8,0
12107 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12108 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12109 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12110 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12112 + .align PAGE_SIZE_asm
12113 +ENTRY(cpu_gdt_table)
12115 + .quad 0x0000000000000000 /* NULL descriptor */
12116 + .quad 0x0000000000000000 /* 0x0b reserved */
12117 + .quad 0x0000000000000000 /* 0x13 reserved */
12118 + .quad 0x0000000000000000 /* 0x1b reserved */
12120 +#ifdef CONFIG_PAX_KERNEXEC
12121 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12123 + .quad 0x0000000000000000 /* 0x20 unused */
12126 + .quad 0x0000000000000000 /* 0x28 unused */
12127 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12128 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12129 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12130 + .quad 0x0000000000000000 /* 0x4b reserved */
12131 + .quad 0x0000000000000000 /* 0x53 reserved */
12132 + .quad 0x0000000000000000 /* 0x5b reserved */
12134 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12135 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12136 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12137 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12139 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12140 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12143 + * Segments used for calling PnP BIOS have byte granularity.
12144 + * The code segments and data segments have fixed 64k limits,
12145 + * the transfer segment sizes are set at run time.
12147 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
12148 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
12149 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
12150 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
12151 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
12154 + * The APM segments have byte granularity and their bases
12155 + * are set at run time. All have 64k limits.
12157 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12158 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12159 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
12161 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12162 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
12163 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
12164 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12165 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12166 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12168 + /* Be sure this is zeroed to avoid false validations in Xen */
12169 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
12171 diff -urNp linux-2.6.35.5/arch/x86/kernel/head_64.S linux-2.6.35.5/arch/x86/kernel/head_64.S
12172 --- linux-2.6.35.5/arch/x86/kernel/head_64.S 2010-08-26 19:47:12.000000000 -0400
12173 +++ linux-2.6.35.5/arch/x86/kernel/head_64.S 2010-09-17 20:12:09.000000000 -0400
12175 #include <asm/cache.h>
12176 #include <asm/processor-flags.h>
12177 #include <asm/percpu.h>
12178 +#include <asm/cpufeature.h>
12180 #ifdef CONFIG_PARAVIRT
12181 #include <asm/asm-offsets.h>
12182 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12183 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12184 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12185 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12186 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12187 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12188 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12189 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12193 @@ -85,35 +90,22 @@ startup_64:
12195 addq %rbp, init_level4_pgt + 0(%rip)
12196 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12197 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12198 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12199 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12201 addq %rbp, level3_ident_pgt + 0(%rip)
12202 +#ifndef CONFIG_XEN
12203 + addq %rbp, level3_ident_pgt + 8(%rip)
12206 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12207 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12208 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12210 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12211 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12212 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12214 - /* Add an Identity mapping if I am above 1G */
12215 - leaq _text(%rip), %rdi
12216 - andq $PMD_PAGE_MASK, %rdi
12219 - shrq $PUD_SHIFT, %rax
12220 - andq $(PTRS_PER_PUD - 1), %rax
12221 - jz ident_complete
12223 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12224 - leaq level3_ident_pgt(%rip), %rbx
12225 - movq %rdx, 0(%rbx, %rax, 8)
12228 - shrq $PMD_SHIFT, %rax
12229 - andq $(PTRS_PER_PMD - 1), %rax
12230 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12231 - leaq level2_spare_pgt(%rip), %rbx
12232 - movq %rdx, 0(%rbx, %rax, 8)
12234 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12235 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12238 * Fixup the kernel text+data virtual addresses. Note that
12239 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12240 * after the boot processor executes this code.
12243 - /* Enable PAE mode and PGE */
12244 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12245 + /* Enable PAE mode and PSE/PGE */
12246 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
12249 /* Setup early boot stage 4 level pagetables. */
12250 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
12251 movl $MSR_EFER, %ecx
12253 btsl $_EFER_SCE, %eax /* Enable System Call */
12254 - btl $20,%edi /* No Execute supported? */
12255 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
12257 btsl $_EFER_NX, %eax
12258 + leaq init_level4_pgt(%rip), %rdi
12259 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
12260 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
12261 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
12262 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
12263 1: wrmsr /* Make changes effective */
12266 @@ -271,7 +268,7 @@ ENTRY(secondary_startup_64)
12270 - .section ".init.text","ax"
12272 #ifdef CONFIG_EARLY_PRINTK
12273 .globl early_idt_handlers
12274 early_idt_handlers:
12275 @@ -316,18 +313,23 @@ ENTRY(early_idt_handler)
12276 #endif /* EARLY_PRINTK */
12281 #ifdef CONFIG_EARLY_PRINTK
12283 early_recursion_flag:
12287 + .section .rodata,"a",@progbits
12289 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
12292 -#endif /* CONFIG_EARLY_PRINTK */
12294 +#endif /* CONFIG_EARLY_PRINTK */
12296 + .section .rodata,"a",@progbits
12297 #define NEXT_PAGE(name) \
12298 .balign PAGE_SIZE; \
12300 @@ -351,13 +353,36 @@ NEXT_PAGE(init_level4_pgt)
12301 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12302 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
12303 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12304 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
12305 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
12306 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
12307 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12308 .org init_level4_pgt + L4_START_KERNEL*8, 0
12309 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
12310 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
12312 +#ifdef CONFIG_PAX_PER_CPU_PGD
12313 +NEXT_PAGE(cpu_pgd)
12319 NEXT_PAGE(level3_ident_pgt)
12320 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12324 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
12328 +NEXT_PAGE(level3_vmalloc_pgt)
12331 +NEXT_PAGE(level3_vmemmap_pgt)
12332 + .fill L3_VMEMMAP_START,8,0
12333 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12335 NEXT_PAGE(level3_kernel_pgt)
12336 .fill L3_START_KERNEL,8,0
12337 @@ -365,20 +390,23 @@ NEXT_PAGE(level3_kernel_pgt)
12338 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
12339 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12341 +NEXT_PAGE(level2_vmemmap_pgt)
12344 NEXT_PAGE(level2_fixmap_pgt)
12346 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12347 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
12350 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
12351 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
12354 -NEXT_PAGE(level1_fixmap_pgt)
12355 +NEXT_PAGE(level1_vsyscall_pgt)
12358 -NEXT_PAGE(level2_ident_pgt)
12359 - /* Since I easily can, map the first 1G.
12360 + /* Since I easily can, map the first 2G.
12361 * Don't set NX because code runs from these pages.
12363 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
12364 +NEXT_PAGE(level2_ident_pgt)
12365 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
12367 NEXT_PAGE(level2_kernel_pgt)
12369 @@ -391,33 +419,55 @@ NEXT_PAGE(level2_kernel_pgt)
12370 * If you want to increase this then increase MODULES_VADDR
12373 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
12374 - KERNEL_IMAGE_SIZE/PMD_SIZE)
12376 -NEXT_PAGE(level2_spare_pgt)
12378 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
12385 +ENTRY(cpu_gdt_table)
12387 + .quad 0x0000000000000000 /* NULL descriptor */
12388 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
12389 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
12390 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
12391 + .quad 0x00cffb000000ffff /* __USER32_CS */
12392 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
12393 + .quad 0x00affb000000ffff /* __USER_CS */
12395 +#ifdef CONFIG_PAX_KERNEXEC
12396 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
12398 + .quad 0x0 /* unused */
12401 + .quad 0,0 /* TSS */
12402 + .quad 0,0 /* LDT */
12403 + .quad 0,0,0 /* three TLS descriptors */
12404 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
12405 + /* asm/segment.h:GDT_ENTRIES must match this */
12407 + /* zero the remaining page */
12408 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
12412 .globl early_gdt_descr
12414 .word GDT_ENTRIES*8-1
12415 early_gdt_descr_base:
12416 - .quad INIT_PER_CPU_VAR(gdt_page)
12417 + .quad cpu_gdt_table
12420 /* This must match the first entry in level2_kernel_pgt */
12421 .quad 0x0000000000000000
12423 #include "../../x86/xen/xen-head.S"
12425 - .section .bss, "aw", @nobits
12427 + .section .rodata,"a",@progbits
12428 .align L1_CACHE_BYTES
12430 - .skip IDT_ENTRIES * 16
12435 diff -urNp linux-2.6.35.5/arch/x86/kernel/i386_ksyms_32.c linux-2.6.35.5/arch/x86/kernel/i386_ksyms_32.c
12436 --- linux-2.6.35.5/arch/x86/kernel/i386_ksyms_32.c 2010-08-26 19:47:12.000000000 -0400
12437 +++ linux-2.6.35.5/arch/x86/kernel/i386_ksyms_32.c 2010-09-17 20:12:09.000000000 -0400
12438 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
12439 EXPORT_SYMBOL(cmpxchg8b_emu);
12442 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
12444 /* Networking helper routines. */
12445 EXPORT_SYMBOL(csum_partial_copy_generic);
12446 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
12447 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
12449 EXPORT_SYMBOL(__get_user_1);
12450 EXPORT_SYMBOL(__get_user_2);
12451 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
12453 EXPORT_SYMBOL(csum_partial);
12454 EXPORT_SYMBOL(empty_zero_page);
12456 +#ifdef CONFIG_PAX_KERNEXEC
12457 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
12459 diff -urNp linux-2.6.35.5/arch/x86/kernel/init_task.c linux-2.6.35.5/arch/x86/kernel/init_task.c
12460 --- linux-2.6.35.5/arch/x86/kernel/init_task.c 2010-08-26 19:47:12.000000000 -0400
12461 +++ linux-2.6.35.5/arch/x86/kernel/init_task.c 2010-09-17 20:12:09.000000000 -0400
12462 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
12463 * section. Since TSS's are completely CPU-local, we want them
12464 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
12466 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
12468 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
12469 +EXPORT_SYMBOL(init_tss);
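Review bot: The comment kept above this definition still talks about a "section" and exact cacheline boundaries, but `init_tss` is now a plain `NR_CPUS`-sized array, so the comment no longer describes the code. `____cacheline_internodealigned_in_smp` on the array aligns its start; whether each element stays cacheline-aligned depends on the alignment of `struct tss_struct`, which is declared outside this hunk. I would update the comment to describe the array, add something like `/* one TSS per CPU, indexed by CPU number (init_tss + cpu) */`, and confirm that sizing by `NR_CPUS` is an acceptable memory cost on large configurations.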
12470 diff -urNp linux-2.6.35.5/arch/x86/kernel/ioport.c linux-2.6.35.5/arch/x86/kernel/ioport.c
12471 --- linux-2.6.35.5/arch/x86/kernel/ioport.c 2010-08-26 19:47:12.000000000 -0400
12472 +++ linux-2.6.35.5/arch/x86/kernel/ioport.c 2010-09-17 20:12:37.000000000 -0400
12474 #include <linux/sched.h>
12475 #include <linux/kernel.h>
12476 #include <linux/capability.h>
12477 +#include <linux/security.h>
12478 #include <linux/errno.h>
12479 #include <linux/types.h>
12480 #include <linux/ioport.h>
12481 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
12483 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
12485 +#ifdef CONFIG_GRKERNSEC_IO
12486 + if (turn_on && grsec_disable_privio) {
12487 + gr_handle_ioperm();
12491 if (turn_on && !capable(CAP_SYS_RAWIO))
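Review bot: The new `grsec_disable_privio` block sits ahead of `if (turn_on && !capable(CAP_SYS_RAWIO))`, so `gr_handle_ioperm()` is reached by any caller that passes `turn_on`, whether or not it holds the capability. If that handler logs (its body is not in this hunk), an unprivileged process could generate log entries at will unless the handler rate-limits; either confirm the rate limit in a comment or move the block below the capability check so only privileged attempts reach it. The same ordering appears in the sys_iopl hunk further down with `gr_handle_iopl()`. Several lines of the added block are missing from this rendering, so the return path could not be checked.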
12494 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
12495 * because the ->io_bitmap_max value must match the bitmap
12498 - tss = &per_cpu(init_tss, get_cpu());
12499 + tss = init_tss + get_cpu();
12501 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
12503 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
12505 /* Trying to gain more privileges? */
12507 +#ifdef CONFIG_GRKERNSEC_IO
12508 + if (grsec_disable_privio) {
12509 + gr_handle_iopl();
12513 if (!capable(CAP_SYS_RAWIO))
12516 diff -urNp linux-2.6.35.5/arch/x86/kernel/irq_32.c linux-2.6.35.5/arch/x86/kernel/irq_32.c
12517 --- linux-2.6.35.5/arch/x86/kernel/irq_32.c 2010-08-26 19:47:12.000000000 -0400
12518 +++ linux-2.6.35.5/arch/x86/kernel/irq_32.c 2010-09-17 20:12:09.000000000 -0400
12519 @@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
12522 /* build the stack frame on the IRQ stack */
12523 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12524 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12525 irqctx->tinfo.task = curctx->tinfo.task;
12526 irqctx->tinfo.previous_esp = current_stack_pointer;
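Review bot: The `- 8` subtracted from the top of the IRQ stack is an unexplained magic number, here and in the do_softirq hunk below. The same 8-byte gap shows up in process_32.c (`THREAD_SIZE - sizeof(struct pt_regs) - 8` in copy_thread) and in process_64.c (`stack+THREAD_SIZE-8-sizeof(u64)` in get_wchan), so these sites have to stay in step or stack bounds checks and frame placement will disagree. A single named constant with a comment saying what the reserved bytes are for would make the coupling explicit, e.g. `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - KSTACK_TOP_PAD);` where `KSTACK_TOP_PAD` is a suggested new name, not an existing one. execute_on_irq_stack continues outside the hunk.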
12528 @@ -175,7 +175,7 @@ asmlinkage void do_softirq(void)
12529 irqctx->tinfo.previous_esp = current_stack_pointer;
12531 /* build the stack frame on the softirq stack */
12532 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12533 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12535 call_on_stack(__do_softirq, isp);
12537 diff -urNp linux-2.6.35.5/arch/x86/kernel/kgdb.c linux-2.6.35.5/arch/x86/kernel/kgdb.c
12538 --- linux-2.6.35.5/arch/x86/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
12539 +++ linux-2.6.35.5/arch/x86/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
12540 @@ -77,7 +77,7 @@ void pt_regs_to_gdb_regs(unsigned long *
12541 gdb_regs[GDB_CS] = regs->cs;
12542 gdb_regs[GDB_FS] = 0xFFFF;
12543 gdb_regs[GDB_GS] = 0xFFFF;
12544 - if (user_mode_vm(regs)) {
12545 + if (user_mode(regs)) {
12546 gdb_regs[GDB_SS] = regs->ss;
12547 gdb_regs[GDB_SP] = regs->sp;
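Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only equivalent if `user_mode()` is redefined elsewhere in this patch to account for vm86 frames; that definition is not in this hunk. As far as I recall, the stock 2.6.35 `user_mode()` looks only at the CS privilege bits on 32-bit, so a vm86 frame could be classified as kernel mode and SS/SP would be taken from the wrong place. The same substitution is made in kprobe_exceptions_notify, __show_regs and fill_sigtrap_info further down, so a comment at the `user_mode()` definition stating that it now covers vm86 would document the dependency for all of them.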
12549 @@ -720,7 +720,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
12553 -struct kgdb_arch arch_kgdb_ops = {
12554 +const struct kgdb_arch arch_kgdb_ops = {
12555 /* Breakpoint instruction: */
12556 .gdb_bpt_instr = { 0xcc },
12557 .flags = KGDB_HW_BREAKPOINT,
12558 diff -urNp linux-2.6.35.5/arch/x86/kernel/kprobes.c linux-2.6.35.5/arch/x86/kernel/kprobes.c
12559 --- linux-2.6.35.5/arch/x86/kernel/kprobes.c 2010-08-26 19:47:12.000000000 -0400
12560 +++ linux-2.6.35.5/arch/x86/kernel/kprobes.c 2010-09-17 20:12:09.000000000 -0400
12561 @@ -114,9 +114,12 @@ static void __kprobes __synthesize_relat
12563 } __attribute__((packed)) *insn;
12565 - insn = (struct __arch_relative_insn *)from;
12566 + insn = (struct __arch_relative_insn *)(ktla_ktva(from));
12568 + pax_open_kernel();
12569 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
12571 + pax_close_kernel();
12574 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
12575 @@ -315,7 +318,9 @@ static int __kprobes __copy_instruction(
12578 insn_get_length(&insn);
12579 + pax_open_kernel();
12580 memcpy(dest, insn.kaddr, insn.length);
12581 + pax_close_kernel();
12583 #ifdef CONFIG_X86_64
12584 if (insn_rip_relative(&insn)) {
12585 @@ -339,7 +344,9 @@ static int __kprobes __copy_instruction(
12587 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
12588 disp = (u8 *) dest + insn_offset_displacement(&insn);
12589 + pax_open_kernel();
12590 *(s32 *) disp = (s32) newdisp;
12591 + pax_close_kernel();
12594 return insn.length;
12595 @@ -353,12 +360,12 @@ static void __kprobes arch_copy_kprobe(s
12597 __copy_instruction(p->ainsn.insn, p->addr, 0);
12599 - if (can_boost(p->addr))
12600 + if (can_boost(ktla_ktva(p->addr)))
12601 p->ainsn.boostable = 0;
12603 p->ainsn.boostable = -1;
12605 - p->opcode = *p->addr;
12606 + p->opcode = *(ktla_ktva(p->addr));
12609 int __kprobes arch_prepare_kprobe(struct kprobe *p)
12610 @@ -475,7 +482,7 @@ static void __kprobes setup_singlestep(s
12611 * nor set current_kprobe, because it doesn't use single
12614 - regs->ip = (unsigned long)p->ainsn.insn;
12615 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12616 preempt_enable_no_resched();
12619 @@ -494,7 +501,7 @@ static void __kprobes setup_singlestep(s
12620 if (p->opcode == BREAKPOINT_INSTRUCTION)
12621 regs->ip = (unsigned long)p->addr;
12623 - regs->ip = (unsigned long)p->ainsn.insn;
12624 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12628 @@ -573,7 +580,7 @@ static int __kprobes kprobe_handler(stru
12629 setup_singlestep(p, regs, kcb, 0);
12632 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
12633 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
12635 * The breakpoint instruction was removed right
12636 * after we hit it. Another cpu has removed
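Review bot: `ktla_ktva()` is given an `unsigned long` here and its result is cast back to `kprobe_opcode_t *`, while the arch_copy_kprobe hunk above passes pointers straight in (`ktla_ktva(p->addr)`) and dereferences the result. Mixing the two forms suggests the helper is an untyped macro, which makes it easy to translate an address twice, or not at all, without any compiler diagnostic. One consistent calling form would help; if `addr` is already a `kprobe_opcode_t *` (its declaration is outside the hunk), `} else if (*ktla_ktva(addr) != BREAKPOINT_INSTRUCTION) {` would match the other call sites in this file.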
12637 @@ -799,7 +806,7 @@ static void __kprobes resume_execution(s
12638 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
12640 unsigned long *tos = stack_addr(regs);
12641 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
12642 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
12643 unsigned long orig_ip = (unsigned long)p->addr;
12644 kprobe_opcode_t *insn = p->ainsn.insn;
12646 @@ -982,7 +989,7 @@ int __kprobes kprobe_exceptions_notify(s
12647 struct die_args *args = data;
12648 int ret = NOTIFY_DONE;
12650 - if (args->regs && user_mode_vm(args->regs))
12651 + if (args->regs && user_mode(args->regs))
12655 diff -urNp linux-2.6.35.5/arch/x86/kernel/ldt.c linux-2.6.35.5/arch/x86/kernel/ldt.c
12656 --- linux-2.6.35.5/arch/x86/kernel/ldt.c 2010-08-26 19:47:12.000000000 -0400
12657 +++ linux-2.6.35.5/arch/x86/kernel/ldt.c 2010-09-17 20:12:09.000000000 -0400
12658 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
12663 + load_LDT_nolock(pc);
12664 if (!cpumask_equal(mm_cpumask(current->mm),
12665 cpumask_of(smp_processor_id())))
12666 smp_call_function(flush_ldt, current->mm, 1);
12670 + load_LDT_nolock(pc);
12674 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
12677 for (i = 0; i < old->size; i++)
12678 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
12679 + write_ldt_entry(new->ldt, i, old->ldt + i);
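Review bot: `old->ldt + i` steps by one LDT entry only if `ldt` is now a pointer to an entry-sized type; with a `void *` member, which the removed `i * LDT_ENTRY_SIZE` arithmetic implies, it would advance one byte per iteration and copy malformed descriptors. The member's declaration is not in this hunk, so the type change has to land in the same patch, presumably in the mm_context_t definition. A `BUILD_BUG_ON(sizeof(*old->ldt) != LDT_ENTRY_SIZE);` next to the loop would tie the two together and fail the build if they drift apart. copy_ldt's body continues outside the hunk.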
12683 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
12684 retval = copy_ldt(&mm->context, &old_mm->context);
12685 mutex_unlock(&old_mm->context.lock);
12688 + if (tsk == current) {
12689 + mm->context.vdso = ~0UL;
12691 +#ifdef CONFIG_X86_32
12692 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
12693 + mm->context.user_cs_base = 0UL;
12694 + mm->context.user_cs_limit = ~0UL;
12696 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
12697 + cpus_clear(mm->context.cpu_user_cs_mask);
12708 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
12712 +#ifdef CONFIG_PAX_SEGMEXEC
12713 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
12719 fill_ldt(&ldt, &ldt_info);
12722 diff -urNp linux-2.6.35.5/arch/x86/kernel/machine_kexec_32.c linux-2.6.35.5/arch/x86/kernel/machine_kexec_32.c
12723 --- linux-2.6.35.5/arch/x86/kernel/machine_kexec_32.c 2010-08-26 19:47:12.000000000 -0400
12724 +++ linux-2.6.35.5/arch/x86/kernel/machine_kexec_32.c 2010-09-17 20:12:09.000000000 -0400
12726 #include <asm/cacheflush.h>
12727 #include <asm/debugreg.h>
12729 -static void set_idt(void *newidt, __u16 limit)
12730 +static void set_idt(struct desc_struct *newidt, __u16 limit)
12732 struct desc_ptr curidt;
12734 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
12738 -static void set_gdt(void *newgdt, __u16 limit)
12739 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
12741 struct desc_ptr curgdt;
12743 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
12746 control_page = page_address(image->control_code_page);
12747 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
12748 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
12750 relocate_kernel_ptr = control_page;
12751 page_list[PA_CONTROL_PAGE] = __pa(control_page);
12752 diff -urNp linux-2.6.35.5/arch/x86/kernel/microcode_amd.c linux-2.6.35.5/arch/x86/kernel/microcode_amd.c
12753 --- linux-2.6.35.5/arch/x86/kernel/microcode_amd.c 2010-08-26 19:47:12.000000000 -0400
12754 +++ linux-2.6.35.5/arch/x86/kernel/microcode_amd.c 2010-09-17 20:12:09.000000000 -0400
12755 @@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
12759 -static struct microcode_ops microcode_amd_ops = {
12760 +static const struct microcode_ops microcode_amd_ops = {
12761 .request_microcode_user = request_microcode_user,
12762 .request_microcode_fw = request_microcode_fw,
12763 .collect_cpu_info = collect_cpu_info_amd,
12764 @@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
12765 .microcode_fini_cpu = microcode_fini_cpu_amd,
12768 -struct microcode_ops * __init init_amd_microcode(void)
12769 +const struct microcode_ops * __init init_amd_microcode(void)
12771 return µcode_amd_ops;
12773 diff -urNp linux-2.6.35.5/arch/x86/kernel/microcode_core.c linux-2.6.35.5/arch/x86/kernel/microcode_core.c
12774 --- linux-2.6.35.5/arch/x86/kernel/microcode_core.c 2010-08-26 19:47:12.000000000 -0400
12775 +++ linux-2.6.35.5/arch/x86/kernel/microcode_core.c 2010-09-17 20:12:09.000000000 -0400
12776 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
12778 #define MICROCODE_VERSION "2.00"
12780 -static struct microcode_ops *microcode_ops;
12781 +static const struct microcode_ops *microcode_ops;
12785 diff -urNp linux-2.6.35.5/arch/x86/kernel/microcode_intel.c linux-2.6.35.5/arch/x86/kernel/microcode_intel.c
12786 --- linux-2.6.35.5/arch/x86/kernel/microcode_intel.c 2010-08-26 19:47:12.000000000 -0400
12787 +++ linux-2.6.35.5/arch/x86/kernel/microcode_intel.c 2010-09-17 20:12:09.000000000 -0400
12788 @@ -446,13 +446,13 @@ static enum ucode_state request_microcod
12790 static int get_ucode_user(void *to, const void *from, size_t n)
12792 - return copy_from_user(to, from, n);
12793 + return copy_from_user(to, (__force const void __user *)from, n);
12796 static enum ucode_state
12797 request_microcode_user(int cpu, const void __user *buf, size_t size)
12799 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
12800 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
12803 static void microcode_fini_cpu(int cpu)
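Review bot: The two `__force` casts make sparse stop checking the address space exactly where a user pointer crosses kernel-typed code: `request_microcode_user` strips `__user` from `buf`, and `get_ucode_user` adds it back on `from`. That is safe only while `generic_load_microcode()` never dereferences the pointer itself and always goes through the copy callback it was handed; its body is outside this hunk. I would add a comment on `get_ucode_user`, e.g. `/* 'from' is a user pointer passed through generic_load_microcode() as void *; only valid when called via request_microcode_user() */`, so a later caller does not break the pairing silently.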
12804 @@ -463,7 +463,7 @@ static void microcode_fini_cpu(int cpu)
12808 -static struct microcode_ops microcode_intel_ops = {
12809 +static const struct microcode_ops microcode_intel_ops = {
12810 .request_microcode_user = request_microcode_user,
12811 .request_microcode_fw = request_microcode_fw,
12812 .collect_cpu_info = collect_cpu_info,
12813 @@ -471,7 +471,7 @@ static struct microcode_ops microcode_in
12814 .microcode_fini_cpu = microcode_fini_cpu,
12817 -struct microcode_ops * __init init_intel_microcode(void)
12818 +const struct microcode_ops * __init init_intel_microcode(void)
12820 return µcode_intel_ops;
12822 diff -urNp linux-2.6.35.5/arch/x86/kernel/module.c linux-2.6.35.5/arch/x86/kernel/module.c
12823 --- linux-2.6.35.5/arch/x86/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
12824 +++ linux-2.6.35.5/arch/x86/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
12826 #define DEBUGP(fmt...)
12829 -void *module_alloc(unsigned long size)
12830 +static void *__module_alloc(unsigned long size, pgprot_t prot)
12832 struct vm_struct *area;
12834 @@ -49,8 +49,18 @@ void *module_alloc(unsigned long size)
12838 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
12839 - PAGE_KERNEL_EXEC);
12840 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
12843 +void *module_alloc(unsigned long size)
12846 +#ifdef CONFIG_PAX_KERNEXEC
12847 + return __module_alloc(size, PAGE_KERNEL);
12849 + return __module_alloc(size, PAGE_KERNEL_EXEC);
12854 /* Free memory returned from module_alloc */
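Review bot: Under `CONFIG_PAX_KERNEXEC`, `module_alloc()` now returns `PAGE_KERNEL` memory instead of `PAGE_KERNEL_EXEC`, so any existing caller that places code in the returned region and then runs it would be expected to fault on NX-capable hardware unless it is switched to `module_alloc_exec()`. Those callers are outside this file and not visible here, so the change needs an audit of every `module_alloc()` user in the tree. A comment above the function would record the new contract: `/* With KERNEXEC the returned memory is not executable; use module_alloc_exec() for code */`.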
12855 @@ -59,6 +69,40 @@ void module_free(struct module *mod, voi
12856 vfree(module_region);
12859 +#ifdef CONFIG_PAX_KERNEXEC
12860 +#ifdef CONFIG_X86_32
12861 +void *module_alloc_exec(unsigned long size)
12863 + struct vm_struct *area;
12868 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
12869 + return area ? area->addr : NULL;
12871 +EXPORT_SYMBOL(module_alloc_exec);
12873 +void module_free_exec(struct module *mod, void *module_region)
12875 + vunmap(module_region);
12877 +EXPORT_SYMBOL(module_free_exec);
12879 +void module_free_exec(struct module *mod, void *module_region)
12881 + module_free(mod, module_region);
12883 +EXPORT_SYMBOL(module_free_exec);
12885 +void *module_alloc_exec(unsigned long size)
12887 + return __module_alloc(size, PAGE_KERNEL_RX);
12889 +EXPORT_SYMBOL(module_alloc_exec);
12893 /* We don't need anything special. */
12894 int module_frob_arch_sections(Elf_Ehdr *hdr,
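Review bot: `module_alloc_exec()` and `module_free_exec()` are each defined in several configuration variants with no comment on what they guarantee, and the variants are not symmetric: the `CONFIG_X86_32` version reserves a range with `__get_vm_area()` and frees with `vunmap()`, while the others go through `__module_alloc()` and `module_free()`. Part of the 32-bit body is missing from this rendering, so how the range is backed and protected cannot be checked here. A header comment per variant stating the protection of the returned memory and who is allowed to write to it, plus a note on why `mod` is unused in the 32-bit `module_free_exec()`, would make the API reviewable. Both functions are exported with plain `EXPORT_SYMBOL`; if only in-tree code needs an allocator for executable memory, restricting or dropping the export is worth considering.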
12896 @@ -78,14 +122,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
12898 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
12900 - uint32_t *location;
12901 + uint32_t *plocation, location;
12903 DEBUGP("Applying relocate section %u to %u\n", relsec,
12904 sechdrs[relsec].sh_info);
12905 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
12906 /* This is where to make the change */
12907 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
12908 - + rel[i].r_offset;
12909 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
12910 + location = (uint32_t)plocation;
12911 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
12912 + plocation = ktla_ktva((void *)plocation);
12913 /* This is the symbol it is referring to. Note that all
12914 undefined symbols have been resolved. */
12915 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
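Review bot: `plocation` and `location` differ by one letter but mean different things after this hunk: `location` is the section address as an integer, captured before translation, and `plocation` is the pointer actually written through, passed through `ktla_ktva()` for `SHF_EXECINSTR` sections. The PC-relative case in the next hunk is correct only because it subtracts `location` and not `plocation`, which is easy to get wrong in a later edit. I would rename along the lines of `uint32_t *wptr, target_addr;` (names are a suggestion) and add `/* target_addr: address the relocated code runs at; wptr: address used for the store */`. The loop body continues outside the hunk.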
12916 @@ -94,11 +140,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
12917 switch (ELF32_R_TYPE(rel[i].r_info)) {
12919 /* We add the value into the location given */
12920 - *location += sym->st_value;
12921 + pax_open_kernel();
12922 + *plocation += sym->st_value;
12923 + pax_close_kernel();
12926 /* Add the value, subtract its postition */
12927 - *location += sym->st_value - (uint32_t)location;
12928 + pax_open_kernel();
12929 + *plocation += sym->st_value - location;
12930 + pax_close_kernel();
12933 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
12934 @@ -154,21 +204,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
12935 case R_X86_64_NONE:
12938 + pax_open_kernel();
12940 + pax_close_kernel();
12943 + pax_open_kernel();
12945 + pax_close_kernel();
12946 if (val != *(u32 *)loc)
12950 + pax_open_kernel();
12952 + pax_close_kernel();
12953 if ((s64)val != *(s32 *)loc)
12956 case R_X86_64_PC32:
12958 + pax_open_kernel();
12960 + pax_close_kernel();
12963 if ((s64)val != *(s32 *)loc)
12965 diff -urNp linux-2.6.35.5/arch/x86/kernel/paravirt.c linux-2.6.35.5/arch/x86/kernel/paravirt.c
12966 --- linux-2.6.35.5/arch/x86/kernel/paravirt.c 2010-08-26 19:47:12.000000000 -0400
12967 +++ linux-2.6.35.5/arch/x86/kernel/paravirt.c 2010-09-17 20:12:09.000000000 -0400
12968 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
12969 * corresponding structure. */
12970 static void *get_call_destination(u8 type)
12972 - struct paravirt_patch_template tmpl = {
12973 + const struct paravirt_patch_template tmpl = {
12974 .pv_init_ops = pv_init_ops,
12975 .pv_time_ops = pv_time_ops,
12976 .pv_cpu_ops = pv_cpu_ops,
12977 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
12978 if (opfunc == NULL)
12979 /* If there's no function, patch it with a ud2a (BUG) */
12980 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
12981 - else if (opfunc == _paravirt_nop)
12982 + else if (opfunc == (void *)_paravirt_nop)
12983 /* If the operation is a nop, then nop the callsite */
12984 ret = paravirt_patch_nop();
12986 /* identity functions just return their single argument */
12987 - else if (opfunc == _paravirt_ident_32)
12988 + else if (opfunc == (void *)_paravirt_ident_32)
12989 ret = paravirt_patch_ident_32(insnbuf, len);
12990 - else if (opfunc == _paravirt_ident_64)
12991 + else if (opfunc == (void *)_paravirt_ident_64)
12992 ret = paravirt_patch_ident_64(insnbuf, len);
12994 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
12995 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
12996 if (insn_len > len || start == NULL)
12999 - memcpy(insnbuf, start, insn_len);
13000 + memcpy(insnbuf, ktla_ktva(start), insn_len);
13004 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
13008 -struct pv_info pv_info = {
13009 +struct pv_info pv_info __read_only = {
13010 .name = "bare hardware",
13011 .paravirt_enabled = 0,
13013 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13016 -struct pv_init_ops pv_init_ops = {
13017 +struct pv_init_ops pv_init_ops __read_only = {
13018 .patch = native_patch,
13021 -struct pv_time_ops pv_time_ops = {
13022 +struct pv_time_ops pv_time_ops __read_only = {
13023 .sched_clock = native_sched_clock,
13026 -struct pv_irq_ops pv_irq_ops = {
13027 +struct pv_irq_ops pv_irq_ops __read_only = {
13028 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13029 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13030 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
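Review bot: Marking `pv_info`, `pv_init_ops`, `pv_time_ops`, `pv_irq_ops` and the tables in the following hunks `__read_only` means every later assignment to their fields has to happen before the data is write-protected, or inside a `pax_open_kernel()`/`pax_close_kernel()` pair as done elsewhere in this patch. Hypervisor guest setup code commonly overwrites individual `pv_*_ops` members at boot; those writers are outside this file and need auditing, since a missed one would presumably fault at runtime instead of failing at build time. A comment above the first table, e.g. `/* __read_only: updates after init must be wrapped in pax_open_kernel()/pax_close_kernel() */`, would state the rule where people will look for it. The same applies to `pv_lock_ops` in paravirt-spinlocks.c.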
13031 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13035 -struct pv_cpu_ops pv_cpu_ops = {
13036 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13037 .cpuid = native_cpuid,
13038 .get_debugreg = native_get_debugreg,
13039 .set_debugreg = native_set_debugreg,
13040 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13041 .end_context_switch = paravirt_nop,
13044 -struct pv_apic_ops pv_apic_ops = {
13045 +struct pv_apic_ops pv_apic_ops __read_only = {
13046 #ifdef CONFIG_X86_LOCAL_APIC
13047 .startup_ipi_hook = paravirt_nop,
13049 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13050 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13053 -struct pv_mmu_ops pv_mmu_ops = {
13054 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13056 .read_cr2 = native_read_cr2,
13057 .write_cr2 = native_write_cr2,
13058 @@ -463,6 +463,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13061 .set_fixmap = native_set_fixmap,
13063 +#ifdef CONFIG_PAX_KERNEXEC
13064 + .pax_open_kernel = native_pax_open_kernel,
13065 + .pax_close_kernel = native_pax_close_kernel,
13070 EXPORT_SYMBOL_GPL(pv_time_ops);
13071 diff -urNp linux-2.6.35.5/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.35.5/arch/x86/kernel/paravirt-spinlocks.c
13072 --- linux-2.6.35.5/arch/x86/kernel/paravirt-spinlocks.c 2010-08-26 19:47:12.000000000 -0400
13073 +++ linux-2.6.35.5/arch/x86/kernel/paravirt-spinlocks.c 2010-09-17 20:12:09.000000000 -0400
13074 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
13075 arch_spin_lock(lock);
13078 -struct pv_lock_ops pv_lock_ops = {
13079 +struct pv_lock_ops pv_lock_ops __read_only = {
13081 .spin_is_locked = __ticket_spin_is_locked,
13082 .spin_is_contended = __ticket_spin_is_contended,
13083 diff -urNp linux-2.6.35.5/arch/x86/kernel/pci-calgary_64.c linux-2.6.35.5/arch/x86/kernel/pci-calgary_64.c
13084 --- linux-2.6.35.5/arch/x86/kernel/pci-calgary_64.c 2010-08-26 19:47:12.000000000 -0400
13085 +++ linux-2.6.35.5/arch/x86/kernel/pci-calgary_64.c 2010-09-17 20:12:09.000000000 -0400
13086 @@ -475,7 +475,7 @@ static void calgary_free_coherent(struct
13087 free_pages((unsigned long)vaddr, get_order(size));
13090 -static struct dma_map_ops calgary_dma_ops = {
13091 +static const struct dma_map_ops calgary_dma_ops = {
13092 .alloc_coherent = calgary_alloc_coherent,
13093 .free_coherent = calgary_free_coherent,
13094 .map_sg = calgary_map_sg,
13095 diff -urNp linux-2.6.35.5/arch/x86/kernel/pci-dma.c linux-2.6.35.5/arch/x86/kernel/pci-dma.c
13096 --- linux-2.6.35.5/arch/x86/kernel/pci-dma.c 2010-08-26 19:47:12.000000000 -0400
13097 +++ linux-2.6.35.5/arch/x86/kernel/pci-dma.c 2010-09-17 20:12:09.000000000 -0400
13100 static int forbid_dac __read_mostly;
13102 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
13103 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
13104 EXPORT_SYMBOL(dma_ops);
13106 static int iommu_sac_force __read_mostly;
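Review bot: `const struct dma_map_ops *dma_ops` makes the table that is pointed to read-only, but the exported `dma_ops` pointer itself remains a writable global, so the constification does not cover redirecting the pointer to a different table. If every assignment to `dma_ops` happens during boot (the assignments are outside this hunk), `const struct dma_map_ops *dma_ops __read_only = &nommu_dma_ops;` would close that gap with the annotation this patch already uses in paravirt.c. If it cannot be made read-only, a short comment saying why would help the next reviewer.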
13107 @@ -248,7 +248,7 @@ early_param("iommu", iommu_setup);
13109 int dma_supported(struct device *dev, u64 mask)
13111 - struct dma_map_ops *ops = get_dma_ops(dev);
13112 + const struct dma_map_ops *ops = get_dma_ops(dev);
13115 if (mask > 0xffffffff && forbid_dac > 0) {
13116 diff -urNp linux-2.6.35.5/arch/x86/kernel/pci-gart_64.c linux-2.6.35.5/arch/x86/kernel/pci-gart_64.c
13117 --- linux-2.6.35.5/arch/x86/kernel/pci-gart_64.c 2010-08-26 19:47:12.000000000 -0400
13118 +++ linux-2.6.35.5/arch/x86/kernel/pci-gart_64.c 2010-09-17 20:12:09.000000000 -0400
13119 @@ -699,7 +699,7 @@ static __init int init_k8_gatt(struct ag
13123 -static struct dma_map_ops gart_dma_ops = {
13124 +static const struct dma_map_ops gart_dma_ops = {
13125 .map_sg = gart_map_sg,
13126 .unmap_sg = gart_unmap_sg,
13127 .map_page = gart_map_page,
13128 diff -urNp linux-2.6.35.5/arch/x86/kernel/pci-nommu.c linux-2.6.35.5/arch/x86/kernel/pci-nommu.c
13129 --- linux-2.6.35.5/arch/x86/kernel/pci-nommu.c 2010-08-26 19:47:12.000000000 -0400
13130 +++ linux-2.6.35.5/arch/x86/kernel/pci-nommu.c 2010-09-17 20:12:09.000000000 -0400
13131 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
13132 flush_write_buffers();
13135 -struct dma_map_ops nommu_dma_ops = {
13136 +const struct dma_map_ops nommu_dma_ops = {
13137 .alloc_coherent = dma_generic_alloc_coherent,
13138 .free_coherent = nommu_free_coherent,
13139 .map_sg = nommu_map_sg,
13140 diff -urNp linux-2.6.35.5/arch/x86/kernel/pci-swiotlb.c linux-2.6.35.5/arch/x86/kernel/pci-swiotlb.c
13141 --- linux-2.6.35.5/arch/x86/kernel/pci-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
13142 +++ linux-2.6.35.5/arch/x86/kernel/pci-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
13143 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
13144 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
13147 -static struct dma_map_ops swiotlb_dma_ops = {
13148 +static const struct dma_map_ops swiotlb_dma_ops = {
13149 .mapping_error = swiotlb_dma_mapping_error,
13150 .alloc_coherent = x86_swiotlb_alloc_coherent,
13151 .free_coherent = swiotlb_free_coherent,
13152 diff -urNp linux-2.6.35.5/arch/x86/kernel/process_32.c linux-2.6.35.5/arch/x86/kernel/process_32.c
13153 --- linux-2.6.35.5/arch/x86/kernel/process_32.c 2010-08-26 19:47:12.000000000 -0400
13154 +++ linux-2.6.35.5/arch/x86/kernel/process_32.c 2010-09-17 20:12:09.000000000 -0400
13155 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
13156 unsigned long thread_saved_pc(struct task_struct *tsk)
13158 return ((unsigned long *)tsk->thread.sp)[3];
13159 +//XXX return tsk->thread.eip;
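Review bot: `//XXX return tsk->thread.eip;` leaves commented-out code with no explanation in thread_saved_pc(), and the copy_thread hunk below adds `//XXX needs set_fs()?` between `if (clone_flags & CLONE_SETTLS)` and the statement it guards. The second marker is an open question about which address limit is in effect when `do_set_thread_area()` reads a `__user` pointer, and that should be answered before the patch ships, not left as a note in the code. I would delete the first line, and replace the second with a real comment placed above the `if` that states the conclusion, e.g. `/* childregs->si is a user pointer here; set_fs() is not needed because <reason> */` with the reason filled in by the author.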
13163 @@ -126,7 +127,7 @@ void __show_regs(struct pt_regs *regs, i
13165 unsigned short ss, gs;
13167 - if (user_mode_vm(regs)) {
13168 + if (user_mode(regs)) {
13170 ss = regs->ss & 0xffff;
13171 gs = get_user_gs(regs);
13172 @@ -196,7 +197,7 @@ int copy_thread(unsigned long clone_flag
13173 struct task_struct *tsk;
13176 - childregs = task_pt_regs(p);
13177 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
13178 *childregs = *regs;
13180 childregs->sp = sp;
13181 @@ -230,6 +231,7 @@ int copy_thread(unsigned long clone_flag
13182 * Set a new TLS for the child thread?
13184 if (clone_flags & CLONE_SETTLS)
13185 +//XXX needs set_fs()?
13186 err = do_set_thread_area(p, -1,
13187 (struct user_desc __user *)childregs->si, 0);
13189 @@ -293,7 +295,7 @@ __switch_to(struct task_struct *prev_p,
13190 struct thread_struct *prev = &prev_p->thread,
13191 *next = &next_p->thread;
13192 int cpu = smp_processor_id();
13193 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13194 + struct tss_struct *tss = init_tss + cpu;
13197 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
13198 @@ -328,6 +330,11 @@ __switch_to(struct task_struct *prev_p,
13200 lazy_save_gs(prev->gs);
13202 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13203 + if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
13204 + __set_fs(task_thread_info(next_p)->addr_limit, cpu);
13208 * Load the per-thread Thread-Local Storage descriptor.
13210 @@ -404,3 +411,27 @@ unsigned long get_wchan(struct task_stru
13214 +#ifdef CONFIG_PAX_RANDKSTACK
13215 +asmlinkage void pax_randomize_kstack(void)
13217 + struct thread_struct *thread = ¤t->thread;
13218 + unsigned long time;
13220 + if (!randomize_va_space)
13225 + /* P4 seems to return a 0 LSB, ignore it */
13226 +#ifdef CONFIG_MPENTIUM4
13234 + thread->sp0 ^= time;
13235 + load_sp0(init_tss + smp_processor_id(), thread);
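Review bot: `thread->sp0 ^= time;` perturbs the kernel stack top with a value whose source and masking are not visible in this rendering of the hunk, where several lines are missing. If `time` comes from a cycle counter, as the variable name and the `P4 seems to return a 0 LSB` comment suggest, it is not a cryptographic random source, so the function should document how many bits it contributes and that the mask keeps `sp0` aligned and inside the thread's stack. A header comment such as `/* XORs <N> masked timer bits into sp0; the mask preserves stack alignment */`, with N filled in from the actual mask, would make the guarantee checkable against the code.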
13238 diff -urNp linux-2.6.35.5/arch/x86/kernel/process_64.c linux-2.6.35.5/arch/x86/kernel/process_64.c
13239 --- linux-2.6.35.5/arch/x86/kernel/process_64.c 2010-08-26 19:47:12.000000000 -0400
13240 +++ linux-2.6.35.5/arch/x86/kernel/process_64.c 2010-09-17 20:12:09.000000000 -0400
13241 @@ -87,7 +87,7 @@ static void __exit_idle(void)
13242 void exit_idle(void)
13244 /* idle loop has pid 0 */
13245 - if (current->pid)
13246 + if (task_pid_nr(current))
13250 @@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p,
13251 struct thread_struct *prev = &prev_p->thread;
13252 struct thread_struct *next = &next_p->thread;
13253 int cpu = smp_processor_id();
13254 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13255 + struct tss_struct *tss = init_tss + cpu;
13256 unsigned fsindex, gsindex;
13259 @@ -528,12 +528,11 @@ unsigned long get_wchan(struct task_stru
13260 if (!p || p == current || p->state == TASK_RUNNING)
13262 stack = (unsigned long)task_stack_page(p);
13263 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
13264 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
13266 fp = *(u64 *)(p->thread.sp);
13268 - if (fp < (unsigned long)stack ||
13269 - fp >= (unsigned long)stack+THREAD_SIZE)
13270 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
13272 ip = *(u64 *)(fp+8);
13273 if (!in_sched_functions(ip))
13274 diff -urNp linux-2.6.35.5/arch/x86/kernel/process.c linux-2.6.35.5/arch/x86/kernel/process.c
13275 --- linux-2.6.35.5/arch/x86/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
13276 +++ linux-2.6.35.5/arch/x86/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
13277 @@ -73,7 +73,7 @@ void exit_thread(void)
13278 unsigned long *bp = t->io_bitmap_ptr;
13281 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
13282 + struct tss_struct *tss = init_tss + get_cpu();
13284 t->io_bitmap_ptr = NULL;
13285 clear_thread_flag(TIF_IO_BITMAP);
13286 @@ -117,6 +117,9 @@ void flush_thread(void)
13288 struct task_struct *tsk = current;
13290 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
13291 + loadsegment(gs, 0);
13293 flush_ptrace_hw_breakpoint(tsk);
13294 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
13296 @@ -279,8 +282,8 @@ int kernel_thread(int (*fn)(void *), voi
13297 regs.di = (unsigned long) arg;
13299 #ifdef CONFIG_X86_32
13300 - regs.ds = __USER_DS;
13301 - regs.es = __USER_DS;
13302 + regs.ds = __KERNEL_DS;
13303 + regs.es = __KERNEL_DS;
13304 regs.fs = __KERNEL_PERCPU;
13305 regs.gs = __KERNEL_STACK_CANARY;
13307 @@ -689,17 +692,3 @@ static int __init idle_setup(char *str)
13310 early_param("idle", idle_setup);
13312 -unsigned long arch_align_stack(unsigned long sp)
13314 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
13315 - sp -= get_random_int() % 8192;
13316 - return sp & ~0xf;
13319 -unsigned long arch_randomize_brk(struct mm_struct *mm)
13321 - unsigned long range_end = mm->brk + 0x02000000;
13322 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
13325 diff -urNp linux-2.6.35.5/arch/x86/kernel/ptrace.c linux-2.6.35.5/arch/x86/kernel/ptrace.c
13326 --- linux-2.6.35.5/arch/x86/kernel/ptrace.c 2010-08-26 19:47:12.000000000 -0400
13327 +++ linux-2.6.35.5/arch/x86/kernel/ptrace.c 2010-09-17 20:12:09.000000000 -0400
13328 @@ -804,7 +804,7 @@ static const struct user_regset_view use
13329 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
13332 - unsigned long __user *datap = (unsigned long __user *)data;
13333 + unsigned long __user *datap = (__force unsigned long __user *)data;
13336 /* read the word at location addr in the USER area. */
13337 @@ -891,14 +891,14 @@ long arch_ptrace(struct task_struct *chi
13340 ret = do_get_thread_area(child, addr,
13341 - (struct user_desc __user *) data);
13342 + (__force struct user_desc __user *) data);
13345 case PTRACE_SET_THREAD_AREA:
13348 ret = do_set_thread_area(child, addr,
13349 - (struct user_desc __user *) data, 0);
13350 + (__force struct user_desc __user *) data, 0);
13354 @@ -1315,7 +1315,7 @@ static void fill_sigtrap_info(struct tas
13355 memset(info, 0, sizeof(*info));
13356 info->si_signo = SIGTRAP;
13357 info->si_code = si_code;
13358 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
13359 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
13362 void user_single_step_siginfo(struct task_struct *tsk,
13363 diff -urNp linux-2.6.35.5/arch/x86/kernel/reboot.c linux-2.6.35.5/arch/x86/kernel/reboot.c
13364 --- linux-2.6.35.5/arch/x86/kernel/reboot.c 2010-08-26 19:47:12.000000000 -0400
13365 +++ linux-2.6.35.5/arch/x86/kernel/reboot.c 2010-09-17 20:12:09.000000000 -0400
13366 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
13367 EXPORT_SYMBOL(pm_power_off);
13369 static const struct desc_ptr no_idt = {};
13370 -static int reboot_mode;
13371 +static unsigned short reboot_mode;
13372 enum reboot_type reboot_type = BOOT_KBD;
13375 @@ -284,7 +284,7 @@ static struct dmi_system_id __initdata r
13376 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
13380 + { NULL, NULL, {{0, {0}}}, NULL}
13383 static int __init reboot_init(void)
13384 @@ -300,12 +300,12 @@ core_initcall(reboot_init);
13385 controller to pulse the CPU reset line, which is more thorough, but
13386 doesn't work with at least one type of 486 motherboard. It is easy
13387 to stop this code working; hence the copious comments. */
13388 -static const unsigned long long
13389 -real_mode_gdt_entries [3] =
13390 +static struct desc_struct
13391 +real_mode_gdt_entries [3] __read_only =
13393 - 0x0000000000000000ULL, /* Null descriptor */
13394 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
13395 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
13396 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
13397 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
13398 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
13401 static const struct desc_ptr
13402 @@ -354,7 +354,7 @@ static const unsigned char jump_to_bios
13403 * specified by the code and length parameters.
13404 * We assume that length will aways be less that 100!
13406 -void machine_real_restart(const unsigned char *code, int length)
13407 +void machine_real_restart(const unsigned char *code, unsigned int length)
13409 local_irq_disable();
13411 @@ -374,8 +374,8 @@ void machine_real_restart(const unsigned
13412 /* Remap the kernel at virtual address zero, as well as offset zero
13413 from the kernel segment. This assumes the kernel segment starts at
13414 virtual address PAGE_OFFSET. */
13415 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13416 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
13417 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13418 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
13421 * Use `swapper_pg_dir' as our page directory.
13422 @@ -387,16 +387,15 @@ void machine_real_restart(const unsigned
13423 boot)". This seems like a fairly standard thing that gets set by
13424 REBOOT.COM programs, and the previous reset routine did this
13426 - *((unsigned short *)0x472) = reboot_mode;
13427 + *(unsigned short *)(__va(0x472)) = reboot_mode;
13429 /* For the switch to real mode, copy some code to low memory. It has
13430 to be in the first 64k because it is running in 16-bit mode, and it
13431 has to have the same physical and virtual address, because it turns
13432 off paging. Copy it near the end of the first page, out of the way
13433 of BIOS variables. */
13434 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
13435 - real_mode_switch, sizeof (real_mode_switch));
13436 - memcpy((void *)(0x1000 - 100), code, length);
13437 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
13438 + memcpy(__va(0x1000 - 100), code, length);
13440 /* Set up the IDT for real mode. */
13441 load_idt(&real_mode_idt);
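Review bot: The copy `memcpy(__va(0x1000 - 100), code, length)` still takes `length` from the caller unchecked, although only 100 bytes remain before the end of the first page. The function comment in the earlier hunk merely assumes the length stays below 100, and making the parameter `unsigned int` removes the negative case but not the oversized one. A check at function entry, for example `BUG_ON(length > 100);`, would turn that assumption into an enforced bound. The body of machine_real_restart starts and ends outside this hunk.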
13442 diff -urNp linux-2.6.35.5/arch/x86/kernel/setup.c linux-2.6.35.5/arch/x86/kernel/setup.c
13443 --- linux-2.6.35.5/arch/x86/kernel/setup.c 2010-08-26 19:47:12.000000000 -0400
13444 +++ linux-2.6.35.5/arch/x86/kernel/setup.c 2010-09-17 20:12:09.000000000 -0400
13445 @@ -704,7 +704,7 @@ static void __init trim_bios_range(void)
13446 * area (640->1Mb) as ram even though it is not.
13449 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
13450 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
13451 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
13454 @@ -791,14 +791,14 @@ void __init setup_arch(char **cmdline_p)
13456 if (!boot_params.hdr.root_flags)
13457 root_mountflags &= ~MS_RDONLY;
13458 - init_mm.start_code = (unsigned long) _text;
13459 - init_mm.end_code = (unsigned long) _etext;
13460 + init_mm.start_code = ktla_ktva((unsigned long) _text);
13461 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
13462 init_mm.end_data = (unsigned long) _edata;
13463 init_mm.brk = _brk_end;
13465 - code_resource.start = virt_to_phys(_text);
13466 - code_resource.end = virt_to_phys(_etext)-1;
13467 - data_resource.start = virt_to_phys(_etext);
13468 + code_resource.start = virt_to_phys(ktla_ktva(_text));
13469 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
13470 + data_resource.start = virt_to_phys(_sdata);
13471 data_resource.end = virt_to_phys(_edata)-1;
13472 bss_resource.start = virt_to_phys(&__bss_start);
13473 bss_resource.end = virt_to_phys(&__bss_stop)-1;
13474 diff -urNp linux-2.6.35.5/arch/x86/kernel/setup_percpu.c linux-2.6.35.5/arch/x86/kernel/setup_percpu.c
13475 --- linux-2.6.35.5/arch/x86/kernel/setup_percpu.c 2010-08-26 19:47:12.000000000 -0400
13476 +++ linux-2.6.35.5/arch/x86/kernel/setup_percpu.c 2010-09-17 20:12:09.000000000 -0400
13477 @@ -21,19 +21,17 @@
13478 #include <asm/cpu.h>
13479 #include <asm/stackprotector.h>
13482 DEFINE_PER_CPU(int, cpu_number);
13483 EXPORT_PER_CPU_SYMBOL(cpu_number);
13486 -#ifdef CONFIG_X86_64
13487 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
13489 -#define BOOT_PERCPU_OFFSET 0
13492 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
13493 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
13495 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
13496 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
13497 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
13499 EXPORT_SYMBOL(__per_cpu_offset);
13500 @@ -161,10 +159,10 @@ static inline void setup_percpu_segment(
13502 #ifdef CONFIG_X86_32
13503 struct desc_struct gdt;
13504 + unsigned long base = per_cpu_offset(cpu);
13506 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
13507 - 0x2 | DESCTYPE_S, 0x8);
13509 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
13510 + 0x83 | DESCTYPE_S, 0xC);
13511 write_gdt_entry(get_cpu_gdt_table(cpu),
13512 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
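Review bot: The new `pack_descriptor` arguments in setup_percpu_segment replace a flat 0xFFFFF limit with a computed one and change the type and flag bytes, but nothing documents what `0x83` and `0xC` encode or why the limit ends at `VMALLOC_END`. A comment above the call would help, for example `/* per-cpu segment covers [base, VMALLOC_END): 0x83 = present, read/write data, accessed; 0xC = 4K granularity, 32-bit */`. The limit expression also assumes `base` is below `VMALLOC_END`; that looks true for per-cpu areas but is not established in the hunk, so it is worth stating in the same comment.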
13514 @@ -213,6 +211,11 @@ void __init setup_per_cpu_areas(void)
13515 /* alrighty, percpu areas up and running */
13516 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
13517 for_each_possible_cpu(cpu) {
13518 +#ifdef CONFIG_CC_STACKPROTECTOR
13519 +#ifdef CONFIG_x86_32
13520 + unsigned long canary = per_cpu(stack_canary, cpu);
13523 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
13524 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
13525 per_cpu(cpu_number, cpu) = cpu;
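Review bot: `#ifdef CONFIG_x86_32` is spelled with a lowercase `x`, while the rest of this file tests `CONFIG_X86_32` (see the setup_percpu_segment hunk above). Preprocessor symbols are case-sensitive, so as written the `canary` save is never compiled in. The same spelling guards the restore `per_cpu(stack_canary, cpu) = canary;` in the next hunk, so the boot CPU's stack canary is not carried over to the new per-cpu area. Both guards should read `#ifdef CONFIG_X86_32`. The body of setup_per_cpu_areas extends beyond both hunks.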
13526 @@ -249,6 +252,12 @@ void __init setup_per_cpu_areas(void)
13527 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
13530 +#ifdef CONFIG_CC_STACKPROTECTOR
13531 +#ifdef CONFIG_x86_32
13532 + if (cpu == boot_cpu_id)
13533 + per_cpu(stack_canary, cpu) = canary;
13537 * Up to this point, the boot CPU has been using .init.data
13538 * area. Reload any changed state for the boot CPU.
13539 diff -urNp linux-2.6.35.5/arch/x86/kernel/signal.c linux-2.6.35.5/arch/x86/kernel/signal.c
13540 --- linux-2.6.35.5/arch/x86/kernel/signal.c 2010-08-26 19:47:12.000000000 -0400
13541 +++ linux-2.6.35.5/arch/x86/kernel/signal.c 2010-09-17 20:12:09.000000000 -0400
13542 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
13543 * Align the stack pointer according to the i386 ABI,
13544 * i.e. so that on function entry ((sp + 4) & 15) == 0.
13546 - sp = ((sp + 4) & -16ul) - 4;
13547 + sp = ((sp - 12) & -16ul) - 4;
13548 #else /* !CONFIG_X86_32 */
13549 sp = round_down(sp, 16) - 8;
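Review bot: The change from `sp + 4` to `sp - 12` in the 32-bit branch is left unexplained, and the existing comment describes only the alignment, which both forms satisfy. The new expression always yields a value exactly 16 bytes lower than the old one, so the result can no longer equal the incoming `sp`. If that is the intent, say so next to the line, e.g. `/* bias by -16 so the frame always starts strictly below the incoming sp */`. The body of align_sigframe starts outside the hunk.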
13551 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
13552 * Return an always-bogus address instead so we will die with SIGSEGV.
13554 if (onsigstack && !likely(on_sig_stack(sp)))
13555 - return (void __user *)-1L;
13556 + return (__force void __user *)-1L;
13558 /* save i387 state */
13559 if (used_math() && save_i387_xstate(*fpstate) < 0)
13560 - return (void __user *)-1L;
13561 + return (__force void __user *)-1L;
13563 return (void __user *)sp;
13565 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
13568 if (current->mm->context.vdso)
13569 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13570 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13572 - restorer = &frame->retcode;
13573 + restorer = (void __user *)&frame->retcode;
13574 if (ka->sa.sa_flags & SA_RESTORER)
13575 restorer = ka->sa.sa_restorer;
13577 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
13578 * reasons and because gdb uses it as a signature to notice
13579 * signal handler stack frames.
13581 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
13582 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
13586 @@ -378,7 +378,7 @@ static int __setup_rt_frame(int sig, str
13587 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
13589 /* Set up to return from userspace. */
13590 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13591 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13592 if (ka->sa.sa_flags & SA_RESTORER)
13593 restorer = ka->sa.sa_restorer;
13594 put_user_ex(restorer, &frame->pretcode);
13595 @@ -390,7 +390,7 @@ static int __setup_rt_frame(int sig, str
13596 * reasons and because gdb uses it as a signature to notice
13597 * signal handler stack frames.
13599 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
13600 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
13601 } put_user_catch(err);
13604 @@ -780,7 +780,7 @@ static void do_signal(struct pt_regs *re
13605 * X86_32: vm86 regs switched out by assembly code before reaching
13606 * here, so testing against kernel CS suffices.
13608 - if (!user_mode(regs))
13609 + if (!user_mode_novm(regs))
13612 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
13613 diff -urNp linux-2.6.35.5/arch/x86/kernel/smpboot.c linux-2.6.35.5/arch/x86/kernel/smpboot.c
13614 --- linux-2.6.35.5/arch/x86/kernel/smpboot.c 2010-08-26 19:47:12.000000000 -0400
13615 +++ linux-2.6.35.5/arch/x86/kernel/smpboot.c 2010-09-17 20:12:09.000000000 -0400
13616 @@ -780,7 +780,11 @@ do_rest:
13617 (unsigned long)task_stack_page(c_idle.idle) -
13618 KERNEL_STACK_OFFSET + THREAD_SIZE;
13621 + pax_open_kernel();
13622 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13623 + pax_close_kernel();
13625 initial_code = (unsigned long)start_secondary;
13626 stack_start.sp = (void *) c_idle.idle->thread.sp;
13628 @@ -920,6 +924,12 @@ int __cpuinit native_cpu_up(unsigned int
13630 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
13632 +#ifdef CONFIG_PAX_PER_CPU_PGD
13633 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
13634 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13635 + KERNEL_PGD_PTRS);
13638 #ifdef CONFIG_X86_32
13639 /* init low mem mapping */
13640 clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13641 diff -urNp linux-2.6.35.5/arch/x86/kernel/step.c linux-2.6.35.5/arch/x86/kernel/step.c
13642 --- linux-2.6.35.5/arch/x86/kernel/step.c 2010-08-26 19:47:12.000000000 -0400
13643 +++ linux-2.6.35.5/arch/x86/kernel/step.c 2010-09-17 20:12:09.000000000 -0400
13644 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
13645 struct desc_struct *desc;
13646 unsigned long base;
13651 mutex_lock(&child->mm->context.lock);
13652 - if (unlikely((seg >> 3) >= child->mm->context.size))
13653 + if (unlikely(seg >= child->mm->context.size))
13654 addr = -1L; /* bogus selector, access would fault */
13656 desc = child->mm->context.ldt + seg;
13657 @@ -53,6 +53,9 @@ static int is_setting_trap_flag(struct t
13658 unsigned char opcode[15];
13659 unsigned long addr = convert_ip_to_linear(child, regs);
13661 + if (addr == -EINVAL)
13664 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
13665 for (i = 0; i < copied; i++) {
13666 switch (opcode[i]) {
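Review bot: The new guard compares `addr` with `-EINVAL`, but the only failure value visible for convert_ip_to_linear in the preceding hunk is `addr = -1L` for a bogus selector, which this test does not match. Unless a path outside these hunks returns `-EINVAL`, the check never fires and `access_process_vm` is still called with the sentinel address. Either test the value actually produced, `if (addr == -1L)`, or have convert_ip_to_linear return `-EINVAL` on every failure path. Both function bodies extend outside the hunks.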
13667 @@ -74,7 +77,7 @@ static int is_setting_trap_flag(struct t
13669 #ifdef CONFIG_X86_64
13670 case 0x40 ... 0x4f:
13671 - if (regs->cs != __USER_CS)
13672 + if ((regs->cs & 0xffff) != __USER_CS)
13673 /* 32-bit mode: register increment */
13675 /* 64-bit mode: REX prefix */
13676 diff -urNp linux-2.6.35.5/arch/x86/kernel/syscall_table_32.S linux-2.6.35.5/arch/x86/kernel/syscall_table_32.S
13677 --- linux-2.6.35.5/arch/x86/kernel/syscall_table_32.S 2010-08-26 19:47:12.000000000 -0400
13678 +++ linux-2.6.35.5/arch/x86/kernel/syscall_table_32.S 2010-09-17 20:12:09.000000000 -0400
13680 +.section .rodata,"a",@progbits
13681 ENTRY(sys_call_table)
13682 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
13684 diff -urNp linux-2.6.35.5/arch/x86/kernel/sys_i386_32.c linux-2.6.35.5/arch/x86/kernel/sys_i386_32.c
13685 --- linux-2.6.35.5/arch/x86/kernel/sys_i386_32.c 2010-08-26 19:47:12.000000000 -0400
13686 +++ linux-2.6.35.5/arch/x86/kernel/sys_i386_32.c 2010-09-17 20:12:09.000000000 -0400
13687 @@ -24,6 +24,224 @@
13689 #include <asm/syscalls.h>
13691 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
13693 + unsigned long pax_task_size = TASK_SIZE;
13695 +#ifdef CONFIG_PAX_SEGMEXEC
13696 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
13697 + pax_task_size = SEGMEXEC_TASK_SIZE;
13700 + if (len > pax_task_size || addr > pax_task_size - len)
13707 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
13708 + unsigned long len, unsigned long pgoff, unsigned long flags)
13710 + struct mm_struct *mm = current->mm;
13711 + struct vm_area_struct *vma;
13712 + unsigned long start_addr, pax_task_size = TASK_SIZE;
13714 +#ifdef CONFIG_PAX_SEGMEXEC
13715 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
13716 + pax_task_size = SEGMEXEC_TASK_SIZE;
13719 + if (len > pax_task_size)
13722 + if (flags & MAP_FIXED)
13725 +#ifdef CONFIG_PAX_RANDMMAP
13726 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13730 + addr = PAGE_ALIGN(addr);
13731 + if (pax_task_size - len >= addr) {
13732 + vma = find_vma(mm, addr);
13733 + if (check_heap_stack_gap(vma, addr, len))
13737 + if (len > mm->cached_hole_size) {
13738 + start_addr = addr = mm->free_area_cache;
13740 + start_addr = addr = mm->mmap_base;
13741 + mm->cached_hole_size = 0;
13744 +#ifdef CONFIG_PAX_PAGEEXEC
13745 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
13746 + start_addr = 0x00110000UL;
13748 +#ifdef CONFIG_PAX_RANDMMAP
13749 + if (mm->pax_flags & MF_PAX_RANDMMAP)
13750 + start_addr += mm->delta_mmap & 0x03FFF000UL;
13753 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
13754 + start_addr = addr = mm->mmap_base;
13756 + addr = start_addr;
13761 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
13762 + /* At this point: (!vma || addr < vma->vm_end). */
13763 + if (pax_task_size - len < addr) {
13765 + * Start a new search - just in case we missed
13768 + if (start_addr != mm->mmap_base) {
13769 + start_addr = addr = mm->mmap_base;
13770 + mm->cached_hole_size = 0;
13771 + goto full_search;
13775 + if (check_heap_stack_gap(vma, addr, len))
13777 + if (addr + mm->cached_hole_size < vma->vm_start)
13778 + mm->cached_hole_size = vma->vm_start - addr;
13779 + addr = vma->vm_end;
13780 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
13781 + start_addr = addr = mm->mmap_base;
13782 + mm->cached_hole_size = 0;
13783 + goto full_search;
13788 + * Remember the place where we stopped the search:
13790 + mm->free_area_cache = addr + len;
13795 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
13796 + const unsigned long len, const unsigned long pgoff,
13797 + const unsigned long flags)
13799 + struct vm_area_struct *vma;
13800 + struct mm_struct *mm = current->mm;
13801 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
13803 +#ifdef CONFIG_PAX_SEGMEXEC
13804 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
13805 + pax_task_size = SEGMEXEC_TASK_SIZE;
13808 + /* requested length too big for entire address space */
13809 + if (len > pax_task_size)
13812 + if (flags & MAP_FIXED)
13815 +#ifdef CONFIG_PAX_PAGEEXEC
13816 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
13820 +#ifdef CONFIG_PAX_RANDMMAP
13821 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13824 + /* requesting a specific address */
13826 + addr = PAGE_ALIGN(addr);
13827 + if (pax_task_size - len >= addr) {
13828 + vma = find_vma(mm, addr);
13829 + if (check_heap_stack_gap(vma, addr, len))
13834 + /* check if free_area_cache is useful for us */
13835 + if (len <= mm->cached_hole_size) {
13836 + mm->cached_hole_size = 0;
13837 + mm->free_area_cache = mm->mmap_base;
13840 + /* either no address requested or can't fit in requested address hole */
13841 + addr = mm->free_area_cache;
13843 + /* make sure it can fit in the remaining address space */
13844 + if (addr > len) {
13845 + vma = find_vma(mm, addr-len);
13846 + if (check_heap_stack_gap(vma, addr - len, len))
13847 + /* remember the address as a hint for next time */
13848 + return (mm->free_area_cache = addr-len);
13851 + if (mm->mmap_base < len)
13854 + addr = mm->mmap_base-len;
13858 + * Lookup failure means no vma is above this address,
13859 + * else if new region fits below vma->vm_start,
13860 + * return with success:
13862 + vma = find_vma(mm, addr);
13863 + if (check_heap_stack_gap(vma, addr, len))
13864 + /* remember the address as a hint for next time */
13865 + return (mm->free_area_cache = addr);
13867 + /* remember the largest hole we saw so far */
13868 + if (addr + mm->cached_hole_size < vma->vm_start)
13869 + mm->cached_hole_size = vma->vm_start - addr;
13871 + /* try just below the current vma->vm_start */
13872 + addr = vma->vm_start-len;
13873 + } while (len < vma->vm_start);
13877 + * A failed mmap() very likely causes application failure,
13878 + * so fall back to the bottom-up function here. This scenario
13879 + * can happen with large stack limits and large mmap()
13883 +#ifdef CONFIG_PAX_SEGMEXEC
13884 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
13885 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
13889 + mm->mmap_base = TASK_UNMAPPED_BASE;
13891 +#ifdef CONFIG_PAX_RANDMMAP
13892 + if (mm->pax_flags & MF_PAX_RANDMMAP)
13893 + mm->mmap_base += mm->delta_mmap;
13896 + mm->free_area_cache = mm->mmap_base;
13897 + mm->cached_hole_size = ~0UL;
13898 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
13900 + * Restore the topdown base:
13902 + mm->mmap_base = base;
13903 + mm->free_area_cache = base;
13904 + mm->cached_hole_size = ~0UL;
13910 * Do a system call from kernel instead of calling sys_execve so we
13911 * end up with proper pt_regs.
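Review bot: The PAGEEXEC branch of the new arch_get_unmapped_area hard-codes `start_addr = 0x00110000UL` and masks the random offset with `mm->delta_mmap & 0x03FFF000UL`, and neither constant is explained. They look tied to the non-NX code-segment-limit handling that the traps.c changes track through `user_cs_limit`, but that is an inference from this patch and should be confirmed by the author. A comment on the branch should state why executable mappings get a separate low search base and what range the mask is meant to keep the randomised base within. Named macros for the two values would also make the later `mm->start_brk <= start_addr` checks easier to follow.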
13912 diff -urNp linux-2.6.35.5/arch/x86/kernel/sys_x86_64.c linux-2.6.35.5/arch/x86/kernel/sys_x86_64.c
13913 --- linux-2.6.35.5/arch/x86/kernel/sys_x86_64.c 2010-08-26 19:47:12.000000000 -0400
13914 +++ linux-2.6.35.5/arch/x86/kernel/sys_x86_64.c 2010-09-17 20:12:09.000000000 -0400
13915 @@ -32,8 +32,8 @@ out:
13919 -static void find_start_end(unsigned long flags, unsigned long *begin,
13920 - unsigned long *end)
13921 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
13922 + unsigned long *begin, unsigned long *end)
13924 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
13925 unsigned long new_begin;
13926 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
13927 *begin = new_begin;
13930 - *begin = TASK_UNMAPPED_BASE;
13931 + *begin = mm->mmap_base;
13935 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
13936 if (flags & MAP_FIXED)
13939 - find_start_end(flags, &begin, &end);
13940 + find_start_end(mm, flags, &begin, &end);
13945 +#ifdef CONFIG_PAX_RANDMMAP
13946 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13950 addr = PAGE_ALIGN(addr);
13951 vma = find_vma(mm, addr);
13952 - if (end - len >= addr &&
13953 - (!vma || addr + len <= vma->vm_start))
13954 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
13957 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
13958 @@ -106,7 +109,7 @@ full_search:
13962 - if (!vma || addr + len <= vma->vm_start) {
13963 + if (check_heap_stack_gap(vma, addr, len)) {
13965 * Remember the place where we stopped the search:
13967 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
13969 struct vm_area_struct *vma;
13970 struct mm_struct *mm = current->mm;
13971 - unsigned long addr = addr0;
13972 + unsigned long base = mm->mmap_base, addr = addr0;
13974 /* requested length too big for entire address space */
13975 if (len > TASK_SIZE)
13976 @@ -141,12 +144,15 @@ arch_get_unmapped_area_topdown(struct fi
13977 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
13980 +#ifdef CONFIG_PAX_RANDMMAP
13981 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13984 /* requesting a specific address */
13986 addr = PAGE_ALIGN(addr);
13987 vma = find_vma(mm, addr);
13988 - if (TASK_SIZE - len >= addr &&
13989 - (!vma || addr + len <= vma->vm_start))
13990 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
13994 @@ -162,7 +168,7 @@ arch_get_unmapped_area_topdown(struct fi
13995 /* make sure it can fit in the remaining address space */
13997 vma = find_vma(mm, addr-len);
13998 - if (!vma || addr <= vma->vm_start)
13999 + if (check_heap_stack_gap(vma, addr - len, len))
14000 /* remember the address as a hint for next time */
14001 return mm->free_area_cache = addr-len;
14003 @@ -179,7 +185,7 @@ arch_get_unmapped_area_topdown(struct fi
14004 * return with success:
14006 vma = find_vma(mm, addr);
14007 - if (!vma || addr+len <= vma->vm_start)
14008 + if (check_heap_stack_gap(vma, addr, len))
14009 /* remember the address as a hint for next time */
14010 return mm->free_area_cache = addr;
14012 @@ -198,13 +204,21 @@ bottomup:
14013 * can happen with large stack limits and large mmap()
14016 + mm->mmap_base = TASK_UNMAPPED_BASE;
14018 +#ifdef CONFIG_PAX_RANDMMAP
14019 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14020 + mm->mmap_base += mm->delta_mmap;
14023 + mm->free_area_cache = mm->mmap_base;
14024 mm->cached_hole_size = ~0UL;
14025 - mm->free_area_cache = TASK_UNMAPPED_BASE;
14026 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14028 * Restore the topdown base:
14030 - mm->free_area_cache = mm->mmap_base;
14031 + mm->mmap_base = base;
14032 + mm->free_area_cache = base;
14033 mm->cached_hole_size = ~0UL;
14036 diff -urNp linux-2.6.35.5/arch/x86/kernel/time.c linux-2.6.35.5/arch/x86/kernel/time.c
14037 --- linux-2.6.35.5/arch/x86/kernel/time.c 2010-08-26 19:47:12.000000000 -0400
14038 +++ linux-2.6.35.5/arch/x86/kernel/time.c 2010-09-17 20:12:09.000000000 -0400
14039 @@ -26,17 +26,13 @@
14043 -#ifdef CONFIG_X86_64
14044 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
14047 unsigned long profile_pc(struct pt_regs *regs)
14049 unsigned long pc = instruction_pointer(regs);
14051 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
14052 + if (!user_mode(regs) && in_lock_functions(pc)) {
14053 #ifdef CONFIG_FRAME_POINTER
14054 - return *(unsigned long *)(regs->bp + sizeof(long));
14055 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
14057 unsigned long *sp =
14058 (unsigned long *)kernel_stack_pointer(regs);
14059 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
14060 * or above a saved flags. Eflags has bits 22-31 zero,
14061 * kernel addresses don't.
14064 +#ifdef CONFIG_PAX_KERNEXEC
14065 + return ktla_ktva(sp[0]);
14077 diff -urNp linux-2.6.35.5/arch/x86/kernel/tls.c linux-2.6.35.5/arch/x86/kernel/tls.c
14078 --- linux-2.6.35.5/arch/x86/kernel/tls.c 2010-08-26 19:47:12.000000000 -0400
14079 +++ linux-2.6.35.5/arch/x86/kernel/tls.c 2010-09-17 20:12:09.000000000 -0400
14080 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
14081 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
14084 +#ifdef CONFIG_PAX_SEGMEXEC
14085 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
14089 set_tls_desc(p, idx, &info, 1);
14092 diff -urNp linux-2.6.35.5/arch/x86/kernel/trampoline_32.S linux-2.6.35.5/arch/x86/kernel/trampoline_32.S
14093 --- linux-2.6.35.5/arch/x86/kernel/trampoline_32.S 2010-08-26 19:47:12.000000000 -0400
14094 +++ linux-2.6.35.5/arch/x86/kernel/trampoline_32.S 2010-09-17 20:12:09.000000000 -0400
14096 #include <asm/segment.h>
14097 #include <asm/page_types.h>
14099 +#ifdef CONFIG_PAX_KERNEXEC
14102 +#define ta(X) ((X) - __PAGE_OFFSET)
14105 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
14108 @@ -60,7 +66,7 @@ r_base = .
14109 inc %ax # protected mode (PE) bit
14110 lmsw %ax # into protected mode
14111 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
14112 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
14113 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
14115 # These need to be in the same 64K segment as the above;
14116 # hence we don't use the boot_gdt_descr defined in head.S
14117 diff -urNp linux-2.6.35.5/arch/x86/kernel/traps.c linux-2.6.35.5/arch/x86/kernel/traps.c
14118 --- linux-2.6.35.5/arch/x86/kernel/traps.c 2010-08-26 19:47:12.000000000 -0400
14119 +++ linux-2.6.35.5/arch/x86/kernel/traps.c 2010-09-17 20:12:09.000000000 -0400
14120 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
14122 /* Do we ignore FPU interrupts ? */
14123 char ignore_fpu_irq;
14126 - * The IDT has to be page-aligned to simplify the Pentium
14127 - * F0 0F bug workaround.
14129 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
14132 DECLARE_BITMAP(used_vectors, NR_VECTORS);
14133 @@ -110,13 +104,13 @@ static inline void preempt_conditional_c
14136 static void __kprobes
14137 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
14138 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
14139 long error_code, siginfo_t *info)
14141 struct task_struct *tsk = current;
14143 #ifdef CONFIG_X86_32
14144 - if (regs->flags & X86_VM_MASK) {
14145 + if (v8086_mode(regs)) {
14147 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
14148 * On nmi (interrupt 2), do_trap should not be called.
14149 @@ -127,7 +121,7 @@ do_trap(int trapnr, int signr, char *str
14153 - if (!user_mode(regs))
14154 + if (!user_mode_novm(regs))
14157 #ifdef CONFIG_X86_32
14158 @@ -150,7 +144,7 @@ trap_signal:
14159 printk_ratelimit()) {
14161 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
14162 - tsk->comm, tsk->pid, str,
14163 + tsk->comm, task_pid_nr(tsk), str,
14164 regs->ip, regs->sp, error_code);
14165 print_vma_addr(" in ", regs->ip);
14167 @@ -167,8 +161,20 @@ kernel_trap:
14168 if (!fixup_exception(regs)) {
14169 tsk->thread.error_code = error_code;
14170 tsk->thread.trap_no = trapnr;
14172 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14173 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
14174 + str = "PAX: suspicious stack segment fault";
14177 die(str, regs, error_code);
14180 +#ifdef CONFIG_PAX_REFCOUNT
14182 + pax_report_refcount_overflow(regs);
14187 #ifdef CONFIG_X86_32
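Review bot: The KERNEXEC check at kernel_trap uses the bare vector number in `trapnr == 12`; a short comment such as `/* 12: stack-segment fault (#SS) */` would make clear why only this trap is relabelled. The test `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` is also repeated verbatim in the gp_in_kernel hunk further down. A small static inline predicate taking `regs` would keep the two sites in step if the set of kernel code selectors changes. The body of do_trap starts and ends outside this hunk.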
14188 @@ -257,14 +263,30 @@ do_general_protection(struct pt_regs *re
14189 conditional_sti(regs);
14191 #ifdef CONFIG_X86_32
14192 - if (regs->flags & X86_VM_MASK)
14193 + if (v8086_mode(regs))
14198 - if (!user_mode(regs))
14199 + if (!user_mode_novm(regs))
14202 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14203 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
14204 + struct mm_struct *mm = tsk->mm;
14205 + unsigned long limit;
14207 + down_write(&mm->mmap_sem);
14208 + limit = mm->context.user_cs_limit;
14209 + if (limit < TASK_SIZE) {
14210 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
14211 + up_write(&mm->mmap_sem);
14214 + up_write(&mm->mmap_sem);
14218 tsk->thread.error_code = error_code;
14219 tsk->thread.trap_no = 13;
14221 @@ -297,6 +319,13 @@ gp_in_kernel:
14222 if (notify_die(DIE_GPF, "general protection fault", regs,
14223 error_code, 13, SIGSEGV) == NOTIFY_STOP)
14226 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14227 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
14228 + die("PAX: suspicious general protection fault", regs, error_code);
14232 die("general protection fault", regs, error_code);
14235 @@ -565,7 +594,7 @@ dotraplinkage void __kprobes do_debug(st
14236 /* It's safe to allow irq's after DR6 has been saved */
14237 preempt_conditional_sti(regs);
14239 - if (regs->flags & X86_VM_MASK) {
14240 + if (v8086_mode(regs)) {
14241 handle_vm86_trap((struct kernel_vm86_regs *) regs,
14244 @@ -578,7 +607,7 @@ dotraplinkage void __kprobes do_debug(st
14245 * We already checked v86 mode above, so we can check for kernel mode
14246 * by just checking the CPL of CS.
14248 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
14249 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
14250 tsk->thread.debugreg6 &= ~DR_STEP;
14251 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
14252 regs->flags &= ~X86_EFLAGS_TF;
14253 @@ -607,7 +636,7 @@ void math_error(struct pt_regs *regs, in
14255 conditional_sti(regs);
14257 - if (!user_mode_vm(regs))
14258 + if (!user_mode(regs))
14260 if (!fixup_exception(regs)) {
14261 task->thread.error_code = error_code;
14262 diff -urNp linux-2.6.35.5/arch/x86/kernel/tsc.c linux-2.6.35.5/arch/x86/kernel/tsc.c
14263 --- linux-2.6.35.5/arch/x86/kernel/tsc.c 2010-09-20 17:33:09.000000000 -0400
14264 +++ linux-2.6.35.5/arch/x86/kernel/tsc.c 2010-09-20 17:33:32.000000000 -0400
14265 @@ -833,7 +833,7 @@ static struct dmi_system_id __initdata b
14266 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
14270 + { NULL, NULL, {{0, {0}}}, NULL}
14273 static void __init check_system_tsc_reliable(void)
14274 diff -urNp linux-2.6.35.5/arch/x86/kernel/vm86_32.c linux-2.6.35.5/arch/x86/kernel/vm86_32.c
14275 --- linux-2.6.35.5/arch/x86/kernel/vm86_32.c 2010-08-26 19:47:12.000000000 -0400
14276 +++ linux-2.6.35.5/arch/x86/kernel/vm86_32.c 2010-09-17 20:12:37.000000000 -0400
14278 #include <linux/ptrace.h>
14279 #include <linux/audit.h>
14280 #include <linux/stddef.h>
14281 +#include <linux/grsecurity.h>
14283 #include <asm/uaccess.h>
14284 #include <asm/io.h>
14285 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
14289 - tss = &per_cpu(init_tss, get_cpu());
14290 + tss = init_tss + get_cpu();
14291 current->thread.sp0 = current->thread.saved_sp0;
14292 current->thread.sysenter_cs = __KERNEL_CS;
14293 load_sp0(tss, ¤t->thread);
14294 @@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
14295 struct task_struct *tsk;
14296 int tmp, ret = -EPERM;
14298 +#ifdef CONFIG_GRKERNSEC_VM86
14299 + if (!capable(CAP_SYS_RAWIO)) {
14300 + gr_handle_vm86();
14306 if (tsk->thread.saved_sp0)
14308 @@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
14310 struct vm86plus_struct __user *v86;
14312 +#ifdef CONFIG_GRKERNSEC_VM86
14313 + if (!capable(CAP_SYS_RAWIO)) {
14314 + gr_handle_vm86();
14322 case VM86_REQUEST_IRQ:
14323 @@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
14324 tsk->thread.saved_fs = info->regs32->fs;
14325 tsk->thread.saved_gs = get_user_gs(info->regs32);
14327 - tss = &per_cpu(init_tss, get_cpu());
14328 + tss = init_tss + get_cpu();
14329 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
14331 tsk->thread.sysenter_cs = 0;
14332 @@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
14333 goto cannot_handle;
14334 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
14335 goto cannot_handle;
14336 - intr_ptr = (unsigned long __user *) (i << 2);
14337 + intr_ptr = (__force unsigned long __user *) (i << 2);
14338 if (get_user(segoffs, intr_ptr))
14339 goto cannot_handle;
14340 if ((segoffs >> 16) == BIOSSEG)
14341 diff -urNp linux-2.6.35.5/arch/x86/kernel/vmi_32.c linux-2.6.35.5/arch/x86/kernel/vmi_32.c
14342 --- linux-2.6.35.5/arch/x86/kernel/vmi_32.c 2010-08-26 19:47:12.000000000 -0400
14343 +++ linux-2.6.35.5/arch/x86/kernel/vmi_32.c 2010-09-17 20:12:09.000000000 -0400
14344 @@ -46,12 +46,17 @@ typedef u32 __attribute__((regparm(1)))
14345 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
14347 #define call_vrom_func(rom,func) \
14348 - (((VROMFUNC *)(rom->func))())
14349 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
14351 #define call_vrom_long_func(rom,func,arg) \
14352 - (((VROMLONGFUNC *)(rom->func)) (arg))
14354 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
14355 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
14356 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
14360 -static struct vrom_header *vmi_rom;
14361 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
14362 static int disable_pge;
14363 static int disable_pse;
14364 static int disable_sep;
14365 @@ -78,10 +83,10 @@ static struct {
14366 void (*set_initial_ap_state)(int, int);
14367 void (*halt)(void);
14368 void (*set_lazy_mode)(int mode);
14370 +} vmi_ops __read_only;
14372 /* Cached VMI operations */
14373 -struct vmi_timer_ops vmi_timer_ops;
14374 +struct vmi_timer_ops vmi_timer_ops __read_only;
14377 * VMI patching routines.
14378 @@ -96,7 +101,7 @@ struct vmi_timer_ops vmi_timer_ops;
14379 static inline void patch_offset(void *insnbuf,
14380 unsigned long ip, unsigned long dest)
14382 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
14383 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
14386 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
14387 @@ -104,6 +109,7 @@ static unsigned patch_internal(int call,
14390 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
14392 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
14393 switch(rel->type) {
14394 case VMI_RELOCATION_CALL_REL:
14395 @@ -382,13 +388,13 @@ static void vmi_set_pud(pud_t *pudp, pud
14397 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
14399 - const pte_t pte = { .pte = 0 };
14400 + const pte_t pte = __pte(0ULL);
14401 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
14404 static void vmi_pmd_clear(pmd_t *pmd)
14406 - const pte_t pte = { .pte = 0 };
14407 + const pte_t pte = __pte(0ULL);
14408 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
14411 @@ -416,8 +422,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
14412 ap.ss = __KERNEL_DS;
14413 ap.esp = (unsigned long) start_esp;
14415 - ap.ds = __USER_DS;
14416 - ap.es = __USER_DS;
14417 + ap.ds = __KERNEL_DS;
14418 + ap.es = __KERNEL_DS;
14419 ap.fs = __KERNEL_PERCPU;
14420 ap.gs = __KERNEL_STACK_CANARY;
14422 @@ -464,6 +470,18 @@ static void vmi_leave_lazy_mmu(void)
14423 paravirt_leave_lazy_mmu();
14426 +#ifdef CONFIG_PAX_KERNEXEC
14427 +static unsigned long vmi_pax_open_kernel(void)
14432 +static unsigned long vmi_pax_close_kernel(void)
14438 static inline int __init check_vmi_rom(struct vrom_header *rom)
14440 struct pci_header *pci;
14441 @@ -476,6 +494,10 @@ static inline int __init check_vmi_rom(s
14443 if (rom->vrom_signature != VMI_SIGNATURE)
14445 + if (rom->rom_length * 512 > sizeof(*rom)) {
14446 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
14449 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
14450 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
14451 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
14452 @@ -540,7 +562,7 @@ static inline int __init probe_vmi_rom(v
14453 struct vrom_header *romstart;
14454 romstart = (struct vrom_header *)isa_bus_to_virt(base);
14455 if (check_vmi_rom(romstart)) {
14456 - vmi_rom = romstart;
14457 + vmi_rom = *romstart;
14461 @@ -816,6 +838,11 @@ static inline int __init activate_vmi(vo
14463 para_fill(pv_irq_ops.safe_halt, Halt);
14465 +#ifdef CONFIG_PAX_KERNEXEC
14466 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
14467 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
14471 * Alternative instruction rewriting doesn't happen soon enough
14472 * to convert VMI_IRET to a call instead of a jump; so we have
14473 @@ -833,16 +860,16 @@ static inline int __init activate_vmi(vo
14475 void __init vmi_init(void)
14478 + if (!vmi_rom.rom_signature)
14481 - check_vmi_rom(vmi_rom);
14482 + check_vmi_rom(&vmi_rom);
14484 /* In case probing for or validating the ROM failed, basil */
14486 + if (!vmi_rom.rom_signature)
14489 - reserve_top_address(-vmi_rom->virtual_top);
14490 + reserve_top_address(-vmi_rom.virtual_top);
14492 #ifdef CONFIG_X86_IO_APIC
14493 /* This is virtual hardware; timer routing is wired correctly */
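Review bot: ROM presence is now inferred from `vmi_rom.rom_signature` being non-zero, in both tests in this hunk and again in the `vmi_activate` hunk that follows, but nothing says why that field is the sentinel; the `check_vmi_rom` hunk earlier in this file validates a differently named field, `vrom_signature`. I would add a comment at the first test, `/* vmi_rom starts zeroed; rom_signature stays 0 until probe_vmi_rom() copies in a validated ROM */`, or fold the three tests into one small static helper so the convention lives in one place. This relies on a valid ROM never carrying a zero `rom_signature`, which the visible lines do not establish. The body of `vmi_init` continues outside the hunk.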
14494 @@ -854,7 +881,7 @@ void __init vmi_activate(void)
14496 unsigned long flags;
14499 + if (!vmi_rom.rom_signature)
14502 local_irq_save(flags);
14503 diff -urNp linux-2.6.35.5/arch/x86/kernel/vmlinux.lds.S linux-2.6.35.5/arch/x86/kernel/vmlinux.lds.S
14504 --- linux-2.6.35.5/arch/x86/kernel/vmlinux.lds.S 2010-08-26 19:47:12.000000000 -0400
14505 +++ linux-2.6.35.5/arch/x86/kernel/vmlinux.lds.S 2010-09-17 20:12:09.000000000 -0400
14507 #include <asm/page_types.h>
14508 #include <asm/cache.h>
14509 #include <asm/boot.h>
14510 +#include <asm/segment.h>
14512 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14513 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
14515 +#define __KERNEL_TEXT_OFFSET 0
14518 #undef i386 /* in case the preprocessor is a 32bit one */
14520 @@ -34,13 +41,13 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
14521 #ifdef CONFIG_X86_32
14523 ENTRY(phys_startup_32)
14524 -jiffies = jiffies_64;
14526 OUTPUT_ARCH(i386:x86-64)
14527 ENTRY(phys_startup_64)
14528 -jiffies_64 = jiffies;
14531 +jiffies = jiffies_64;
14533 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
14535 * On 64-bit, align RODATA to 2MB so that even with CONFIG_DEBUG_RODATA
14536 @@ -69,31 +76,46 @@ jiffies_64 = jiffies;
14539 text PT_LOAD FLAGS(5); /* R_E */
14540 - data PT_LOAD FLAGS(7); /* RWE */
14541 +#ifdef CONFIG_X86_32
14542 + module PT_LOAD FLAGS(5); /* R_E */
14545 + rodata PT_LOAD FLAGS(5); /* R_E */
14547 + rodata PT_LOAD FLAGS(4); /* R__ */
14549 + data PT_LOAD FLAGS(6); /* RW_ */
14550 #ifdef CONFIG_X86_64
14551 user PT_LOAD FLAGS(5); /* R_E */
14553 + init.begin PT_LOAD FLAGS(6); /* RW_ */
14555 percpu PT_LOAD FLAGS(6); /* RW_ */
14557 + text.init PT_LOAD FLAGS(5); /* R_E */
14558 + text.exit PT_LOAD FLAGS(5); /* R_E */
14559 init PT_LOAD FLAGS(7); /* RWE */
14561 note PT_NOTE FLAGS(0); /* ___ */
14566 #ifdef CONFIG_X86_32
14567 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
14568 - phys_startup_32 = startup_32 - LOAD_OFFSET;
14569 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
14571 - . = __START_KERNEL;
14572 - phys_startup_64 = startup_64 - LOAD_OFFSET;
14573 + . = __START_KERNEL;
14576 /* Text and read-only data */
14577 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
14579 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14580 /* bootstrapping code */
14581 +#ifdef CONFIG_X86_32
14582 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14584 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14586 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14589 #ifdef CONFIG_X86_32
14590 . = ALIGN(PAGE_SIZE);
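Review bot: The `init` program header keeps `FLAGS(7)` (RWE) as a context line, although this hunk adds separate `text.init`/`text.exit` headers as R_E and tightens `data` from RWE to RW_. A later hunk in this file assigns `INIT_DATA_SECTION(16)` to `:init`. If no executable output section is still mapped to `:init` after the split, `init PT_LOAD FLAGS(6); /* RW_ */` would keep the header table consistent with the rest of the change. Otherwise a comment naming the section that still needs execute permission would help the next reader. The preprocessor conditionals around these entries are not visible here, so this may apply to only one configuration.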
14591 @@ -108,13 +130,50 @@ SECTIONS
14595 - /* End of text section */
14599 - NOTES :text :note
14600 + . += __KERNEL_TEXT_OFFSET;
14602 +#ifdef CONFIG_X86_32
14603 + . = ALIGN(PAGE_SIZE);
14604 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
14608 + . = ALIGN(PAGE_SIZE);
14609 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
14611 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
14612 + MODULES_EXEC_VADDR = .;
14614 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
14615 + . = ALIGN(HPAGE_SIZE);
14616 + MODULES_EXEC_END = . - 1;
14622 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
14623 + /* End of text section */
14624 + _etext = . - __KERNEL_TEXT_OFFSET;
14627 +#ifdef CONFIG_X86_32
14628 + . = ALIGN(PAGE_SIZE);
14629 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
14631 + . = ALIGN(PAGE_SIZE);
14632 + *(.empty_zero_page)
14633 + *(.swapper_pg_pmd)
14634 + *(.swapper_pg_dir)
14638 + . = ALIGN(PAGE_SIZE);
14639 + NOTES :rodata :note
14641 - EXCEPTION_TABLE(16) :text = 0x9090
14642 + EXCEPTION_TABLE(16) :rodata
14644 X64_ALIGN_DEBUG_RODATA_BEGIN
14646 @@ -122,16 +181,20 @@ SECTIONS
14649 .data : AT(ADDR(.data) - LOAD_OFFSET) {
14651 +#ifdef CONFIG_PAX_KERNEXEC
14652 + . = ALIGN(HPAGE_SIZE);
14654 + . = ALIGN(PAGE_SIZE);
14657 /* Start of data section */
14661 INIT_TASK_DATA(THREAD_SIZE)
14663 -#ifdef CONFIG_X86_32
14664 - /* 32 bit has nosave before _edata */
14668 PAGE_ALIGNED_DATA(PAGE_SIZE)
14670 @@ -194,12 +257,6 @@ SECTIONS
14672 vgetcpu_mode = VVIRT(.vgetcpu_mode);
14674 - . = ALIGN(L1_CACHE_BYTES);
14675 - .jiffies : AT(VLOAD(.jiffies)) {
14678 - jiffies = VVIRT(.jiffies);
14680 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
14683 @@ -215,12 +272,19 @@ SECTIONS
14684 #endif /* CONFIG_X86_64 */
14686 /* Init code and data - will be freed after init */
14687 - . = ALIGN(PAGE_SIZE);
14688 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
14691 +#ifdef CONFIG_PAX_KERNEXEC
14692 + . = ALIGN(HPAGE_SIZE);
14694 + . = ALIGN(PAGE_SIZE);
14697 __init_begin = .; /* paired with __init_end */
14701 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
14704 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
14705 * output PHDR, so the next output section - .init.text - should
14706 @@ -229,12 +293,27 @@ SECTIONS
14707 PERCPU_VADDR(0, :percpu)
14710 - INIT_TEXT_SECTION(PAGE_SIZE)
14711 -#ifdef CONFIG_X86_64
14714 + . = ALIGN(PAGE_SIZE);
14716 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
14717 + VMLINUX_SYMBOL(_sinittext) = .;
14719 + VMLINUX_SYMBOL(_einittext) = .;
14720 + . = ALIGN(PAGE_SIZE);
14724 + * .exit.text is discard at runtime, not link time, to deal with
14725 + * references from .altinstructions and .eh_frame
14727 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14731 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
14733 - INIT_DATA_SECTION(16)
14734 + . = ALIGN(PAGE_SIZE);
14735 + INIT_DATA_SECTION(16) :init
14737 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
14738 __x86_cpu_dev_start = .;
14739 @@ -260,19 +339,11 @@ SECTIONS
14740 *(.altinstr_replacement)
14744 - * .exit.text is discard at runtime, not link time, to deal with
14745 - * references from .altinstructions and .eh_frame
14747 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
14751 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
14755 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
14756 +#ifndef CONFIG_SMP
14760 @@ -291,16 +362,10 @@ SECTIONS
14761 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
14764 - . = ALIGN(PAGE_SIZE);
14765 __smp_locks_end = .;
14766 + . = ALIGN(PAGE_SIZE);
14769 -#ifdef CONFIG_X86_64
14770 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
14776 . = ALIGN(PAGE_SIZE);
14777 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
14778 @@ -316,6 +381,7 @@ SECTIONS
14780 . += 64 * 1024; /* 64k alignment slop space */
14781 *(.brk_reservation) /* areas brk users have reserved */
14782 + . = ALIGN(HPAGE_SIZE);
14786 @@ -342,13 +408,12 @@ SECTIONS
14787 * for the boot processor.
14789 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
14790 -INIT_PER_CPU(gdt_page);
14791 INIT_PER_CPU(irq_stack_union);
14794 * Build-time check on the image size:
14796 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
14797 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
14798 "kernel image bigger than KERNEL_IMAGE_SIZE");
14801 diff -urNp linux-2.6.35.5/arch/x86/kernel/vsyscall_64.c linux-2.6.35.5/arch/x86/kernel/vsyscall_64.c
14802 --- linux-2.6.35.5/arch/x86/kernel/vsyscall_64.c 2010-08-26 19:47:12.000000000 -0400
14803 +++ linux-2.6.35.5/arch/x86/kernel/vsyscall_64.c 2010-09-17 20:12:09.000000000 -0400
14804 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
14806 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
14807 /* copy vsyscall data */
14808 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
14809 vsyscall_gtod_data.clock.vread = clock->vread;
14810 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
14811 vsyscall_gtod_data.clock.mask = clock->mask;
14812 @@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
14813 We do this here because otherwise user space would do it on
14814 its own in a likely inferior way (no access to jiffies).
14815 If you don't like it pass NULL. */
14816 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
14817 + if (tcache && tcache->blob[0] == (j = jiffies)) {
14818 p = tcache->blob[1];
14819 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
14820 /* Load per CPU data from RDTSCP */
14821 diff -urNp linux-2.6.35.5/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.35.5/arch/x86/kernel/x8664_ksyms_64.c
14822 --- linux-2.6.35.5/arch/x86/kernel/x8664_ksyms_64.c 2010-08-26 19:47:12.000000000 -0400
14823 +++ linux-2.6.35.5/arch/x86/kernel/x8664_ksyms_64.c 2010-09-17 20:12:09.000000000 -0400
14824 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
14825 EXPORT_SYMBOL(copy_user_generic_string);
14826 EXPORT_SYMBOL(copy_user_generic_unrolled);
14827 EXPORT_SYMBOL(__copy_user_nocache);
14828 -EXPORT_SYMBOL(_copy_from_user);
14829 -EXPORT_SYMBOL(_copy_to_user);
14831 EXPORT_SYMBOL(copy_page);
14832 EXPORT_SYMBOL(clear_page);
14833 diff -urNp linux-2.6.35.5/arch/x86/kernel/xsave.c linux-2.6.35.5/arch/x86/kernel/xsave.c
14834 --- linux-2.6.35.5/arch/x86/kernel/xsave.c 2010-08-26 19:47:12.000000000 -0400
14835 +++ linux-2.6.35.5/arch/x86/kernel/xsave.c 2010-09-17 20:12:09.000000000 -0400
14836 @@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
14837 fx_sw_user->xstate_size > fx_sw_user->extended_size)
14840 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
14841 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
14842 fx_sw_user->extended_size -
14843 FP_XSTATE_MAGIC2_SIZE));
14845 @@ -196,7 +196,7 @@ fx_only:
14846 * the other extended state.
14848 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
14849 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
14850 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
14854 @@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
14856 err = restore_user_xstate(buf);
14858 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
14859 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
14861 if (unlikely(err)) {
14863 diff -urNp linux-2.6.35.5/arch/x86/kvm/emulate.c linux-2.6.35.5/arch/x86/kvm/emulate.c
14864 --- linux-2.6.35.5/arch/x86/kvm/emulate.c 2010-08-26 19:47:12.000000000 -0400
14865 +++ linux-2.6.35.5/arch/x86/kvm/emulate.c 2010-09-17 20:12:09.000000000 -0400
14866 @@ -88,11 +88,11 @@
14867 #define Src2CL (1<<29)
14868 #define Src2ImmByte (2<<29)
14869 #define Src2One (3<<29)
14870 -#define Src2Imm16 (4<<29)
14871 -#define Src2Mem16 (5<<29) /* Used for Ep encoding. First argument has to be
14872 +#define Src2Imm16 (4U<<29)
14873 +#define Src2Mem16 (5U<<29) /* Used for Ep encoding. First argument has to be
14874 in memory and second argument is located
14875 immediately after the first one in memory. */
14876 -#define Src2Mask (7<<29)
14877 +#define Src2Mask (7U<<29)
14880 Group1_80, Group1_81, Group1_82, Group1_83,
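Review bot: Only `Src2Imm16`, `Src2Mem16` and `Src2Mask` get the `U` suffix, so the same bit field is now built from signed constants (`Src2CL`, `Src2ImmByte`, `Src2One`) and unsigned ones. The three changed values are exactly those whose shift reaches bit 31 of a signed int, so the fix itself is right. Mixed signedness within one mask group still invites surprises in later comparisons and integer promotions. I would make the whole group unsigned: `#define Src2CL (1U<<29)`, `#define Src2ImmByte (2U<<29)`, `#define Src2One (3U<<29)`.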
14881 @@ -446,6 +446,7 @@ static u32 group2_table[] = {
14883 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
14885 + unsigned long _tmp; \
14886 __asm__ __volatile__ ( \
14887 _PRE_EFLAGS("0", "4", "2") \
14888 _op _suffix " %"_x"3,%1; " \
14889 @@ -459,8 +460,6 @@ static u32 group2_table[] = {
14890 /* Raw emulation: instruction has two explicit operands. */
14891 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
14893 - unsigned long _tmp; \
14895 switch ((_dst).bytes) { \
14897 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
14898 @@ -476,7 +475,6 @@ static u32 group2_table[] = {
14900 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
14902 - unsigned long _tmp; \
14903 switch ((_dst).bytes) { \
14905 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
14906 diff -urNp linux-2.6.35.5/arch/x86/kvm/lapic.c linux-2.6.35.5/arch/x86/kvm/lapic.c
14907 --- linux-2.6.35.5/arch/x86/kvm/lapic.c 2010-08-26 19:47:12.000000000 -0400
14908 +++ linux-2.6.35.5/arch/x86/kvm/lapic.c 2010-09-17 20:12:09.000000000 -0400
14910 #define APIC_BUS_CYCLE_NS 1
14912 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
14913 -#define apic_debug(fmt, arg...)
14914 +#define apic_debug(fmt, arg...) do {} while (0)
14916 #define APIC_LVT_NUM 6
14917 /* 14 is the version for Xeon and Pentium 8.4.8*/
14918 diff -urNp linux-2.6.35.5/arch/x86/kvm/svm.c linux-2.6.35.5/arch/x86/kvm/svm.c
14919 --- linux-2.6.35.5/arch/x86/kvm/svm.c 2010-08-26 19:47:12.000000000 -0400
14920 +++ linux-2.6.35.5/arch/x86/kvm/svm.c 2010-09-17 20:12:09.000000000 -0400
14921 @@ -2796,7 +2796,11 @@ static void reload_tss(struct kvm_vcpu *
14922 int cpu = raw_smp_processor_id();
14924 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
14926 + pax_open_kernel();
14927 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
14928 + pax_close_kernel();
14933 @@ -3337,7 +3341,7 @@ static void svm_fpu_deactivate(struct kv
14934 update_cr0_intercept(svm);
14937 -static struct kvm_x86_ops svm_x86_ops = {
14938 +static const struct kvm_x86_ops svm_x86_ops = {
14939 .cpu_has_kvm_support = has_svm,
14940 .disabled_by_bios = is_disabled,
14941 .hardware_setup = svm_hardware_setup,
14942 diff -urNp linux-2.6.35.5/arch/x86/kvm/vmx.c linux-2.6.35.5/arch/x86/kvm/vmx.c
14943 --- linux-2.6.35.5/arch/x86/kvm/vmx.c 2010-08-26 19:47:12.000000000 -0400
14944 +++ linux-2.6.35.5/arch/x86/kvm/vmx.c 2010-09-17 20:12:09.000000000 -0400
14945 @@ -653,7 +653,11 @@ static void reload_tss(void)
14947 native_store_gdt(&gdt);
14948 descs = (void *)gdt.address;
14950 + pax_open_kernel();
14951 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
14952 + pax_close_kernel();
14957 @@ -1550,8 +1554,11 @@ static __init int hardware_setup(void)
14958 if (!cpu_has_vmx_flexpriority())
14959 flexpriority_enabled = 0;
14961 - if (!cpu_has_vmx_tpr_shadow())
14962 - kvm_x86_ops->update_cr8_intercept = NULL;
14963 + if (!cpu_has_vmx_tpr_shadow()) {
14964 + pax_open_kernel();
14965 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
14966 + pax_close_kernel();
14969 if (enable_ept && !cpu_has_vmx_ept_2m_page())
14970 kvm_disable_largepages();
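Review bot: The store `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a cast that strips `const` from a table this patch defines as `static const struct kvm_x86_ops vmx_x86_ops` (last hunk of this file). `pax_open_kernel()` lifts the page protection, but C still treats modifying a const-defined object as undefined, so the compiler may assume the member never changes. Marking the table `__read_only` rather than `const`, as the vmi_32.c part of this patch does for `vmi_ops`, would presumably keep the write protection without that language-level hazard. At minimum I would add `/* ops table is write-protected; this is the only init-time fixup */` above the open/close pair. The body of `hardware_setup` extends beyond the hunk.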
14971 @@ -2533,7 +2540,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
14972 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
14974 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
14975 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
14976 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
14977 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
14978 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
14979 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
14980 @@ -3909,6 +3916,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
14981 "jmp .Lkvm_vmx_return \n\t"
14982 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
14983 ".Lkvm_vmx_return: "
14985 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14986 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
14987 + ".Lkvm_vmx_return2: "
14990 /* Save guest registers, load host registers, keep flags */
14991 "xchg %0, (%%"R"sp) \n\t"
14992 "mov %%"R"ax, %c[rax](%0) \n\t"
14993 @@ -3955,8 +3968,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
14994 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
14996 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
14998 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14999 + ,[cs]"i"(__KERNEL_CS)
15003 - , R"bx", R"di", R"si"
15004 + , R"ax", R"bx", R"di", R"si"
15005 #ifdef CONFIG_X86_64
15006 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
15008 @@ -3970,7 +3988,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
15009 if (vmx->rmode.irq.pending)
15010 fixup_rmode_irq(vmx);
15012 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15013 + asm("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
15016 vmx_complete_interrupts(vmx);
15017 @@ -4191,7 +4209,7 @@ static void vmx_set_supported_cpuid(u32
15021 -static struct kvm_x86_ops vmx_x86_ops = {
15022 +static const struct kvm_x86_ops vmx_x86_ops = {
15023 .cpu_has_kvm_support = cpu_has_kvm_support,
15024 .disabled_by_bios = vmx_disabled_by_bios,
15025 .hardware_setup = hardware_setup,
15026 diff -urNp linux-2.6.35.5/arch/x86/kvm/x86.c linux-2.6.35.5/arch/x86/kvm/x86.c
15027 --- linux-2.6.35.5/arch/x86/kvm/x86.c 2010-08-26 19:47:12.000000000 -0400
15028 +++ linux-2.6.35.5/arch/x86/kvm/x86.c 2010-09-17 20:12:09.000000000 -0400
15029 @@ -86,7 +86,7 @@ static void update_cr8_intercept(struct
15030 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15031 struct kvm_cpuid_entry2 __user *entries);
15033 -struct kvm_x86_ops *kvm_x86_ops;
15034 +const struct kvm_x86_ops *kvm_x86_ops;
15035 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15037 int ignore_msrs = 0;
15038 @@ -112,38 +112,38 @@ static struct kvm_shared_msrs_global __r
15039 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
15041 struct kvm_stats_debugfs_item debugfs_entries[] = {
15042 - { "pf_fixed", VCPU_STAT(pf_fixed) },
15043 - { "pf_guest", VCPU_STAT(pf_guest) },
15044 - { "tlb_flush", VCPU_STAT(tlb_flush) },
15045 - { "invlpg", VCPU_STAT(invlpg) },
15046 - { "exits", VCPU_STAT(exits) },
15047 - { "io_exits", VCPU_STAT(io_exits) },
15048 - { "mmio_exits", VCPU_STAT(mmio_exits) },
15049 - { "signal_exits", VCPU_STAT(signal_exits) },
15050 - { "irq_window", VCPU_STAT(irq_window_exits) },
15051 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
15052 - { "halt_exits", VCPU_STAT(halt_exits) },
15053 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
15054 - { "hypercalls", VCPU_STAT(hypercalls) },
15055 - { "request_irq", VCPU_STAT(request_irq_exits) },
15056 - { "irq_exits", VCPU_STAT(irq_exits) },
15057 - { "host_state_reload", VCPU_STAT(host_state_reload) },
15058 - { "efer_reload", VCPU_STAT(efer_reload) },
15059 - { "fpu_reload", VCPU_STAT(fpu_reload) },
15060 - { "insn_emulation", VCPU_STAT(insn_emulation) },
15061 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
15062 - { "irq_injections", VCPU_STAT(irq_injections) },
15063 - { "nmi_injections", VCPU_STAT(nmi_injections) },
15064 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
15065 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
15066 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
15067 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
15068 - { "mmu_flooded", VM_STAT(mmu_flooded) },
15069 - { "mmu_recycled", VM_STAT(mmu_recycled) },
15070 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
15071 - { "mmu_unsync", VM_STAT(mmu_unsync) },
15072 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
15073 - { "largepages", VM_STAT(lpages) },
15074 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
15075 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
15076 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
15077 + { "invlpg", VCPU_STAT(invlpg), NULL },
15078 + { "exits", VCPU_STAT(exits), NULL },
15079 + { "io_exits", VCPU_STAT(io_exits), NULL },
15080 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
15081 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
15082 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
15083 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
15084 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
15085 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
15086 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
15087 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
15088 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
15089 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
15090 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
15091 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
15092 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
15093 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
15094 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
15095 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
15096 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
15097 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
15098 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
15099 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
15100 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
15101 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
15102 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
15103 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
15104 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
15105 + { "largepages", VM_STAT(lpages), NULL },
15109 @@ -1672,6 +1672,8 @@ long kvm_arch_dev_ioctl(struct file *fil
15110 if (n < msr_list.nmsrs)
15113 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
15115 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
15116 num_msrs_to_save * sizeof(u32)))
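Review bot: The new bound on `num_msrs_to_save` guards the `copy_to_user()` length on the following lines, but both operands are kernel-side values, so tripping it means an internal invariant is broken rather than that userspace sent a bad request. Failing quietly would hide that; the branch body is not visible in this hunk. `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))` keeps the guard against reading past the array and leaves a trace in the log. The body of `kvm_arch_dev_ioctl` starts and ends outside the hunk.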
15118 @@ -2103,7 +2105,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
15119 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
15120 struct kvm_interrupt *irq)
15122 - if (irq->irq < 0 || irq->irq >= 256)
15123 + if (irq->irq >= 256)
15125 if (irqchip_in_kernel(vcpu->kvm))
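Review bot: Dropping `irq->irq < 0` leaves `if (irq->irq >= 256)` as the only bound on a value that arrives from userspace through the ioctl, which is sufficient only while the field is unsigned. The field's type is not visible in this hunk, so I would record the assumption next to the test, e.g. `/* irq->irq is unsigned: one upper bound rejects every invalid value */`. Alternatively `BUILD_BUG_ON((typeof(irq->irq))-1 < 0);` would make a later change of the type fail the build. The function body continues past the hunk.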
15127 @@ -4070,10 +4072,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
15129 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
15131 -int kvm_arch_init(void *opaque)
15132 +int kvm_arch_init(const void *opaque)
15135 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
15136 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
15139 printk(KERN_ERR "kvm: already loaded the other module\n");
15140 diff -urNp linux-2.6.35.5/arch/x86/lib/checksum_32.S linux-2.6.35.5/arch/x86/lib/checksum_32.S
15141 --- linux-2.6.35.5/arch/x86/lib/checksum_32.S 2010-08-26 19:47:12.000000000 -0400
15142 +++ linux-2.6.35.5/arch/x86/lib/checksum_32.S 2010-09-17 20:12:09.000000000 -0400
15144 #include <linux/linkage.h>
15145 #include <asm/dwarf2.h>
15146 #include <asm/errno.h>
15148 +#include <asm/segment.h>
15151 * computes a partial checksum, e.g. for TCP/UDP fragments
15153 @@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
15158 -ENTRY(csum_partial_copy_generic)
15160 +ENTRY(csum_partial_copy_generic_to_user)
15162 + pushl $(__USER_DS)
15163 + CFI_ADJUST_CFA_OFFSET 4
15165 + CFI_ADJUST_CFA_OFFSET -4
15166 + jmp csum_partial_copy_generic
15168 +ENTRY(csum_partial_copy_generic_from_user)
15169 + pushl $(__USER_DS)
15170 + CFI_ADJUST_CFA_OFFSET 4
15172 + CFI_ADJUST_CFA_OFFSET -4
15174 +ENTRY(csum_partial_copy_generic)
15176 CFI_ADJUST_CFA_OFFSET 4
15178 @@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
15180 SRC(1: movw (%esi), %bx )
15182 -DST( movw %bx, (%edi) )
15183 +DST( movw %bx, %es:(%edi) )
15187 @@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
15188 SRC(1: movl (%esi), %ebx )
15189 SRC( movl 4(%esi), %edx )
15191 -DST( movl %ebx, (%edi) )
15192 +DST( movl %ebx, %es:(%edi) )
15194 -DST( movl %edx, 4(%edi) )
15195 +DST( movl %edx, %es:4(%edi) )
15197 SRC( movl 8(%esi), %ebx )
15198 SRC( movl 12(%esi), %edx )
15200 -DST( movl %ebx, 8(%edi) )
15201 +DST( movl %ebx, %es:8(%edi) )
15203 -DST( movl %edx, 12(%edi) )
15204 +DST( movl %edx, %es:12(%edi) )
15206 SRC( movl 16(%esi), %ebx )
15207 SRC( movl 20(%esi), %edx )
15209 -DST( movl %ebx, 16(%edi) )
15210 +DST( movl %ebx, %es:16(%edi) )
15212 -DST( movl %edx, 20(%edi) )
15213 +DST( movl %edx, %es:20(%edi) )
15215 SRC( movl 24(%esi), %ebx )
15216 SRC( movl 28(%esi), %edx )
15218 -DST( movl %ebx, 24(%edi) )
15219 +DST( movl %ebx, %es:24(%edi) )
15221 -DST( movl %edx, 28(%edi) )
15222 +DST( movl %edx, %es:28(%edi) )
15226 @@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
15227 shrl $2, %edx # This clears CF
15228 SRC(3: movl (%esi), %ebx )
15230 -DST( movl %ebx, (%edi) )
15231 +DST( movl %ebx, %es:(%edi) )
15235 @@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
15237 SRC( movw (%esi), %cx )
15239 -DST( movw %cx, (%edi) )
15240 +DST( movw %cx, %es:(%edi) )
15244 SRC(5: movb (%esi), %cl )
15245 -DST( movb %cl, (%edi) )
15246 +DST( movb %cl, %es:(%edi) )
15250 @@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
15253 movl ARGBASE+20(%esp), %ebx # src_err_ptr
15254 - movl $-EFAULT, (%ebx)
15255 + movl $-EFAULT, %ss:(%ebx)
15257 # zero the complete destination - computing the rest
15259 @@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
15262 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15263 - movl $-EFAULT,(%ebx)
15264 + movl $-EFAULT,%ss:(%ebx)
15270 + CFI_ADJUST_CFA_OFFSET 4
15272 + CFI_ADJUST_CFA_OFFSET -4
15274 + CFI_ADJUST_CFA_OFFSET 4
15276 + CFI_ADJUST_CFA_OFFSET -4
15278 CFI_ADJUST_CFA_OFFSET -4
15280 @@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
15281 CFI_ADJUST_CFA_OFFSET -4
15284 -ENDPROC(csum_partial_copy_generic)
15285 +ENDPROC(csum_partial_copy_generic_to_user)
15289 /* Version for PentiumII/PPro */
15291 #define ROUND1(x) \
15293 SRC(movl x(%esi), %ebx ) ; \
15294 addl %ebx, %eax ; \
15295 - DST(movl %ebx, x(%edi) ) ;
15296 + DST(movl %ebx, %es:x(%edi)) ;
15300 SRC(movl x(%esi), %ebx ) ; \
15301 adcl %ebx, %eax ; \
15302 - DST(movl %ebx, x(%edi) ) ;
15303 + DST(movl %ebx, %es:x(%edi)) ;
15307 -ENTRY(csum_partial_copy_generic)
15309 +ENTRY(csum_partial_copy_generic_to_user)
15311 + pushl $(__USER_DS)
15312 + CFI_ADJUST_CFA_OFFSET 4
15314 + CFI_ADJUST_CFA_OFFSET -4
15315 + jmp csum_partial_copy_generic
15317 +ENTRY(csum_partial_copy_generic_from_user)
15318 + pushl $(__USER_DS)
15319 + CFI_ADJUST_CFA_OFFSET 4
15321 + CFI_ADJUST_CFA_OFFSET -4
15323 +ENTRY(csum_partial_copy_generic)
15325 CFI_ADJUST_CFA_OFFSET 4
15326 CFI_REL_OFFSET ebx, 0
15327 @@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
15331 - lea 3f(%ebx,%ebx), %ebx
15332 + lea 3f(%ebx,%ebx,2), %ebx
15336 @@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
15338 SRC( movw (%esi), %dx )
15340 -DST( movw %dx, (%edi) )
15341 +DST( movw %dx, %es:(%edi) )
15346 SRC( movb (%esi), %dl )
15347 -DST( movb %dl, (%edi) )
15348 +DST( movb %dl, %es:(%edi) )
15352 .section .fixup, "ax"
15353 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
15354 - movl $-EFAULT, (%ebx)
15355 + movl $-EFAULT, %ss:(%ebx)
15356 # zero the complete destination (computing the rest is too much work)
15357 movl ARGBASE+8(%esp),%edi # dst
15358 movl ARGBASE+12(%esp),%ecx # len
15359 @@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
15362 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15363 - movl $-EFAULT, (%ebx)
15364 + movl $-EFAULT, %ss:(%ebx)
15369 + CFI_ADJUST_CFA_OFFSET 4
15371 + CFI_ADJUST_CFA_OFFSET -4
15373 + CFI_ADJUST_CFA_OFFSET 4
15375 + CFI_ADJUST_CFA_OFFSET -4
15377 CFI_ADJUST_CFA_OFFSET -4
15379 @@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
15383 -ENDPROC(csum_partial_copy_generic)
15384 +ENDPROC(csum_partial_copy_generic_to_user)
15388 diff -urNp linux-2.6.35.5/arch/x86/lib/clear_page_64.S linux-2.6.35.5/arch/x86/lib/clear_page_64.S
15389 --- linux-2.6.35.5/arch/x86/lib/clear_page_64.S 2010-08-26 19:47:12.000000000 -0400
15390 +++ linux-2.6.35.5/arch/x86/lib/clear_page_64.S 2010-09-17 20:12:09.000000000 -0400
15391 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
15393 #include <asm/cpufeature.h>
15395 - .section .altinstr_replacement,"ax"
15396 + .section .altinstr_replacement,"a"
15397 1: .byte 0xeb /* jmp <disp8> */
15398 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
15400 diff -urNp linux-2.6.35.5/arch/x86/lib/copy_page_64.S linux-2.6.35.5/arch/x86/lib/copy_page_64.S
15401 --- linux-2.6.35.5/arch/x86/lib/copy_page_64.S 2010-08-26 19:47:12.000000000 -0400
15402 +++ linux-2.6.35.5/arch/x86/lib/copy_page_64.S 2010-09-17 20:12:09.000000000 -0400
15403 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
15405 #include <asm/cpufeature.h>
15407 - .section .altinstr_replacement,"ax"
15408 + .section .altinstr_replacement,"a"
15409 1: .byte 0xeb /* jmp <disp8> */
15410 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
15412 diff -urNp linux-2.6.35.5/arch/x86/lib/copy_user_64.S linux-2.6.35.5/arch/x86/lib/copy_user_64.S
15413 --- linux-2.6.35.5/arch/x86/lib/copy_user_64.S 2010-08-26 19:47:12.000000000 -0400
15414 +++ linux-2.6.35.5/arch/x86/lib/copy_user_64.S 2010-09-17 20:12:09.000000000 -0400
15415 @@ -15,13 +15,14 @@
15416 #include <asm/asm-offsets.h>
15417 #include <asm/thread_info.h>
15418 #include <asm/cpufeature.h>
15419 +#include <asm/pgtable.h>
15421 .macro ALTERNATIVE_JUMP feature,orig,alt
15423 .byte 0xe9 /* 32bit jump */
15424 .long \orig-1f /* by default jump to orig */
15426 - .section .altinstr_replacement,"ax"
15427 + .section .altinstr_replacement,"a"
15428 2: .byte 0xe9 /* near jump with 32bit immediate */
15429 .long \alt-1b /* offset */ /* or alternatively to alt */
15431 @@ -64,37 +65,13 @@
15435 -/* Standard copy_to_user with segment limit checking */
15436 -ENTRY(_copy_to_user)
15438 - GET_THREAD_INFO(%rax)
15442 - cmpq TI_addr_limit(%rax),%rcx
15444 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15446 -ENDPROC(_copy_to_user)
15448 -/* Standard copy_from_user with segment limit checking */
15449 -ENTRY(_copy_from_user)
15451 - GET_THREAD_INFO(%rax)
15455 - cmpq TI_addr_limit(%rax),%rcx
15456 - jae bad_from_user
15457 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15459 -ENDPROC(_copy_from_user)
15461 .section .fixup,"ax"
15462 /* must zero dest */
15463 ENTRY(bad_from_user)
15471 diff -urNp linux-2.6.35.5/arch/x86/lib/copy_user_nocache_64.S linux-2.6.35.5/arch/x86/lib/copy_user_nocache_64.S
15472 --- linux-2.6.35.5/arch/x86/lib/copy_user_nocache_64.S 2010-08-26 19:47:12.000000000 -0400
15473 +++ linux-2.6.35.5/arch/x86/lib/copy_user_nocache_64.S 2010-09-17 20:12:09.000000000 -0400
15475 #include <asm/current.h>
15476 #include <asm/asm-offsets.h>
15477 #include <asm/thread_info.h>
15478 +#include <asm/pgtable.h>
15480 .macro ALIGN_DESTINATION
15481 #ifdef FIX_ALIGNMENT
15484 ENTRY(__copy_user_nocache)
15487 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15488 + mov $PAX_USER_SHADOW_BASE,%rcx
15496 jb 20f /* less then 8 bytes, go to byte copy loop */
15498 diff -urNp linux-2.6.35.5/arch/x86/lib/csum-wrappers_64.c linux-2.6.35.5/arch/x86/lib/csum-wrappers_64.c
15499 --- linux-2.6.35.5/arch/x86/lib/csum-wrappers_64.c 2010-08-26 19:47:12.000000000 -0400
15500 +++ linux-2.6.35.5/arch/x86/lib/csum-wrappers_64.c 2010-09-17 20:12:09.000000000 -0400
15501 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
15505 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
15506 + src += PAX_USER_SHADOW_BASE;
15507 isum = csum_partial_copy_generic((__force const void *)src,
15508 dst, len, isum, errp, NULL);
15509 if (unlikely(*errp))
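Review bot: The remap `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is added without any `CONFIG_PAX_MEMORY_UDEREF` guard, whereas the equivalent adjustment in getuser.S and putuser.S sits inside `#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)`. With the option off, these two lines are only a no-op if `PAX_USER_SHADOW_BASE` is defined as 0 in that configuration, which is not visible from this hunk. Either wrap both lines in `#ifdef CONFIG_PAX_MEMORY_UDEREF` / `#endif`, or add a comment stating that dependency. The `dst` adjustment in the `csum_partial_copy_to_user` hunk that follows has the same issue; both functions start and end outside their hunks.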
15510 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
15514 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
15515 + dst += PAX_USER_SHADOW_BASE;
15516 return csum_partial_copy_generic(src, (void __force *)dst,
15517 len, isum, NULL, errp);
15519 diff -urNp linux-2.6.35.5/arch/x86/lib/getuser.S linux-2.6.35.5/arch/x86/lib/getuser.S
15520 --- linux-2.6.35.5/arch/x86/lib/getuser.S 2010-08-26 19:47:12.000000000 -0400
15521 +++ linux-2.6.35.5/arch/x86/lib/getuser.S 2010-09-17 20:12:09.000000000 -0400
15522 @@ -33,14 +33,38 @@
15523 #include <asm/asm-offsets.h>
15524 #include <asm/thread_info.h>
15525 #include <asm/asm.h>
15526 +#include <asm/segment.h>
15527 +#include <asm/pgtable.h>
15530 ENTRY(__get_user_1)
15533 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15534 + pushl $(__USER_DS)
15537 GET_THREAD_INFO(%_ASM_DX)
15538 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15541 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15542 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15543 + cmp %_ASM_DX,%_ASM_AX
15545 + add %_ASM_DX,%_ASM_AX
15551 1: movzb (%_ASM_AX),%edx
15553 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
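Review bot: The 64-bit UDEREF block in `__get_user_1` (`mov $PAX_USER_SHADOW_BASE,%_ASM_DX`, `cmp %_ASM_DX,%_ASM_AX`, `add %_ASM_DX,%_ASM_AX`) has no comment explaining the remap, or that it reuses `%_ASM_DX` after the `TI_addr_limit` comparison has consumed the thread_info pointer. A short comment at the top of the block would make the register contract explicit, e.g. `/* UDEREF: pointers below PAX_USER_SHADOW_BASE are redirected into the shadow range; DX is free after the addr_limit check */`. The same sequence is repeated in the `__get_user_2`, `__get_user_4` and `__get_user_8` hunks and again in putuser.S, so the comment (or a shared assembler macro) would apply to all of them. Several lines of each block are not shown in this view, so the branch between the `cmp` and the `add` is assumed rather than seen.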
15561 @@ -49,11 +73,33 @@ ENDPROC(__get_user_1)
15562 ENTRY(__get_user_2)
15566 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15567 + pushl $(__USER_DS)
15571 GET_THREAD_INFO(%_ASM_DX)
15572 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15575 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15576 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15577 + cmp %_ASM_DX,%_ASM_AX
15579 + add %_ASM_DX,%_ASM_AX
15585 2: movzwl -1(%_ASM_AX),%edx
15587 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15595 @@ -62,11 +108,33 @@ ENDPROC(__get_user_2)
15596 ENTRY(__get_user_4)
15600 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15601 + pushl $(__USER_DS)
15605 GET_THREAD_INFO(%_ASM_DX)
15606 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15609 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15610 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15611 + cmp %_ASM_DX,%_ASM_AX
15613 + add %_ASM_DX,%_ASM_AX
15619 3: mov -3(%_ASM_AX),%edx
15621 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15629 @@ -80,6 +148,15 @@ ENTRY(__get_user_8)
15630 GET_THREAD_INFO(%_ASM_DX)
15631 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15634 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15635 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15636 + cmp %_ASM_DX,%_ASM_AX
15638 + add %_ASM_DX,%_ASM_AX
15642 4: movq -7(%_ASM_AX),%_ASM_DX
15645 @@ -89,6 +166,12 @@ ENDPROC(__get_user_8)
15650 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15656 mov $(-EFAULT),%_ASM_AX
15658 diff -urNp linux-2.6.35.5/arch/x86/lib/insn.c linux-2.6.35.5/arch/x86/lib/insn.c
15659 --- linux-2.6.35.5/arch/x86/lib/insn.c 2010-08-26 19:47:12.000000000 -0400
15660 +++ linux-2.6.35.5/arch/x86/lib/insn.c 2010-09-17 20:12:09.000000000 -0400
15662 #include <linux/string.h>
15663 #include <asm/inat.h>
15664 #include <asm/insn.h>
15665 +#include <asm/pgtable_types.h>
15667 #define get_next(t, insn) \
15668 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
15670 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
15672 memset(insn, 0, sizeof(*insn));
15673 - insn->kaddr = kaddr;
15674 - insn->next_byte = kaddr;
15675 + insn->kaddr = ktla_ktva(kaddr);
15676 + insn->next_byte = ktla_ktva(kaddr);
15677 insn->x86_64 = x86_64 ? 1 : 0;
15678 insn->opnd_bytes = 4;
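Review bot: `insn_init()` now runs every `kaddr` through `ktla_ktva()`, but nothing documents that callers must pass a kernel-text address rather than a pointer to a copied instruction buffer. If any caller decodes from a data buffer, the translated pointer would name different bytes whenever the two address views differ; the callers are outside this file section, so this needs checking against each of them. A comment above the function should state the new contract, e.g. `/* kaddr is translated with ktla_ktva(); it must be a kernel text address */`. The translation can also be evaluated once: `insn->kaddr = insn->next_byte = ktla_ktva(kaddr);`.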
15680 diff -urNp linux-2.6.35.5/arch/x86/lib/mmx_32.c linux-2.6.35.5/arch/x86/lib/mmx_32.c
15681 --- linux-2.6.35.5/arch/x86/lib/mmx_32.c 2010-08-26 19:47:12.000000000 -0400
15682 +++ linux-2.6.35.5/arch/x86/lib/mmx_32.c 2010-09-17 20:12:09.000000000 -0400
15683 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
15687 + unsigned long cr0;
15689 if (unlikely(in_interrupt()))
15690 return __memcpy(to, from, len);
15691 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
15692 kernel_fpu_begin();
15694 __asm__ __volatile__ (
15695 - "1: prefetch (%0)\n" /* This set is 28 bytes */
15696 - " prefetch 64(%0)\n"
15697 - " prefetch 128(%0)\n"
15698 - " prefetch 192(%0)\n"
15699 - " prefetch 256(%0)\n"
15700 + "1: prefetch (%1)\n" /* This set is 28 bytes */
15701 + " prefetch 64(%1)\n"
15702 + " prefetch 128(%1)\n"
15703 + " prefetch 192(%1)\n"
15704 + " prefetch 256(%1)\n"
15706 ".section .fixup, \"ax\"\n"
15707 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15710 +#ifdef CONFIG_PAX_KERNEXEC
15711 + " movl %%cr0, %0\n"
15712 + " movl %0, %%eax\n"
15713 + " andl $0xFFFEFFFF, %%eax\n"
15714 + " movl %%eax, %%cr0\n"
15717 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15719 +#ifdef CONFIG_PAX_KERNEXEC
15720 + " movl %0, %%cr0\n"
15725 _ASM_EXTABLE(1b, 3b)
15727 + : "=&r" (cr0) : "r" (from) : "ax");
15729 for ( ; i > 5; i--) {
15730 __asm__ __volatile__ (
15731 - "1: prefetch 320(%0)\n"
15732 - "2: movq (%0), %%mm0\n"
15733 - " movq 8(%0), %%mm1\n"
15734 - " movq 16(%0), %%mm2\n"
15735 - " movq 24(%0), %%mm3\n"
15736 - " movq %%mm0, (%1)\n"
15737 - " movq %%mm1, 8(%1)\n"
15738 - " movq %%mm2, 16(%1)\n"
15739 - " movq %%mm3, 24(%1)\n"
15740 - " movq 32(%0), %%mm0\n"
15741 - " movq 40(%0), %%mm1\n"
15742 - " movq 48(%0), %%mm2\n"
15743 - " movq 56(%0), %%mm3\n"
15744 - " movq %%mm0, 32(%1)\n"
15745 - " movq %%mm1, 40(%1)\n"
15746 - " movq %%mm2, 48(%1)\n"
15747 - " movq %%mm3, 56(%1)\n"
15748 + "1: prefetch 320(%1)\n"
15749 + "2: movq (%1), %%mm0\n"
15750 + " movq 8(%1), %%mm1\n"
15751 + " movq 16(%1), %%mm2\n"
15752 + " movq 24(%1), %%mm3\n"
15753 + " movq %%mm0, (%2)\n"
15754 + " movq %%mm1, 8(%2)\n"
15755 + " movq %%mm2, 16(%2)\n"
15756 + " movq %%mm3, 24(%2)\n"
15757 + " movq 32(%1), %%mm0\n"
15758 + " movq 40(%1), %%mm1\n"
15759 + " movq 48(%1), %%mm2\n"
15760 + " movq 56(%1), %%mm3\n"
15761 + " movq %%mm0, 32(%2)\n"
15762 + " movq %%mm1, 40(%2)\n"
15763 + " movq %%mm2, 48(%2)\n"
15764 + " movq %%mm3, 56(%2)\n"
15765 ".section .fixup, \"ax\"\n"
15766 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15769 +#ifdef CONFIG_PAX_KERNEXEC
15770 + " movl %%cr0, %0\n"
15771 + " movl %0, %%eax\n"
15772 + " andl $0xFFFEFFFF, %%eax\n"
15773 + " movl %%eax, %%cr0\n"
15776 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15778 +#ifdef CONFIG_PAX_KERNEXEC
15779 + " movl %0, %%cr0\n"
15784 _ASM_EXTABLE(1b, 3b)
15785 - : : "r" (from), "r" (to) : "memory");
15786 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
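Review bot: The `CONFIG_PAX_KERNEXEC` fixup paths clear a CR0 bit with the bare mask `$0xFFFEFFFF` and later write the saved value back, and neither the mask nor the reason is commented. A line such as `/* KERNEXEC: kernel text is read-only, so drop CR0.WP (bit 16) while the fixup rewrites the prefetch at 1b into a jmp */` would make the intent reviewable. The visible lines do not mask interrupts around the window in which the bit is clear; if the lines not shown here do not either, an interrupt taken in that window runs with write protection off, so this should be confirmed or stated in the comment. The identical sequence appears in both asm blocks of `_mmx_memcpy` and in both `fast_copy_page` hunks below. `_mmx_memcpy` starts and ends outside this hunk.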
15790 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
15791 static void fast_copy_page(void *to, void *from)
15794 + unsigned long cr0;
15796 kernel_fpu_begin();
15798 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
15799 * but that is for later. -AV
15801 __asm__ __volatile__(
15802 - "1: prefetch (%0)\n"
15803 - " prefetch 64(%0)\n"
15804 - " prefetch 128(%0)\n"
15805 - " prefetch 192(%0)\n"
15806 - " prefetch 256(%0)\n"
15807 + "1: prefetch (%1)\n"
15808 + " prefetch 64(%1)\n"
15809 + " prefetch 128(%1)\n"
15810 + " prefetch 192(%1)\n"
15811 + " prefetch 256(%1)\n"
15813 ".section .fixup, \"ax\"\n"
15814 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15817 +#ifdef CONFIG_PAX_KERNEXEC
15818 + " movl %%cr0, %0\n"
15819 + " movl %0, %%eax\n"
15820 + " andl $0xFFFEFFFF, %%eax\n"
15821 + " movl %%eax, %%cr0\n"
15824 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15826 +#ifdef CONFIG_PAX_KERNEXEC
15827 + " movl %0, %%cr0\n"
15832 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
15833 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
15835 for (i = 0; i < (4096-320)/64; i++) {
15836 __asm__ __volatile__ (
15837 - "1: prefetch 320(%0)\n"
15838 - "2: movq (%0), %%mm0\n"
15839 - " movntq %%mm0, (%1)\n"
15840 - " movq 8(%0), %%mm1\n"
15841 - " movntq %%mm1, 8(%1)\n"
15842 - " movq 16(%0), %%mm2\n"
15843 - " movntq %%mm2, 16(%1)\n"
15844 - " movq 24(%0), %%mm3\n"
15845 - " movntq %%mm3, 24(%1)\n"
15846 - " movq 32(%0), %%mm4\n"
15847 - " movntq %%mm4, 32(%1)\n"
15848 - " movq 40(%0), %%mm5\n"
15849 - " movntq %%mm5, 40(%1)\n"
15850 - " movq 48(%0), %%mm6\n"
15851 - " movntq %%mm6, 48(%1)\n"
15852 - " movq 56(%0), %%mm7\n"
15853 - " movntq %%mm7, 56(%1)\n"
15854 + "1: prefetch 320(%1)\n"
15855 + "2: movq (%1), %%mm0\n"
15856 + " movntq %%mm0, (%2)\n"
15857 + " movq 8(%1), %%mm1\n"
15858 + " movntq %%mm1, 8(%2)\n"
15859 + " movq 16(%1), %%mm2\n"
15860 + " movntq %%mm2, 16(%2)\n"
15861 + " movq 24(%1), %%mm3\n"
15862 + " movntq %%mm3, 24(%2)\n"
15863 + " movq 32(%1), %%mm4\n"
15864 + " movntq %%mm4, 32(%2)\n"
15865 + " movq 40(%1), %%mm5\n"
15866 + " movntq %%mm5, 40(%2)\n"
15867 + " movq 48(%1), %%mm6\n"
15868 + " movntq %%mm6, 48(%2)\n"
15869 + " movq 56(%1), %%mm7\n"
15870 + " movntq %%mm7, 56(%2)\n"
15871 ".section .fixup, \"ax\"\n"
15872 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15875 +#ifdef CONFIG_PAX_KERNEXEC
15876 + " movl %%cr0, %0\n"
15877 + " movl %0, %%eax\n"
15878 + " andl $0xFFFEFFFF, %%eax\n"
15879 + " movl %%eax, %%cr0\n"
15882 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15884 +#ifdef CONFIG_PAX_KERNEXEC
15885 + " movl %0, %%cr0\n"
15890 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
15891 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
15895 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
15896 static void fast_copy_page(void *to, void *from)
15899 + unsigned long cr0;
15901 kernel_fpu_begin();
15903 __asm__ __volatile__ (
15904 - "1: prefetch (%0)\n"
15905 - " prefetch 64(%0)\n"
15906 - " prefetch 128(%0)\n"
15907 - " prefetch 192(%0)\n"
15908 - " prefetch 256(%0)\n"
15909 + "1: prefetch (%1)\n"
15910 + " prefetch 64(%1)\n"
15911 + " prefetch 128(%1)\n"
15912 + " prefetch 192(%1)\n"
15913 + " prefetch 256(%1)\n"
15915 ".section .fixup, \"ax\"\n"
15916 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15919 +#ifdef CONFIG_PAX_KERNEXEC
15920 + " movl %%cr0, %0\n"
15921 + " movl %0, %%eax\n"
15922 + " andl $0xFFFEFFFF, %%eax\n"
15923 + " movl %%eax, %%cr0\n"
15926 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15928 +#ifdef CONFIG_PAX_KERNEXEC
15929 + " movl %0, %%cr0\n"
15934 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
15935 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
15937 for (i = 0; i < 4096/64; i++) {
15938 __asm__ __volatile__ (
15939 - "1: prefetch 320(%0)\n"
15940 - "2: movq (%0), %%mm0\n"
15941 - " movq 8(%0), %%mm1\n"
15942 - " movq 16(%0), %%mm2\n"
15943 - " movq 24(%0), %%mm3\n"
15944 - " movq %%mm0, (%1)\n"
15945 - " movq %%mm1, 8(%1)\n"
15946 - " movq %%mm2, 16(%1)\n"
15947 - " movq %%mm3, 24(%1)\n"
15948 - " movq 32(%0), %%mm0\n"
15949 - " movq 40(%0), %%mm1\n"
15950 - " movq 48(%0), %%mm2\n"
15951 - " movq 56(%0), %%mm3\n"
15952 - " movq %%mm0, 32(%1)\n"
15953 - " movq %%mm1, 40(%1)\n"
15954 - " movq %%mm2, 48(%1)\n"
15955 - " movq %%mm3, 56(%1)\n"
15956 + "1: prefetch 320(%1)\n"
15957 + "2: movq (%1), %%mm0\n"
15958 + " movq 8(%1), %%mm1\n"
15959 + " movq 16(%1), %%mm2\n"
15960 + " movq 24(%1), %%mm3\n"
15961 + " movq %%mm0, (%2)\n"
15962 + " movq %%mm1, 8(%2)\n"
15963 + " movq %%mm2, 16(%2)\n"
15964 + " movq %%mm3, 24(%2)\n"
15965 + " movq 32(%1), %%mm0\n"
15966 + " movq 40(%1), %%mm1\n"
15967 + " movq 48(%1), %%mm2\n"
15968 + " movq 56(%1), %%mm3\n"
15969 + " movq %%mm0, 32(%2)\n"
15970 + " movq %%mm1, 40(%2)\n"
15971 + " movq %%mm2, 48(%2)\n"
15972 + " movq %%mm3, 56(%2)\n"
15973 ".section .fixup, \"ax\"\n"
15974 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15977 +#ifdef CONFIG_PAX_KERNEXEC
15978 + " movl %%cr0, %0\n"
15979 + " movl %0, %%eax\n"
15980 + " andl $0xFFFEFFFF, %%eax\n"
15981 + " movl %%eax, %%cr0\n"
15984 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15986 +#ifdef CONFIG_PAX_KERNEXEC
15987 + " movl %0, %%cr0\n"
15992 _ASM_EXTABLE(1b, 3b)
15993 - : : "r" (from), "r" (to) : "memory");
15994 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
15998 diff -urNp linux-2.6.35.5/arch/x86/lib/putuser.S linux-2.6.35.5/arch/x86/lib/putuser.S
15999 --- linux-2.6.35.5/arch/x86/lib/putuser.S 2010-08-26 19:47:12.000000000 -0400
16000 +++ linux-2.6.35.5/arch/x86/lib/putuser.S 2010-09-17 20:12:09.000000000 -0400
16002 #include <asm/thread_info.h>
16003 #include <asm/errno.h>
16004 #include <asm/asm.h>
16006 +#include <asm/segment.h>
16007 +#include <asm/pgtable.h>
16011 @@ -29,59 +30,162 @@
16012 * as they get called from within inline assembly.
16015 -#define ENTER CFI_STARTPROC ; \
16016 - GET_THREAD_INFO(%_ASM_BX)
16017 +#define ENTER CFI_STARTPROC
16018 #define EXIT ret ; \
16021 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16022 +#define _DEST %_ASM_CX,%_ASM_BX
16024 +#define _DEST %_ASM_CX
16028 ENTRY(__put_user_1)
16031 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16032 + pushl $(__USER_DS)
16035 + GET_THREAD_INFO(%_ASM_BX)
16036 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
16038 -1: movb %al,(%_ASM_CX)
16040 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16041 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16042 + cmp %_ASM_BX,%_ASM_CX
16050 +1: movb %al,(_DEST)
16052 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16059 ENDPROC(__put_user_1)
16061 ENTRY(__put_user_2)
16064 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16065 + pushl $(__USER_DS)
16068 + GET_THREAD_INFO(%_ASM_BX)
16069 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16071 cmp %_ASM_BX,%_ASM_CX
16073 -2: movw %ax,(%_ASM_CX)
16075 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16076 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16077 + cmp %_ASM_BX,%_ASM_CX
16085 +2: movw %ax,(_DEST)
16087 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16094 ENDPROC(__put_user_2)
16096 ENTRY(__put_user_4)
16099 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16100 + pushl $(__USER_DS)
16103 + GET_THREAD_INFO(%_ASM_BX)
16104 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16106 cmp %_ASM_BX,%_ASM_CX
16108 -3: movl %eax,(%_ASM_CX)
16110 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16111 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16112 + cmp %_ASM_BX,%_ASM_CX
16120 +3: movl %eax,(_DEST)
16122 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16129 ENDPROC(__put_user_4)
16131 ENTRY(__put_user_8)
16134 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16135 + pushl $(__USER_DS)
16138 + GET_THREAD_INFO(%_ASM_BX)
16139 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16141 cmp %_ASM_BX,%_ASM_CX
16143 -4: mov %_ASM_AX,(%_ASM_CX)
16145 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16146 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16147 + cmp %_ASM_BX,%_ASM_CX
16155 +4: mov %_ASM_AX,(_DEST)
16156 #ifdef CONFIG_X86_32
16157 -5: movl %edx,4(%_ASM_CX)
16158 +5: movl %edx,4(_DEST)
16161 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16168 ENDPROC(__put_user_8)
16173 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
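Review bot: `_DEST` expands to `%_ASM_CX,%_ASM_BX` on 64-bit UDEREF builds, so every store through `(_DEST)` depends on `%_ASM_BX` holding the intended offset at that instruction, and the definition carries no comment saying so. Suggested comment on the `#define`: `/* base+index: %_ASM_BX must hold the shadow-base offset (or 0) when the store executes */`. The lines between `cmp %_ASM_BX,%_ASM_CX` and each store are not shown in this view, so whether BX is zeroed on the already-in-range path should be checked for all four `__put_user_N` entry points. `ENTER` also no longer loads thread_info, so each entry point now has to issue `GET_THREAD_INFO(%_ASM_BX)` itself, which is worth a note next to the macro.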
16181 diff -urNp linux-2.6.35.5/arch/x86/lib/usercopy_32.c linux-2.6.35.5/arch/x86/lib/usercopy_32.c
16182 --- linux-2.6.35.5/arch/x86/lib/usercopy_32.c 2010-08-26 19:47:12.000000000 -0400
16183 +++ linux-2.6.35.5/arch/x86/lib/usercopy_32.c 2010-09-17 20:12:09.000000000 -0400
16184 @@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
16185 * Copy a null terminated string from userspace.
16188 -#define __do_strncpy_from_user(dst, src, count, res) \
16190 - int __d0, __d1, __d2; \
16192 - __asm__ __volatile__( \
16193 - " testl %1,%1\n" \
16197 - " testb %%al,%%al\n" \
16201 - "1: subl %1,%0\n" \
16203 - ".section .fixup,\"ax\"\n" \
16204 - "3: movl %5,%0\n" \
16207 - _ASM_EXTABLE(0b,3b) \
16208 - : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
16210 - : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
16213 +static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
16215 + int __d0, __d1, __d2;
16216 + long res = -EFAULT;
16219 + __asm__ __volatile__(
16220 + " movw %w10,%%ds\n"
16225 + " testb %%al,%%al\n"
16229 + "1: subl %1,%0\n"
16233 + ".section .fixup,\"ax\"\n"
16234 + "3: movl %5,%0\n"
16237 + _ASM_EXTABLE(0b,3b)
16238 + : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
16240 + : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
16247 * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
16248 @@ -85,9 +92,7 @@ do { \
16250 __strncpy_from_user(char *dst, const char __user *src, long count)
16253 - __do_strncpy_from_user(dst, src, count, res);
16255 + return __do_strncpy_from_user(dst, src, count);
16257 EXPORT_SYMBOL(__strncpy_from_user);
16259 @@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char
16261 long res = -EFAULT;
16262 if (access_ok(VERIFY_READ, src, 1))
16263 - __do_strncpy_from_user(dst, src, count, res);
16264 + res = __do_strncpy_from_user(dst, src, count);
16267 EXPORT_SYMBOL(strncpy_from_user);
16268 @@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
16272 -#define __do_clear_user(addr,size) \
16276 - __asm__ __volatile__( \
16277 - "0: rep; stosl\n" \
16278 - " movl %2,%0\n" \
16279 - "1: rep; stosb\n" \
16281 - ".section .fixup,\"ax\"\n" \
16282 - "3: lea 0(%2,%0,4),%0\n" \
16285 - _ASM_EXTABLE(0b,3b) \
16286 - _ASM_EXTABLE(1b,2b) \
16287 - : "=&c"(size), "=&D" (__d0) \
16288 - : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
16290 +static unsigned long __do_clear_user(void __user *addr, unsigned long size)
16295 + __asm__ __volatile__(
16296 + " movw %w6,%%es\n"
16297 + "0: rep; stosl\n"
16299 + "1: rep; stosb\n"
16303 + ".section .fixup,\"ax\"\n"
16304 + "3: lea 0(%2,%0,4),%0\n"
16307 + _ASM_EXTABLE(0b,3b)
16308 + _ASM_EXTABLE(1b,2b)
16309 + : "=&c"(size), "=&D" (__d0)
16310 + : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
16316 * clear_user: - Zero a block of memory in user space.
16317 @@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
16320 if (access_ok(VERIFY_WRITE, to, n))
16321 - __do_clear_user(to, n);
16322 + n = __do_clear_user(to, n);
16325 EXPORT_SYMBOL(clear_user);
16326 @@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
16328 __clear_user(void __user *to, unsigned long n)
16330 - __do_clear_user(to, n);
16332 + return __do_clear_user(to, n);
16334 EXPORT_SYMBOL(__clear_user);
16336 @@ -200,14 +210,17 @@ long strnlen_user(const char __user *s,
16339 __asm__ __volatile__(
16340 + " movw %w8,%%es\n"
16343 - " andl %0,%%ecx\n"
16344 + " movl %0,%%ecx\n"
16345 "0: repne; scasb\n"
16352 ".section .fixup,\"ax\"\n"
16353 "2: xorl %%eax,%%eax\n"
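Review bot: Replacing `andl %0,%%ecx` with `movl %0,%%ecx` removes the gating of the scan length by `mask`, yet `mask` is still passed as operand `"3"` in the constraint list changed by the next hunk. After this change, the bound on what `repne; scasb` may read appears to rest entirely on the limit of the segment loaded by `movw %w8,%%es`, which the hunk does not document. Add a comment at the `movl`, e.g. `/* range is enforced by the __USER_DS limit in %es, not by mask */`, and confirm that this holds in every configuration that builds this file. If `mask` no longer acts as a guard, say so where it is computed or drop the operand. `strnlen_user` starts and ends outside the hunk.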
16355 @@ -219,7 +232,7 @@ long strnlen_user(const char __user *s,
16358 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
16359 - :"0" (n), "1" (s), "2" (0), "3" (mask)
16360 + :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
16364 @@ -227,10 +240,121 @@ EXPORT_SYMBOL(strnlen_user);
16366 #ifdef CONFIG_X86_INTEL_USERCOPY
16367 static unsigned long
16368 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
16369 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
16372 + __asm__ __volatile__(
16373 + " movw %w6, %%es\n"
16374 + " .align 2,0x90\n"
16375 + "1: movl 32(%4), %%eax\n"
16376 + " cmpl $67, %0\n"
16378 + "2: movl 64(%4), %%eax\n"
16379 + " .align 2,0x90\n"
16380 + "3: movl 0(%4), %%eax\n"
16381 + "4: movl 4(%4), %%edx\n"
16382 + "5: movl %%eax, %%es:0(%3)\n"
16383 + "6: movl %%edx, %%es:4(%3)\n"
16384 + "7: movl 8(%4), %%eax\n"
16385 + "8: movl 12(%4),%%edx\n"
16386 + "9: movl %%eax, %%es:8(%3)\n"
16387 + "10: movl %%edx, %%es:12(%3)\n"
16388 + "11: movl 16(%4), %%eax\n"
16389 + "12: movl 20(%4), %%edx\n"
16390 + "13: movl %%eax, %%es:16(%3)\n"
16391 + "14: movl %%edx, %%es:20(%3)\n"
16392 + "15: movl 24(%4), %%eax\n"
16393 + "16: movl 28(%4), %%edx\n"
16394 + "17: movl %%eax, %%es:24(%3)\n"
16395 + "18: movl %%edx, %%es:28(%3)\n"
16396 + "19: movl 32(%4), %%eax\n"
16397 + "20: movl 36(%4), %%edx\n"
16398 + "21: movl %%eax, %%es:32(%3)\n"
16399 + "22: movl %%edx, %%es:36(%3)\n"
16400 + "23: movl 40(%4), %%eax\n"
16401 + "24: movl 44(%4), %%edx\n"
16402 + "25: movl %%eax, %%es:40(%3)\n"
16403 + "26: movl %%edx, %%es:44(%3)\n"
16404 + "27: movl 48(%4), %%eax\n"
16405 + "28: movl 52(%4), %%edx\n"
16406 + "29: movl %%eax, %%es:48(%3)\n"
16407 + "30: movl %%edx, %%es:52(%3)\n"
16408 + "31: movl 56(%4), %%eax\n"
16409 + "32: movl 60(%4), %%edx\n"
16410 + "33: movl %%eax, %%es:56(%3)\n"
16411 + "34: movl %%edx, %%es:60(%3)\n"
16412 + " addl $-64, %0\n"
16413 + " addl $64, %4\n"
16414 + " addl $64, %3\n"
16415 + " cmpl $63, %0\n"
16417 + "35: movl %0, %%eax\n"
16419 + " andl $3, %%eax\n"
16421 + "99: rep; movsl\n"
16422 + "36: movl %%eax, %0\n"
16423 + "37: rep; movsb\n"
16427 + ".section .fixup,\"ax\"\n"
16428 + "101: lea 0(%%eax,%0,4),%0\n"
16431 + ".section __ex_table,\"a\"\n"
16433 + " .long 1b,100b\n"
16434 + " .long 2b,100b\n"
16435 + " .long 3b,100b\n"
16436 + " .long 4b,100b\n"
16437 + " .long 5b,100b\n"
16438 + " .long 6b,100b\n"
16439 + " .long 7b,100b\n"
16440 + " .long 8b,100b\n"
16441 + " .long 9b,100b\n"
16442 + " .long 10b,100b\n"
16443 + " .long 11b,100b\n"
16444 + " .long 12b,100b\n"
16445 + " .long 13b,100b\n"
16446 + " .long 14b,100b\n"
16447 + " .long 15b,100b\n"
16448 + " .long 16b,100b\n"
16449 + " .long 17b,100b\n"
16450 + " .long 18b,100b\n"
16451 + " .long 19b,100b\n"
16452 + " .long 20b,100b\n"
16453 + " .long 21b,100b\n"
16454 + " .long 22b,100b\n"
16455 + " .long 23b,100b\n"
16456 + " .long 24b,100b\n"
16457 + " .long 25b,100b\n"
16458 + " .long 26b,100b\n"
16459 + " .long 27b,100b\n"
16460 + " .long 28b,100b\n"
16461 + " .long 29b,100b\n"
16462 + " .long 30b,100b\n"
16463 + " .long 31b,100b\n"
16464 + " .long 32b,100b\n"
16465 + " .long 33b,100b\n"
16466 + " .long 34b,100b\n"
16467 + " .long 35b,100b\n"
16468 + " .long 36b,100b\n"
16469 + " .long 37b,100b\n"
16470 + " .long 99b,101b\n"
16472 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
16473 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16474 + : "eax", "edx", "memory");
16478 +static unsigned long
16479 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
16482 __asm__ __volatile__(
16483 + " movw %w6, %%ds\n"
16485 "1: movl 32(%4), %%eax\n"
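Review bot: The new `__generic_copy_to_user_intel` reloads `%es` at entry (`movw %w6, %%es`) and `__generic_copy_from_user_intel` reloads `%ds`, but neither has a header comment naming the segment register it changes or stating that it is restored on both the normal and the `.fixup` exit. The restore instructions are not shown in this view, so that invariant cannot be checked from the hunk. Suggested comment above each function: `/* loads __USER_DS into %es (to_user) or %ds (from_user) for the copy; both exits must restore the kernel segment */`. The to_user body is otherwise a near copy of the from_user loop, so a note on which lines differ would help keep the two in step. `__generic_copy_from_user_intel` continues outside the hunk.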
16487 @@ -239,36 +363,36 @@ __copy_user_intel(void __user *to, const
16489 "3: movl 0(%4), %%eax\n"
16490 "4: movl 4(%4), %%edx\n"
16491 - "5: movl %%eax, 0(%3)\n"
16492 - "6: movl %%edx, 4(%3)\n"
16493 + "5: movl %%eax, %%es:0(%3)\n"
16494 + "6: movl %%edx, %%es:4(%3)\n"
16495 "7: movl 8(%4), %%eax\n"
16496 "8: movl 12(%4),%%edx\n"
16497 - "9: movl %%eax, 8(%3)\n"
16498 - "10: movl %%edx, 12(%3)\n"
16499 + "9: movl %%eax, %%es:8(%3)\n"
16500 + "10: movl %%edx, %%es:12(%3)\n"
16501 "11: movl 16(%4), %%eax\n"
16502 "12: movl 20(%4), %%edx\n"
16503 - "13: movl %%eax, 16(%3)\n"
16504 - "14: movl %%edx, 20(%3)\n"
16505 + "13: movl %%eax, %%es:16(%3)\n"
16506 + "14: movl %%edx, %%es:20(%3)\n"
16507 "15: movl 24(%4), %%eax\n"
16508 "16: movl 28(%4), %%edx\n"
16509 - "17: movl %%eax, 24(%3)\n"
16510 - "18: movl %%edx, 28(%3)\n"
16511 + "17: movl %%eax, %%es:24(%3)\n"
16512 + "18: movl %%edx, %%es:28(%3)\n"
16513 "19: movl 32(%4), %%eax\n"
16514 "20: movl 36(%4), %%edx\n"
16515 - "21: movl %%eax, 32(%3)\n"
16516 - "22: movl %%edx, 36(%3)\n"
16517 + "21: movl %%eax, %%es:32(%3)\n"
16518 + "22: movl %%edx, %%es:36(%3)\n"
16519 "23: movl 40(%4), %%eax\n"
16520 "24: movl 44(%4), %%edx\n"
16521 - "25: movl %%eax, 40(%3)\n"
16522 - "26: movl %%edx, 44(%3)\n"
16523 + "25: movl %%eax, %%es:40(%3)\n"
16524 + "26: movl %%edx, %%es:44(%3)\n"
16525 "27: movl 48(%4), %%eax\n"
16526 "28: movl 52(%4), %%edx\n"
16527 - "29: movl %%eax, 48(%3)\n"
16528 - "30: movl %%edx, 52(%3)\n"
16529 + "29: movl %%eax, %%es:48(%3)\n"
16530 + "30: movl %%edx, %%es:52(%3)\n"
16531 "31: movl 56(%4), %%eax\n"
16532 "32: movl 60(%4), %%edx\n"
16533 - "33: movl %%eax, 56(%3)\n"
16534 - "34: movl %%edx, 60(%3)\n"
16535 + "33: movl %%eax, %%es:56(%3)\n"
16536 + "34: movl %%edx, %%es:60(%3)\n"
16540 @@ -282,6 +406,8 @@ __copy_user_intel(void __user *to, const
16541 "36: movl %%eax, %0\n"
16546 ".section .fixup,\"ax\"\n"
16547 "101: lea 0(%%eax,%0,4),%0\n"
16549 @@ -328,7 +454,7 @@ __copy_user_intel(void __user *to, const
16550 " .long 99b,101b\n"
16552 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16553 - : "1"(to), "2"(from), "0"(size)
16554 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16555 : "eax", "edx", "memory");
16558 @@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
16561 __asm__ __volatile__(
16562 + " movw %w6, %%ds\n"
16564 "0: movl 32(%4), %%eax\n"
16566 @@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
16568 "2: movl 0(%4), %%eax\n"
16569 "21: movl 4(%4), %%edx\n"
16570 - " movl %%eax, 0(%3)\n"
16571 - " movl %%edx, 4(%3)\n"
16572 + " movl %%eax, %%es:0(%3)\n"
16573 + " movl %%edx, %%es:4(%3)\n"
16574 "3: movl 8(%4), %%eax\n"
16575 "31: movl 12(%4),%%edx\n"
16576 - " movl %%eax, 8(%3)\n"
16577 - " movl %%edx, 12(%3)\n"
16578 + " movl %%eax, %%es:8(%3)\n"
16579 + " movl %%edx, %%es:12(%3)\n"
16580 "4: movl 16(%4), %%eax\n"
16581 "41: movl 20(%4), %%edx\n"
16582 - " movl %%eax, 16(%3)\n"
16583 - " movl %%edx, 20(%3)\n"
16584 + " movl %%eax, %%es:16(%3)\n"
16585 + " movl %%edx, %%es:20(%3)\n"
16586 "10: movl 24(%4), %%eax\n"
16587 "51: movl 28(%4), %%edx\n"
16588 - " movl %%eax, 24(%3)\n"
16589 - " movl %%edx, 28(%3)\n"
16590 + " movl %%eax, %%es:24(%3)\n"
16591 + " movl %%edx, %%es:28(%3)\n"
16592 "11: movl 32(%4), %%eax\n"
16593 "61: movl 36(%4), %%edx\n"
16594 - " movl %%eax, 32(%3)\n"
16595 - " movl %%edx, 36(%3)\n"
16596 + " movl %%eax, %%es:32(%3)\n"
16597 + " movl %%edx, %%es:36(%3)\n"
16598 "12: movl 40(%4), %%eax\n"
16599 "71: movl 44(%4), %%edx\n"
16600 - " movl %%eax, 40(%3)\n"
16601 - " movl %%edx, 44(%3)\n"
16602 + " movl %%eax, %%es:40(%3)\n"
16603 + " movl %%edx, %%es:44(%3)\n"
16604 "13: movl 48(%4), %%eax\n"
16605 "81: movl 52(%4), %%edx\n"
16606 - " movl %%eax, 48(%3)\n"
16607 - " movl %%edx, 52(%3)\n"
16608 + " movl %%eax, %%es:48(%3)\n"
16609 + " movl %%edx, %%es:52(%3)\n"
16610 "14: movl 56(%4), %%eax\n"
16611 "91: movl 60(%4), %%edx\n"
16612 - " movl %%eax, 56(%3)\n"
16613 - " movl %%edx, 60(%3)\n"
16614 + " movl %%eax, %%es:56(%3)\n"
16615 + " movl %%edx, %%es:60(%3)\n"
16619 @@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
16625 ".section .fixup,\"ax\"\n"
16626 "9: lea 0(%%eax,%0,4),%0\n"
16628 @@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
16631 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16632 - : "1"(to), "2"(from), "0"(size)
16633 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16634 : "eax", "edx", "memory");
16637 @@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
16640 __asm__ __volatile__(
16641 + " movw %w6, %%ds\n"
16643 "0: movl 32(%4), %%eax\n"
16645 @@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
16647 "2: movl 0(%4), %%eax\n"
16648 "21: movl 4(%4), %%edx\n"
16649 - " movnti %%eax, 0(%3)\n"
16650 - " movnti %%edx, 4(%3)\n"
16651 + " movnti %%eax, %%es:0(%3)\n"
16652 + " movnti %%edx, %%es:4(%3)\n"
16653 "3: movl 8(%4), %%eax\n"
16654 "31: movl 12(%4),%%edx\n"
16655 - " movnti %%eax, 8(%3)\n"
16656 - " movnti %%edx, 12(%3)\n"
16657 + " movnti %%eax, %%es:8(%3)\n"
16658 + " movnti %%edx, %%es:12(%3)\n"
16659 "4: movl 16(%4), %%eax\n"
16660 "41: movl 20(%4), %%edx\n"
16661 - " movnti %%eax, 16(%3)\n"
16662 - " movnti %%edx, 20(%3)\n"
16663 + " movnti %%eax, %%es:16(%3)\n"
16664 + " movnti %%edx, %%es:20(%3)\n"
16665 "10: movl 24(%4), %%eax\n"
16666 "51: movl 28(%4), %%edx\n"
16667 - " movnti %%eax, 24(%3)\n"
16668 - " movnti %%edx, 28(%3)\n"
16669 + " movnti %%eax, %%es:24(%3)\n"
16670 + " movnti %%edx, %%es:28(%3)\n"
16671 "11: movl 32(%4), %%eax\n"
16672 "61: movl 36(%4), %%edx\n"
16673 - " movnti %%eax, 32(%3)\n"
16674 - " movnti %%edx, 36(%3)\n"
16675 + " movnti %%eax, %%es:32(%3)\n"
16676 + " movnti %%edx, %%es:36(%3)\n"
16677 "12: movl 40(%4), %%eax\n"
16678 "71: movl 44(%4), %%edx\n"
16679 - " movnti %%eax, 40(%3)\n"
16680 - " movnti %%edx, 44(%3)\n"
16681 + " movnti %%eax, %%es:40(%3)\n"
16682 + " movnti %%edx, %%es:44(%3)\n"
16683 "13: movl 48(%4), %%eax\n"
16684 "81: movl 52(%4), %%edx\n"
16685 - " movnti %%eax, 48(%3)\n"
16686 - " movnti %%edx, 52(%3)\n"
16687 + " movnti %%eax, %%es:48(%3)\n"
16688 + " movnti %%edx, %%es:52(%3)\n"
16689 "14: movl 56(%4), %%eax\n"
16690 "91: movl 60(%4), %%edx\n"
16691 - " movnti %%eax, 56(%3)\n"
16692 - " movnti %%edx, 60(%3)\n"
16693 + " movnti %%eax, %%es:56(%3)\n"
16694 + " movnti %%edx, %%es:60(%3)\n"
16698 @@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
16704 ".section .fixup,\"ax\"\n"
16705 "9: lea 0(%%eax,%0,4),%0\n"
16707 @@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
16710 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16711 - : "1"(to), "2"(from), "0"(size)
16712 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16713 : "eax", "edx", "memory");
16716 @@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
16719 __asm__ __volatile__(
16720 + " movw %w6, %%ds\n"
16722 "0: movl 32(%4), %%eax\n"
16724 @@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
16726 "2: movl 0(%4), %%eax\n"
16727 "21: movl 4(%4), %%edx\n"
16728 - " movnti %%eax, 0(%3)\n"
16729 - " movnti %%edx, 4(%3)\n"
16730 + " movnti %%eax, %%es:0(%3)\n"
16731 + " movnti %%edx, %%es:4(%3)\n"
16732 "3: movl 8(%4), %%eax\n"
16733 "31: movl 12(%4),%%edx\n"
16734 - " movnti %%eax, 8(%3)\n"
16735 - " movnti %%edx, 12(%3)\n"
16736 + " movnti %%eax, %%es:8(%3)\n"
16737 + " movnti %%edx, %%es:12(%3)\n"
16738 "4: movl 16(%4), %%eax\n"
16739 "41: movl 20(%4), %%edx\n"
16740 - " movnti %%eax, 16(%3)\n"
16741 - " movnti %%edx, 20(%3)\n"
16742 + " movnti %%eax, %%es:16(%3)\n"
16743 + " movnti %%edx, %%es:20(%3)\n"
16744 "10: movl 24(%4), %%eax\n"
16745 "51: movl 28(%4), %%edx\n"
16746 - " movnti %%eax, 24(%3)\n"
16747 - " movnti %%edx, 28(%3)\n"
16748 + " movnti %%eax, %%es:24(%3)\n"
16749 + " movnti %%edx, %%es:28(%3)\n"
16750 "11: movl 32(%4), %%eax\n"
16751 "61: movl 36(%4), %%edx\n"
16752 - " movnti %%eax, 32(%3)\n"
16753 - " movnti %%edx, 36(%3)\n"
16754 + " movnti %%eax, %%es:32(%3)\n"
16755 + " movnti %%edx, %%es:36(%3)\n"
16756 "12: movl 40(%4), %%eax\n"
16757 "71: movl 44(%4), %%edx\n"
16758 - " movnti %%eax, 40(%3)\n"
16759 - " movnti %%edx, 44(%3)\n"
16760 + " movnti %%eax, %%es:40(%3)\n"
16761 + " movnti %%edx, %%es:44(%3)\n"
16762 "13: movl 48(%4), %%eax\n"
16763 "81: movl 52(%4), %%edx\n"
16764 - " movnti %%eax, 48(%3)\n"
16765 - " movnti %%edx, 52(%3)\n"
16766 + " movnti %%eax, %%es:48(%3)\n"
16767 + " movnti %%edx, %%es:52(%3)\n"
16768 "14: movl 56(%4), %%eax\n"
16769 "91: movl 60(%4), %%edx\n"
16770 - " movnti %%eax, 56(%3)\n"
16771 - " movnti %%edx, 60(%3)\n"
16772 + " movnti %%eax, %%es:56(%3)\n"
16773 + " movnti %%edx, %%es:60(%3)\n"
16777 @@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
16783 ".section .fixup,\"ax\"\n"
16784 "9: lea 0(%%eax,%0,4),%0\n"
16786 @@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
16789 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16790 - : "1"(to), "2"(from), "0"(size)
16791 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16792 : "eax", "edx", "memory");
16795 @@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
16797 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
16798 unsigned long size);
16799 -unsigned long __copy_user_intel(void __user *to, const void *from,
16800 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
16801 + unsigned long size);
16802 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
16803 unsigned long size);
16804 unsigned long __copy_user_zeroing_intel_nocache(void *to,
16805 const void __user *from, unsigned long size);
16806 #endif /* CONFIG_X86_INTEL_USERCOPY */
16808 /* Generic arbitrary sized copy. */
16809 -#define __copy_user(to, from, size) \
16811 - int __d0, __d1, __d2; \
16812 - __asm__ __volatile__( \
16815 - " movl %1,%0\n" \
16817 - " andl $7,%0\n" \
16818 - " subl %0,%3\n" \
16819 - "4: rep; movsb\n" \
16820 - " movl %3,%0\n" \
16821 - " shrl $2,%0\n" \
16822 - " andl $3,%3\n" \
16823 - " .align 2,0x90\n" \
16824 - "0: rep; movsl\n" \
16825 - " movl %3,%0\n" \
16826 - "1: rep; movsb\n" \
16828 - ".section .fixup,\"ax\"\n" \
16829 - "5: addl %3,%0\n" \
16831 - "3: lea 0(%3,%0,4),%0\n" \
16834 - ".section __ex_table,\"a\"\n" \
16836 - " .long 4b,5b\n" \
16837 - " .long 0b,3b\n" \
16838 - " .long 1b,2b\n" \
16840 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
16841 - : "3"(size), "0"(size), "1"(to), "2"(from) \
16845 -#define __copy_user_zeroing(to, from, size) \
16847 - int __d0, __d1, __d2; \
16848 - __asm__ __volatile__( \
16851 - " movl %1,%0\n" \
16853 - " andl $7,%0\n" \
16854 - " subl %0,%3\n" \
16855 - "4: rep; movsb\n" \
16856 - " movl %3,%0\n" \
16857 - " shrl $2,%0\n" \
16858 - " andl $3,%3\n" \
16859 - " .align 2,0x90\n" \
16860 - "0: rep; movsl\n" \
16861 - " movl %3,%0\n" \
16862 - "1: rep; movsb\n" \
16864 - ".section .fixup,\"ax\"\n" \
16865 - "5: addl %3,%0\n" \
16867 - "3: lea 0(%3,%0,4),%0\n" \
16868 - "6: pushl %0\n" \
16869 - " pushl %%eax\n" \
16870 - " xorl %%eax,%%eax\n" \
16871 - " rep; stosb\n" \
16872 - " popl %%eax\n" \
16876 - ".section __ex_table,\"a\"\n" \
16878 - " .long 4b,5b\n" \
16879 - " .long 0b,3b\n" \
16880 - " .long 1b,6b\n" \
16882 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
16883 - : "3"(size), "0"(size), "1"(to), "2"(from) \
16886 +static unsigned long
16887 +__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
16889 + int __d0, __d1, __d2;
16891 + __asm__ __volatile__(
16892 + " movw %w8,%%es\n"
16899 + "4: rep; movsb\n"
16903 + " .align 2,0x90\n"
16904 + "0: rep; movsl\n"
16906 + "1: rep; movsb\n"
16910 + ".section .fixup,\"ax\"\n"
16911 + "5: addl %3,%0\n"
16913 + "3: lea 0(%3,%0,4),%0\n"
16916 + ".section __ex_table,\"a\"\n"
16922 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
16923 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
16928 +static unsigned long
16929 +__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
16931 + int __d0, __d1, __d2;
16933 + __asm__ __volatile__(
16934 + " movw %w8,%%ds\n"
16941 + "4: rep; movsb\n"
16945 + " .align 2,0x90\n"
16946 + "0: rep; movsl\n"
16948 + "1: rep; movsb\n"
16952 + ".section .fixup,\"ax\"\n"
16953 + "5: addl %3,%0\n"
16955 + "3: lea 0(%3,%0,4),%0\n"
16958 + ".section __ex_table,\"a\"\n"
16964 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
16965 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
16970 +static unsigned long
16971 +__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
16973 + int __d0, __d1, __d2;
16975 + __asm__ __volatile__(
16976 + " movw %w8,%%ds\n"
16983 + "4: rep; movsb\n"
16987 + " .align 2,0x90\n"
16988 + "0: rep; movsl\n"
16990 + "1: rep; movsb\n"
16994 + ".section .fixup,\"ax\"\n"
16995 + "5: addl %3,%0\n"
16997 + "3: lea 0(%3,%0,4),%0\n"
17000 + " xorl %%eax,%%eax\n"
17006 + ".section __ex_table,\"a\"\n"
17012 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17013 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17018 unsigned long __copy_to_user_ll(void __user *to, const void *from,
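Review bot: The three new functions refer to the segment selector as `%w8`, a position that is only right because four outputs and four inputs precede `"r"(__USER_DS)`; adding or removing an operand later can make `movw` load an unrelated register into `%es` or `%ds` without any compiler diagnostic. A named operand keeps the link explicit: declare it as `[uds] "r"(__USER_DS)` and use `movw %w[uds],%%es`. The same applies to `%w6` in the `__copy_user_*_intel_nocache` hunks above. Only part of each asm body is visible in this excerpt, so the remaining `%N` references need checking when converting.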
17020 @@ -775,9 +966,9 @@ survive:
17023 if (movsl_is_ok(to, from, n))
17024 - __copy_user(to, from, n);
17025 + n = __generic_copy_to_user(to, from, n);
17027 - n = __copy_user_intel(to, from, n);
17028 + n = __generic_copy_to_user_intel(to, from, n);
17031 EXPORT_SYMBOL(__copy_to_user_ll);
17032 @@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
17035 if (movsl_is_ok(to, from, n))
17036 - __copy_user_zeroing(to, from, n);
17037 + n = __copy_user_zeroing(to, from, n);
17039 n = __copy_user_zeroing_intel(to, from, n);
17041 @@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
17044 if (movsl_is_ok(to, from, n))
17045 - __copy_user(to, from, n);
17046 + n = __generic_copy_from_user(to, from, n);
17048 - n = __copy_user_intel((void __user *)to,
17049 - (const void *)from, n);
17050 + n = __generic_copy_from_user_intel(to, from, n);
17053 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
17054 @@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
17055 if (n > 64 && cpu_has_xmm2)
17056 n = __copy_user_zeroing_intel_nocache(to, from, n);
17058 - __copy_user_zeroing(to, from, n);
17059 + n = __copy_user_zeroing(to, from, n);
17061 - __copy_user_zeroing(to, from, n);
17062 + n = __copy_user_zeroing(to, from, n);
17066 @@ -827,65 +1017,53 @@ unsigned long __copy_from_user_ll_nocach
17067 if (n > 64 && cpu_has_xmm2)
17068 n = __copy_user_intel_nocache(to, from, n);
17070 - __copy_user(to, from, n);
17071 + n = __generic_copy_from_user(to, from, n);
17073 - __copy_user(to, from, n);
17074 + n = __generic_copy_from_user(to, from, n);
17078 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
17081 - * copy_to_user: - Copy a block of data into user space.
17082 - * @to: Destination address, in user space.
17083 - * @from: Source address, in kernel space.
17084 - * @n: Number of bytes to copy.
17086 - * Context: User context only. This function may sleep.
17088 - * Copy data from kernel space to user space.
17090 - * Returns number of bytes that could not be copied.
17091 - * On success, this will be zero.
17094 -copy_to_user(void __user *to, const void *from, unsigned long n)
17095 +void copy_from_user_overflow(void)
17097 - if (access_ok(VERIFY_WRITE, to, n))
17098 - n = __copy_to_user(to, from, n);
17100 + WARN(1, "Buffer overflow detected!\n");
17102 -EXPORT_SYMBOL(copy_to_user);
17103 +EXPORT_SYMBOL(copy_from_user_overflow);
17106 - * copy_from_user: - Copy a block of data from user space.
17107 - * @to: Destination address, in kernel space.
17108 - * @from: Source address, in user space.
17109 - * @n: Number of bytes to copy.
17111 - * Context: User context only. This function may sleep.
17113 - * Copy data from user space to kernel space.
17115 - * Returns number of bytes that could not be copied.
17116 - * On success, this will be zero.
17118 - * If some data could not be copied, this function will pad the copied
17119 - * data to the requested size using zero bytes.
17122 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17123 +void copy_to_user_overflow(void)
17125 - if (access_ok(VERIFY_READ, from, n))
17126 - n = __copy_from_user(to, from, n);
17128 - memset(to, 0, n);
17130 + WARN(1, "Buffer overflow detected!\n");
17132 -EXPORT_SYMBOL(_copy_from_user);
17133 +EXPORT_SYMBOL(copy_to_user_overflow);
17135 -void copy_from_user_overflow(void)
17136 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17137 +void __set_fs(mm_segment_t x, int cpu)
17139 - WARN(1, "Buffer overflow detected!\n");
17140 + unsigned long limit = x.seg;
17141 + struct desc_struct d;
17143 + current_thread_info()->addr_limit = x;
17144 + if (unlikely(paravirt_enabled()))
17147 + if (likely(limit))
17148 + limit = (limit - 1UL) >> PAGE_SHIFT;
17149 + pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
17150 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
17152 -EXPORT_SYMBOL(copy_from_user_overflow);
17154 +void set_fs(mm_segment_t x)
17156 + __set_fs(x, get_cpu());
17159 +EXPORT_SYMBOL(copy_from_user);
17161 +void set_fs(mm_segment_t x)
17163 + current_thread_info()->addr_limit = x;
17167 +EXPORT_SYMBOL(set_fs);
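Review bot: `EXPORT_SYMBOL(copy_from_user);` directly after the UDEREF variant of `set_fs` looks misplaced: as far as the visible lines show it sits inside the `#ifdef CONFIG_PAX_MEMORY_UDEREF` branch, so the symbol would be exported only with that option set, while the same hunk removes the out-of-line `_copy_from_user` and its export unconditionally. If an out-of-line `copy_from_user` is defined elsewhere in the patch, the export belongs next to that definition and outside the config branch; if not, it should be dropped. Separately, the `0xF3` and `0xC` passed to `pack_descriptor` in `__set_fs` deserve a comment naming what they encode, e.g. `/* present, DPL 3, writable data; 4 KiB granularity, 32-bit */`.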
17168 diff -urNp linux-2.6.35.5/arch/x86/lib/usercopy_64.c linux-2.6.35.5/arch/x86/lib/usercopy_64.c
17169 --- linux-2.6.35.5/arch/x86/lib/usercopy_64.c 2010-08-26 19:47:12.000000000 -0400
17170 +++ linux-2.6.35.5/arch/x86/lib/usercopy_64.c 2010-09-17 20:12:09.000000000 -0400
17171 @@ -42,6 +42,8 @@ long
17172 __strncpy_from_user(char *dst, const char __user *src, long count)
17175 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17176 + src += PAX_USER_SHADOW_BASE;
17177 __do_strncpy_from_user(dst, src, count, res);
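Review bot: The compare-and-add `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is open-coded here and again for `addr` in `__clear_user` and for `to` and `from` in `copy_in_user`, so a later uaccess routine that forgets it gets no hint at compile time. A small helper that takes the `__user` pointer and returns the shadow-mapped one would keep the rule in one place and give it a name. Its comment should say why pointers already at or above the base are left unchanged. Each of the three function bodies extends beyond its hunk.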
17180 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17184 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17185 + addr += PAX_USER_SHADOW_BASE;
17186 /* no memory constraint because it doesn't change any memory gcc knows
17189 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17191 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17193 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17194 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17195 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17196 + to += PAX_USER_SHADOW_BASE;
17197 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17198 + from += PAX_USER_SHADOW_BASE;
17199 return copy_user_generic((__force void *)to, (__force void *)from, len);
17205 EXPORT_SYMBOL(copy_in_user);
17207 diff -urNp linux-2.6.35.5/arch/x86/Makefile linux-2.6.35.5/arch/x86/Makefile
17208 --- linux-2.6.35.5/arch/x86/Makefile 2010-08-26 19:47:12.000000000 -0400
17209 +++ linux-2.6.35.5/arch/x86/Makefile 2010-09-17 20:12:09.000000000 -0400
17210 @@ -191,3 +191,12 @@ define archhelp
17211 echo ' FDARGS="..." arguments for the booted kernel'
17212 echo ' FDINITRD=file initrd for the booted kernel'
17217 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17218 +*** Please upgrade your binutils to 2.18 or newer
17222 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
17223 diff -urNp linux-2.6.35.5/arch/x86/mm/extable.c linux-2.6.35.5/arch/x86/mm/extable.c
17224 --- linux-2.6.35.5/arch/x86/mm/extable.c 2010-08-26 19:47:12.000000000 -0400
17225 +++ linux-2.6.35.5/arch/x86/mm/extable.c 2010-09-17 20:12:09.000000000 -0400
17227 #include <linux/module.h>
17228 #include <linux/spinlock.h>
17229 +#include <linux/sort.h>
17230 #include <asm/uaccess.h>
17231 +#include <asm/pgtable.h>
17234 + * The exception table needs to be sorted so that the binary
17235 + * search that we use to find entries in it works properly.
17236 + * This is used both for the kernel exception table and for
17237 + * the exception tables of modules that get loaded.
17239 +static int cmp_ex(const void *a, const void *b)
17241 + const struct exception_table_entry *x = a, *y = b;
17243 + /* avoid overflow */
17244 + if (x->insn > y->insn)
17246 + if (x->insn < y->insn)
17251 +static void swap_ex(void *a, void *b, int size)
17253 + struct exception_table_entry t, *x = a, *y = b;
17257 + pax_open_kernel();
17260 + pax_close_kernel();
17263 +void sort_extable(struct exception_table_entry *start,
17264 + struct exception_table_entry *finish)
17266 + sort(start, finish - start, sizeof(struct exception_table_entry),
17267 + cmp_ex, swap_ex);
17270 +#ifdef CONFIG_MODULES
17272 + * If the exception table is sorted, any referring to the module init
17273 + * will be at the beginning or the end.
17275 +void trim_init_extable(struct module *m)
17277 + /*trim the beginning*/
17278 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17280 + m->num_exentries--;
17283 + while (m->num_exentries &&
17284 + within_module_init(m->extable[m->num_exentries-1].insn, m))
17285 + m->num_exentries--;
17287 +#endif /* CONFIG_MODULES */
17289 int fixup_exception(struct pt_regs *regs)
17291 const struct exception_table_entry *fixup;
17293 #ifdef CONFIG_PNPBIOS
17294 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17295 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17296 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17297 extern u32 pnp_bios_is_utter_crap;
17298 pnp_bios_is_utter_crap = 1;
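Review bot: The `!v8086_mode(regs)` test added to `fixup_exception` has no comment, and its reason is not evident from the line itself. Presumably in virtual-8086 mode `regs->cs` holds a real-mode segment value chosen by the task, which could otherwise compare equal to a PnP BIOS selector and take the BIOS-fault path. A comment above the condition would record that, for example `/* in vm86 mode regs->cs is a real-mode segment, not a GDT selector */`. `swap_ex` has the same gap: `pax_open_kernel()` and `pax_close_kernel()` bracket the swap without saying that the table is expected to be write-protected. `fixup_exception` continues past the end of the hunk.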
17299 diff -urNp linux-2.6.35.5/arch/x86/mm/fault.c linux-2.6.35.5/arch/x86/mm/fault.c
17300 --- linux-2.6.35.5/arch/x86/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
17301 +++ linux-2.6.35.5/arch/x86/mm/fault.c 2010-09-17 20:12:37.000000000 -0400
17302 @@ -11,10 +11,19 @@
17303 #include <linux/kprobes.h> /* __kprobes, ... */
17304 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
17305 #include <linux/perf_event.h> /* perf_sw_event */
17306 +#include <linux/unistd.h>
17307 +#include <linux/compiler.h>
17309 #include <asm/traps.h> /* dotraplinkage, ... */
17310 #include <asm/pgalloc.h> /* pgd_*(), ... */
17311 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17312 +#include <asm/vsyscall.h>
17313 +#include <asm/tlbflush.h>
17315 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17316 +#include <asm/stacktrace.h>
17317 +#include "../kernel/dumpstack.h"
17321 * Page fault error code bits:
17322 @@ -52,7 +61,7 @@ static inline int __kprobes notify_page_
17325 /* kprobe_running() needs smp_processor_id() */
17326 - if (kprobes_built_in() && !user_mode_vm(regs)) {
17327 + if (kprobes_built_in() && !user_mode(regs)) {
17329 if (kprobe_running() && kprobe_fault_handler(regs, 14))
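Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` here, and again in `do_page_fault` (@@ -1020,7 +1280,7), is only equivalent if this tree's `user_mode()` also reports virtual-8086 frames as user mode, and that definition is not part of these hunks. If it does not, a fault taken in vm86 mode would be handled as a kernel-mode fault in both places. A short comment at one of the call sites, or a reference in the change description to the header that redefines `user_mode()`, would let a reader verify the assumption.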
17331 @@ -173,6 +182,30 @@ force_sig_info_fault(int si_signo, int s
17332 force_sig_info(si_signo, &info, tsk);
17335 +#ifdef CONFIG_PAX_EMUTRAMP
17336 +static int pax_handle_fetch_fault(struct pt_regs *regs);
17339 +#ifdef CONFIG_PAX_PAGEEXEC
17340 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
17346 + pgd = pgd_offset(mm, address);
17347 + if (!pgd_present(*pgd))
17349 + pud = pud_offset(pgd, address);
17350 + if (!pud_present(*pud))
17352 + pmd = pmd_offset(pud, address);
17353 + if (!pmd_present(*pmd))
17359 DEFINE_SPINLOCK(pgd_lock);
17360 LIST_HEAD(pgd_list);
17362 @@ -225,11 +258,24 @@ void vmalloc_sync_all(void)
17363 address += PMD_SIZE) {
17365 unsigned long flags;
17367 +#ifdef CONFIG_PAX_PER_CPU_PGD
17368 + unsigned long cpu;
17373 spin_lock_irqsave(&pgd_lock, flags);
17375 +#ifdef CONFIG_PAX_PER_CPU_PGD
17376 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17377 + pgd_t *pgd = get_cpu_pgd(cpu);
17379 list_for_each_entry(page, &pgd_list, lru) {
17380 - if (!vmalloc_sync_one(page_address(page), address))
17381 + pgd_t *pgd = page_address(page);
17384 + if (!vmalloc_sync_one(pgd, address))
17387 spin_unlock_irqrestore(&pgd_lock, flags);
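Review bot: The per-CPU branch iterates `for (cpu = 0; cpu < NR_CPUS; ++cpu)` and calls `get_cpu_pgd(cpu)` for every index, including CPUs that can never come online; the 64-bit `vmalloc_sync_all` hunk (@@ -333,15 +384,27) does the same with `pgd_offset_cpu`. Whether those slots hold a valid page directory depends on how the per-CPU PGDs are allocated, which is not visible here. `for_each_possible_cpu(cpu)` is the usual iterator and avoids touching entries that were never set up. The function body continues outside the hunk.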
17388 @@ -259,6 +305,11 @@ static noinline __kprobes int vmalloc_fa
17389 * an interrupt in the middle of a task switch..
17391 pgd_paddr = read_cr3();
17393 +#ifdef CONFIG_PAX_PER_CPU_PGD
17394 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
17397 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
17400 @@ -333,15 +384,27 @@ void vmalloc_sync_all(void)
17402 const pgd_t *pgd_ref = pgd_offset_k(address);
17403 unsigned long flags;
17405 +#ifdef CONFIG_PAX_PER_CPU_PGD
17406 + unsigned long cpu;
17411 if (pgd_none(*pgd_ref))
17414 spin_lock_irqsave(&pgd_lock, flags);
17416 +#ifdef CONFIG_PAX_PER_CPU_PGD
17417 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17418 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
17420 list_for_each_entry(page, &pgd_list, lru) {
17422 pgd = (pgd_t *)page_address(page) + pgd_index(address);
17425 if (pgd_none(*pgd))
17426 set_pgd(pgd, *pgd_ref);
17428 @@ -374,7 +437,14 @@ static noinline __kprobes int vmalloc_fa
17429 * happen within a race in page table update. In the later
17433 +#ifdef CONFIG_PAX_PER_CPU_PGD
17434 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
17435 + pgd = pgd_offset_cpu(smp_processor_id(), address);
17437 pgd = pgd_offset(current->active_mm, address);
17440 pgd_ref = pgd_offset_k(address);
17441 if (pgd_none(*pgd_ref))
17443 @@ -536,7 +606,7 @@ static int is_errata93(struct pt_regs *r
17444 static int is_errata100(struct pt_regs *regs, unsigned long address)
17446 #ifdef CONFIG_X86_64
17447 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
17448 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
17452 @@ -563,7 +633,7 @@ static int is_f00f_bug(struct pt_regs *r
17455 static const char nx_warning[] = KERN_CRIT
17456 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
17457 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
17460 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
17461 @@ -572,15 +642,26 @@ show_fault_oops(struct pt_regs *regs, un
17462 if (!oops_may_print())
17465 - if (error_code & PF_INSTR) {
17466 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
17467 unsigned int level;
17469 pte_t *pte = lookup_address(address, &level);
17471 if (pte && pte_present(*pte) && !pte_exec(*pte))
17472 - printk(nx_warning, current_uid());
17473 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
17476 +#ifdef CONFIG_PAX_KERNEXEC
17477 + if (init_mm.start_code <= address && address < init_mm.end_code) {
17478 + if (current->signal->curr_ip)
17479 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17480 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
17482 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17483 + current->comm, task_pid_nr(current), current_uid(), current_euid());
17487 printk(KERN_ALERT "BUG: unable to handle kernel ");
17488 if (address < PAGE_SIZE)
17489 printk(KERN_CONT "NULL pointer dereference");
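Review bot: The KERNEXEC branch logs "attempted to modify kernel code" for any oops whose address lies between `init_mm.start_code` and `init_mm.end_code`, but in the visible lines the condition never looks at `error_code`, so the message asserts a write that the test does not establish. Adding `(error_code & PF_WRITE)` to the condition, or wording the message neutrally, keeps the log from misleading whoever triages it. `current->comm` is printed as-is in both messages and can be set by the task, so log parsers should treat that field as untrusted. The function body starts and ends outside the hunk.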
17490 @@ -705,6 +786,68 @@ __bad_area_nosemaphore(struct pt_regs *r
17491 unsigned long address, int si_code)
17493 struct task_struct *tsk = current;
17494 + struct mm_struct *mm = tsk->mm;
17496 +#ifdef CONFIG_X86_64
17497 + if (mm && (error_code & PF_INSTR)) {
17498 + if (regs->ip == (unsigned long)vgettimeofday) {
17499 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
17501 + } else if (regs->ip == (unsigned long)vtime) {
17502 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
17504 + } else if (regs->ip == (unsigned long)vgetcpu) {
17505 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
17511 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17512 + if (mm && (error_code & PF_USER)) {
17513 + unsigned long ip = regs->ip;
17515 + if (v8086_mode(regs))
17516 + ip = ((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff);
17519 + * It's possible to have interrupts off here:
17521 + local_irq_enable();
17523 +#ifdef CONFIG_PAX_PAGEEXEC
17524 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
17525 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && regs->ip == address))) {
17527 +#ifdef CONFIG_PAX_EMUTRAMP
17528 + switch (pax_handle_fetch_fault(regs)) {
17534 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17535 + do_group_exit(SIGKILL);
17539 +#ifdef CONFIG_PAX_SEGMEXEC
17540 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (regs->ip + SEGMEXEC_TASK_SIZE == address)) {
17542 +#ifdef CONFIG_PAX_EMUTRAMP
17543 + switch (pax_handle_fetch_fault(regs)) {
17549 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17550 + do_group_exit(SIGKILL);
17557 /* User mode accesses just cause a SIGSEGV */
17558 if (error_code & PF_USER) {
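Review bot: The local `ip` is computed as a linear address for vm86 tasks (`((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff)`), but none of the visible lines after it read the variable. The PAGEEXEC test compares `regs->ip == address`, the SEGMEXEC test uses `regs->ip + SEGMEXEC_TASK_SIZE == address`, and `pax_report_fault` receives `regs->ip`. If the intent is to recognise instruction-fetch faults from vm86 code, those comparisons should use `ip`, i.e. `ip == address` and `ip + SEGMEXEC_TASK_SIZE == address`; otherwise the variable and the `v8086_mode` branch can be removed. Some lines of this hunk are not shown, so confirm that `ip` is not consumed there; the function also continues outside the hunk.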
17559 @@ -851,6 +994,106 @@ static int spurious_fault_check(unsigned
17563 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17564 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
17569 + unsigned char pte_mask;
17571 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
17572 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
17575 + /* PaX: it's our fault, let's handle it if we can */
17577 + /* PaX: take a look at read faults before acquiring any locks */
17578 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
17579 + /* instruction fetch attempt from a protected page in user mode */
17580 + up_read(&mm->mmap_sem);
17582 +#ifdef CONFIG_PAX_EMUTRAMP
17583 + switch (pax_handle_fetch_fault(regs)) {
17589 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17590 + do_group_exit(SIGKILL);
17593 + pmd = pax_get_pmd(mm, address);
17594 + if (unlikely(!pmd))
17597 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
17598 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
17599 + pte_unmap_unlock(pte, ptl);
17603 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
17604 + /* write attempt to a protected page in user mode */
17605 + pte_unmap_unlock(pte, ptl);
17610 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
17612 + if (likely(address > get_limit(regs->cs)))
17615 + set_pte(pte, pte_mkread(*pte));
17616 + __flush_tlb_one(address);
17617 + pte_unmap_unlock(pte, ptl);
17618 + up_read(&mm->mmap_sem);
17622 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
17625 + * PaX: fill DTLB with user rights and retry
17627 + __asm__ __volatile__ (
17628 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17629 + "movw %w4,%%es\n"
17632 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
17634 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
17635 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
17636 + * page fault when examined during a TLB load attempt. this is true not only
17637 + * for PTEs holding a non-present entry but also present entries that will
17638 + * raise a page fault (such as those set up by PaX, or the copy-on-write
17639 + * mechanism). in effect it means that we do *not* need to flush the TLBs
17640 + * for our target pages since their PTEs are simply not in the TLBs at all.
17642 + * the best thing in omitting it is that we gain around 15-20% speed in the
17643 + * fast path of the page fault handler and can get rid of tracing since we
17644 + * can no longer flush unintended entries.
17648 + "testb $0,%%es:(%0)\n"
17650 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17655 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
17656 + : "memory", "cc");
17657 + pte_unmap_unlock(pte, ptl);
17658 + up_read(&mm->mmap_sem);
17664 * Handle a spurious fault caused by a stale TLB entry.
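Review bot: `pax_handle_pageexec_fault` has no header comment, yet it calls `up_read(&mm->mmap_sem)` on several paths (before `pax_report_fault` in the fetch case, after `set_pte`, and after the DTLB-fill asm), so it depends on the caller holding the semaphore and releases it on the caller's behalf in some cases. That contract and the meaning of each return value should be documented above the function. The return statements are not visible in this excerpt, so the call site in `do_page_fault` cannot be checked against them here. The `pte_mask` line also needs a comment that shifting `error_code & PF_WRITE` left by `_PAGE_BIT_DIRTY-1` turns the write bit into the dirty bit.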
17666 @@ -917,6 +1160,9 @@ int show_unhandled_signals = 1;
17668 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
17670 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
17674 /* write, present and write, not present: */
17675 if (unlikely(!(vma->vm_flags & VM_WRITE)))
17676 @@ -950,17 +1196,31 @@ do_page_fault(struct pt_regs *regs, unsi
17678 struct vm_area_struct *vma;
17679 struct task_struct *tsk;
17680 - unsigned long address;
17681 struct mm_struct *mm;
17685 + /* Get the faulting address: */
17686 + unsigned long address = read_cr2();
17688 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17689 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
17690 + if (!search_exception_tables(regs->ip)) {
17691 + bad_area_nosemaphore(regs, error_code, address);
17694 + if (address < PAX_USER_SHADOW_BASE) {
17695 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
17696 + printk(KERN_ERR "PAX: faulting IP: %pS\n", (void *)regs->ip);
17697 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
17699 + address -= PAX_USER_SHADOW_BASE;
17706 - /* Get the faulting address: */
17707 - address = read_cr2();
17710 * Detect and handle instructions that would cause a page fault for
17711 * both a tracked kernel page and a userspace page.
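Review bot: The `address < PAX_USER_SHADOW_BASE` branch prints two `KERN_ERR` lines and a full stack trace each time it is reached, and no rate limit is visible in the hunk. It appears to be entered only when the faulting instruction has an exception-table entry, presumably a uaccess routine handed an unshadowed pointer, and such a path may be reachable repeatedly from a system call. Guarding the report with `printk_ratelimit()` or a `WARN_ONCE`-style one-shot keeps the diagnostic without letting it fill the log. The bound `2 * PAX_USER_SHADOW_BASE` in the outer test also needs a comment saying which address range it covers.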
17712 @@ -1020,7 +1280,7 @@ do_page_fault(struct pt_regs *regs, unsi
17713 * User-mode registers count as a user access even for any
17714 * potential system fault or CPU buglet:
17716 - if (user_mode_vm(regs)) {
17717 + if (user_mode(regs)) {
17718 local_irq_enable();
17719 error_code |= PF_USER;
17721 @@ -1074,6 +1334,11 @@ do_page_fault(struct pt_regs *regs, unsi
17725 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17726 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
17730 vma = find_vma(mm, address);
17731 if (unlikely(!vma)) {
17732 bad_area(regs, error_code, address);
17733 @@ -1085,18 +1350,24 @@ do_page_fault(struct pt_regs *regs, unsi
17734 bad_area(regs, error_code, address);
17737 - if (error_code & PF_USER) {
17739 - * Accessing the stack below %sp is always a bug.
17740 - * The large cushion allows instructions like enter
17741 - * and pusha to work. ("enter $65535, $31" pushes
17742 - * 32 pointers and then decrements %sp by 65535.)
17744 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
17745 - bad_area(regs, error_code, address);
17749 + * Accessing the stack below %sp is always a bug.
17750 + * The large cushion allows instructions like enter
17751 + * and pusha to work. ("enter $65535, $31" pushes
17752 + * 32 pointers and then decrements %sp by 65535.)
17754 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
17755 + bad_area(regs, error_code, address);
17759 +#ifdef CONFIG_PAX_SEGMEXEC
17760 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
17761 + bad_area(regs, error_code, address);
17766 if (unlikely(expand_stack(vma, address))) {
17767 bad_area(regs, error_code, address);
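Review bot: The stack-cushion test no longer sits under `if (error_code & PF_USER)` and now compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`, but the comment above it was carried over unchanged. As written, kernel-mode faults on a user address are also checked against the task's saved user stack pointer. The comment should say that this is intended, e.g. `/* applies to kernel-mode accesses too, hence the saved user %sp */`. The SEGMEXEC test added below relies on unsigned wrap-around in `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` and needs a comment spelling out the range it rejects.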
17769 @@ -1140,3 +1411,199 @@ good_area:
17771 up_read(&mm->mmap_sem);
17774 +#ifdef CONFIG_PAX_EMUTRAMP
17775 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
17779 + do { /* PaX: gcc trampoline emulation #1 */
17780 + unsigned char mov1, mov2;
17781 + unsigned short jmp;
17782 + unsigned int addr1, addr2;
17784 +#ifdef CONFIG_X86_64
17785 + if ((regs->ip + 11) >> 32)
17789 + err = get_user(mov1, (unsigned char __user *)regs->ip);
17790 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17791 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
17792 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17793 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
17798 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
17799 + regs->cx = addr1;
17800 + regs->ax = addr2;
17801 + regs->ip = addr2;
17806 + do { /* PaX: gcc trampoline emulation #2 */
17807 + unsigned char mov, jmp;
17808 + unsigned int addr1, addr2;
17810 +#ifdef CONFIG_X86_64
17811 + if ((regs->ip + 9) >> 32)
17815 + err = get_user(mov, (unsigned char __user *)regs->ip);
17816 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17817 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
17818 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17823 + if (mov == 0xB9 && jmp == 0xE9) {
17824 + regs->cx = addr1;
17825 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
17830 + return 1; /* PaX in action */
17833 +#ifdef CONFIG_X86_64
17834 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
17838 + do { /* PaX: gcc trampoline emulation #1 */
17839 + unsigned short mov1, mov2, jmp1;
17840 + unsigned char jmp2;
17841 + unsigned int addr1;
17842 + unsigned long addr2;
17844 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17845 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
17846 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
17847 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
17848 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
17849 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
17854 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17855 + regs->r11 = addr1;
17856 + regs->r10 = addr2;
17857 + regs->ip = addr1;
17862 + do { /* PaX: gcc trampoline emulation #2 */
17863 + unsigned short mov1, mov2, jmp1;
17864 + unsigned char jmp2;
17865 + unsigned long addr1, addr2;
17867 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17868 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
17869 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
17870 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
17871 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
17872 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
17877 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17878 + regs->r11 = addr1;
17879 + regs->r10 = addr2;
17880 + regs->ip = addr1;
17885 + return 1; /* PaX in action */
17890 + * PaX: decide what to do with offenders (regs->ip = fault address)
17892 + * returns 1 when task should be killed
17893 + * 2 when gcc trampoline was detected
17895 +static int pax_handle_fetch_fault(struct pt_regs *regs)
17897 + if (v8086_mode(regs))
17900 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
17903 +#ifdef CONFIG_X86_32
17904 + return pax_handle_fetch_fault_32(regs);
17906 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
17907 + return pax_handle_fetch_fault_32(regs);
17909 + return pax_handle_fetch_fault_64(regs);
17914 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17915 +void pax_report_insns(void *pc, void *sp)
17919 + printk(KERN_ERR "PAX: bytes at PC: ");
17920 + for (i = 0; i < 20; i++) {
17922 + if (get_user(c, (__force unsigned char __user *)pc+i))
17923 + printk(KERN_CONT "?? ");
17925 + printk(KERN_CONT "%02x ", c);
17929 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
17930 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
17932 + if (get_user(c, (__force unsigned long __user *)sp+i))
17933 +#ifdef CONFIG_X86_32
17934 + printk(KERN_CONT "???????? ");
17936 + printk(KERN_CONT "???????????????? ");
17939 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
17946 + * probe_kernel_write(): safely attempt to write to a location
17947 + * @dst: address to write to
17948 + * @src: pointer to the data that shall be written
17949 + * @size: size of the data chunk
17951 + * Safely write to address @dst from the buffer at @src. If a kernel fault
17952 + * happens, handle that and return -EFAULT.
17954 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
17957 + mm_segment_t old_fs = get_fs();
17959 + set_fs(KERNEL_DS);
17960 + pagefault_disable();
17961 + pax_open_kernel();
17962 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
17963 + pax_close_kernel();
17964 + pagefault_enable();
17967 + return ret ? -EFAULT : 0;
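Review bot: The trampoline matchers compare against bare opcode constants (`0xB9`, `0xB8`, `0xE0FF`, `0xE9`, `0xBB41`, `0xBA49`, `0xFF49`, `0xE3`) labelled only "gcc trampoline emulation #1/#2", which makes it hard to audit exactly which instruction sequences are exempted from the non-executable-page policy. Each block should carry its decoded sequence, for example `/* mov $imm32,%ecx; mov $imm32,%eax; jmp *%eax */` for the first 32-bit pattern and `/* mov $imm32,%r11d; movabs $imm64,%r10; jmp *%r11 */` for the first 64-bit one. The numeric results of `pax_handle_fetch_fault` (1 = kill, 2 = trampoline) are consumed by `switch` statements in three callers and would be safer as named constants. The error handling after the `get_user` calls is not visible in this excerpt.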
17969 diff -urNp linux-2.6.35.5/arch/x86/mm/gup.c linux-2.6.35.5/arch/x86/mm/gup.c
17970 --- linux-2.6.35.5/arch/x86/mm/gup.c 2010-08-26 19:47:12.000000000 -0400
17971 +++ linux-2.6.35.5/arch/x86/mm/gup.c 2010-09-17 20:12:09.000000000 -0400
17972 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
17974 len = (unsigned long) nr_pages << PAGE_SHIFT;
17976 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17977 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17978 (void __user *)start, len)))
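Review bot: The switch from `access_ok` to `__access_ok` in `__get_user_pages_fast` has no comment saying what the plain macro does in this tree that this path must avoid. Neither definition is in the hunk, so a reader cannot tell whether the double-underscore form is the same range check or a weaker one. A one-line comment above the call would record it, for example `/* range check only: __access_ok, see access_ok for what is skipped */`. The function body starts and ends outside the hunk.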
17981 diff -urNp linux-2.6.35.5/arch/x86/mm/highmem_32.c linux-2.6.35.5/arch/x86/mm/highmem_32.c
17982 --- linux-2.6.35.5/arch/x86/mm/highmem_32.c 2010-08-26 19:47:12.000000000 -0400
17983 +++ linux-2.6.35.5/arch/x86/mm/highmem_32.c 2010-09-17 20:12:09.000000000 -0400
17984 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
17985 idx = type + KM_TYPE_NR*smp_processor_id();
17986 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
17987 BUG_ON(!pte_none(*(kmap_pte-idx)));
17989 + pax_open_kernel();
17990 set_pte(kmap_pte-idx, mk_pte(page, prot));
17991 + pax_close_kernel();
17993 return (void *)vaddr;
17995 diff -urNp linux-2.6.35.5/arch/x86/mm/hugetlbpage.c linux-2.6.35.5/arch/x86/mm/hugetlbpage.c
17996 --- linux-2.6.35.5/arch/x86/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
17997 +++ linux-2.6.35.5/arch/x86/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
17998 @@ -266,13 +266,18 @@ static unsigned long hugetlb_get_unmappe
17999 struct hstate *h = hstate_file(file);
18000 struct mm_struct *mm = current->mm;
18001 struct vm_area_struct *vma;
18002 - unsigned long start_addr;
18003 + unsigned long start_addr, pax_task_size = TASK_SIZE;
18005 +#ifdef CONFIG_PAX_SEGMEXEC
18006 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18007 + pax_task_size = SEGMEXEC_TASK_SIZE;
18010 if (len > mm->cached_hole_size) {
18011 - start_addr = mm->free_area_cache;
18012 + start_addr = mm->free_area_cache;
18014 - start_addr = TASK_UNMAPPED_BASE;
18015 - mm->cached_hole_size = 0;
18016 + start_addr = mm->mmap_base;
18017 + mm->cached_hole_size = 0;
18021 @@ -280,26 +285,27 @@ full_search:
18023 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
18024 /* At this point: (!vma || addr < vma->vm_end). */
18025 - if (TASK_SIZE - len < addr) {
18026 + if (pax_task_size - len < addr) {
18028 * Start a new search - just in case we missed
18031 - if (start_addr != TASK_UNMAPPED_BASE) {
18032 - start_addr = TASK_UNMAPPED_BASE;
18033 + if (start_addr != mm->mmap_base) {
18034 + start_addr = mm->mmap_base;
18035 mm->cached_hole_size = 0;
18040 - if (!vma || addr + len <= vma->vm_start) {
18041 - mm->free_area_cache = addr + len;
18044 + if (check_heap_stack_gap(vma, addr, len))
18046 if (addr + mm->cached_hole_size < vma->vm_start)
18047 mm->cached_hole_size = vma->vm_start - addr;
18048 addr = ALIGN(vma->vm_end, huge_page_size(h));
18051 + mm->free_area_cache = addr + len;
18055 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
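Review bot: `check_heap_stack_gap(vma, addr, len)` is called with the raw result of `find_vma()`, which this loop's own comment says may be NULL (`!vma || addr < vma->vm_end`), and it replaces a test that handled `!vma` explicitly. The helper is defined outside this hunk, so the hunk does not show that it accepts a NULL `vma` or rejects a wrapping `addr + len`. A comment at the call such as `/* vma may be NULL: no mapping above addr */` would record the contract. The same call shape appears in `hugetlb_get_unmapped_area_topdown` and `hugetlb_get_unmapped_area` in later hunks. The function body extends beyond this hunk.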
18056 @@ -308,10 +314,9 @@ static unsigned long hugetlb_get_unmappe
18058 struct hstate *h = hstate_file(file);
18059 struct mm_struct *mm = current->mm;
18060 - struct vm_area_struct *vma, *prev_vma;
18061 - unsigned long base = mm->mmap_base, addr = addr0;
18062 + struct vm_area_struct *vma;
18063 + unsigned long base = mm->mmap_base, addr;
18064 unsigned long largest_hole = mm->cached_hole_size;
18065 - int first_time = 1;
18067 /* don't allow allocations above current base */
18068 if (mm->free_area_cache > base)
18069 @@ -321,7 +326,7 @@ static unsigned long hugetlb_get_unmappe
18071 mm->free_area_cache = base;
18075 /* make sure it can fit in the remaining address space */
18076 if (mm->free_area_cache < len)
18078 @@ -329,33 +334,27 @@ try_again:
18079 /* either no address requested or cant fit in requested address hole */
18080 addr = (mm->free_area_cache - len) & huge_page_mask(h);
18082 + vma = find_vma(mm, addr);
18084 * Lookup failure means no vma is above this address,
18085 * i.e. return with success:
18087 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
18091 * new region fits between prev_vma->vm_end and
18092 * vma->vm_start, use it:
18094 - if (addr + len <= vma->vm_start &&
18095 - (!prev_vma || (addr >= prev_vma->vm_end))) {
18096 + if (check_heap_stack_gap(vma, addr, len)) {
18097 /* remember the address as a hint for next time */
18098 - mm->cached_hole_size = largest_hole;
18099 - return (mm->free_area_cache = addr);
18101 - /* pull free_area_cache down to the first hole */
18102 - if (mm->free_area_cache == vma->vm_end) {
18103 - mm->free_area_cache = vma->vm_start;
18104 - mm->cached_hole_size = largest_hole;
18106 + mm->cached_hole_size = largest_hole;
18107 + return (mm->free_area_cache = addr);
18109 + /* pull free_area_cache down to the first hole */
18110 + if (mm->free_area_cache == vma->vm_end) {
18111 + mm->free_area_cache = vma->vm_start;
18112 + mm->cached_hole_size = largest_hole;
18115 /* remember the largest hole we saw so far */
18116 if (addr + largest_hole < vma->vm_start)
18117 - largest_hole = vma->vm_start - addr;
18118 + largest_hole = vma->vm_start - addr;
18120 /* try just below the current vma->vm_start */
18121 addr = (vma->vm_start - len) & huge_page_mask(h);
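Review bot: The context comment `new region fits between prev_vma->vm_end and vma->vm_start, use it:` is stale after this change, because `prev_vma` is deleted in the earlier declaration hunk and the test is now `check_heap_stack_gap(vma, addr, len)`. It could read `/* new region fits below vma->vm_start with the required gap, use it: */`. The `Lookup failure means no vma is above this address` comment also appears to head no statement now that the `find_vma_prev` test is removed, though short lines are missing from this view, so that should be checked against the full file. The re-indented but otherwise unchanged lines (`largest_hole = vma->vm_start - addr;` and the cache updates) would be easier to review as a separate whitespace change.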
18122 @@ -363,22 +362,26 @@ try_again:
18126 - * if hint left us with no space for the requested
18127 - * mapping then try again:
18129 - if (first_time) {
18130 - mm->free_area_cache = base;
18131 - largest_hole = 0;
18136 * A failed mmap() very likely causes application failure,
18137 * so fall back to the bottom-up function here. This scenario
18138 * can happen with large stack limits and large mmap()
18141 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18143 +#ifdef CONFIG_PAX_SEGMEXEC
18144 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18145 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18149 + mm->mmap_base = TASK_UNMAPPED_BASE;
18151 +#ifdef CONFIG_PAX_RANDMMAP
18152 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18153 + mm->mmap_base += mm->delta_mmap;
18156 + mm->free_area_cache = mm->mmap_base;
18157 mm->cached_hole_size = ~0UL;
18158 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18159 len, pgoff, flags);
18160 @@ -386,6 +389,7 @@ fail:
18162 * Restore the topdown base:
18164 + mm->mmap_base = base;
18165 mm->free_area_cache = base;
18166 mm->cached_hole_size = ~0UL;
18168 @@ -399,10 +403,17 @@ hugetlb_get_unmapped_area(struct file *f
18169 struct hstate *h = hstate_file(file);
18170 struct mm_struct *mm = current->mm;
18171 struct vm_area_struct *vma;
18172 + unsigned long pax_task_size = TASK_SIZE;
18174 if (len & ~huge_page_mask(h))
18176 - if (len > TASK_SIZE)
18178 +#ifdef CONFIG_PAX_SEGMEXEC
18179 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18180 + pax_task_size = SEGMEXEC_TASK_SIZE;
18183 + if (len > pax_task_size)
18186 if (flags & MAP_FIXED) {
18187 @@ -414,8 +425,7 @@ hugetlb_get_unmapped_area(struct file *f
18189 addr = ALIGN(addr, huge_page_size(h));
18190 vma = find_vma(mm, addr);
18191 - if (TASK_SIZE - len >= addr &&
18192 - (!vma || addr + len <= vma->vm_start))
18193 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18196 if (mm->get_unmapped_area == arch_get_unmapped_area)
18197 diff -urNp linux-2.6.35.5/arch/x86/mm/init_32.c linux-2.6.35.5/arch/x86/mm/init_32.c
18198 --- linux-2.6.35.5/arch/x86/mm/init_32.c 2010-08-26 19:47:12.000000000 -0400
18199 +++ linux-2.6.35.5/arch/x86/mm/init_32.c 2010-09-17 20:12:09.000000000 -0400
18200 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
18204 - * Creates a middle page table and puts a pointer to it in the
18205 - * given global directory entry. This only returns the gd entry
18206 - * in non-PAE compilation mode, since the middle layer is folded.
18208 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18211 - pmd_t *pmd_table;
18213 -#ifdef CONFIG_X86_PAE
18214 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18215 - if (after_bootmem)
18216 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18218 - pmd_table = (pmd_t *)alloc_low_page();
18219 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18220 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18221 - pud = pud_offset(pgd, 0);
18222 - BUG_ON(pmd_table != pmd_offset(pud, 0));
18224 - return pmd_table;
18227 - pud = pud_offset(pgd, 0);
18228 - pmd_table = pmd_offset(pud, 0);
18230 - return pmd_table;
18234 * Create a page table and place a pointer to it in a middle page
18237 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
18238 page_table = (pte_t *)alloc_low_page();
18240 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18241 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18242 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18244 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18246 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18249 return pte_offset_kernel(pmd, 0);
18252 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18255 + pmd_t *pmd_table;
18257 + pud = pud_offset(pgd, 0);
18258 + pmd_table = pmd_offset(pud, 0);
18260 + return pmd_table;
18263 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18265 int pgd_idx = pgd_index(vaddr);
18266 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
18267 int pgd_idx, pmd_idx;
18268 unsigned long vaddr;
18274 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
18275 pgd = pgd_base + pgd_idx;
18277 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18278 - pmd = one_md_table_init(pgd);
18279 - pmd = pmd + pmd_index(vaddr);
18280 + pud = pud_offset(pgd, vaddr);
18281 + pmd = pmd_offset(pud, vaddr);
18283 +#ifdef CONFIG_X86_PAE
18284 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18287 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18288 pmd++, pmd_idx++) {
18289 pte = page_table_kmap_check(one_page_table_init(pmd),
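Review bot: Under `CONFIG_X86_PAE` the loop now calls `paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT)` on every pgd iteration, whereas the removed `one_md_table_init` made that call only when the pgd entry was not yet present. `kernel_physical_mapping_init` gets the same unconditional call in a later hunk, and that function has a `repeat:` label, so the same pmd page may be announced more than once. Whether paravirt backends tolerate a repeated announcement is not visible here. Either a guard or a comment such as `/* pmd pages are preallocated; repeated alloc_pmd notification is harmless because ... */` would settle it. `page_table_range_init` starts and ends outside the hunk.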
18290 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
18294 -static inline int is_kernel_text(unsigned long addr)
18295 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18297 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
18300 + if ((start > ktla_ktva((unsigned long)_etext) ||
18301 + end <= ktla_ktva((unsigned long)_stext)) &&
18302 + (start > ktla_ktva((unsigned long)_einittext) ||
18303 + end <= ktla_ktva((unsigned long)_sinittext)) &&
18305 +#ifdef CONFIG_ACPI_SLEEP
18306 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18309 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
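Review bot: The new `is_kernel_text(start, end)` condition hard-codes `0x4000`, `0xfffff` and `0xc0000` with no comment on what those ranges are or why they are classified with kernel text. Since a match selects `PAGE_KERNEL_EXEC` or `PAGE_KERNEL_LARGE_EXEC` in the callers, each clause deserves a short comment, for example `/* legacy BIOS ROM window stays executable */` on the last one if that is the intent. The lower-bound tests use `start > ...` while the upper-bound tests use `end <= ...`, so a range beginning exactly at `_etext` or `_einittext` still counts as text. If those symbols mark the first byte past the section, `start >= ...` is the tight form, and the current one errs toward mapping one more page executable. The return statements are not visible in this view.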
18315 @@ -244,9 +244,10 @@ kernel_physical_mapping_init(unsigned lo
18316 unsigned long last_map_addr = end;
18317 unsigned long start_pfn, end_pfn;
18318 pgd_t *pgd_base = swapper_pg_dir;
18319 - int pgd_idx, pmd_idx, pte_ofs;
18320 + unsigned int pgd_idx, pmd_idx, pte_ofs;
18326 unsigned pages_2m, pages_4k;
18327 @@ -279,8 +280,13 @@ repeat:
18329 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18330 pgd = pgd_base + pgd_idx;
18331 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
18332 - pmd = one_md_table_init(pgd);
18333 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
18334 + pud = pud_offset(pgd, 0);
18335 + pmd = pmd_offset(pud, 0);
18337 +#ifdef CONFIG_X86_PAE
18338 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18341 if (pfn >= end_pfn)
18343 @@ -292,14 +298,13 @@ repeat:
18345 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
18346 pmd++, pmd_idx++) {
18347 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
18348 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
18351 * Map with big pages if possible, otherwise
18352 * create normal page tables:
18355 - unsigned int addr2;
18356 pgprot_t prot = PAGE_KERNEL_LARGE;
18358 * first pass will use the same initial
18359 @@ -309,11 +314,7 @@ repeat:
18360 __pgprot(PTE_IDENT_ATTR |
18363 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
18364 - PAGE_OFFSET + PAGE_SIZE-1;
18366 - if (is_kernel_text(addr) ||
18367 - is_kernel_text(addr2))
18368 + if (is_kernel_text(address, address + PMD_SIZE))
18369 prot = PAGE_KERNEL_LARGE_EXEC;
18372 @@ -330,7 +331,7 @@ repeat:
18373 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18375 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
18376 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
18377 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
18378 pgprot_t prot = PAGE_KERNEL;
18380 * first pass will use the same initial
18381 @@ -338,7 +339,7 @@ repeat:
18383 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
18385 - if (is_kernel_text(addr))
18386 + if (is_kernel_text(address, address + PAGE_SIZE))
18387 prot = PAGE_KERNEL_EXEC;
18390 @@ -491,7 +492,7 @@ void __init native_pagetable_setup_start
18392 pud = pud_offset(pgd, va);
18393 pmd = pmd_offset(pud, va);
18394 - if (!pmd_present(*pmd))
18395 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
18398 pte = pte_offset_kernel(pmd, va);
18399 @@ -543,9 +544,7 @@ void __init early_ioremap_page_table_ran
18401 static void __init pagetable_init(void)
18403 - pgd_t *pgd_base = swapper_pg_dir;
18405 - permanent_kmaps_init(pgd_base);
18406 + permanent_kmaps_init(swapper_pg_dir);
18409 #ifdef CONFIG_ACPI_SLEEP
18410 @@ -553,12 +552,12 @@ static void __init pagetable_init(void)
18411 * ACPI suspend needs this for resume, because things like the intel-agp
18412 * driver might have split up a kernel 4MB mapping.
18414 -char swsusp_pg_dir[PAGE_SIZE]
18415 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
18416 __attribute__ ((aligned(PAGE_SIZE)));
18418 static inline void save_pg_dir(void)
18420 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
18421 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
18423 #else /* !CONFIG_ACPI_SLEEP */
18424 static inline void save_pg_dir(void)
18425 @@ -590,7 +589,7 @@ void zap_low_mappings(bool early)
18429 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18430 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18431 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18433 /* user-defined highmem size */
18434 @@ -781,7 +780,7 @@ void __init setup_bootmem_allocator(void
18435 * Initialize the boot-time allocator (with low memory only):
18437 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
18438 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18439 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18441 if (bootmap == -1L)
18442 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
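Review bot: The literal `0x100000` that now replaces `0` as the lower search bound in `find_e820_area` is unexplained. The same literal is assigned to `start` in the `find_early_table_space` hunk of init.c. A comment such as `/* keep the bootmem bitmap out of the first 1MB */` would state the intent. A named constant would keep the two sites in step, and `ISA_END_ADDRESS`, which the `devmem_is_allowed` hunk already uses, is a candidate if it has this value in this tree. The enclosing function starts and ends outside the hunk.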
18443 @@ -871,6 +870,12 @@ void __init mem_init(void)
18447 +#ifdef CONFIG_PAX_PER_CPU_PGD
18448 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18449 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18450 + KERNEL_PGD_PTRS);
18453 #ifdef CONFIG_FLATMEM
18456 @@ -888,7 +893,7 @@ void __init mem_init(void)
18457 set_highmem_pages_init();
18459 codesize = (unsigned long) &_etext - (unsigned long) &_text;
18460 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
18461 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
18462 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
18464 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
18465 @@ -929,10 +934,10 @@ void __init mem_init(void)
18466 ((unsigned long)&__init_end -
18467 (unsigned long)&__init_begin) >> 10,
18469 - (unsigned long)&_etext, (unsigned long)&_edata,
18470 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
18471 + (unsigned long)&_sdata, (unsigned long)&_edata,
18472 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
18474 - (unsigned long)&_text, (unsigned long)&_etext,
18475 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
18476 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
18479 @@ -1013,6 +1018,7 @@ void set_kernel_text_rw(void)
18480 if (!kernel_set_to_readonly)
18483 + start = ktla_ktva(start);
18484 pr_debug("Set kernel text: %lx - %lx for read write\n",
18485 start, start+size);
18487 @@ -1027,6 +1033,7 @@ void set_kernel_text_ro(void)
18488 if (!kernel_set_to_readonly)
18491 + start = ktla_ktva(start);
18492 pr_debug("Set kernel text: %lx - %lx for read only\n",
18493 start, start+size);
18495 @@ -1038,6 +1045,7 @@ void mark_rodata_ro(void)
18496 unsigned long start = PFN_ALIGN(_text);
18497 unsigned long size = PFN_ALIGN(_etext) - start;
18499 + start = ktla_ktva(start);
18500 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
18501 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
18503 diff -urNp linux-2.6.35.5/arch/x86/mm/init_64.c linux-2.6.35.5/arch/x86/mm/init_64.c
18504 --- linux-2.6.35.5/arch/x86/mm/init_64.c 2010-08-26 19:47:12.000000000 -0400
18505 +++ linux-2.6.35.5/arch/x86/mm/init_64.c 2010-09-17 20:12:09.000000000 -0400
18507 #include <asm/numa.h>
18508 #include <asm/cacheflush.h>
18509 #include <asm/init.h>
18510 -#include <linux/bootmem.h>
18512 static unsigned long dma_reserve __initdata;
18514 @@ -74,7 +73,7 @@ early_param("gbpages", parse_direct_gbpa
18515 * around without checking the pgd every time.
18518 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
18519 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
18520 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18522 int force_personality32;
18523 @@ -165,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
18524 pmd = fill_pmd(pud, vaddr);
18525 pte = fill_pte(pmd, vaddr);
18527 + pax_open_kernel();
18528 set_pte(pte, new_pte);
18529 + pax_close_kernel();
18532 * It's enough to flush this one mapping.
18533 @@ -224,14 +225,12 @@ static void __init __init_extra_mapping(
18534 pgd = pgd_offset_k((unsigned long)__va(phys));
18535 if (pgd_none(*pgd)) {
18536 pud = (pud_t *) spp_getpage();
18537 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
18539 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
18541 pud = pud_offset(pgd, (unsigned long)__va(phys));
18542 if (pud_none(*pud)) {
18543 pmd = (pmd_t *) spp_getpage();
18544 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
18546 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
18548 pmd = pmd_offset(pud, phys);
18549 BUG_ON(!pmd_none(*pmd));
18550 @@ -680,6 +679,12 @@ void __init mem_init(void)
18554 +#ifdef CONFIG_PAX_PER_CPU_PGD
18555 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18556 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18557 + KERNEL_PGD_PTRS);
18560 /* clear_bss() already clear the empty_zero_page */
18563 @@ -886,8 +891,8 @@ int kern_addr_valid(unsigned long addr)
18564 static struct vm_area_struct gate_vma = {
18565 .vm_start = VSYSCALL_START,
18566 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
18567 - .vm_page_prot = PAGE_READONLY_EXEC,
18568 - .vm_flags = VM_READ | VM_EXEC
18569 + .vm_page_prot = PAGE_READONLY,
18570 + .vm_flags = VM_READ
18573 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
18574 @@ -921,7 +926,7 @@ int in_gate_area_no_task(unsigned long a
18576 const char *arch_vma_name(struct vm_area_struct *vma)
18578 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18579 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18581 if (vma == &gate_vma)
18582 return "[vsyscall]";
18583 diff -urNp linux-2.6.35.5/arch/x86/mm/init.c linux-2.6.35.5/arch/x86/mm/init.c
18584 --- linux-2.6.35.5/arch/x86/mm/init.c 2010-08-26 19:47:12.000000000 -0400
18585 +++ linux-2.6.35.5/arch/x86/mm/init.c 2010-09-17 20:12:09.000000000 -0400
18586 @@ -70,11 +70,7 @@ static void __init find_early_table_spac
18587 * cause a hotspot and fill up ZONE_DMA. The page tables
18588 * need roughly 0.5KB per GB.
18590 -#ifdef CONFIG_X86_32
18595 + start = 0x100000;
18596 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
18597 tables, PAGE_SIZE);
18598 if (e820_table_start == -1UL)
18599 @@ -321,7 +317,13 @@ unsigned long __init_refok init_memory_m
18601 int devmem_is_allowed(unsigned long pagenr)
18603 - if (pagenr <= 256)
18606 +#ifdef CONFIG_VM86
18607 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
18610 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
18612 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
18614 @@ -380,6 +382,88 @@ void free_init_pages(char *what, unsigne
18616 void free_initmem(void)
18619 +#ifdef CONFIG_PAX_KERNEXEC
18620 +#ifdef CONFIG_X86_32
18621 + /* PaX: limit KERNEL_CS to actual size */
18622 + unsigned long addr, limit;
18623 + struct desc_struct d;
18626 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
18627 + limit = (limit - 1UL) >> PAGE_SHIFT;
18629 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
18630 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
18631 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
18632 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
18635 + /* PaX: make KERNEL_CS read-only */
18636 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
18637 + if (!paravirt_enabled())
18638 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
18640 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
18641 + pgd = pgd_offset_k(addr);
18642 + pud = pud_offset(pgd, addr);
18643 + pmd = pmd_offset(pud, addr);
18644 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18647 +#ifdef CONFIG_X86_PAE
18648 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
18650 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
18651 + pgd = pgd_offset_k(addr);
18652 + pud = pud_offset(pgd, addr);
18653 + pmd = pmd_offset(pud, addr);
18654 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18659 +#ifdef CONFIG_MODULES
18660 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
18667 + unsigned long addr, end;
18669 + /* PaX: make kernel code/rodata read-only, rest non-executable */
18670 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
18671 + pgd = pgd_offset_k(addr);
18672 + pud = pud_offset(pgd, addr);
18673 + pmd = pmd_offset(pud, addr);
18674 + if (!pmd_present(*pmd))
18676 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
18677 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18679 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18682 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
18683 + end = addr + KERNEL_IMAGE_SIZE;
18684 + for (; addr < end; addr += PMD_SIZE) {
18685 + pgd = pgd_offset_k(addr);
18686 + pud = pud_offset(pgd, addr);
18687 + pmd = pmd_offset(pud, addr);
18688 + if (!pmd_present(*pmd))
18690 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
18691 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18693 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18700 free_init_pages("unused kernel memory",
18701 (unsigned long)(&__init_begin),
18702 (unsigned long)(&__init_end));
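Review bot: In the 32-bit KERNEXEC branch, `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);` passes what looks like an integer expression as the destination pointer. It should carry an explicit cast, `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);`, and a comment saying which page is being poisoned and why. The `set_pmd` loops that clear `_PAGE_RW` and set `_PAGE_NX` edit live kernel mappings directly. Short lines are missing from this view, so I cannot see whether a TLB flush follows them; without one, stale writable or executable translations would outlive the change. The descriptor flags `0x9B, 0xC` passed to `pack_descriptor` would also be clearer with a one-line comment. `free_initmem` ends outside the hunk.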
18703 diff -urNp linux-2.6.35.5/arch/x86/mm/iomap_32.c linux-2.6.35.5/arch/x86/mm/iomap_32.c
18704 --- linux-2.6.35.5/arch/x86/mm/iomap_32.c 2010-08-26 19:47:12.000000000 -0400
18705 +++ linux-2.6.35.5/arch/x86/mm/iomap_32.c 2010-09-17 20:12:09.000000000 -0400
18706 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
18707 debug_kmap_atomic(type);
18708 idx = type + KM_TYPE_NR * smp_processor_id();
18709 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18711 + pax_open_kernel();
18712 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
18713 + pax_close_kernel();
18715 arch_flush_lazy_mmu_mode();
18717 return (void *)vaddr;
18718 diff -urNp linux-2.6.35.5/arch/x86/mm/ioremap.c linux-2.6.35.5/arch/x86/mm/ioremap.c
18719 --- linux-2.6.35.5/arch/x86/mm/ioremap.c 2010-08-26 19:47:12.000000000 -0400
18720 +++ linux-2.6.35.5/arch/x86/mm/ioremap.c 2010-09-17 20:12:09.000000000 -0400
18721 @@ -100,13 +100,10 @@ static void __iomem *__ioremap_caller(re
18723 * Don't allow anybody to remap normal RAM that we're using..
18725 - for (pfn = phys_addr >> PAGE_SHIFT;
18726 - (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
18729 + for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
18730 int is_ram = page_is_ram(pfn);
18732 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
18733 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
18735 WARN_ON_ONCE(is_ram);
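Review bot: `pfn >= 0x100` in the RAM check is a bare page-frame literal that means 1MB only when pages are 4KB. Writing it as a shifted address, `pfn >= (0x100000 >> PAGE_SHIFT)`, or with the `ISA_END_ADDRESS` constant used in the `devmem_is_allowed` hunk, would make the boundary explicit. The clause also changes policy: RAM above that boundary is now refused even when the page is reserved, which the surviving comment `Don't allow anybody to remap normal RAM that we're using..` does not convey. A line such as `/* above 1MB no RAM page may be remapped, reserved or not */` would document it. The statement guarded by the condition is not visible in this view, and `__ioremap_caller` starts and ends outside the hunk.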
18737 @@ -346,7 +343,7 @@ static int __init early_ioremap_debug_se
18738 early_param("early_ioremap_debug", early_ioremap_debug_setup);
18740 static __initdata int after_paging_init;
18741 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
18742 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
18744 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
18746 @@ -378,8 +375,7 @@ void __init early_ioremap_init(void)
18747 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
18749 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
18750 - memset(bm_pte, 0, sizeof(bm_pte));
18751 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
18752 + pmd_populate_user(&init_mm, pmd, bm_pte);
18755 * The boot-ioremap range spans multiple pmds, for which
18756 diff -urNp linux-2.6.35.5/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.35.5/arch/x86/mm/kmemcheck/kmemcheck.c
18757 --- linux-2.6.35.5/arch/x86/mm/kmemcheck/kmemcheck.c 2010-08-26 19:47:12.000000000 -0400
18758 +++ linux-2.6.35.5/arch/x86/mm/kmemcheck/kmemcheck.c 2010-09-17 20:12:09.000000000 -0400
18759 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
18760 * memory (e.g. tracked pages)? For now, we need this to avoid
18761 * invoking kmemcheck for PnP BIOS calls.
18763 - if (regs->flags & X86_VM_MASK)
18764 + if (v8086_mode(regs))
18766 - if (regs->cs != __KERNEL_CS)
18767 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
18770 pte = kmemcheck_pte_lookup(address);
18771 diff -urNp linux-2.6.35.5/arch/x86/mm/mmap.c linux-2.6.35.5/arch/x86/mm/mmap.c
18772 --- linux-2.6.35.5/arch/x86/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
18773 +++ linux-2.6.35.5/arch/x86/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
18774 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
18775 * Leave an at least ~128 MB hole with possible stack randomization.
18777 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
18778 -#define MAX_GAP (TASK_SIZE/6*5)
18779 +#define MAX_GAP (pax_task_size/6*5)
18782 * True on X86_32 or when emulating IA32 on X86_64
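Review bot: `MAX_GAP` now expands to `(pax_task_size/6*5)`, an identifier that exists only as a local variable inside `mmap_base()` in the next hunk, so the macro silently depends on where it is expanded. Any later use outside that function would fail to compile or bind to an unrelated variable of the same name. Passing the size explicitly keeps it self-contained: `#define MAX_GAP(size) ((size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))` at the use site.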
18783 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
18784 return rnd << PAGE_SHIFT;
18787 -static unsigned long mmap_base(void)
18788 +static unsigned long mmap_base(struct mm_struct *mm)
18790 unsigned long gap = rlimit(RLIMIT_STACK);
18791 + unsigned long pax_task_size = TASK_SIZE;
18793 +#ifdef CONFIG_PAX_SEGMEXEC
18794 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18795 + pax_task_size = SEGMEXEC_TASK_SIZE;
18800 else if (gap > MAX_GAP)
18803 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
18804 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
18808 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
18809 * does, but not when emulating X86_32
18811 -static unsigned long mmap_legacy_base(void)
18812 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
18814 - if (mmap_is_ia32())
18815 + if (mmap_is_ia32()) {
18817 +#ifdef CONFIG_PAX_SEGMEXEC
18818 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18819 + return SEGMEXEC_TASK_UNMAPPED_BASE;
18823 return TASK_UNMAPPED_BASE;
18826 return TASK_UNMAPPED_BASE + mmap_rnd();
18829 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
18830 void arch_pick_mmap_layout(struct mm_struct *mm)
18832 if (mmap_is_legacy()) {
18833 - mm->mmap_base = mmap_legacy_base();
18834 + mm->mmap_base = mmap_legacy_base(mm);
18836 +#ifdef CONFIG_PAX_RANDMMAP
18837 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18838 + mm->mmap_base += mm->delta_mmap;
18841 mm->get_unmapped_area = arch_get_unmapped_area;
18842 mm->unmap_area = arch_unmap_area;
18844 - mm->mmap_base = mmap_base();
18845 + mm->mmap_base = mmap_base(mm);
18847 +#ifdef CONFIG_PAX_RANDMMAP
18848 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18849 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
18852 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
18853 mm->unmap_area = arch_unmap_area_topdown;
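Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` in the top-down branch has no lower-bound check. `mmap_base()` caps the gap at `MAX_GAP`, so its result can be as low as roughly one sixth of the task size minus `mmap_rnd()`. The widths of `delta_mmap` and `delta_stack` are set outside this hunk, so nothing visible here shows that the subtraction cannot wrap or push the base below a usable minimum, particularly with the smaller `SEGMEXEC_TASK_SIZE`. A clamp would rule that out; failing that, a comment stating the bound would do, for example `/* delta_mmap + delta_stack is bounded by PAX_DELTA_*_LEN and stays below the minimum mmap_base */`. `arch_pick_mmap_layout` ends outside the hunk.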
18855 diff -urNp linux-2.6.35.5/arch/x86/mm/numa_32.c linux-2.6.35.5/arch/x86/mm/numa_32.c
18856 --- linux-2.6.35.5/arch/x86/mm/numa_32.c 2010-08-26 19:47:12.000000000 -0400
18857 +++ linux-2.6.35.5/arch/x86/mm/numa_32.c 2010-09-17 20:12:09.000000000 -0400
18858 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
18862 -extern unsigned long find_max_low_pfn(void);
18863 extern unsigned long highend_pfn, highstart_pfn;
18865 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
18866 diff -urNp linux-2.6.35.5/arch/x86/mm/pageattr.c linux-2.6.35.5/arch/x86/mm/pageattr.c
18867 --- linux-2.6.35.5/arch/x86/mm/pageattr.c 2010-08-26 19:47:12.000000000 -0400
18868 +++ linux-2.6.35.5/arch/x86/mm/pageattr.c 2010-09-17 20:12:09.000000000 -0400
18869 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
18870 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
18872 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
18873 - pgprot_val(forbidden) |= _PAGE_NX;
18874 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18877 * The kernel text needs to be executable for obvious reasons
18878 * Does not cover __inittext since that is gone later on. On
18879 * 64bit we do not enforce !NX on the low mapping
18881 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
18882 - pgprot_val(forbidden) |= _PAGE_NX;
18883 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
18884 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18886 +#ifdef CONFIG_DEBUG_RODATA
18888 * The .rodata section needs to be read-only. Using the pfn
18889 * catches all aliases.
18890 @@ -278,6 +279,7 @@ static inline pgprot_t static_protection
18891 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
18892 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
18893 pgprot_val(forbidden) |= _PAGE_RW;
18896 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
18898 @@ -316,6 +318,13 @@ static inline pgprot_t static_protection
18902 +#ifdef CONFIG_PAX_KERNEXEC
18903 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
18904 + pgprot_val(forbidden) |= _PAGE_RW;
18905 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18909 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
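Review bot: The KERNEXEC test added to `static_protections` compares `pfn` against `__pa((unsigned long)&_text)` and `__pa((unsigned long)&_sdata)`, which are byte addresses, while the other pfn checks in this function (the BIOS and `.rodata` ranges in the preceding hunks) shift their bounds by `PAGE_SHIFT`. As written the bounds are too large by a factor of the page size, so the frames from kernel text up to `_sdata` would generally not match and `_PAGE_RW` would not be forbidden on them, while unrelated frames whose numbers fall in the byte range would be affected instead. The bounds should be page frame numbers: `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. The function body starts and ends outside this hunk.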
18912 @@ -368,23 +377,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
18913 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
18915 /* change init_mm */
18916 + pax_open_kernel();
18917 set_pte_atomic(kpte, pte);
18919 #ifdef CONFIG_X86_32
18920 if (!SHARED_KERNEL_PMD) {
18922 +#ifdef CONFIG_PAX_PER_CPU_PGD
18923 + unsigned long cpu;
18928 +#ifdef CONFIG_PAX_PER_CPU_PGD
18929 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18930 + pgd_t *pgd = get_cpu_pgd(cpu);
18932 list_for_each_entry(page, &pgd_list, lru) {
18934 + pgd_t *pgd = (pgd_t *)page_address(page);
18940 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
18941 + pgd += pgd_index(address);
18942 pud = pud_offset(pgd, address);
18943 pmd = pmd_offset(pud, address);
18944 set_pte_atomic((pte_t *)pmd, pte);
18948 + pax_close_kernel();
18952 diff -urNp linux-2.6.35.5/arch/x86/mm/pageattr-test.c linux-2.6.35.5/arch/x86/mm/pageattr-test.c
18953 --- linux-2.6.35.5/arch/x86/mm/pageattr-test.c 2010-08-26 19:47:12.000000000 -0400
18954 +++ linux-2.6.35.5/arch/x86/mm/pageattr-test.c 2010-09-17 20:12:09.000000000 -0400
18955 @@ -36,7 +36,7 @@ enum {
18957 static int pte_testbit(pte_t pte)
18959 - return pte_flags(pte) & _PAGE_UNUSED1;
18960 + return pte_flags(pte) & _PAGE_CPA_TEST;
18963 struct split_state {
18964 diff -urNp linux-2.6.35.5/arch/x86/mm/pat.c linux-2.6.35.5/arch/x86/mm/pat.c
18965 --- linux-2.6.35.5/arch/x86/mm/pat.c 2010-08-26 19:47:12.000000000 -0400
18966 +++ linux-2.6.35.5/arch/x86/mm/pat.c 2010-09-17 20:12:09.000000000 -0400
18967 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
18970 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
18971 - current->comm, current->pid, start, end);
18972 + current->comm, task_pid_nr(current), start, end);
18976 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
18977 while (cursor < to) {
18978 if (!devmem_is_allowed(pfn)) {
18980 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
18981 - current->comm, from, to);
18982 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
18983 + current->comm, from, to, cursor);
18986 cursor += PAGE_SIZE;
18987 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
18989 "%s:%d ioremap_change_attr failed %s "
18991 - current->comm, current->pid,
18992 + current->comm, task_pid_nr(current),
18994 base, (unsigned long long)(base + size));
18996 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
18997 if (want_flags != flags) {
18998 printk(KERN_WARNING
18999 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
19000 - current->comm, current->pid,
19001 + current->comm, task_pid_nr(current),
19002 cattr_name(want_flags),
19003 (unsigned long long)paddr,
19004 (unsigned long long)(paddr + size),
19005 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
19006 free_memtype(paddr, paddr + size);
19007 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
19008 " for %Lx-%Lx, got %s\n",
19009 - current->comm, current->pid,
19010 + current->comm, task_pid_nr(current),
19011 cattr_name(want_flags),
19012 (unsigned long long)paddr,
19013 (unsigned long long)(paddr + size),
19014 diff -urNp linux-2.6.35.5/arch/x86/mm/pgtable_32.c linux-2.6.35.5/arch/x86/mm/pgtable_32.c
19015 --- linux-2.6.35.5/arch/x86/mm/pgtable_32.c 2010-08-26 19:47:12.000000000 -0400
19016 +++ linux-2.6.35.5/arch/x86/mm/pgtable_32.c 2010-09-17 20:12:09.000000000 -0400
19017 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
19020 pte = pte_offset_kernel(pmd, vaddr);
19022 + pax_open_kernel();
19023 if (pte_val(pteval))
19024 set_pte_at(&init_mm, vaddr, pte, pteval);
19026 pte_clear(&init_mm, vaddr, pte);
19027 + pax_close_kernel();
19030 * It's enough to flush this one mapping.
19031 diff -urNp linux-2.6.35.5/arch/x86/mm/pgtable.c linux-2.6.35.5/arch/x86/mm/pgtable.c
19032 --- linux-2.6.35.5/arch/x86/mm/pgtable.c 2010-08-26 19:47:12.000000000 -0400
19033 +++ linux-2.6.35.5/arch/x86/mm/pgtable.c 2010-09-17 20:12:09.000000000 -0400
19034 @@ -84,8 +84,59 @@ static inline void pgd_list_del(pgd_t *p
19035 list_del(&page->lru);
19038 -#define UNSHARED_PTRS_PER_PGD \
19039 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19040 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19041 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
19043 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19046 + *dst++ = __pgd((pgd_val(*src++) | _PAGE_NX) & ~_PAGE_USER);
19051 +#ifdef CONFIG_PAX_PER_CPU_PGD
19052 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19056 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19057 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
19065 +#ifdef CONFIG_PAX_PER_CPU_PGD
19066 +static inline void pgd_ctor(pgd_t *pgd) {}
19067 +static inline void pgd_dtor(pgd_t *pgd) {}
19068 +#ifdef CONFIG_X86_64
19069 +#define pxd_t pud_t
19070 +#define pyd_t pgd_t
19071 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
19072 +#define pxd_free(mm, pud) pud_free((mm), (pud))
19073 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
19074 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
19075 +#define PYD_SIZE PGDIR_SIZE
19077 +#define pxd_t pmd_t
19078 +#define pyd_t pud_t
19079 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19080 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
19081 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
19082 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19083 +#define PYD_SIZE PUD_SIZE
19086 +#define pxd_t pmd_t
19087 +#define pyd_t pud_t
19088 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19089 +#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
19090 +#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
19091 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19092 +#define PYD_SIZE PUD_SIZE
19094 static void pgd_ctor(pgd_t *pgd)
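Review bot: `__shadow_user_pgds()` and `__clone_user_pgds()` take a signed `int count` and no size for `dst`, and nothing in the visible part of the hunk bounds either; the loop headers are not shown in this rendering, so this may already be handled. Both appear to store `count` top-level entries through `dst`, so a contract comment above each would help, for example `/* dst and src must each hold at least count pgd entries; count must not be negative */`. The same comment should record that the shadow copy sets `_PAGE_NX` and clears `_PAGE_USER` on every entry, and that `clone_pgd_mask` starts out as `~_PAGE_PRESENT`. Those are the properties a later editor must not lose.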
19096 @@ -120,6 +171,7 @@ static void pgd_dtor(pgd_t *pgd)
19098 spin_unlock_irqrestore(&pgd_lock, flags);
19103 * List of all pgd's needed for non-PAE so it can invalidate entries
19104 @@ -132,7 +184,7 @@ static void pgd_dtor(pgd_t *pgd)
19108 -#ifdef CONFIG_X86_PAE
19109 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19111 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19112 * updating the top-level pagetable entries to guarantee the
19113 @@ -144,7 +196,7 @@ static void pgd_dtor(pgd_t *pgd)
19114 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19115 * and initialize the kernel pmds here.
19117 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
19118 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19120 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19122 @@ -163,36 +215,38 @@ void pud_populate(struct mm_struct *mm,
19123 if (mm == current->active_mm)
19124 write_cr3(read_cr3());
19126 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19127 +#define PREALLOCATED_PXDS USER_PGD_PTRS
19128 #else /* !CONFIG_X86_PAE */
19130 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19131 -#define PREALLOCATED_PMDS 0
19132 +#define PREALLOCATED_PXDS 0
19134 #endif /* CONFIG_X86_PAE */
19136 -static void free_pmds(pmd_t *pmds[])
19137 +static void free_pxds(pxd_t *pxds[])
19141 - for(i = 0; i < PREALLOCATED_PMDS; i++)
19143 - free_page((unsigned long)pmds[i]);
19144 + for(i = 0; i < PREALLOCATED_PXDS; i++)
19146 + free_page((unsigned long)pxds[i]);
19149 -static int preallocate_pmds(pmd_t *pmds[])
19150 +static int preallocate_pxds(pxd_t *pxds[])
19153 bool failed = false;
19155 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19156 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19158 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19159 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
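Review bot: The closing comments `#else /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` no longer describe this conditional. After the change it opens with `#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)` (earlier hunk) and gains the `#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)` arm added here, so it has three arms. Updating them, e.g. `#else /* no preallocated tables */` and `#endif /* PREALLOCATED_PXDS */`, keeps a reader from assuming the `#else` arm is simply "non-PAE".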
19172 @@ -205,51 +259,56 @@ static int preallocate_pmds(pmd_t *pmds[
19173 * preallocate which never got a corresponding vma will need to be
19176 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19177 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19181 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19182 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19183 pgd_t pgd = pgdp[i];
19185 if (pgd_val(pgd) != 0) {
19186 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19187 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19189 - pgdp[i] = native_make_pgd(0);
19190 + set_pgd(pgdp + i, native_make_pgd(0));
19192 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19193 - pmd_free(mm, pmd);
19194 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19195 + pxd_free(mm, pxd);
19200 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19201 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19205 unsigned long addr;
19208 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19209 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19212 - pud = pud_offset(pgd, 0);
19213 +#ifdef CONFIG_X86_64
19214 + pyd = pyd_offset(mm, 0L);
19216 + pyd = pyd_offset(pgd, 0L);
19219 - for (addr = i = 0; i < PREALLOCATED_PMDS;
19220 - i++, pud++, addr += PUD_SIZE) {
19221 - pmd_t *pmd = pmds[i];
19222 + for (addr = i = 0; i < PREALLOCATED_PXDS;
19223 + i++, pyd++, addr += PYD_SIZE) {
19224 + pxd_t *pxd = pxds[i];
19226 if (i >= KERNEL_PGD_BOUNDARY)
19227 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19228 - sizeof(pmd_t) * PTRS_PER_PMD);
19229 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19230 + sizeof(pxd_t) * PTRS_PER_PMD);
19232 - pud_populate(mm, pud, pmd);
19233 + pyd_populate(mm, pyd, pxd);
19237 pgd_t *pgd_alloc(struct mm_struct *mm)
19240 - pmd_t *pmds[PREALLOCATED_PMDS];
19241 + pxd_t *pxds[PREALLOCATED_PXDS];
19243 unsigned long flags;
19245 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
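Review bot: `pxd_t *pxds[PREALLOCATED_PXDS];` in `pgd_alloc()` is an on-stack array whose length now follows `USER_PGD_PTRS` when `CONFIG_X86_64` and `CONFIG_PAX_PER_CPU_PGD` are set (the `#define` is in the previous hunk). As far as I know it was previously limited to the few top-level entries of a PAE page directory. `USER_PGD_PTRS` is defined outside this view, so the resulting size cannot be checked here, but kernel stacks are small and `preallocate_pxds()` also takes one page per slot for every new mm. A compile-time bound would make the assumption explicit, e.g. `BUILD_BUG_ON(sizeof(pxds) > PXDS_STACK_LIMIT);`, where `PXDS_STACK_LIMIT` is a placeholder for a limit the maintainers choose. pgd_alloc's body continues in the following hunks.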
19246 @@ -259,11 +318,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19250 - if (preallocate_pmds(pmds) != 0)
19251 + if (preallocate_pxds(pxds) != 0)
19254 if (paravirt_pgd_alloc(mm) != 0)
19255 - goto out_free_pmds;
19256 + goto out_free_pxds;
19259 * Make sure that pre-populating the pmds is atomic with
19260 @@ -273,14 +332,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19261 spin_lock_irqsave(&pgd_lock, flags);
19264 - pgd_prepopulate_pmd(mm, pgd, pmds);
19265 + pgd_prepopulate_pxd(mm, pgd, pxds);
19267 spin_unlock_irqrestore(&pgd_lock, flags);
19276 free_page((unsigned long)pgd);
19278 @@ -289,7 +348,7 @@ out:
19280 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19282 - pgd_mop_up_pmds(mm, pgd);
19283 + pgd_mop_up_pxds(mm, pgd);
19285 paravirt_pgd_free(mm, pgd);
19286 free_page((unsigned long)pgd);
19287 diff -urNp linux-2.6.35.5/arch/x86/mm/setup_nx.c linux-2.6.35.5/arch/x86/mm/setup_nx.c
19288 --- linux-2.6.35.5/arch/x86/mm/setup_nx.c 2010-08-26 19:47:12.000000000 -0400
19289 +++ linux-2.6.35.5/arch/x86/mm/setup_nx.c 2010-09-17 20:12:09.000000000 -0400
19291 #include <asm/pgtable.h>
19292 #include <asm/proto.h>
19294 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19295 static int disable_nx __cpuinitdata;
19297 +#ifndef CONFIG_PAX_PAGEEXEC
19301 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19304 early_param("noexec", noexec_setup);
19309 void __cpuinit x86_configure_nx(void)
19311 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19312 if (cpu_has_nx && !disable_nx)
19313 __supported_pte_mask |= _PAGE_NX;
19316 __supported_pte_mask &= ~_PAGE_NX;
19319 diff -urNp linux-2.6.35.5/arch/x86/mm/tlb.c linux-2.6.35.5/arch/x86/mm/tlb.c
19320 --- linux-2.6.35.5/arch/x86/mm/tlb.c 2010-08-26 19:47:12.000000000 -0400
19321 +++ linux-2.6.35.5/arch/x86/mm/tlb.c 2010-09-17 20:12:09.000000000 -0400
19323 #include <asm/uv/uv.h>
19325 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
19326 - = { &init_mm, 0, };
19327 + = { &init_mm, 0 };
19330 * Smarter SMP flushing macros.
19331 @@ -62,7 +62,11 @@ void leave_mm(int cpu)
19333 cpumask_clear_cpu(cpu,
19334 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
19336 +#ifndef CONFIG_PAX_PER_CPU_PGD
19337 load_cr3(swapper_pg_dir);
19341 EXPORT_SYMBOL_GPL(leave_mm);
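Review bot: With `CONFIG_PAX_PER_CPU_PGD` set, `leave_mm()` no longer switches CR3 to `swapper_pg_dir`, and as far as the visible lines show nothing replaces it and no comment says why that is safe. Upstream relies on this reload so that a CPU in lazy-TLB mode stops referencing the departing mm's page tables before they can be freed. If the per-CPU PGD still holds copies of that mm's user entries at this point (not visible here), the same guarantee has to come from somewhere else. Please document it at the `#ifndef`, for instance `/* per-CPU PGD: user entries are dropped by <placeholder: function that clears them>, so no CR3 switch is needed */`.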
19343 diff -urNp linux-2.6.35.5/arch/x86/oprofile/backtrace.c linux-2.6.35.5/arch/x86/oprofile/backtrace.c
19344 --- linux-2.6.35.5/arch/x86/oprofile/backtrace.c 2010-08-26 19:47:12.000000000 -0400
19345 +++ linux-2.6.35.5/arch/x86/oprofile/backtrace.c 2010-09-17 20:12:09.000000000 -0400
19346 @@ -58,7 +58,7 @@ static struct frame_head *dump_user_back
19347 struct frame_head bufhead[2];
19349 /* Also check accessibility of one struct frame_head beyond */
19350 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
19351 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
19353 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
19355 @@ -78,7 +78,7 @@ x86_backtrace(struct pt_regs * const reg
19357 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
19359 - if (!user_mode_vm(regs)) {
19360 + if (!user_mode(regs)) {
19361 unsigned long stack = kernel_stack_pointer(regs);
19363 dump_trace(NULL, regs, (unsigned long *)stack, 0,
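Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `x86_backtrace()` preserves behaviour only if the patch redefines `user_mode()` elsewhere. In the unpatched 2.6.35 headers, as far as I recall, the 32-bit `user_mode()` looks at the CS privilege level alone and does not account for the VM86 flag. If that definition is still in effect, registers captured from a VM86 task could take the kernel branch and reach `dump_trace()`. The `access_ok` to `__access_ok` switch in the previous hunk of this file depends on out-of-hunk definitions in the same way. A one-line comment such as `/* user_mode() covers VM86 here, see <placeholder: header that redefines it> */` would record the assumption; x86_backtrace continues outside the hunk.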
19364 diff -urNp linux-2.6.35.5/arch/x86/oprofile/op_model_p4.c linux-2.6.35.5/arch/x86/oprofile/op_model_p4.c
19365 --- linux-2.6.35.5/arch/x86/oprofile/op_model_p4.c 2010-08-26 19:47:12.000000000 -0400
19366 +++ linux-2.6.35.5/arch/x86/oprofile/op_model_p4.c 2010-09-17 20:12:09.000000000 -0400
19367 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
19371 -static int inline addr_increment(void)
19372 +static inline int addr_increment(void)
19375 return smp_num_siblings == 2 ? 2 : 1;
19376 diff -urNp linux-2.6.35.5/arch/x86/pci/common.c linux-2.6.35.5/arch/x86/pci/common.c
19377 --- linux-2.6.35.5/arch/x86/pci/common.c 2010-08-26 19:47:12.000000000 -0400
19378 +++ linux-2.6.35.5/arch/x86/pci/common.c 2010-09-17 20:12:09.000000000 -0400
19379 @@ -32,8 +32,8 @@ int noioapicreroute = 1;
19380 int pcibios_last_bus = -1;
19381 unsigned long pirq_table_addr;
19382 struct pci_bus *pci_root_bus;
19383 -struct pci_raw_ops *raw_pci_ops;
19384 -struct pci_raw_ops *raw_pci_ext_ops;
19385 +const struct pci_raw_ops *raw_pci_ops;
19386 +const struct pci_raw_ops *raw_pci_ext_ops;
19388 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
19389 int reg, int len, u32 *val)
19390 @@ -365,7 +365,7 @@ static const struct dmi_system_id __devi
19391 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
19395 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
19398 void __init dmi_check_pciprobe(void)
19399 diff -urNp linux-2.6.35.5/arch/x86/pci/direct.c linux-2.6.35.5/arch/x86/pci/direct.c
19400 --- linux-2.6.35.5/arch/x86/pci/direct.c 2010-08-26 19:47:12.000000000 -0400
19401 +++ linux-2.6.35.5/arch/x86/pci/direct.c 2010-09-17 20:12:09.000000000 -0400
19402 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
19404 #undef PCI_CONF1_ADDRESS
19406 -struct pci_raw_ops pci_direct_conf1 = {
19407 +const struct pci_raw_ops pci_direct_conf1 = {
19408 .read = pci_conf1_read,
19409 .write = pci_conf1_write,
19411 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
19413 #undef PCI_CONF2_ADDRESS
19415 -struct pci_raw_ops pci_direct_conf2 = {
19416 +const struct pci_raw_ops pci_direct_conf2 = {
19417 .read = pci_conf2_read,
19418 .write = pci_conf2_write,
19420 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
19421 * This should be close to trivial, but it isn't, because there are buggy
19422 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
19424 -static int __init pci_sanity_check(struct pci_raw_ops *o)
19425 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
19429 diff -urNp linux-2.6.35.5/arch/x86/pci/fixup.c linux-2.6.35.5/arch/x86/pci/fixup.c
19430 --- linux-2.6.35.5/arch/x86/pci/fixup.c 2010-08-26 19:47:12.000000000 -0400
19431 +++ linux-2.6.35.5/arch/x86/pci/fixup.c 2010-09-17 20:12:09.000000000 -0400
19432 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
19433 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
19437 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19441 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
19442 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
19446 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19449 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
19450 diff -urNp linux-2.6.35.5/arch/x86/pci/irq.c linux-2.6.35.5/arch/x86/pci/irq.c
19451 --- linux-2.6.35.5/arch/x86/pci/irq.c 2010-08-26 19:47:12.000000000 -0400
19452 +++ linux-2.6.35.5/arch/x86/pci/irq.c 2010-09-17 20:12:09.000000000 -0400
19453 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
19454 static struct pci_device_id __initdata pirq_440gx[] = {
19455 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
19456 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
19458 + { PCI_DEVICE(0, 0) }
19461 /* 440GX has a proprietary PIRQ router -- don't use it */
19462 @@ -1113,7 +1113,7 @@ static struct dmi_system_id __initdata p
19463 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
19467 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19470 void __init pcibios_irq_init(void)
19471 diff -urNp linux-2.6.35.5/arch/x86/pci/mmconfig_32.c linux-2.6.35.5/arch/x86/pci/mmconfig_32.c
19472 --- linux-2.6.35.5/arch/x86/pci/mmconfig_32.c 2010-08-26 19:47:12.000000000 -0400
19473 +++ linux-2.6.35.5/arch/x86/pci/mmconfig_32.c 2010-09-17 20:12:09.000000000 -0400
19474 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
19478 -static struct pci_raw_ops pci_mmcfg = {
19479 +static const struct pci_raw_ops pci_mmcfg = {
19480 .read = pci_mmcfg_read,
19481 .write = pci_mmcfg_write,
19483 diff -urNp linux-2.6.35.5/arch/x86/pci/mmconfig_64.c linux-2.6.35.5/arch/x86/pci/mmconfig_64.c
19484 --- linux-2.6.35.5/arch/x86/pci/mmconfig_64.c 2010-08-26 19:47:12.000000000 -0400
19485 +++ linux-2.6.35.5/arch/x86/pci/mmconfig_64.c 2010-09-17 20:12:09.000000000 -0400
19486 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
19490 -static struct pci_raw_ops pci_mmcfg = {
19491 +static const struct pci_raw_ops pci_mmcfg = {
19492 .read = pci_mmcfg_read,
19493 .write = pci_mmcfg_write,
19495 diff -urNp linux-2.6.35.5/arch/x86/pci/numaq_32.c linux-2.6.35.5/arch/x86/pci/numaq_32.c
19496 --- linux-2.6.35.5/arch/x86/pci/numaq_32.c 2010-08-26 19:47:12.000000000 -0400
19497 +++ linux-2.6.35.5/arch/x86/pci/numaq_32.c 2010-09-17 20:12:09.000000000 -0400
19498 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
19500 #undef PCI_CONF1_MQ_ADDRESS
19502 -static struct pci_raw_ops pci_direct_conf1_mq = {
19503 +static const struct pci_raw_ops pci_direct_conf1_mq = {
19504 .read = pci_conf1_mq_read,
19505 .write = pci_conf1_mq_write
19507 diff -urNp linux-2.6.35.5/arch/x86/pci/olpc.c linux-2.6.35.5/arch/x86/pci/olpc.c
19508 --- linux-2.6.35.5/arch/x86/pci/olpc.c 2010-08-26 19:47:12.000000000 -0400
19509 +++ linux-2.6.35.5/arch/x86/pci/olpc.c 2010-09-17 20:12:09.000000000 -0400
19510 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
19514 -static struct pci_raw_ops pci_olpc_conf = {
19515 +static const struct pci_raw_ops pci_olpc_conf = {
19516 .read = pci_olpc_read,
19517 .write = pci_olpc_write,
19519 diff -urNp linux-2.6.35.5/arch/x86/pci/pcbios.c linux-2.6.35.5/arch/x86/pci/pcbios.c
19520 --- linux-2.6.35.5/arch/x86/pci/pcbios.c 2010-08-26 19:47:12.000000000 -0400
19521 +++ linux-2.6.35.5/arch/x86/pci/pcbios.c 2010-09-17 20:12:09.000000000 -0400
19522 @@ -57,50 +57,93 @@ union bios32 {
19524 unsigned long address;
19525 unsigned short segment;
19526 -} bios32_indirect = { 0, __KERNEL_CS };
19527 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
19530 * Returns the entry point for the given service, NULL on error
19533 -static unsigned long bios32_service(unsigned long service)
19534 +static unsigned long __devinit bios32_service(unsigned long service)
19536 unsigned char return_code; /* %al */
19537 unsigned long address; /* %ebx */
19538 unsigned long length; /* %ecx */
19539 unsigned long entry; /* %edx */
19540 unsigned long flags;
19541 + struct desc_struct d, *gdt;
19543 local_irq_save(flags);
19544 - __asm__("lcall *(%%edi); cld"
19546 + gdt = get_cpu_gdt_table(smp_processor_id());
19548 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
19549 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19550 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
19551 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19553 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
19554 : "=a" (return_code),
19560 - "D" (&bios32_indirect));
19561 + "D" (&bios32_indirect),
19562 + "r"(__PCIBIOS_DS)
19565 + pax_open_kernel();
19566 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
19567 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
19568 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
19569 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
19570 + pax_close_kernel();
19572 local_irq_restore(flags);
19574 switch (return_code) {
19576 - return address + entry;
19577 - case 0x80: /* Not present */
19578 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19580 - default: /* Shouldn't happen */
19581 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19582 - service, return_code);
19585 + unsigned char flags;
19587 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
19588 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
19589 + printk(KERN_WARNING "bios32_service: not valid\n");
19592 + address = address + PAGE_OFFSET;
19593 + length += 16UL; /* some BIOSs underreport this... */
19595 + if (length >= 64*1024*1024) {
19596 + length >>= PAGE_SHIFT;
19600 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19601 + gdt = get_cpu_gdt_table(cpu);
19602 + pack_descriptor(&d, address, length, 0x9b, flags);
19603 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19604 + pack_descriptor(&d, address, length, 0x93, flags);
19605 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19609 + case 0x80: /* Not present */
19610 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19612 + default: /* Shouldn't happen */
19613 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19614 + service, return_code);
19620 unsigned long address;
19621 unsigned short segment;
19622 -} pci_indirect = { 0, __KERNEL_CS };
19623 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
19625 -static int pci_bios_present;
19626 +static int pci_bios_present __read_only;
19628 static int __devinit check_pcibios(void)
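Review bot: In `bios32_service()` the validity test admits a BIOS-reported `length` up to `0x100000 - address`, and `length += 16UL` is applied after it. The value handed to `pack_descriptor()` can therefore exceed the 20-bit limit field when `address` is very small, while the `length >= 64*1024*1024` branch can never be taken for a value that passed the test. As far as I know `pack_descriptor()` keeps only the low 20 bits of the limit, so the outcome would be a silently truncated segment rather than an error. Testing against the field width instead, `if (length > 0xFFFFFUL) length = 0xFFFFFUL;`, or rejecting such a service in the validity test, would make the two checks agree. Separately, the new `unsigned char flags;` inside the `case` shadows the function's `unsigned long flags` used by `local_irq_save()`, and a distinct name such as `desc_flags` avoids that.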
19630 @@ -109,11 +152,13 @@ static int __devinit check_pcibios(void)
19631 unsigned long flags, pcibios_entry;
19633 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
19634 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
19635 + pci_indirect.address = pcibios_entry;
19637 local_irq_save(flags);
19639 - "lcall *(%%edi); cld\n\t"
19640 + __asm__("movw %w6, %%ds\n\t"
19641 + "lcall *%%ss:(%%edi); cld\n\t"
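Review bot: The new segment operand is referenced by position (`%w6` here, `%w5` and `%w8` in later hunks of this file), so the index has to be recounted by hand whenever an operand is added or removed. A miscount would load a different register into `%ds` with no compiler diagnostic. Named operands remove that coupling: `"movw %w[ds], %%ds\n\t"` in the template and `[ds] "r" (__PCIBIOS_DS)` in the input list. The same applies to the hunks in `pci_bios_read()`, `pci_bios_write()`, `pcibios_get_irq_routing()` and `pcibios_set_irq_routing()`. The asm statement continues past this hunk, so the restore of `%ds` after the call is not visible here.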
19647 @@ -122,7 +167,8 @@ static int __devinit check_pcibios(void)
19650 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
19651 - "D" (&pci_indirect)
19652 + "D" (&pci_indirect),
19653 + "r" (__PCIBIOS_DS)
19655 local_irq_restore(flags);
19657 @@ -166,7 +212,10 @@ static int pci_bios_read(unsigned int se
19661 - __asm__("lcall *(%%esi); cld\n\t"
19662 + __asm__("movw %w6, %%ds\n\t"
19663 + "lcall *%%ss:(%%esi); cld\n\t"
19669 @@ -175,7 +224,8 @@ static int pci_bios_read(unsigned int se
19670 : "1" (PCIBIOS_READ_CONFIG_BYTE),
19673 - "S" (&pci_indirect));
19674 + "S" (&pci_indirect),
19675 + "r" (__PCIBIOS_DS));
19677 * Zero-extend the result beyond 8 bits, do not trust the
19678 * BIOS having done it:
19679 @@ -183,7 +233,10 @@ static int pci_bios_read(unsigned int se
19683 - __asm__("lcall *(%%esi); cld\n\t"
19684 + __asm__("movw %w6, %%ds\n\t"
19685 + "lcall *%%ss:(%%esi); cld\n\t"
19691 @@ -192,7 +245,8 @@ static int pci_bios_read(unsigned int se
19692 : "1" (PCIBIOS_READ_CONFIG_WORD),
19695 - "S" (&pci_indirect));
19696 + "S" (&pci_indirect),
19697 + "r" (__PCIBIOS_DS));
19699 * Zero-extend the result beyond 16 bits, do not trust the
19700 * BIOS having done it:
19701 @@ -200,7 +254,10 @@ static int pci_bios_read(unsigned int se
19705 - __asm__("lcall *(%%esi); cld\n\t"
19706 + __asm__("movw %w6, %%ds\n\t"
19707 + "lcall *%%ss:(%%esi); cld\n\t"
19713 @@ -209,7 +266,8 @@ static int pci_bios_read(unsigned int se
19714 : "1" (PCIBIOS_READ_CONFIG_DWORD),
19717 - "S" (&pci_indirect));
19718 + "S" (&pci_indirect),
19719 + "r" (__PCIBIOS_DS));
19723 @@ -232,7 +290,10 @@ static int pci_bios_write(unsigned int s
19727 - __asm__("lcall *(%%esi); cld\n\t"
19728 + __asm__("movw %w6, %%ds\n\t"
19729 + "lcall *%%ss:(%%esi); cld\n\t"
19735 @@ -241,10 +302,14 @@ static int pci_bios_write(unsigned int s
19739 - "S" (&pci_indirect));
19740 + "S" (&pci_indirect),
19741 + "r" (__PCIBIOS_DS));
19744 - __asm__("lcall *(%%esi); cld\n\t"
19745 + __asm__("movw %w6, %%ds\n\t"
19746 + "lcall *%%ss:(%%esi); cld\n\t"
19752 @@ -253,10 +318,14 @@ static int pci_bios_write(unsigned int s
19756 - "S" (&pci_indirect));
19757 + "S" (&pci_indirect),
19758 + "r" (__PCIBIOS_DS));
19761 - __asm__("lcall *(%%esi); cld\n\t"
19762 + __asm__("movw %w6, %%ds\n\t"
19763 + "lcall *%%ss:(%%esi); cld\n\t"
19769 @@ -265,7 +334,8 @@ static int pci_bios_write(unsigned int s
19773 - "S" (&pci_indirect));
19774 + "S" (&pci_indirect),
19775 + "r" (__PCIBIOS_DS));
19779 @@ -279,7 +349,7 @@ static int pci_bios_write(unsigned int s
19780 * Function table for BIOS32 access
19783 -static struct pci_raw_ops pci_bios_access = {
19784 +static const struct pci_raw_ops pci_bios_access = {
19785 .read = pci_bios_read,
19786 .write = pci_bios_write
19788 @@ -288,7 +358,7 @@ static struct pci_raw_ops pci_bios_acces
19789 * Try to find PCI BIOS.
19792 -static struct pci_raw_ops * __devinit pci_find_bios(void)
19793 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
19795 union bios32 *check;
19797 @@ -369,10 +439,13 @@ struct irq_routing_table * pcibios_get_i
19799 DBG("PCI: Fetching IRQ routing table... ");
19800 __asm__("push %%es\n\t"
19801 + "movw %w8, %%ds\n\t"
19804 - "lcall *(%%esi); cld\n\t"
19805 + "lcall *%%ss:(%%esi); cld\n\t"
19812 @@ -383,7 +456,8 @@ struct irq_routing_table * pcibios_get_i
19815 "S" (&pci_indirect),
19818 + "r" (__PCIBIOS_DS)
19820 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
19822 @@ -407,7 +481,10 @@ int pcibios_set_irq_routing(struct pci_d
19826 - __asm__("lcall *(%%esi); cld\n\t"
19827 + __asm__("movw %w5, %%ds\n\t"
19828 + "lcall *%%ss:(%%esi); cld\n\t"
19834 @@ -415,7 +492,8 @@ int pcibios_set_irq_routing(struct pci_d
19835 : "0" (PCIBIOS_SET_PCI_HW_INT),
19836 "b" ((dev->bus->number << 8) | dev->devfn),
19837 "c" ((irq << 8) | (pin + 10)),
19838 - "S" (&pci_indirect));
19839 + "S" (&pci_indirect),
19840 + "r" (__PCIBIOS_DS));
19841 return !(ret & 0xff00);
19843 EXPORT_SYMBOL(pcibios_set_irq_routing);
19844 diff -urNp linux-2.6.35.5/arch/x86/power/cpu.c linux-2.6.35.5/arch/x86/power/cpu.c
19845 --- linux-2.6.35.5/arch/x86/power/cpu.c 2010-09-20 17:33:09.000000000 -0400
19846 +++ linux-2.6.35.5/arch/x86/power/cpu.c 2010-09-20 17:33:32.000000000 -0400
19847 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
19848 static void fix_processor_context(void)
19850 int cpu = smp_processor_id();
19851 - struct tss_struct *t = &per_cpu(init_tss, cpu);
19852 + struct tss_struct *t = init_tss + cpu;
19854 set_tss_desc(cpu, t); /*
19855 * This just modifies memory; should not be
19856 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
19859 #ifdef CONFIG_X86_64
19860 + pax_open_kernel();
19861 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
19862 + pax_close_kernel();
19864 syscall_init(); /* This sets MSR_*STAR and related */
19866 diff -urNp linux-2.6.35.5/arch/x86/vdso/Makefile linux-2.6.35.5/arch/x86/vdso/Makefile
19867 --- linux-2.6.35.5/arch/x86/vdso/Makefile 2010-08-26 19:47:12.000000000 -0400
19868 +++ linux-2.6.35.5/arch/x86/vdso/Makefile 2010-09-17 20:12:09.000000000 -0400
19869 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
19870 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
19871 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
19873 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
19874 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
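Review bot: `--no-undefined` is added to `VDSO_LDFLAGS` bare, while the other linker option on the same line is wrapped as `-Wl$(comma)--hash-style=sysv` and probed with `cc-ldoption`. If these flags go to the compiler driver, as the `-Wl,-T,` on the context line above suggests, forwarding the option explicitly ensures it reaches the linker on every toolchain: `VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)`. A short comment next to the flag should state the intent, which is to fail the build when the vDSO references a symbol it does not define.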
19878 diff -urNp linux-2.6.35.5/arch/x86/vdso/vclock_gettime.c linux-2.6.35.5/arch/x86/vdso/vclock_gettime.c
19879 --- linux-2.6.35.5/arch/x86/vdso/vclock_gettime.c 2010-08-26 19:47:12.000000000 -0400
19880 +++ linux-2.6.35.5/arch/x86/vdso/vclock_gettime.c 2010-09-17 20:12:09.000000000 -0400
19881 @@ -22,24 +22,48 @@
19882 #include <asm/hpet.h>
19883 #include <asm/unistd.h>
19884 #include <asm/io.h>
19885 +#include <asm/fixmap.h>
19886 #include "vextern.h"
19888 #define gtod vdso_vsyscall_gtod_data
19890 +notrace noinline long __vdso_fallback_time(long *t)
19893 + asm volatile("syscall"
19895 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
19899 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
19902 asm("syscall" : "=a" (ret) :
19903 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
19904 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
19908 +notrace static inline cycle_t __vdso_vread_hpet(void)
19910 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
19913 +notrace static inline cycle_t __vdso_vread_tsc(void)
19915 + cycle_t ret = (cycle_t)vget_cycles();
19917 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
19920 notrace static inline long vgetns(void)
19923 - cycles_t (*vread)(void);
19924 - vread = gtod->clock.vread;
19925 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
19926 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
19927 + v = __vdso_vread_tsc();
19929 + v = __vdso_vread_hpet();
19930 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
19931 return (v * gtod->clock.mult) >> gtod->clock.shift;
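Review bot: The clock-name test is spelled out character by character three times, here in `vgetns()` and again in `__vdso_clock_gettime()` and `__vdso_gettimeofday()` in the following hunks. `vgetns()` also treats every name other than "tsc" as HPET, which is correct only because both callers pre-filter on the same two names. Moving the comparison into two small `notrace static inline` predicates keeps the three sites in step and gives one definition of the supported clocks. A comment should also say why the `vread` function pointer is no longer called from this path, which is presumably the purpose of the change and is not obvious from the code. The line separating the two branches in `vgetns()` is not shown in this rendering.

```c
/* Open-coded name checks: presumably because the vDSO cannot call strcmp(). */
notrace static inline int __vdso_clock_is_tsc(void)
{
	return gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' &&
	       gtod->clock.name[2] == 'c' && !gtod->clock.name[3];
}

notrace static inline int __vdso_clock_is_hpet(void)
{
	return gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' &&
	       gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' &&
	       !gtod->clock.name[4];
}

notrace static inline long vgetns(void)
{
	/* … unchanged: declaration of v … */
	if (__vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
	/* … unchanged: cycle delta, mask and scaling … */
```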
19934 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
19936 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
19938 - if (likely(gtod->sysctl_enabled))
19939 + if (likely(gtod->sysctl_enabled &&
19940 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
19941 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
19943 case CLOCK_REALTIME:
19944 if (likely(gtod->clock.vread))
19945 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
19946 int clock_gettime(clockid_t, struct timespec *)
19947 __attribute__((weak, alias("__vdso_clock_gettime")));
19949 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
19950 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
19953 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
19954 + asm("syscall" : "=a" (ret) :
19955 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
19959 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
19961 + if (likely(gtod->sysctl_enabled &&
19962 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
19963 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
19965 if (likely(tv != NULL)) {
19966 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
19967 offsetof(struct timespec, tv_nsec) ||
19968 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
19972 - asm("syscall" : "=a" (ret) :
19973 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
19975 + return __vdso_fallback_gettimeofday(tv, tz);
19977 int gettimeofday(struct timeval *, struct timezone *)
19978 __attribute__((weak, alias("__vdso_gettimeofday")));
19979 diff -urNp linux-2.6.35.5/arch/x86/vdso/vdso32-setup.c linux-2.6.35.5/arch/x86/vdso/vdso32-setup.c
19980 --- linux-2.6.35.5/arch/x86/vdso/vdso32-setup.c 2010-08-26 19:47:12.000000000 -0400
19981 +++ linux-2.6.35.5/arch/x86/vdso/vdso32-setup.c 2010-09-17 20:12:09.000000000 -0400
19983 #include <asm/tlbflush.h>
19984 #include <asm/vdso.h>
19985 #include <asm/proto.h>
19986 +#include <asm/mman.h>
19990 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
19991 void enable_sep_cpu(void)
19993 int cpu = get_cpu();
19994 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
19995 + struct tss_struct *tss = init_tss + cpu;
19997 if (!boot_cpu_has(X86_FEATURE_SEP)) {
19999 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20000 gate_vma.vm_start = FIXADDR_USER_START;
20001 gate_vma.vm_end = FIXADDR_USER_END;
20002 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20003 - gate_vma.vm_page_prot = __P101;
20004 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20006 * Make sure the vDSO gets into every core dump.
20007 * Dumping its contents makes post-mortem fully interpretable later
20008 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20010 addr = VDSO_HIGH_BASE;
20012 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20013 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20014 if (IS_ERR_VALUE(addr)) {
20020 - current->mm->context.vdso = (void *)addr;
20021 + current->mm->context.vdso = addr;
20023 if (compat_uses_vma || !compat) {
20025 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20028 current_thread_info()->sysenter_return =
20029 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20030 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20034 - current->mm->context.vdso = NULL;
20035 + current->mm->context.vdso = 0;
20037 up_write(&mm->mmap_sem);
20039 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20041 const char *arch_vma_name(struct vm_area_struct *vma)
20043 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20044 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20047 +#ifdef CONFIG_PAX_SEGMEXEC
20048 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20055 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20056 struct mm_struct *mm = tsk->mm;
20058 /* Check to see if this task was created in compat vdso mode */
20059 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20060 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20064 diff -urNp linux-2.6.35.5/arch/x86/vdso/vdso.lds.S linux-2.6.35.5/arch/x86/vdso/vdso.lds.S
20065 --- linux-2.6.35.5/arch/x86/vdso/vdso.lds.S 2010-08-26 19:47:12.000000000 -0400
20066 +++ linux-2.6.35.5/arch/x86/vdso/vdso.lds.S 2010-09-17 20:12:09.000000000 -0400
20067 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20068 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20069 #include "vextern.h"
20072 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20073 +VEXTERN(fallback_gettimeofday)
20074 +VEXTERN(fallback_time)
20077 diff -urNp linux-2.6.35.5/arch/x86/vdso/vextern.h linux-2.6.35.5/arch/x86/vdso/vextern.h
20078 --- linux-2.6.35.5/arch/x86/vdso/vextern.h 2010-08-26 19:47:12.000000000 -0400
20079 +++ linux-2.6.35.5/arch/x86/vdso/vextern.h 2010-09-17 20:12:09.000000000 -0400
20081 put into vextern.h and be referenced as a pointer with vdso prefix.
20082 The main kernel later fills in the values. */
20085 VEXTERN(vgetcpu_mode)
20086 VEXTERN(vsyscall_gtod_data)
20087 diff -urNp linux-2.6.35.5/arch/x86/vdso/vma.c linux-2.6.35.5/arch/x86/vdso/vma.c
20088 --- linux-2.6.35.5/arch/x86/vdso/vma.c 2010-08-26 19:47:12.000000000 -0400
20089 +++ linux-2.6.35.5/arch/x86/vdso/vma.c 2010-09-17 20:12:09.000000000 -0400
20090 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20094 - if (memcmp(vbase, "\177ELF", 4)) {
20095 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
20096 printk("VDSO: I'm broken; not ELF\n");
20099 @@ -67,6 +67,7 @@ static int __init init_vdso_vars(void)
20100 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
20101 #include "vextern.h"
20107 @@ -117,7 +118,7 @@ int arch_setup_additional_pages(struct l
20111 - current->mm->context.vdso = (void *)addr;
20112 + current->mm->context.vdso = addr;
20114 ret = install_special_mapping(mm, addr, vdso_size,
20116 @@ -125,7 +126,7 @@ int arch_setup_additional_pages(struct l
20120 - current->mm->context.vdso = NULL;
20121 + current->mm->context.vdso = 0;
20125 @@ -133,10 +134,3 @@ up_fail:
20126 up_write(&mm->mmap_sem);
20130 -static __init int vdso_setup(char *s)
20132 - vdso_enabled = simple_strtoul(s, NULL, 0);
20135 -__setup("vdso=", vdso_setup);
20136 diff -urNp linux-2.6.35.5/arch/x86/xen/enlighten.c linux-2.6.35.5/arch/x86/xen/enlighten.c
20137 --- linux-2.6.35.5/arch/x86/xen/enlighten.c 2010-08-26 19:47:12.000000000 -0400
20138 +++ linux-2.6.35.5/arch/x86/xen/enlighten.c 2010-09-17 20:12:09.000000000 -0400
20139 @@ -74,8 +74,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
20141 struct shared_info xen_dummy_shared_info;
20143 -void *xen_initial_gdt;
20146 * Point at some empty memory to start with. We map the real shared_info
20147 * page as soon as fixmap is up and running.
20148 @@ -551,7 +549,7 @@ static void xen_write_idt_entry(gate_des
20152 - start = __get_cpu_var(idt_desc).address;
20153 + start = (unsigned long)__get_cpu_var(idt_desc).address;
20154 end = start + __get_cpu_var(idt_desc).size + 1;
20157 @@ -1103,7 +1101,17 @@ asmlinkage void __init xen_start_kernel(
20158 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
20160 /* Work out if we support NX */
20161 - x86_configure_nx();
20162 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20163 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
20164 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
20167 + __supported_pte_mask |= _PAGE_NX;
20168 + rdmsr(MSR_EFER, l, h);
20170 + wrmsr(MSR_EFER, l, h);
20174 xen_setup_features();
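Review bot: The open-coded NX probe that replaces `x86_configure_nx()` has no comment saying what the two CPUID tests establish or why the helper is no longer used here. From the visible lines, the first test checks that the extended CPUID range is present and the second reads the NX bit from leaf 0x80000001 EDX, after which `_PAGE_NX` is added to `__supported_pte_mask` and EFER is read and written back. I would put `/* NX: require CPUID leaf 0x80000001 and its EDX NX bit before setting _PAGE_NX and updating EFER */` above the `if`. The comment should also state what `__supported_pte_mask` is expected to hold on builds that fall outside the `#if`. The declarations of `l` and `h` and the rest of xen_start_kernel are outside the hunk.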
20176 @@ -1134,13 +1142,6 @@ asmlinkage void __init xen_start_kernel(
20178 machine_ops = xen_machine_ops;
20181 - * The only reliable way to retain the initial address of the
20182 - * percpu gdt_page is to remember it here, so we can go and
20183 - * mark it RW later, when the initial percpu area is freed.
20185 - xen_initial_gdt = &per_cpu(gdt_page, 0);
20189 pgd = (pgd_t *)xen_start_info->pt_base;
20190 diff -urNp linux-2.6.35.5/arch/x86/xen/mmu.c linux-2.6.35.5/arch/x86/xen/mmu.c
20191 --- linux-2.6.35.5/arch/x86/xen/mmu.c 2010-08-26 19:47:12.000000000 -0400
20192 +++ linux-2.6.35.5/arch/x86/xen/mmu.c 2010-09-17 20:12:09.000000000 -0400
20193 @@ -1694,6 +1694,8 @@ __init pgd_t *xen_setup_kernel_pagetable
20194 convert_pfn_mfn(init_level4_pgt);
20195 convert_pfn_mfn(level3_ident_pgt);
20196 convert_pfn_mfn(level3_kernel_pgt);
20197 + convert_pfn_mfn(level3_vmalloc_pgt);
20198 + convert_pfn_mfn(level3_vmemmap_pgt);
20200 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
20201 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
20202 @@ -1712,7 +1714,10 @@ __init pgd_t *xen_setup_kernel_pagetable
20203 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
20204 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
20205 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
20206 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
20207 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
20208 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
20209 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
20210 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
20211 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
20213 diff -urNp linux-2.6.35.5/arch/x86/xen/smp.c linux-2.6.35.5/arch/x86/xen/smp.c
20214 --- linux-2.6.35.5/arch/x86/xen/smp.c 2010-08-26 19:47:12.000000000 -0400
20215 +++ linux-2.6.35.5/arch/x86/xen/smp.c 2010-09-17 20:12:09.000000000 -0400
20216 @@ -169,11 +169,6 @@ static void __init xen_smp_prepare_boot_
20218 BUG_ON(smp_processor_id() != 0);
20219 native_smp_prepare_boot_cpu();
20221 - /* We've switched to the "real" per-cpu gdt, so make sure the
20222 - old memory can be recycled */
20223 - make_lowmem_page_readwrite(xen_initial_gdt);
20225 xen_setup_vcpu_info_placement();
20228 @@ -233,8 +228,8 @@ cpu_initialize_context(unsigned int cpu,
20229 gdt = get_cpu_gdt_table(cpu);
20231 ctxt->flags = VGCF_IN_KERNEL;
20232 - ctxt->user_regs.ds = __USER_DS;
20233 - ctxt->user_regs.es = __USER_DS;
20234 + ctxt->user_regs.ds = __KERNEL_DS;
20235 + ctxt->user_regs.es = __KERNEL_DS;
20236 ctxt->user_regs.ss = __KERNEL_DS;
20237 #ifdef CONFIG_X86_32
20238 ctxt->user_regs.fs = __KERNEL_PERCPU;
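Review bot: The change of `ctxt->user_regs.ds` and `ctxt->user_regs.es` from `__USER_DS` to `__KERNEL_DS` alters the initial data segments of each vCPU context built here, and the hunk gives no reason for it. The kernel-parameters text in this same patch says UDEREF uses an expand-down segment on X86-32, so presumably `__USER_DS` no longer covers kernel addresses. If that is the reason, record it next to the assignments, for example `/* kernel context: ds/es must be __KERNEL_DS, __USER_DS is not usable for kernel data with UDEREF */`. The body of cpu_initialize_context continues outside the hunk.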
20239 diff -urNp linux-2.6.35.5/arch/x86/xen/xen-head.S linux-2.6.35.5/arch/x86/xen/xen-head.S
20240 --- linux-2.6.35.5/arch/x86/xen/xen-head.S 2010-08-26 19:47:12.000000000 -0400
20241 +++ linux-2.6.35.5/arch/x86/xen/xen-head.S 2010-09-17 20:12:09.000000000 -0400
20242 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
20243 #ifdef CONFIG_X86_32
20244 mov %esi,xen_start_info
20245 mov $init_thread_union+THREAD_SIZE,%esp
20247 + movl $cpu_gdt_table,%edi
20248 + movl $__per_cpu_load,%eax
20249 + movw %ax,__KERNEL_PERCPU + 2(%edi)
20251 + movb %al,__KERNEL_PERCPU + 4(%edi)
20252 + movb %ah,__KERNEL_PERCPU + 7(%edi)
20253 + movl $__per_cpu_end - 1,%eax
20254 + subl $__per_cpu_start,%eax
20255 + movw %ax,__KERNEL_PERCPU + 0(%edi)
20258 mov %rsi,xen_start_info
20259 mov $init_thread_union+THREAD_SIZE,%rsp
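Review bot: The added 32-bit block patches individual bytes of the `__KERNEL_PERCPU` descriptor in `cpu_gdt_table`, and none of the stores is commented, so a reader has to recall the descriptor layout to check them. I would add a header such as `/* set __KERNEL_PERCPU base to __per_cpu_load and limit to the per-cpu area size - 1 */`. Each store should then be tagged with the field it writes: offset 2 is base 15:0, offset 4 is base 23:16, offset 7 is base 31:24 and offset 0 is limit 15:0. The instruction that brings the upper half of the base into `%ax` before the two `movb` stores is not among the lines shown. Only the low 16 bits of the limit are written in the visible lines, so the comment should also say what guarantees the per-cpu area fits that field.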
20260 diff -urNp linux-2.6.35.5/arch/x86/xen/xen-ops.h linux-2.6.35.5/arch/x86/xen/xen-ops.h
20261 --- linux-2.6.35.5/arch/x86/xen/xen-ops.h 2010-08-26 19:47:12.000000000 -0400
20262 +++ linux-2.6.35.5/arch/x86/xen/xen-ops.h 2010-09-17 20:12:09.000000000 -0400
20264 extern const char xen_hypervisor_callback[];
20265 extern const char xen_failsafe_callback[];
20267 -extern void *xen_initial_gdt;
20270 void xen_copy_trap_info(struct trap_info *traps);
20272 diff -urNp linux-2.6.35.5/block/blk-iopoll.c linux-2.6.35.5/block/blk-iopoll.c
20273 --- linux-2.6.35.5/block/blk-iopoll.c 2010-08-26 19:47:12.000000000 -0400
20274 +++ linux-2.6.35.5/block/blk-iopoll.c 2010-09-17 20:12:09.000000000 -0400
20275 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
20277 EXPORT_SYMBOL(blk_iopoll_complete);
20279 -static void blk_iopoll_softirq(struct softirq_action *h)
20280 +static void blk_iopoll_softirq(void)
20282 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
20283 int rearm = 0, budget = blk_iopoll_budget;
20284 diff -urNp linux-2.6.35.5/block/blk-map.c linux-2.6.35.5/block/blk-map.c
20285 --- linux-2.6.35.5/block/blk-map.c 2010-08-26 19:47:12.000000000 -0400
20286 +++ linux-2.6.35.5/block/blk-map.c 2010-09-17 20:12:09.000000000 -0400
20287 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
20288 * direct dma. else, set up kernel bounce buffers
20290 uaddr = (unsigned long) ubuf;
20291 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
20292 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
20293 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
20295 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
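Review bot: The cast `(__force void *)ubuf` in the `blk_rq_aligned()` call removes the `__user` address-space annotation, which silences the checker for this pointer without saying why that is safe. If `blk_rq_aligned()` only does alignment arithmetic on the address, as its use here suggests, say so at the call: `/* __force: address is only tested for alignment, never dereferenced */`. Its body is not visible here. That keeps later changes to the helper from quietly turning this into a direct dereference of a user pointer. The body of __blk_rq_map_user continues outside the hunk.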
20296 @@ -297,7 +297,7 @@ int blk_rq_map_kern(struct request_queue
20300 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
20301 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
20303 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
20305 diff -urNp linux-2.6.35.5/block/blk-softirq.c linux-2.6.35.5/block/blk-softirq.c
20306 --- linux-2.6.35.5/block/blk-softirq.c 2010-08-26 19:47:12.000000000 -0400
20307 +++ linux-2.6.35.5/block/blk-softirq.c 2010-09-17 20:12:09.000000000 -0400
20308 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
20309 * Softirq action handler - move entries to local list and loop over them
20310 * while passing them to the queue registered handler.
20312 -static void blk_done_softirq(struct softirq_action *h)
20313 +static void blk_done_softirq(void)
20315 struct list_head *cpu_list, local_list;
20317 diff -urNp linux-2.6.35.5/crypto/lrw.c linux-2.6.35.5/crypto/lrw.c
20318 --- linux-2.6.35.5/crypto/lrw.c 2010-08-26 19:47:12.000000000 -0400
20319 +++ linux-2.6.35.5/crypto/lrw.c 2010-09-17 20:12:09.000000000 -0400
20320 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
20321 struct priv *ctx = crypto_tfm_ctx(parent);
20322 struct crypto_cipher *child = ctx->child;
20324 - be128 tmp = { 0 };
20325 + be128 tmp = { 0, 0 };
20326 int bsize = crypto_cipher_blocksize(child);
20328 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
20329 diff -urNp linux-2.6.35.5/Documentation/dontdiff linux-2.6.35.5/Documentation/dontdiff
20330 --- linux-2.6.35.5/Documentation/dontdiff 2010-08-26 19:47:12.000000000 -0400
20331 +++ linux-2.6.35.5/Documentation/dontdiff 2010-09-17 20:12:09.000000000 -0400
20351 @@ -49,11 +52,16 @@
20368 @@ -76,7 +84,10 @@ btfixupprep
20379 @@ -100,19 +111,22 @@ fore200e_mkfirm
20394 initramfs_data.cpio
20395 +initramfs_data.cpio.bz2
20396 initramfs_data.cpio.gz
20403 @@ -136,10 +150,13 @@ mkboot
20417 @@ -151,7 +168,9 @@ parse.h
20427 @@ -160,12 +179,14 @@ qconf
20442 @@ -189,14 +210,20 @@ version.h*
20463 diff -urNp linux-2.6.35.5/Documentation/filesystems/sysfs.txt linux-2.6.35.5/Documentation/filesystems/sysfs.txt
20464 --- linux-2.6.35.5/Documentation/filesystems/sysfs.txt 2010-08-26 19:47:12.000000000 -0400
20465 +++ linux-2.6.35.5/Documentation/filesystems/sysfs.txt 2010-09-17 20:12:09.000000000 -0400
20466 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
20467 show and store methods of the attribute owners.
20470 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
20471 - ssize_t (*store)(struct kobject *, struct attribute *, const char *);
20472 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
20473 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *);
20476 [ Subsystems should have already defined a struct kobj_type as a
20477 diff -urNp linux-2.6.35.5/Documentation/kernel-parameters.txt linux-2.6.35.5/Documentation/kernel-parameters.txt
20478 --- linux-2.6.35.5/Documentation/kernel-parameters.txt 2010-08-26 19:47:12.000000000 -0400
20479 +++ linux-2.6.35.5/Documentation/kernel-parameters.txt 2010-09-17 20:12:09.000000000 -0400
20480 @@ -1910,6 +1910,12 @@ and is between 256 and 4096 characters.
20481 the specified number of seconds. This is to be used if
20482 your oopses keep scrolling off the screen.
20484 + pax_nouderef [X86-32] disables UDEREF. Most likely needed under certain
20485 + virtualization environments that don't cope well with the
20486 + expand down segment used by UDEREF on X86-32.
20488 + pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
20493 diff -urNp linux-2.6.35.5/drivers/acpi/battery.c linux-2.6.35.5/drivers/acpi/battery.c
20494 --- linux-2.6.35.5/drivers/acpi/battery.c 2010-08-26 19:47:12.000000000 -0400
20495 +++ linux-2.6.35.5/drivers/acpi/battery.c 2010-09-17 20:12:09.000000000 -0400
20496 @@ -810,7 +810,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
20499 static struct battery_file {
20500 - struct file_operations ops;
20501 + const struct file_operations ops;
20504 } acpi_battery_file[] = {
20505 diff -urNp linux-2.6.35.5/drivers/acpi/blacklist.c linux-2.6.35.5/drivers/acpi/blacklist.c
20506 --- linux-2.6.35.5/drivers/acpi/blacklist.c 2010-08-26 19:47:12.000000000 -0400
20507 +++ linux-2.6.35.5/drivers/acpi/blacklist.c 2010-09-17 20:12:09.000000000 -0400
20508 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
20509 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
20510 "Incorrect _ADR", 1},
20513 + {"", "", 0, NULL, all_versions, NULL, 0}
20516 #if CONFIG_ACPI_BLACKLIST_YEAR
20517 diff -urNp linux-2.6.35.5/drivers/acpi/dock.c linux-2.6.35.5/drivers/acpi/dock.c
20518 --- linux-2.6.35.5/drivers/acpi/dock.c 2010-08-26 19:47:12.000000000 -0400
20519 +++ linux-2.6.35.5/drivers/acpi/dock.c 2010-09-17 20:12:09.000000000 -0400
20520 @@ -77,7 +77,7 @@ struct dock_dependent_device {
20521 struct list_head list;
20522 struct list_head hotplug_list;
20523 acpi_handle handle;
20524 - struct acpi_dock_ops *ops;
20525 + const struct acpi_dock_ops *ops;
20529 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
20530 * the dock driver after _DCK is executed.
20533 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
20534 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
20537 struct dock_dependent_device *dd;
20538 diff -urNp linux-2.6.35.5/drivers/acpi/osl.c linux-2.6.35.5/drivers/acpi/osl.c
20539 --- linux-2.6.35.5/drivers/acpi/osl.c 2010-08-26 19:47:12.000000000 -0400
20540 +++ linux-2.6.35.5/drivers/acpi/osl.c 2010-09-17 20:12:09.000000000 -0400
20541 @@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
20542 void __iomem *virt_addr;
20544 virt_addr = ioremap(phys_addr, width);
20546 + return AE_NO_MEMORY;
20550 @@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
20551 void __iomem *virt_addr;
20553 virt_addr = ioremap(phys_addr, width);
20555 + return AE_NO_MEMORY;
20559 diff -urNp linux-2.6.35.5/drivers/acpi/power_meter.c linux-2.6.35.5/drivers/acpi/power_meter.c
20560 --- linux-2.6.35.5/drivers/acpi/power_meter.c 2010-08-26 19:47:12.000000000 -0400
20561 +++ linux-2.6.35.5/drivers/acpi/power_meter.c 2010-09-17 20:12:09.000000000 -0400
20562 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
20569 mutex_lock(&resource->lock);
20570 resource->trip[attr->index - 7] = temp;
20571 diff -urNp linux-2.6.35.5/drivers/acpi/proc.c linux-2.6.35.5/drivers/acpi/proc.c
20572 --- linux-2.6.35.5/drivers/acpi/proc.c 2010-08-26 19:47:12.000000000 -0400
20573 +++ linux-2.6.35.5/drivers/acpi/proc.c 2010-09-17 20:12:09.000000000 -0400
20574 @@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
20575 size_t count, loff_t * ppos)
20577 struct list_head *node, *next;
20579 - char str[5] = "";
20580 - unsigned int len = count;
20581 + char strbuf[5] = {0};
20582 struct acpi_device *found_dev = NULL;
20591 - if (copy_from_user(strbuf, buffer, len))
20592 + if (copy_from_user(strbuf, buffer, count))
20594 - strbuf[len] = '\0';
20595 - sscanf(strbuf, "%s", str);
20596 + strbuf[count] = '\0';
20598 mutex_lock(&acpi_device_lock);
20599 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
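Review bot: Removing `sscanf(strbuf, "%s", str)` means the user's bytes are compared raw, so a trailing newline or leading blank now takes part in the `strncmp(dev->pnp.bus_id, strbuf, 4)` in the next hunk. A device name shorter than four characters written with a newline after it would no longer match, while four-character names still do. Either keep the token parse, or trim before the loop with `if (count && strbuf[count - 1] == '\n') strbuf[count - 1] = '\0';`. Separately, `copy_from_user(strbuf, buffer, count)` and `strbuf[count] = '\0'` are only safe for the 5-byte `strbuf` if `count` is clamped to 4 first. That clamp is not among the lines shown, so confirm it is present on the new side. The function body continues outside both hunks.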
20600 @@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
20601 if (!dev->wakeup.flags.valid)
20604 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
20605 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
20606 dev->wakeup.state.enabled =
20607 dev->wakeup.state.enabled ? 0 : 1;
20609 diff -urNp linux-2.6.35.5/drivers/acpi/processor_driver.c linux-2.6.35.5/drivers/acpi/processor_driver.c
20610 --- linux-2.6.35.5/drivers/acpi/processor_driver.c 2010-08-26 19:47:12.000000000 -0400
20611 +++ linux-2.6.35.5/drivers/acpi/processor_driver.c 2010-09-17 20:12:09.000000000 -0400
20612 @@ -586,7 +586,7 @@ static int __cpuinit acpi_processor_add(
20616 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
20617 + BUG_ON(pr->id >= nr_cpu_ids);
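Review bot: Dropping the `pr->id < 0` half of the `BUG_ON` is only equivalent if `pr->id` is an unsigned type, and its declaration is not visible in this hunk. If the field is, or later becomes, signed, a negative id would pass the remaining bound check. I would record the assumption next to the check, `/* pr->id is unsigned: a negative id already fails this bound */`, so that a later type change prompts a second look. The body of acpi_processor_add continues outside the hunk.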
20621 diff -urNp linux-2.6.35.5/drivers/acpi/processor_idle.c linux-2.6.35.5/drivers/acpi/processor_idle.c
20622 --- linux-2.6.35.5/drivers/acpi/processor_idle.c 2010-08-26 19:47:12.000000000 -0400
20623 +++ linux-2.6.35.5/drivers/acpi/processor_idle.c 2010-09-17 20:12:09.000000000 -0400
20624 @@ -124,7 +124,7 @@ static struct dmi_system_id __cpuinitdat
20625 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
20626 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
20629 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
20633 diff -urNp linux-2.6.35.5/drivers/acpi/sleep.c linux-2.6.35.5/drivers/acpi/sleep.c
20634 --- linux-2.6.35.5/drivers/acpi/sleep.c 2010-08-26 19:47:12.000000000 -0400
20635 +++ linux-2.6.35.5/drivers/acpi/sleep.c 2010-09-17 20:12:09.000000000 -0400
20636 @@ -318,7 +318,7 @@ static int acpi_suspend_state_valid(susp
20640 -static struct platform_suspend_ops acpi_suspend_ops = {
20641 +static const struct platform_suspend_ops acpi_suspend_ops = {
20642 .valid = acpi_suspend_state_valid,
20643 .begin = acpi_suspend_begin,
20644 .prepare_late = acpi_pm_prepare,
20645 @@ -346,7 +346,7 @@ static int acpi_suspend_begin_old(suspen
20646 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20649 -static struct platform_suspend_ops acpi_suspend_ops_old = {
20650 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
20651 .valid = acpi_suspend_state_valid,
20652 .begin = acpi_suspend_begin_old,
20653 .prepare_late = acpi_pm_freeze,
20654 @@ -478,7 +478,7 @@ static void acpi_pm_thaw(void)
20655 acpi_enable_all_runtime_gpes();
20658 -static struct platform_hibernation_ops acpi_hibernation_ops = {
20659 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
20660 .begin = acpi_hibernation_begin,
20661 .end = acpi_pm_end,
20662 .pre_snapshot = acpi_hibernation_pre_snapshot,
20663 @@ -528,7 +528,7 @@ static int acpi_hibernation_pre_snapshot
20664 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20667 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
20668 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
20669 .begin = acpi_hibernation_begin_old,
20670 .end = acpi_pm_end,
20671 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
20672 diff -urNp linux-2.6.35.5/drivers/acpi/video.c linux-2.6.35.5/drivers/acpi/video.c
20673 --- linux-2.6.35.5/drivers/acpi/video.c 2010-08-26 19:47:12.000000000 -0400
20674 +++ linux-2.6.35.5/drivers/acpi/video.c 2010-09-17 20:12:09.000000000 -0400
20675 @@ -363,7 +363,7 @@ static int acpi_video_set_brightness(str
20676 vd->brightness->levels[request_level]);
20679 -static struct backlight_ops acpi_backlight_ops = {
20680 +static const struct backlight_ops acpi_backlight_ops = {
20681 .get_brightness = acpi_video_get_brightness,
20682 .update_status = acpi_video_set_brightness,
20684 diff -urNp linux-2.6.35.5/drivers/ata/ahci.c linux-2.6.35.5/drivers/ata/ahci.c
20685 --- linux-2.6.35.5/drivers/ata/ahci.c 2010-08-26 19:47:12.000000000 -0400
20686 +++ linux-2.6.35.5/drivers/ata/ahci.c 2010-09-17 20:12:09.000000000 -0400
20687 @@ -89,17 +89,17 @@ static int ahci_pci_device_suspend(struc
20688 static int ahci_pci_device_resume(struct pci_dev *pdev);
20691 -static struct ata_port_operations ahci_vt8251_ops = {
20692 +static const struct ata_port_operations ahci_vt8251_ops = {
20693 .inherits = &ahci_ops,
20694 .hardreset = ahci_vt8251_hardreset,
20697 -static struct ata_port_operations ahci_p5wdh_ops = {
20698 +static const struct ata_port_operations ahci_p5wdh_ops = {
20699 .inherits = &ahci_ops,
20700 .hardreset = ahci_p5wdh_hardreset,
20703 -static struct ata_port_operations ahci_sb600_ops = {
20704 +static const struct ata_port_operations ahci_sb600_ops = {
20705 .inherits = &ahci_ops,
20706 .softreset = ahci_sb600_softreset,
20707 .pmp_softreset = ahci_sb600_softreset,
20708 @@ -370,7 +370,7 @@ static const struct pci_device_id ahci_p
20709 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
20710 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
20712 - { } /* terminate list */
20713 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20717 diff -urNp linux-2.6.35.5/drivers/ata/ahci.h linux-2.6.35.5/drivers/ata/ahci.h
20718 --- linux-2.6.35.5/drivers/ata/ahci.h 2010-08-26 19:47:12.000000000 -0400
20719 +++ linux-2.6.35.5/drivers/ata/ahci.h 2010-09-17 20:12:09.000000000 -0400
20720 @@ -298,7 +298,7 @@ struct ahci_host_priv {
20721 extern int ahci_ignore_sss;
20723 extern struct scsi_host_template ahci_sht;
20724 -extern struct ata_port_operations ahci_ops;
20725 +extern const struct ata_port_operations ahci_ops;
20727 void ahci_save_initial_config(struct device *dev,
20728 struct ahci_host_priv *hpriv,
20729 diff -urNp linux-2.6.35.5/drivers/ata/ata_generic.c linux-2.6.35.5/drivers/ata/ata_generic.c
20730 --- linux-2.6.35.5/drivers/ata/ata_generic.c 2010-08-26 19:47:12.000000000 -0400
20731 +++ linux-2.6.35.5/drivers/ata/ata_generic.c 2010-09-17 20:12:09.000000000 -0400
20732 @@ -104,7 +104,7 @@ static struct scsi_host_template generic
20733 ATA_BMDMA_SHT(DRV_NAME),
20736 -static struct ata_port_operations generic_port_ops = {
20737 +static const struct ata_port_operations generic_port_ops = {
20738 .inherits = &ata_bmdma_port_ops,
20739 .cable_detect = ata_cable_unknown,
20740 .set_mode = generic_set_mode,
20741 diff -urNp linux-2.6.35.5/drivers/ata/ata_piix.c linux-2.6.35.5/drivers/ata/ata_piix.c
20742 --- linux-2.6.35.5/drivers/ata/ata_piix.c 2010-08-26 19:47:12.000000000 -0400
20743 +++ linux-2.6.35.5/drivers/ata/ata_piix.c 2010-09-17 20:12:09.000000000 -0400
20744 @@ -302,7 +302,7 @@ static const struct pci_device_id piix_p
20745 { 0x8086, 0x1c08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20746 /* SATA Controller IDE (CPT) */
20747 { 0x8086, 0x1c09, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20748 - { } /* terminate list */
20749 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20752 static struct pci_driver piix_pci_driver = {
20753 @@ -320,12 +320,12 @@ static struct scsi_host_template piix_sh
20754 ATA_BMDMA_SHT(DRV_NAME),
20757 -static struct ata_port_operations piix_sata_ops = {
20758 +static const struct ata_port_operations piix_sata_ops = {
20759 .inherits = &ata_bmdma32_port_ops,
20760 .sff_irq_check = piix_irq_check,
20763 -static struct ata_port_operations piix_pata_ops = {
20764 +static const struct ata_port_operations piix_pata_ops = {
20765 .inherits = &piix_sata_ops,
20766 .cable_detect = ata_cable_40wire,
20767 .set_piomode = piix_set_piomode,
20768 @@ -333,18 +333,18 @@ static struct ata_port_operations piix_p
20769 .prereset = piix_pata_prereset,
20772 -static struct ata_port_operations piix_vmw_ops = {
20773 +static const struct ata_port_operations piix_vmw_ops = {
20774 .inherits = &piix_pata_ops,
20775 .bmdma_status = piix_vmw_bmdma_status,
20778 -static struct ata_port_operations ich_pata_ops = {
20779 +static const struct ata_port_operations ich_pata_ops = {
20780 .inherits = &piix_pata_ops,
20781 .cable_detect = ich_pata_cable_detect,
20782 .set_dmamode = ich_set_dmamode,
20785 -static struct ata_port_operations piix_sidpr_sata_ops = {
20786 +static const struct ata_port_operations piix_sidpr_sata_ops = {
20787 .inherits = &piix_sata_ops,
20788 .hardreset = sata_std_hardreset,
20789 .scr_read = piix_sidpr_scr_read,
20790 @@ -620,7 +620,7 @@ static const struct ich_laptop ich_lapto
20791 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
20792 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
20799 @@ -1112,7 +1112,7 @@ static int piix_broken_suspend(void)
20803 - { } /* terminate list */
20804 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
20806 static const char *oemstrs[] = {
20808 diff -urNp linux-2.6.35.5/drivers/ata/libahci.c linux-2.6.35.5/drivers/ata/libahci.c
20809 --- linux-2.6.35.5/drivers/ata/libahci.c 2010-09-20 17:33:09.000000000 -0400
20810 +++ linux-2.6.35.5/drivers/ata/libahci.c 2010-09-20 17:33:32.000000000 -0400
20811 @@ -149,7 +149,7 @@ struct scsi_host_template ahci_sht = {
20813 EXPORT_SYMBOL_GPL(ahci_sht);
20815 -struct ata_port_operations ahci_ops = {
20816 +const struct ata_port_operations ahci_ops = {
20817 .inherits = &sata_pmp_port_ops,
20819 .qc_defer = ahci_pmp_qc_defer,
20820 diff -urNp linux-2.6.35.5/drivers/ata/libata-acpi.c linux-2.6.35.5/drivers/ata/libata-acpi.c
20821 --- linux-2.6.35.5/drivers/ata/libata-acpi.c 2010-08-26 19:47:12.000000000 -0400
20822 +++ linux-2.6.35.5/drivers/ata/libata-acpi.c 2010-09-17 20:12:09.000000000 -0400
20823 @@ -224,12 +224,12 @@ static void ata_acpi_dev_uevent(acpi_han
20824 ata_acpi_uevent(dev->link->ap, dev, event);
20827 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20828 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20829 .handler = ata_acpi_dev_notify_dock,
20830 .uevent = ata_acpi_dev_uevent,
20833 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20834 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20835 .handler = ata_acpi_ap_notify_dock,
20836 .uevent = ata_acpi_ap_uevent,
20838 diff -urNp linux-2.6.35.5/drivers/ata/libata-core.c linux-2.6.35.5/drivers/ata/libata-core.c
20839 --- linux-2.6.35.5/drivers/ata/libata-core.c 2010-09-20 17:33:09.000000000 -0400
20840 +++ linux-2.6.35.5/drivers/ata/libata-core.c 2010-09-20 17:33:32.000000000 -0400
20841 @@ -901,7 +901,7 @@ static const struct ata_xfer_ent {
20842 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
20843 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
20844 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
20850 @@ -3073,7 +3073,7 @@ static const struct ata_timing ata_timin
20851 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
20852 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
20855 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
20858 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
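Review bot: The new terminator `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }` has nine initializers, while the `XFER_UDMA_5` and `XFER_UDMA_6` rows just above it have ten. The last field is therefore still implicitly zeroed. If the point of spelling the terminator out is to initialize every field explicitly, as the other terminator changes in this patch do, it should read `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0 }`. Behaviour is the same either way, so this is a consistency fix only.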
20859 @@ -4323,7 +4323,7 @@ static const struct ata_blacklist_entry
20860 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
20864 + { NULL, NULL, 0 }
20867 static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
20868 @@ -5881,7 +5881,7 @@ static void ata_host_stop(struct device
20872 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
20873 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
20875 static DEFINE_SPINLOCK(lock);
20876 const struct ata_port_operations *cur;
20877 @@ -5893,6 +5893,7 @@ static void ata_finalize_port_ops(struct
20881 + pax_open_kernel();
20883 for (cur = ops->inherits; cur; cur = cur->inherits) {
20884 void **inherit = (void **)cur;
20885 @@ -5906,8 +5907,9 @@ static void ata_finalize_port_ops(struct
20889 - ops->inherits = NULL;
20890 + ((struct ata_port_operations *)ops)->inherits = NULL;
20892 + pax_close_kernel();
20893 spin_unlock(&lock);
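Review bot: The store `((struct ata_port_operations *)ops)->inherits = NULL;` writes through a pointer the new signature declares `const`, and neither this hunk nor the one adding `pax_open_kernel()` explains why that is legitimate. A short comment at the open call would make the intent reviewable: `/* ops tables are const; they are patched once here, inside the pax_open_kernel()/pax_close_kernel() window */`. In the visible lines the window opens after the lock is taken and closes before `spin_unlock(&lock)`, which is the right nesting. The code between the two hunks is not shown, so check that no return path leaves the function with the window still open. The inheritance loop also stores through `void **` pointers derived from `ops`, so the same comment covers those writes.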
20896 @@ -6004,7 +6006,7 @@ int ata_host_start(struct ata_host *host
20898 /* KILLME - the only user left is ipr */
20899 void ata_host_init(struct ata_host *host, struct device *dev,
20900 - unsigned long flags, struct ata_port_operations *ops)
20901 + unsigned long flags, const struct ata_port_operations *ops)
20903 spin_lock_init(&host->lock);
20905 @@ -6654,7 +6656,7 @@ static void ata_dummy_error_handler(stru
20909 -struct ata_port_operations ata_dummy_port_ops = {
20910 +const struct ata_port_operations ata_dummy_port_ops = {
20911 .qc_prep = ata_noop_qc_prep,
20912 .qc_issue = ata_dummy_qc_issue,
20913 .error_handler = ata_dummy_error_handler,
20914 diff -urNp linux-2.6.35.5/drivers/ata/libata-eh.c linux-2.6.35.5/drivers/ata/libata-eh.c
20915 --- linux-2.6.35.5/drivers/ata/libata-eh.c 2010-09-20 17:33:09.000000000 -0400
20916 +++ linux-2.6.35.5/drivers/ata/libata-eh.c 2010-09-20 17:33:32.000000000 -0400
20917 @@ -3684,7 +3684,7 @@ void ata_do_eh(struct ata_port *ap, ata_
20919 void ata_std_error_handler(struct ata_port *ap)
20921 - struct ata_port_operations *ops = ap->ops;
20922 + const struct ata_port_operations *ops = ap->ops;
20923 ata_reset_fn_t hardreset = ops->hardreset;
20925 /* ignore built-in hardreset if SCR access is not available */
20926 diff -urNp linux-2.6.35.5/drivers/ata/libata-pmp.c linux-2.6.35.5/drivers/ata/libata-pmp.c
20927 --- linux-2.6.35.5/drivers/ata/libata-pmp.c 2010-08-26 19:47:12.000000000 -0400
20928 +++ linux-2.6.35.5/drivers/ata/libata-pmp.c 2010-09-17 20:12:09.000000000 -0400
20929 @@ -868,7 +868,7 @@ static int sata_pmp_handle_link_fail(str
20931 static int sata_pmp_eh_recover(struct ata_port *ap)
20933 - struct ata_port_operations *ops = ap->ops;
20934 + const struct ata_port_operations *ops = ap->ops;
20935 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
20936 struct ata_link *pmp_link = &ap->link;
20937 struct ata_device *pmp_dev = pmp_link->device;
20938 diff -urNp linux-2.6.35.5/drivers/ata/pata_acpi.c linux-2.6.35.5/drivers/ata/pata_acpi.c
20939 --- linux-2.6.35.5/drivers/ata/pata_acpi.c 2010-08-26 19:47:12.000000000 -0400
20940 +++ linux-2.6.35.5/drivers/ata/pata_acpi.c 2010-09-17 20:12:09.000000000 -0400
20941 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
20942 ATA_BMDMA_SHT(DRV_NAME),
20945 -static struct ata_port_operations pacpi_ops = {
20946 +static const struct ata_port_operations pacpi_ops = {
20947 .inherits = &ata_bmdma_port_ops,
20948 .qc_issue = pacpi_qc_issue,
20949 .cable_detect = pacpi_cable_detect,
20950 diff -urNp linux-2.6.35.5/drivers/ata/pata_ali.c linux-2.6.35.5/drivers/ata/pata_ali.c
20951 --- linux-2.6.35.5/drivers/ata/pata_ali.c 2010-08-26 19:47:12.000000000 -0400
20952 +++ linux-2.6.35.5/drivers/ata/pata_ali.c 2010-09-17 20:12:09.000000000 -0400
20953 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
20954 * Port operations for PIO only ALi
20957 -static struct ata_port_operations ali_early_port_ops = {
20958 +static const struct ata_port_operations ali_early_port_ops = {
20959 .inherits = &ata_sff_port_ops,
20960 .cable_detect = ata_cable_40wire,
20961 .set_piomode = ali_set_piomode,
20962 @@ -380,7 +380,7 @@ static const struct ata_port_operations
20963 * Port operations for DMA capable ALi without cable
20966 -static struct ata_port_operations ali_20_port_ops = {
20967 +static const struct ata_port_operations ali_20_port_ops = {
20968 .inherits = &ali_dma_base_ops,
20969 .cable_detect = ata_cable_40wire,
20970 .mode_filter = ali_20_filter,
20971 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
20973 * Port operations for DMA capable ALi with cable detect
20975 -static struct ata_port_operations ali_c2_port_ops = {
20976 +static const struct ata_port_operations ali_c2_port_ops = {
20977 .inherits = &ali_dma_base_ops,
20978 .check_atapi_dma = ali_check_atapi_dma,
20979 .cable_detect = ali_c2_cable_detect,
20980 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
20982 * Port operations for DMA capable ALi with cable detect
20984 -static struct ata_port_operations ali_c4_port_ops = {
20985 +static const struct ata_port_operations ali_c4_port_ops = {
20986 .inherits = &ali_dma_base_ops,
20987 .check_atapi_dma = ali_check_atapi_dma,
20988 .cable_detect = ali_c2_cable_detect,
20989 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
20991 * Port operations for DMA capable ALi with cable detect and LBA48
20993 -static struct ata_port_operations ali_c5_port_ops = {
20994 +static const struct ata_port_operations ali_c5_port_ops = {
20995 .inherits = &ali_dma_base_ops,
20996 .check_atapi_dma = ali_check_atapi_dma,
20997 .dev_config = ali_warn_atapi_dma,
20998 diff -urNp linux-2.6.35.5/drivers/ata/pata_amd.c linux-2.6.35.5/drivers/ata/pata_amd.c
20999 --- linux-2.6.35.5/drivers/ata/pata_amd.c 2010-08-26 19:47:12.000000000 -0400
21000 +++ linux-2.6.35.5/drivers/ata/pata_amd.c 2010-09-17 20:12:09.000000000 -0400
21001 @@ -397,28 +397,28 @@ static const struct ata_port_operations
21002 .prereset = amd_pre_reset,
21005 -static struct ata_port_operations amd33_port_ops = {
21006 +static const struct ata_port_operations amd33_port_ops = {
21007 .inherits = &amd_base_port_ops,
21008 .cable_detect = ata_cable_40wire,
21009 .set_piomode = amd33_set_piomode,
21010 .set_dmamode = amd33_set_dmamode,
21013 -static struct ata_port_operations amd66_port_ops = {
21014 +static const struct ata_port_operations amd66_port_ops = {
21015 .inherits = &amd_base_port_ops,
21016 .cable_detect = ata_cable_unknown,
21017 .set_piomode = amd66_set_piomode,
21018 .set_dmamode = amd66_set_dmamode,
21021 -static struct ata_port_operations amd100_port_ops = {
21022 +static const struct ata_port_operations amd100_port_ops = {
21023 .inherits = &amd_base_port_ops,
21024 .cable_detect = ata_cable_unknown,
21025 .set_piomode = amd100_set_piomode,
21026 .set_dmamode = amd100_set_dmamode,
21029 -static struct ata_port_operations amd133_port_ops = {
21030 +static const struct ata_port_operations amd133_port_ops = {
21031 .inherits = &amd_base_port_ops,
21032 .cable_detect = amd_cable_detect,
21033 .set_piomode = amd133_set_piomode,
21034 @@ -433,13 +433,13 @@ static const struct ata_port_operations
21035 .host_stop = nv_host_stop,
21038 -static struct ata_port_operations nv100_port_ops = {
21039 +static const struct ata_port_operations nv100_port_ops = {
21040 .inherits = &nv_base_port_ops,
21041 .set_piomode = nv100_set_piomode,
21042 .set_dmamode = nv100_set_dmamode,
21045 -static struct ata_port_operations nv133_port_ops = {
21046 +static const struct ata_port_operations nv133_port_ops = {
21047 .inherits = &nv_base_port_ops,
21048 .set_piomode = nv133_set_piomode,
21049 .set_dmamode = nv133_set_dmamode,
21050 diff -urNp linux-2.6.35.5/drivers/ata/pata_artop.c linux-2.6.35.5/drivers/ata/pata_artop.c
21051 --- linux-2.6.35.5/drivers/ata/pata_artop.c 2010-08-26 19:47:12.000000000 -0400
21052 +++ linux-2.6.35.5/drivers/ata/pata_artop.c 2010-09-17 20:12:09.000000000 -0400
21053 @@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
21054 ATA_BMDMA_SHT(DRV_NAME),
21057 -static struct ata_port_operations artop6210_ops = {
21058 +static const struct ata_port_operations artop6210_ops = {
21059 .inherits = &ata_bmdma_port_ops,
21060 .cable_detect = ata_cable_40wire,
21061 .set_piomode = artop6210_set_piomode,
21062 @@ -320,7 +320,7 @@ static struct ata_port_operations artop6
21063 .qc_defer = artop6210_qc_defer,
21066 -static struct ata_port_operations artop6260_ops = {
21067 +static const struct ata_port_operations artop6260_ops = {
21068 .inherits = &ata_bmdma_port_ops,
21069 .cable_detect = artop6260_cable_detect,
21070 .set_piomode = artop6260_set_piomode,
21071 diff -urNp linux-2.6.35.5/drivers/ata/pata_at32.c linux-2.6.35.5/drivers/ata/pata_at32.c
21072 --- linux-2.6.35.5/drivers/ata/pata_at32.c 2010-08-26 19:47:12.000000000 -0400
21073 +++ linux-2.6.35.5/drivers/ata/pata_at32.c 2010-09-17 20:12:09.000000000 -0400
21074 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
21075 ATA_PIO_SHT(DRV_NAME),
21078 -static struct ata_port_operations at32_port_ops = {
21079 +static const struct ata_port_operations at32_port_ops = {
21080 .inherits = &ata_sff_port_ops,
21081 .cable_detect = ata_cable_40wire,
21082 .set_piomode = pata_at32_set_piomode,
21083 diff -urNp linux-2.6.35.5/drivers/ata/pata_at91.c linux-2.6.35.5/drivers/ata/pata_at91.c
21084 --- linux-2.6.35.5/drivers/ata/pata_at91.c 2010-08-26 19:47:12.000000000 -0400
21085 +++ linux-2.6.35.5/drivers/ata/pata_at91.c 2010-09-17 20:12:09.000000000 -0400
21086 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
21087 ATA_PIO_SHT(DRV_NAME),
21090 -static struct ata_port_operations pata_at91_port_ops = {
21091 +static const struct ata_port_operations pata_at91_port_ops = {
21092 .inherits = &ata_sff_port_ops,
21094 .sff_data_xfer = pata_at91_data_xfer_noirq,
21095 diff -urNp linux-2.6.35.5/drivers/ata/pata_atiixp.c linux-2.6.35.5/drivers/ata/pata_atiixp.c
21096 --- linux-2.6.35.5/drivers/ata/pata_atiixp.c 2010-08-26 19:47:12.000000000 -0400
21097 +++ linux-2.6.35.5/drivers/ata/pata_atiixp.c 2010-09-17 20:12:09.000000000 -0400
21098 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
21099 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21102 -static struct ata_port_operations atiixp_port_ops = {
21103 +static const struct ata_port_operations atiixp_port_ops = {
21104 .inherits = &ata_bmdma_port_ops,
21106 .qc_prep = ata_bmdma_dumb_qc_prep,
21107 diff -urNp linux-2.6.35.5/drivers/ata/pata_atp867x.c linux-2.6.35.5/drivers/ata/pata_atp867x.c
21108 --- linux-2.6.35.5/drivers/ata/pata_atp867x.c 2010-08-26 19:47:12.000000000 -0400
21109 +++ linux-2.6.35.5/drivers/ata/pata_atp867x.c 2010-09-17 20:12:09.000000000 -0400
21110 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
21111 ATA_BMDMA_SHT(DRV_NAME),
21114 -static struct ata_port_operations atp867x_ops = {
21115 +static const struct ata_port_operations atp867x_ops = {
21116 .inherits = &ata_bmdma_port_ops,
21117 .cable_detect = atp867x_cable_detect,
21118 .set_piomode = atp867x_set_piomode,
21119 diff -urNp linux-2.6.35.5/drivers/ata/pata_bf54x.c linux-2.6.35.5/drivers/ata/pata_bf54x.c
21120 --- linux-2.6.35.5/drivers/ata/pata_bf54x.c 2010-08-26 19:47:12.000000000 -0400
21121 +++ linux-2.6.35.5/drivers/ata/pata_bf54x.c 2010-09-17 20:12:09.000000000 -0400
21122 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
21123 .dma_boundary = ATA_DMA_BOUNDARY,
21126 -static struct ata_port_operations bfin_pata_ops = {
21127 +static const struct ata_port_operations bfin_pata_ops = {
21128 .inherits = &ata_bmdma_port_ops,
21130 .set_piomode = bfin_set_piomode,
21131 diff -urNp linux-2.6.35.5/drivers/ata/pata_cmd640.c linux-2.6.35.5/drivers/ata/pata_cmd640.c
21132 --- linux-2.6.35.5/drivers/ata/pata_cmd640.c 2010-08-26 19:47:12.000000000 -0400
21133 +++ linux-2.6.35.5/drivers/ata/pata_cmd640.c 2010-09-17 20:12:09.000000000 -0400
21134 @@ -165,7 +165,7 @@ static struct scsi_host_template cmd640_
21135 ATA_PIO_SHT(DRV_NAME),
21138 -static struct ata_port_operations cmd640_port_ops = {
21139 +static const struct ata_port_operations cmd640_port_ops = {
21140 .inherits = &ata_sff_port_ops,
21141 /* In theory xfer_noirq is not needed once we kill the prefetcher */
21142 .sff_data_xfer = ata_sff_data_xfer_noirq,
21143 diff -urNp linux-2.6.35.5/drivers/ata/pata_cmd64x.c linux-2.6.35.5/drivers/ata/pata_cmd64x.c
21144 --- linux-2.6.35.5/drivers/ata/pata_cmd64x.c 2010-09-20 17:33:09.000000000 -0400
21145 +++ linux-2.6.35.5/drivers/ata/pata_cmd64x.c 2010-09-20 17:33:32.000000000 -0400
21146 @@ -268,18 +268,18 @@ static const struct ata_port_operations
21147 .set_dmamode = cmd64x_set_dmamode,
21150 -static struct ata_port_operations cmd64x_port_ops = {
21151 +static const struct ata_port_operations cmd64x_port_ops = {
21152 .inherits = &cmd64x_base_ops,
21153 .cable_detect = ata_cable_40wire,
21156 -static struct ata_port_operations cmd646r1_port_ops = {
21157 +static const struct ata_port_operations cmd646r1_port_ops = {
21158 .inherits = &cmd64x_base_ops,
21159 .bmdma_stop = cmd646r1_bmdma_stop,
21160 .cable_detect = ata_cable_40wire,
21163 -static struct ata_port_operations cmd648_port_ops = {
21164 +static const struct ata_port_operations cmd648_port_ops = {
21165 .inherits = &cmd64x_base_ops,
21166 .bmdma_stop = cmd648_bmdma_stop,
21167 .cable_detect = cmd648_cable_detect,
21168 diff -urNp linux-2.6.35.5/drivers/ata/pata_cs5520.c linux-2.6.35.5/drivers/ata/pata_cs5520.c
21169 --- linux-2.6.35.5/drivers/ata/pata_cs5520.c 2010-08-26 19:47:12.000000000 -0400
21170 +++ linux-2.6.35.5/drivers/ata/pata_cs5520.c 2010-09-17 20:12:09.000000000 -0400
21171 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
21172 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21175 -static struct ata_port_operations cs5520_port_ops = {
21176 +static const struct ata_port_operations cs5520_port_ops = {
21177 .inherits = &ata_bmdma_port_ops,
21178 .qc_prep = ata_bmdma_dumb_qc_prep,
21179 .cable_detect = ata_cable_40wire,
21180 diff -urNp linux-2.6.35.5/drivers/ata/pata_cs5530.c linux-2.6.35.5/drivers/ata/pata_cs5530.c
21181 --- linux-2.6.35.5/drivers/ata/pata_cs5530.c 2010-08-26 19:47:12.000000000 -0400
21182 +++ linux-2.6.35.5/drivers/ata/pata_cs5530.c 2010-09-17 20:12:09.000000000 -0400
21183 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
21184 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21187 -static struct ata_port_operations cs5530_port_ops = {
21188 +static const struct ata_port_operations cs5530_port_ops = {
21189 .inherits = &ata_bmdma_port_ops,
21191 .qc_prep = ata_bmdma_dumb_qc_prep,
21192 diff -urNp linux-2.6.35.5/drivers/ata/pata_cs5535.c linux-2.6.35.5/drivers/ata/pata_cs5535.c
21193 --- linux-2.6.35.5/drivers/ata/pata_cs5535.c 2010-08-26 19:47:12.000000000 -0400
21194 +++ linux-2.6.35.5/drivers/ata/pata_cs5535.c 2010-09-17 20:12:09.000000000 -0400
21195 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
21196 ATA_BMDMA_SHT(DRV_NAME),
21199 -static struct ata_port_operations cs5535_port_ops = {
21200 +static const struct ata_port_operations cs5535_port_ops = {
21201 .inherits = &ata_bmdma_port_ops,
21202 .cable_detect = cs5535_cable_detect,
21203 .set_piomode = cs5535_set_piomode,
21204 diff -urNp linux-2.6.35.5/drivers/ata/pata_cs5536.c linux-2.6.35.5/drivers/ata/pata_cs5536.c
21205 --- linux-2.6.35.5/drivers/ata/pata_cs5536.c 2010-08-26 19:47:12.000000000 -0400
21206 +++ linux-2.6.35.5/drivers/ata/pata_cs5536.c 2010-09-17 20:12:09.000000000 -0400
21207 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
21208 ATA_BMDMA_SHT(DRV_NAME),
21211 -static struct ata_port_operations cs5536_port_ops = {
21212 +static const struct ata_port_operations cs5536_port_ops = {
21213 .inherits = &ata_bmdma32_port_ops,
21214 .cable_detect = cs5536_cable_detect,
21215 .set_piomode = cs5536_set_piomode,
21216 diff -urNp linux-2.6.35.5/drivers/ata/pata_cypress.c linux-2.6.35.5/drivers/ata/pata_cypress.c
21217 --- linux-2.6.35.5/drivers/ata/pata_cypress.c 2010-08-26 19:47:12.000000000 -0400
21218 +++ linux-2.6.35.5/drivers/ata/pata_cypress.c 2010-09-17 20:12:09.000000000 -0400
21219 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
21220 ATA_BMDMA_SHT(DRV_NAME),
21223 -static struct ata_port_operations cy82c693_port_ops = {
21224 +static const struct ata_port_operations cy82c693_port_ops = {
21225 .inherits = &ata_bmdma_port_ops,
21226 .cable_detect = ata_cable_40wire,
21227 .set_piomode = cy82c693_set_piomode,
21228 diff -urNp linux-2.6.35.5/drivers/ata/pata_efar.c linux-2.6.35.5/drivers/ata/pata_efar.c
21229 --- linux-2.6.35.5/drivers/ata/pata_efar.c 2010-08-26 19:47:12.000000000 -0400
21230 +++ linux-2.6.35.5/drivers/ata/pata_efar.c 2010-09-17 20:12:09.000000000 -0400
21231 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
21232 ATA_BMDMA_SHT(DRV_NAME),
21235 -static struct ata_port_operations efar_ops = {
21236 +static const struct ata_port_operations efar_ops = {
21237 .inherits = &ata_bmdma_port_ops,
21238 .cable_detect = efar_cable_detect,
21239 .set_piomode = efar_set_piomode,
21240 diff -urNp linux-2.6.35.5/drivers/ata/pata_hpt366.c linux-2.6.35.5/drivers/ata/pata_hpt366.c
21241 --- linux-2.6.35.5/drivers/ata/pata_hpt366.c 2010-08-26 19:47:12.000000000 -0400
21242 +++ linux-2.6.35.5/drivers/ata/pata_hpt366.c 2010-09-17 20:12:09.000000000 -0400
21243 @@ -269,7 +269,7 @@ static struct scsi_host_template hpt36x_
21244 * Configuration for HPT366/68
21247 -static struct ata_port_operations hpt366_port_ops = {
21248 +static const struct ata_port_operations hpt366_port_ops = {
21249 .inherits = &ata_bmdma_port_ops,
21250 .cable_detect = hpt36x_cable_detect,
21251 .mode_filter = hpt366_filter,
21252 diff -urNp linux-2.6.35.5/drivers/ata/pata_hpt37x.c linux-2.6.35.5/drivers/ata/pata_hpt37x.c
21253 --- linux-2.6.35.5/drivers/ata/pata_hpt37x.c 2010-08-26 19:47:12.000000000 -0400
21254 +++ linux-2.6.35.5/drivers/ata/pata_hpt37x.c 2010-09-17 20:12:09.000000000 -0400
21255 @@ -564,7 +564,7 @@ static struct scsi_host_template hpt37x_
21256 * Configuration for HPT370
21259 -static struct ata_port_operations hpt370_port_ops = {
21260 +static const struct ata_port_operations hpt370_port_ops = {
21261 .inherits = &ata_bmdma_port_ops,
21263 .bmdma_stop = hpt370_bmdma_stop,
21264 @@ -580,7 +580,7 @@ static struct ata_port_operations hpt370
21265 * Configuration for HPT370A. Close to 370 but less filters
21268 -static struct ata_port_operations hpt370a_port_ops = {
21269 +static const struct ata_port_operations hpt370a_port_ops = {
21270 .inherits = &hpt370_port_ops,
21271 .mode_filter = hpt370a_filter,
21273 @@ -590,7 +590,7 @@ static struct ata_port_operations hpt370
21274 * and DMA mode setting functionality.
21277 -static struct ata_port_operations hpt372_port_ops = {
21278 +static const struct ata_port_operations hpt372_port_ops = {
21279 .inherits = &ata_bmdma_port_ops,
21281 .bmdma_stop = hpt37x_bmdma_stop,
21282 @@ -606,7 +606,7 @@ static struct ata_port_operations hpt372
21283 * but we have a different cable detection procedure for function 1.
21286 -static struct ata_port_operations hpt374_fn1_port_ops = {
21287 +static const struct ata_port_operations hpt374_fn1_port_ops = {
21288 .inherits = &hpt372_port_ops,
21289 .cable_detect = hpt374_fn1_cable_detect,
21290 .prereset = hpt37x_pre_reset,
21291 diff -urNp linux-2.6.35.5/drivers/ata/pata_hpt3x2n.c linux-2.6.35.5/drivers/ata/pata_hpt3x2n.c
21292 --- linux-2.6.35.5/drivers/ata/pata_hpt3x2n.c 2010-08-26 19:47:12.000000000 -0400
21293 +++ linux-2.6.35.5/drivers/ata/pata_hpt3x2n.c 2010-09-17 20:12:09.000000000 -0400
21294 @@ -331,7 +331,7 @@ static struct scsi_host_template hpt3x2n
21295 * Configuration for HPT3x2n.
21298 -static struct ata_port_operations hpt3x2n_port_ops = {
21299 +static const struct ata_port_operations hpt3x2n_port_ops = {
21300 .inherits = &ata_bmdma_port_ops,
21302 .bmdma_stop = hpt3x2n_bmdma_stop,
21303 diff -urNp linux-2.6.35.5/drivers/ata/pata_hpt3x3.c linux-2.6.35.5/drivers/ata/pata_hpt3x3.c
21304 --- linux-2.6.35.5/drivers/ata/pata_hpt3x3.c 2010-08-26 19:47:12.000000000 -0400
21305 +++ linux-2.6.35.5/drivers/ata/pata_hpt3x3.c 2010-09-17 20:12:09.000000000 -0400
21306 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
21307 ATA_BMDMA_SHT(DRV_NAME),
21310 -static struct ata_port_operations hpt3x3_port_ops = {
21311 +static const struct ata_port_operations hpt3x3_port_ops = {
21312 .inherits = &ata_bmdma_port_ops,
21313 .cable_detect = ata_cable_40wire,
21314 .set_piomode = hpt3x3_set_piomode,
21315 diff -urNp linux-2.6.35.5/drivers/ata/pata_icside.c linux-2.6.35.5/drivers/ata/pata_icside.c
21316 --- linux-2.6.35.5/drivers/ata/pata_icside.c 2010-08-26 19:47:12.000000000 -0400
21317 +++ linux-2.6.35.5/drivers/ata/pata_icside.c 2010-09-17 20:12:09.000000000 -0400
21318 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
21322 -static struct ata_port_operations pata_icside_port_ops = {
21323 +static const struct ata_port_operations pata_icside_port_ops = {
21324 .inherits = &ata_bmdma_port_ops,
21325 /* no need to build any PRD tables for DMA */
21326 .qc_prep = ata_noop_qc_prep,
21327 diff -urNp linux-2.6.35.5/drivers/ata/pata_isapnp.c linux-2.6.35.5/drivers/ata/pata_isapnp.c
21328 --- linux-2.6.35.5/drivers/ata/pata_isapnp.c 2010-08-26 19:47:12.000000000 -0400
21329 +++ linux-2.6.35.5/drivers/ata/pata_isapnp.c 2010-09-17 20:12:09.000000000 -0400
21330 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
21331 ATA_PIO_SHT(DRV_NAME),
21334 -static struct ata_port_operations isapnp_port_ops = {
21335 +static const struct ata_port_operations isapnp_port_ops = {
21336 .inherits = &ata_sff_port_ops,
21337 .cable_detect = ata_cable_40wire,
21340 -static struct ata_port_operations isapnp_noalt_port_ops = {
21341 +static const struct ata_port_operations isapnp_noalt_port_ops = {
21342 .inherits = &ata_sff_port_ops,
21343 .cable_detect = ata_cable_40wire,
21344 /* No altstatus so we don't want to use the lost interrupt poll */
21345 diff -urNp linux-2.6.35.5/drivers/ata/pata_it8213.c linux-2.6.35.5/drivers/ata/pata_it8213.c
21346 --- linux-2.6.35.5/drivers/ata/pata_it8213.c 2010-08-26 19:47:12.000000000 -0400
21347 +++ linux-2.6.35.5/drivers/ata/pata_it8213.c 2010-09-17 20:12:09.000000000 -0400
21348 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
21352 -static struct ata_port_operations it8213_ops = {
21353 +static const struct ata_port_operations it8213_ops = {
21354 .inherits = &ata_bmdma_port_ops,
21355 .cable_detect = it8213_cable_detect,
21356 .set_piomode = it8213_set_piomode,
21357 diff -urNp linux-2.6.35.5/drivers/ata/pata_it821x.c linux-2.6.35.5/drivers/ata/pata_it821x.c
21358 --- linux-2.6.35.5/drivers/ata/pata_it821x.c 2010-08-26 19:47:12.000000000 -0400
21359 +++ linux-2.6.35.5/drivers/ata/pata_it821x.c 2010-09-17 20:12:09.000000000 -0400
21360 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
21361 ATA_BMDMA_SHT(DRV_NAME),
21364 -static struct ata_port_operations it821x_smart_port_ops = {
21365 +static const struct ata_port_operations it821x_smart_port_ops = {
21366 .inherits = &ata_bmdma_port_ops,
21368 .check_atapi_dma= it821x_check_atapi_dma,
21369 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
21370 .port_start = it821x_port_start,
21373 -static struct ata_port_operations it821x_passthru_port_ops = {
21374 +static const struct ata_port_operations it821x_passthru_port_ops = {
21375 .inherits = &ata_bmdma_port_ops,
21377 .check_atapi_dma= it821x_check_atapi_dma,
21378 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
21379 .port_start = it821x_port_start,
21382 -static struct ata_port_operations it821x_rdc_port_ops = {
21383 +static const struct ata_port_operations it821x_rdc_port_ops = {
21384 .inherits = &ata_bmdma_port_ops,
21386 .check_atapi_dma= it821x_check_atapi_dma,
21387 diff -urNp linux-2.6.35.5/drivers/ata/pata_ixp4xx_cf.c linux-2.6.35.5/drivers/ata/pata_ixp4xx_cf.c
21388 --- linux-2.6.35.5/drivers/ata/pata_ixp4xx_cf.c 2010-08-26 19:47:12.000000000 -0400
21389 +++ linux-2.6.35.5/drivers/ata/pata_ixp4xx_cf.c 2010-09-17 20:12:09.000000000 -0400
21390 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
21391 ATA_PIO_SHT(DRV_NAME),
21394 -static struct ata_port_operations ixp4xx_port_ops = {
21395 +static const struct ata_port_operations ixp4xx_port_ops = {
21396 .inherits = &ata_sff_port_ops,
21397 .sff_data_xfer = ixp4xx_mmio_data_xfer,
21398 .cable_detect = ata_cable_40wire,
21399 diff -urNp linux-2.6.35.5/drivers/ata/pata_jmicron.c linux-2.6.35.5/drivers/ata/pata_jmicron.c
21400 --- linux-2.6.35.5/drivers/ata/pata_jmicron.c 2010-08-26 19:47:12.000000000 -0400
21401 +++ linux-2.6.35.5/drivers/ata/pata_jmicron.c 2010-09-17 20:12:09.000000000 -0400
21402 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
21403 ATA_BMDMA_SHT(DRV_NAME),
21406 -static struct ata_port_operations jmicron_ops = {
21407 +static const struct ata_port_operations jmicron_ops = {
21408 .inherits = &ata_bmdma_port_ops,
21409 .prereset = jmicron_pre_reset,
21411 diff -urNp linux-2.6.35.5/drivers/ata/pata_legacy.c linux-2.6.35.5/drivers/ata/pata_legacy.c
21412 --- linux-2.6.35.5/drivers/ata/pata_legacy.c 2010-08-26 19:47:12.000000000 -0400
21413 +++ linux-2.6.35.5/drivers/ata/pata_legacy.c 2010-09-17 20:12:09.000000000 -0400
21414 @@ -113,7 +113,7 @@ struct legacy_probe {
21416 struct legacy_controller {
21418 - struct ata_port_operations *ops;
21419 + const struct ata_port_operations *ops;
21420 unsigned int pio_mask;
21421 unsigned int flags;
21422 unsigned int pflags;
21423 @@ -230,12 +230,12 @@ static const struct ata_port_operations
21424 * pio_mask as well.
21427 -static struct ata_port_operations simple_port_ops = {
21428 +static const struct ata_port_operations simple_port_ops = {
21429 .inherits = &legacy_base_port_ops,
21430 .sff_data_xfer = ata_sff_data_xfer_noirq,
21433 -static struct ata_port_operations legacy_port_ops = {
21434 +static const struct ata_port_operations legacy_port_ops = {
21435 .inherits = &legacy_base_port_ops,
21436 .sff_data_xfer = ata_sff_data_xfer_noirq,
21437 .set_mode = legacy_set_mode,
21438 @@ -331,7 +331,7 @@ static unsigned int pdc_data_xfer_vlb(st
21442 -static struct ata_port_operations pdc20230_port_ops = {
21443 +static const struct ata_port_operations pdc20230_port_ops = {
21444 .inherits = &legacy_base_port_ops,
21445 .set_piomode = pdc20230_set_piomode,
21446 .sff_data_xfer = pdc_data_xfer_vlb,
21447 @@ -364,7 +364,7 @@ static void ht6560a_set_piomode(struct a
21448 ioread8(ap->ioaddr.status_addr);
21451 -static struct ata_port_operations ht6560a_port_ops = {
21452 +static const struct ata_port_operations ht6560a_port_ops = {
21453 .inherits = &legacy_base_port_ops,
21454 .set_piomode = ht6560a_set_piomode,
21456 @@ -407,7 +407,7 @@ static void ht6560b_set_piomode(struct a
21457 ioread8(ap->ioaddr.status_addr);
21460 -static struct ata_port_operations ht6560b_port_ops = {
21461 +static const struct ata_port_operations ht6560b_port_ops = {
21462 .inherits = &legacy_base_port_ops,
21463 .set_piomode = ht6560b_set_piomode,
21465 @@ -506,7 +506,7 @@ static void opti82c611a_set_piomode(stru
21469 -static struct ata_port_operations opti82c611a_port_ops = {
21470 +static const struct ata_port_operations opti82c611a_port_ops = {
21471 .inherits = &legacy_base_port_ops,
21472 .set_piomode = opti82c611a_set_piomode,
21474 @@ -616,7 +616,7 @@ static unsigned int opti82c46x_qc_issue(
21475 return ata_sff_qc_issue(qc);
21478 -static struct ata_port_operations opti82c46x_port_ops = {
21479 +static const struct ata_port_operations opti82c46x_port_ops = {
21480 .inherits = &legacy_base_port_ops,
21481 .set_piomode = opti82c46x_set_piomode,
21482 .qc_issue = opti82c46x_qc_issue,
21483 @@ -778,20 +778,20 @@ static int qdi_port(struct platform_devi
21487 -static struct ata_port_operations qdi6500_port_ops = {
21488 +static const struct ata_port_operations qdi6500_port_ops = {
21489 .inherits = &legacy_base_port_ops,
21490 .set_piomode = qdi6500_set_piomode,
21491 .qc_issue = qdi_qc_issue,
21492 .sff_data_xfer = vlb32_data_xfer,
21495 -static struct ata_port_operations qdi6580_port_ops = {
21496 +static const struct ata_port_operations qdi6580_port_ops = {
21497 .inherits = &legacy_base_port_ops,
21498 .set_piomode = qdi6580_set_piomode,
21499 .sff_data_xfer = vlb32_data_xfer,
21502 -static struct ata_port_operations qdi6580dp_port_ops = {
21503 +static const struct ata_port_operations qdi6580dp_port_ops = {
21504 .inherits = &legacy_base_port_ops,
21505 .set_piomode = qdi6580dp_set_piomode,
21506 .qc_issue = qdi_qc_issue,
21507 @@ -863,7 +863,7 @@ static int winbond_port(struct platform_
21511 -static struct ata_port_operations winbond_port_ops = {
21512 +static const struct ata_port_operations winbond_port_ops = {
21513 .inherits = &legacy_base_port_ops,
21514 .set_piomode = winbond_set_piomode,
21515 .sff_data_xfer = vlb32_data_xfer,
21516 @@ -986,7 +986,7 @@ static __init int legacy_init_one(struct
21517 int pio_modes = controller->pio_mask;
21518 unsigned long io = probe->port;
21519 u32 mask = (1 << probe->slot);
21520 - struct ata_port_operations *ops = controller->ops;
21521 + const struct ata_port_operations *ops = controller->ops;
21522 struct legacy_data *ld = &legacy_data[probe->slot];
21523 struct ata_host *host = NULL;
21524 struct ata_port *ap;
21525 diff -urNp linux-2.6.35.5/drivers/ata/pata_macio.c linux-2.6.35.5/drivers/ata/pata_macio.c
21526 --- linux-2.6.35.5/drivers/ata/pata_macio.c 2010-08-26 19:47:12.000000000 -0400
21527 +++ linux-2.6.35.5/drivers/ata/pata_macio.c 2010-09-17 20:12:09.000000000 -0400
21528 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
21529 .slave_configure = pata_macio_slave_config,
21532 -static struct ata_port_operations pata_macio_ops = {
21533 +static const struct ata_port_operations pata_macio_ops = {
21534 .inherits = &ata_bmdma_port_ops,
21536 .freeze = pata_macio_freeze,
21537 .set_piomode = pata_macio_set_timings,
21538 .set_dmamode = pata_macio_set_timings,
21539 diff -urNp linux-2.6.35.5/drivers/ata/pata_marvell.c linux-2.6.35.5/drivers/ata/pata_marvell.c
21540 --- linux-2.6.35.5/drivers/ata/pata_marvell.c 2010-08-26 19:47:12.000000000 -0400
21541 +++ linux-2.6.35.5/drivers/ata/pata_marvell.c 2010-09-17 20:12:09.000000000 -0400
21542 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
21543 ATA_BMDMA_SHT(DRV_NAME),
21546 -static struct ata_port_operations marvell_ops = {
21547 +static const struct ata_port_operations marvell_ops = {
21548 .inherits = &ata_bmdma_port_ops,
21549 .cable_detect = marvell_cable_detect,
21550 .prereset = marvell_pre_reset,
21551 diff -urNp linux-2.6.35.5/drivers/ata/pata_mpc52xx.c linux-2.6.35.5/drivers/ata/pata_mpc52xx.c
21552 --- linux-2.6.35.5/drivers/ata/pata_mpc52xx.c 2010-08-26 19:47:12.000000000 -0400
21553 +++ linux-2.6.35.5/drivers/ata/pata_mpc52xx.c 2010-09-17 20:12:09.000000000 -0400
21554 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
21555 ATA_PIO_SHT(DRV_NAME),
21558 -static struct ata_port_operations mpc52xx_ata_port_ops = {
21559 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
21560 .inherits = &ata_sff_port_ops,
21561 .sff_dev_select = mpc52xx_ata_dev_select,
21562 .set_piomode = mpc52xx_ata_set_piomode,
21563 diff -urNp linux-2.6.35.5/drivers/ata/pata_mpiix.c linux-2.6.35.5/drivers/ata/pata_mpiix.c
21564 --- linux-2.6.35.5/drivers/ata/pata_mpiix.c 2010-08-26 19:47:12.000000000 -0400
21565 +++ linux-2.6.35.5/drivers/ata/pata_mpiix.c 2010-09-17 20:12:09.000000000 -0400
21566 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
21567 ATA_PIO_SHT(DRV_NAME),
21570 -static struct ata_port_operations mpiix_port_ops = {
21571 +static const struct ata_port_operations mpiix_port_ops = {
21572 .inherits = &ata_sff_port_ops,
21573 .qc_issue = mpiix_qc_issue,
21574 .cable_detect = ata_cable_40wire,
21575 diff -urNp linux-2.6.35.5/drivers/ata/pata_netcell.c linux-2.6.35.5/drivers/ata/pata_netcell.c
21576 --- linux-2.6.35.5/drivers/ata/pata_netcell.c 2010-08-26 19:47:12.000000000 -0400
21577 +++ linux-2.6.35.5/drivers/ata/pata_netcell.c 2010-09-17 20:12:09.000000000 -0400
21578 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
21579 ATA_BMDMA_SHT(DRV_NAME),
21582 -static struct ata_port_operations netcell_ops = {
21583 +static const struct ata_port_operations netcell_ops = {
21584 .inherits = &ata_bmdma_port_ops,
21585 .cable_detect = ata_cable_80wire,
21586 .read_id = netcell_read_id,
21587 diff -urNp linux-2.6.35.5/drivers/ata/pata_ninja32.c linux-2.6.35.5/drivers/ata/pata_ninja32.c
21588 --- linux-2.6.35.5/drivers/ata/pata_ninja32.c 2010-08-26 19:47:12.000000000 -0400
21589 +++ linux-2.6.35.5/drivers/ata/pata_ninja32.c 2010-09-17 20:12:09.000000000 -0400
21590 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
21591 ATA_BMDMA_SHT(DRV_NAME),
21594 -static struct ata_port_operations ninja32_port_ops = {
21595 +static const struct ata_port_operations ninja32_port_ops = {
21596 .inherits = &ata_bmdma_port_ops,
21597 .sff_dev_select = ninja32_dev_select,
21598 .cable_detect = ata_cable_40wire,
21599 diff -urNp linux-2.6.35.5/drivers/ata/pata_ns87410.c linux-2.6.35.5/drivers/ata/pata_ns87410.c
21600 --- linux-2.6.35.5/drivers/ata/pata_ns87410.c 2010-08-26 19:47:12.000000000 -0400
21601 +++ linux-2.6.35.5/drivers/ata/pata_ns87410.c 2010-09-17 20:12:09.000000000 -0400
21602 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
21603 ATA_PIO_SHT(DRV_NAME),
21606 -static struct ata_port_operations ns87410_port_ops = {
21607 +static const struct ata_port_operations ns87410_port_ops = {
21608 .inherits = &ata_sff_port_ops,
21609 .qc_issue = ns87410_qc_issue,
21610 .cable_detect = ata_cable_40wire,
21611 diff -urNp linux-2.6.35.5/drivers/ata/pata_ns87415.c linux-2.6.35.5/drivers/ata/pata_ns87415.c
21612 --- linux-2.6.35.5/drivers/ata/pata_ns87415.c 2010-08-26 19:47:12.000000000 -0400
21613 +++ linux-2.6.35.5/drivers/ata/pata_ns87415.c 2010-09-17 20:12:09.000000000 -0400
21614 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
21616 #endif /* 87560 SuperIO Support */
21618 -static struct ata_port_operations ns87415_pata_ops = {
21619 +static const struct ata_port_operations ns87415_pata_ops = {
21620 .inherits = &ata_bmdma_port_ops,
21622 .check_atapi_dma = ns87415_check_atapi_dma,
21623 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
21626 #if defined(CONFIG_SUPERIO)
21627 -static struct ata_port_operations ns87560_pata_ops = {
21628 +static const struct ata_port_operations ns87560_pata_ops = {
21629 .inherits = &ns87415_pata_ops,
21630 .sff_tf_read = ns87560_tf_read,
21631 .sff_check_status = ns87560_check_status,
21632 diff -urNp linux-2.6.35.5/drivers/ata/pata_octeon_cf.c linux-2.6.35.5/drivers/ata/pata_octeon_cf.c
21633 --- linux-2.6.35.5/drivers/ata/pata_octeon_cf.c 2010-08-26 19:47:12.000000000 -0400
21634 +++ linux-2.6.35.5/drivers/ata/pata_octeon_cf.c 2010-09-17 20:12:09.000000000 -0400
21635 @@ -782,6 +782,7 @@ static unsigned int octeon_cf_qc_issue(s
21639 +/* cannot be const */
21640 static struct ata_port_operations octeon_cf_ops = {
21641 .inherits = &ata_sff_port_ops,
21642 .check_atapi_dma = octeon_cf_check_atapi_dma,
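Review bot: The added comment `/* cannot be const */` on `octeon_cf_ops` gives no reason, so this one table of function pointers stays writable with no recorded justification. Presumably the driver assigns members of the table at probe time (not visible in this hunk, so confirm against the probe function); if so, the comment should say it, e.g. `/* cannot be const: members are assigned at probe time */`. The rest of the series moves these tables into read-only data, so this exception is worth stating precisely. A longer-term alternative would be two const tables with the probe path choosing between them. The initializer continues past the end of the hunk.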
21643 diff -urNp linux-2.6.35.5/drivers/ata/pata_oldpiix.c linux-2.6.35.5/drivers/ata/pata_oldpiix.c
21644 --- linux-2.6.35.5/drivers/ata/pata_oldpiix.c 2010-08-26 19:47:12.000000000 -0400
21645 +++ linux-2.6.35.5/drivers/ata/pata_oldpiix.c 2010-09-17 20:12:09.000000000 -0400
21646 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
21647 ATA_BMDMA_SHT(DRV_NAME),
21650 -static struct ata_port_operations oldpiix_pata_ops = {
21651 +static const struct ata_port_operations oldpiix_pata_ops = {
21652 .inherits = &ata_bmdma_port_ops,
21653 .qc_issue = oldpiix_qc_issue,
21654 .cable_detect = ata_cable_40wire,
21655 diff -urNp linux-2.6.35.5/drivers/ata/pata_opti.c linux-2.6.35.5/drivers/ata/pata_opti.c
21656 --- linux-2.6.35.5/drivers/ata/pata_opti.c 2010-08-26 19:47:12.000000000 -0400
21657 +++ linux-2.6.35.5/drivers/ata/pata_opti.c 2010-09-17 20:12:09.000000000 -0400
21658 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
21659 ATA_PIO_SHT(DRV_NAME),
21662 -static struct ata_port_operations opti_port_ops = {
21663 +static const struct ata_port_operations opti_port_ops = {
21664 .inherits = &ata_sff_port_ops,
21665 .cable_detect = ata_cable_40wire,
21666 .set_piomode = opti_set_piomode,
21667 diff -urNp linux-2.6.35.5/drivers/ata/pata_optidma.c linux-2.6.35.5/drivers/ata/pata_optidma.c
21668 --- linux-2.6.35.5/drivers/ata/pata_optidma.c 2010-08-26 19:47:12.000000000 -0400
21669 +++ linux-2.6.35.5/drivers/ata/pata_optidma.c 2010-09-17 20:12:09.000000000 -0400
21670 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
21671 ATA_BMDMA_SHT(DRV_NAME),
21674 -static struct ata_port_operations optidma_port_ops = {
21675 +static const struct ata_port_operations optidma_port_ops = {
21676 .inherits = &ata_bmdma_port_ops,
21677 .cable_detect = ata_cable_40wire,
21678 .set_piomode = optidma_set_pio_mode,
21679 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
21680 .prereset = optidma_pre_reset,
21683 -static struct ata_port_operations optiplus_port_ops = {
21684 +static const struct ata_port_operations optiplus_port_ops = {
21685 .inherits = &optidma_port_ops,
21686 .set_piomode = optiplus_set_pio_mode,
21687 .set_dmamode = optiplus_set_dma_mode,
21688 diff -urNp linux-2.6.35.5/drivers/ata/pata_palmld.c linux-2.6.35.5/drivers/ata/pata_palmld.c
21689 --- linux-2.6.35.5/drivers/ata/pata_palmld.c 2010-08-26 19:47:12.000000000 -0400
21690 +++ linux-2.6.35.5/drivers/ata/pata_palmld.c 2010-09-17 20:12:09.000000000 -0400
21691 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
21692 ATA_PIO_SHT(DRV_NAME),
21695 -static struct ata_port_operations palmld_port_ops = {
21696 +static const struct ata_port_operations palmld_port_ops = {
21697 .inherits = &ata_sff_port_ops,
21698 .sff_data_xfer = ata_sff_data_xfer_noirq,
21699 .cable_detect = ata_cable_40wire,
21700 diff -urNp linux-2.6.35.5/drivers/ata/pata_pcmcia.c linux-2.6.35.5/drivers/ata/pata_pcmcia.c
21701 --- linux-2.6.35.5/drivers/ata/pata_pcmcia.c 2010-08-26 19:47:12.000000000 -0400
21702 +++ linux-2.6.35.5/drivers/ata/pata_pcmcia.c 2010-09-17 20:12:09.000000000 -0400
21703 @@ -153,14 +153,14 @@ static struct scsi_host_template pcmcia_
21704 ATA_PIO_SHT(DRV_NAME),
21707 -static struct ata_port_operations pcmcia_port_ops = {
21708 +static const struct ata_port_operations pcmcia_port_ops = {
21709 .inherits = &ata_sff_port_ops,
21710 .sff_data_xfer = ata_sff_data_xfer_noirq,
21711 .cable_detect = ata_cable_40wire,
21712 .set_mode = pcmcia_set_mode,
21715 -static struct ata_port_operations pcmcia_8bit_port_ops = {
21716 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
21717 .inherits = &ata_sff_port_ops,
21718 .sff_data_xfer = ata_data_xfer_8bit,
21719 .cable_detect = ata_cable_40wire,
21720 @@ -243,7 +243,7 @@ static int pcmcia_init_one(struct pcmcia
21721 unsigned long io_base, ctl_base;
21722 void __iomem *io_addr, *ctl_addr;
21724 - struct ata_port_operations *ops = &pcmcia_port_ops;
21725 + const struct ata_port_operations *ops = &pcmcia_port_ops;
21727 /* Set up attributes in order to probe card and get resources */
21728 pdev->io.Attributes1 = IO_DATA_PATH_WIDTH_AUTO;
21729 diff -urNp linux-2.6.35.5/drivers/ata/pata_pdc2027x.c linux-2.6.35.5/drivers/ata/pata_pdc2027x.c
21730 --- linux-2.6.35.5/drivers/ata/pata_pdc2027x.c 2010-08-26 19:47:12.000000000 -0400
21731 +++ linux-2.6.35.5/drivers/ata/pata_pdc2027x.c 2010-09-17 20:12:09.000000000 -0400
21732 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
21733 ATA_BMDMA_SHT(DRV_NAME),
21736 -static struct ata_port_operations pdc2027x_pata100_ops = {
21737 +static const struct ata_port_operations pdc2027x_pata100_ops = {
21738 .inherits = &ata_bmdma_port_ops,
21739 .check_atapi_dma = pdc2027x_check_atapi_dma,
21740 .cable_detect = pdc2027x_cable_detect,
21741 .prereset = pdc2027x_prereset,
21744 -static struct ata_port_operations pdc2027x_pata133_ops = {
21745 +static const struct ata_port_operations pdc2027x_pata133_ops = {
21746 .inherits = &pdc2027x_pata100_ops,
21747 .mode_filter = pdc2027x_mode_filter,
21748 .set_piomode = pdc2027x_set_piomode,
21749 diff -urNp linux-2.6.35.5/drivers/ata/pata_pdc202xx_old.c linux-2.6.35.5/drivers/ata/pata_pdc202xx_old.c
21750 --- linux-2.6.35.5/drivers/ata/pata_pdc202xx_old.c 2010-08-26 19:47:12.000000000 -0400
21751 +++ linux-2.6.35.5/drivers/ata/pata_pdc202xx_old.c 2010-09-17 20:12:09.000000000 -0400
21752 @@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
21753 ATA_BMDMA_SHT(DRV_NAME),
21756 -static struct ata_port_operations pdc2024x_port_ops = {
21757 +static const struct ata_port_operations pdc2024x_port_ops = {
21758 .inherits = &ata_bmdma_port_ops,
21760 .cable_detect = ata_cable_40wire,
21761 @@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
21762 .sff_exec_command = pdc202xx_exec_command,
21765 -static struct ata_port_operations pdc2026x_port_ops = {
21766 +static const struct ata_port_operations pdc2026x_port_ops = {
21767 .inherits = &pdc2024x_port_ops,
21769 .check_atapi_dma = pdc2026x_check_atapi_dma,
21770 diff -urNp linux-2.6.35.5/drivers/ata/pata_piccolo.c linux-2.6.35.5/drivers/ata/pata_piccolo.c
21771 --- linux-2.6.35.5/drivers/ata/pata_piccolo.c 2010-08-26 19:47:12.000000000 -0400
21772 +++ linux-2.6.35.5/drivers/ata/pata_piccolo.c 2010-09-17 20:12:09.000000000 -0400
21773 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
21774 ATA_BMDMA_SHT(DRV_NAME),
21777 -static struct ata_port_operations tosh_port_ops = {
21778 +static const struct ata_port_operations tosh_port_ops = {
21779 .inherits = &ata_bmdma_port_ops,
21780 .cable_detect = ata_cable_unknown,
21781 .set_piomode = tosh_set_piomode,
21782 diff -urNp linux-2.6.35.5/drivers/ata/pata_platform.c linux-2.6.35.5/drivers/ata/pata_platform.c
21783 --- linux-2.6.35.5/drivers/ata/pata_platform.c 2010-08-26 19:47:12.000000000 -0400
21784 +++ linux-2.6.35.5/drivers/ata/pata_platform.c 2010-09-17 20:12:09.000000000 -0400
21785 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
21786 ATA_PIO_SHT(DRV_NAME),
21789 -static struct ata_port_operations pata_platform_port_ops = {
21790 +static const struct ata_port_operations pata_platform_port_ops = {
21791 .inherits = &ata_sff_port_ops,
21792 .sff_data_xfer = ata_sff_data_xfer_noirq,
21793 .cable_detect = ata_cable_unknown,
21794 diff -urNp linux-2.6.35.5/drivers/ata/pata_qdi.c linux-2.6.35.5/drivers/ata/pata_qdi.c
21795 --- linux-2.6.35.5/drivers/ata/pata_qdi.c 2010-08-26 19:47:12.000000000 -0400
21796 +++ linux-2.6.35.5/drivers/ata/pata_qdi.c 2010-09-17 20:12:09.000000000 -0400
21797 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
21798 ATA_PIO_SHT(DRV_NAME),
21801 -static struct ata_port_operations qdi6500_port_ops = {
21802 +static const struct ata_port_operations qdi6500_port_ops = {
21803 .inherits = &ata_sff_port_ops,
21804 .qc_issue = qdi_qc_issue,
21805 .sff_data_xfer = qdi_data_xfer,
21806 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
21807 .set_piomode = qdi6500_set_piomode,
21810 -static struct ata_port_operations qdi6580_port_ops = {
21811 +static const struct ata_port_operations qdi6580_port_ops = {
21812 .inherits = &qdi6500_port_ops,
21813 .set_piomode = qdi6580_set_piomode,
21815 diff -urNp linux-2.6.35.5/drivers/ata/pata_radisys.c linux-2.6.35.5/drivers/ata/pata_radisys.c
21816 --- linux-2.6.35.5/drivers/ata/pata_radisys.c 2010-08-26 19:47:12.000000000 -0400
21817 +++ linux-2.6.35.5/drivers/ata/pata_radisys.c 2010-09-17 20:12:09.000000000 -0400
21818 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
21819 ATA_BMDMA_SHT(DRV_NAME),
21822 -static struct ata_port_operations radisys_pata_ops = {
21823 +static const struct ata_port_operations radisys_pata_ops = {
21824 .inherits = &ata_bmdma_port_ops,
21825 .qc_issue = radisys_qc_issue,
21826 .cable_detect = ata_cable_unknown,
21827 diff -urNp linux-2.6.35.5/drivers/ata/pata_rb532_cf.c linux-2.6.35.5/drivers/ata/pata_rb532_cf.c
21828 --- linux-2.6.35.5/drivers/ata/pata_rb532_cf.c 2010-08-26 19:47:12.000000000 -0400
21829 +++ linux-2.6.35.5/drivers/ata/pata_rb532_cf.c 2010-09-17 20:12:09.000000000 -0400
21830 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
21831 return IRQ_HANDLED;
21834 -static struct ata_port_operations rb532_pata_port_ops = {
21835 +static const struct ata_port_operations rb532_pata_port_ops = {
21836 .inherits = &ata_sff_port_ops,
21837 .sff_data_xfer = ata_sff_data_xfer32,
21839 diff -urNp linux-2.6.35.5/drivers/ata/pata_rdc.c linux-2.6.35.5/drivers/ata/pata_rdc.c
21840 --- linux-2.6.35.5/drivers/ata/pata_rdc.c 2010-08-26 19:47:12.000000000 -0400
21841 +++ linux-2.6.35.5/drivers/ata/pata_rdc.c 2010-09-17 20:12:09.000000000 -0400
21842 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
21843 pci_write_config_byte(dev, 0x48, udma_enable);
21846 -static struct ata_port_operations rdc_pata_ops = {
21847 +static const struct ata_port_operations rdc_pata_ops = {
21848 .inherits = &ata_bmdma32_port_ops,
21849 .cable_detect = rdc_pata_cable_detect,
21850 .set_piomode = rdc_set_piomode,
21851 diff -urNp linux-2.6.35.5/drivers/ata/pata_rz1000.c linux-2.6.35.5/drivers/ata/pata_rz1000.c
21852 --- linux-2.6.35.5/drivers/ata/pata_rz1000.c 2010-08-26 19:47:12.000000000 -0400
21853 +++ linux-2.6.35.5/drivers/ata/pata_rz1000.c 2010-09-17 20:12:09.000000000 -0400
21854 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
21855 ATA_PIO_SHT(DRV_NAME),
21858 -static struct ata_port_operations rz1000_port_ops = {
21859 +static const struct ata_port_operations rz1000_port_ops = {
21860 .inherits = &ata_sff_port_ops,
21861 .cable_detect = ata_cable_40wire,
21862 .set_mode = rz1000_set_mode,
21863 diff -urNp linux-2.6.35.5/drivers/ata/pata_sc1200.c linux-2.6.35.5/drivers/ata/pata_sc1200.c
21864 --- linux-2.6.35.5/drivers/ata/pata_sc1200.c 2010-08-26 19:47:12.000000000 -0400
21865 +++ linux-2.6.35.5/drivers/ata/pata_sc1200.c 2010-09-17 20:12:09.000000000 -0400
21866 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
21867 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21870 -static struct ata_port_operations sc1200_port_ops = {
21871 +static const struct ata_port_operations sc1200_port_ops = {
21872 .inherits = &ata_bmdma_port_ops,
21873 .qc_prep = ata_bmdma_dumb_qc_prep,
21874 .qc_issue = sc1200_qc_issue,
21875 diff -urNp linux-2.6.35.5/drivers/ata/pata_scc.c linux-2.6.35.5/drivers/ata/pata_scc.c
21876 --- linux-2.6.35.5/drivers/ata/pata_scc.c 2010-08-26 19:47:12.000000000 -0400
21877 +++ linux-2.6.35.5/drivers/ata/pata_scc.c 2010-09-17 20:12:09.000000000 -0400
21878 @@ -927,7 +927,7 @@ static struct scsi_host_template scc_sht
21879 ATA_BMDMA_SHT(DRV_NAME),
21882 -static struct ata_port_operations scc_pata_ops = {
21883 +static const struct ata_port_operations scc_pata_ops = {
21884 .inherits = &ata_bmdma_port_ops,
21886 .set_piomode = scc_set_piomode,
21887 diff -urNp linux-2.6.35.5/drivers/ata/pata_sch.c linux-2.6.35.5/drivers/ata/pata_sch.c
21888 --- linux-2.6.35.5/drivers/ata/pata_sch.c 2010-08-26 19:47:12.000000000 -0400
21889 +++ linux-2.6.35.5/drivers/ata/pata_sch.c 2010-09-17 20:12:09.000000000 -0400
21890 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
21891 ATA_BMDMA_SHT(DRV_NAME),
21894 -static struct ata_port_operations sch_pata_ops = {
21895 +static const struct ata_port_operations sch_pata_ops = {
21896 .inherits = &ata_bmdma_port_ops,
21897 .cable_detect = ata_cable_unknown,
21898 .set_piomode = sch_set_piomode,
21899 diff -urNp linux-2.6.35.5/drivers/ata/pata_serverworks.c linux-2.6.35.5/drivers/ata/pata_serverworks.c
21900 --- linux-2.6.35.5/drivers/ata/pata_serverworks.c 2010-08-26 19:47:12.000000000 -0400
21901 +++ linux-2.6.35.5/drivers/ata/pata_serverworks.c 2010-09-17 20:12:09.000000000 -0400
21902 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
21903 ATA_BMDMA_SHT(DRV_NAME),
21906 -static struct ata_port_operations serverworks_osb4_port_ops = {
21907 +static const struct ata_port_operations serverworks_osb4_port_ops = {
21908 .inherits = &ata_bmdma_port_ops,
21909 .cable_detect = serverworks_cable_detect,
21910 .mode_filter = serverworks_osb4_filter,
21911 @@ -308,7 +308,7 @@ static struct ata_port_operations server
21912 .set_dmamode = serverworks_set_dmamode,
21915 -static struct ata_port_operations serverworks_csb_port_ops = {
21916 +static const struct ata_port_operations serverworks_csb_port_ops = {
21917 .inherits = &serverworks_osb4_port_ops,
21918 .mode_filter = serverworks_csb_filter,
21920 diff -urNp linux-2.6.35.5/drivers/ata/pata_sil680.c linux-2.6.35.5/drivers/ata/pata_sil680.c
21921 --- linux-2.6.35.5/drivers/ata/pata_sil680.c 2010-08-26 19:47:12.000000000 -0400
21922 +++ linux-2.6.35.5/drivers/ata/pata_sil680.c 2010-09-17 20:12:09.000000000 -0400
21923 @@ -214,8 +214,7 @@ static struct scsi_host_template sil680_
21924 ATA_BMDMA_SHT(DRV_NAME),
21928 -static struct ata_port_operations sil680_port_ops = {
21929 +static const struct ata_port_operations sil680_port_ops = {
21930 .inherits = &ata_bmdma32_port_ops,
21931 .sff_exec_command = sil680_sff_exec_command,
21932 .cable_detect = sil680_cable_detect,
21933 diff -urNp linux-2.6.35.5/drivers/ata/pata_sis.c linux-2.6.35.5/drivers/ata/pata_sis.c
21934 --- linux-2.6.35.5/drivers/ata/pata_sis.c 2010-08-26 19:47:12.000000000 -0400
21935 +++ linux-2.6.35.5/drivers/ata/pata_sis.c 2010-09-17 20:12:09.000000000 -0400
21936 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
21937 ATA_BMDMA_SHT(DRV_NAME),
21940 -static struct ata_port_operations sis_133_for_sata_ops = {
21941 +static const struct ata_port_operations sis_133_for_sata_ops = {
21942 .inherits = &ata_bmdma_port_ops,
21943 .set_piomode = sis_133_set_piomode,
21944 .set_dmamode = sis_133_set_dmamode,
21945 .cable_detect = sis_133_cable_detect,
21948 -static struct ata_port_operations sis_base_ops = {
21949 +static const struct ata_port_operations sis_base_ops = {
21950 .inherits = &ata_bmdma_port_ops,
21951 .prereset = sis_pre_reset,
21954 -static struct ata_port_operations sis_133_ops = {
21955 +static const struct ata_port_operations sis_133_ops = {
21956 .inherits = &sis_base_ops,
21957 .set_piomode = sis_133_set_piomode,
21958 .set_dmamode = sis_133_set_dmamode,
21959 .cable_detect = sis_133_cable_detect,
21962 -static struct ata_port_operations sis_133_early_ops = {
21963 +static const struct ata_port_operations sis_133_early_ops = {
21964 .inherits = &sis_base_ops,
21965 .set_piomode = sis_100_set_piomode,
21966 .set_dmamode = sis_133_early_set_dmamode,
21967 .cable_detect = sis_66_cable_detect,
21970 -static struct ata_port_operations sis_100_ops = {
21971 +static const struct ata_port_operations sis_100_ops = {
21972 .inherits = &sis_base_ops,
21973 .set_piomode = sis_100_set_piomode,
21974 .set_dmamode = sis_100_set_dmamode,
21975 .cable_detect = sis_66_cable_detect,
21978 -static struct ata_port_operations sis_66_ops = {
21979 +static const struct ata_port_operations sis_66_ops = {
21980 .inherits = &sis_base_ops,
21981 .set_piomode = sis_old_set_piomode,
21982 .set_dmamode = sis_66_set_dmamode,
21983 .cable_detect = sis_66_cable_detect,
21986 -static struct ata_port_operations sis_old_ops = {
21987 +static const struct ata_port_operations sis_old_ops = {
21988 .inherits = &sis_base_ops,
21989 .set_piomode = sis_old_set_piomode,
21990 .set_dmamode = sis_old_set_dmamode,
21991 diff -urNp linux-2.6.35.5/drivers/ata/pata_sl82c105.c linux-2.6.35.5/drivers/ata/pata_sl82c105.c
21992 --- linux-2.6.35.5/drivers/ata/pata_sl82c105.c 2010-08-26 19:47:12.000000000 -0400
21993 +++ linux-2.6.35.5/drivers/ata/pata_sl82c105.c 2010-09-17 20:12:09.000000000 -0400
21994 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
21995 ATA_BMDMA_SHT(DRV_NAME),
21998 -static struct ata_port_operations sl82c105_port_ops = {
21999 +static const struct ata_port_operations sl82c105_port_ops = {
22000 .inherits = &ata_bmdma_port_ops,
22001 .qc_defer = sl82c105_qc_defer,
22002 .bmdma_start = sl82c105_bmdma_start,
22003 diff -urNp linux-2.6.35.5/drivers/ata/pata_triflex.c linux-2.6.35.5/drivers/ata/pata_triflex.c
22004 --- linux-2.6.35.5/drivers/ata/pata_triflex.c 2010-08-26 19:47:12.000000000 -0400
22005 +++ linux-2.6.35.5/drivers/ata/pata_triflex.c 2010-09-17 20:12:09.000000000 -0400
22006 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
22007 ATA_BMDMA_SHT(DRV_NAME),
22010 -static struct ata_port_operations triflex_port_ops = {
22011 +static const struct ata_port_operations triflex_port_ops = {
22012 .inherits = &ata_bmdma_port_ops,
22013 .bmdma_start = triflex_bmdma_start,
22014 .bmdma_stop = triflex_bmdma_stop,
22015 diff -urNp linux-2.6.35.5/drivers/ata/pata_via.c linux-2.6.35.5/drivers/ata/pata_via.c
22016 --- linux-2.6.35.5/drivers/ata/pata_via.c 2010-09-20 17:33:09.000000000 -0400
22017 +++ linux-2.6.35.5/drivers/ata/pata_via.c 2010-09-20 17:33:32.000000000 -0400
22018 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
22019 ATA_BMDMA_SHT(DRV_NAME),
22022 -static struct ata_port_operations via_port_ops = {
22023 +static const struct ata_port_operations via_port_ops = {
22024 .inherits = &ata_bmdma_port_ops,
22025 .cable_detect = via_cable_detect,
22026 .set_piomode = via_set_piomode,
22027 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
22028 .mode_filter = via_mode_filter,
22031 -static struct ata_port_operations via_port_ops_noirq = {
22032 +static const struct ata_port_operations via_port_ops_noirq = {
22033 .inherits = &via_port_ops,
22034 .sff_data_xfer = ata_sff_data_xfer_noirq,
22036 diff -urNp linux-2.6.35.5/drivers/ata/pata_winbond.c linux-2.6.35.5/drivers/ata/pata_winbond.c
22037 --- linux-2.6.35.5/drivers/ata/pata_winbond.c 2010-08-26 19:47:12.000000000 -0400
22038 +++ linux-2.6.35.5/drivers/ata/pata_winbond.c 2010-09-17 20:12:09.000000000 -0400
22039 @@ -125,7 +125,7 @@ static struct scsi_host_template winbond
22040 ATA_PIO_SHT(DRV_NAME),
22043 -static struct ata_port_operations winbond_port_ops = {
22044 +static const struct ata_port_operations winbond_port_ops = {
22045 .inherits = &ata_sff_port_ops,
22046 .sff_data_xfer = winbond_data_xfer,
22047 .cable_detect = ata_cable_40wire,
22048 diff -urNp linux-2.6.35.5/drivers/ata/pdc_adma.c linux-2.6.35.5/drivers/ata/pdc_adma.c
22049 --- linux-2.6.35.5/drivers/ata/pdc_adma.c 2010-08-26 19:47:12.000000000 -0400
22050 +++ linux-2.6.35.5/drivers/ata/pdc_adma.c 2010-09-17 20:12:09.000000000 -0400
22051 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
22052 .dma_boundary = ADMA_DMA_BOUNDARY,
22055 -static struct ata_port_operations adma_ata_ops = {
22056 +static const struct ata_port_operations adma_ata_ops = {
22057 .inherits = &ata_sff_port_ops,
22059 .lost_interrupt = ATA_OP_NULL,
22060 diff -urNp linux-2.6.35.5/drivers/ata/sata_fsl.c linux-2.6.35.5/drivers/ata/sata_fsl.c
22061 --- linux-2.6.35.5/drivers/ata/sata_fsl.c 2010-08-26 19:47:12.000000000 -0400
22062 +++ linux-2.6.35.5/drivers/ata/sata_fsl.c 2010-09-17 20:12:09.000000000 -0400
22063 @@ -1261,7 +1261,7 @@ static struct scsi_host_template sata_fs
22064 .dma_boundary = ATA_DMA_BOUNDARY,
22067 -static struct ata_port_operations sata_fsl_ops = {
22068 +static const struct ata_port_operations sata_fsl_ops = {
22069 .inherits = &sata_pmp_port_ops,
22071 .qc_defer = ata_std_qc_defer,
22072 diff -urNp linux-2.6.35.5/drivers/ata/sata_inic162x.c linux-2.6.35.5/drivers/ata/sata_inic162x.c
22073 --- linux-2.6.35.5/drivers/ata/sata_inic162x.c 2010-08-26 19:47:12.000000000 -0400
22074 +++ linux-2.6.35.5/drivers/ata/sata_inic162x.c 2010-09-17 20:12:09.000000000 -0400
22075 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
22079 -static struct ata_port_operations inic_port_ops = {
22080 +static const struct ata_port_operations inic_port_ops = {
22081 .inherits = &sata_port_ops,
22083 .check_atapi_dma = inic_check_atapi_dma,
22084 diff -urNp linux-2.6.35.5/drivers/ata/sata_mv.c linux-2.6.35.5/drivers/ata/sata_mv.c
22085 --- linux-2.6.35.5/drivers/ata/sata_mv.c 2010-09-20 17:33:09.000000000 -0400
22086 +++ linux-2.6.35.5/drivers/ata/sata_mv.c 2010-09-20 17:33:32.000000000 -0400
22087 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
22088 .dma_boundary = MV_DMA_BOUNDARY,
22091 -static struct ata_port_operations mv5_ops = {
22092 +static const struct ata_port_operations mv5_ops = {
22093 .inherits = &ata_sff_port_ops,
22095 .lost_interrupt = ATA_OP_NULL,
22096 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
22097 .port_stop = mv_port_stop,
22100 -static struct ata_port_operations mv6_ops = {
22101 +static const struct ata_port_operations mv6_ops = {
22102 .inherits = &ata_bmdma_port_ops,
22104 .lost_interrupt = ATA_OP_NULL,
22105 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
22106 .port_stop = mv_port_stop,
22109 -static struct ata_port_operations mv_iie_ops = {
22110 +static const struct ata_port_operations mv_iie_ops = {
22111 .inherits = &mv6_ops,
22112 .dev_config = ATA_OP_NULL,
22113 .qc_prep = mv_qc_prep_iie,
22114 diff -urNp linux-2.6.35.5/drivers/ata/sata_nv.c linux-2.6.35.5/drivers/ata/sata_nv.c
22115 --- linux-2.6.35.5/drivers/ata/sata_nv.c 2010-08-26 19:47:12.000000000 -0400
22116 +++ linux-2.6.35.5/drivers/ata/sata_nv.c 2010-09-17 20:12:09.000000000 -0400
22117 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
22118 * cases. Define nv_hardreset() which only kicks in for post-boot
22119 * probing and use it for all variants.
22121 -static struct ata_port_operations nv_generic_ops = {
22122 +static const struct ata_port_operations nv_generic_ops = {
22123 .inherits = &ata_bmdma_port_ops,
22124 .lost_interrupt = ATA_OP_NULL,
22125 .scr_read = nv_scr_read,
22126 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
22127 .hardreset = nv_hardreset,
22130 -static struct ata_port_operations nv_nf2_ops = {
22131 +static const struct ata_port_operations nv_nf2_ops = {
22132 .inherits = &nv_generic_ops,
22133 .freeze = nv_nf2_freeze,
22134 .thaw = nv_nf2_thaw,
22137 -static struct ata_port_operations nv_ck804_ops = {
22138 +static const struct ata_port_operations nv_ck804_ops = {
22139 .inherits = &nv_generic_ops,
22140 .freeze = nv_ck804_freeze,
22141 .thaw = nv_ck804_thaw,
22142 .host_stop = nv_ck804_host_stop,
22145 -static struct ata_port_operations nv_adma_ops = {
22146 +static const struct ata_port_operations nv_adma_ops = {
22147 .inherits = &nv_ck804_ops,
22149 .check_atapi_dma = nv_adma_check_atapi_dma,
22150 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
22151 .host_stop = nv_adma_host_stop,
22154 -static struct ata_port_operations nv_swncq_ops = {
22155 +static const struct ata_port_operations nv_swncq_ops = {
22156 .inherits = &nv_generic_ops,
22158 .qc_defer = ata_std_qc_defer,
22159 diff -urNp linux-2.6.35.5/drivers/ata/sata_promise.c linux-2.6.35.5/drivers/ata/sata_promise.c
22160 --- linux-2.6.35.5/drivers/ata/sata_promise.c 2010-08-26 19:47:12.000000000 -0400
22161 +++ linux-2.6.35.5/drivers/ata/sata_promise.c 2010-09-17 20:12:09.000000000 -0400
22162 @@ -196,7 +196,7 @@ static const struct ata_port_operations
22163 .error_handler = pdc_error_handler,
22166 -static struct ata_port_operations pdc_sata_ops = {
22167 +static const struct ata_port_operations pdc_sata_ops = {
22168 .inherits = &pdc_common_ops,
22169 .cable_detect = pdc_sata_cable_detect,
22170 .freeze = pdc_sata_freeze,
22171 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
22173 /* First-generation chips need a more restrictive ->check_atapi_dma op,
22174 and ->freeze/thaw that ignore the hotplug controls. */
22175 -static struct ata_port_operations pdc_old_sata_ops = {
22176 +static const struct ata_port_operations pdc_old_sata_ops = {
22177 .inherits = &pdc_sata_ops,
22178 .freeze = pdc_freeze,
22180 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
22183 -static struct ata_port_operations pdc_pata_ops = {
22184 +static const struct ata_port_operations pdc_pata_ops = {
22185 .inherits = &pdc_common_ops,
22186 .cable_detect = pdc_pata_cable_detect,
22187 .freeze = pdc_freeze,
22188 diff -urNp linux-2.6.35.5/drivers/ata/sata_qstor.c linux-2.6.35.5/drivers/ata/sata_qstor.c
22189 --- linux-2.6.35.5/drivers/ata/sata_qstor.c 2010-08-26 19:47:12.000000000 -0400
22190 +++ linux-2.6.35.5/drivers/ata/sata_qstor.c 2010-09-17 20:12:09.000000000 -0400
22191 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
22192 .dma_boundary = QS_DMA_BOUNDARY,
22195 -static struct ata_port_operations qs_ata_ops = {
22196 +static const struct ata_port_operations qs_ata_ops = {
22197 .inherits = &ata_sff_port_ops,
22199 .check_atapi_dma = qs_check_atapi_dma,
22200 diff -urNp linux-2.6.35.5/drivers/ata/sata_sil24.c linux-2.6.35.5/drivers/ata/sata_sil24.c
22201 --- linux-2.6.35.5/drivers/ata/sata_sil24.c 2010-08-26 19:47:12.000000000 -0400
22202 +++ linux-2.6.35.5/drivers/ata/sata_sil24.c 2010-09-17 20:12:09.000000000 -0400
22203 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
22204 .dma_boundary = ATA_DMA_BOUNDARY,
22207 -static struct ata_port_operations sil24_ops = {
22208 +static const struct ata_port_operations sil24_ops = {
22209 .inherits = &sata_pmp_port_ops,
22211 .qc_defer = sil24_qc_defer,
22212 diff -urNp linux-2.6.35.5/drivers/ata/sata_sil.c linux-2.6.35.5/drivers/ata/sata_sil.c
22213 --- linux-2.6.35.5/drivers/ata/sata_sil.c 2010-08-26 19:47:12.000000000 -0400
22214 +++ linux-2.6.35.5/drivers/ata/sata_sil.c 2010-09-17 20:12:09.000000000 -0400
22215 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
22216 .sg_tablesize = ATA_MAX_PRD
22219 -static struct ata_port_operations sil_ops = {
22220 +static const struct ata_port_operations sil_ops = {
22221 .inherits = &ata_bmdma32_port_ops,
22222 .dev_config = sil_dev_config,
22223 .set_mode = sil_set_mode,
22224 diff -urNp linux-2.6.35.5/drivers/ata/sata_sis.c linux-2.6.35.5/drivers/ata/sata_sis.c
22225 --- linux-2.6.35.5/drivers/ata/sata_sis.c 2010-08-26 19:47:12.000000000 -0400
22226 +++ linux-2.6.35.5/drivers/ata/sata_sis.c 2010-09-17 20:12:09.000000000 -0400
22227 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
22228 ATA_BMDMA_SHT(DRV_NAME),
22231 -static struct ata_port_operations sis_ops = {
22232 +static const struct ata_port_operations sis_ops = {
22233 .inherits = &ata_bmdma_port_ops,
22234 .scr_read = sis_scr_read,
22235 .scr_write = sis_scr_write,
22236 diff -urNp linux-2.6.35.5/drivers/ata/sata_svw.c linux-2.6.35.5/drivers/ata/sata_svw.c
22237 --- linux-2.6.35.5/drivers/ata/sata_svw.c 2010-08-26 19:47:12.000000000 -0400
22238 +++ linux-2.6.35.5/drivers/ata/sata_svw.c 2010-09-17 20:12:09.000000000 -0400
22239 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
22243 -static struct ata_port_operations k2_sata_ops = {
22244 +static const struct ata_port_operations k2_sata_ops = {
22245 .inherits = &ata_bmdma_port_ops,
22246 .sff_tf_load = k2_sata_tf_load,
22247 .sff_tf_read = k2_sata_tf_read,
22248 diff -urNp linux-2.6.35.5/drivers/ata/sata_sx4.c linux-2.6.35.5/drivers/ata/sata_sx4.c
22249 --- linux-2.6.35.5/drivers/ata/sata_sx4.c 2010-08-26 19:47:12.000000000 -0400
22250 +++ linux-2.6.35.5/drivers/ata/sata_sx4.c 2010-09-17 20:12:09.000000000 -0400
22251 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
22254 /* TODO: inherit from base port_ops after converting to new EH */
22255 -static struct ata_port_operations pdc_20621_ops = {
22256 +static const struct ata_port_operations pdc_20621_ops = {
22257 .inherits = &ata_sff_port_ops,
22259 .check_atapi_dma = pdc_check_atapi_dma,
22260 diff -urNp linux-2.6.35.5/drivers/ata/sata_uli.c linux-2.6.35.5/drivers/ata/sata_uli.c
22261 --- linux-2.6.35.5/drivers/ata/sata_uli.c 2010-08-26 19:47:12.000000000 -0400
22262 +++ linux-2.6.35.5/drivers/ata/sata_uli.c 2010-09-17 20:12:09.000000000 -0400
22263 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
22264 ATA_BMDMA_SHT(DRV_NAME),
22267 -static struct ata_port_operations uli_ops = {
22268 +static const struct ata_port_operations uli_ops = {
22269 .inherits = &ata_bmdma_port_ops,
22270 .scr_read = uli_scr_read,
22271 .scr_write = uli_scr_write,
22272 diff -urNp linux-2.6.35.5/drivers/ata/sata_via.c linux-2.6.35.5/drivers/ata/sata_via.c
22273 --- linux-2.6.35.5/drivers/ata/sata_via.c 2010-08-26 19:47:12.000000000 -0400
22274 +++ linux-2.6.35.5/drivers/ata/sata_via.c 2010-09-17 20:12:09.000000000 -0400
22275 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
22276 ATA_BMDMA_SHT(DRV_NAME),
22279 -static struct ata_port_operations svia_base_ops = {
22280 +static const struct ata_port_operations svia_base_ops = {
22281 .inherits = &ata_bmdma_port_ops,
22282 .sff_tf_load = svia_tf_load,
22285 -static struct ata_port_operations vt6420_sata_ops = {
22286 +static const struct ata_port_operations vt6420_sata_ops = {
22287 .inherits = &svia_base_ops,
22288 .freeze = svia_noop_freeze,
22289 .prereset = vt6420_prereset,
22290 .bmdma_start = vt6420_bmdma_start,
22293 -static struct ata_port_operations vt6421_pata_ops = {
22294 +static const struct ata_port_operations vt6421_pata_ops = {
22295 .inherits = &svia_base_ops,
22296 .cable_detect = vt6421_pata_cable_detect,
22297 .set_piomode = vt6421_set_pio_mode,
22298 .set_dmamode = vt6421_set_dma_mode,
22301 -static struct ata_port_operations vt6421_sata_ops = {
22302 +static const struct ata_port_operations vt6421_sata_ops = {
22303 .inherits = &svia_base_ops,
22304 .scr_read = svia_scr_read,
22305 .scr_write = svia_scr_write,
22308 -static struct ata_port_operations vt8251_ops = {
22309 +static const struct ata_port_operations vt8251_ops = {
22310 .inherits = &svia_base_ops,
22311 .hardreset = sata_std_hardreset,
22312 .scr_read = vt8251_scr_read,
22313 diff -urNp linux-2.6.35.5/drivers/ata/sata_vsc.c linux-2.6.35.5/drivers/ata/sata_vsc.c
22314 --- linux-2.6.35.5/drivers/ata/sata_vsc.c 2010-08-26 19:47:12.000000000 -0400
22315 +++ linux-2.6.35.5/drivers/ata/sata_vsc.c 2010-09-17 20:12:09.000000000 -0400
22316 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
22320 -static struct ata_port_operations vsc_sata_ops = {
22321 +static const struct ata_port_operations vsc_sata_ops = {
22322 .inherits = &ata_bmdma_port_ops,
22323 /* The IRQ handling is not quite standard SFF behaviour so we
22324 cannot use the default lost interrupt handler */
22325 diff -urNp linux-2.6.35.5/drivers/atm/adummy.c linux-2.6.35.5/drivers/atm/adummy.c
22326 --- linux-2.6.35.5/drivers/atm/adummy.c 2010-08-26 19:47:12.000000000 -0400
22327 +++ linux-2.6.35.5/drivers/atm/adummy.c 2010-09-17 20:12:09.000000000 -0400
22328 @@ -78,7 +78,7 @@ adummy_send(struct atm_vcc *vcc, struct
22329 vcc->pop(vcc, skb);
22331 dev_kfree_skb_any(skb);
22332 - atomic_inc(&vcc->stats->tx);
22333 + atomic_inc_unchecked(&vcc->stats->tx);
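Review bot: The switch from `atomic_inc` to `atomic_inc_unchecked` on `vcc->stats->tx` is not explained in the hunk, so a reader cannot tell that this counter is deliberately exempted from overflow detection. These look like plain traffic statistics, for which wrap-around is harmless, but the reasoning should be written down, e.g. `/* statistics only, not a reference count: may wrap */`. The field's type has to change to the matching unchecked atomic type where the stats structure is declared, which is outside this hunk and should be confirmed. The same applies to the `stats->tx`, `rx`, `rx_drop` and `tx_err` updates in the ambassador.c and atmtcp.c hunks below. adummy_send's body starts and ends outside the hunk.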
22337 diff -urNp linux-2.6.35.5/drivers/atm/ambassador.c linux-2.6.35.5/drivers/atm/ambassador.c
22338 --- linux-2.6.35.5/drivers/atm/ambassador.c 2010-08-26 19:47:12.000000000 -0400
22339 +++ linux-2.6.35.5/drivers/atm/ambassador.c 2010-09-17 20:12:09.000000000 -0400
22340 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
22341 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
22344 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22345 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22347 // free the descriptor
22349 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
22350 dump_skb ("<<<", vc, skb);
22353 - atomic_inc(&atm_vcc->stats->rx);
22354 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22355 __net_timestamp(skb);
22356 // end of our responsability
22357 atm_vcc->push (atm_vcc, skb);
22358 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
22360 PRINTK (KERN_INFO, "dropped over-size frame");
22361 // should we count this?
22362 - atomic_inc(&atm_vcc->stats->rx_drop);
22363 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22367 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
22370 if (check_area (skb->data, skb->len)) {
22371 - atomic_inc(&atm_vcc->stats->tx_err);
22372 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
22373 return -ENOMEM; // ?
22376 diff -urNp linux-2.6.35.5/drivers/atm/atmtcp.c linux-2.6.35.5/drivers/atm/atmtcp.c
22377 --- linux-2.6.35.5/drivers/atm/atmtcp.c 2010-08-26 19:47:12.000000000 -0400
22378 +++ linux-2.6.35.5/drivers/atm/atmtcp.c 2010-09-17 20:12:09.000000000 -0400
22379 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
22380 if (vcc->pop) vcc->pop(vcc,skb);
22381 else dev_kfree_skb(skb);
22382 if (dev_data) return 0;
22383 - atomic_inc(&vcc->stats->tx_err);
22384 + atomic_inc_unchecked(&vcc->stats->tx_err);
22387 size = skb->len+sizeof(struct atmtcp_hdr);
22388 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
22390 if (vcc->pop) vcc->pop(vcc,skb);
22391 else dev_kfree_skb(skb);
22392 - atomic_inc(&vcc->stats->tx_err);
22393 + atomic_inc_unchecked(&vcc->stats->tx_err);
22396 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
22397 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
22398 if (vcc->pop) vcc->pop(vcc,skb);
22399 else dev_kfree_skb(skb);
22400 out_vcc->push(out_vcc,new_skb);
22401 - atomic_inc(&vcc->stats->tx);
22402 - atomic_inc(&out_vcc->stats->rx);
22403 + atomic_inc_unchecked(&vcc->stats->tx);
22404 + atomic_inc_unchecked(&out_vcc->stats->rx);
22408 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
22409 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
22410 read_unlock(&vcc_sklist_lock);
22412 - atomic_inc(&vcc->stats->tx_err);
22413 + atomic_inc_unchecked(&vcc->stats->tx_err);
22416 skb_pull(skb,sizeof(struct atmtcp_hdr));
22417 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
22418 __net_timestamp(new_skb);
22419 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
22420 out_vcc->push(out_vcc,new_skb);
22421 - atomic_inc(&vcc->stats->tx);
22422 - atomic_inc(&out_vcc->stats->rx);
22423 + atomic_inc_unchecked(&vcc->stats->tx);
22424 + atomic_inc_unchecked(&out_vcc->stats->rx);
22426 if (vcc->pop) vcc->pop(vcc,skb);
22427 else dev_kfree_skb(skb);
22428 diff -urNp linux-2.6.35.5/drivers/atm/eni.c linux-2.6.35.5/drivers/atm/eni.c
22429 --- linux-2.6.35.5/drivers/atm/eni.c 2010-08-26 19:47:12.000000000 -0400
22430 +++ linux-2.6.35.5/drivers/atm/eni.c 2010-09-17 20:12:09.000000000 -0400
22431 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
22432 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
22435 - atomic_inc(&vcc->stats->rx_err);
22436 + atomic_inc_unchecked(&vcc->stats->rx_err);
22439 length = ATM_CELL_SIZE-1; /* no HEC */
22440 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22444 - atomic_inc(&vcc->stats->rx_err);
22445 + atomic_inc_unchecked(&vcc->stats->rx_err);
22448 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
22449 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22450 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
22451 vcc->dev->number,vcc->vci,length,size << 2,descr);
22453 - atomic_inc(&vcc->stats->rx_err);
22454 + atomic_inc_unchecked(&vcc->stats->rx_err);
22457 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
22458 @@ -771,7 +771,7 @@ rx_dequeued++;
22459 vcc->push(vcc,skb);
22462 - atomic_inc(&vcc->stats->rx);
22463 + atomic_inc_unchecked(&vcc->stats->rx);
22465 wake_up(&eni_dev->rx_wait);
22467 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
22469 if (vcc->pop) vcc->pop(vcc,skb);
22470 else dev_kfree_skb_irq(skb);
22471 - atomic_inc(&vcc->stats->tx);
22472 + atomic_inc_unchecked(&vcc->stats->tx);
22473 wake_up(&eni_dev->tx_wait);
22476 diff -urNp linux-2.6.35.5/drivers/atm/firestream.c linux-2.6.35.5/drivers/atm/firestream.c
22477 --- linux-2.6.35.5/drivers/atm/firestream.c 2010-08-26 19:47:12.000000000 -0400
22478 +++ linux-2.6.35.5/drivers/atm/firestream.c 2010-09-17 20:12:09.000000000 -0400
22479 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
22483 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22484 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22486 fs_dprintk (FS_DEBUG_TXMEM, "i");
22487 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
22488 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
22490 skb_put (skb, qe->p1 & 0xffff);
22491 ATM_SKB(skb)->vcc = atm_vcc;
22492 - atomic_inc(&atm_vcc->stats->rx);
22493 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22494 __net_timestamp(skb);
22495 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
22496 atm_vcc->push (atm_vcc, skb);
22497 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
22501 - atomic_inc(&atm_vcc->stats->rx_drop);
22502 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22504 case 0x1f: /* Reassembly abort: no buffers. */
22505 /* Silently increment error counter. */
22507 - atomic_inc(&atm_vcc->stats->rx_drop);
22508 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22510 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
22511 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
22512 diff -urNp linux-2.6.35.5/drivers/atm/fore200e.c linux-2.6.35.5/drivers/atm/fore200e.c
22513 --- linux-2.6.35.5/drivers/atm/fore200e.c 2010-08-26 19:47:12.000000000 -0400
22514 +++ linux-2.6.35.5/drivers/atm/fore200e.c 2010-09-17 20:12:09.000000000 -0400
22515 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
22517 /* check error condition */
22518 if (*entry->status & STATUS_ERROR)
22519 - atomic_inc(&vcc->stats->tx_err);
22520 + atomic_inc_unchecked(&vcc->stats->tx_err);
22522 - atomic_inc(&vcc->stats->tx);
22523 + atomic_inc_unchecked(&vcc->stats->tx);
22527 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
22529 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
22531 - atomic_inc(&vcc->stats->rx_drop);
22532 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22536 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
22538 dev_kfree_skb_any(skb);
22540 - atomic_inc(&vcc->stats->rx_drop);
22541 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22545 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22547 vcc->push(vcc, skb);
22548 - atomic_inc(&vcc->stats->rx);
22549 + atomic_inc_unchecked(&vcc->stats->rx);
22551 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22553 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
22554 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
22555 fore200e->atm_dev->number,
22556 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
22557 - atomic_inc(&vcc->stats->rx_err);
22558 + atomic_inc_unchecked(&vcc->stats->rx_err);
22562 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
22566 - atomic_inc(&vcc->stats->tx_err);
22567 + atomic_inc_unchecked(&vcc->stats->tx_err);
22569 fore200e->tx_sat++;
22570 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
22571 diff -urNp linux-2.6.35.5/drivers/atm/he.c linux-2.6.35.5/drivers/atm/he.c
22572 --- linux-2.6.35.5/drivers/atm/he.c 2010-08-26 19:47:12.000000000 -0400
22573 +++ linux-2.6.35.5/drivers/atm/he.c 2010-09-17 20:12:09.000000000 -0400
22574 @@ -1770,7 +1770,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22576 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
22577 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
22578 - atomic_inc(&vcc->stats->rx_drop);
22579 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22580 goto return_host_buffers;
22583 @@ -1803,7 +1803,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22584 RBRQ_LEN_ERR(he_dev->rbrq_head)
22586 vcc->vpi, vcc->vci);
22587 - atomic_inc(&vcc->stats->rx_err);
22588 + atomic_inc_unchecked(&vcc->stats->rx_err);
22589 goto return_host_buffers;
22592 @@ -1862,7 +1862,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22593 vcc->push(vcc, skb);
22594 spin_lock(&he_dev->global_lock);
22596 - atomic_inc(&vcc->stats->rx);
22597 + atomic_inc_unchecked(&vcc->stats->rx);
22599 return_host_buffers:
22601 @@ -2207,7 +2207,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
22602 tpd->vcc->pop(tpd->vcc, tpd->skb);
22604 dev_kfree_skb_any(tpd->skb);
22605 - atomic_inc(&tpd->vcc->stats->tx_err);
22606 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
22608 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
22610 @@ -2619,7 +2619,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22611 vcc->pop(vcc, skb);
22613 dev_kfree_skb_any(skb);
22614 - atomic_inc(&vcc->stats->tx_err);
22615 + atomic_inc_unchecked(&vcc->stats->tx_err);
22619 @@ -2630,7 +2630,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22620 vcc->pop(vcc, skb);
22622 dev_kfree_skb_any(skb);
22623 - atomic_inc(&vcc->stats->tx_err);
22624 + atomic_inc_unchecked(&vcc->stats->tx_err);
22628 @@ -2642,7 +2642,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22629 vcc->pop(vcc, skb);
22631 dev_kfree_skb_any(skb);
22632 - atomic_inc(&vcc->stats->tx_err);
22633 + atomic_inc_unchecked(&vcc->stats->tx_err);
22634 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22637 @@ -2684,7 +2684,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22638 vcc->pop(vcc, skb);
22640 dev_kfree_skb_any(skb);
22641 - atomic_inc(&vcc->stats->tx_err);
22642 + atomic_inc_unchecked(&vcc->stats->tx_err);
22643 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22646 @@ -2715,7 +2715,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22647 __enqueue_tpd(he_dev, tpd, cid);
22648 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22650 - atomic_inc(&vcc->stats->tx);
22651 + atomic_inc_unchecked(&vcc->stats->tx);
22655 diff -urNp linux-2.6.35.5/drivers/atm/horizon.c linux-2.6.35.5/drivers/atm/horizon.c
22656 --- linux-2.6.35.5/drivers/atm/horizon.c 2010-08-26 19:47:12.000000000 -0400
22657 +++ linux-2.6.35.5/drivers/atm/horizon.c 2010-09-17 20:12:09.000000000 -0400
22658 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
22660 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
22662 - atomic_inc(&vcc->stats->rx);
22663 + atomic_inc_unchecked(&vcc->stats->rx);
22664 __net_timestamp(skb);
22665 // end of our responsability
22666 vcc->push (vcc, skb);
22667 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
22668 dev->tx_iovec = NULL;
22671 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22672 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22675 hrz_kfree_skb (skb);
22676 diff -urNp linux-2.6.35.5/drivers/atm/idt77252.c linux-2.6.35.5/drivers/atm/idt77252.c
22677 --- linux-2.6.35.5/drivers/atm/idt77252.c 2010-08-26 19:47:12.000000000 -0400
22678 +++ linux-2.6.35.5/drivers/atm/idt77252.c 2010-09-17 20:12:09.000000000 -0400
22679 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
22681 dev_kfree_skb(skb);
22683 - atomic_inc(&vcc->stats->tx);
22684 + atomic_inc_unchecked(&vcc->stats->tx);
22687 atomic_dec(&scq->used);
22688 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
22689 if ((sb = dev_alloc_skb(64)) == NULL) {
22690 printk("%s: Can't allocate buffers for aal0.\n",
22692 - atomic_add(i, &vcc->stats->rx_drop);
22693 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
22696 if (!atm_charge(vcc, sb->truesize)) {
22697 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
22699 - atomic_add(i - 1, &vcc->stats->rx_drop);
22700 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
22704 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
22705 ATM_SKB(sb)->vcc = vcc;
22706 __net_timestamp(sb);
22707 vcc->push(vcc, sb);
22708 - atomic_inc(&vcc->stats->rx);
22709 + atomic_inc_unchecked(&vcc->stats->rx);
22711 cell += ATM_CELL_PAYLOAD;
22713 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
22715 card->name, len, rpp->len, readl(SAR_REG_CDC));
22716 recycle_rx_pool_skb(card, rpp);
22717 - atomic_inc(&vcc->stats->rx_err);
22718 + atomic_inc_unchecked(&vcc->stats->rx_err);
22721 if (stat & SAR_RSQE_CRC) {
22722 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
22723 recycle_rx_pool_skb(card, rpp);
22724 - atomic_inc(&vcc->stats->rx_err);
22725 + atomic_inc_unchecked(&vcc->stats->rx_err);
22728 if (skb_queue_len(&rpp->queue) > 1) {
22729 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
22730 RXPRINTK("%s: Can't alloc RX skb.\n",
22732 recycle_rx_pool_skb(card, rpp);
22733 - atomic_inc(&vcc->stats->rx_err);
22734 + atomic_inc_unchecked(&vcc->stats->rx_err);
22737 if (!atm_charge(vcc, skb->truesize)) {
22738 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
22739 __net_timestamp(skb);
22741 vcc->push(vcc, skb);
22742 - atomic_inc(&vcc->stats->rx);
22743 + atomic_inc_unchecked(&vcc->stats->rx);
22747 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
22748 __net_timestamp(skb);
22750 vcc->push(vcc, skb);
22751 - atomic_inc(&vcc->stats->rx);
22752 + atomic_inc_unchecked(&vcc->stats->rx);
22754 if (skb->truesize > SAR_FB_SIZE_3)
22755 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
22756 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
22757 if (vcc->qos.aal != ATM_AAL0) {
22758 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
22759 card->name, vpi, vci);
22760 - atomic_inc(&vcc->stats->rx_drop);
22761 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22765 if ((sb = dev_alloc_skb(64)) == NULL) {
22766 printk("%s: Can't allocate buffers for AAL0.\n",
22768 - atomic_inc(&vcc->stats->rx_err);
22769 + atomic_inc_unchecked(&vcc->stats->rx_err);
22773 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
22774 ATM_SKB(sb)->vcc = vcc;
22775 __net_timestamp(sb);
22776 vcc->push(vcc, sb);
22777 - atomic_inc(&vcc->stats->rx);
22778 + atomic_inc_unchecked(&vcc->stats->rx);
22781 skb_pull(queue, 64);
22782 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22785 printk("%s: NULL connection in send().\n", card->name);
22786 - atomic_inc(&vcc->stats->tx_err);
22787 + atomic_inc_unchecked(&vcc->stats->tx_err);
22788 dev_kfree_skb(skb);
22791 if (!test_bit(VCF_TX, &vc->flags)) {
22792 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
22793 - atomic_inc(&vcc->stats->tx_err);
22794 + atomic_inc_unchecked(&vcc->stats->tx_err);
22795 dev_kfree_skb(skb);
22798 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22801 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
22802 - atomic_inc(&vcc->stats->tx_err);
22803 + atomic_inc_unchecked(&vcc->stats->tx_err);
22804 dev_kfree_skb(skb);
22808 if (skb_shinfo(skb)->nr_frags != 0) {
22809 printk("%s: No scatter-gather yet.\n", card->name);
22810 - atomic_inc(&vcc->stats->tx_err);
22811 + atomic_inc_unchecked(&vcc->stats->tx_err);
22812 dev_kfree_skb(skb);
22815 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22817 err = queue_skb(card, vc, skb, oam);
22819 - atomic_inc(&vcc->stats->tx_err);
22820 + atomic_inc_unchecked(&vcc->stats->tx_err);
22821 dev_kfree_skb(skb);
22824 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
22825 skb = dev_alloc_skb(64);
22827 printk("%s: Out of memory in send_oam().\n", card->name);
22828 - atomic_inc(&vcc->stats->tx_err);
22829 + atomic_inc_unchecked(&vcc->stats->tx_err);
22832 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
22833 diff -urNp linux-2.6.35.5/drivers/atm/iphase.c linux-2.6.35.5/drivers/atm/iphase.c
22834 --- linux-2.6.35.5/drivers/atm/iphase.c 2010-08-26 19:47:12.000000000 -0400
22835 +++ linux-2.6.35.5/drivers/atm/iphase.c 2010-09-17 20:12:09.000000000 -0400
22836 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
22837 status = (u_short) (buf_desc_ptr->desc_mode);
22838 if (status & (RX_CER | RX_PTE | RX_OFL))
22840 - atomic_inc(&vcc->stats->rx_err);
22841 + atomic_inc_unchecked(&vcc->stats->rx_err);
22842 IF_ERR(printk("IA: bad packet, dropping it");)
22843 if (status & RX_CER) {
22844 IF_ERR(printk(" cause: packet CRC error\n");)
22845 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
22846 len = dma_addr - buf_addr;
22847 if (len > iadev->rx_buf_sz) {
22848 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
22849 - atomic_inc(&vcc->stats->rx_err);
22850 + atomic_inc_unchecked(&vcc->stats->rx_err);
22851 goto out_free_desc;
22854 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
22855 ia_vcc = INPH_IA_VCC(vcc);
22856 if (ia_vcc == NULL)
22858 - atomic_inc(&vcc->stats->rx_err);
22859 + atomic_inc_unchecked(&vcc->stats->rx_err);
22860 dev_kfree_skb_any(skb);
22861 atm_return(vcc, atm_guess_pdu2truesize(len));
22863 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
22864 if ((length > iadev->rx_buf_sz) || (length >
22865 (skb->len - sizeof(struct cpcs_trailer))))
22867 - atomic_inc(&vcc->stats->rx_err);
22868 + atomic_inc_unchecked(&vcc->stats->rx_err);
22869 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
22870 length, skb->len);)
22871 dev_kfree_skb_any(skb);
22872 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
22874 IF_RX(printk("rx_dle_intr: skb push");)
22875 vcc->push(vcc,skb);
22876 - atomic_inc(&vcc->stats->rx);
22877 + atomic_inc_unchecked(&vcc->stats->rx);
22878 iadev->rx_pkt_cnt++;
22881 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
22883 struct k_sonet_stats *stats;
22884 stats = &PRIV(_ia_dev[board])->sonet_stats;
22885 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
22886 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
22887 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
22888 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
22889 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
22890 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
22891 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
22892 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
22893 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
22894 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
22895 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
22896 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
22897 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
22898 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
22899 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
22900 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
22901 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
22902 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
22904 ia_cmds.status = 0;
22906 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
22907 if ((desc == 0) || (desc > iadev->num_tx_desc))
22909 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
22910 - atomic_inc(&vcc->stats->tx);
22911 + atomic_inc_unchecked(&vcc->stats->tx);
22913 vcc->pop(vcc, skb);
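Review bot: The invalid-descriptor branch increments `stats->tx` even though the packet is rejected and handed straight back through `vcc->pop`, so failed sends are counted as transmitted. The behaviour predates this change, but the converted line carries it forward; it looks like it should read `atomic_inc_unchecked(&vcc->stats->tx_err);`. Because the next hunk reads the same counter to pace its flow-control adjustment, the miscount is not purely cosmetic. ia_pkt_tx starts and ends outside the hunk, so confirm against the rest of the function before changing it.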
22915 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
22916 ATM_DESC(skb) = vcc->vci;
22917 skb_queue_tail(&iadev->tx_dma_q, skb);
22919 - atomic_inc(&vcc->stats->tx);
22920 + atomic_inc_unchecked(&vcc->stats->tx);
22921 iadev->tx_pkt_cnt++;
22922 /* Increment transaction counter */
22923 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
22926 /* add flow control logic */
22927 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
22928 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
22929 if (iavcc->vc_desc_cnt > 10) {
22930 vcc->tx_quota = vcc->tx_quota * 3 / 4;
22931 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
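Review bot: The `% 20` test is the one place in these hunks where a counter converted to `_unchecked` feeds a decision (the `tx_quota` adjustment) rather than being reported only. With a wrapping signed counter the remainder can go negative, but the `== 0` comparison still fires every twentieth increment, so the conversion looks harmless here. That reasoning is worth a comment on the condition, for example `/* tx is a wrapping statistics counter; only its value modulo 20 matters */`, so nobody later assumes the value is monotonic. ia_pkt_tx continues outside the hunk.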
22932 diff -urNp linux-2.6.35.5/drivers/atm/lanai.c linux-2.6.35.5/drivers/atm/lanai.c
22933 --- linux-2.6.35.5/drivers/atm/lanai.c 2010-08-26 19:47:12.000000000 -0400
22934 +++ linux-2.6.35.5/drivers/atm/lanai.c 2010-09-17 20:12:09.000000000 -0400
22935 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
22936 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
22937 lanai_endtx(lanai, lvcc);
22938 lanai_free_skb(lvcc->tx.atmvcc, skb);
22939 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
22940 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
22943 /* Try to fill the buffer - don't call unless there is backlog */
22944 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
22945 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
22946 __net_timestamp(skb);
22947 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
22948 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
22949 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
22951 lvcc->rx.buf.ptr = end;
22952 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
22953 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
22954 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
22955 "vcc %d\n", lanai->number, (unsigned int) s, vci);
22956 lanai->stats.service_rxnotaal5++;
22957 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
22958 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
22961 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
22962 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
22964 read_unlock(&vcc_sklist_lock);
22965 DPRINTK("got trashed rx pdu on vci %d\n", vci);
22966 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
22967 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
22968 lvcc->stats.x.aal5.service_trash++;
22969 bytes = (SERVICE_GET_END(s) * 16) -
22970 (((unsigned long) lvcc->rx.buf.ptr) -
22971 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
22973 if (s & SERVICE_STREAM) {
22974 read_unlock(&vcc_sklist_lock);
22975 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
22976 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
22977 lvcc->stats.x.aal5.service_stream++;
22978 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
22979 "PDU on VCI %d!\n", lanai->number, vci);
22980 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
22983 DPRINTK("got rx crc error on vci %d\n", vci);
22984 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
22985 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
22986 lvcc->stats.x.aal5.service_rxcrc++;
22987 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
22988 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
22989 diff -urNp linux-2.6.35.5/drivers/atm/nicstar.c linux-2.6.35.5/drivers/atm/nicstar.c
22990 --- linux-2.6.35.5/drivers/atm/nicstar.c 2010-08-26 19:47:12.000000000 -0400
22991 +++ linux-2.6.35.5/drivers/atm/nicstar.c 2010-09-17 20:12:09.000000000 -0400
22992 @@ -1722,7 +1722,7 @@ static int ns_send(struct atm_vcc *vcc,
22993 if ((vc = (vc_map *) vcc->dev_data) == NULL)
22995 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
22996 - atomic_inc(&vcc->stats->tx_err);
22997 + atomic_inc_unchecked(&vcc->stats->tx_err);
22998 dev_kfree_skb_any(skb);
23001 @@ -1730,7 +1730,7 @@ static int ns_send(struct atm_vcc *vcc,
23004 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
23005 - atomic_inc(&vcc->stats->tx_err);
23006 + atomic_inc_unchecked(&vcc->stats->tx_err);
23007 dev_kfree_skb_any(skb);
23010 @@ -1738,7 +1738,7 @@ static int ns_send(struct atm_vcc *vcc,
23011 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
23013 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
23014 - atomic_inc(&vcc->stats->tx_err);
23015 + atomic_inc_unchecked(&vcc->stats->tx_err);
23016 dev_kfree_skb_any(skb);
23019 @@ -1746,7 +1746,7 @@ static int ns_send(struct atm_vcc *vcc,
23020 if (skb_shinfo(skb)->nr_frags != 0)
23022 printk("nicstar%d: No scatter-gather yet.\n", card->index);
23023 - atomic_inc(&vcc->stats->tx_err);
23024 + atomic_inc_unchecked(&vcc->stats->tx_err);
23025 dev_kfree_skb_any(skb);
23028 @@ -1791,11 +1791,11 @@ static int ns_send(struct atm_vcc *vcc,
23030 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
23032 - atomic_inc(&vcc->stats->tx_err);
23033 + atomic_inc_unchecked(&vcc->stats->tx_err);
23034 dev_kfree_skb_any(skb);
23037 - atomic_inc(&vcc->stats->tx);
23038 + atomic_inc_unchecked(&vcc->stats->tx);
23042 @@ -2110,14 +2110,14 @@ static void dequeue_rx(ns_dev *card, ns_
23044 printk("nicstar%d: Can't allocate buffers for aal0.\n",
23046 - atomic_add(i,&vcc->stats->rx_drop);
23047 + atomic_add_unchecked(i,&vcc->stats->rx_drop);
23050 if (!atm_charge(vcc, sb->truesize))
23052 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
23054 - atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
23055 + atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
23056 dev_kfree_skb_any(sb);
23059 @@ -2132,7 +2132,7 @@ static void dequeue_rx(ns_dev *card, ns_
23060 ATM_SKB(sb)->vcc = vcc;
23061 __net_timestamp(sb);
23062 vcc->push(vcc, sb);
23063 - atomic_inc(&vcc->stats->rx);
23064 + atomic_inc_unchecked(&vcc->stats->rx);
23065 cell += ATM_CELL_PAYLOAD;
23068 @@ -2151,7 +2151,7 @@ static void dequeue_rx(ns_dev *card, ns_
23071 printk("nicstar%d: Out of iovec buffers.\n", card->index);
23072 - atomic_inc(&vcc->stats->rx_drop);
23073 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23074 recycle_rx_buf(card, skb);
23077 @@ -2181,7 +2181,7 @@ static void dequeue_rx(ns_dev *card, ns_
23078 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
23080 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
23081 - atomic_inc(&vcc->stats->rx_err);
23082 + atomic_inc_unchecked(&vcc->stats->rx_err);
23083 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
23084 NS_SKB(iovb)->iovcnt = 0;
23086 @@ -2201,7 +2201,7 @@ static void dequeue_rx(ns_dev *card, ns_
23087 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
23089 which_list(card, skb);
23090 - atomic_inc(&vcc->stats->rx_err);
23091 + atomic_inc_unchecked(&vcc->stats->rx_err);
23092 recycle_rx_buf(card, skb);
23094 recycle_iov_buf(card, iovb);
23095 @@ -2215,7 +2215,7 @@ static void dequeue_rx(ns_dev *card, ns_
23096 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
23098 which_list(card, skb);
23099 - atomic_inc(&vcc->stats->rx_err);
23100 + atomic_inc_unchecked(&vcc->stats->rx_err);
23101 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23102 NS_SKB(iovb)->iovcnt);
23104 @@ -2239,7 +2239,7 @@ static void dequeue_rx(ns_dev *card, ns_
23105 printk(" - PDU size mismatch.\n");
23108 - atomic_inc(&vcc->stats->rx_err);
23109 + atomic_inc_unchecked(&vcc->stats->rx_err);
23110 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23111 NS_SKB(iovb)->iovcnt);
23113 @@ -2255,7 +2255,7 @@ static void dequeue_rx(ns_dev *card, ns_
23114 if (!atm_charge(vcc, skb->truesize))
23116 push_rxbufs(card, skb);
23117 - atomic_inc(&vcc->stats->rx_drop);
23118 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23122 @@ -2267,7 +2267,7 @@ static void dequeue_rx(ns_dev *card, ns_
23123 ATM_SKB(skb)->vcc = vcc;
23124 __net_timestamp(skb);
23125 vcc->push(vcc, skb);
23126 - atomic_inc(&vcc->stats->rx);
23127 + atomic_inc_unchecked(&vcc->stats->rx);
23130 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
23131 @@ -2282,7 +2282,7 @@ static void dequeue_rx(ns_dev *card, ns_
23132 if (!atm_charge(vcc, sb->truesize))
23134 push_rxbufs(card, sb);
23135 - atomic_inc(&vcc->stats->rx_drop);
23136 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23140 @@ -2294,7 +2294,7 @@ static void dequeue_rx(ns_dev *card, ns_
23141 ATM_SKB(sb)->vcc = vcc;
23142 __net_timestamp(sb);
23143 vcc->push(vcc, sb);
23144 - atomic_inc(&vcc->stats->rx);
23145 + atomic_inc_unchecked(&vcc->stats->rx);
23148 push_rxbufs(card, skb);
23149 @@ -2305,7 +2305,7 @@ static void dequeue_rx(ns_dev *card, ns_
23150 if (!atm_charge(vcc, skb->truesize))
23152 push_rxbufs(card, skb);
23153 - atomic_inc(&vcc->stats->rx_drop);
23154 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23158 @@ -2319,7 +2319,7 @@ static void dequeue_rx(ns_dev *card, ns_
23159 ATM_SKB(skb)->vcc = vcc;
23160 __net_timestamp(skb);
23161 vcc->push(vcc, skb);
23162 - atomic_inc(&vcc->stats->rx);
23163 + atomic_inc_unchecked(&vcc->stats->rx);
23166 push_rxbufs(card, sb);
23167 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev *card, ns_
23170 printk("nicstar%d: Out of huge buffers.\n", card->index);
23171 - atomic_inc(&vcc->stats->rx_drop);
23172 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23173 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23174 NS_SKB(iovb)->iovcnt);
23176 @@ -2392,7 +2392,7 @@ static void dequeue_rx(ns_dev *card, ns_
23179 dev_kfree_skb_any(hb);
23180 - atomic_inc(&vcc->stats->rx_drop);
23181 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23185 @@ -2426,7 +2426,7 @@ static void dequeue_rx(ns_dev *card, ns_
23186 #endif /* NS_USE_DESTRUCTORS */
23187 __net_timestamp(hb);
23188 vcc->push(vcc, hb);
23189 - atomic_inc(&vcc->stats->rx);
23190 + atomic_inc_unchecked(&vcc->stats->rx);
23194 diff -urNp linux-2.6.35.5/drivers/atm/solos-pci.c linux-2.6.35.5/drivers/atm/solos-pci.c
23195 --- linux-2.6.35.5/drivers/atm/solos-pci.c 2010-08-26 19:47:12.000000000 -0400
23196 +++ linux-2.6.35.5/drivers/atm/solos-pci.c 2010-09-17 20:12:09.000000000 -0400
23197 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
23199 atm_charge(vcc, skb->truesize);
23200 vcc->push(vcc, skb);
23201 - atomic_inc(&vcc->stats->rx);
23202 + atomic_inc_unchecked(&vcc->stats->rx);
23206 @@ -1023,7 +1023,7 @@ static uint32_t fpga_tx(struct solos_car
23207 vcc = SKB_CB(oldskb)->vcc;
23210 - atomic_inc(&vcc->stats->tx);
23211 + atomic_inc_unchecked(&vcc->stats->tx);
23212 solos_pop(vcc, oldskb);
23214 dev_kfree_skb_irq(oldskb);
23215 diff -urNp linux-2.6.35.5/drivers/atm/suni.c linux-2.6.35.5/drivers/atm/suni.c
23216 --- linux-2.6.35.5/drivers/atm/suni.c 2010-08-26 19:47:12.000000000 -0400
23217 +++ linux-2.6.35.5/drivers/atm/suni.c 2010-09-17 20:12:09.000000000 -0400
23218 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
23221 #define ADD_LIMITED(s,v) \
23222 - atomic_add((v),&stats->s); \
23223 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
23224 + atomic_add_unchecked((v),&stats->s); \
23225 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
23228 static void suni_hz(unsigned long from_timer)
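Review bot: The saturation in `ADD_LIMITED` works by letting the add wrap to a negative value and then clamping to `INT_MAX`, so the `_unchecked` operations are required here rather than merely permitted; an overflow-trapping add would presumably fire before the clamp is reached. That dependency deserves a comment above the macro, e.g. `/* saturating stats counter: relies on wrap to negative, must stay _unchecked */`, and the same applies to the `ADD_LIMITED` in the uPD98402.c hunk further down. Separately, this version expands to two bare statements, unlike the braced uPD98402.c one, so only the add would be guarded if it were used under an unbraced `if`; wrapping the body in `do { ... } while (0)` removes that hazard.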
23229 diff -urNp linux-2.6.35.5/drivers/atm/uPD98402.c linux-2.6.35.5/drivers/atm/uPD98402.c
23230 --- linux-2.6.35.5/drivers/atm/uPD98402.c 2010-08-26 19:47:12.000000000 -0400
23231 +++ linux-2.6.35.5/drivers/atm/uPD98402.c 2010-09-17 20:12:09.000000000 -0400
23232 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
23233 struct sonet_stats tmp;
23236 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23237 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23238 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
23239 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
23240 if (zero && !error) {
23241 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
23244 #define ADD_LIMITED(s,v) \
23245 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
23246 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
23247 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23248 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
23249 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
23250 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23253 static void stat_event(struct atm_dev *dev)
23254 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
23255 if (reason & uPD98402_INT_PFM) stat_event(dev);
23256 if (reason & uPD98402_INT_PCO) {
23257 (void) GET(PCOCR); /* clear interrupt cause */
23258 - atomic_add(GET(HECCT),
23259 + atomic_add_unchecked(GET(HECCT),
23260 &PRIV(dev)->sonet_stats.uncorr_hcs);
23262 if ((reason & uPD98402_INT_RFO) &&
23263 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
23264 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
23265 uPD98402_INT_LOS),PIMR); /* enable them */
23266 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
23267 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23268 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
23269 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
23270 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23271 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
23272 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
23276 diff -urNp linux-2.6.35.5/drivers/atm/zatm.c linux-2.6.35.5/drivers/atm/zatm.c
23277 --- linux-2.6.35.5/drivers/atm/zatm.c 2010-08-26 19:47:12.000000000 -0400
23278 +++ linux-2.6.35.5/drivers/atm/zatm.c 2010-09-17 20:12:09.000000000 -0400
23279 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23282 dev_kfree_skb_irq(skb);
23283 - if (vcc) atomic_inc(&vcc->stats->rx_err);
23284 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
23287 if (!atm_charge(vcc,skb->truesize)) {
23288 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23290 ATM_SKB(skb)->vcc = vcc;
23291 vcc->push(vcc,skb);
23292 - atomic_inc(&vcc->stats->rx);
23293 + atomic_inc_unchecked(&vcc->stats->rx);
23295 zout(pos & 0xffff,MTA(mbx));
23296 #if 0 /* probably a stupid idea */
23297 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
23298 skb_queue_head(&zatm_vcc->backlog,skb);
23301 - atomic_inc(&vcc->stats->tx);
23302 + atomic_inc_unchecked(&vcc->stats->tx);
23303 wake_up(&zatm_vcc->tx_wait);
23306 diff -urNp linux-2.6.35.5/drivers/char/agp/frontend.c linux-2.6.35.5/drivers/char/agp/frontend.c
23307 --- linux-2.6.35.5/drivers/char/agp/frontend.c 2010-08-26 19:47:12.000000000 -0400
23308 +++ linux-2.6.35.5/drivers/char/agp/frontend.c 2010-09-17 20:12:09.000000000 -0400
23309 @@ -818,7 +818,7 @@ static int agpioc_reserve_wrap(struct ag
23310 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
23313 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
23314 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
23317 client = agp_find_client_by_pid(reserve.pid);
23318 diff -urNp linux-2.6.35.5/drivers/char/agp/intel-agp.c linux-2.6.35.5/drivers/char/agp/intel-agp.c
23319 --- linux-2.6.35.5/drivers/char/agp/intel-agp.c 2010-08-26 19:47:12.000000000 -0400
23320 +++ linux-2.6.35.5/drivers/char/agp/intel-agp.c 2010-09-17 20:12:09.000000000 -0400
23321 @@ -1036,7 +1036,7 @@ static struct pci_device_id agp_intel_pc
23322 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MC2_HB),
23323 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
23324 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
23326 + { 0, 0, 0, 0, 0, 0, 0 }
23329 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
23330 diff -urNp linux-2.6.35.5/drivers/char/hpet.c linux-2.6.35.5/drivers/char/hpet.c
23331 --- linux-2.6.35.5/drivers/char/hpet.c 2010-08-26 19:47:12.000000000 -0400
23332 +++ linux-2.6.35.5/drivers/char/hpet.c 2010-09-17 20:12:09.000000000 -0400
23333 @@ -429,7 +429,7 @@ static int hpet_release(struct inode *in
23337 -static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
23338 +static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
23340 static long hpet_ioctl(struct file *file, unsigned int cmd,
23342 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
23346 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
23347 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
23349 struct hpet_timer __iomem *timer;
23350 struct hpet __iomem *hpet;
23351 @@ -998,7 +998,7 @@ static struct acpi_driver hpet_acpi_driv
23355 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
23356 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
23358 static int __init hpet_init(void)
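Review bot: The replacement initializer `{ HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL }` spells out the remaining members of struct miscdevice by position, which breaks or silently mis-assigns as soon as the structure gains or reorders a member. Designated initializers say the same thing and leave the rest zeroed: `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };`.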
23360 diff -urNp linux-2.6.35.5/drivers/char/hvc_console.h linux-2.6.35.5/drivers/char/hvc_console.h
23361 --- linux-2.6.35.5/drivers/char/hvc_console.h 2010-08-26 19:47:12.000000000 -0400
23362 +++ linux-2.6.35.5/drivers/char/hvc_console.h 2010-09-17 20:12:09.000000000 -0400
23363 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
23364 /* register a vterm for hvc tty operation (module_init or hotplug add) */
23365 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
23366 const struct hv_ops *ops, int outbuf_size);
23368 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
23369 extern int hvc_remove(struct hvc_struct *hp);
23371 diff -urNp linux-2.6.35.5/drivers/char/hvcs.c linux-2.6.35.5/drivers/char/hvcs.c
23372 --- linux-2.6.35.5/drivers/char/hvcs.c 2010-08-26 19:47:12.000000000 -0400
23373 +++ linux-2.6.35.5/drivers/char/hvcs.c 2010-09-17 20:12:09.000000000 -0400
23374 @@ -270,7 +270,7 @@ struct hvcs_struct {
23375 unsigned int index;
23377 struct tty_struct *tty;
23379 + atomic_t open_count;
23382 * Used to tell the driver kernel_thread what operations need to take
23383 @@ -420,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
23385 spin_lock_irqsave(&hvcsd->lock, flags);
23387 - if (hvcsd->open_count > 0) {
23388 + if (atomic_read(&hvcsd->open_count) > 0) {
23389 spin_unlock_irqrestore(&hvcsd->lock, flags);
23390 printk(KERN_INFO "HVCS: vterm state unchanged. "
23391 "The hvcs device node is still in use.\n");
23392 @@ -1136,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
23393 if ((retval = hvcs_partner_connect(hvcsd)))
23394 goto error_release;
23396 - hvcsd->open_count = 1;
23397 + atomic_set(&hvcsd->open_count, 1);
23399 tty->driver_data = hvcsd;
23401 @@ -1170,7 +1170,7 @@ fast_open:
23403 spin_lock_irqsave(&hvcsd->lock, flags);
23404 kref_get(&hvcsd->kref);
23405 - hvcsd->open_count++;
23406 + atomic_inc(&hvcsd->open_count);
23407 hvcsd->todo_mask |= HVCS_SCHED_READ;
23408 spin_unlock_irqrestore(&hvcsd->lock, flags);
23410 @@ -1214,7 +1214,7 @@ static void hvcs_close(struct tty_struct
23411 hvcsd = tty->driver_data;
23413 spin_lock_irqsave(&hvcsd->lock, flags);
23414 - if (--hvcsd->open_count == 0) {
23415 + if (atomic_dec_and_test(&hvcsd->open_count)) {
23417 vio_disable_interrupts(hvcsd->vdev);
23419 @@ -1240,10 +1240,10 @@ static void hvcs_close(struct tty_struct
23420 free_irq(irq, hvcsd);
23421 kref_put(&hvcsd->kref, destroy_hvcs_struct);
23423 - } else if (hvcsd->open_count < 0) {
23424 + } else if (atomic_read(&hvcsd->open_count) < 0) {
23425 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
23426 " is missmanaged.\n",
23427 - hvcsd->vdev->unit_address, hvcsd->open_count);
23428 + hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
23431 spin_unlock_irqrestore(&hvcsd->lock, flags);
23432 @@ -1259,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
23434 spin_lock_irqsave(&hvcsd->lock, flags);
23435 /* Preserve this so that we know how many kref refs to put */
23436 - temp_open_count = hvcsd->open_count;
23437 + temp_open_count = atomic_read(&hvcsd->open_count);
23440 * Don't kref put inside the spinlock because the destruction
23441 @@ -1274,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
23442 hvcsd->tty->driver_data = NULL;
23445 - hvcsd->open_count = 0;
23446 + atomic_set(&hvcsd->open_count, 0);
23448 /* This will drop any buffered data on the floor which is OK in a hangup
23450 @@ -1345,7 +1345,7 @@ static int hvcs_write(struct tty_struct
23451 * the middle of a write operation? This is a crummy place to do this
23452 * but we want to keep it all in the spinlock.
23454 - if (hvcsd->open_count <= 0) {
23455 + if (atomic_read(&hvcsd->open_count) <= 0) {
23456 spin_unlock_irqrestore(&hvcsd->lock, flags);
23459 @@ -1419,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
23461 struct hvcs_struct *hvcsd = tty->driver_data;
23463 - if (!hvcsd || hvcsd->open_count <= 0)
23464 + if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
23467 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
23468 diff -urNp linux-2.6.35.5/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.35.5/drivers/char/ipmi/ipmi_msghandler.c
23469 --- linux-2.6.35.5/drivers/char/ipmi/ipmi_msghandler.c 2010-08-26 19:47:12.000000000 -0400
23470 +++ linux-2.6.35.5/drivers/char/ipmi/ipmi_msghandler.c 2010-09-17 20:12:09.000000000 -0400
23471 @@ -414,7 +414,7 @@ struct ipmi_smi {
23472 struct proc_dir_entry *proc_dir;
23473 char proc_dir_name[10];
23475 - atomic_t stats[IPMI_NUM_STATS];
23476 + atomic_unchecked_t stats[IPMI_NUM_STATS];
23479 * run_to_completion duplicate of smb_info, smi_info
23480 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
23483 #define ipmi_inc_stat(intf, stat) \
23484 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
23485 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
23486 #define ipmi_get_stat(intf, stat) \
23487 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
23488 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
23490 static int is_lan_addr(struct ipmi_addr *addr)
23492 @@ -2817,7 +2817,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
23493 INIT_LIST_HEAD(&intf->cmd_rcvrs);
23494 init_waitqueue_head(&intf->waitq);
23495 for (i = 0; i < IPMI_NUM_STATS; i++)
23496 - atomic_set(&intf->stats[i], 0);
23497 + atomic_set_unchecked(&intf->stats[i], 0);
23499 intf->proc_dir = NULL;
23501 diff -urNp linux-2.6.35.5/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.35.5/drivers/char/ipmi/ipmi_si_intf.c
23502 --- linux-2.6.35.5/drivers/char/ipmi/ipmi_si_intf.c 2010-08-26 19:47:12.000000000 -0400
23503 +++ linux-2.6.35.5/drivers/char/ipmi/ipmi_si_intf.c 2010-09-17 20:12:09.000000000 -0400
23504 @@ -286,7 +286,7 @@ struct smi_info {
23505 unsigned char slave_addr;
23507 /* Counters and things for the proc filesystem. */
23508 - atomic_t stats[SI_NUM_STATS];
23509 + atomic_unchecked_t stats[SI_NUM_STATS];
23511 struct task_struct *thread;
23513 @@ -294,9 +294,9 @@ struct smi_info {
23516 #define smi_inc_stat(smi, stat) \
23517 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
23518 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
23519 #define smi_get_stat(smi, stat) \
23520 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
23521 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
23523 #define SI_MAX_PARMS 4
23525 @@ -3143,7 +3143,7 @@ static int try_smi_init(struct smi_info
23526 atomic_set(&new_smi->req_events, 0);
23527 new_smi->run_to_completion = 0;
23528 for (i = 0; i < SI_NUM_STATS; i++)
23529 - atomic_set(&new_smi->stats[i], 0);
23530 + atomic_set_unchecked(&new_smi->stats[i], 0);
23532 new_smi->interrupt_disabled = 1;
23533 atomic_set(&new_smi->stop_operation, 0);
23534 diff -urNp linux-2.6.35.5/drivers/char/keyboard.c linux-2.6.35.5/drivers/char/keyboard.c
23535 --- linux-2.6.35.5/drivers/char/keyboard.c 2010-08-26 19:47:12.000000000 -0400
23536 +++ linux-2.6.35.5/drivers/char/keyboard.c 2010-09-17 20:12:37.000000000 -0400
23537 @@ -640,6 +640,16 @@ static void k_spec(struct vc_data *vc, u
23538 kbd->kbdmode == VC_MEDIUMRAW) &&
23539 value != KVAL(K_SAK))
23540 return; /* SAK is allowed even in raw mode */
23542 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
23544 + void *func = fn_handler[value];
23545 + if (func == fn_show_state || func == fn_show_ptregs ||
23546 + func == fn_show_mem)
23551 fn_handler[value](vc);
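Review bot: `void *func = fn_handler[value];` stores a function pointer in a `void *` only to compare it; declaring the local with the element type of `fn_handler` would keep the comparison type-checked. The block also has no comment saying why fn_show_state, fn_show_ptregs and fn_show_mem are singled out. Something like `/* these handlers print task, register and memory state to the console; suppress them when the /proc restrictions are enabled */` would record the intent (my reading of the config symbols, to be confirmed). The statement under the condition is missing from this page, and k_spec starts outside the hunk.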
23554 @@ -1392,7 +1402,7 @@ static const struct input_device_id kbd_
23555 .evbit = { BIT_MASK(EV_SND) },
23558 - { }, /* Terminating entry */
23559 + { 0 }, /* Terminating entry */
23562 MODULE_DEVICE_TABLE(input, kbd_ids);
23563 diff -urNp linux-2.6.35.5/drivers/char/mem.c linux-2.6.35.5/drivers/char/mem.c
23564 --- linux-2.6.35.5/drivers/char/mem.c 2010-08-26 19:47:12.000000000 -0400
23565 +++ linux-2.6.35.5/drivers/char/mem.c 2010-09-17 20:12:37.000000000 -0400
23567 #include <linux/raw.h>
23568 #include <linux/tty.h>
23569 #include <linux/capability.h>
23570 +#include <linux/security.h>
23571 #include <linux/ptrace.h>
23572 #include <linux/device.h>
23573 #include <linux/highmem.h>
23575 # include <linux/efi.h>
23578 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23579 +extern struct file_operations grsec_fops;
23582 static inline unsigned long size_inside_page(unsigned long start,
23583 unsigned long size)
23585 @@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil
23587 while (count > 0) {
23588 unsigned long remaining;
23591 sz = size_inside_page(p, count);
23593 @@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil
23597 - remaining = copy_to_user(buf, ptr, sz);
23598 +#ifdef CONFIG_PAX_USERCOPY
23599 + temp = kmalloc(sz, GFP_KERNEL);
23601 + unxlate_dev_mem_ptr(p, ptr);
23604 + memcpy(temp, ptr, sz);
23609 + remaining = copy_to_user(buf, temp, sz);
23611 +#ifdef CONFIG_PAX_USERCOPY
23615 unxlate_dev_mem_ptr(p, ptr);
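Review bot: The bounce buffer added to read_mem under CONFIG_PAX_USERCOPY has no comment saying why the data is copied twice, and it is allocated with `kmalloc(sz, GFP_KERNEL)` on every pass of the `while (count > 0)` loop. A line such as `/* copy through a slab object so the usercopy check sees a source of known size */` would record the reason (presumably that; confirm). Judging by `size_inside_page`, `sz` never exceeds one page, so a single page-sized buffer allocated before the loop and freed after it would avoid the repeated allocation. The read_kmem hunk further down uses the same pattern. Several lines of both hunks are missing from this page, so the allocation-failure and free paths could not be checked.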
23618 @@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi
23619 if (!valid_phys_addr_range(p, count))
23622 +#ifdef CONFIG_GRKERNSEC_KMEM
23623 + gr_handle_mem_write();
23629 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
23630 @@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s
23631 &vma->vm_page_prot))
23634 +#ifdef CONFIG_GRKERNSEC_KMEM
23635 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
23639 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
23641 vma->vm_page_prot);
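Review bot: The address passed to the new check, `vma->vm_pgoff << PAGE_SHIFT`, is computed in the type of `vm_pgoff`, so where physical addresses are wider than that type the high bits are lost before gr_handle_mem_mmap sees them. The filter would then judge a different address than the one being mapped. If the handler can take a wider type (its prototype is not on this page), widening before the shift avoids that: `(phys_addr_t)vma->vm_pgoff << PAGE_SHIFT`. Passing the page frame number and shifting inside the handler would work as well. mmap_mem continues outside the hunk.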
23642 @@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi
23643 size_t count, loff_t *ppos)
23645 unsigned long p = *ppos;
23646 - ssize_t low_count, read, sz;
23647 + ssize_t low_count, read, sz, err = 0;
23648 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
23652 if (p < (unsigned long) high_memory) {
23653 @@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi
23656 while (low_count > 0) {
23659 sz = size_inside_page(p, low_count);
23662 @@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi
23664 kbuf = xlate_dev_kmem_ptr((char *)p);
23666 - if (copy_to_user(buf, kbuf, sz))
23667 +#ifdef CONFIG_PAX_USERCOPY
23668 + temp = kmalloc(sz, GFP_KERNEL);
23671 + memcpy(temp, kbuf, sz);
23676 + err = copy_to_user(buf, temp, sz);
23678 +#ifdef CONFIG_PAX_USERCOPY
23686 @@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f
23687 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
23690 +#ifdef CONFIG_GRKERNSEC_KMEM
23691 + gr_handle_kmem_write();
23695 if (p < (unsigned long) high_memory) {
23696 unsigned long to_write = min_t(unsigned long, count,
23697 (unsigned long)high_memory - p);
23698 @@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file *
23700 static int open_port(struct inode * inode, struct file * filp)
23702 +#ifdef CONFIG_GRKERNSEC_KMEM
23703 + gr_handle_open_port();
23707 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23710 +static int open_mem(struct inode * inode, struct file * filp)
23712 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23715 @@ -738,7 +801,6 @@ static int open_port(struct inode * inod
23716 #define full_lseek null_lseek
23717 #define write_zero write_null
23718 #define read_full read_zero
23719 -#define open_mem open_port
23720 #define open_kmem open_mem
23721 #define open_oldmem open_mem
23723 @@ -854,6 +916,9 @@ static const struct memdev {
23724 #ifdef CONFIG_CRASH_DUMP
23725 [12] = { "oldmem", 0, &oldmem_fops, NULL },
23727 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23728 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
23732 static int memory_open(struct inode *inode, struct file *filp)
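Review bot: The new `[13]` entry registers the "grsec" node with `S_IRUSR | S_IWUGO`, so it is writable by owner, group and others, while the only other entry visible in this hunk uses mode 0. Presumably the write handler in `grsec_fops` authenticates the caller, but that structure is declared extern and not shown here. Because a world-writable node in the memory device class stands out in any audit, the entry should carry a comment such as `/* world-writable on purpose: grsec_fops authenticates every request */`, to be confirmed against the handler. The hard-coded minor 13 also deserves a note that it must not collide with a minor assigned upstream later.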
23733 diff -urNp linux-2.6.35.5/drivers/char/n_tty.c linux-2.6.35.5/drivers/char/n_tty.c
23734 --- linux-2.6.35.5/drivers/char/n_tty.c 2010-08-26 19:47:12.000000000 -0400
23735 +++ linux-2.6.35.5/drivers/char/n_tty.c 2010-09-17 20:12:09.000000000 -0400
23736 @@ -2105,6 +2105,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
23738 *ops = tty_ldisc_N_TTY;
23740 - ops->refcount = ops->flags = 0;
23741 + atomic_set(&ops->refcount, 0);
23744 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
23745 diff -urNp linux-2.6.35.5/drivers/char/nvram.c linux-2.6.35.5/drivers/char/nvram.c
23746 --- linux-2.6.35.5/drivers/char/nvram.c 2010-08-26 19:47:12.000000000 -0400
23747 +++ linux-2.6.35.5/drivers/char/nvram.c 2010-09-17 20:12:09.000000000 -0400
23748 @@ -245,7 +245,7 @@ static ssize_t nvram_read(struct file *f
23750 spin_unlock_irq(&rtc_lock);
23752 - if (copy_to_user(buf, contents, tmp - contents))
23753 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
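Review bot: The new guard `tmp - contents > sizeof(contents)` sits at the copy-out, presumably after `contents` has been filled, so it can stop an over-long copy to user space but not an overrun of the buffer itself. The comparison also mixes a signed pointer difference with the unsigned result of `sizeof`, which happens to reject a negative difference too. Both facts are worth a comment, e.g. `/* sanity check on the copy length; a negative difference converts to a huge unsigned value and is rejected as well */`. The filling code and the return statement are outside the visible lines of this hunk.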
23757 @@ -434,7 +434,10 @@ static const struct file_operations nvra
23758 static struct miscdevice nvram_dev = {
23768 static int __init nvram_init(void)
23769 diff -urNp linux-2.6.35.5/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.35.5/drivers/char/pcmcia/ipwireless/tty.c
23770 --- linux-2.6.35.5/drivers/char/pcmcia/ipwireless/tty.c 2010-08-26 19:47:12.000000000 -0400
23771 +++ linux-2.6.35.5/drivers/char/pcmcia/ipwireless/tty.c 2010-09-17 20:12:09.000000000 -0400
23772 @@ -51,7 +51,7 @@ struct ipw_tty {
23774 struct ipw_network *network;
23775 struct tty_struct *linux_tty;
23777 + atomic_t open_count;
23778 unsigned int control_lines;
23779 struct mutex ipw_tty_mutex;
23780 int tx_bytes_queued;
23781 @@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
23782 mutex_unlock(&tty->ipw_tty_mutex);
23785 - if (tty->open_count == 0)
23786 + if (atomic_read(&tty->open_count) == 0)
23787 tty->tx_bytes_queued = 0;
23789 - tty->open_count++;
23790 + atomic_inc(&tty->open_count);
23792 tty->linux_tty = linux_tty;
23793 linux_tty->driver_data = tty;
23794 @@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
23796 static void do_ipw_close(struct ipw_tty *tty)
23798 - tty->open_count--;
23800 - if (tty->open_count == 0) {
23801 + if (atomic_dec_return(&tty->open_count) == 0) {
23802 struct tty_struct *linux_tty = tty->linux_tty;
23804 if (linux_tty != NULL) {
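Review bot: `atomic_dec_return(&tty->open_count) == 0` in do_ipw_close is the long form of `atomic_dec_and_test(&tty->open_count)`, which the hvcs.c part of this patch already uses for the same purpose. Using it here keeps the two conversions consistent. Separately, the `while (atomic_read(&ttyj->open_count))` loop in the ipwireless_tty_free hunk further down still terminates only at exactly zero. A comment there stating that the count is expected never to go negative would be worthwhile.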
23805 @@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
23808 mutex_lock(&tty->ipw_tty_mutex);
23809 - if (tty->open_count == 0) {
23810 + if (atomic_read(&tty->open_count) == 0) {
23811 mutex_unlock(&tty->ipw_tty_mutex);
23814 @@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
23818 - if (!tty->open_count) {
23819 + if (!atomic_read(&tty->open_count)) {
23820 mutex_unlock(&tty->ipw_tty_mutex);
23823 @@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
23826 mutex_lock(&tty->ipw_tty_mutex);
23827 - if (!tty->open_count) {
23828 + if (!atomic_read(&tty->open_count)) {
23829 mutex_unlock(&tty->ipw_tty_mutex);
23832 @@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
23836 - if (!tty->open_count)
23837 + if (!atomic_read(&tty->open_count))
23840 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
23841 @@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
23845 - if (!tty->open_count)
23846 + if (!atomic_read(&tty->open_count))
23849 return tty->tx_bytes_queued;
23850 @@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
23854 - if (!tty->open_count)
23855 + if (!atomic_read(&tty->open_count))
23858 return get_control_lines(tty);
23859 @@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
23863 - if (!tty->open_count)
23864 + if (!atomic_read(&tty->open_count))
23867 return set_control_lines(tty, set, clear);
23868 @@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
23872 - if (!tty->open_count)
23873 + if (!atomic_read(&tty->open_count))
23876 /* FIXME: Exactly how is the tty object locked here .. */
23877 @@ -582,7 +580,7 @@ void ipwireless_tty_free(struct ipw_tty
23878 against a parallel ioctl etc */
23879 mutex_lock(&ttyj->ipw_tty_mutex);
23881 - while (ttyj->open_count)
23882 + while (atomic_read(&ttyj->open_count))
23883 do_ipw_close(ttyj);
23884 ipwireless_disassociate_network_ttys(network,
23885 ttyj->channel_idx);
23886 diff -urNp linux-2.6.35.5/drivers/char/pty.c linux-2.6.35.5/drivers/char/pty.c
23887 --- linux-2.6.35.5/drivers/char/pty.c 2010-08-26 19:47:12.000000000 -0400
23888 +++ linux-2.6.35.5/drivers/char/pty.c 2010-09-17 20:12:09.000000000 -0400
23889 @@ -677,7 +677,18 @@ static int ptmx_open(struct inode *inode
23893 -static struct file_operations ptmx_fops;
23894 +static const struct file_operations ptmx_fops = {
23895 + .llseek = no_llseek,
23896 + .read = tty_read,
23897 + .write = tty_write,
23898 + .poll = tty_poll,
23899 + .unlocked_ioctl = tty_ioctl,
23900 + .compat_ioctl = tty_compat_ioctl,
23901 + .open = ptmx_open,
23902 + .release = tty_release,
23903 + .fasync = tty_fasync,
23907 static void __init unix98_pty_init(void)
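Review bot: The static initializer for `ptmx_fops` repeats the tty file operations field by field instead of copying `tty_fops`, so any operation later added to or changed in `tty_fops` will silently not apply to /dev/ptmx. A comment above the initializer should record that, e.g. `/* must mirror tty_fops in tty_io.c except for .open */`. Also, `.compat_ioctl = tty_compat_ioctl` needs a declaration visible to this file, plus a NULL fallback when CONFIG_COMPAT is off. The tty_io.c part of this patch removes the local `#define tty_compat_ioctl NULL` and its replacement is not on this page, so that is worth checking.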
23909 @@ -731,9 +742,6 @@ static void __init unix98_pty_init(void)
23910 register_sysctl_table(pty_root_table);
23912 /* Now create the /dev/ptmx special device */
23913 - tty_default_fops(&ptmx_fops);
23914 - ptmx_fops.open = ptmx_open;
23916 cdev_init(&ptmx_cdev, &ptmx_fops);
23917 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
23918 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
23919 diff -urNp linux-2.6.35.5/drivers/char/random.c linux-2.6.35.5/drivers/char/random.c
23920 --- linux-2.6.35.5/drivers/char/random.c 2010-08-26 19:47:12.000000000 -0400
23921 +++ linux-2.6.35.5/drivers/char/random.c 2010-09-17 20:24:41.000000000 -0400
23922 @@ -254,8 +254,13 @@
23924 * Configuration information
23926 +#ifdef CONFIG_GRKERNSEC_RANDNET
23927 +#define INPUT_POOL_WORDS 512
23928 +#define OUTPUT_POOL_WORDS 128
23930 #define INPUT_POOL_WORDS 128
23931 #define OUTPUT_POOL_WORDS 32
23933 #define SEC_XFER_SIZE 512
23934 #define EXTRACT_SIZE 10
23936 @@ -293,10 +298,17 @@ static struct poolinfo {
23938 int tap1, tap2, tap3, tap4, tap5;
23939 } poolinfo_table[] = {
23940 +#ifdef CONFIG_GRKERNSEC_RANDNET
23941 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
23942 + { 512, 411, 308, 208, 104, 1 },
23943 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
23944 + { 128, 103, 76, 51, 25, 1 },
23946 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
23947 { 128, 103, 76, 51, 25, 1 },
23948 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
23949 { 32, 26, 20, 14, 7, 1 },
23952 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
23953 { 2048, 1638, 1231, 819, 411, 1 },
23954 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
23956 extract_buf(r, tmp);
23957 i = min_t(int, nbytes, EXTRACT_SIZE);
23958 - if (copy_to_user(buf, tmp, i)) {
23959 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
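Review bot: In extract_entropy_user the added `i > sizeof(tmp)` compares the `int` produced by `min_t(int, nbytes, EXTRACT_SIZE)` with an unsigned `sizeof`. A negative `i` is therefore rejected only through the implicit conversion to unsigned; that case is possible if `nbytes` does not fit in an int, depending on its type, which the hunk does not show. The behaviour is useful but invisible, so I would add `/* i is int: a negative value converts to a large unsigned one and fails this check */` above the condition, or compute `i` in an unsigned type. The function body starts and ends outside the hunk.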
23963 @@ -1205,7 +1217,7 @@ EXPORT_SYMBOL(generate_random_uuid);
23964 #include <linux/sysctl.h>
23966 static int min_read_thresh = 8, min_write_thresh;
23967 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
23968 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
23969 static int max_write_thresh = INPUT_POOL_WORDS * 32;
23970 static char sysctl_bootid[16];
23972 diff -urNp linux-2.6.35.5/drivers/char/sonypi.c linux-2.6.35.5/drivers/char/sonypi.c
23973 --- linux-2.6.35.5/drivers/char/sonypi.c 2010-08-26 19:47:12.000000000 -0400
23974 +++ linux-2.6.35.5/drivers/char/sonypi.c 2010-09-17 20:12:09.000000000 -0400
23975 @@ -491,7 +491,7 @@ static struct sonypi_device {
23976 spinlock_t fifo_lock;
23977 wait_queue_head_t fifo_proc_list;
23978 struct fasync_struct *fifo_async;
23980 + atomic_t open_count;
23982 struct input_dev *input_jog_dev;
23983 struct input_dev *input_key_dev;
23984 @@ -898,7 +898,7 @@ static int sonypi_misc_fasync(int fd, st
23985 static int sonypi_misc_release(struct inode *inode, struct file *file)
23987 mutex_lock(&sonypi_device.lock);
23988 - sonypi_device.open_count--;
23989 + atomic_dec(&sonypi_device.open_count);
23990 mutex_unlock(&sonypi_device.lock);
23993 @@ -907,9 +907,9 @@ static int sonypi_misc_open(struct inode
23995 mutex_lock(&sonypi_device.lock);
23996 /* Flush input queue on first open */
23997 - if (!sonypi_device.open_count)
23998 + if (!atomic_read(&sonypi_device.open_count))
23999 kfifo_reset(&sonypi_device.fifo);
24000 - sonypi_device.open_count++;
24001 + atomic_inc(&sonypi_device.open_count);
24002 mutex_unlock(&sonypi_device.lock);
24005 diff -urNp linux-2.6.35.5/drivers/char/tpm/tpm_bios.c linux-2.6.35.5/drivers/char/tpm/tpm_bios.c
24006 --- linux-2.6.35.5/drivers/char/tpm/tpm_bios.c 2010-08-26 19:47:12.000000000 -0400
24007 +++ linux-2.6.35.5/drivers/char/tpm/tpm_bios.c 2010-09-17 20:12:09.000000000 -0400
24008 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
24011 if ((event->event_type == 0 && event->event_size == 0) ||
24012 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
24013 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
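Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` is only safe while `limit - addr` is at least `sizeof(struct tcpa_event)`. If it is smaller, the subtraction wraps once it is converted to the unsigned type of `sizeof`, and an oversized `event_size` passes the test. The hunk does not show an earlier check of `addr + sizeof(struct tcpa_event)` against `limit`, so correctness depends on code outside the view. I would add a comment above the condition, `/* addr + sizeof(struct tcpa_event) < limit was checked above, so the subtraction cannot wrap */`, once that is confirmed. The same applies to the `limit - v` form in the tpm_bios_measurements_next hunk that follows.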
24017 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
24020 if ((event->event_type == 0 && event->event_size == 0) ||
24021 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
24022 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
24026 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
24029 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
24030 - seq_putc(m, data[i]);
24031 + if (!seq_putc(m, data[i]))
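Review bot: The added test `if (!seq_putc(m, data[i]))` treats a zero return as the failure case, which looks inverted if seq_putc in this tree follows the usual seq_file convention of returning 0 on success and non-zero when the buffer is full. If that is the convention here, the loop would bail out after the first byte written successfully and never on overflow, and the condition would need to be `if (seq_putc(m, data[i]))`. The statement executed under the condition is not visible on this page. Please confirm both the return convention and the error value against the seq_file implementation of this kernel version.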
24036 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
24037 log->bios_event_log_end = log->bios_event_log + len;
24039 virt = acpi_os_map_memory(start, len);
24041 + kfree(log->bios_event_log);
24042 + log->bios_event_log = NULL;
24046 memcpy(log->bios_event_log, virt, len);
24048 diff -urNp linux-2.6.35.5/drivers/char/tty_io.c linux-2.6.35.5/drivers/char/tty_io.c
24049 --- linux-2.6.35.5/drivers/char/tty_io.c 2010-08-26 19:47:12.000000000 -0400
24050 +++ linux-2.6.35.5/drivers/char/tty_io.c 2010-09-17 20:12:09.000000000 -0400
24051 @@ -136,20 +136,10 @@ LIST_HEAD(tty_drivers); /* linked list
24052 DEFINE_MUTEX(tty_mutex);
24053 EXPORT_SYMBOL(tty_mutex);
24055 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
24056 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
24057 ssize_t redirected_tty_write(struct file *, const char __user *,
24059 -static unsigned int tty_poll(struct file *, poll_table *);
24060 static int tty_open(struct inode *, struct file *);
24061 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
24062 -#ifdef CONFIG_COMPAT
24063 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24064 - unsigned long arg);
24066 -#define tty_compat_ioctl NULL
24068 -static int tty_fasync(int fd, struct file *filp, int on);
24069 static void release_tty(struct tty_struct *tty, int idx);
24070 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24071 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24072 @@ -871,7 +861,7 @@ EXPORT_SYMBOL(start_tty);
24073 * read calls may be outstanding in parallel.
24076 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24077 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24081 @@ -899,6 +889,8 @@ static ssize_t tty_read(struct file *fil
24085 +EXPORT_SYMBOL(tty_read);
24087 void tty_write_unlock(struct tty_struct *tty)
24089 mutex_unlock(&tty->atomic_write_lock);
24090 @@ -1048,7 +1040,7 @@ void tty_write_message(struct tty_struct
24091 * write method will not be invoked in parallel for each device.
24094 -static ssize_t tty_write(struct file *file, const char __user *buf,
24095 +ssize_t tty_write(struct file *file, const char __user *buf,
24096 size_t count, loff_t *ppos)
24098 struct tty_struct *tty;
24099 @@ -1075,6 +1067,8 @@ static ssize_t tty_write(struct file *fi
24103 +EXPORT_SYMBOL(tty_write);
24105 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
24106 size_t count, loff_t *ppos)
24108 @@ -1897,6 +1891,8 @@ got_driver:
24112 +EXPORT_SYMBOL(tty_release);
24115 * tty_poll - check tty status
24116 * @filp: file being polled
24117 @@ -1909,7 +1905,7 @@ got_driver:
24118 * may be re-entered freely by other callers.
24121 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
24122 +unsigned int tty_poll(struct file *filp, poll_table *wait)
24124 struct tty_struct *tty;
24125 struct tty_ldisc *ld;
24126 @@ -1926,7 +1922,9 @@ static unsigned int tty_poll(struct file
24130 -static int tty_fasync(int fd, struct file *filp, int on)
24131 +EXPORT_SYMBOL(tty_poll);
24133 +int tty_fasync(int fd, struct file *filp, int on)
24135 struct tty_struct *tty;
24136 unsigned long flags;
24137 @@ -1970,6 +1968,8 @@ out:
24141 +EXPORT_SYMBOL(tty_fasync);
24144 * tiocsti - fake input character
24145 * @tty: tty to fake input into
24146 @@ -2602,8 +2602,10 @@ long tty_ioctl(struct file *file, unsign
24150 +EXPORT_SYMBOL(tty_ioctl);
24152 #ifdef CONFIG_COMPAT
24153 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24154 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
24157 struct inode *inode = file->f_dentry->d_inode;
24158 @@ -2627,6 +2629,9 @@ static long tty_compat_ioctl(struct file
24163 +EXPORT_SYMBOL(tty_compat_ioctl);
24168 @@ -3070,11 +3075,6 @@ struct tty_struct *get_current_tty(void)
24170 EXPORT_SYMBOL_GPL(get_current_tty);
24172 -void tty_default_fops(struct file_operations *fops)
24174 - *fops = tty_fops;
24178 * Initialize the console device. This is called *early*, so
24179 * we can't necessarily depend on lots of kernel help here.
24180 diff -urNp linux-2.6.35.5/drivers/char/tty_ldisc.c linux-2.6.35.5/drivers/char/tty_ldisc.c
24181 --- linux-2.6.35.5/drivers/char/tty_ldisc.c 2010-08-26 19:47:12.000000000 -0400
24182 +++ linux-2.6.35.5/drivers/char/tty_ldisc.c 2010-09-17 20:12:09.000000000 -0400
24183 @@ -75,7 +75,7 @@ static void put_ldisc(struct tty_ldisc *
24184 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
24185 struct tty_ldisc_ops *ldo = ld->ops;
24188 + atomic_dec(&ldo->refcount);
24189 module_put(ldo->owner);
24190 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24192 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
24193 spin_lock_irqsave(&tty_ldisc_lock, flags);
24194 tty_ldiscs[disc] = new_ldisc;
24195 new_ldisc->num = disc;
24196 - new_ldisc->refcount = 0;
24197 + atomic_set(&new_ldisc->refcount, 0);
24198 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24201 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
24204 spin_lock_irqsave(&tty_ldisc_lock, flags);
24205 - if (tty_ldiscs[disc]->refcount)
24206 + if (atomic_read(&tty_ldiscs[disc]->refcount))
24209 tty_ldiscs[disc] = NULL;
24210 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
24212 ret = ERR_PTR(-EAGAIN);
24213 if (try_module_get(ldops->owner)) {
24214 - ldops->refcount++;
24215 + atomic_inc(&ldops->refcount);
24219 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
24220 unsigned long flags;
24222 spin_lock_irqsave(&tty_ldisc_lock, flags);
24223 - ldops->refcount--;
24224 + atomic_dec(&ldops->refcount);
24225 module_put(ldops->owner);
24226 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24228 diff -urNp linux-2.6.35.5/drivers/char/vt_ioctl.c linux-2.6.35.5/drivers/char/vt_ioctl.c
24229 --- linux-2.6.35.5/drivers/char/vt_ioctl.c 2010-08-26 19:47:12.000000000 -0400
24230 +++ linux-2.6.35.5/drivers/char/vt_ioctl.c 2010-09-17 20:12:37.000000000 -0400
24231 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24232 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
24235 - if (!capable(CAP_SYS_TTY_CONFIG))
24240 key_map = key_maps[s];
24241 @@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24242 val = (i ? K_HOLE : K_NOSUCHMAP);
24243 return put_user(val, &user_kbe->kb_value);
24245 + if (!capable(CAP_SYS_TTY_CONFIG))
24251 if (!i && v == K_NOSUCHMAP) {
24252 /* deallocate map */
24253 key_map = key_maps[s];
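Review bot: The `capable(CAP_SYS_TTY_CONFIG)` test that used to run before the switch now appears only on the path added in this hunk, so its position relative to the `copy_from_user` and the read path has changed without explanation. A comment at the new site would help the next reader, e.g. `/* check the capability only when a keymap is modified; reads must not trigger it */` (presumably the intent; confirm). The lines that act on the result are missing from this page, so it could not be checked that every modifying path still ends in a refusal when the capability is absent. The do_kdgkb_ioctl hunks below make the same move, and do_kdsk_ioctl continues outside the hunk.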
24254 @@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
24258 - if (!capable(CAP_SYS_TTY_CONFIG))
24261 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
24264 @@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
24266 return ((p && *p) ? -EOVERFLOW : 0);
24268 + if (!capable(CAP_SYS_TTY_CONFIG))
24274 diff -urNp linux-2.6.35.5/drivers/cpuidle/sysfs.c linux-2.6.35.5/drivers/cpuidle/sysfs.c
24275 --- linux-2.6.35.5/drivers/cpuidle/sysfs.c 2010-08-26 19:47:12.000000000 -0400
24276 +++ linux-2.6.35.5/drivers/cpuidle/sysfs.c 2010-09-17 20:12:09.000000000 -0400
24277 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
24278 .release = cpuidle_state_sysfs_release,
24281 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24282 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24284 kobject_put(&device->kobjs[i]->kobj);
24285 wait_for_completion(&device->kobjs[i]->kobj_unregister);
24286 diff -urNp linux-2.6.35.5/drivers/edac/edac_core.h linux-2.6.35.5/drivers/edac/edac_core.h
24287 --- linux-2.6.35.5/drivers/edac/edac_core.h 2010-08-26 19:47:12.000000000 -0400
24288 +++ linux-2.6.35.5/drivers/edac/edac_core.h 2010-09-17 20:12:09.000000000 -0400
24289 @@ -100,11 +100,11 @@ extern const char *edac_mem_types[];
24291 #else /* !CONFIG_EDAC_DEBUG */
24293 -#define debugf0( ... )
24294 -#define debugf1( ... )
24295 -#define debugf2( ... )
24296 -#define debugf3( ... )
24297 -#define debugf4( ... )
24298 +#define debugf0( ... ) do {} while (0)
24299 +#define debugf1( ... ) do {} while (0)
24300 +#define debugf2( ... ) do {} while (0)
24301 +#define debugf3( ... ) do {} while (0)
24302 +#define debugf4( ... ) do {} while (0)
24304 #endif /* !CONFIG_EDAC_DEBUG */
24306 diff -urNp linux-2.6.35.5/drivers/edac/edac_mc_sysfs.c linux-2.6.35.5/drivers/edac/edac_mc_sysfs.c
24307 --- linux-2.6.35.5/drivers/edac/edac_mc_sysfs.c 2010-08-26 19:47:12.000000000 -0400
24308 +++ linux-2.6.35.5/drivers/edac/edac_mc_sysfs.c 2010-09-17 20:12:09.000000000 -0400
24309 @@ -776,7 +776,7 @@ static void edac_inst_grp_release(struct
24312 /* Intermediate show/store table */
24313 -static struct sysfs_ops inst_grp_ops = {
24314 +static const struct sysfs_ops inst_grp_ops = {
24315 .show = inst_grp_show,
24316 .store = inst_grp_store
24318 diff -urNp linux-2.6.35.5/drivers/firewire/core-cdev.c linux-2.6.35.5/drivers/firewire/core-cdev.c
24319 --- linux-2.6.35.5/drivers/firewire/core-cdev.c 2010-08-26 19:47:12.000000000 -0400
24320 +++ linux-2.6.35.5/drivers/firewire/core-cdev.c 2010-09-17 20:12:09.000000000 -0400
24321 @@ -1195,8 +1195,7 @@ static int init_iso_resource(struct clie
24324 if ((request->channels == 0 && request->bandwidth == 0) ||
24325 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
24326 - request->bandwidth < 0)
24327 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
24330 r = kmalloc(sizeof(*r), GFP_KERNEL);
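Review bot: Removing `request->bandwidth < 0` leaves no lower-bound test, which is correct only if `bandwidth` is an unsigned field; its declaration is not part of this hunk. The same reasoning applies to the `arg < 0` test removed from the HIDIOCAPPLICATION case in hiddev.c. If both are unsigned, the old comparisons were dead code, and a comment such as `/* bandwidth is unsigned, only the upper bound can be violated */` would keep the field from being retyped later without the check being restored. init_iso_resource continues outside the hunk.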
24331 diff -urNp linux-2.6.35.5/drivers/firmware/dmi_scan.c linux-2.6.35.5/drivers/firmware/dmi_scan.c
24332 --- linux-2.6.35.5/drivers/firmware/dmi_scan.c 2010-08-26 19:47:12.000000000 -0400
24333 +++ linux-2.6.35.5/drivers/firmware/dmi_scan.c 2010-09-17 20:12:09.000000000 -0400
24334 @@ -387,11 +387,6 @@ void __init dmi_scan_machine(void)
24339 - * no iounmap() for that ioremap(); it would be a no-op, but
24340 - * it's so early in setup that sucker gets confused into doing
24341 - * what it shouldn't if we actually call it.
24343 p = dmi_ioremap(0xF0000, 0x10000);
24346 diff -urNp linux-2.6.35.5/drivers/gpu/drm/drm_drv.c linux-2.6.35.5/drivers/gpu/drm/drm_drv.c
24347 --- linux-2.6.35.5/drivers/gpu/drm/drm_drv.c 2010-08-26 19:47:12.000000000 -0400
24348 +++ linux-2.6.35.5/drivers/gpu/drm/drm_drv.c 2010-09-17 20:12:09.000000000 -0400
24349 @@ -449,7 +449,7 @@ long drm_ioctl(struct file *filp,
24351 dev = file_priv->minor->dev;
24352 atomic_inc(&dev->ioctl_count);
24353 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
24354 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
24355 ++file_priv->ioctl_count;
24357 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
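Review bot: Nothing at the `atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS])` line says why this counter opts out of overflow checking while `dev->ioctl_count` one line above keeps plain `atomic_inc`. The same split recurs in drm_fops.c, drm_ioctl.c, drm_lock.c and i810_dma.c, where every `counts[]` access becomes `_unchecked` and `open_count` becomes a checked atomic. Presumably `counts[]` holds statistics that may wrap harmlessly, while the other two decide when the device is torn down. A comment at the `counts` declaration, for example `/* statistics only, wrap-around is harmless: use the *_unchecked atomics */`, would make that rule reviewable. The declaration is outside this hunk, and its type presumably changes elsewhere in the patch to match the `_unchecked` accessors.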
24358 diff -urNp linux-2.6.35.5/drivers/gpu/drm/drm_fops.c linux-2.6.35.5/drivers/gpu/drm/drm_fops.c
24359 --- linux-2.6.35.5/drivers/gpu/drm/drm_fops.c 2010-08-26 19:47:12.000000000 -0400
24360 +++ linux-2.6.35.5/drivers/gpu/drm/drm_fops.c 2010-09-17 20:12:09.000000000 -0400
24361 @@ -67,7 +67,7 @@ static int drm_setup(struct drm_device *
24364 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
24365 - atomic_set(&dev->counts[i], 0);
24366 + atomic_set_unchecked(&dev->counts[i], 0);
24368 dev->sigdata.lock = NULL;
24370 @@ -131,9 +131,9 @@ int drm_open(struct inode *inode, struct
24372 retcode = drm_open_helper(inode, filp, dev);
24374 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
24375 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
24376 spin_lock(&dev->count_lock);
24377 - if (!dev->open_count++) {
24378 + if (atomic_inc_return(&dev->open_count) == 1) {
24379 spin_unlock(&dev->count_lock);
24380 retcode = drm_setup(dev);
24382 @@ -474,7 +474,7 @@ int drm_release(struct inode *inode, str
24386 - DRM_DEBUG("open_count = %d\n", dev->open_count);
24387 + DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
24389 if (dev->driver->preclose)
24390 dev->driver->preclose(dev, file_priv);
24391 @@ -486,7 +486,7 @@ int drm_release(struct inode *inode, str
24392 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
24393 task_pid_nr(current),
24394 (long)old_encode_dev(file_priv->minor->device),
24395 - dev->open_count);
24396 + atomic_read(&dev->open_count));
24398 /* if the master has gone away we can't do anything with the lock */
24399 if (file_priv->minor->master)
24400 @@ -567,9 +567,9 @@ int drm_release(struct inode *inode, str
24401 * End inline drm_release
24404 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
24405 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
24406 spin_lock(&dev->count_lock);
24407 - if (!--dev->open_count) {
24408 + if (atomic_dec_and_test(&dev->open_count)) {
24409 if (atomic_read(&dev->ioctl_count)) {
24410 DRM_ERROR("Device busy: %d\n",
24411 atomic_read(&dev->ioctl_count));
24412 diff -urNp linux-2.6.35.5/drivers/gpu/drm/drm_ioctl.c linux-2.6.35.5/drivers/gpu/drm/drm_ioctl.c
24413 --- linux-2.6.35.5/drivers/gpu/drm/drm_ioctl.c 2010-08-26 19:47:12.000000000 -0400
24414 +++ linux-2.6.35.5/drivers/gpu/drm/drm_ioctl.c 2010-09-17 20:12:09.000000000 -0400
24415 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
24416 stats->data[i].value =
24417 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
24419 - stats->data[i].value = atomic_read(&dev->counts[i]);
24420 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
24421 stats->data[i].type = dev->types[i];
24424 diff -urNp linux-2.6.35.5/drivers/gpu/drm/drm_lock.c linux-2.6.35.5/drivers/gpu/drm/drm_lock.c
24425 --- linux-2.6.35.5/drivers/gpu/drm/drm_lock.c 2010-08-26 19:47:12.000000000 -0400
24426 +++ linux-2.6.35.5/drivers/gpu/drm/drm_lock.c 2010-09-17 20:12:09.000000000 -0400
24427 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
24428 if (drm_lock_take(&master->lock, lock->context)) {
24429 master->lock.file_priv = file_priv;
24430 master->lock.lock_time = jiffies;
24431 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
24432 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
24433 break; /* Got lock */
24436 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
24440 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
24441 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
24443 /* kernel_context_switch isn't used by any of the x86 drm
24444 * modules but is required by the Sparc driver.
24445 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i810/i810_dma.c linux-2.6.35.5/drivers/gpu/drm/i810/i810_dma.c
24446 --- linux-2.6.35.5/drivers/gpu/drm/i810/i810_dma.c 2010-08-26 19:47:12.000000000 -0400
24447 +++ linux-2.6.35.5/drivers/gpu/drm/i810/i810_dma.c 2010-09-17 20:12:09.000000000 -0400
24448 @@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
24449 dma->buflist[vertex->idx],
24450 vertex->discard, vertex->used);
24452 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24453 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24454 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24455 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24456 sarea_priv->last_enqueue = dev_priv->counter - 1;
24457 sarea_priv->last_dispatch = (int)hw_status[5];
24459 @@ -1116,8 +1116,8 @@ static int i810_dma_mc(struct drm_device
24460 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
24463 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24464 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24465 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24466 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24467 sarea_priv->last_enqueue = dev_priv->counter - 1;
24468 sarea_priv->last_dispatch = (int)hw_status[5];
24470 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7017.c
24471 --- linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7017.c 2010-08-26 19:47:12.000000000 -0400
24472 +++ linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7017.c 2010-09-17 20:12:09.000000000 -0400
24473 @@ -402,7 +402,7 @@ static void ch7017_destroy(struct intel_
24477 -struct intel_dvo_dev_ops ch7017_ops = {
24478 +const struct intel_dvo_dev_ops ch7017_ops = {
24479 .init = ch7017_init,
24480 .detect = ch7017_detect,
24481 .mode_valid = ch7017_mode_valid,
24482 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7xxx.c
24483 --- linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-08-26 19:47:12.000000000 -0400
24484 +++ linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-09-17 20:12:09.000000000 -0400
24485 @@ -322,7 +322,7 @@ static void ch7xxx_destroy(struct intel_
24489 -struct intel_dvo_dev_ops ch7xxx_ops = {
24490 +const struct intel_dvo_dev_ops ch7xxx_ops = {
24491 .init = ch7xxx_init,
24492 .detect = ch7xxx_detect,
24493 .mode_valid = ch7xxx_mode_valid,
24494 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/dvo.h linux-2.6.35.5/drivers/gpu/drm/i915/dvo.h
24495 --- linux-2.6.35.5/drivers/gpu/drm/i915/dvo.h 2010-08-26 19:47:12.000000000 -0400
24496 +++ linux-2.6.35.5/drivers/gpu/drm/i915/dvo.h 2010-09-17 20:12:09.000000000 -0400
24497 @@ -125,23 +125,23 @@ struct intel_dvo_dev_ops {
24499 * \return singly-linked list of modes or NULL if no modes found.
24501 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
24502 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
24505 * Clean up driver-specific bits of the output
24507 - void (*destroy) (struct intel_dvo_device *dvo);
24508 + void (* const destroy) (struct intel_dvo_device *dvo);
24511 * Debugging hook to dump device registers to log file
24513 - void (*dump_regs)(struct intel_dvo_device *dvo);
24514 + void (* const dump_regs)(struct intel_dvo_device *dvo);
24517 -extern struct intel_dvo_dev_ops sil164_ops;
24518 -extern struct intel_dvo_dev_ops ch7xxx_ops;
24519 -extern struct intel_dvo_dev_ops ivch_ops;
24520 -extern struct intel_dvo_dev_ops tfp410_ops;
24521 -extern struct intel_dvo_dev_ops ch7017_ops;
24522 +extern const struct intel_dvo_dev_ops sil164_ops;
24523 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
24524 +extern const struct intel_dvo_dev_ops ivch_ops;
24525 +extern const struct intel_dvo_dev_ops tfp410_ops;
24526 +extern const struct intel_dvo_dev_ops ch7017_ops;
24528 #endif /* _INTEL_DVO_H */
24529 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ivch.c
24530 --- linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ivch.c 2010-08-26 19:47:12.000000000 -0400
24531 +++ linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ivch.c 2010-09-17 20:12:09.000000000 -0400
24532 @@ -412,7 +412,7 @@ static void ivch_destroy(struct intel_dv
24536 -struct intel_dvo_dev_ops ivch_ops= {
24537 +const struct intel_dvo_dev_ops ivch_ops= {
24540 .mode_valid = ivch_mode_valid,
24541 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.35.5/drivers/gpu/drm/i915/dvo_sil164.c
24542 --- linux-2.6.35.5/drivers/gpu/drm/i915/dvo_sil164.c 2010-08-26 19:47:12.000000000 -0400
24543 +++ linux-2.6.35.5/drivers/gpu/drm/i915/dvo_sil164.c 2010-09-17 20:12:09.000000000 -0400
24544 @@ -254,7 +254,7 @@ static void sil164_destroy(struct intel_
24548 -struct intel_dvo_dev_ops sil164_ops = {
24549 +const struct intel_dvo_dev_ops sil164_ops = {
24550 .init = sil164_init,
24551 .detect = sil164_detect,
24552 .mode_valid = sil164_mode_valid,
24553 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.35.5/drivers/gpu/drm/i915/dvo_tfp410.c
24554 --- linux-2.6.35.5/drivers/gpu/drm/i915/dvo_tfp410.c 2010-08-26 19:47:12.000000000 -0400
24555 +++ linux-2.6.35.5/drivers/gpu/drm/i915/dvo_tfp410.c 2010-09-17 20:12:09.000000000 -0400
24556 @@ -295,7 +295,7 @@ static void tfp410_destroy(struct intel_
24560 -struct intel_dvo_dev_ops tfp410_ops = {
24561 +const struct intel_dvo_dev_ops tfp410_ops = {
24562 .init = tfp410_init,
24563 .detect = tfp410_detect,
24564 .mode_valid = tfp410_mode_valid,
24565 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/i915_dma.c linux-2.6.35.5/drivers/gpu/drm/i915/i915_dma.c
24566 --- linux-2.6.35.5/drivers/gpu/drm/i915/i915_dma.c 2010-09-20 17:33:09.000000000 -0400
24567 +++ linux-2.6.35.5/drivers/gpu/drm/i915/i915_dma.c 2010-09-20 17:33:32.000000000 -0400
24568 @@ -1348,7 +1348,7 @@ static bool i915_switcheroo_can_switch(s
24571 spin_lock(&dev->count_lock);
24572 - can_switch = (dev->open_count == 0);
24573 + can_switch = (atomic_read(&dev->open_count) == 0);
24574 spin_unlock(&dev->count_lock);
24577 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/i915_drv.c linux-2.6.35.5/drivers/gpu/drm/i915/i915_drv.c
24578 --- linux-2.6.35.5/drivers/gpu/drm/i915/i915_drv.c 2010-08-26 19:47:12.000000000 -0400
24579 +++ linux-2.6.35.5/drivers/gpu/drm/i915/i915_drv.c 2010-09-17 20:12:09.000000000 -0400
24580 @@ -491,7 +491,7 @@ const struct dev_pm_ops i915_pm_ops = {
24581 .restore = i915_pm_resume,
24584 -static struct vm_operations_struct i915_gem_vm_ops = {
24585 +static const struct vm_operations_struct i915_gem_vm_ops = {
24586 .fault = i915_gem_fault,
24587 .open = drm_gem_vm_open,
24588 .close = drm_gem_vm_close,
24589 diff -urNp linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_backlight.c
24590 --- linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-08-26 19:47:12.000000000 -0400
24591 +++ linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-09-17 20:12:09.000000000 -0400
24592 @@ -58,7 +58,7 @@ static int nv40_set_intensity(struct bac
24596 -static struct backlight_ops nv40_bl_ops = {
24597 +static const struct backlight_ops nv40_bl_ops = {
24598 .options = BL_CORE_SUSPENDRESUME,
24599 .get_brightness = nv40_get_intensity,
24600 .update_status = nv40_set_intensity,
24601 @@ -81,7 +81,7 @@ static int nv50_set_intensity(struct bac
24605 -static struct backlight_ops nv50_bl_ops = {
24606 +static const struct backlight_ops nv50_bl_ops = {
24607 .options = BL_CORE_SUSPENDRESUME,
24608 .get_brightness = nv50_get_intensity,
24609 .update_status = nv50_set_intensity,
24610 diff -urNp linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_state.c
24611 --- linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_state.c 2010-08-26 19:47:12.000000000 -0400
24612 +++ linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_state.c 2010-09-17 20:12:09.000000000 -0400
24613 @@ -395,7 +395,7 @@ static bool nouveau_switcheroo_can_switc
24616 spin_lock(&dev->count_lock);
24617 - can_switch = (dev->open_count == 0);
24618 + can_switch = (atomic_read(&dev->open_count) == 0);
24619 spin_unlock(&dev->count_lock);
24622 diff -urNp linux-2.6.35.5/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.35.5/drivers/gpu/drm/radeon/mkregtable.c
24623 --- linux-2.6.35.5/drivers/gpu/drm/radeon/mkregtable.c 2010-08-26 19:47:12.000000000 -0400
24624 +++ linux-2.6.35.5/drivers/gpu/drm/radeon/mkregtable.c 2010-09-17 20:12:09.000000000 -0400
24625 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
24627 regmatch_t match[4];
24635 struct offset *offset;
24636 char last_reg_s[10];
24638 + unsigned long last_reg;
24641 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
24642 diff -urNp linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_device.c
24643 --- linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_device.c 2010-08-26 19:47:12.000000000 -0400
24644 +++ linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_device.c 2010-09-17 20:12:09.000000000 -0400
24645 @@ -562,7 +562,7 @@ static bool radeon_switcheroo_can_switch
24648 spin_lock(&dev->count_lock);
24649 - can_switch = (dev->open_count == 0);
24650 + can_switch = (atomic_read(&dev->open_count) == 0);
24651 spin_unlock(&dev->count_lock);
24654 diff -urNp linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_display.c
24655 --- linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_display.c 2010-08-26 19:47:12.000000000 -0400
24656 +++ linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_display.c 2010-09-17 20:12:09.000000000 -0400
24657 @@ -559,7 +559,7 @@ static void radeon_compute_pll_legacy(st
24659 if (pll->flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
24660 error = freq - current_freq;
24661 - error = error < 0 ? 0xffffffff : error;
24662 + error = (int32_t)error < 0 ? 0xffffffff : error;
24664 error = abs(current_freq - freq);
24665 vco_diff = abs(vco - best_vco);
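Review bot: The `(int32_t)error < 0` test detects underflow only after the unsigned subtraction has already wrapped, and it relies on the true difference fitting in 31 bits. Comparing the operands first expresses the same intent without the cast: `error = freq < current_freq ? 0xffffffff : freq - current_freq;`. The declarations of `error`, `freq` and `current_freq` are outside this hunk, so this assumes all three are unsigned 32-bit values, as the need for the cast suggests.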
24666 diff -urNp linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_state.c
24667 --- linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_state.c 2010-08-26 19:47:12.000000000 -0400
24668 +++ linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_state.c 2010-09-17 20:12:09.000000000 -0400
24669 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
24670 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
24671 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
24673 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24674 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24675 sarea_priv->nbox * sizeof(depth_boxes[0])))
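Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test re-reads a field that the two lines above have just clamped, and the copy length on the next line reads it yet again, so the value that is checked is still not guaranteed to be the value that is used. If `sarea_priv` points into the shared area that user space also maps (which the name suggests, though the mapping is not visible here), the field can change between any of those reads. Taking one snapshot closes the window: `nbox = ACCESS_ONCE(sarea_priv->nbox);`, clamp the local, then pass `nbox * sizeof(depth_boxes[0])` to `DRM_COPY_FROM_USER`. radeon_cp_clear continues outside this hunk, and any later use of the count there should take the same local.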
24678 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
24680 drm_radeon_private_t *dev_priv = dev->dev_private;
24681 drm_radeon_getparam_t *param = data;
24685 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
24687 diff -urNp linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_ttm.c
24688 --- linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_ttm.c 2010-08-26 19:47:12.000000000 -0400
24689 +++ linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_ttm.c 2010-09-17 20:12:09.000000000 -0400
24690 @@ -601,8 +601,9 @@ void radeon_ttm_fini(struct radeon_devic
24691 DRM_INFO("radeon: ttm finalized\n");
24694 -static struct vm_operations_struct radeon_ttm_vm_ops;
24695 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
24696 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
24697 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
24698 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
24700 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
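Review bot: The three `extern` prototypes added here are private copies of TTM declarations, so a later signature change in ttm_bo_vm.c would still compile in this file and the mismatch would go undiagnosed. Declaring `ttm_bo_vm_fault`, `ttm_bo_vm_open` and `ttm_bo_vm_close` once in a TTM header that both ttm_bo_vm.c and radeon_ttm.c include lets the compiler check the definitions against their users. The matching ttm_bo_vm.c hunks drop `static` and add `EXPORT_SYMBOL` for each function, which widens what other modules can call. A comment there naming radeon's const `vm_operations_struct` as the reason would document why the symbols are exported.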
24702 @@ -610,17 +611,22 @@ static int radeon_ttm_fault(struct vm_ar
24703 struct radeon_device *rdev;
24706 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
24707 - if (bo == NULL) {
24708 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
24710 return VM_FAULT_NOPAGE;
24712 rdev = radeon_get_rdev(bo->bdev);
24713 mutex_lock(&rdev->vram_mutex);
24714 - r = ttm_vm_ops->fault(vma, vmf);
24715 + r = ttm_bo_vm_fault(vma, vmf);
24716 mutex_unlock(&rdev->vram_mutex);
24720 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
24721 + .fault = radeon_ttm_fault,
24722 + .open = ttm_bo_vm_open,
24723 + .close = ttm_bo_vm_close
24726 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
24728 struct drm_file *file_priv;
24729 @@ -633,18 +639,11 @@ int radeon_mmap(struct file *filp, struc
24731 file_priv = (struct drm_file *)filp->private_data;
24732 rdev = file_priv->minor->dev->dev_private;
24733 - if (rdev == NULL) {
24737 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
24738 - if (unlikely(r != 0)) {
24742 - if (unlikely(ttm_vm_ops == NULL)) {
24743 - ttm_vm_ops = vma->vm_ops;
24744 - radeon_ttm_vm_ops = *ttm_vm_ops;
24745 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
24747 vma->vm_ops = &radeon_ttm_vm_ops;
24750 diff -urNp linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo.c
24751 --- linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo.c 2010-08-26 19:47:12.000000000 -0400
24752 +++ linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo.c 2010-09-17 20:12:09.000000000 -0400
24754 #include <linux/module.h>
24756 #define TTM_ASSERT_LOCKED(param)
24757 -#define TTM_DEBUG(fmt, arg...)
24758 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
24759 #define TTM_BO_HASH_ORDER 13
24761 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
24762 diff -urNp linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo_vm.c
24763 --- linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-08-26 19:47:12.000000000 -0400
24764 +++ linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-09-20 17:14:49.000000000 -0400
24765 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
24769 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24770 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24772 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
24773 vma->vm_private_data;
24774 - struct ttm_bo_device *bdev = bo->bdev;
24775 + struct ttm_bo_device *bdev;
24776 unsigned long page_offset;
24777 unsigned long page_last;
24779 @@ -84,6 +84,10 @@ static int ttm_bo_vm_fault(struct vm_are
24780 unsigned long address = (unsigned long)vmf->virtual_address;
24781 int retval = VM_FAULT_NOPAGE;
24784 + return VM_FAULT_NOPAGE;
24788 * Work around locking order reversal in fault / nopfn
24789 * between mmap_sem and bo_reserve: Perform a trylock operation
24790 @@ -212,22 +216,25 @@ out_unlock:
24791 ttm_bo_unreserve(bo);
24794 +EXPORT_SYMBOL(ttm_bo_vm_fault);
24796 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
24797 +void ttm_bo_vm_open(struct vm_area_struct *vma)
24799 struct ttm_buffer_object *bo =
24800 (struct ttm_buffer_object *)vma->vm_private_data;
24802 (void)ttm_bo_reference(bo);
24804 +EXPORT_SYMBOL(ttm_bo_vm_open);
24806 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
24807 +void ttm_bo_vm_close(struct vm_area_struct *vma)
24809 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
24812 vma->vm_private_data = NULL;
24814 +EXPORT_SYMBOL(ttm_bo_vm_close);
24816 static const struct vm_operations_struct ttm_bo_vm_ops = {
24817 .fault = ttm_bo_vm_fault,
24818 diff -urNp linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_global.c
24819 --- linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_global.c 2010-08-26 19:47:12.000000000 -0400
24820 +++ linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_global.c 2010-09-17 20:12:09.000000000 -0400
24822 struct ttm_global_item {
24823 struct mutex mutex;
24826 + atomic_t refcount;
24829 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
24830 @@ -49,7 +49,7 @@ void ttm_global_init(void)
24831 struct ttm_global_item *item = &glob[i];
24832 mutex_init(&item->mutex);
24833 item->object = NULL;
24834 - item->refcount = 0;
24835 + atomic_set(&item->refcount, 0);
24839 @@ -59,7 +59,7 @@ void ttm_global_release(void)
24840 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
24841 struct ttm_global_item *item = &glob[i];
24842 BUG_ON(item->object != NULL);
24843 - BUG_ON(item->refcount != 0);
24844 + BUG_ON(atomic_read(&item->refcount) != 0);
24848 @@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
24851 mutex_lock(&item->mutex);
24852 - if (item->refcount == 0) {
24853 + if (atomic_read(&item->refcount) == 0) {
24854 item->object = kzalloc(ref->size, GFP_KERNEL);
24855 if (unlikely(item->object == NULL)) {
24857 @@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
24861 - ++item->refcount;
24862 + atomic_inc(&item->refcount);
24863 ref->object = item->object;
24864 object = item->object;
24865 mutex_unlock(&item->mutex);
24866 @@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
24867 struct ttm_global_item *item = &glob[ref->global_type];
24869 mutex_lock(&item->mutex);
24870 - BUG_ON(item->refcount == 0);
24871 + BUG_ON(atomic_read(&item->refcount) == 0);
24872 BUG_ON(ref->object != item->object);
24873 - if (--item->refcount == 0) {
24874 + if (atomic_dec_and_test(&item->refcount)) {
24876 item->object = NULL;
24878 diff -urNp linux-2.6.35.5/drivers/hid/usbhid/hiddev.c linux-2.6.35.5/drivers/hid/usbhid/hiddev.c
24879 --- linux-2.6.35.5/drivers/hid/usbhid/hiddev.c 2010-08-26 19:47:12.000000000 -0400
24880 +++ linux-2.6.35.5/drivers/hid/usbhid/hiddev.c 2010-09-17 20:12:09.000000000 -0400
24881 @@ -616,7 +616,7 @@ static long hiddev_ioctl(struct file *fi
24882 return put_user(HID_VERSION, (int __user *)arg);
24884 case HIDIOCAPPLICATION:
24885 - if (arg < 0 || arg >= hid->maxapplication)
24886 + if (arg >= hid->maxapplication)
24889 for (i = 0; i < hid->maxcollection; i++)
24890 diff -urNp linux-2.6.35.5/drivers/hwmon/k8temp.c linux-2.6.35.5/drivers/hwmon/k8temp.c
24891 --- linux-2.6.35.5/drivers/hwmon/k8temp.c 2010-09-20 17:33:09.000000000 -0400
24892 +++ linux-2.6.35.5/drivers/hwmon/k8temp.c 2010-09-20 17:33:32.000000000 -0400
24893 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
24895 static const struct pci_device_id k8temp_ids[] = {
24896 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
24898 + { 0, 0, 0, 0, 0, 0, 0 },
24901 MODULE_DEVICE_TABLE(pci, k8temp_ids);
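Review bot: The positional terminator `{ 0, 0, 0, 0, 0, 0, 0 }` hard-codes the number of members in `struct pci_device_id`, so it has to be revisited whenever that struct changes. The same form is added in sis5595.c, via686a.c, vt8231.c, i2c-i801.c, i2c-piix4.c, i2c-sis630.c, i2c-sis96x.c and ohci1394.c, with a six-field variant in the dv1394.c, eth1394.c and raw1394.c id tables. If the aim is to silence a missing-field-initializer warning (an inference, since the removed line is not visible), a designated form such as `{ .vendor = 0 }` zeroes the rest of the entry and does not depend on the member count.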
24902 diff -urNp linux-2.6.35.5/drivers/hwmon/sis5595.c linux-2.6.35.5/drivers/hwmon/sis5595.c
24903 --- linux-2.6.35.5/drivers/hwmon/sis5595.c 2010-08-26 19:47:12.000000000 -0400
24904 +++ linux-2.6.35.5/drivers/hwmon/sis5595.c 2010-09-17 20:12:09.000000000 -0400
24905 @@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
24907 static const struct pci_device_id sis5595_pci_ids[] = {
24908 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24910 + { 0, 0, 0, 0, 0, 0, 0 }
24913 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
24914 diff -urNp linux-2.6.35.5/drivers/hwmon/via686a.c linux-2.6.35.5/drivers/hwmon/via686a.c
24915 --- linux-2.6.35.5/drivers/hwmon/via686a.c 2010-08-26 19:47:12.000000000 -0400
24916 +++ linux-2.6.35.5/drivers/hwmon/via686a.c 2010-09-17 20:12:09.000000000 -0400
24917 @@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
24919 static const struct pci_device_id via686a_pci_ids[] = {
24920 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
24922 + { 0, 0, 0, 0, 0, 0, 0 }
24925 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
24926 diff -urNp linux-2.6.35.5/drivers/hwmon/vt8231.c linux-2.6.35.5/drivers/hwmon/vt8231.c
24927 --- linux-2.6.35.5/drivers/hwmon/vt8231.c 2010-08-26 19:47:12.000000000 -0400
24928 +++ linux-2.6.35.5/drivers/hwmon/vt8231.c 2010-09-17 20:12:09.000000000 -0400
24929 @@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
24931 static const struct pci_device_id vt8231_pci_ids[] = {
24932 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
24934 + { 0, 0, 0, 0, 0, 0, 0 }
24937 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
24938 diff -urNp linux-2.6.35.5/drivers/hwmon/w83791d.c linux-2.6.35.5/drivers/hwmon/w83791d.c
24939 --- linux-2.6.35.5/drivers/hwmon/w83791d.c 2010-08-26 19:47:12.000000000 -0400
24940 +++ linux-2.6.35.5/drivers/hwmon/w83791d.c 2010-09-17 20:12:09.000000000 -0400
24941 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
24942 struct i2c_board_info *info);
24943 static int w83791d_remove(struct i2c_client *client);
24945 -static int w83791d_read(struct i2c_client *client, u8 register);
24946 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
24947 +static int w83791d_read(struct i2c_client *client, u8 reg);
24948 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
24949 static struct w83791d_data *w83791d_update_device(struct device *dev);
24952 diff -urNp linux-2.6.35.5/drivers/i2c/busses/i2c-i801.c linux-2.6.35.5/drivers/i2c/busses/i2c-i801.c
24953 --- linux-2.6.35.5/drivers/i2c/busses/i2c-i801.c 2010-08-26 19:47:12.000000000 -0400
24954 +++ linux-2.6.35.5/drivers/i2c/busses/i2c-i801.c 2010-09-17 20:12:09.000000000 -0400
24955 @@ -592,7 +592,7 @@ static const struct pci_device_id i801_i
24956 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
24957 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
24958 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CPT_SMBUS) },
24960 + { 0, 0, 0, 0, 0, 0, 0 }
24963 MODULE_DEVICE_TABLE(pci, i801_ids);
24964 diff -urNp linux-2.6.35.5/drivers/i2c/busses/i2c-piix4.c linux-2.6.35.5/drivers/i2c/busses/i2c-piix4.c
24965 --- linux-2.6.35.5/drivers/i2c/busses/i2c-piix4.c 2010-08-26 19:47:12.000000000 -0400
24966 +++ linux-2.6.35.5/drivers/i2c/busses/i2c-piix4.c 2010-09-17 20:12:09.000000000 -0400
24967 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
24969 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
24972 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
24975 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
24976 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
24977 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
24978 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
24979 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
24981 + { 0, 0, 0, 0, 0, 0, 0 }
24984 MODULE_DEVICE_TABLE (pci, piix4_ids);
24985 diff -urNp linux-2.6.35.5/drivers/i2c/busses/i2c-sis630.c linux-2.6.35.5/drivers/i2c/busses/i2c-sis630.c
24986 --- linux-2.6.35.5/drivers/i2c/busses/i2c-sis630.c 2010-08-26 19:47:12.000000000 -0400
24987 +++ linux-2.6.35.5/drivers/i2c/busses/i2c-sis630.c 2010-09-17 20:12:09.000000000 -0400
24988 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
24989 static const struct pci_device_id sis630_ids[] __devinitconst = {
24990 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24991 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
24993 + { 0, 0, 0, 0, 0, 0, 0 }
24996 MODULE_DEVICE_TABLE (pci, sis630_ids);
24997 diff -urNp linux-2.6.35.5/drivers/i2c/busses/i2c-sis96x.c linux-2.6.35.5/drivers/i2c/busses/i2c-sis96x.c
24998 --- linux-2.6.35.5/drivers/i2c/busses/i2c-sis96x.c 2010-08-26 19:47:12.000000000 -0400
24999 +++ linux-2.6.35.5/drivers/i2c/busses/i2c-sis96x.c 2010-09-17 20:12:09.000000000 -0400
25000 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
25002 static const struct pci_device_id sis96x_ids[] = {
25003 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
25005 + { 0, 0, 0, 0, 0, 0, 0 }
25008 MODULE_DEVICE_TABLE (pci, sis96x_ids);
25009 diff -urNp linux-2.6.35.5/drivers/ide/ide-cd.c linux-2.6.35.5/drivers/ide/ide-cd.c
25010 --- linux-2.6.35.5/drivers/ide/ide-cd.c 2010-08-26 19:47:12.000000000 -0400
25011 +++ linux-2.6.35.5/drivers/ide/ide-cd.c 2010-09-17 20:12:09.000000000 -0400
25012 @@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
25013 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
25014 if ((unsigned long)buf & alignment
25015 || blk_rq_bytes(rq) & q->dma_pad_mask
25016 - || object_is_on_stack(buf))
25017 + || object_starts_on_stack(buf))
25021 diff -urNp linux-2.6.35.5/drivers/ieee1394/dv1394.c linux-2.6.35.5/drivers/ieee1394/dv1394.c
25022 --- linux-2.6.35.5/drivers/ieee1394/dv1394.c 2010-08-26 19:47:12.000000000 -0400
25023 +++ linux-2.6.35.5/drivers/ieee1394/dv1394.c 2010-09-17 20:12:09.000000000 -0400
25024 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
25025 based upon DIF section and sequence
25028 -static void inline
25029 +static inline void
25030 frame_put_packet (struct frame *f, struct packet *p)
25032 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
25033 @@ -2179,7 +2179,7 @@ static const struct ieee1394_device_id d
25034 .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
25035 .version = AVC_SW_VERSION_ENTRY & 0xffffff
25038 + { 0, 0, 0, 0, 0, 0 }
25041 MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
25042 diff -urNp linux-2.6.35.5/drivers/ieee1394/eth1394.c linux-2.6.35.5/drivers/ieee1394/eth1394.c
25043 --- linux-2.6.35.5/drivers/ieee1394/eth1394.c 2010-08-26 19:47:12.000000000 -0400
25044 +++ linux-2.6.35.5/drivers/ieee1394/eth1394.c 2010-09-17 20:12:09.000000000 -0400
25045 @@ -446,7 +446,7 @@ static const struct ieee1394_device_id e
25046 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
25047 .version = ETHER1394_GASP_VERSION,
25050 + { 0, 0, 0, 0, 0, 0 }
25053 MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
25054 diff -urNp linux-2.6.35.5/drivers/ieee1394/hosts.c linux-2.6.35.5/drivers/ieee1394/hosts.c
25055 --- linux-2.6.35.5/drivers/ieee1394/hosts.c 2010-08-26 19:47:12.000000000 -0400
25056 +++ linux-2.6.35.5/drivers/ieee1394/hosts.c 2010-09-17 20:12:09.000000000 -0400
25057 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
25060 static struct hpsb_host_driver dummy_driver = {
25062 .transmit_packet = dummy_transmit_packet,
25063 .devctl = dummy_devctl,
25064 .isoctl = dummy_isoctl
25065 diff -urNp linux-2.6.35.5/drivers/ieee1394/ohci1394.c linux-2.6.35.5/drivers/ieee1394/ohci1394.c
25066 --- linux-2.6.35.5/drivers/ieee1394/ohci1394.c 2010-08-26 19:47:12.000000000 -0400
25067 +++ linux-2.6.35.5/drivers/ieee1394/ohci1394.c 2010-09-17 20:12:09.000000000 -0400
25068 @@ -148,9 +148,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
25069 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
25071 /* Module Parameters */
25072 -static int phys_dma = 1;
25073 +static int phys_dma;
25074 module_param(phys_dma, int, 0444);
25075 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
25076 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
25078 static void dma_trm_tasklet(unsigned long data);
25079 static void dma_trm_reset(struct dma_trm_ctx *d);
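Review bot: Nothing next to `phys_dma` says why the default was flipped to off, and the description string gives users no hint that they may now have to opt in. A comment above the variable such as `/* Off by default: with physical DMA enabled the controller serves bus requests to host memory without driver involvement. */` would record the reason. Extending the text to `"Enable physical DMA (default = 0, set to 1 only for trusted buses)."` would tell the administrator what the switch trades off. Drivers that rely on physical DMA presumably need `phys_dma=1` at load time, since the parameter is `0444`; that is worth confirming and documenting.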
25080 @@ -3445,7 +3445,7 @@ static struct pci_device_id ohci1394_pci
25081 .subvendor = PCI_ANY_ID,
25082 .subdevice = PCI_ANY_ID,
25085 + { 0, 0, 0, 0, 0, 0, 0 },
25088 MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
25089 diff -urNp linux-2.6.35.5/drivers/ieee1394/raw1394.c linux-2.6.35.5/drivers/ieee1394/raw1394.c
25090 --- linux-2.6.35.5/drivers/ieee1394/raw1394.c 2010-08-26 19:47:12.000000000 -0400
25091 +++ linux-2.6.35.5/drivers/ieee1394/raw1394.c 2010-09-17 20:12:09.000000000 -0400
25092 @@ -3002,7 +3002,7 @@ static const struct ieee1394_device_id r
25093 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25094 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25095 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
25097 + { 0, 0, 0, 0, 0, 0 }
25100 MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
25101 diff -urNp linux-2.6.35.5/drivers/ieee1394/sbp2.c linux-2.6.35.5/drivers/ieee1394/sbp2.c
25102 --- linux-2.6.35.5/drivers/ieee1394/sbp2.c 2010-08-26 19:47:12.000000000 -0400
25103 +++ linux-2.6.35.5/drivers/ieee1394/sbp2.c 2010-09-17 20:12:09.000000000 -0400
25104 @@ -289,7 +289,7 @@ static const struct ieee1394_device_id s
25105 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25106 .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
25107 .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
25109 + { 0, 0, 0, 0, 0, 0 }
25111 MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
25113 @@ -2110,7 +2110,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
25114 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
25115 MODULE_LICENSE("GPL");
25117 -static int sbp2_module_init(void)
25118 +static int __init sbp2_module_init(void)
25122 diff -urNp linux-2.6.35.5/drivers/ieee1394/video1394.c linux-2.6.35.5/drivers/ieee1394/video1394.c
25123 --- linux-2.6.35.5/drivers/ieee1394/video1394.c 2010-08-26 19:47:12.000000000 -0400
25124 +++ linux-2.6.35.5/drivers/ieee1394/video1394.c 2010-09-17 20:12:09.000000000 -0400
25125 @@ -1312,7 +1312,7 @@ static const struct ieee1394_device_id v
25126 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25127 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
25130 + { 0, 0, 0, 0, 0, 0 }
25133 MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
25134 diff -urNp linux-2.6.35.5/drivers/infiniband/core/cm.c linux-2.6.35.5/drivers/infiniband/core/cm.c
25135 --- linux-2.6.35.5/drivers/infiniband/core/cm.c 2010-08-26 19:47:12.000000000 -0400
25136 +++ linux-2.6.35.5/drivers/infiniband/core/cm.c 2010-09-17 20:12:09.000000000 -0400
25137 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
25139 struct cm_counter_group {
25140 struct kobject obj;
25141 - atomic_long_t counter[CM_ATTR_COUNT];
25142 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
25145 struct cm_counter_attribute {
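Review bot: The switch to `atomic_long_unchecked_t` in `struct cm_counter_group` has no comment saying why these counters are exempt from overflow checking. They look like statistics only, since cm_show_counter later in this file prints them with `%ld`. A comment on the field such as `/* statistics exported via sysfs, not a reference count: wrap-around is harmless */` would stop a later reader from copying the unchecked type onto a real refcount. The same reasoning covers every `atomic_long_inc_unchecked`/`atomic_long_add_unchecked` hunk in this file, so one comment at the field is enough.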
25146 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
25147 struct ib_mad_send_buf *msg = NULL;
25150 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25151 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25152 counter[CM_REQ_COUNTER]);
25154 /* Quick state check to discard duplicate REQs. */
25155 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
25159 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25160 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25161 counter[CM_REP_COUNTER]);
25162 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
25164 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
25165 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
25166 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
25167 spin_unlock_irq(&cm_id_priv->lock);
25168 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25169 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25170 counter[CM_RTU_COUNTER]);
25173 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
25174 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
25175 dreq_msg->local_comm_id);
25177 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25178 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25179 counter[CM_DREQ_COUNTER]);
25180 cm_issue_drep(work->port, work->mad_recv_wc);
25182 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
25183 case IB_CM_MRA_REP_RCVD:
25185 case IB_CM_TIMEWAIT:
25186 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25187 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25188 counter[CM_DREQ_COUNTER]);
25189 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25191 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
25194 case IB_CM_DREQ_RCVD:
25195 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25196 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25197 counter[CM_DREQ_COUNTER]);
25200 @@ -2502,7 +2502,7 @@ static int cm_mra_handler(struct cm_work
25201 ib_modify_mad(cm_id_priv->av.port->mad_agent,
25202 cm_id_priv->msg, timeout)) {
25203 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
25204 - atomic_long_inc(&work->port->
25205 + atomic_long_inc_unchecked(&work->port->
25206 counter_group[CM_RECV_DUPLICATES].
25207 counter[CM_MRA_COUNTER]);
25209 @@ -2511,7 +2511,7 @@ static int cm_mra_handler(struct cm_work
25211 case IB_CM_MRA_REQ_RCVD:
25212 case IB_CM_MRA_REP_RCVD:
25213 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25214 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25215 counter[CM_MRA_COUNTER]);
25218 @@ -2673,7 +2673,7 @@ static int cm_lap_handler(struct cm_work
25219 case IB_CM_LAP_IDLE:
25221 case IB_CM_MRA_LAP_SENT:
25222 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25223 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25224 counter[CM_LAP_COUNTER]);
25225 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25227 @@ -2689,7 +2689,7 @@ static int cm_lap_handler(struct cm_work
25230 case IB_CM_LAP_RCVD:
25231 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25232 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25233 counter[CM_LAP_COUNTER]);
25236 @@ -2973,7 +2973,7 @@ static int cm_sidr_req_handler(struct cm
25237 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
25238 if (cur_cm_id_priv) {
25239 spin_unlock_irq(&cm.lock);
25240 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25241 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25242 counter[CM_SIDR_REQ_COUNTER]);
25243 goto out; /* Duplicate message. */
25245 @@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
25246 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
25249 - atomic_long_add(1 + msg->retries,
25250 + atomic_long_add_unchecked(1 + msg->retries,
25251 &port->counter_group[CM_XMIT].counter[attr_index]);
25253 - atomic_long_add(msg->retries,
25254 + atomic_long_add_unchecked(msg->retries,
25255 &port->counter_group[CM_XMIT_RETRIES].
25256 counter[attr_index]);
25258 @@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
25261 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
25262 - atomic_long_inc(&port->counter_group[CM_RECV].
25263 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
25264 counter[attr_id - CM_ATTR_ID_OFFSET]);
25266 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
25267 @@ -3595,7 +3595,7 @@ static ssize_t cm_show_counter(struct ko
25268 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
25270 return sprintf(buf, "%ld\n",
25271 - atomic_long_read(&group->counter[cm_attr->index]));
25272 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
25275 static const struct sysfs_ops cm_counter_ops = {
25276 diff -urNp linux-2.6.35.5/drivers/infiniband/hw/qib/qib.h linux-2.6.35.5/drivers/infiniband/hw/qib/qib.h
25277 --- linux-2.6.35.5/drivers/infiniband/hw/qib/qib.h 2010-08-26 19:47:12.000000000 -0400
25278 +++ linux-2.6.35.5/drivers/infiniband/hw/qib/qib.h 2010-09-17 20:12:09.000000000 -0400
25280 #include <linux/completion.h>
25281 #include <linux/kref.h>
25282 #include <linux/sched.h>
25283 +#include <linux/slab.h>
25285 #include "qib_common.h"
25286 #include "qib_verbs.h"
25287 diff -urNp linux-2.6.35.5/drivers/input/keyboard/atkbd.c linux-2.6.35.5/drivers/input/keyboard/atkbd.c
25288 --- linux-2.6.35.5/drivers/input/keyboard/atkbd.c 2010-08-26 19:47:12.000000000 -0400
25289 +++ linux-2.6.35.5/drivers/input/keyboard/atkbd.c 2010-09-17 20:12:09.000000000 -0400
25290 @@ -1240,7 +1240,7 @@ static struct serio_device_id atkbd_seri
25292 .extra = SERIO_ANY,
25298 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
25299 diff -urNp linux-2.6.35.5/drivers/input/mouse/lifebook.c linux-2.6.35.5/drivers/input/mouse/lifebook.c
25300 --- linux-2.6.35.5/drivers/input/mouse/lifebook.c 2010-08-26 19:47:12.000000000 -0400
25301 +++ linux-2.6.35.5/drivers/input/mouse/lifebook.c 2010-09-17 20:12:09.000000000 -0400
25302 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
25303 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
25307 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
25310 void __init lifebook_module_init(void)
25311 diff -urNp linux-2.6.35.5/drivers/input/mouse/psmouse-base.c linux-2.6.35.5/drivers/input/mouse/psmouse-base.c
25312 --- linux-2.6.35.5/drivers/input/mouse/psmouse-base.c 2010-08-26 19:47:12.000000000 -0400
25313 +++ linux-2.6.35.5/drivers/input/mouse/psmouse-base.c 2010-09-17 20:12:09.000000000 -0400
25314 @@ -1460,7 +1460,7 @@ static struct serio_device_id psmouse_se
25316 .extra = SERIO_ANY,
25322 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
25323 diff -urNp linux-2.6.35.5/drivers/input/mouse/synaptics.c linux-2.6.35.5/drivers/input/mouse/synaptics.c
25324 --- linux-2.6.35.5/drivers/input/mouse/synaptics.c 2010-08-26 19:47:12.000000000 -0400
25325 +++ linux-2.6.35.5/drivers/input/mouse/synaptics.c 2010-09-17 20:12:09.000000000 -0400
25326 @@ -476,7 +476,7 @@ static void synaptics_process_packet(str
25329 if (SYN_MODEL_PEN(priv->model_id))
25330 - ; /* Nothing, treat a pen as a single finger */
25331 + break; /* Nothing, treat a pen as a single finger */
25334 if (SYN_CAP_PALMDETECT(priv->capabilities))
25335 @@ -701,7 +701,6 @@ static const struct dmi_system_id __init
25336 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
25337 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
25342 /* Toshiba Portege M300 */
25343 @@ -710,9 +709,8 @@ static const struct dmi_system_id __init
25344 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
25345 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
25350 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25354 diff -urNp linux-2.6.35.5/drivers/input/mousedev.c linux-2.6.35.5/drivers/input/mousedev.c
25355 --- linux-2.6.35.5/drivers/input/mousedev.c 2010-08-26 19:47:12.000000000 -0400
25356 +++ linux-2.6.35.5/drivers/input/mousedev.c 2010-09-17 20:12:09.000000000 -0400
25357 @@ -754,7 +754,7 @@ static ssize_t mousedev_read(struct file
25359 spin_unlock_irq(&client->packet_lock);
25361 - if (copy_to_user(buffer, data, count))
25362 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
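Review bot: The new `count > sizeof(data)` test guards only the copy-out, after `spin_unlock_irq(&client->packet_lock)`. If `data` is filled using the same `count` earlier in mousedev_read (that part is outside the hunk), an oversize `count` would already have overrun the array by the time this line runs, and the check should move before the fill. It also folds the oversize case into the `copy_to_user` failure branch, so the two are reported identically. A separate `if (count > sizeof(data))` ahead of the locked section would make the intent clearer.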
25366 @@ -1051,7 +1051,7 @@ static struct input_handler mousedev_han
25368 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
25369 static struct miscdevice psaux_mouse = {
25370 - PSMOUSE_MINOR, "psaux", &mousedev_fops
25371 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
25373 static int psaux_registered;
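Review bot: The positional initializer for `psaux_mouse` now depends on the exact order and number of members in `struct miscdevice`, so any change to that struct silently shifts the trailing `{NULL, NULL}, NULL, NULL` onto the wrong fields. Designated initializers avoid this without leaving members implicit in a way the compiler complains about: `.minor = PSMOUSE_MINOR, .name = "psaux", .fops = &mousedev_fops`.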
25375 diff -urNp linux-2.6.35.5/drivers/input/serio/i8042-x86ia64io.h linux-2.6.35.5/drivers/input/serio/i8042-x86ia64io.h
25376 --- linux-2.6.35.5/drivers/input/serio/i8042-x86ia64io.h 2010-08-26 19:47:12.000000000 -0400
25377 +++ linux-2.6.35.5/drivers/input/serio/i8042-x86ia64io.h 2010-09-17 20:12:09.000000000 -0400
25378 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
25379 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
25383 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25387 @@ -413,7 +413,7 @@ static const struct dmi_system_id __init
25388 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
25392 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25395 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
25396 @@ -487,7 +487,7 @@ static const struct dmi_system_id __init
25397 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
25401 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25405 @@ -506,7 +506,7 @@ static const struct dmi_system_id __init
25406 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
25410 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25413 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
25414 @@ -530,7 +530,7 @@ static const struct dmi_system_id __init
25415 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
25419 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25423 @@ -604,7 +604,7 @@ static const struct dmi_system_id __init
25424 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
25428 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25431 #endif /* CONFIG_X86 */
25432 diff -urNp linux-2.6.35.5/drivers/input/serio/serio_raw.c linux-2.6.35.5/drivers/input/serio/serio_raw.c
25433 --- linux-2.6.35.5/drivers/input/serio/serio_raw.c 2010-08-26 19:47:12.000000000 -0400
25434 +++ linux-2.6.35.5/drivers/input/serio/serio_raw.c 2010-09-17 20:12:09.000000000 -0400
25435 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
25437 .extra = SERIO_ANY,
25443 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
25444 diff -urNp linux-2.6.35.5/drivers/isdn/gigaset/common.c linux-2.6.35.5/drivers/isdn/gigaset/common.c
25445 --- linux-2.6.35.5/drivers/isdn/gigaset/common.c 2010-08-26 19:47:12.000000000 -0400
25446 +++ linux-2.6.35.5/drivers/isdn/gigaset/common.c 2010-09-17 20:12:09.000000000 -0400
25447 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
25448 cs->commands_pending = 0;
25449 cs->cur_at_seq = 0;
25451 - cs->open_count = 0;
25452 + atomic_set(&cs->open_count, 0);
25455 cs->tty_dev = NULL;
25456 diff -urNp linux-2.6.35.5/drivers/isdn/gigaset/gigaset.h linux-2.6.35.5/drivers/isdn/gigaset/gigaset.h
25457 --- linux-2.6.35.5/drivers/isdn/gigaset/gigaset.h 2010-08-26 19:47:12.000000000 -0400
25458 +++ linux-2.6.35.5/drivers/isdn/gigaset/gigaset.h 2010-09-17 20:12:09.000000000 -0400
25459 @@ -442,7 +442,7 @@ struct cardstate {
25460 spinlock_t cmdlock;
25461 unsigned curlen, cmdbytes;
25463 - unsigned open_count;
25464 + atomic_t open_count;
25465 struct tty_struct *tty;
25466 struct tasklet_struct if_wake_tasklet;
25467 unsigned control_state;
25468 diff -urNp linux-2.6.35.5/drivers/isdn/gigaset/interface.c linux-2.6.35.5/drivers/isdn/gigaset/interface.c
25469 --- linux-2.6.35.5/drivers/isdn/gigaset/interface.c 2010-08-26 19:47:12.000000000 -0400
25470 +++ linux-2.6.35.5/drivers/isdn/gigaset/interface.c 2010-09-17 20:12:09.000000000 -0400
25471 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
25472 return -ERESTARTSYS;
25473 tty->driver_data = cs;
25475 - ++cs->open_count;
25477 - if (cs->open_count == 1) {
25478 + if (atomic_inc_return(&cs->open_count) == 1) {
25479 spin_lock_irqsave(&cs->lock, flags);
25481 spin_unlock_irqrestore(&cs->lock, flags);
25482 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
25484 if (!cs->connected)
25485 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25486 - else if (!cs->open_count)
25487 + else if (!atomic_read(&cs->open_count))
25488 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25490 - if (!--cs->open_count) {
25491 + if (!atomic_dec_return(&cs->open_count)) {
25492 spin_lock_irqsave(&cs->lock, flags);
25494 spin_unlock_irqrestore(&cs->lock, flags);
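Review bot: In if_close the zero test `!atomic_read(&cs->open_count)` and the later `atomic_dec_return(&cs->open_count)` are still two separate operations, so converting the field to `atomic_t` does not by itself make the test-then-decrement sequence safe. If a lock taken outside this hunk already serialises open and close (the `-ERESTARTSYS` return in if_open suggests an interruptible lock), the sequence is fine. In that case a comment on the field in gigaset.h would help, e.g. `/* changed only under the cardstate lock; atomic_t is used for its overflow checking */`. If no such lock is held, two concurrent closes could both pass the zero test and drive the count negative.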
25495 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
25496 if (!cs->connected) {
25497 gig_dbg(DEBUG_IF, "not connected");
25499 - } else if (!cs->open_count)
25500 + } else if (!atomic_read(&cs->open_count))
25501 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25504 @@ -355,7 +353,7 @@ static int if_write(struct tty_struct *t
25505 if (!cs->connected) {
25506 gig_dbg(DEBUG_IF, "not connected");
25508 - } else if (!cs->open_count)
25509 + } else if (!atomic_read(&cs->open_count))
25510 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25511 else if (cs->mstate != MS_LOCKED) {
25512 dev_warn(cs->dev, "can't write to unlocked device\n");
25513 @@ -389,7 +387,7 @@ static int if_write_room(struct tty_stru
25514 if (!cs->connected) {
25515 gig_dbg(DEBUG_IF, "not connected");
25517 - } else if (!cs->open_count)
25518 + } else if (!atomic_read(&cs->open_count))
25519 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25520 else if (cs->mstate != MS_LOCKED) {
25521 dev_warn(cs->dev, "can't write to unlocked device\n");
25522 @@ -419,7 +417,7 @@ static int if_chars_in_buffer(struct tty
25524 if (!cs->connected)
25525 gig_dbg(DEBUG_IF, "not connected");
25526 - else if (!cs->open_count)
25527 + else if (!atomic_read(&cs->open_count))
25528 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25529 else if (cs->mstate != MS_LOCKED)
25530 dev_warn(cs->dev, "can't write to unlocked device\n");
25531 @@ -447,7 +445,7 @@ static void if_throttle(struct tty_struc
25533 if (!cs->connected)
25534 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25535 - else if (!cs->open_count)
25536 + else if (!atomic_read(&cs->open_count))
25537 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25539 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25540 @@ -471,7 +469,7 @@ static void if_unthrottle(struct tty_str
25542 if (!cs->connected)
25543 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25544 - else if (!cs->open_count)
25545 + else if (!atomic_read(&cs->open_count))
25546 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25548 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25549 @@ -502,7 +500,7 @@ static void if_set_termios(struct tty_st
25553 - if (!cs->open_count) {
25554 + if (!atomic_read(&cs->open_count)) {
25555 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25558 diff -urNp linux-2.6.35.5/drivers/isdn/hardware/avm/b1.c linux-2.6.35.5/drivers/isdn/hardware/avm/b1.c
25559 --- linux-2.6.35.5/drivers/isdn/hardware/avm/b1.c 2010-08-26 19:47:12.000000000 -0400
25560 +++ linux-2.6.35.5/drivers/isdn/hardware/avm/b1.c 2010-09-17 20:12:37.000000000 -0400
25561 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
25564 if (t4file->user) {
25565 - if (copy_from_user(buf, dp, left))
25566 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
25569 memcpy(buf, dp, left);
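Review bot: The added `left > sizeof(buf)` bound covers only the `copy_from_user` branch, while the `memcpy(buf, dp, left)` on the last line of this hunk copies the same `left` into the same `buf` with no check. Unless `left` is already limited to the buffer size earlier in b1_load_t4file (outside the hunk), the test should be hoisted above the `if (t4file->user)` branch as its own `if (left > sizeof(buf))`, returning the error the function already uses for a failed copy. The same applies to the b1_load_config hunk below and to `memcpy(msg, buf, count)` in the icn_writecmd hunk in drivers/isdn/icn/icn.c.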
25570 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
25573 if (config->user) {
25574 - if (copy_from_user(buf, dp, left))
25575 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
25578 memcpy(buf, dp, left);
25579 diff -urNp linux-2.6.35.5/drivers/isdn/icn/icn.c linux-2.6.35.5/drivers/isdn/icn/icn.c
25580 --- linux-2.6.35.5/drivers/isdn/icn/icn.c 2010-08-26 19:47:12.000000000 -0400
25581 +++ linux-2.6.35.5/drivers/isdn/icn/icn.c 2010-09-17 20:12:37.000000000 -0400
25582 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
25586 - if (copy_from_user(msg, buf, count))
25587 + if (count > sizeof(msg) || copy_from_user(msg, buf, count))
25590 memcpy(msg, buf, count);
25591 diff -urNp linux-2.6.35.5/drivers/lguest/core.c linux-2.6.35.5/drivers/lguest/core.c
25592 --- linux-2.6.35.5/drivers/lguest/core.c 2010-08-26 19:47:12.000000000 -0400
25593 +++ linux-2.6.35.5/drivers/lguest/core.c 2010-09-17 20:12:09.000000000 -0400
25594 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
25595 * it's worked so far. The end address needs +1 because __get_vm_area
25596 * allocates an extra guard page, so we need space for that.
25599 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25600 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25601 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
25602 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25604 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25605 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
25606 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25609 if (!switcher_vma) {
25611 printk("lguest: could not map switcher pages high\n");
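Review bot: The two `__get_vm_area` calls differ only in the `VM_KERNEXEC` flag, so the size and address arithmetic is now duplicated and has to be kept in sync by hand. Selecting just the flags in the preprocessor block and keeping a single call would leave one copy of the range computation, e.g. `#define SWITCHER_VM_FLAGS (VM_ALLOC | VM_KERNEXEC)` in the PAX branch and `#define SWITCHER_VM_FLAGS VM_ALLOC` otherwise. map_switcher starts and ends outside this hunk.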
25612 diff -urNp linux-2.6.35.5/drivers/macintosh/via-pmu-backlight.c linux-2.6.35.5/drivers/macintosh/via-pmu-backlight.c
25613 --- linux-2.6.35.5/drivers/macintosh/via-pmu-backlight.c 2010-08-26 19:47:12.000000000 -0400
25614 +++ linux-2.6.35.5/drivers/macintosh/via-pmu-backlight.c 2010-09-17 20:12:09.000000000 -0400
25617 #define MAX_PMU_LEVEL 0xFF
25619 -static struct backlight_ops pmu_backlight_data;
25620 +static const struct backlight_ops pmu_backlight_data;
25621 static DEFINE_SPINLOCK(pmu_backlight_lock);
25622 static int sleeping, uses_pmu_bl;
25623 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
25624 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
25625 return bd->props.brightness;
25628 -static struct backlight_ops pmu_backlight_data = {
25629 +static const struct backlight_ops pmu_backlight_data = {
25630 .get_brightness = pmu_backlight_get_brightness,
25631 .update_status = pmu_backlight_update_status,
25633 diff -urNp linux-2.6.35.5/drivers/macintosh/via-pmu.c linux-2.6.35.5/drivers/macintosh/via-pmu.c
25634 --- linux-2.6.35.5/drivers/macintosh/via-pmu.c 2010-08-26 19:47:12.000000000 -0400
25635 +++ linux-2.6.35.5/drivers/macintosh/via-pmu.c 2010-09-17 20:12:09.000000000 -0400
25636 @@ -2254,7 +2254,7 @@ static int pmu_sleep_valid(suspend_state
25637 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
25640 -static struct platform_suspend_ops pmu_pm_ops = {
25641 +static const struct platform_suspend_ops pmu_pm_ops = {
25642 .enter = powerbook_sleep,
25643 .valid = pmu_sleep_valid,
25645 diff -urNp linux-2.6.35.5/drivers/md/bitmap.c linux-2.6.35.5/drivers/md/bitmap.c
25646 --- linux-2.6.35.5/drivers/md/bitmap.c 2010-08-26 19:47:12.000000000 -0400
25647 +++ linux-2.6.35.5/drivers/md/bitmap.c 2010-09-17 20:12:09.000000000 -0400
25650 # define PRINTK(x...) printk(KERN_DEBUG x)
25652 -# define PRINTK(x...)
25653 +# define PRINTK(x...) do {} while (0)
25657 diff -urNp linux-2.6.35.5/drivers/md/dm-table.c linux-2.6.35.5/drivers/md/dm-table.c
25658 --- linux-2.6.35.5/drivers/md/dm-table.c 2010-08-26 19:47:12.000000000 -0400
25659 +++ linux-2.6.35.5/drivers/md/dm-table.c 2010-09-17 20:12:09.000000000 -0400
25660 @@ -363,7 +363,7 @@ static int device_area_is_invalid(struct
25664 - if ((start >= dev_size) || (start + len > dev_size)) {
25665 + if ((start >= dev_size) || (len > dev_size - start)) {
25666 DMWARN("%s: %s too small for target: "
25667 "start=%llu, len=%llu, dev_size=%llu",
25668 dm_device_name(ti->table->md), bdevname(bdev, b),
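Review bot: The rewritten bound `len > dev_size - start` has no comment explaining why it is a subtraction, so a later cleanup could turn it back into the `start + len > dev_size` form, which can wrap. A one-line comment above the `if` would preserve the reasoning: `/* start < dev_size is tested first, so dev_size - start cannot underflow and no sum can wrap */`. The enclosing function continues outside the hunk.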
25669 diff -urNp linux-2.6.35.5/drivers/md/md.c linux-2.6.35.5/drivers/md/md.c
25670 --- linux-2.6.35.5/drivers/md/md.c 2010-08-26 19:47:12.000000000 -0400
25671 +++ linux-2.6.35.5/drivers/md/md.c 2010-09-17 20:12:09.000000000 -0400
25672 @@ -6352,7 +6352,7 @@ static int md_seq_show(struct seq_file *
25673 chunk_kb ? "KB" : "B");
25674 if (bitmap->file) {
25675 seq_printf(seq, ", file: ");
25676 - seq_path(seq, &bitmap->file->f_path, " \t\n");
25677 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
25680 seq_printf(seq, "\n");
25681 @@ -6446,7 +6446,7 @@ static int is_mddev_idle(mddev_t *mddev,
25682 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
25683 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
25684 (int)part_stat_read(&disk->part0, sectors[1]) -
25685 - atomic_read(&disk->sync_io);
25686 + atomic_read_unchecked(&disk->sync_io);
25687 /* sync IO will cause sync_io to increase before the disk_stats
25688 * as sync_io is counted when a request starts, and
25689 * disk_stats is counted when it completes.
25690 diff -urNp linux-2.6.35.5/drivers/md/md.h linux-2.6.35.5/drivers/md/md.h
25691 --- linux-2.6.35.5/drivers/md/md.h 2010-08-26 19:47:12.000000000 -0400
25692 +++ linux-2.6.35.5/drivers/md/md.h 2010-09-17 20:12:09.000000000 -0400
25693 @@ -334,7 +334,7 @@ static inline void rdev_dec_pending(mdk_
25695 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
25697 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25698 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25701 struct mdk_personality
25702 diff -urNp linux-2.6.35.5/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.35.5/drivers/media/dvb/dvb-core/dvbdev.c
25703 --- linux-2.6.35.5/drivers/media/dvb/dvb-core/dvbdev.c 2010-08-26 19:47:12.000000000 -0400
25704 +++ linux-2.6.35.5/drivers/media/dvb/dvb-core/dvbdev.c 2010-09-17 20:12:09.000000000 -0400
25705 @@ -196,6 +196,7 @@ int dvb_register_device(struct dvb_adapt
25706 const struct dvb_device *template, void *priv, int type)
25708 struct dvb_device *dvbdev;
25709 + /* cannot be const, see this function */
25710 struct file_operations *dvbdevfops;
25711 struct device *clsdev;
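Review bot: The added comment `/* cannot be const, see this function */` does not say what in dvb_register_device prevents the qualifier, and the reader has to search the body, which lies outside this hunk, to find out. If the function writes through `dvbdevfops`, as the comment implies, stating that is more useful: `/* not const: the function modifies the file_operations it points to */`.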
25713 diff -urNp linux-2.6.35.5/drivers/media/radio/radio-cadet.c linux-2.6.35.5/drivers/media/radio/radio-cadet.c
25714 --- linux-2.6.35.5/drivers/media/radio/radio-cadet.c 2010-08-26 19:47:12.000000000 -0400
25715 +++ linux-2.6.35.5/drivers/media/radio/radio-cadet.c 2010-09-17 20:12:37.000000000 -0400
25716 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
25717 while (i < count && dev->rdsin != dev->rdsout)
25718 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
25720 - if (copy_to_user(data, readbuf, i))
25721 + if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
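Review bot: The added `i > sizeof(readbuf)` test runs after the `while` loop above it has already stored `i` bytes into `readbuf`, so it cannot prevent an overrun of that array and only stops the copy-out. Unless `count` or the distance between `rdsin` and `rdsout` is bounded outside this hunk, the limit belongs in the loop condition: `while (i < count && i < sizeof(readbuf) && dev->rdsin != dev->rdsout)`. cadet_read starts and ends outside the hunk.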
25725 diff -urNp linux-2.6.35.5/drivers/message/fusion/mptbase.c linux-2.6.35.5/drivers/message/fusion/mptbase.c
25726 --- linux-2.6.35.5/drivers/message/fusion/mptbase.c 2010-08-26 19:47:12.000000000 -0400
25727 +++ linux-2.6.35.5/drivers/message/fusion/mptbase.c 2010-09-17 20:12:37.000000000 -0400
25728 @@ -6715,8 +6715,14 @@ procmpt_iocinfo_read(char *buf, char **s
25729 len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
25730 len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
25732 +#ifdef CONFIG_GRKERNSEC_HIDESYM
25733 + len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25736 len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25737 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
25741 * Rounding UP to nearest 4-kB boundary here...
25743 diff -urNp linux-2.6.35.5/drivers/message/fusion/mptdebug.h linux-2.6.35.5/drivers/message/fusion/mptdebug.h
25744 --- linux-2.6.35.5/drivers/message/fusion/mptdebug.h 2010-08-26 19:47:12.000000000 -0400
25745 +++ linux-2.6.35.5/drivers/message/fusion/mptdebug.h 2010-09-17 20:12:09.000000000 -0400
25750 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
25751 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
25755 diff -urNp linux-2.6.35.5/drivers/message/fusion/mptsas.c linux-2.6.35.5/drivers/message/fusion/mptsas.c
25756 --- linux-2.6.35.5/drivers/message/fusion/mptsas.c 2010-08-26 19:47:12.000000000 -0400
25757 +++ linux-2.6.35.5/drivers/message/fusion/mptsas.c 2010-09-17 20:12:09.000000000 -0400
25758 @@ -437,6 +437,23 @@ mptsas_is_end_device(struct mptsas_devin
25762 +static inline void
25763 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25765 + if (phy_info->port_details) {
25766 + phy_info->port_details->rphy = rphy;
25767 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25768 + ioc->name, rphy));
25772 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25773 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25774 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25775 + ioc->name, rphy, rphy->dev.release));
25781 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
25782 @@ -475,23 +492,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
25786 -static inline void
25787 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25789 - if (phy_info->port_details) {
25790 - phy_info->port_details->rphy = rphy;
25791 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25792 - ioc->name, rphy));
25796 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25797 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25798 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25799 - ioc->name, rphy, rphy->dev.release));
25803 static inline struct sas_port *
25804 mptsas_get_port(struct mptsas_phyinfo *phy_info)
25806 diff -urNp linux-2.6.35.5/drivers/message/i2o/i2o_proc.c linux-2.6.35.5/drivers/message/i2o/i2o_proc.c
25807 --- linux-2.6.35.5/drivers/message/i2o/i2o_proc.c 2010-08-26 19:47:12.000000000 -0400
25808 +++ linux-2.6.35.5/drivers/message/i2o/i2o_proc.c 2010-09-17 20:12:09.000000000 -0400
25809 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
25810 "Array Controller Device"
25813 -static char *chtostr(u8 * chars, int n)
25817 - return strncat(tmp, (char *)chars, n);
25820 static int i2o_report_query_status(struct seq_file *seq, int block_status,
25823 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
25825 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
25826 seq_printf(seq, "%-#8x", ddm_table.module_id);
25827 - seq_printf(seq, "%-29s",
25828 - chtostr(ddm_table.module_name_version, 28));
25829 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
25830 seq_printf(seq, "%9d ", ddm_table.data_size);
25831 seq_printf(seq, "%8d", ddm_table.code_size);
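Review bot: Replacing `"%-29s"` with `"%-.28s"` drops the field width, so the module name is no longer padded to 29 columns and the `%9d` and `%8d` fields that follow lose their alignment in the table. Keeping both width and precision preserves the layout while still bounding the read: `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`. The i2o_seq_show_drivers_stored hunk below has the same change and would need `"%-29.28s"` and `"%-9.8s"`.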
25833 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
25835 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
25836 seq_printf(seq, "%-#8x", dst->module_id);
25837 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
25838 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
25839 + seq_printf(seq, "%-.28s", dst->module_name_version);
25840 + seq_printf(seq, "%-.8s", dst->date);
25841 seq_printf(seq, "%8d ", dst->module_size);
25842 seq_printf(seq, "%8d ", dst->mpb_size);
25843 seq_printf(seq, "0x%04x", dst->module_flags);
25844 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
25845 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
25846 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
25847 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
25848 - seq_printf(seq, "Vendor info : %s\n",
25849 - chtostr((u8 *) (work32 + 2), 16));
25850 - seq_printf(seq, "Product info : %s\n",
25851 - chtostr((u8 *) (work32 + 6), 16));
25852 - seq_printf(seq, "Description : %s\n",
25853 - chtostr((u8 *) (work32 + 10), 16));
25854 - seq_printf(seq, "Product rev. : %s\n",
25855 - chtostr((u8 *) (work32 + 14), 8));
25856 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
25857 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
25858 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
25859 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
25861 seq_printf(seq, "Serial number : ");
25862 print_serial_number(seq, (u8 *) (work32 + 16),
25863 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
25866 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
25867 - seq_printf(seq, "Module name : %s\n",
25868 - chtostr(result.module_name, 24));
25869 - seq_printf(seq, "Module revision : %s\n",
25870 - chtostr(result.module_rev, 8));
25871 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
25872 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
25874 seq_printf(seq, "Serial number : ");
25875 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
25876 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
25880 - seq_printf(seq, "Device name : %s\n",
25881 - chtostr(result.device_name, 64));
25882 - seq_printf(seq, "Service name : %s\n",
25883 - chtostr(result.service_name, 64));
25884 - seq_printf(seq, "Physical name : %s\n",
25885 - chtostr(result.physical_location, 64));
25886 - seq_printf(seq, "Instance number : %s\n",
25887 - chtostr(result.instance_number, 4));
25888 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
25889 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
25890 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
25891 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
25895 diff -urNp linux-2.6.35.5/drivers/mfd/janz-cmodio.c linux-2.6.35.5/drivers/mfd/janz-cmodio.c
25896 --- linux-2.6.35.5/drivers/mfd/janz-cmodio.c 2010-08-26 19:47:12.000000000 -0400
25897 +++ linux-2.6.35.5/drivers/mfd/janz-cmodio.c 2010-09-17 20:12:09.000000000 -0400
25900 #include <linux/kernel.h>
25901 #include <linux/module.h>
25902 +#include <linux/slab.h>
25903 #include <linux/init.h>
25904 #include <linux/pci.h>
25905 #include <linux/interrupt.h>
25906 diff -urNp linux-2.6.35.5/drivers/misc/kgdbts.c linux-2.6.35.5/drivers/misc/kgdbts.c
25907 --- linux-2.6.35.5/drivers/misc/kgdbts.c 2010-08-26 19:47:12.000000000 -0400
25908 +++ linux-2.6.35.5/drivers/misc/kgdbts.c 2010-09-17 20:12:09.000000000 -0400
25909 @@ -118,7 +118,7 @@
25911 #define MAX_CONFIG_LEN 40
25913 -static struct kgdb_io kgdbts_io_ops;
25914 +static const struct kgdb_io kgdbts_io_ops;
25915 static char get_buf[BUFMAX];
25916 static int get_buf_cnt;
25917 static char put_buf[BUFMAX];
25918 @@ -1114,7 +1114,7 @@ static void kgdbts_post_exp_handler(void
25919 module_put(THIS_MODULE);
25922 -static struct kgdb_io kgdbts_io_ops = {
25923 +static const struct kgdb_io kgdbts_io_ops = {
25925 .read_char = kgdbts_get_char,
25926 .write_char = kgdbts_put_char,
25927 diff -urNp linux-2.6.35.5/drivers/misc/sgi-gru/gruhandles.c linux-2.6.35.5/drivers/misc/sgi-gru/gruhandles.c
25928 --- linux-2.6.35.5/drivers/misc/sgi-gru/gruhandles.c 2010-08-26 19:47:12.000000000 -0400
25929 +++ linux-2.6.35.5/drivers/misc/sgi-gru/gruhandles.c 2010-09-17 20:12:09.000000000 -0400
25930 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
25931 unsigned long nsec;
25933 nsec = CLKS2NSEC(clks);
25934 - atomic_long_inc(&mcs_op_statistics[op].count);
25935 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
25936 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
25937 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
25938 if (mcs_op_statistics[op].max < nsec)
25939 mcs_op_statistics[op].max = nsec;
25941 diff -urNp linux-2.6.35.5/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.35.5/drivers/misc/sgi-gru/gruprocfs.c
25942 --- linux-2.6.35.5/drivers/misc/sgi-gru/gruprocfs.c 2010-08-26 19:47:12.000000000 -0400
25943 +++ linux-2.6.35.5/drivers/misc/sgi-gru/gruprocfs.c 2010-09-17 20:12:09.000000000 -0400
25946 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
25948 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
25949 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
25951 - unsigned long val = atomic_long_read(v);
25952 + unsigned long val = atomic_long_read_unchecked(v);
25954 seq_printf(s, "%16lu %s\n", val, id);
25956 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
25958 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
25959 for (op = 0; op < mcsop_last; op++) {
25960 - count = atomic_long_read(&mcs_op_statistics[op].count);
25961 - total = atomic_long_read(&mcs_op_statistics[op].total);
25962 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
25963 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
25964 max = mcs_op_statistics[op].max;
25965 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
25966 count ? total / count : 0, max);
25967 diff -urNp linux-2.6.35.5/drivers/misc/sgi-gru/grutables.h linux-2.6.35.5/drivers/misc/sgi-gru/grutables.h
25968 --- linux-2.6.35.5/drivers/misc/sgi-gru/grutables.h 2010-08-26 19:47:12.000000000 -0400
25969 +++ linux-2.6.35.5/drivers/misc/sgi-gru/grutables.h 2010-09-17 20:12:09.000000000 -0400
25970 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
25973 struct gru_stats_s {
25974 - atomic_long_t vdata_alloc;
25975 - atomic_long_t vdata_free;
25976 - atomic_long_t gts_alloc;
25977 - atomic_long_t gts_free;
25978 - atomic_long_t gms_alloc;
25979 - atomic_long_t gms_free;
25980 - atomic_long_t gts_double_allocate;
25981 - atomic_long_t assign_context;
25982 - atomic_long_t assign_context_failed;
25983 - atomic_long_t free_context;
25984 - atomic_long_t load_user_context;
25985 - atomic_long_t load_kernel_context;
25986 - atomic_long_t lock_kernel_context;
25987 - atomic_long_t unlock_kernel_context;
25988 - atomic_long_t steal_user_context;
25989 - atomic_long_t steal_kernel_context;
25990 - atomic_long_t steal_context_failed;
25991 - atomic_long_t nopfn;
25992 - atomic_long_t asid_new;
25993 - atomic_long_t asid_next;
25994 - atomic_long_t asid_wrap;
25995 - atomic_long_t asid_reuse;
25996 - atomic_long_t intr;
25997 - atomic_long_t intr_cbr;
25998 - atomic_long_t intr_tfh;
25999 - atomic_long_t intr_spurious;
26000 - atomic_long_t intr_mm_lock_failed;
26001 - atomic_long_t call_os;
26002 - atomic_long_t call_os_wait_queue;
26003 - atomic_long_t user_flush_tlb;
26004 - atomic_long_t user_unload_context;
26005 - atomic_long_t user_exception;
26006 - atomic_long_t set_context_option;
26007 - atomic_long_t check_context_retarget_intr;
26008 - atomic_long_t check_context_unload;
26009 - atomic_long_t tlb_dropin;
26010 - atomic_long_t tlb_preload_page;
26011 - atomic_long_t tlb_dropin_fail_no_asid;
26012 - atomic_long_t tlb_dropin_fail_upm;
26013 - atomic_long_t tlb_dropin_fail_invalid;
26014 - atomic_long_t tlb_dropin_fail_range_active;
26015 - atomic_long_t tlb_dropin_fail_idle;
26016 - atomic_long_t tlb_dropin_fail_fmm;
26017 - atomic_long_t tlb_dropin_fail_no_exception;
26018 - atomic_long_t tfh_stale_on_fault;
26019 - atomic_long_t mmu_invalidate_range;
26020 - atomic_long_t mmu_invalidate_page;
26021 - atomic_long_t flush_tlb;
26022 - atomic_long_t flush_tlb_gru;
26023 - atomic_long_t flush_tlb_gru_tgh;
26024 - atomic_long_t flush_tlb_gru_zero_asid;
26026 - atomic_long_t copy_gpa;
26027 - atomic_long_t read_gpa;
26029 - atomic_long_t mesq_receive;
26030 - atomic_long_t mesq_receive_none;
26031 - atomic_long_t mesq_send;
26032 - atomic_long_t mesq_send_failed;
26033 - atomic_long_t mesq_noop;
26034 - atomic_long_t mesq_send_unexpected_error;
26035 - atomic_long_t mesq_send_lb_overflow;
26036 - atomic_long_t mesq_send_qlimit_reached;
26037 - atomic_long_t mesq_send_amo_nacked;
26038 - atomic_long_t mesq_send_put_nacked;
26039 - atomic_long_t mesq_page_overflow;
26040 - atomic_long_t mesq_qf_locked;
26041 - atomic_long_t mesq_qf_noop_not_full;
26042 - atomic_long_t mesq_qf_switch_head_failed;
26043 - atomic_long_t mesq_qf_unexpected_error;
26044 - atomic_long_t mesq_noop_unexpected_error;
26045 - atomic_long_t mesq_noop_lb_overflow;
26046 - atomic_long_t mesq_noop_qlimit_reached;
26047 - atomic_long_t mesq_noop_amo_nacked;
26048 - atomic_long_t mesq_noop_put_nacked;
26049 - atomic_long_t mesq_noop_page_overflow;
26050 + atomic_long_unchecked_t vdata_alloc;
26051 + atomic_long_unchecked_t vdata_free;
26052 + atomic_long_unchecked_t gts_alloc;
26053 + atomic_long_unchecked_t gts_free;
26054 + atomic_long_unchecked_t gms_alloc;
26055 + atomic_long_unchecked_t gms_free;
26056 + atomic_long_unchecked_t gts_double_allocate;
26057 + atomic_long_unchecked_t assign_context;
26058 + atomic_long_unchecked_t assign_context_failed;
26059 + atomic_long_unchecked_t free_context;
26060 + atomic_long_unchecked_t load_user_context;
26061 + atomic_long_unchecked_t load_kernel_context;
26062 + atomic_long_unchecked_t lock_kernel_context;
26063 + atomic_long_unchecked_t unlock_kernel_context;
26064 + atomic_long_unchecked_t steal_user_context;
26065 + atomic_long_unchecked_t steal_kernel_context;
26066 + atomic_long_unchecked_t steal_context_failed;
26067 + atomic_long_unchecked_t nopfn;
26068 + atomic_long_unchecked_t asid_new;
26069 + atomic_long_unchecked_t asid_next;
26070 + atomic_long_unchecked_t asid_wrap;
26071 + atomic_long_unchecked_t asid_reuse;
26072 + atomic_long_unchecked_t intr;
26073 + atomic_long_unchecked_t intr_cbr;
26074 + atomic_long_unchecked_t intr_tfh;
26075 + atomic_long_unchecked_t intr_spurious;
26076 + atomic_long_unchecked_t intr_mm_lock_failed;
26077 + atomic_long_unchecked_t call_os;
26078 + atomic_long_unchecked_t call_os_wait_queue;
26079 + atomic_long_unchecked_t user_flush_tlb;
26080 + atomic_long_unchecked_t user_unload_context;
26081 + atomic_long_unchecked_t user_exception;
26082 + atomic_long_unchecked_t set_context_option;
26083 + atomic_long_unchecked_t check_context_retarget_intr;
26084 + atomic_long_unchecked_t check_context_unload;
26085 + atomic_long_unchecked_t tlb_dropin;
26086 + atomic_long_unchecked_t tlb_preload_page;
26087 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26088 + atomic_long_unchecked_t tlb_dropin_fail_upm;
26089 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
26090 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
26091 + atomic_long_unchecked_t tlb_dropin_fail_idle;
26092 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
26093 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26094 + atomic_long_unchecked_t tfh_stale_on_fault;
26095 + atomic_long_unchecked_t mmu_invalidate_range;
26096 + atomic_long_unchecked_t mmu_invalidate_page;
26097 + atomic_long_unchecked_t flush_tlb;
26098 + atomic_long_unchecked_t flush_tlb_gru;
26099 + atomic_long_unchecked_t flush_tlb_gru_tgh;
26100 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
26102 + atomic_long_unchecked_t copy_gpa;
26103 + atomic_long_unchecked_t read_gpa;
26105 + atomic_long_unchecked_t mesq_receive;
26106 + atomic_long_unchecked_t mesq_receive_none;
26107 + atomic_long_unchecked_t mesq_send;
26108 + atomic_long_unchecked_t mesq_send_failed;
26109 + atomic_long_unchecked_t mesq_noop;
26110 + atomic_long_unchecked_t mesq_send_unexpected_error;
26111 + atomic_long_unchecked_t mesq_send_lb_overflow;
26112 + atomic_long_unchecked_t mesq_send_qlimit_reached;
26113 + atomic_long_unchecked_t mesq_send_amo_nacked;
26114 + atomic_long_unchecked_t mesq_send_put_nacked;
26115 + atomic_long_unchecked_t mesq_page_overflow;
26116 + atomic_long_unchecked_t mesq_qf_locked;
26117 + atomic_long_unchecked_t mesq_qf_noop_not_full;
26118 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
26119 + atomic_long_unchecked_t mesq_qf_unexpected_error;
26120 + atomic_long_unchecked_t mesq_noop_unexpected_error;
26121 + atomic_long_unchecked_t mesq_noop_lb_overflow;
26122 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
26123 + atomic_long_unchecked_t mesq_noop_amo_nacked;
26124 + atomic_long_unchecked_t mesq_noop_put_nacked;
26125 + atomic_long_unchecked_t mesq_noop_page_overflow;
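Review bot: Nothing in the struct says why every counter moves to `atomic_long_unchecked_t`, so a later reader cannot tell whether a newly added field should use the checked or the unchecked type. A comment above `struct gru_stats_s` such as `/* statistics only: these counters may wrap and are not reference counts, hence the _unchecked type */` would record the reasoning. That assumes this is the intent; the visible hunks only show the fields being incremented through `STAT()` and printed in gruprocfs.c. The same comment fits `struct mcs_op_statistic` in the next hunk.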
26129 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
26130 tghop_invalidate, mcsop_last};
26132 struct mcs_op_statistic {
26133 - atomic_long_t count;
26134 - atomic_long_t total;
26135 + atomic_long_unchecked_t count;
26136 + atomic_long_unchecked_t total;
26140 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
26142 #define STAT(id) do { \
26143 if (gru_options & OPT_STATS) \
26144 - atomic_long_inc(&gru_stats.id); \
26145 + atomic_long_inc_unchecked(&gru_stats.id); \
26148 #ifdef CONFIG_SGI_GRU_DEBUG
26149 diff -urNp linux-2.6.35.5/drivers/mtd/devices/doc2000.c linux-2.6.35.5/drivers/mtd/devices/doc2000.c
26150 --- linux-2.6.35.5/drivers/mtd/devices/doc2000.c 2010-08-26 19:47:12.000000000 -0400
26151 +++ linux-2.6.35.5/drivers/mtd/devices/doc2000.c 2010-09-17 20:12:09.000000000 -0400
26152 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
26154 /* The ECC will not be calculated correctly if less than 512 is written */
26156 - if (len != 0x200 && eccbuf)
26157 + if (len != 0x200)
26158 printk(KERN_WARNING
26159 "ECC needs a full sector write (adr: %lx size %lx)\n",
26160 (long) to, (long) len);
26161 diff -urNp linux-2.6.35.5/drivers/mtd/devices/doc2001.c linux-2.6.35.5/drivers/mtd/devices/doc2001.c
26162 --- linux-2.6.35.5/drivers/mtd/devices/doc2001.c 2010-08-26 19:47:12.000000000 -0400
26163 +++ linux-2.6.35.5/drivers/mtd/devices/doc2001.c 2010-09-17 20:12:09.000000000 -0400
26164 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
26165 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
26167 /* Don't allow read past end of device */
26168 - if (from >= this->totlen)
26169 + if (from >= this->totlen || !len)
26172 /* Don't allow a single read to cross a 512-byte block boundary */
26173 diff -urNp linux-2.6.35.5/drivers/mtd/nand/denali.c linux-2.6.35.5/drivers/mtd/nand/denali.c
26174 --- linux-2.6.35.5/drivers/mtd/nand/denali.c 2010-08-26 19:47:12.000000000 -0400
26175 +++ linux-2.6.35.5/drivers/mtd/nand/denali.c 2010-09-17 20:12:09.000000000 -0400
26177 #include <linux/pci.h>
26178 #include <linux/mtd/mtd.h>
26179 #include <linux/module.h>
26180 +#include <linux/slab.h>
26182 #include "denali.h"
26184 diff -urNp linux-2.6.35.5/drivers/mtd/ubi/build.c linux-2.6.35.5/drivers/mtd/ubi/build.c
26185 --- linux-2.6.35.5/drivers/mtd/ubi/build.c 2010-08-26 19:47:12.000000000 -0400
26186 +++ linux-2.6.35.5/drivers/mtd/ubi/build.c 2010-09-17 20:12:09.000000000 -0400
26187 @@ -1282,7 +1282,7 @@ module_exit(ubi_exit);
26188 static int __init bytes_str_to_int(const char *str)
26191 - unsigned long result;
26192 + unsigned long result, scale = 1;
26194 result = simple_strtoul(str, &endp, 0);
26195 if (str == endp || result >= INT_MAX) {
26196 @@ -1293,11 +1293,11 @@ static int __init bytes_str_to_int(const
26208 if (endp[1] == 'i' && endp[2] == 'B')
26211 @@ -1308,7 +1308,13 @@ static int __init bytes_str_to_int(const
26216 + if ((intoverflow_t)result*scale >= INT_MAX) {
26217 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
26222 + return result*scale;
26226 diff -urNp linux-2.6.35.5/drivers/net/cxgb3/cxgb3_main.c linux-2.6.35.5/drivers/net/cxgb3/cxgb3_main.c
26227 --- linux-2.6.35.5/drivers/net/cxgb3/cxgb3_main.c 2010-08-26 19:47:12.000000000 -0400
26228 +++ linux-2.6.35.5/drivers/net/cxgb3/cxgb3_main.c 2010-09-17 20:12:37.000000000 -0400
26229 @@ -2296,6 +2296,8 @@ static int cxgb_extension_ioctl(struct n
26230 case CHELSIO_GET_QSET_NUM:{
26231 struct ch_reg edata;
26233 + memset(&edata, 0, sizeof(edata));
26235 edata.cmd = CHELSIO_GET_QSET_NUM;
26236 edata.val = pi->nqsets;
26237 if (copy_to_user(useraddr, &edata, sizeof(edata)))
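Review bot: The added `memset()` carries no comment saying why it is there, although only `cmd` and `val` are assigned in the visible lines before the whole of `edata` goes to `copy_to_user()`. A one-line comment such as `/* clear unset fields and padding before copy_to_user() */` would stop it being removed as redundant, or swapped for a member-wise initializer, which is not guaranteed to clear padding. The same pattern and the same comment apply to the `memset()` added in eql_g_master_cfg and in hso_get_count. The enclosing switch case continues outside the hunk.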
26238 diff -urNp linux-2.6.35.5/drivers/net/e1000e/82571.c linux-2.6.35.5/drivers/net/e1000e/82571.c
26239 --- linux-2.6.35.5/drivers/net/e1000e/82571.c 2010-08-26 19:47:12.000000000 -0400
26240 +++ linux-2.6.35.5/drivers/net/e1000e/82571.c 2010-09-17 20:12:09.000000000 -0400
26241 @@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_82571(s
26243 struct e1000_hw *hw = &adapter->hw;
26244 struct e1000_mac_info *mac = &hw->mac;
26245 + /* cannot be const */
26246 struct e1000_mac_operations *func = &mac->ops;
26249 @@ -1703,7 +1704,7 @@ static void e1000_clear_hw_cntrs_82571(s
26253 -static struct e1000_mac_operations e82571_mac_ops = {
26254 +static const struct e1000_mac_operations e82571_mac_ops = {
26255 /* .check_mng_mode: mac type dependent */
26256 /* .check_for_link: media type dependent */
26257 .id_led_init = e1000e_id_led_init,
26258 @@ -1725,7 +1726,7 @@ static struct e1000_mac_operations e8257
26259 .read_mac_addr = e1000_read_mac_addr_82571,
26262 -static struct e1000_phy_operations e82_phy_ops_igp = {
26263 +static const struct e1000_phy_operations e82_phy_ops_igp = {
26264 .acquire = e1000_get_hw_semaphore_82571,
26265 .check_polarity = e1000_check_polarity_igp,
26266 .check_reset_block = e1000e_check_reset_block_generic,
26267 @@ -1743,7 +1744,7 @@ static struct e1000_phy_operations e82_p
26268 .cfg_on_link_up = NULL,
26271 -static struct e1000_phy_operations e82_phy_ops_m88 = {
26272 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
26273 .acquire = e1000_get_hw_semaphore_82571,
26274 .check_polarity = e1000_check_polarity_m88,
26275 .check_reset_block = e1000e_check_reset_block_generic,
26276 @@ -1761,7 +1762,7 @@ static struct e1000_phy_operations e82_p
26277 .cfg_on_link_up = NULL,
26280 -static struct e1000_phy_operations e82_phy_ops_bm = {
26281 +static const struct e1000_phy_operations e82_phy_ops_bm = {
26282 .acquire = e1000_get_hw_semaphore_82571,
26283 .check_polarity = e1000_check_polarity_m88,
26284 .check_reset_block = e1000e_check_reset_block_generic,
26285 @@ -1779,7 +1780,7 @@ static struct e1000_phy_operations e82_p
26286 .cfg_on_link_up = NULL,
26289 -static struct e1000_nvm_operations e82571_nvm_ops = {
26290 +static const struct e1000_nvm_operations e82571_nvm_ops = {
26291 .acquire = e1000_acquire_nvm_82571,
26292 .read = e1000e_read_nvm_eerd,
26293 .release = e1000_release_nvm_82571,
26294 diff -urNp linux-2.6.35.5/drivers/net/e1000e/e1000.h linux-2.6.35.5/drivers/net/e1000e/e1000.h
26295 --- linux-2.6.35.5/drivers/net/e1000e/e1000.h 2010-08-26 19:47:12.000000000 -0400
26296 +++ linux-2.6.35.5/drivers/net/e1000e/e1000.h 2010-09-17 20:12:09.000000000 -0400
26297 @@ -377,9 +377,9 @@ struct e1000_info {
26299 u32 max_hw_frame_size;
26300 s32 (*get_variants)(struct e1000_adapter *);
26301 - struct e1000_mac_operations *mac_ops;
26302 - struct e1000_phy_operations *phy_ops;
26303 - struct e1000_nvm_operations *nvm_ops;
26304 + const struct e1000_mac_operations *mac_ops;
26305 + const struct e1000_phy_operations *phy_ops;
26306 + const struct e1000_nvm_operations *nvm_ops;
26309 /* hardware capability, feature, and workaround flags */
26310 diff -urNp linux-2.6.35.5/drivers/net/e1000e/es2lan.c linux-2.6.35.5/drivers/net/e1000e/es2lan.c
26311 --- linux-2.6.35.5/drivers/net/e1000e/es2lan.c 2010-08-26 19:47:12.000000000 -0400
26312 +++ linux-2.6.35.5/drivers/net/e1000e/es2lan.c 2010-09-17 20:12:09.000000000 -0400
26313 @@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
26315 struct e1000_hw *hw = &adapter->hw;
26316 struct e1000_mac_info *mac = &hw->mac;
26317 + /* cannot be const */
26318 struct e1000_mac_operations *func = &mac->ops;
26320 /* Set media type */
26321 @@ -1431,7 +1432,7 @@ static void e1000_clear_hw_cntrs_80003es
26325 -static struct e1000_mac_operations es2_mac_ops = {
26326 +static const struct e1000_mac_operations es2_mac_ops = {
26327 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
26328 .id_led_init = e1000e_id_led_init,
26329 .check_mng_mode = e1000e_check_mng_mode_generic,
26330 @@ -1453,7 +1454,7 @@ static struct e1000_mac_operations es2_m
26331 .setup_led = e1000e_setup_led_generic,
26334 -static struct e1000_phy_operations es2_phy_ops = {
26335 +static const struct e1000_phy_operations es2_phy_ops = {
26336 .acquire = e1000_acquire_phy_80003es2lan,
26337 .check_polarity = e1000_check_polarity_m88,
26338 .check_reset_block = e1000e_check_reset_block_generic,
26339 @@ -1471,7 +1472,7 @@ static struct e1000_phy_operations es2_p
26340 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
26343 -static struct e1000_nvm_operations es2_nvm_ops = {
26344 +static const struct e1000_nvm_operations es2_nvm_ops = {
26345 .acquire = e1000_acquire_nvm_80003es2lan,
26346 .read = e1000e_read_nvm_eerd,
26347 .release = e1000_release_nvm_80003es2lan,
26348 diff -urNp linux-2.6.35.5/drivers/net/e1000e/hw.h linux-2.6.35.5/drivers/net/e1000e/hw.h
26349 --- linux-2.6.35.5/drivers/net/e1000e/hw.h 2010-08-26 19:47:12.000000000 -0400
26350 +++ linux-2.6.35.5/drivers/net/e1000e/hw.h 2010-09-17 20:12:09.000000000 -0400
26351 @@ -791,13 +791,13 @@ struct e1000_phy_operations {
26353 /* Function pointers for the NVM. */
26354 struct e1000_nvm_operations {
26355 - s32 (*acquire)(struct e1000_hw *);
26356 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26357 - void (*release)(struct e1000_hw *);
26358 - s32 (*update)(struct e1000_hw *);
26359 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
26360 - s32 (*validate)(struct e1000_hw *);
26361 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26362 + s32 (* const acquire)(struct e1000_hw *);
26363 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26364 + void (* const release)(struct e1000_hw *);
26365 + s32 (* const update)(struct e1000_hw *);
26366 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
26367 + s32 (* const validate)(struct e1000_hw *);
26368 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26371 struct e1000_mac_info {
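Review bot: Qualifying every member of `struct e1000_nvm_operations` as `* const` means the embedded, writable instance `struct e1000_nvm_info.ops` (marked `/* cannot be const */` in the next hunk) can no longer be filled by assignment. Filling it some other way, for example with a `memcpy()` from the per-chip table, modifies const-qualified members, which C leaves undefined. How `ops` is populated is outside this diff section, so this needs confirming against the probe code. If the goal is read-only tables, the `static const struct e1000_nvm_operations` definitions together with the `const` pointers in `struct e1000_info` already provide that without const members. The same member change is made to `struct e1000_nvm_operations` in drivers/net/igb/e1000_hw.h.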
26372 @@ -877,6 +877,7 @@ struct e1000_phy_info {
26375 struct e1000_nvm_info {
26376 + /* cannot be const */
26377 struct e1000_nvm_operations ops;
26379 enum e1000_nvm_type type;
26380 diff -urNp linux-2.6.35.5/drivers/net/e1000e/ich8lan.c linux-2.6.35.5/drivers/net/e1000e/ich8lan.c
26381 --- linux-2.6.35.5/drivers/net/e1000e/ich8lan.c 2010-08-26 19:47:12.000000000 -0400
26382 +++ linux-2.6.35.5/drivers/net/e1000e/ich8lan.c 2010-09-17 20:12:09.000000000 -0400
26383 @@ -3388,7 +3388,7 @@ static void e1000_clear_hw_cntrs_ich8lan
26387 -static struct e1000_mac_operations ich8_mac_ops = {
26388 +static const struct e1000_mac_operations ich8_mac_ops = {
26389 .id_led_init = e1000e_id_led_init,
26390 .check_mng_mode = e1000_check_mng_mode_ich8lan,
26391 .check_for_link = e1000_check_for_copper_link_ich8lan,
26392 @@ -3407,7 +3407,7 @@ static struct e1000_mac_operations ich8_
26393 /* id_led_init dependent on mac type */
26396 -static struct e1000_phy_operations ich8_phy_ops = {
26397 +static const struct e1000_phy_operations ich8_phy_ops = {
26398 .acquire = e1000_acquire_swflag_ich8lan,
26399 .check_reset_block = e1000_check_reset_block_ich8lan,
26401 @@ -3421,7 +3421,7 @@ static struct e1000_phy_operations ich8_
26402 .write_reg = e1000e_write_phy_reg_igp,
26405 -static struct e1000_nvm_operations ich8_nvm_ops = {
26406 +static const struct e1000_nvm_operations ich8_nvm_ops = {
26407 .acquire = e1000_acquire_nvm_ich8lan,
26408 .read = e1000_read_nvm_ich8lan,
26409 .release = e1000_release_nvm_ich8lan,
26410 diff -urNp linux-2.6.35.5/drivers/net/eql.c linux-2.6.35.5/drivers/net/eql.c
26411 --- linux-2.6.35.5/drivers/net/eql.c 2010-08-26 19:47:12.000000000 -0400
26412 +++ linux-2.6.35.5/drivers/net/eql.c 2010-09-17 20:12:37.000000000 -0400
26413 @@ -555,6 +555,8 @@ static int eql_g_master_cfg(struct net_d
26415 master_config_t mc;
26417 + memset(&mc, 0, sizeof(mc));
26419 if (eql_is_master(dev)) {
26420 eql = netdev_priv(dev);
26421 mc.max_slaves = eql->max_slaves;
26422 diff -urNp linux-2.6.35.5/drivers/net/igb/e1000_82575.c linux-2.6.35.5/drivers/net/igb/e1000_82575.c
26423 --- linux-2.6.35.5/drivers/net/igb/e1000_82575.c 2010-08-26 19:47:12.000000000 -0400
26424 +++ linux-2.6.35.5/drivers/net/igb/e1000_82575.c 2010-09-17 20:12:09.000000000 -0400
26425 @@ -1597,7 +1597,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
26429 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
26430 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
26431 .init_hw = igb_init_hw_82575,
26432 .check_for_link = igb_check_for_link_82575,
26433 .rar_set = igb_rar_set,
26434 @@ -1605,13 +1605,13 @@ static struct e1000_mac_operations e1000
26435 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
26438 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
26439 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
26440 .acquire = igb_acquire_phy_82575,
26441 .get_cfg_done = igb_get_cfg_done_82575,
26442 .release = igb_release_phy_82575,
26445 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26446 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26447 .acquire = igb_acquire_nvm_82575,
26448 .read = igb_read_nvm_eerd,
26449 .release = igb_release_nvm_82575,
26450 diff -urNp linux-2.6.35.5/drivers/net/igb/e1000_hw.h linux-2.6.35.5/drivers/net/igb/e1000_hw.h
26451 --- linux-2.6.35.5/drivers/net/igb/e1000_hw.h 2010-08-26 19:47:12.000000000 -0400
26452 +++ linux-2.6.35.5/drivers/net/igb/e1000_hw.h 2010-09-17 20:12:09.000000000 -0400
26453 @@ -323,17 +323,17 @@ struct e1000_phy_operations {
26456 struct e1000_nvm_operations {
26457 - s32 (*acquire)(struct e1000_hw *);
26458 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26459 - void (*release)(struct e1000_hw *);
26460 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26461 + s32 (* const acquire)(struct e1000_hw *);
26462 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26463 + void (* const release)(struct e1000_hw *);
26464 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26467 struct e1000_info {
26468 s32 (*get_invariants)(struct e1000_hw *);
26469 - struct e1000_mac_operations *mac_ops;
26470 - struct e1000_phy_operations *phy_ops;
26471 - struct e1000_nvm_operations *nvm_ops;
26472 + const struct e1000_mac_operations *mac_ops;
26473 + const struct e1000_phy_operations *phy_ops;
26474 + const struct e1000_nvm_operations *nvm_ops;
26477 extern const struct e1000_info e1000_82575_info;
26478 @@ -412,6 +412,7 @@ struct e1000_phy_info {
26481 struct e1000_nvm_info {
26482 + /* cannot be const */
26483 struct e1000_nvm_operations ops;
26485 enum e1000_nvm_type type;
26486 diff -urNp linux-2.6.35.5/drivers/net/irda/vlsi_ir.c linux-2.6.35.5/drivers/net/irda/vlsi_ir.c
26487 --- linux-2.6.35.5/drivers/net/irda/vlsi_ir.c 2010-08-26 19:47:12.000000000 -0400
26488 +++ linux-2.6.35.5/drivers/net/irda/vlsi_ir.c 2010-09-17 20:12:09.000000000 -0400
26489 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
26490 /* no race - tx-ring already empty */
26491 vlsi_set_baud(idev, iobase);
26492 netif_wake_queue(ndev);
26497 /* keep the speed change pending like it would
26498 * for any len>0 packet. tx completion interrupt
26499 * will apply it when the tx ring becomes empty.
26502 spin_unlock_irqrestore(&idev->lock, flags);
26503 dev_kfree_skb_any(skb);
26504 return NETDEV_TX_OK;
26505 diff -urNp linux-2.6.35.5/drivers/net/pcnet32.c linux-2.6.35.5/drivers/net/pcnet32.c
26506 --- linux-2.6.35.5/drivers/net/pcnet32.c 2010-08-26 19:47:12.000000000 -0400
26507 +++ linux-2.6.35.5/drivers/net/pcnet32.c 2010-09-17 20:12:09.000000000 -0400
26508 @@ -82,7 +82,7 @@ static int cards_found;
26510 * VLB I/O addresses
26512 -static unsigned int pcnet32_portlist[] __initdata =
26513 +static unsigned int pcnet32_portlist[] __devinitdata =
26514 { 0x300, 0x320, 0x340, 0x360, 0 };
26516 static int pcnet32_debug;
26517 diff -urNp linux-2.6.35.5/drivers/net/ppp_generic.c linux-2.6.35.5/drivers/net/ppp_generic.c
26518 --- linux-2.6.35.5/drivers/net/ppp_generic.c 2010-08-26 19:47:12.000000000 -0400
26519 +++ linux-2.6.35.5/drivers/net/ppp_generic.c 2010-09-17 20:12:09.000000000 -0400
26520 @@ -992,7 +992,6 @@ ppp_net_ioctl(struct net_device *dev, st
26521 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
26522 struct ppp_stats stats;
26523 struct ppp_comp_stats cstats;
26527 case SIOCGPPPSTATS:
26528 @@ -1014,8 +1013,7 @@ ppp_net_ioctl(struct net_device *dev, st
26532 - vers = PPP_VERSION;
26533 - if (copy_to_user(addr, vers, strlen(vers) + 1))
26534 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
26538 diff -urNp linux-2.6.35.5/drivers/net/tg3.c linux-2.6.35.5/drivers/net/tg3.c
26539 --- linux-2.6.35.5/drivers/net/tg3.c 2010-08-26 19:47:12.000000000 -0400
26540 +++ linux-2.6.35.5/drivers/net/tg3.c 2010-09-17 20:12:09.000000000 -0400
26541 @@ -12410,7 +12410,7 @@ static void __devinit tg3_read_vpd(struc
26542 cnt = pci_read_vpd(tp->pdev, pos,
26543 TG3_NVM_VPD_LEN - pos,
26545 - if (cnt == -ETIMEDOUT || -EINTR)
26546 + if (cnt == -ETIMEDOUT || cnt == -EINTR)
26549 goto out_not_found;
26550 diff -urNp linux-2.6.35.5/drivers/net/tg3.h linux-2.6.35.5/drivers/net/tg3.h
26551 --- linux-2.6.35.5/drivers/net/tg3.h 2010-08-26 19:47:12.000000000 -0400
26552 +++ linux-2.6.35.5/drivers/net/tg3.h 2010-09-17 20:12:09.000000000 -0400
26553 @@ -130,6 +130,7 @@
26554 #define CHIPREV_ID_5750_A0 0x4000
26555 #define CHIPREV_ID_5750_A1 0x4001
26556 #define CHIPREV_ID_5750_A3 0x4003
26557 +#define CHIPREV_ID_5750_C1 0x4201
26558 #define CHIPREV_ID_5750_C2 0x4202
26559 #define CHIPREV_ID_5752_A0_HW 0x5000
26560 #define CHIPREV_ID_5752_A0 0x6000
26561 diff -urNp linux-2.6.35.5/drivers/net/tulip/de4x5.c linux-2.6.35.5/drivers/net/tulip/de4x5.c
26562 --- linux-2.6.35.5/drivers/net/tulip/de4x5.c 2010-08-26 19:47:12.000000000 -0400
26563 +++ linux-2.6.35.5/drivers/net/tulip/de4x5.c 2010-09-17 20:12:37.000000000 -0400
26564 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
26565 for (i=0; i<ETH_ALEN; i++) {
26566 tmp.addr[i] = dev->dev_addr[i];
26568 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26569 + if (ioc->len > sizeof(tmp.addr) || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26572 case DE4X5_SET_HWADDR: /* Set the hardware address */
26573 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
26574 spin_lock_irqsave(&lp->lock, flags);
26575 memcpy(&statbuf, &lp->pktStats, ioc->len);
26576 spin_unlock_irqrestore(&lp->lock, flags);
26577 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
26578 + if (ioc->len > sizeof(statbuf) || copy_to_user(ioc->data, &statbuf, ioc->len))
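Review bot: The new `ioc->len > sizeof(statbuf)` test runs only after `memcpy(&statbuf, &lp->pktStats, ioc->len)` has already used the same caller-supplied length, so an oversized `ioc->len` is still copied into `statbuf` before the request is rejected. The bound belongs before the lock is taken, e.g. `if (ioc->len > sizeof(statbuf)) return -EFAULT;` ahead of `spin_lock_irqsave()`, after which the `copy_to_user()` condition can stay as it was. The first hunk of this file has the order right, because nothing there uses `ioc->len` before the check. The enclosing switch case starts and ends outside the hunk.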
26582 @@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
26583 tmp.lval[6] = inl(DE4X5_STRR); j+=4;
26584 tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
26586 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26587 + if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
26590 #define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
26591 diff -urNp linux-2.6.35.5/drivers/net/usb/hso.c linux-2.6.35.5/drivers/net/usb/hso.c
26592 --- linux-2.6.35.5/drivers/net/usb/hso.c 2010-08-26 19:47:12.000000000 -0400
26593 +++ linux-2.6.35.5/drivers/net/usb/hso.c 2010-09-17 20:12:37.000000000 -0400
26594 @@ -258,7 +258,7 @@ struct hso_serial {
26596 /* from usb_serial_port */
26597 struct tty_struct *tty;
26599 + atomic_t open_count;
26600 spinlock_t serial_lock;
26602 int (*write_data) (struct hso_serial *serial);
26603 @@ -1201,7 +1201,7 @@ static void put_rxbuf_data_and_resubmit_
26606 urb = serial->rx_urb[0];
26607 - if (serial->open_count > 0) {
26608 + if (atomic_read(&serial->open_count) > 0) {
26609 count = put_rxbuf_data(urb, serial);
26612 @@ -1237,7 +1237,7 @@ static void hso_std_serial_read_bulk_cal
26613 DUMP1(urb->transfer_buffer, urb->actual_length);
26615 /* Anyone listening? */
26616 - if (serial->open_count == 0)
26617 + if (atomic_read(&serial->open_count) == 0)
26621 @@ -1332,8 +1332,7 @@ static int hso_serial_open(struct tty_st
26622 spin_unlock_irq(&serial->serial_lock);
26624 /* check for port already opened, if not set the termios */
26625 - serial->open_count++;
26626 - if (serial->open_count == 1) {
26627 + if (atomic_inc_return(&serial->open_count) == 1) {
26628 serial->rx_state = RX_IDLE;
26629 /* Force default termio settings */
26630 _hso_serial_set_termios(tty, NULL);
26631 @@ -1345,7 +1344,7 @@ static int hso_serial_open(struct tty_st
26632 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
26634 hso_stop_serial_device(serial->parent);
26635 - serial->open_count--;
26636 + atomic_dec(&serial->open_count);
26637 kref_put(&serial->parent->ref, hso_serial_ref_free);
26640 @@ -1382,10 +1381,10 @@ static void hso_serial_close(struct tty_
26642 /* reset the rts and dtr */
26643 /* do the actual close */
26644 - serial->open_count--;
26645 + atomic_dec(&serial->open_count);
26647 - if (serial->open_count <= 0) {
26648 - serial->open_count = 0;
26649 + if (atomic_read(&serial->open_count) <= 0) {
26650 + atomic_set(&serial->open_count, 0);
26651 spin_lock_irq(&serial->serial_lock);
26652 if (serial->tty == tty) {
26653 serial->tty->driver_data = NULL;
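Review bot: In hso_serial_close the counter is now updated in three separate atomic steps, `atomic_dec()`, `atomic_read()` and `atomic_set(..., 0)`, so the decision to tear down is made on a value that can have changed since the decrement, unless a lock taken outside the hunk serialises open and close. The open path in the earlier hunk already uses the combined form (`atomic_inc_return(...) == 1`), and close should mirror it: `if (atomic_dec_return(&serial->open_count) <= 0) {`. The clamp back to 0 also hides an unbalanced close, so a `WARN_ON()` on a negative result would make that case visible instead of silently resetting it. The function body starts and ends outside the hunk.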
26654 @@ -1467,7 +1466,7 @@ static void hso_serial_set_termios(struc
26656 /* the actual setup */
26657 spin_lock_irqsave(&serial->serial_lock, flags);
26658 - if (serial->open_count)
26659 + if (atomic_read(&serial->open_count))
26660 _hso_serial_set_termios(tty, old);
26662 tty->termios = old;
26663 @@ -1655,6 +1654,9 @@ static int hso_get_count(struct hso_seri
26668 + memset(&icount, 0, sizeof(icount));
26670 spin_lock_irq(&serial->serial_lock);
26671 memcpy(&cnow, &tiocmget->icount, sizeof(struct uart_icount));
26672 spin_unlock_irq(&serial->serial_lock);
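Review bot: The added `memset(&icount, 0, sizeof(icount));` has no comment saying what it protects. If `icount` is copied to user space later in hso_get_count (that part is outside the hunk), the zeroing is what keeps padding bytes and any field the function does not assign from carrying stale kernel stack contents. A one-line comment would stop it being removed as dead code, for example `/* zero first: padding and unset fields must not leak stack data to user space */`.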
26673 @@ -1929,7 +1931,7 @@ static void intr_callback(struct urb *ur
26674 D1("Pending read interrupt on port %d\n", i);
26675 spin_lock(&serial->serial_lock);
26676 if (serial->rx_state == RX_IDLE &&
26677 - serial->open_count > 0) {
26678 + atomic_read(&serial->open_count) > 0) {
26679 /* Setup and send a ctrl req read on
26681 if (!serial->rx_urb_filled[0]) {
26682 @@ -3119,7 +3121,7 @@ static int hso_resume(struct usb_interfa
26683 /* Start all serial ports */
26684 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
26685 if (serial_table[i] && (serial_table[i]->interface == iface)) {
26686 - if (dev2ser(serial_table[i])->open_count) {
26687 + if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
26689 hso_start_serial_device(serial_table[i], GFP_NOIO);
26690 hso_kick_transmit(dev2ser(serial_table[i]));
26691 diff -urNp linux-2.6.35.5/drivers/net/wireless/b43/debugfs.c linux-2.6.35.5/drivers/net/wireless/b43/debugfs.c
26692 --- linux-2.6.35.5/drivers/net/wireless/b43/debugfs.c 2010-08-26 19:47:12.000000000 -0400
26693 +++ linux-2.6.35.5/drivers/net/wireless/b43/debugfs.c 2010-09-17 20:12:09.000000000 -0400
26694 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
26695 struct b43_debugfs_fops {
26696 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
26697 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
26698 - struct file_operations fops;
26699 + const struct file_operations fops;
26700 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
26701 size_t file_struct_offset;
26703 diff -urNp linux-2.6.35.5/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.35.5/drivers/net/wireless/b43legacy/debugfs.c
26704 --- linux-2.6.35.5/drivers/net/wireless/b43legacy/debugfs.c 2010-08-26 19:47:12.000000000 -0400
26705 +++ linux-2.6.35.5/drivers/net/wireless/b43legacy/debugfs.c 2010-09-17 20:12:09.000000000 -0400
26706 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
26707 struct b43legacy_debugfs_fops {
26708 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
26709 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
26710 - struct file_operations fops;
26711 + const struct file_operations fops;
26712 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
26713 size_t file_struct_offset;
26714 /* Take wl->irq_lock before calling read/write? */
26715 diff -urNp linux-2.6.35.5/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.35.5/drivers/net/wireless/iwlwifi/iwl-debug.h
26716 --- linux-2.6.35.5/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-08-26 19:47:12.000000000 -0400
26717 +++ linux-2.6.35.5/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-09-17 20:12:09.000000000 -0400
26718 @@ -68,8 +68,8 @@ do {
26722 -#define IWL_DEBUG(__priv, level, fmt, args...)
26723 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
26724 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
26725 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
26726 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
26729 diff -urNp linux-2.6.35.5/drivers/net/wireless/libertas/debugfs.c linux-2.6.35.5/drivers/net/wireless/libertas/debugfs.c
26730 --- linux-2.6.35.5/drivers/net/wireless/libertas/debugfs.c 2010-08-26 19:47:12.000000000 -0400
26731 +++ linux-2.6.35.5/drivers/net/wireless/libertas/debugfs.c 2010-09-17 20:12:09.000000000 -0400
26732 @@ -718,7 +718,7 @@ out_unlock:
26733 struct lbs_debugfs_files {
26736 - struct file_operations fops;
26737 + const struct file_operations fops;
26740 static const struct lbs_debugfs_files debugfs_files[] = {
26741 diff -urNp linux-2.6.35.5/drivers/net/wireless/rndis_wlan.c linux-2.6.35.5/drivers/net/wireless/rndis_wlan.c
26742 --- linux-2.6.35.5/drivers/net/wireless/rndis_wlan.c 2010-08-26 19:47:12.000000000 -0400
26743 +++ linux-2.6.35.5/drivers/net/wireless/rndis_wlan.c 2010-09-17 20:12:09.000000000 -0400
26744 @@ -1235,7 +1235,7 @@ static int set_rts_threshold(struct usbn
26746 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
26748 - if (rts_threshold < 0 || rts_threshold > 2347)
26749 + if (rts_threshold > 2347)
26750 rts_threshold = 2347;
26752 tmp = cpu_to_le32(rts_threshold);
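Review bot: Dropping `rts_threshold < 0` is only sound if the parameter is an unsigned type, and the hunk does not show that: the signature is cut off in the hunk header, and the context line logs the value with `%i`. If it is unsigned, the format should follow, `netdev_dbg(usbdev->net, "%s(): %u\n", __func__, rts_threshold);`. If it is signed, a negative value now reaches `cpu_to_le32()` unclamped. The same question applies to the `*irq < 0` and `*dma < 0` tests removed from pnp_check_irq and pnp_check_dma in drivers/pnp/resource.c, where the pointee type is also outside the hunks.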
26753 diff -urNp linux-2.6.35.5/drivers/oprofile/buffer_sync.c linux-2.6.35.5/drivers/oprofile/buffer_sync.c
26754 --- linux-2.6.35.5/drivers/oprofile/buffer_sync.c 2010-09-20 17:33:09.000000000 -0400
26755 +++ linux-2.6.35.5/drivers/oprofile/buffer_sync.c 2010-09-20 17:33:32.000000000 -0400
26756 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
26757 if (cookie == NO_COOKIE)
26759 if (cookie == INVALID_COOKIE) {
26760 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26761 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26764 if (cookie != last_cookie) {
26765 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct
26766 /* add userspace sample */
26769 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
26770 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
26774 cookie = lookup_dcookie(mm, s->eip, &offset);
26776 if (cookie == INVALID_COOKIE) {
26777 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26778 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26782 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
26783 /* ignore backtraces if failed to add a sample */
26784 if (state == sb_bt_start) {
26785 state = sb_bt_ignore;
26786 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
26787 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
26791 diff -urNp linux-2.6.35.5/drivers/oprofile/event_buffer.c linux-2.6.35.5/drivers/oprofile/event_buffer.c
26792 --- linux-2.6.35.5/drivers/oprofile/event_buffer.c 2010-08-26 19:47:12.000000000 -0400
26793 +++ linux-2.6.35.5/drivers/oprofile/event_buffer.c 2010-09-17 20:12:09.000000000 -0400
26794 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
26797 if (buffer_pos == buffer_size) {
26798 - atomic_inc(&oprofile_stats.event_lost_overflow);
26799 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
26803 diff -urNp linux-2.6.35.5/drivers/oprofile/oprof.c linux-2.6.35.5/drivers/oprofile/oprof.c
26804 --- linux-2.6.35.5/drivers/oprofile/oprof.c 2010-08-26 19:47:12.000000000 -0400
26805 +++ linux-2.6.35.5/drivers/oprofile/oprof.c 2010-09-17 20:12:09.000000000 -0400
26806 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
26807 if (oprofile_ops.switch_events())
26810 - atomic_inc(&oprofile_stats.multiplex_counter);
26811 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
26812 start_switch_worker();
26815 diff -urNp linux-2.6.35.5/drivers/oprofile/oprofilefs.c linux-2.6.35.5/drivers/oprofile/oprofilefs.c
26816 --- linux-2.6.35.5/drivers/oprofile/oprofilefs.c 2010-08-26 19:47:12.000000000 -0400
26817 +++ linux-2.6.35.5/drivers/oprofile/oprofilefs.c 2010-09-17 20:12:09.000000000 -0400
26818 @@ -187,7 +187,7 @@ static const struct file_operations atom
26821 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
26822 - char const *name, atomic_t *val)
26823 + char const *name, atomic_unchecked_t *val)
26825 struct dentry *d = __oprofilefs_create_file(sb, root, name,
26826 &atomic_ro_fops, 0444);
26827 diff -urNp linux-2.6.35.5/drivers/oprofile/oprofile_stats.c linux-2.6.35.5/drivers/oprofile/oprofile_stats.c
26828 --- linux-2.6.35.5/drivers/oprofile/oprofile_stats.c 2010-08-26 19:47:12.000000000 -0400
26829 +++ linux-2.6.35.5/drivers/oprofile/oprofile_stats.c 2010-09-17 20:12:09.000000000 -0400
26830 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
26831 cpu_buf->sample_invalid_eip = 0;
26834 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
26835 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
26836 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
26837 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
26838 - atomic_set(&oprofile_stats.multiplex_counter, 0);
26839 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
26840 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
26841 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
26842 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
26843 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
26847 diff -urNp linux-2.6.35.5/drivers/oprofile/oprofile_stats.h linux-2.6.35.5/drivers/oprofile/oprofile_stats.h
26848 --- linux-2.6.35.5/drivers/oprofile/oprofile_stats.h 2010-08-26 19:47:12.000000000 -0400
26849 +++ linux-2.6.35.5/drivers/oprofile/oprofile_stats.h 2010-09-17 20:12:09.000000000 -0400
26850 @@ -13,11 +13,11 @@
26851 #include <asm/atomic.h>
26853 struct oprofile_stat_struct {
26854 - atomic_t sample_lost_no_mm;
26855 - atomic_t sample_lost_no_mapping;
26856 - atomic_t bt_lost_no_mapping;
26857 - atomic_t event_lost_overflow;
26858 - atomic_t multiplex_counter;
26859 + atomic_unchecked_t sample_lost_no_mm;
26860 + atomic_unchecked_t sample_lost_no_mapping;
26861 + atomic_unchecked_t bt_lost_no_mapping;
26862 + atomic_unchecked_t event_lost_overflow;
26863 + atomic_unchecked_t multiplex_counter;
26866 extern struct oprofile_stat_struct oprofile_stats;
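Review bot: struct oprofile_stat_struct switches every field to `atomic_unchecked_t` without a comment saying why these counters are exempt from overflow checking. The field names suggest loss and event statistics rather than reference counts, in which case wraparound is harmless, but a reader should not have to re-derive that. A comment above the struct would record it, for example `/* statistics only, never used for object lifetime: wraparound is harmless */`. The same applies to the six counters converted in struct fc_exch_mgr in drivers/scsi/libfc/fc_exch.c. For both, it is worth confirming that no code outside these hunks uses one of the counters to decide when something is freed.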
26867 diff -urNp linux-2.6.35.5/drivers/parport/procfs.c linux-2.6.35.5/drivers/parport/procfs.c
26868 --- linux-2.6.35.5/drivers/parport/procfs.c 2010-08-26 19:47:12.000000000 -0400
26869 +++ linux-2.6.35.5/drivers/parport/procfs.c 2010-09-17 20:12:37.000000000 -0400
26870 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
26874 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
26875 + return (len > sizeof(buffer) || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
26878 #ifdef CONFIG_PARPORT_1284
26879 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
26883 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
26884 + return (len > sizeof(buffer) || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
26886 #endif /* IEEE1284.3 support. */
26888 diff -urNp linux-2.6.35.5/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.35.5/drivers/pci/hotplug/acpiphp_glue.c
26889 --- linux-2.6.35.5/drivers/pci/hotplug/acpiphp_glue.c 2010-08-26 19:47:12.000000000 -0400
26890 +++ linux-2.6.35.5/drivers/pci/hotplug/acpiphp_glue.c 2010-09-17 20:12:09.000000000 -0400
26891 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
26895 -static struct acpi_dock_ops acpiphp_dock_ops = {
26896 +static const struct acpi_dock_ops acpiphp_dock_ops = {
26897 .handler = handle_hotplug_event_func,
26900 diff -urNp linux-2.6.35.5/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.35.5/drivers/pci/hotplug/cpqphp_nvram.c
26901 --- linux-2.6.35.5/drivers/pci/hotplug/cpqphp_nvram.c 2010-08-26 19:47:12.000000000 -0400
26902 +++ linux-2.6.35.5/drivers/pci/hotplug/cpqphp_nvram.c 2010-09-17 20:12:09.000000000 -0400
26903 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
26905 void compaq_nvram_init (void __iomem *rom_start)
26908 +#ifndef CONFIG_PAX_KERNEXEC
26910 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
26914 dbg("int15 entry = %p\n", compaq_int15_entry_point);
26916 /* initialize our int15 lock */
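Review bot: With CONFIG_PAX_KERNEXEC set, the assignment to `compaq_int15_entry_point` is compiled out, yet the following `dbg("int15 entry = %p\n", ...)` still prints it, and nothing in the hunk shows how later users behave when the entry point was never set. The new `#ifndef` needs a comment giving the reason, presumably that calling into ROM BIOS code is incompatible with KERNEXEC. Code that calls through the pointer should also be checked for an explicit unset-pointer test. The matching `#endif` is not visible in this text, and the body of compaq_nvram_init continues outside the hunk.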
26917 diff -urNp linux-2.6.35.5/drivers/pci/intel-iommu.c linux-2.6.35.5/drivers/pci/intel-iommu.c
26918 --- linux-2.6.35.5/drivers/pci/intel-iommu.c 2010-08-26 19:47:12.000000000 -0400
26919 +++ linux-2.6.35.5/drivers/pci/intel-iommu.c 2010-09-17 20:12:09.000000000 -0400
26920 @@ -2938,7 +2938,7 @@ static int intel_mapping_error(struct de
26924 -struct dma_map_ops intel_dma_ops = {
26925 +const struct dma_map_ops intel_dma_ops = {
26926 .alloc_coherent = intel_alloc_coherent,
26927 .free_coherent = intel_free_coherent,
26928 .map_sg = intel_map_sg,
26929 diff -urNp linux-2.6.35.5/drivers/pci/pcie/portdrv_pci.c linux-2.6.35.5/drivers/pci/pcie/portdrv_pci.c
26930 --- linux-2.6.35.5/drivers/pci/pcie/portdrv_pci.c 2010-08-26 19:47:12.000000000 -0400
26931 +++ linux-2.6.35.5/drivers/pci/pcie/portdrv_pci.c 2010-09-17 20:12:09.000000000 -0400
26932 @@ -250,7 +250,7 @@ static void pcie_portdrv_err_resume(stru
26933 static const struct pci_device_id port_pci_ids[] = { {
26934 /* handle any PCI-Express port */
26935 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
26936 - }, { /* end: all zeroes */ }
26937 + }, { 0, 0, 0, 0, 0, 0, 0 }
26939 MODULE_DEVICE_TABLE(pci, port_pci_ids);
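Review bot: Replacing `{ /* end: all zeroes */ }` with `{ 0, 0, 0, 0, 0, 0, 0 }` drops the comment that marked this entry as the table sentinel and ties the terminator to the current number of fields in struct pci_device_id. If the positional form is needed (the hunk does not say why), keep the marker next to it: `}, { 0, 0, 0, 0, 0, 0, 0 }	/* end: all zeroes */`. The same substitution is made in the ene_tune_tbl hunk in drivers/pcmcia/ti113x.h and the yenta_table hunk in drivers/pcmcia/yenta_socket.c.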
26941 diff -urNp linux-2.6.35.5/drivers/pci/probe.c linux-2.6.35.5/drivers/pci/probe.c
26942 --- linux-2.6.35.5/drivers/pci/probe.c 2010-08-26 19:47:12.000000000 -0400
26943 +++ linux-2.6.35.5/drivers/pci/probe.c 2010-09-17 20:12:09.000000000 -0400
26944 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
26948 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
26949 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
26950 struct device_attribute *attr,
26953 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
26956 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
26957 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
26958 struct device_attribute *attr,
26961 diff -urNp linux-2.6.35.5/drivers/pci/proc.c linux-2.6.35.5/drivers/pci/proc.c
26962 --- linux-2.6.35.5/drivers/pci/proc.c 2010-08-26 19:47:12.000000000 -0400
26963 +++ linux-2.6.35.5/drivers/pci/proc.c 2010-09-17 20:12:37.000000000 -0400
26964 @@ -481,7 +481,16 @@ static const struct file_operations proc
26965 static int __init pci_proc_init(void)
26967 struct pci_dev *dev = NULL;
26969 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
26970 +#ifdef CONFIG_GRKERNSEC_PROC_USER
26971 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
26972 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
26973 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
26976 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
26978 proc_create("devices", 0, proc_bus_pci_dir,
26979 &proc_bus_pci_dev_operations);
26980 proc_initialized = 1;
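Review bot: Inside `#ifdef CONFIG_GRKERNSEC_PROC_ADD` only the `CONFIG_GRKERNSEC_PROC_USER` and `CONFIG_GRKERNSEC_PROC_USERGROUP` branches assign `proc_bus_pci_dir`. The closing preprocessor lines are not visible here, but if the inner chain has no `#else`, a configuration with PROC_ADD and neither of the other two would leave the pointer unassigned before `proc_create("devices", ...)` uses it. If Kconfig dependencies rule that combination out, a comment saying so is enough, or an inner `#else` with `#error` would enforce it. Note also that "devices" is still created with mode `0`, so the restriction rests entirely on the directory's mode, which is worth stating in a comment.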
26981 diff -urNp linux-2.6.35.5/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.35.5/drivers/pcmcia/pcmcia_ioctl.c
26982 --- linux-2.6.35.5/drivers/pcmcia/pcmcia_ioctl.c 2010-08-26 19:47:12.000000000 -0400
26983 +++ linux-2.6.35.5/drivers/pcmcia/pcmcia_ioctl.c 2010-09-17 20:12:09.000000000 -0400
26984 @@ -850,7 +850,7 @@ static int ds_ioctl(struct file *file, u
26988 - buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
26989 + buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
26993 diff -urNp linux-2.6.35.5/drivers/pcmcia/ti113x.h linux-2.6.35.5/drivers/pcmcia/ti113x.h
26994 --- linux-2.6.35.5/drivers/pcmcia/ti113x.h 2010-08-26 19:47:12.000000000 -0400
26995 +++ linux-2.6.35.5/drivers/pcmcia/ti113x.h 2010-09-17 20:12:09.000000000 -0400
26996 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
26997 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
26998 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
27001 + { 0, 0, 0, 0, 0, 0, 0 }
27004 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
27005 diff -urNp linux-2.6.35.5/drivers/pcmcia/yenta_socket.c linux-2.6.35.5/drivers/pcmcia/yenta_socket.c
27006 --- linux-2.6.35.5/drivers/pcmcia/yenta_socket.c 2010-08-26 19:47:12.000000000 -0400
27007 +++ linux-2.6.35.5/drivers/pcmcia/yenta_socket.c 2010-09-17 20:12:09.000000000 -0400
27008 @@ -1428,7 +1428,7 @@ static struct pci_device_id yenta_table[
27010 /* match any cardbus bridge */
27011 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
27012 - { /* all zeroes */ }
27013 + { 0, 0, 0, 0, 0, 0, 0 }
27015 MODULE_DEVICE_TABLE(pci, yenta_table);
27017 diff -urNp linux-2.6.35.5/drivers/platform/x86/acer-wmi.c linux-2.6.35.5/drivers/platform/x86/acer-wmi.c
27018 --- linux-2.6.35.5/drivers/platform/x86/acer-wmi.c 2010-08-26 19:47:12.000000000 -0400
27019 +++ linux-2.6.35.5/drivers/platform/x86/acer-wmi.c 2010-09-17 20:12:09.000000000 -0400
27020 @@ -916,7 +916,7 @@ static int update_bl_status(struct backl
27024 -static struct backlight_ops acer_bl_ops = {
27025 +static const struct backlight_ops acer_bl_ops = {
27026 .get_brightness = read_brightness,
27027 .update_status = update_bl_status,
27029 diff -urNp linux-2.6.35.5/drivers/platform/x86/asus_acpi.c linux-2.6.35.5/drivers/platform/x86/asus_acpi.c
27030 --- linux-2.6.35.5/drivers/platform/x86/asus_acpi.c 2010-08-26 19:47:12.000000000 -0400
27031 +++ linux-2.6.35.5/drivers/platform/x86/asus_acpi.c 2010-09-17 20:12:09.000000000 -0400
27032 @@ -1464,7 +1464,7 @@ static int asus_hotk_remove(struct acpi_
27036 -static struct backlight_ops asus_backlight_data = {
27037 +static const struct backlight_ops asus_backlight_data = {
27038 .get_brightness = read_brightness,
27039 .update_status = set_brightness_status,
27041 diff -urNp linux-2.6.35.5/drivers/platform/x86/asus-laptop.c linux-2.6.35.5/drivers/platform/x86/asus-laptop.c
27042 --- linux-2.6.35.5/drivers/platform/x86/asus-laptop.c 2010-08-26 19:47:12.000000000 -0400
27043 +++ linux-2.6.35.5/drivers/platform/x86/asus-laptop.c 2010-09-17 20:12:09.000000000 -0400
27044 @@ -224,7 +224,6 @@ struct asus_laptop {
27045 struct asus_led gled;
27046 struct asus_led kled;
27047 struct workqueue_struct *led_workqueue;
27049 int wireless_status;
27052 @@ -621,7 +620,7 @@ static int update_bl_status(struct backl
27053 return asus_lcd_set(asus, value);
27056 -static struct backlight_ops asusbl_ops = {
27057 +static const struct backlight_ops asusbl_ops = {
27058 .get_brightness = asus_read_brightness,
27059 .update_status = update_bl_status,
27061 diff -urNp linux-2.6.35.5/drivers/platform/x86/compal-laptop.c linux-2.6.35.5/drivers/platform/x86/compal-laptop.c
27062 --- linux-2.6.35.5/drivers/platform/x86/compal-laptop.c 2010-08-26 19:47:12.000000000 -0400
27063 +++ linux-2.6.35.5/drivers/platform/x86/compal-laptop.c 2010-09-17 20:12:09.000000000 -0400
27064 @@ -168,7 +168,7 @@ static int bl_update_status(struct backl
27065 return set_lcd_level(b->props.brightness);
27068 -static struct backlight_ops compalbl_ops = {
27069 +static const struct backlight_ops compalbl_ops = {
27070 .get_brightness = bl_get_brightness,
27071 .update_status = bl_update_status,
27073 diff -urNp linux-2.6.35.5/drivers/platform/x86/dell-laptop.c linux-2.6.35.5/drivers/platform/x86/dell-laptop.c
27074 --- linux-2.6.35.5/drivers/platform/x86/dell-laptop.c 2010-08-26 19:47:12.000000000 -0400
27075 +++ linux-2.6.35.5/drivers/platform/x86/dell-laptop.c 2010-09-17 20:12:09.000000000 -0400
27076 @@ -469,7 +469,7 @@ out:
27077 return buffer->output[1];
27080 -static struct backlight_ops dell_ops = {
27081 +static const struct backlight_ops dell_ops = {
27082 .get_brightness = dell_get_intensity,
27083 .update_status = dell_send_intensity,
27085 diff -urNp linux-2.6.35.5/drivers/platform/x86/eeepc-laptop.c linux-2.6.35.5/drivers/platform/x86/eeepc-laptop.c
27086 --- linux-2.6.35.5/drivers/platform/x86/eeepc-laptop.c 2010-08-26 19:47:12.000000000 -0400
27087 +++ linux-2.6.35.5/drivers/platform/x86/eeepc-laptop.c 2010-09-17 20:12:09.000000000 -0400
27088 @@ -1114,7 +1114,7 @@ static int update_bl_status(struct backl
27089 return set_brightness(bd, bd->props.brightness);
27092 -static struct backlight_ops eeepcbl_ops = {
27093 +static const struct backlight_ops eeepcbl_ops = {
27094 .get_brightness = read_brightness,
27095 .update_status = update_bl_status,
27097 diff -urNp linux-2.6.35.5/drivers/platform/x86/fujitsu-laptop.c linux-2.6.35.5/drivers/platform/x86/fujitsu-laptop.c
27098 --- linux-2.6.35.5/drivers/platform/x86/fujitsu-laptop.c 2010-08-26 19:47:12.000000000 -0400
27099 +++ linux-2.6.35.5/drivers/platform/x86/fujitsu-laptop.c 2010-09-17 20:12:09.000000000 -0400
27100 @@ -437,7 +437,7 @@ static int bl_update_status(struct backl
27104 -static struct backlight_ops fujitsubl_ops = {
27105 +static const struct backlight_ops fujitsubl_ops = {
27106 .get_brightness = bl_get_brightness,
27107 .update_status = bl_update_status,
27109 diff -urNp linux-2.6.35.5/drivers/platform/x86/sony-laptop.c linux-2.6.35.5/drivers/platform/x86/sony-laptop.c
27110 --- linux-2.6.35.5/drivers/platform/x86/sony-laptop.c 2010-08-26 19:47:12.000000000 -0400
27111 +++ linux-2.6.35.5/drivers/platform/x86/sony-laptop.c 2010-09-17 20:12:09.000000000 -0400
27112 @@ -857,7 +857,7 @@ static int sony_backlight_get_brightness
27115 static struct backlight_device *sony_backlight_device;
27116 -static struct backlight_ops sony_backlight_ops = {
27117 +static const struct backlight_ops sony_backlight_ops = {
27118 .update_status = sony_backlight_update_status,
27119 .get_brightness = sony_backlight_get_brightness,
27121 diff -urNp linux-2.6.35.5/drivers/platform/x86/thinkpad_acpi.c linux-2.6.35.5/drivers/platform/x86/thinkpad_acpi.c
27122 --- linux-2.6.35.5/drivers/platform/x86/thinkpad_acpi.c 2010-08-26 19:47:12.000000000 -0400
27123 +++ linux-2.6.35.5/drivers/platform/x86/thinkpad_acpi.c 2010-09-17 20:12:09.000000000 -0400
27124 @@ -6142,7 +6142,7 @@ static void tpacpi_brightness_notify_cha
27125 BACKLIGHT_UPDATE_HOTKEY);
27128 -static struct backlight_ops ibm_backlight_data = {
27129 +static const struct backlight_ops ibm_backlight_data = {
27130 .get_brightness = brightness_get,
27131 .update_status = brightness_update_status,
27133 diff -urNp linux-2.6.35.5/drivers/platform/x86/toshiba_acpi.c linux-2.6.35.5/drivers/platform/x86/toshiba_acpi.c
27134 --- linux-2.6.35.5/drivers/platform/x86/toshiba_acpi.c 2010-08-26 19:47:12.000000000 -0400
27135 +++ linux-2.6.35.5/drivers/platform/x86/toshiba_acpi.c 2010-09-17 20:12:09.000000000 -0400
27136 @@ -741,7 +741,7 @@ static acpi_status remove_device(void)
27140 -static struct backlight_ops toshiba_backlight_data = {
27141 +static const struct backlight_ops toshiba_backlight_data = {
27142 .get_brightness = get_lcd,
27143 .update_status = set_lcd_status,
27145 diff -urNp linux-2.6.35.5/drivers/pnp/pnpbios/bioscalls.c linux-2.6.35.5/drivers/pnp/pnpbios/bioscalls.c
27146 --- linux-2.6.35.5/drivers/pnp/pnpbios/bioscalls.c 2010-08-26 19:47:12.000000000 -0400
27147 +++ linux-2.6.35.5/drivers/pnp/pnpbios/bioscalls.c 2010-09-17 20:12:09.000000000 -0400
27148 @@ -59,7 +59,7 @@ do { \
27149 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
27152 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27153 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27154 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
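Review bot: The descriptor flags change from `0x4092` to `0x4093` with no explanation, and a bare magic-number change in a GDT entry is easy to revert by mistake. The extra bit is the accessed bit of the segment type. It is presumably pre-set so the CPU never has to write it back into a GDT that is read-only outside the `pax_open_kernel()` / `pax_close_kernel()` windows added in the later hunks of this file. A comment on the initializer would record that, for example `/* accessed bit pre-set: the CPU must not need to write to the (read-only) GDT */`.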
27157 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
27160 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27162 + pax_open_kernel();
27163 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
27164 + pax_close_kernel();
27166 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
27167 spin_lock_irqsave(&pnp_bios_lock, flags);
27168 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
27170 spin_unlock_irqrestore(&pnp_bios_lock, flags);
27172 + pax_open_kernel();
27173 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
27174 + pax_close_kernel();
27178 /* If we get here and this is set then the PnP BIOS faulted on us. */
27179 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
27183 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
27184 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27188 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
27189 pnp_bios_callpoint.offset = header->fields.pm16offset;
27190 pnp_bios_callpoint.segment = PNP_CS16;
27192 + pax_open_kernel();
27194 for_each_possible_cpu(i) {
27195 struct desc_struct *gdt = get_cpu_gdt_table(i);
27197 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
27198 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
27199 (unsigned long)__va(header->fields.pm16dseg));
27202 + pax_close_kernel();
27204 diff -urNp linux-2.6.35.5/drivers/pnp/quirks.c linux-2.6.35.5/drivers/pnp/quirks.c
27205 --- linux-2.6.35.5/drivers/pnp/quirks.c 2010-08-26 19:47:12.000000000 -0400
27206 +++ linux-2.6.35.5/drivers/pnp/quirks.c 2010-09-17 20:12:09.000000000 -0400
27207 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
27208 /* PnP resources that might overlap PCI BARs */
27209 {"PNP0c01", quirk_system_pci_resources},
27210 {"PNP0c02", quirk_system_pci_resources},
27215 void pnp_fixup_device(struct pnp_dev *dev)
27216 diff -urNp linux-2.6.35.5/drivers/pnp/resource.c linux-2.6.35.5/drivers/pnp/resource.c
27217 --- linux-2.6.35.5/drivers/pnp/resource.c 2010-08-26 19:47:12.000000000 -0400
27218 +++ linux-2.6.35.5/drivers/pnp/resource.c 2010-09-17 20:12:09.000000000 -0400
27219 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
27222 /* check if the resource is valid */
27223 - if (*irq < 0 || *irq > 15)
27227 /* check if the resource is reserved */
27228 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
27231 /* check if the resource is valid */
27232 - if (*dma < 0 || *dma == 4 || *dma > 7)
27233 + if (*dma == 4 || *dma > 7)
27236 /* check if the resource is reserved */
27237 diff -urNp linux-2.6.35.5/drivers/s390/cio/qdio_debug.c linux-2.6.35.5/drivers/s390/cio/qdio_debug.c
27238 --- linux-2.6.35.5/drivers/s390/cio/qdio_debug.c 2010-08-26 19:47:12.000000000 -0400
27239 +++ linux-2.6.35.5/drivers/s390/cio/qdio_debug.c 2010-09-17 20:12:09.000000000 -0400
27240 @@ -233,7 +233,7 @@ static int qperf_seq_open(struct inode *
27241 filp->f_path.dentry->d_inode->i_private);
27244 -static struct file_operations debugfs_perf_fops = {
27245 +static const struct file_operations debugfs_perf_fops = {
27246 .owner = THIS_MODULE,
27247 .open = qperf_seq_open,
27249 diff -urNp linux-2.6.35.5/drivers/scsi/ipr.c linux-2.6.35.5/drivers/scsi/ipr.c
27250 --- linux-2.6.35.5/drivers/scsi/ipr.c 2010-08-26 19:47:12.000000000 -0400
27251 +++ linux-2.6.35.5/drivers/scsi/ipr.c 2010-09-17 20:12:09.000000000 -0400
27252 @@ -6091,7 +6091,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
27256 -static struct ata_port_operations ipr_sata_ops = {
27257 +static const struct ata_port_operations ipr_sata_ops = {
27258 .phy_reset = ipr_ata_phy_reset,
27259 .hardreset = ipr_sata_reset,
27260 .post_internal_cmd = ipr_ata_post_internal,
27261 diff -urNp linux-2.6.35.5/drivers/scsi/libfc/fc_exch.c linux-2.6.35.5/drivers/scsi/libfc/fc_exch.c
27262 --- linux-2.6.35.5/drivers/scsi/libfc/fc_exch.c 2010-08-26 19:47:12.000000000 -0400
27263 +++ linux-2.6.35.5/drivers/scsi/libfc/fc_exch.c 2010-09-17 20:12:09.000000000 -0400
27264 @@ -100,12 +100,12 @@ struct fc_exch_mgr {
27265 * all together if not used XXX
27268 - atomic_t no_free_exch;
27269 - atomic_t no_free_exch_xid;
27270 - atomic_t xid_not_found;
27271 - atomic_t xid_busy;
27272 - atomic_t seq_not_found;
27273 - atomic_t non_bls_resp;
27274 + atomic_unchecked_t no_free_exch;
27275 + atomic_unchecked_t no_free_exch_xid;
27276 + atomic_unchecked_t xid_not_found;
27277 + atomic_unchecked_t xid_busy;
27278 + atomic_unchecked_t seq_not_found;
27279 + atomic_unchecked_t non_bls_resp;
27282 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
27283 @@ -671,7 +671,7 @@ static struct fc_exch *fc_exch_em_alloc(
27284 /* allocate memory for exchange */
27285 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
27287 - atomic_inc(&mp->stats.no_free_exch);
27288 + atomic_inc_unchecked(&mp->stats.no_free_exch);
27291 memset(ep, 0, sizeof(*ep));
27292 @@ -719,7 +719,7 @@ out:
27295 spin_unlock_bh(&pool->lock);
27296 - atomic_inc(&mp->stats.no_free_exch_xid);
27297 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
27298 mempool_free(ep, mp->ep_pool);
27301 @@ -864,7 +864,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27302 xid = ntohs(fh->fh_ox_id); /* we originated exch */
27303 ep = fc_exch_find(mp, xid);
27305 - atomic_inc(&mp->stats.xid_not_found);
27306 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27307 reject = FC_RJT_OX_ID;
27310 @@ -894,7 +894,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27311 ep = fc_exch_find(mp, xid);
27312 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
27314 - atomic_inc(&mp->stats.xid_busy);
27315 + atomic_inc_unchecked(&mp->stats.xid_busy);
27316 reject = FC_RJT_RX_ID;
27319 @@ -905,7 +905,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27321 xid = ep->xid; /* get our XID */
27323 - atomic_inc(&mp->stats.xid_not_found);
27324 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27325 reject = FC_RJT_RX_ID; /* XID not found */
27328 @@ -922,7 +922,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27331 if (sp->id != fh->fh_seq_id) {
27332 - atomic_inc(&mp->stats.seq_not_found);
27333 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27334 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
27337 @@ -1303,22 +1303,22 @@ static void fc_exch_recv_seq_resp(struct
27339 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
27341 - atomic_inc(&mp->stats.xid_not_found);
27342 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27345 if (ep->esb_stat & ESB_ST_COMPLETE) {
27346 - atomic_inc(&mp->stats.xid_not_found);
27347 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27350 if (ep->rxid == FC_XID_UNKNOWN)
27351 ep->rxid = ntohs(fh->fh_rx_id);
27352 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
27353 - atomic_inc(&mp->stats.xid_not_found);
27354 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27357 if (ep->did != ntoh24(fh->fh_s_id) &&
27358 ep->did != FC_FID_FLOGI) {
27359 - atomic_inc(&mp->stats.xid_not_found);
27360 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27364 @@ -1327,7 +1327,7 @@ static void fc_exch_recv_seq_resp(struct
27365 sp->ssb_stat |= SSB_ST_RESP;
27366 sp->id = fh->fh_seq_id;
27367 } else if (sp->id != fh->fh_seq_id) {
27368 - atomic_inc(&mp->stats.seq_not_found);
27369 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27373 @@ -1390,9 +1390,9 @@ static void fc_exch_recv_resp(struct fc_
27374 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
27377 - atomic_inc(&mp->stats.xid_not_found);
27378 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27380 - atomic_inc(&mp->stats.non_bls_resp);
27381 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
27385 diff -urNp linux-2.6.35.5/drivers/scsi/libsas/sas_ata.c linux-2.6.35.5/drivers/scsi/libsas/sas_ata.c
27386 --- linux-2.6.35.5/drivers/scsi/libsas/sas_ata.c 2010-08-26 19:47:12.000000000 -0400
27387 +++ linux-2.6.35.5/drivers/scsi/libsas/sas_ata.c 2010-09-17 20:12:09.000000000 -0400
27388 @@ -344,7 +344,7 @@ static int sas_ata_scr_read(struct ata_l
27392 -static struct ata_port_operations sas_sata_ops = {
27393 +static const struct ata_port_operations sas_sata_ops = {
27394 .phy_reset = sas_ata_phy_reset,
27395 .post_internal_cmd = sas_ata_post_internal,
27396 .qc_prep = ata_noop_qc_prep,
27397 diff -urNp linux-2.6.35.5/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.35.5/drivers/scsi/mpt2sas/mpt2sas_debug.h
27398 --- linux-2.6.35.5/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-08-26 19:47:12.000000000 -0400
27399 +++ linux-2.6.35.5/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-09-17 20:12:09.000000000 -0400
27404 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
27405 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
27406 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
27409 diff -urNp linux-2.6.35.5/drivers/scsi/qla2xxx/qla_os.c linux-2.6.35.5/drivers/scsi/qla2xxx/qla_os.c
27410 --- linux-2.6.35.5/drivers/scsi/qla2xxx/qla_os.c 2010-08-26 19:47:12.000000000 -0400
27411 +++ linux-2.6.35.5/drivers/scsi/qla2xxx/qla_os.c 2010-09-17 20:12:09.000000000 -0400
27412 @@ -3899,7 +3899,7 @@ static struct pci_driver qla2xxx_pci_dri
27413 .err_handler = &qla2xxx_err_handler,
27416 -static struct file_operations apidev_fops = {
27417 +static const struct file_operations apidev_fops = {
27418 .owner = THIS_MODULE,
27421 diff -urNp linux-2.6.35.5/drivers/scsi/scsi_logging.h linux-2.6.35.5/drivers/scsi/scsi_logging.h
27422 --- linux-2.6.35.5/drivers/scsi/scsi_logging.h 2010-08-26 19:47:12.000000000 -0400
27423 +++ linux-2.6.35.5/drivers/scsi/scsi_logging.h 2010-09-17 20:12:09.000000000 -0400
27424 @@ -51,7 +51,7 @@ do { \
27428 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
27429 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
27430 #endif /* CONFIG_SCSI_LOGGING */
27433 diff -urNp linux-2.6.35.5/drivers/scsi/sg.c linux-2.6.35.5/drivers/scsi/sg.c
27434 --- linux-2.6.35.5/drivers/scsi/sg.c 2010-08-26 19:47:12.000000000 -0400
27435 +++ linux-2.6.35.5/drivers/scsi/sg.c 2010-09-17 20:12:09.000000000 -0400
27436 @@ -2302,7 +2302,7 @@ struct sg_proc_leaf {
27437 const struct file_operations * fops;
27440 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
27441 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
27442 {"allow_dio", &adio_fops},
27443 {"debug", &debug_fops},
27444 {"def_reserved_size", &dressz_fops},
27445 @@ -2317,7 +2317,7 @@ sg_proc_init(void)
27448 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
27449 - struct sg_proc_leaf * leaf;
27450 + const struct sg_proc_leaf * leaf;
27452 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
27454 diff -urNp linux-2.6.35.5/drivers/serial/8250_pci.c linux-2.6.35.5/drivers/serial/8250_pci.c
27455 --- linux-2.6.35.5/drivers/serial/8250_pci.c 2010-08-26 19:47:12.000000000 -0400
27456 +++ linux-2.6.35.5/drivers/serial/8250_pci.c 2010-09-17 20:12:09.000000000 -0400
27457 @@ -3777,7 +3777,7 @@ static struct pci_device_id serial_pci_t
27458 PCI_ANY_ID, PCI_ANY_ID,
27459 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
27460 0xffff00, pbn_default },
27462 + { 0, 0, 0, 0, 0, 0, 0 }
27465 static struct pci_driver serial_pci_driver = {
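Review bot: The added sentinel `{ 0, 0, 0, 0, 0, 0, 0 }` hard-codes the field count of `struct pci_device_id` and carries no comment saying it is the table terminator, so a later layout change or a reader skimming the table can miss its role. I would keep the intent visible with `{ 0, 0, 0, 0, 0, 0, 0 } /* terminating entry */`. The same applies to the positional terminators added in cdc-acm.c, ehci-pci.c and uhci-hcd.c later in this patch; the ehci-pci.c and uhci-hcd.c hunks drop the existing `/* end: all zeroes */` comment. The table itself starts outside the hunk.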
27466 diff -urNp linux-2.6.35.5/drivers/serial/kgdboc.c linux-2.6.35.5/drivers/serial/kgdboc.c
27467 --- linux-2.6.35.5/drivers/serial/kgdboc.c 2010-08-26 19:47:12.000000000 -0400
27468 +++ linux-2.6.35.5/drivers/serial/kgdboc.c 2010-09-17 20:12:09.000000000 -0400
27471 #define MAX_CONFIG_LEN 40
27473 -static struct kgdb_io kgdboc_io_ops;
27474 +static struct kgdb_io kgdboc_io_ops;
27476 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
27477 static int configured = -1;
27478 diff -urNp linux-2.6.35.5/drivers/staging/comedi/comedi_fops.c linux-2.6.35.5/drivers/staging/comedi/comedi_fops.c
27479 --- linux-2.6.35.5/drivers/staging/comedi/comedi_fops.c 2010-08-26 19:47:12.000000000 -0400
27480 +++ linux-2.6.35.5/drivers/staging/comedi/comedi_fops.c 2010-09-17 20:12:09.000000000 -0400
27481 @@ -1425,7 +1425,7 @@ static void comedi_unmap(struct vm_area_
27482 mutex_unlock(&dev->mutex);
27485 -static struct vm_operations_struct comedi_vm_ops = {
27486 +static const struct vm_operations_struct comedi_vm_ops = {
27487 .close = comedi_unmap,
27490 diff -urNp linux-2.6.35.5/drivers/staging/dream/pmem.c linux-2.6.35.5/drivers/staging/dream/pmem.c
27491 --- linux-2.6.35.5/drivers/staging/dream/pmem.c 2010-08-26 19:47:12.000000000 -0400
27492 +++ linux-2.6.35.5/drivers/staging/dream/pmem.c 2010-09-17 20:12:09.000000000 -0400
27493 @@ -175,7 +175,7 @@ static int pmem_mmap(struct file *, stru
27494 static int pmem_open(struct inode *, struct file *);
27495 static long pmem_ioctl(struct file *, unsigned int, unsigned long);
27497 -struct file_operations pmem_fops = {
27498 +const struct file_operations pmem_fops = {
27499 .release = pmem_release,
27502 @@ -1201,7 +1201,7 @@ static ssize_t debug_read(struct file *f
27503 return simple_read_from_buffer(buf, count, ppos, buffer, n);
27506 -static struct file_operations debug_fops = {
27507 +static const struct file_operations debug_fops = {
27508 .read = debug_read,
27509 .open = debug_open,
27511 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.35.5/drivers/staging/dream/qdsp5/adsp_driver.c
27512 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/adsp_driver.c 2010-08-26 19:47:12.000000000 -0400
27513 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/adsp_driver.c 2010-09-17 20:12:09.000000000 -0400
27514 @@ -577,7 +577,7 @@ static struct adsp_device *inode_to_devi
27515 static dev_t adsp_devno;
27516 static struct class *adsp_class;
27518 -static struct file_operations adsp_fops = {
27519 +static const struct file_operations adsp_fops = {
27520 .owner = THIS_MODULE,
27522 .unlocked_ioctl = adsp_ioctl,
27523 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_aac.c
27524 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_aac.c 2010-08-26 19:47:12.000000000 -0400
27525 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_aac.c 2010-09-17 20:12:09.000000000 -0400
27526 @@ -1023,7 +1023,7 @@ done:
27530 -static struct file_operations audio_aac_fops = {
27531 +static const struct file_operations audio_aac_fops = {
27532 .owner = THIS_MODULE,
27533 .open = audio_open,
27534 .release = audio_release,
27535 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_amrnb.c
27536 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-08-26 19:47:12.000000000 -0400
27537 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-09-17 20:12:09.000000000 -0400
27538 @@ -834,7 +834,7 @@ done:
27542 -static struct file_operations audio_amrnb_fops = {
27543 +static const struct file_operations audio_amrnb_fops = {
27544 .owner = THIS_MODULE,
27545 .open = audamrnb_open,
27546 .release = audamrnb_release,
27547 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_evrc.c
27548 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_evrc.c 2010-08-26 19:47:12.000000000 -0400
27549 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_evrc.c 2010-09-17 20:12:09.000000000 -0400
27550 @@ -806,7 +806,7 @@ dma_fail:
27554 -static struct file_operations audio_evrc_fops = {
27555 +static const struct file_operations audio_evrc_fops = {
27556 .owner = THIS_MODULE,
27557 .open = audevrc_open,
27558 .release = audevrc_release,
27559 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_in.c
27560 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_in.c 2010-08-26 19:47:12.000000000 -0400
27561 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_in.c 2010-09-17 20:12:09.000000000 -0400
27562 @@ -914,7 +914,7 @@ static int audpre_open(struct inode *ino
27566 -static struct file_operations audio_fops = {
27567 +static const struct file_operations audio_fops = {
27568 .owner = THIS_MODULE,
27569 .open = audio_in_open,
27570 .release = audio_in_release,
27571 @@ -923,7 +923,7 @@ static struct file_operations audio_fops
27572 .unlocked_ioctl = audio_in_ioctl,
27575 -static struct file_operations audpre_fops = {
27576 +static const struct file_operations audpre_fops = {
27577 .owner = THIS_MODULE,
27578 .open = audpre_open,
27579 .unlocked_ioctl = audpre_ioctl,
27580 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_mp3.c
27581 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_mp3.c 2010-08-26 19:47:12.000000000 -0400
27582 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_mp3.c 2010-09-17 20:12:09.000000000 -0400
27583 @@ -941,7 +941,7 @@ done:
27587 -static struct file_operations audio_mp3_fops = {
27588 +static const struct file_operations audio_mp3_fops = {
27589 .owner = THIS_MODULE,
27590 .open = audio_open,
27591 .release = audio_release,
27592 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_out.c
27593 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_out.c 2010-08-26 19:47:12.000000000 -0400
27594 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_out.c 2010-09-17 20:12:09.000000000 -0400
27595 @@ -800,7 +800,7 @@ static int audpp_open(struct inode *inod
27599 -static struct file_operations audio_fops = {
27600 +static const struct file_operations audio_fops = {
27601 .owner = THIS_MODULE,
27602 .open = audio_open,
27603 .release = audio_release,
27604 @@ -809,7 +809,7 @@ static struct file_operations audio_fops
27605 .unlocked_ioctl = audio_ioctl,
27608 -static struct file_operations audpp_fops = {
27609 +static const struct file_operations audpp_fops = {
27610 .owner = THIS_MODULE,
27611 .open = audpp_open,
27612 .unlocked_ioctl = audpp_ioctl,
27613 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_qcelp.c
27614 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-08-26 19:47:12.000000000 -0400
27615 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-09-17 20:12:09.000000000 -0400
27616 @@ -817,7 +817,7 @@ err:
27620 -static struct file_operations audio_qcelp_fops = {
27621 +static const struct file_operations audio_qcelp_fops = {
27622 .owner = THIS_MODULE,
27623 .open = audqcelp_open,
27624 .release = audqcelp_release,
27625 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/snd.c linux-2.6.35.5/drivers/staging/dream/qdsp5/snd.c
27626 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/snd.c 2010-08-26 19:47:12.000000000 -0400
27627 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/snd.c 2010-09-17 20:12:09.000000000 -0400
27628 @@ -242,7 +242,7 @@ err:
27632 -static struct file_operations snd_fops = {
27633 +static const struct file_operations snd_fops = {
27634 .owner = THIS_MODULE,
27636 .release = snd_release,
27637 diff -urNp linux-2.6.35.5/drivers/staging/dt3155/dt3155_drv.c linux-2.6.35.5/drivers/staging/dt3155/dt3155_drv.c
27638 --- linux-2.6.35.5/drivers/staging/dt3155/dt3155_drv.c 2010-08-26 19:47:12.000000000 -0400
27639 +++ linux-2.6.35.5/drivers/staging/dt3155/dt3155_drv.c 2010-09-17 20:12:09.000000000 -0400
27640 @@ -853,7 +853,7 @@ dt3155_unlocked_ioctl(struct file *file,
27641 * needed by init_module
27643 *****************************************************/
27644 -static struct file_operations dt3155_fops = {
27645 +static const struct file_operations dt3155_fops = {
27646 .read = dt3155_read,
27647 .unlocked_ioctl = dt3155_unlocked_ioctl,
27648 .mmap = dt3155_mmap,
27649 diff -urNp linux-2.6.35.5/drivers/staging/go7007/go7007-v4l2.c linux-2.6.35.5/drivers/staging/go7007/go7007-v4l2.c
27650 --- linux-2.6.35.5/drivers/staging/go7007/go7007-v4l2.c 2010-08-26 19:47:12.000000000 -0400
27651 +++ linux-2.6.35.5/drivers/staging/go7007/go7007-v4l2.c 2010-09-17 20:12:09.000000000 -0400
27652 @@ -1673,7 +1673,7 @@ static int go7007_vm_fault(struct vm_are
27656 -static struct vm_operations_struct go7007_vm_ops = {
27657 +static const struct vm_operations_struct go7007_vm_ops = {
27658 .open = go7007_vm_open,
27659 .close = go7007_vm_close,
27660 .fault = go7007_vm_fault,
27661 diff -urNp linux-2.6.35.5/drivers/staging/hv/hv.c linux-2.6.35.5/drivers/staging/hv/hv.c
27662 --- linux-2.6.35.5/drivers/staging/hv/hv.c 2010-08-26 19:47:12.000000000 -0400
27663 +++ linux-2.6.35.5/drivers/staging/hv/hv.c 2010-09-17 20:12:09.000000000 -0400
27664 @@ -162,7 +162,7 @@ static u64 HvDoHypercall(u64 Control, vo
27665 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
27666 u32 outputAddressHi = outputAddress >> 32;
27667 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
27668 - volatile void *hypercallPage = gHvContext.HypercallPage;
27669 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
27671 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
27672 Control, Input, Output);
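Review bot: The new `ktva_ktla()` wrapper around `gHvContext.HypercallPage` has no comment, and nothing in the visible part of HvDoHypercall says why the hypercall page address must be translated before use. A one-line comment such as `/* translate the hypercall page to the address it is actually executed from */` would record the intent. I am inferring the purpose from the helper's name, so the wording should be checked against its definition. The function body starts and ends outside the hunk.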
27673 diff -urNp linux-2.6.35.5/drivers/staging/msm/msm_fb_bl.c linux-2.6.35.5/drivers/staging/msm/msm_fb_bl.c
27674 --- linux-2.6.35.5/drivers/staging/msm/msm_fb_bl.c 2010-08-26 19:47:12.000000000 -0400
27675 +++ linux-2.6.35.5/drivers/staging/msm/msm_fb_bl.c 2010-09-17 20:12:09.000000000 -0400
27676 @@ -42,7 +42,7 @@ static int msm_fb_bl_update_status(struc
27680 -static struct backlight_ops msm_fb_bl_ops = {
27681 +static const struct backlight_ops msm_fb_bl_ops = {
27682 .get_brightness = msm_fb_bl_get_brightness,
27683 .update_status = msm_fb_bl_update_status,
27685 diff -urNp linux-2.6.35.5/drivers/staging/panel/panel.c linux-2.6.35.5/drivers/staging/panel/panel.c
27686 --- linux-2.6.35.5/drivers/staging/panel/panel.c 2010-08-26 19:47:12.000000000 -0400
27687 +++ linux-2.6.35.5/drivers/staging/panel/panel.c 2010-09-17 20:12:09.000000000 -0400
27688 @@ -1304,7 +1304,7 @@ static int lcd_release(struct inode *ino
27692 -static struct file_operations lcd_fops = {
27693 +static const struct file_operations lcd_fops = {
27694 .write = lcd_write,
27696 .release = lcd_release,
27697 @@ -1564,7 +1564,7 @@ static int keypad_release(struct inode *
27701 -static struct file_operations keypad_fops = {
27702 +static const struct file_operations keypad_fops = {
27703 .read = keypad_read, /* read */
27704 .open = keypad_open, /* open */
27705 .release = keypad_release, /* close */
27706 diff -urNp linux-2.6.35.5/drivers/staging/phison/phison.c linux-2.6.35.5/drivers/staging/phison/phison.c
27707 --- linux-2.6.35.5/drivers/staging/phison/phison.c 2010-08-26 19:47:12.000000000 -0400
27708 +++ linux-2.6.35.5/drivers/staging/phison/phison.c 2010-09-17 20:12:09.000000000 -0400
27709 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
27710 ATA_BMDMA_SHT(DRV_NAME),
27713 -static struct ata_port_operations phison_ops = {
27714 +static const struct ata_port_operations phison_ops = {
27715 .inherits = &ata_bmdma_port_ops,
27716 .prereset = phison_pre_reset,
27718 diff -urNp linux-2.6.35.5/drivers/staging/pohmelfs/inode.c linux-2.6.35.5/drivers/staging/pohmelfs/inode.c
27719 --- linux-2.6.35.5/drivers/staging/pohmelfs/inode.c 2010-08-26 19:47:12.000000000 -0400
27720 +++ linux-2.6.35.5/drivers/staging/pohmelfs/inode.c 2010-09-17 20:12:09.000000000 -0400
27721 @@ -1846,7 +1846,7 @@ static int pohmelfs_fill_super(struct su
27722 mutex_init(&psb->mcache_lock);
27723 psb->mcache_root = RB_ROOT;
27724 psb->mcache_timeout = msecs_to_jiffies(5000);
27725 - atomic_long_set(&psb->mcache_gen, 0);
27726 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
27728 psb->trans_max_pages = 100;
27730 diff -urNp linux-2.6.35.5/drivers/staging/pohmelfs/mcache.c linux-2.6.35.5/drivers/staging/pohmelfs/mcache.c
27731 --- linux-2.6.35.5/drivers/staging/pohmelfs/mcache.c 2010-08-26 19:47:12.000000000 -0400
27732 +++ linux-2.6.35.5/drivers/staging/pohmelfs/mcache.c 2010-09-17 20:12:09.000000000 -0400
27733 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
27737 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
27738 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
27740 mutex_lock(&psb->mcache_lock);
27741 err = pohmelfs_mcache_insert(psb, m);
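Review bot: `m->gen` is taken from `atomic_long_inc_return_unchecked()` and the entry is then handed to `pohmelfs_mcache_insert()`, so if the insert keys on `gen` (not visible here), a wrapped counter could repeat a generation that is still live. Opting an ID generator out of overflow checking looks reasonable, but the reason should be written down next to the call, e.g. `/* generation id, not a refcount: wrap-around is tolerated */`, once the duplicate handling in the insert path has been confirmed. The function continues outside the hunk.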
27742 diff -urNp linux-2.6.35.5/drivers/staging/pohmelfs/netfs.h linux-2.6.35.5/drivers/staging/pohmelfs/netfs.h
27743 --- linux-2.6.35.5/drivers/staging/pohmelfs/netfs.h 2010-08-26 19:47:12.000000000 -0400
27744 +++ linux-2.6.35.5/drivers/staging/pohmelfs/netfs.h 2010-09-17 20:12:09.000000000 -0400
27745 @@ -571,7 +571,7 @@ struct pohmelfs_config;
27746 struct pohmelfs_sb {
27747 struct rb_root mcache_root;
27748 struct mutex mcache_lock;
27749 - atomic_long_t mcache_gen;
27750 + atomic_long_unchecked_t mcache_gen;
27751 unsigned long mcache_timeout;
27754 diff -urNp linux-2.6.35.5/drivers/staging/ramzswap/ramzswap_drv.c linux-2.6.35.5/drivers/staging/ramzswap/ramzswap_drv.c
27755 --- linux-2.6.35.5/drivers/staging/ramzswap/ramzswap_drv.c 2010-08-26 19:47:12.000000000 -0400
27756 +++ linux-2.6.35.5/drivers/staging/ramzswap/ramzswap_drv.c 2010-09-17 20:12:09.000000000 -0400
27757 @@ -693,7 +693,7 @@ void ramzswap_slot_free_notify(struct bl
27761 -static struct block_device_operations ramzswap_devops = {
27762 +static const struct block_device_operations ramzswap_devops = {
27763 .ioctl = ramzswap_ioctl,
27764 .swap_slot_free_notify = ramzswap_slot_free_notify,
27765 .owner = THIS_MODULE
27766 diff -urNp linux-2.6.35.5/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.35.5/drivers/staging/rtl8192u/ieee80211/proc.c
27767 --- linux-2.6.35.5/drivers/staging/rtl8192u/ieee80211/proc.c 2010-08-26 19:47:12.000000000 -0400
27768 +++ linux-2.6.35.5/drivers/staging/rtl8192u/ieee80211/proc.c 2010-09-17 20:12:09.000000000 -0400
27769 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
27770 return seq_open(file, &crypto_seq_ops);
27773 -static struct file_operations proc_crypto_ops = {
27774 +static const struct file_operations proc_crypto_ops = {
27775 .open = crypto_info_open,
27777 .llseek = seq_lseek,
27778 diff -urNp linux-2.6.35.5/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.35.5/drivers/staging/samsung-laptop/samsung-laptop.c
27779 --- linux-2.6.35.5/drivers/staging/samsung-laptop/samsung-laptop.c 2010-08-26 19:47:12.000000000 -0400
27780 +++ linux-2.6.35.5/drivers/staging/samsung-laptop/samsung-laptop.c 2010-09-17 20:12:09.000000000 -0400
27781 @@ -269,7 +269,7 @@ static int update_status(struct backligh
27785 -static struct backlight_ops backlight_ops = {
27786 +static const struct backlight_ops backlight_ops = {
27787 .get_brightness = get_brightness,
27788 .update_status = update_status,
27790 diff -urNp linux-2.6.35.5/drivers/staging/sep/sep_driver.c linux-2.6.35.5/drivers/staging/sep/sep_driver.c
27791 --- linux-2.6.35.5/drivers/staging/sep/sep_driver.c 2010-08-26 19:47:12.000000000 -0400
27792 +++ linux-2.6.35.5/drivers/staging/sep/sep_driver.c 2010-09-17 20:12:09.000000000 -0400
27793 @@ -2637,7 +2637,7 @@ static struct pci_driver sep_pci_driver
27794 static dev_t sep_devno;
27796 /* the files operations structure of the driver */
27797 -static struct file_operations sep_file_operations = {
27798 +static const struct file_operations sep_file_operations = {
27799 .owner = THIS_MODULE,
27800 .unlocked_ioctl = sep_ioctl,
27802 diff -urNp linux-2.6.35.5/drivers/staging/vme/devices/vme_user.c linux-2.6.35.5/drivers/staging/vme/devices/vme_user.c
27803 --- linux-2.6.35.5/drivers/staging/vme/devices/vme_user.c 2010-08-26 19:47:12.000000000 -0400
27804 +++ linux-2.6.35.5/drivers/staging/vme/devices/vme_user.c 2010-09-17 20:12:09.000000000 -0400
27805 @@ -136,7 +136,7 @@ static long vme_user_unlocked_ioctl(stru
27806 static int __init vme_user_probe(struct device *, int, int);
27807 static int __exit vme_user_remove(struct device *, int, int);
27809 -static struct file_operations vme_user_fops = {
27810 +static const struct file_operations vme_user_fops = {
27811 .open = vme_user_open,
27812 .release = vme_user_release,
27813 .read = vme_user_read,
27814 diff -urNp linux-2.6.35.5/drivers/usb/atm/usbatm.c linux-2.6.35.5/drivers/usb/atm/usbatm.c
27815 --- linux-2.6.35.5/drivers/usb/atm/usbatm.c 2010-08-26 19:47:12.000000000 -0400
27816 +++ linux-2.6.35.5/drivers/usb/atm/usbatm.c 2010-09-17 20:12:09.000000000 -0400
27817 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
27818 if (printk_ratelimit())
27819 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
27820 __func__, vpi, vci);
27821 - atomic_inc(&vcc->stats->rx_err);
27822 + atomic_inc_unchecked(&vcc->stats->rx_err);
27826 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
27827 if (length > ATM_MAX_AAL5_PDU) {
27828 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
27829 __func__, length, vcc);
27830 - atomic_inc(&vcc->stats->rx_err);
27831 + atomic_inc_unchecked(&vcc->stats->rx_err);
27835 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
27836 if (sarb->len < pdu_length) {
27837 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
27838 __func__, pdu_length, sarb->len, vcc);
27839 - atomic_inc(&vcc->stats->rx_err);
27840 + atomic_inc_unchecked(&vcc->stats->rx_err);
27844 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
27845 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
27847 - atomic_inc(&vcc->stats->rx_err);
27848 + atomic_inc_unchecked(&vcc->stats->rx_err);
27852 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
27853 if (printk_ratelimit())
27854 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
27856 - atomic_inc(&vcc->stats->rx_drop);
27857 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27861 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
27863 vcc->push(vcc, skb);
27865 - atomic_inc(&vcc->stats->rx);
27866 + atomic_inc_unchecked(&vcc->stats->rx);
27870 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
27871 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
27873 usbatm_pop(vcc, skb);
27874 - atomic_inc(&vcc->stats->tx);
27875 + atomic_inc_unchecked(&vcc->stats->tx);
27877 skb = skb_dequeue(&instance->sndqueue);
27879 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
27881 return sprintf(page,
27882 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
27883 - atomic_read(&atm_dev->stats.aal5.tx),
27884 - atomic_read(&atm_dev->stats.aal5.tx_err),
27885 - atomic_read(&atm_dev->stats.aal5.rx),
27886 - atomic_read(&atm_dev->stats.aal5.rx_err),
27887 - atomic_read(&atm_dev->stats.aal5.rx_drop));
27888 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
27889 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
27890 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
27891 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
27892 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
27895 if (instance->disconnected)
27896 diff -urNp linux-2.6.35.5/drivers/usb/class/cdc-acm.c linux-2.6.35.5/drivers/usb/class/cdc-acm.c
27897 --- linux-2.6.35.5/drivers/usb/class/cdc-acm.c 2010-09-20 17:33:09.000000000 -0400
27898 +++ linux-2.6.35.5/drivers/usb/class/cdc-acm.c 2010-09-20 17:33:32.000000000 -0400
27899 @@ -1640,7 +1640,7 @@ static const struct usb_device_id acm_id
27900 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
27901 USB_CDC_ACM_PROTO_AT_CDMA) },
27904 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
27907 MODULE_DEVICE_TABLE(usb, acm_ids);
27908 diff -urNp linux-2.6.35.5/drivers/usb/class/cdc-wdm.c linux-2.6.35.5/drivers/usb/class/cdc-wdm.c
27909 --- linux-2.6.35.5/drivers/usb/class/cdc-wdm.c 2010-08-26 19:47:12.000000000 -0400
27910 +++ linux-2.6.35.5/drivers/usb/class/cdc-wdm.c 2010-09-17 20:12:09.000000000 -0400
27911 @@ -342,7 +342,7 @@ static ssize_t wdm_write
27915 - if (!file->f_flags && O_NONBLOCK)
27916 + if (!(file->f_flags & O_NONBLOCK))
27917 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
27920 diff -urNp linux-2.6.35.5/drivers/usb/class/usblp.c linux-2.6.35.5/drivers/usb/class/usblp.c
27921 --- linux-2.6.35.5/drivers/usb/class/usblp.c 2010-08-26 19:47:12.000000000 -0400
27922 +++ linux-2.6.35.5/drivers/usb/class/usblp.c 2010-09-17 20:12:09.000000000 -0400
27923 @@ -226,7 +226,7 @@ static const struct quirk_printer_struct
27924 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
27925 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
27926 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
27931 static int usblp_wwait(struct usblp *usblp, int nonblock);
27932 @@ -1398,7 +1398,7 @@ static const struct usb_device_id usblp_
27933 { USB_INTERFACE_INFO(7, 1, 2) },
27934 { USB_INTERFACE_INFO(7, 1, 3) },
27935 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
27936 - { } /* Terminating entry */
27937 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
27940 MODULE_DEVICE_TABLE (usb, usblp_ids);
27941 diff -urNp linux-2.6.35.5/drivers/usb/core/hcd.c linux-2.6.35.5/drivers/usb/core/hcd.c
27942 --- linux-2.6.35.5/drivers/usb/core/hcd.c 2010-08-26 19:47:12.000000000 -0400
27943 +++ linux-2.6.35.5/drivers/usb/core/hcd.c 2010-09-17 20:12:09.000000000 -0400
27944 @@ -2381,7 +2381,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
27946 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
27948 -struct usb_mon_operations *mon_ops;
27949 +const struct usb_mon_operations *mon_ops;
27952 * The registration is unlocked.
27953 @@ -2391,7 +2391,7 @@ struct usb_mon_operations *mon_ops;
27954 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
27957 -int usb_mon_register (struct usb_mon_operations *ops)
27958 +int usb_mon_register (const struct usb_mon_operations *ops)
27962 diff -urNp linux-2.6.35.5/drivers/usb/core/hub.c linux-2.6.35.5/drivers/usb/core/hub.c
27963 --- linux-2.6.35.5/drivers/usb/core/hub.c 2010-08-26 19:47:12.000000000 -0400
27964 +++ linux-2.6.35.5/drivers/usb/core/hub.c 2010-09-17 20:12:09.000000000 -0400
27965 @@ -3453,7 +3453,7 @@ static const struct usb_device_id hub_id
27966 .bDeviceClass = USB_CLASS_HUB},
27967 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
27968 .bInterfaceClass = USB_CLASS_HUB},
27969 - { } /* Terminating entry */
27970 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
27973 MODULE_DEVICE_TABLE (usb, hub_id_table);
27974 diff -urNp linux-2.6.35.5/drivers/usb/core/message.c linux-2.6.35.5/drivers/usb/core/message.c
27975 --- linux-2.6.35.5/drivers/usb/core/message.c 2010-09-20 17:33:09.000000000 -0400
27976 +++ linux-2.6.35.5/drivers/usb/core/message.c 2010-09-20 17:33:32.000000000 -0400
27977 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
27978 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
27980 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
27982 - smallbuf = kmalloc(++len, GFP_NOIO);
27984 + smallbuf = kmalloc(len, GFP_NOIO);
27987 memcpy(smallbuf, buf, len);
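Review bot: `kmalloc(len, GFP_NOIO)` and `memcpy(smallbuf, buf, len)` now use `len` without the `++len` that previously made room for the terminating NUL, and the lines shown do not include where `len` is incremented instead (the listing skips lines inside this hunk). Presumably the increment moved into the length test. If so, a side effect inside a condition is easy to lose in a later edit, and a plain `len++; /* include the terminating NUL */` before the allocation states the size contract directly. If the increment is gone altogether, the copied string would be left unterminated. usb_cache_string's body starts and ends outside the hunk.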
27988 diff -urNp linux-2.6.35.5/drivers/usb/early/ehci-dbgp.c linux-2.6.35.5/drivers/usb/early/ehci-dbgp.c
27989 --- linux-2.6.35.5/drivers/usb/early/ehci-dbgp.c 2010-08-26 19:47:12.000000000 -0400
27990 +++ linux-2.6.35.5/drivers/usb/early/ehci-dbgp.c 2010-09-17 20:12:09.000000000 -0400
27991 @@ -1026,6 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
27992 early_dbgp_write(NULL, &chr, 1);
27995 +/* cannot be const, see kgdbdbgp_parse_config() */
27996 static struct kgdb_io kgdbdbgp_io_ops = {
27997 .name = "kgdbdbgp",
27998 .read_char = kgdbdbgp_read_char,
27999 diff -urNp linux-2.6.35.5/drivers/usb/host/ehci-pci.c linux-2.6.35.5/drivers/usb/host/ehci-pci.c
28000 --- linux-2.6.35.5/drivers/usb/host/ehci-pci.c 2010-08-26 19:47:12.000000000 -0400
28001 +++ linux-2.6.35.5/drivers/usb/host/ehci-pci.c 2010-09-17 20:12:09.000000000 -0400
28002 @@ -419,7 +419,7 @@ static const struct pci_device_id pci_id
28003 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
28004 .driver_data = (unsigned long) &ehci_pci_hc_driver,
28006 - { /* end: all zeroes */ }
28007 + { 0, 0, 0, 0, 0, 0, 0 }
28009 MODULE_DEVICE_TABLE(pci, pci_ids);
28011 diff -urNp linux-2.6.35.5/drivers/usb/host/uhci-hcd.c linux-2.6.35.5/drivers/usb/host/uhci-hcd.c
28012 --- linux-2.6.35.5/drivers/usb/host/uhci-hcd.c 2010-08-26 19:47:12.000000000 -0400
28013 +++ linux-2.6.35.5/drivers/usb/host/uhci-hcd.c 2010-09-17 20:12:09.000000000 -0400
28014 @@ -941,7 +941,7 @@ static const struct pci_device_id uhci_p
28015 /* handle any USB UHCI controller */
28016 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
28017 .driver_data = (unsigned long) &uhci_driver,
28018 - }, { /* end: all zeroes */ }
28019 + }, { 0, 0, 0, 0, 0, 0, 0 }
28022 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
28023 diff -urNp linux-2.6.35.5/drivers/usb/mon/mon_main.c linux-2.6.35.5/drivers/usb/mon/mon_main.c
28024 --- linux-2.6.35.5/drivers/usb/mon/mon_main.c 2010-08-26 19:47:12.000000000 -0400
28025 +++ linux-2.6.35.5/drivers/usb/mon/mon_main.c 2010-09-17 20:12:09.000000000 -0400
28026 @@ -240,7 +240,7 @@ static struct notifier_block mon_nb = {
28030 -static struct usb_mon_operations mon_ops_0 = {
28031 +static const struct usb_mon_operations mon_ops_0 = {
28032 .urb_submit = mon_submit,
28033 .urb_submit_error = mon_submit_error,
28034 .urb_complete = mon_complete,
28035 diff -urNp linux-2.6.35.5/drivers/usb/storage/debug.h linux-2.6.35.5/drivers/usb/storage/debug.h
28036 --- linux-2.6.35.5/drivers/usb/storage/debug.h 2010-08-26 19:47:12.000000000 -0400
28037 +++ linux-2.6.35.5/drivers/usb/storage/debug.h 2010-09-17 20:12:09.000000000 -0400
28038 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
28039 #define US_DEBUGPX(x...) printk( x )
28040 #define US_DEBUG(x) x
28042 -#define US_DEBUGP(x...)
28043 -#define US_DEBUGPX(x...)
28044 -#define US_DEBUG(x)
28045 +#define US_DEBUGP(x...) do {} while (0)
28046 +#define US_DEBUGPX(x...) do {} while (0)
28047 +#define US_DEBUG(x) do {} while (0)
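Review bot: The non-debug `US_DEBUG(x)` now expands to a statement, while the debug variant above is `#define US_DEBUG(x) x`, so a use that builds in one configuration (for instance an argument that supplies its own semicolon) can fail to build in the other. The `do {} while (0)` forms of `US_DEBUGP` and `US_DEBUGPX` also discard their arguments without any checking. `#define US_DEBUGPX(x...) do { if (0) printk(x); } while (0)` would keep format and argument checking in non-debug builds at no run-time cost. The enclosing conditional block starts and ends outside the hunk.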
28051 diff -urNp linux-2.6.35.5/drivers/usb/storage/usb.c linux-2.6.35.5/drivers/usb/storage/usb.c
28052 --- linux-2.6.35.5/drivers/usb/storage/usb.c 2010-08-26 19:47:12.000000000 -0400
28053 +++ linux-2.6.35.5/drivers/usb/storage/usb.c 2010-09-17 20:12:09.000000000 -0400
28054 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
28056 static struct us_unusual_dev us_unusual_dev_list[] = {
28057 # include "unusual_devs.h"
28058 - { } /* Terminating entry */
28059 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
28063 diff -urNp linux-2.6.35.5/drivers/usb/storage/usual-tables.c linux-2.6.35.5/drivers/usb/storage/usual-tables.c
28064 --- linux-2.6.35.5/drivers/usb/storage/usual-tables.c 2010-08-26 19:47:12.000000000 -0400
28065 +++ linux-2.6.35.5/drivers/usb/storage/usual-tables.c 2010-09-17 20:12:09.000000000 -0400
28068 struct usb_device_id usb_storage_usb_ids[] = {
28069 # include "unusual_devs.h"
28070 - { } /* Terminating entry */
28071 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28073 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
28075 diff -urNp linux-2.6.35.5/drivers/uwb/wlp/messages.c linux-2.6.35.5/drivers/uwb/wlp/messages.c
28076 --- linux-2.6.35.5/drivers/uwb/wlp/messages.c 2010-08-26 19:47:12.000000000 -0400
28077 +++ linux-2.6.35.5/drivers/uwb/wlp/messages.c 2010-09-17 20:12:09.000000000 -0400
28078 @@ -920,7 +920,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
28079 size_t len = skb->len;
28082 - struct wlp_nonce enonce, rnonce;
28083 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
28084 enum wlp_assc_error assc_err;
28085 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
28086 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
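Review bot: The `= {{0}}` initialisers on `enonce` and `rnonce` carry no comment, and the double braces depend on the first member of `struct wlp_nonce` being an aggregate. Presumably the nonces are later formatted into `enonce_buf`/`rnonce_buf` and must not hold stale stack bytes when the frame does not supply them. A comment like `/* zeroed: may be printed even if the frame carries no nonce */` would record that once confirmed against the rest of the function. wlp_parse_f0 continues outside the hunk.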
28087 diff -urNp linux-2.6.35.5/drivers/vhost/vhost.c linux-2.6.35.5/drivers/vhost/vhost.c
28088 --- linux-2.6.35.5/drivers/vhost/vhost.c 2010-08-26 19:47:12.000000000 -0400
28089 +++ linux-2.6.35.5/drivers/vhost/vhost.c 2010-09-17 20:12:09.000000000 -0400
28090 @@ -357,7 +357,7 @@ static int init_used(struct vhost_virtqu
28091 return get_user(vq->last_used_idx, &used->idx);
28094 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
28095 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
28097 struct file *eventfp, *filep = NULL,
28098 *pollstart = NULL, *pollstop = NULL;
28099 diff -urNp linux-2.6.35.5/drivers/video/atmel_lcdfb.c linux-2.6.35.5/drivers/video/atmel_lcdfb.c
28100 --- linux-2.6.35.5/drivers/video/atmel_lcdfb.c 2010-08-26 19:47:12.000000000 -0400
28101 +++ linux-2.6.35.5/drivers/video/atmel_lcdfb.c 2010-09-17 20:12:09.000000000 -0400
28102 @@ -111,7 +111,7 @@ static int atmel_bl_get_brightness(struc
28103 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
28106 -static struct backlight_ops atmel_lcdc_bl_ops = {
28107 +static const struct backlight_ops atmel_lcdc_bl_ops = {
28108 .update_status = atmel_bl_update_status,
28109 .get_brightness = atmel_bl_get_brightness,
28111 diff -urNp linux-2.6.35.5/drivers/video/aty/aty128fb.c linux-2.6.35.5/drivers/video/aty/aty128fb.c
28112 --- linux-2.6.35.5/drivers/video/aty/aty128fb.c 2010-08-26 19:47:12.000000000 -0400
28113 +++ linux-2.6.35.5/drivers/video/aty/aty128fb.c 2010-09-17 20:12:09.000000000 -0400
28114 @@ -1786,7 +1786,7 @@ static int aty128_bl_get_brightness(stru
28115 return bd->props.brightness;
28118 -static struct backlight_ops aty128_bl_data = {
28119 +static const struct backlight_ops aty128_bl_data = {
28120 .get_brightness = aty128_bl_get_brightness,
28121 .update_status = aty128_bl_update_status,
28123 diff -urNp linux-2.6.35.5/drivers/video/aty/atyfb_base.c linux-2.6.35.5/drivers/video/aty/atyfb_base.c
28124 --- linux-2.6.35.5/drivers/video/aty/atyfb_base.c 2010-08-26 19:47:12.000000000 -0400
28125 +++ linux-2.6.35.5/drivers/video/aty/atyfb_base.c 2010-09-17 20:12:09.000000000 -0400
28126 @@ -2221,7 +2221,7 @@ static int aty_bl_get_brightness(struct
28127 return bd->props.brightness;
28130 -static struct backlight_ops aty_bl_data = {
28131 +static const struct backlight_ops aty_bl_data = {
28132 .get_brightness = aty_bl_get_brightness,
28133 .update_status = aty_bl_update_status,
28135 diff -urNp linux-2.6.35.5/drivers/video/aty/radeon_backlight.c linux-2.6.35.5/drivers/video/aty/radeon_backlight.c
28136 --- linux-2.6.35.5/drivers/video/aty/radeon_backlight.c 2010-08-26 19:47:12.000000000 -0400
28137 +++ linux-2.6.35.5/drivers/video/aty/radeon_backlight.c 2010-09-17 20:12:09.000000000 -0400
28138 @@ -128,7 +128,7 @@ static int radeon_bl_get_brightness(stru
28139 return bd->props.brightness;
28142 -static struct backlight_ops radeon_bl_data = {
28143 +static const struct backlight_ops radeon_bl_data = {
28144 .get_brightness = radeon_bl_get_brightness,
28145 .update_status = radeon_bl_update_status,
28147 diff -urNp linux-2.6.35.5/drivers/video/backlight/88pm860x_bl.c linux-2.6.35.5/drivers/video/backlight/88pm860x_bl.c
28148 --- linux-2.6.35.5/drivers/video/backlight/88pm860x_bl.c 2010-08-26 19:47:12.000000000 -0400
28149 +++ linux-2.6.35.5/drivers/video/backlight/88pm860x_bl.c 2010-09-17 20:12:09.000000000 -0400
28150 @@ -155,7 +155,7 @@ out:
28154 -static struct backlight_ops pm860x_backlight_ops = {
28155 +static const struct backlight_ops pm860x_backlight_ops = {
28156 .options = BL_CORE_SUSPENDRESUME,
28157 .update_status = pm860x_backlight_update_status,
28158 .get_brightness = pm860x_backlight_get_brightness,
28159 diff -urNp linux-2.6.35.5/drivers/video/backlight/max8925_bl.c linux-2.6.35.5/drivers/video/backlight/max8925_bl.c
28160 --- linux-2.6.35.5/drivers/video/backlight/max8925_bl.c 2010-08-26 19:47:12.000000000 -0400
28161 +++ linux-2.6.35.5/drivers/video/backlight/max8925_bl.c 2010-09-17 20:12:09.000000000 -0400
28162 @@ -92,7 +92,7 @@ static int max8925_backlight_get_brightn
28166 -static struct backlight_ops max8925_backlight_ops = {
28167 +static const struct backlight_ops max8925_backlight_ops = {
28168 .options = BL_CORE_SUSPENDRESUME,
28169 .update_status = max8925_backlight_update_status,
28170 .get_brightness = max8925_backlight_get_brightness,
28171 diff -urNp linux-2.6.35.5/drivers/video/fbcmap.c linux-2.6.35.5/drivers/video/fbcmap.c
28172 --- linux-2.6.35.5/drivers/video/fbcmap.c 2010-08-26 19:47:12.000000000 -0400
28173 +++ linux-2.6.35.5/drivers/video/fbcmap.c 2010-09-17 20:12:09.000000000 -0400
28174 @@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
28178 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
28179 - !info->fbops->fb_setcmap)) {
28180 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
28184 diff -urNp linux-2.6.35.5/drivers/video/fbmem.c linux-2.6.35.5/drivers/video/fbmem.c
28185 --- linux-2.6.35.5/drivers/video/fbmem.c 2010-08-26 19:47:12.000000000 -0400
28186 +++ linux-2.6.35.5/drivers/video/fbmem.c 2010-09-17 20:12:09.000000000 -0400
28187 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
28188 image->dx += image->width + 8;
28190 } else if (rotate == FB_ROTATE_UD) {
28191 - for (x = 0; x < num && image->dx >= 0; x++) {
28192 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
28193 info->fbops->fb_imageblit(info, image);
28194 image->dx -= image->width + 8;
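Review bot: The `(__s32)image->dx >= 0` test in the FB_ROTATE_UD loop only stops the loop after `image->dx -= image->width + 8` has already wrapped, and it also treats any genuinely large `dx` (0x80000000 and up) as negative. The cast suggests `dx` is an unsigned field, so the old `>= 0` was presumably always true. Testing before the subtraction states the intent directly, e.g. `if (image->dx < image->width + 8) break;` ahead of the decrement. The FB_ROTATE_CCW loop in the next hunk has the same pattern with `image->dy` and `image->height`. If the cast stays, a comment such as `/* dx is unsigned: a wrapped value reads as negative and ends the loop */` is the minimum; fb_do_show_logo starts and ends outside both hunks.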
28196 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
28197 image->dy += image->height + 8;
28199 } else if (rotate == FB_ROTATE_CCW) {
28200 - for (x = 0; x < num && image->dy >= 0; x++) {
28201 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
28202 info->fbops->fb_imageblit(info, image);
28203 image->dy -= image->height + 8;
28205 @@ -1119,7 +1119,7 @@ static long do_fb_ioctl(struct fb_info *
28207 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
28209 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
28210 + if (con2fb.framebuffer >= FB_MAX)
28212 if (!registered_fb[con2fb.framebuffer])
28213 request_module("fb%d", con2fb.framebuffer);
28214 diff -urNp linux-2.6.35.5/drivers/video/fbmon.c linux-2.6.35.5/drivers/video/fbmon.c
28215 --- linux-2.6.35.5/drivers/video/fbmon.c 2010-08-26 19:47:12.000000000 -0400
28216 +++ linux-2.6.35.5/drivers/video/fbmon.c 2010-09-17 20:12:09.000000000 -0400
28219 #define DPRINTK(fmt, args...) printk(fmt,## args)
28221 -#define DPRINTK(fmt, args...)
28222 +#define DPRINTK(fmt, args...) do {} while (0)
28225 #define FBMON_FIX_HEADER 1
28226 diff -urNp linux-2.6.35.5/drivers/video/i810/i810_accel.c linux-2.6.35.5/drivers/video/i810/i810_accel.c
28227 --- linux-2.6.35.5/drivers/video/i810/i810_accel.c 2010-08-26 19:47:12.000000000 -0400
28228 +++ linux-2.6.35.5/drivers/video/i810/i810_accel.c 2010-09-17 20:12:09.000000000 -0400
28229 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
28232 printk("ringbuffer lockup!!!\n");
28233 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
28234 i810_report_error(mmio);
28235 par->dev_flags |= LOCKUP;
28236 info->pixmap.scan_align = 1;
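Review bot: The added `printk` has no log level and no driver prefix, so the ring-buffer state is emitted at the default level and is hard to attribute in a shared kernel log; `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", ...)` would fit its purpose. The "ringbuffer lockup!!!" line above it has the same gap. The `%u` specifiers assume `head`, `tail`, `par->iring.size` and `space` are all unsigned int; their declarations are outside the hunk and should be checked. wait_for_space begins before the hunk and continues after it.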
28237 diff -urNp linux-2.6.35.5/drivers/video/i810/i810_main.c linux-2.6.35.5/drivers/video/i810/i810_main.c
28238 --- linux-2.6.35.5/drivers/video/i810/i810_main.c 2010-08-26 19:47:12.000000000 -0400
28239 +++ linux-2.6.35.5/drivers/video/i810/i810_main.c 2010-09-17 20:12:09.000000000 -0400
28240 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
28241 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
28242 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
28243 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
28245 + { 0, 0, 0, 0, 0, 0, 0 },
28248 static struct pci_driver i810fb_driver = {
28249 diff -urNp linux-2.6.35.5/drivers/video/modedb.c linux-2.6.35.5/drivers/video/modedb.c
28250 --- linux-2.6.35.5/drivers/video/modedb.c 2010-08-26 19:47:12.000000000 -0400
28251 +++ linux-2.6.35.5/drivers/video/modedb.c 2010-09-17 20:12:09.000000000 -0400
28252 @@ -40,240 +40,240 @@ static const struct fb_videomode modedb[
28254 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
28255 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
28256 - 0, FB_VMODE_NONINTERLACED
28257 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28259 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
28260 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
28261 - 0, FB_VMODE_NONINTERLACED
28262 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28264 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
28265 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
28266 - 0, FB_VMODE_NONINTERLACED
28267 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28269 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
28270 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
28271 - 0, FB_VMODE_INTERLACED
28272 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28274 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
28275 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
28276 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28277 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28279 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
28280 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
28281 - 0, FB_VMODE_NONINTERLACED
28282 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28284 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
28285 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
28286 - 0, FB_VMODE_NONINTERLACED
28287 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28289 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
28290 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
28291 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28292 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28294 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
28295 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
28296 - 0, FB_VMODE_NONINTERLACED
28297 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28299 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
28300 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
28301 - 0, FB_VMODE_INTERLACED
28302 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28304 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
28305 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
28306 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28307 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28309 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
28310 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
28311 - 0, FB_VMODE_NONINTERLACED
28312 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28314 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
28315 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
28316 - 0, FB_VMODE_NONINTERLACED
28317 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28319 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
28320 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
28321 - 0, FB_VMODE_NONINTERLACED
28322 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28324 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
28325 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
28326 - 0, FB_VMODE_NONINTERLACED
28327 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28329 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
28330 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
28331 - 0, FB_VMODE_NONINTERLACED
28332 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28334 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
28335 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
28336 - 0, FB_VMODE_INTERLACED
28337 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28339 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
28340 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
28341 - 0, FB_VMODE_NONINTERLACED
28342 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28344 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
28345 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
28346 - 0, FB_VMODE_NONINTERLACED
28347 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28349 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
28350 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
28351 - 0, FB_VMODE_NONINTERLACED
28352 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28354 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
28355 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
28356 - 0, FB_VMODE_NONINTERLACED
28357 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28359 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
28360 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
28361 - 0, FB_VMODE_NONINTERLACED
28362 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28364 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
28365 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
28366 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28367 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28369 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
28370 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
28371 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28372 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28374 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
28375 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
28376 - 0, FB_VMODE_NONINTERLACED
28377 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28379 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
28380 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
28381 - 0, FB_VMODE_NONINTERLACED
28382 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28384 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
28385 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
28386 - 0, FB_VMODE_NONINTERLACED
28387 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28389 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
28390 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
28391 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28392 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28394 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
28395 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
28396 - 0, FB_VMODE_NONINTERLACED
28397 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28399 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
28400 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
28401 - 0, FB_VMODE_NONINTERLACED
28402 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28404 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
28405 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
28406 - 0, FB_VMODE_NONINTERLACED
28407 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28409 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
28410 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
28411 - 0, FB_VMODE_NONINTERLACED
28412 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28414 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
28415 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
28416 - 0, FB_VMODE_NONINTERLACED
28417 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28419 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
28420 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
28421 - 0, FB_VMODE_NONINTERLACED
28422 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28424 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
28425 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
28426 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28427 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28429 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
28430 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
28431 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28432 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28434 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
28435 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
28436 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28437 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28439 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
28440 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
28441 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28442 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28444 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
28445 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
28446 - 0, FB_VMODE_NONINTERLACED
28447 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28449 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
28450 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
28451 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28452 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28454 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
28455 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
28456 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28457 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28459 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
28460 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
28461 - 0, FB_VMODE_NONINTERLACED
28462 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28464 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
28465 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
28466 - 0, FB_VMODE_NONINTERLACED
28467 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28469 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
28470 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
28471 - 0, FB_VMODE_DOUBLE
28472 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28474 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
28475 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
28476 - 0, FB_VMODE_DOUBLE
28477 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28479 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
28480 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
28481 - 0, FB_VMODE_DOUBLE
28482 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28484 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
28485 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
28486 - 0, FB_VMODE_DOUBLE
28487 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28489 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
28490 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
28491 - 0, FB_VMODE_DOUBLE
28492 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28494 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
28495 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
28496 - 0, FB_VMODE_DOUBLE
28497 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28499 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
28500 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
28501 - 0, FB_VMODE_DOUBLE
28502 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28504 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
28505 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
28506 - 0, FB_VMODE_DOUBLE
28507 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28509 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
28510 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
28511 - 0, FB_VMODE_DOUBLE
28512 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28514 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
28515 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
28516 - 0, FB_VMODE_DOUBLE
28517 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28519 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
28520 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
28521 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28522 - FB_VMODE_NONINTERLACED
28523 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28525 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
28526 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
28527 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28528 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28530 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
28531 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
28532 - 0, FB_VMODE_NONINTERLACED
28533 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28535 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
28536 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
28537 - 0, FB_VMODE_NONINTERLACED
28538 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28540 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28541 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
28542 - 0, FB_VMODE_INTERLACED
28543 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28545 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28546 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
28547 - 0, FB_VMODE_INTERLACED
28548 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28552 diff -urNp linux-2.6.35.5/drivers/video/nvidia/nv_backlight.c linux-2.6.35.5/drivers/video/nvidia/nv_backlight.c
28553 --- linux-2.6.35.5/drivers/video/nvidia/nv_backlight.c 2010-08-26 19:47:12.000000000 -0400
28554 +++ linux-2.6.35.5/drivers/video/nvidia/nv_backlight.c 2010-09-17 20:12:09.000000000 -0400
28555 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
28556 return bd->props.brightness;
28559 -static struct backlight_ops nvidia_bl_ops = {
28560 +static const struct backlight_ops nvidia_bl_ops = {
28561 .get_brightness = nvidia_bl_get_brightness,
28562 .update_status = nvidia_bl_update_status,
28564 diff -urNp linux-2.6.35.5/drivers/video/omap2/displays/panel-taal.c linux-2.6.35.5/drivers/video/omap2/displays/panel-taal.c
28565 --- linux-2.6.35.5/drivers/video/omap2/displays/panel-taal.c 2010-08-26 19:47:12.000000000 -0400
28566 +++ linux-2.6.35.5/drivers/video/omap2/displays/panel-taal.c 2010-09-17 20:12:09.000000000 -0400
28567 @@ -319,7 +319,7 @@ static int taal_bl_get_intensity(struct
28571 -static struct backlight_ops taal_bl_ops = {
28572 +static const struct backlight_ops taal_bl_ops = {
28573 .get_brightness = taal_bl_get_intensity,
28574 .update_status = taal_bl_update_status,
28576 diff -urNp linux-2.6.35.5/drivers/video/riva/fbdev.c linux-2.6.35.5/drivers/video/riva/fbdev.c
28577 --- linux-2.6.35.5/drivers/video/riva/fbdev.c 2010-08-26 19:47:12.000000000 -0400
28578 +++ linux-2.6.35.5/drivers/video/riva/fbdev.c 2010-09-17 20:12:09.000000000 -0400
28579 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
28580 return bd->props.brightness;
28583 -static struct backlight_ops riva_bl_ops = {
28584 +static const struct backlight_ops riva_bl_ops = {
28585 .get_brightness = riva_bl_get_brightness,
28586 .update_status = riva_bl_update_status,
28588 diff -urNp linux-2.6.35.5/drivers/video/uvesafb.c linux-2.6.35.5/drivers/video/uvesafb.c
28589 --- linux-2.6.35.5/drivers/video/uvesafb.c 2010-08-26 19:47:12.000000000 -0400
28590 +++ linux-2.6.35.5/drivers/video/uvesafb.c 2010-09-17 20:12:09.000000000 -0400
28592 #include <linux/io.h>
28593 #include <linux/mutex.h>
28594 #include <linux/slab.h>
28595 +#include <linux/moduleloader.h>
28596 #include <video/edid.h>
28597 #include <video/uvesafb.h>
28599 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
28603 - return call_usermodehelper(v86d_path, argv, envp, 1);
28604 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
28608 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
28609 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
28610 par->pmi_setpal = par->ypan = 0;
28613 +#ifdef CONFIG_PAX_KERNEXEC
28614 +#ifdef CONFIG_MODULES
28615 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
28617 + if (!par->pmi_code) {
28618 + par->pmi_setpal = par->ypan = 0;
28623 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
28624 + task->t.regs.edi);
28626 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28627 + pax_open_kernel();
28628 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
28629 + pax_close_kernel();
28631 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
28632 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
28634 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
28635 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
28638 printk(KERN_INFO "uvesafb: protected mode interface info at "
28640 (u16)task->t.regs.es, (u16)task->t.regs.edi);
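Review bot: `par->pmi_base[1]` and `par->pmi_base[2]` are used as offsets into the `par->pmi_code` copy without being compared with the copied length `(u16)task->t.regs.ecx`, so `pmi_start` and `pmi_pal` can point outside the executable buffer that was just allocated. Both the table and the length appear to come from the video BIOS through the helper, so they should be validated before the `memcpy`. When `par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx`, free the buffer and set `par->pmi_setpal = par->ypan = 0`. The vesafb_probe hunk in drivers/video/vesafb.c has the same pattern with `pmi_base[1]`, `pmi_base[2]` and `screen_info.vesapm_size`. uvesafb_vbe_getpmi starts before this hunk and continues past it.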
28641 @@ -1800,6 +1823,11 @@ out:
28642 if (par->vbe_modes)
28643 kfree(par->vbe_modes);
28645 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28646 + if (par->pmi_code)
28647 + module_free_exec(NULL, par->pmi_code);
28650 framebuffer_release(info);
28653 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
28654 kfree(par->vbe_state_orig);
28655 if (par->vbe_state_saved)
28656 kfree(par->vbe_state_saved);
28658 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28659 + if (par->pmi_code)
28660 + module_free_exec(NULL, par->pmi_code);
28665 framebuffer_release(info);
28666 diff -urNp linux-2.6.35.5/drivers/video/vesafb.c linux-2.6.35.5/drivers/video/vesafb.c
28667 --- linux-2.6.35.5/drivers/video/vesafb.c 2010-08-26 19:47:12.000000000 -0400
28668 +++ linux-2.6.35.5/drivers/video/vesafb.c 2010-09-17 20:12:09.000000000 -0400
28672 #include <linux/module.h>
28673 +#include <linux/moduleloader.h>
28674 #include <linux/kernel.h>
28675 #include <linux/errno.h>
28676 #include <linux/string.h>
28677 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
28678 static int vram_total __initdata; /* Set total amount of memory */
28679 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
28680 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
28681 -static void (*pmi_start)(void) __read_mostly;
28682 -static void (*pmi_pal) (void) __read_mostly;
28683 +static void (*pmi_start)(void) __read_only;
28684 +static void (*pmi_pal) (void) __read_only;
28685 static int depth __read_mostly;
28686 static int vga_compat __read_mostly;
28687 /* --------------------------------------------------------------------- */
28688 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
28689 unsigned int size_vmode;
28690 unsigned int size_remap;
28691 unsigned int size_total;
28692 + void *pmi_code = NULL;
28694 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
28696 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
28697 size_remap = size_total;
28698 vesafb_fix.smem_len = size_remap;
28701 - screen_info.vesapm_seg = 0;
28704 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
28705 printk(KERN_WARNING
28706 "vesafb: cannot reserve video memory at 0x%lx\n",
28707 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
28708 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
28709 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
28713 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28714 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
28716 +#elif !defined(CONFIG_PAX_KERNEXEC)
28721 + screen_info.vesapm_seg = 0;
28723 if (screen_info.vesapm_seg) {
28724 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
28725 - screen_info.vesapm_seg,screen_info.vesapm_off);
28726 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
28727 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
28730 if (screen_info.vesapm_seg < 0xc000)
28731 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
28733 if (ypan || pmi_setpal) {
28734 unsigned short *pmi_base;
28735 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
28736 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
28737 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
28739 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
28741 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28742 + pax_open_kernel();
28743 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
28745 + pmi_code = pmi_base;
28748 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
28749 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
28751 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28752 + pmi_start = ktva_ktla(pmi_start);
28753 + pmi_pal = ktva_ktla(pmi_pal);
28754 + pax_close_kernel();
28757 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
28759 printk(KERN_INFO "vesafb: pmi: ports = ");
28760 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
28761 info->node, info->fix.id);
28765 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28766 + module_free_exec(NULL, pmi_code);
28769 if (info->screen_base)
28770 iounmap(info->screen_base);
28771 framebuffer_release(info);
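Review bot: The error path calls `module_free_exec(NULL, pmi_code)` with no NULL test, although `pmi_code` is initialised to NULL in the declaration hunk and both uvesafb.c cleanup hunks check `if (par->pmi_code)` first. Whether module_free_exec accepts NULL is not visible here, so a failure reached before the allocation is safer with `if (pmi_code) module_free_exec(NULL, pmi_code);`. The guard also adds `defined(__i386__)`, where the allocation and copy sites test only `defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)`. If the allocation sits inside an `#ifdef __i386__` region the hunks do not show, a short comment saying so would remove the doubt. vesafb_probe starts before the hunk.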
28772 diff -urNp linux-2.6.35.5/drivers/xen/events.c linux-2.6.35.5/drivers/xen/events.c
28773 --- linux-2.6.35.5/drivers/xen/events.c 2010-09-20 17:33:09.000000000 -0400
28774 +++ linux-2.6.35.5/drivers/xen/events.c 2010-09-21 21:22:54.000000000 -0400
28775 @@ -107,7 +107,6 @@ static inline unsigned long *cpu_evtchn_
28776 #define VALID_EVTCHN(chn) ((chn) != 0)
28778 static struct irq_chip xen_dynamic_chip;
28779 -static struct irq_chip xen_percpu_chip;
28781 /* Constructor for packed IRQ information. */
28782 static struct irq_info mk_unbound_info(void)
28783 @@ -364,7 +363,7 @@ int bind_evtchn_to_irq(unsigned int evtc
28784 irq = find_unbound_irq();
28786 set_irq_chip_and_handler_name(irq, &xen_dynamic_chip,
28787 - handle_edge_irq, "event");
28788 + handle_level_irq, "event");
28790 evtchn_to_irq[evtchn] = irq;
28791 irq_info[irq] = mk_evtchn_info(evtchn);
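Review bot: Nothing here says why event channels move from `handle_edge_irq` to `handle_level_irq`. The two following hunks go further and put the "ipi" and "virq" bindings on `xen_dynamic_chip` with `handle_level_irq`, replacing the per-CPU chip and `handle_percpu_irq`. This changes interrupt delivery rather than hardening anything, and it drops the per-CPU flow handler for interrupts that the code binds to a single vCPU (`bind_ipi.vcpu = cpu`). A comment above each `set_irq_chip_and_handler_name` call stating the reason (presumably a regression being worked around) would let a reader judge whether it is still needed on later kernels. bind_evtchn_to_irq begins before the hunk and continues after it.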
28792 @@ -390,8 +389,8 @@ static int bind_ipi_to_irq(unsigned int
28796 - set_irq_chip_and_handler_name(irq, &xen_percpu_chip,
28797 - handle_percpu_irq, "ipi");
28798 + set_irq_chip_and_handler_name(irq, &xen_dynamic_chip,
28799 + handle_level_irq, "ipi");
28801 bind_ipi.vcpu = cpu;
28802 if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_ipi,
28803 @@ -431,8 +430,8 @@ static int bind_virq_to_irq(unsigned int
28805 irq = find_unbound_irq();
28807 - set_irq_chip_and_handler_name(irq, &xen_percpu_chip,
28808 - handle_percpu_irq, "virq");
28809 + set_irq_chip_and_handler_name(irq, &xen_dynamic_chip,
28810 + handle_level_irq, "virq");
28812 evtchn_to_irq[evtchn] = irq;
28813 irq_info[irq] = mk_virq_info(evtchn, virq);
28814 @@ -935,16 +934,6 @@ static struct irq_chip xen_dynamic_chip
28815 .retrigger = retrigger_dynirq,
28818 -static struct irq_chip en_percpu_chip __read_mostly = {
28819 - .name = "xen-percpu",
28821 - .disable = disable_dynirq,
28822 - .mask = disable_dynirq,
28823 - .unmask = enable_dynirq,
28825 - .ack = ack_dynirq,
28828 void __init xen_init_IRQ(void)
28831 diff -urNp linux-2.6.35.5/fs/9p/vfs_inode.c linux-2.6.35.5/fs/9p/vfs_inode.c
28832 --- linux-2.6.35.5/fs/9p/vfs_inode.c 2010-08-26 19:47:12.000000000 -0400
28833 +++ linux-2.6.35.5/fs/9p/vfs_inode.c 2010-09-17 20:12:09.000000000 -0400
28834 @@ -1087,7 +1087,7 @@ static void *v9fs_vfs_follow_link(struct
28836 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
28838 - char *s = nd_get_link(nd);
28839 + const char *s = nd_get_link(nd);
28841 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
28842 IS_ERR(s) ? "<error>" : s);
28843 diff -urNp linux-2.6.35.5/fs/aio.c linux-2.6.35.5/fs/aio.c
28844 --- linux-2.6.35.5/fs/aio.c 2010-08-26 19:47:12.000000000 -0400
28845 +++ linux-2.6.35.5/fs/aio.c 2010-09-20 17:24:27.000000000 -0400
28846 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
28847 size += sizeof(struct io_event) * nr_events;
28848 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
28850 - if (nr_pages < 0)
28851 + if (nr_pages <= 0)
28854 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
28855 @@ -1659,6 +1659,9 @@ long do_io_submit(aio_context_t ctx_id,
28856 if (unlikely(nr < 0))
28859 + if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
28860 + nr = LONG_MAX/sizeof(*iocbpp);
28862 if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
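Review bot: The clamp on `nr` exists so that `nr*sizeof(*iocbpp)` in the `access_ok` call below cannot wrap, but nothing says so, and a later reader may take it for an arbitrary limit. A one-line comment would do, e.g. `/* keep nr * sizeof(*iocbpp) from overflowing in access_ok() */`. An oversized `nr` is silently reduced rather than rejected, so the caller presumably learns of it only through the returned count; if that is intended, it belongs in the same comment. do_io_submit starts before the hunk and continues after it.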
28865 diff -urNp linux-2.6.35.5/fs/attr.c linux-2.6.35.5/fs/attr.c
28866 --- linux-2.6.35.5/fs/attr.c 2010-08-26 19:47:12.000000000 -0400
28867 +++ linux-2.6.35.5/fs/attr.c 2010-09-17 20:12:37.000000000 -0400
28868 @@ -82,6 +82,7 @@ int inode_newsize_ok(const struct inode
28869 unsigned long limit;
28871 limit = rlimit(RLIMIT_FSIZE);
28872 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
28873 if (limit != RLIM_INFINITY && offset > limit)
28875 if (offset > inode->i_sb->s_maxbytes)
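Review bot: The `(unsigned long)offset` cast passed to `gr_learn_resource` narrows the value on 32-bit builds if `offset` is a 64-bit file offset, as the `s_maxbytes` comparison below suggests; its declaration is outside the hunk. The learned RLIMIT_FSIZE figure could then be only the low 32 bits of the requested size. The call also sits before the `limit` check, so it records requests that are subsequently refused. The final argument `1` is a bare literal whose meaning is not visible here; a named constant or a trailing comment would make the call readable. inode_newsize_ok starts before the hunk and continues after it.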
28876 diff -urNp linux-2.6.35.5/fs/autofs/root.c linux-2.6.35.5/fs/autofs/root.c
28877 --- linux-2.6.35.5/fs/autofs/root.c 2010-08-26 19:47:12.000000000 -0400
28878 +++ linux-2.6.35.5/fs/autofs/root.c 2010-09-17 20:12:09.000000000 -0400
28879 @@ -301,7 +301,8 @@ static int autofs_root_symlink(struct in
28880 set_bit(n,sbi->symlink_bitmap);
28881 sl = &sbi->symlink[n];
28882 sl->len = strlen(symname);
28883 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
28884 + slsize = sl->len+1;
28885 + sl->data = kmalloc(slsize, GFP_KERNEL);
28887 clear_bit(n,sbi->symlink_bitmap);
28889 diff -urNp linux-2.6.35.5/fs/autofs4/symlink.c linux-2.6.35.5/fs/autofs4/symlink.c
28890 --- linux-2.6.35.5/fs/autofs4/symlink.c 2010-08-26 19:47:12.000000000 -0400
28891 +++ linux-2.6.35.5/fs/autofs4/symlink.c 2010-09-17 20:12:09.000000000 -0400
28893 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
28895 struct autofs_info *ino = autofs4_dentry_ino(dentry);
28896 - nd_set_link(nd, (char *)ino->u.symlink);
28897 + nd_set_link(nd, ino->u.symlink);
28901 diff -urNp linux-2.6.35.5/fs/befs/linuxvfs.c linux-2.6.35.5/fs/befs/linuxvfs.c
28902 --- linux-2.6.35.5/fs/befs/linuxvfs.c 2010-08-26 19:47:12.000000000 -0400
28903 +++ linux-2.6.35.5/fs/befs/linuxvfs.c 2010-09-17 20:12:09.000000000 -0400
28904 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
28906 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
28907 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
28908 - char *link = nd_get_link(nd);
28909 + const char *link = nd_get_link(nd);
28913 diff -urNp linux-2.6.35.5/fs/binfmt_aout.c linux-2.6.35.5/fs/binfmt_aout.c
28914 --- linux-2.6.35.5/fs/binfmt_aout.c 2010-08-26 19:47:12.000000000 -0400
28915 +++ linux-2.6.35.5/fs/binfmt_aout.c 2010-09-23 20:16:12.000000000 -0400
28917 #include <linux/string.h>
28918 #include <linux/fs.h>
28919 #include <linux/file.h>
28920 +#include <linux/security.h>
28921 #include <linux/stat.h>
28922 #include <linux/fcntl.h>
28923 #include <linux/ptrace.h>
28924 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
28926 # define START_STACK(u) ((void __user *)u.start_stack)
28928 + memset(&dump, 0, sizeof(dump));
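Review bot: The new `memset(&dump, 0, sizeof(dump));` in aout_core_dump carries no comment although its purpose is security-relevant. `dump` is presumably the header that ends up in the core file, so any field or padding byte the function does not fill would otherwise carry stale kernel memory to disk. I would add `/* dump is written out as-is: clear it so unset fields and padding never leak kernel data */` above the call. The declaration of `dump` and the code that writes it are outside the hunk.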
28933 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
28935 /* If the size of the dump file exceeds the rlimit, then see what would happen
28936 if we wrote the stack, but not the data area. */
28937 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
28938 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
28941 /* Make sure we have enough room to write the stack and data areas. */
28942 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
28943 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
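Review bot: Both added gr_learn_resource() calls repeat the size expression of the `if` that follows them, so the learned value and the enforced value can drift apart the next time only one of the two is edited. Computing it once, e.g. `unsigned long need = (dump.u_dsize + dump.u_ssize + 1) * PAGE_SIZE;`, and using `need` in both the hook and the comparison removes that risk; the same applies to the stack-only case. The multiplication by PAGE_SIZE is unchecked in both copies, and the field types are not visible here, so it should be confirmed that the product cannot wrap before it is compared with `cprm->limit`.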
28946 @@ -134,10 +139,7 @@ static int aout_core_dump(struct coredum
28947 if (!dump_write(file, dump_start, dump_size))
28950 -/* Finally dump the task struct. Not be used by gdb, but could be useful */
28951 - set_fs(KERNEL_DS);
28952 - if (!dump_write(file, current, sizeof(*current)))
28953 - goto end_coredump;
28954 +/* Finally let's not dump the task struct. Not be used by gdb, but could be useful to an attacker */
28958 @@ -238,6 +240,8 @@ static int load_aout_binary(struct linux
28959 rlim = rlimit(RLIMIT_DATA);
28960 if (rlim >= RLIM_INFINITY)
28963 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
28964 if (ex.a_data + ex.a_bss > rlim)
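Review bot: `ex.a_data + ex.a_bss` in the new gr_learn_resource() call is built from two size fields of the executable's own header, and if they are 32-bit unsigned (their declaration is not in the hunk) the sum can wrap. Both the learned value and the `> rlim` test on the next line would then see a small number for an oversized image. The commit reuses the expression without guarding it. Rejecting the image when `ex.a_data > rlim || ex.a_bss > rlim - ex.a_data` avoids the addition altogether and fixes both lines.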
28967 @@ -266,6 +270,27 @@ static int load_aout_binary(struct linux
28968 install_exec_creds(bprm);
28969 current->flags &= ~PF_FORKNOEXEC;
28971 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
28972 + current->mm->pax_flags = 0UL;
28975 +#ifdef CONFIG_PAX_PAGEEXEC
28976 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
28977 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
28979 +#ifdef CONFIG_PAX_EMUTRAMP
28980 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
28981 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
28984 +#ifdef CONFIG_PAX_MPROTECT
28985 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
28986 + current->mm->pax_flags |= MF_PAX_MPROTECT;
28992 if (N_MAGIC(ex) == OMAGIC) {
28993 unsigned long text_addr, map_size;
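Review bot: The flag tests added to load_aout_binary use opposite polarities without saying so. MF_PAX_PAGEEXEC and MF_PAX_MPROTECT are enabled when the header bit is clear (`!(N_FLAGS(ex) & F_PAX_...)`), while MF_PAX_EMUTRAMP is enabled when its bit is set. A comment above the block, such as `/* header bits opt OUT of PAGEEXEC/MPROTECT and opt IN to EMUTRAMP; they are the file's own request */`, would keep a later edit from "normalising" one of them. Several preprocessor and brace lines of this block are missing from the page, so the nesting of the EMUTRAMP test inside the PAGEEXEC branch is inferred from the open brace on the `F_PAX_PAGEEXEC` line.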
28995 @@ -338,7 +363,7 @@ static int load_aout_binary(struct linux
28997 down_write(¤t->mm->mmap_sem);
28998 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
28999 - PROT_READ | PROT_WRITE | PROT_EXEC,
29000 + PROT_READ | PROT_WRITE,
29001 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
29002 fd_offset + ex.a_text);
29003 up_write(¤t->mm->mmap_sem);
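Review bot: Dropping `PROT_EXEC` from the data mapping is the one change in this file that is not placed under a `CONFIG_PAX_*` guard, so it alters behaviour for every configuration of the patched kernel. If that is deliberate, a comment on the `PROT_READ | PROT_WRITE,` line should say so, for example `/* data is never mapped executable, regardless of PaX configuration */`. `MAP_EXECUTABLE` is still passed on the next line, which reads oddly beside a non-executable protection and deserves a word in the same comment. The other mappings made by load_aout_binary are outside the hunk, so it is not visible whether they were treated the same way.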
29004 diff -urNp linux-2.6.35.5/fs/binfmt_elf.c linux-2.6.35.5/fs/binfmt_elf.c
29005 --- linux-2.6.35.5/fs/binfmt_elf.c 2010-08-26 19:47:12.000000000 -0400
29006 +++ linux-2.6.35.5/fs/binfmt_elf.c 2010-09-17 20:12:37.000000000 -0400
29007 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
29008 #define elf_core_dump NULL
29011 +#ifdef CONFIG_PAX_MPROTECT
29012 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
29015 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
29016 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
29018 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
29019 .load_binary = load_elf_binary,
29020 .load_shlib = load_elf_library,
29021 .core_dump = elf_core_dump,
29023 +#ifdef CONFIG_PAX_MPROTECT
29024 + .handle_mprotect= elf_handle_mprotect,
29027 .min_coredump = ELF_EXEC_PAGESIZE,
29030 @@ -78,6 +87,8 @@ static struct linux_binfmt elf_format =
29032 static int set_brk(unsigned long start, unsigned long end)
29034 + unsigned long e = end;
29036 start = ELF_PAGEALIGN(start);
29037 end = ELF_PAGEALIGN(end);
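Review bot: The new local `e` in set_brk saves the caller's unaligned `end` so that the following hunk (-88,7) can store it in `start_brk`/`brk` instead of the page-aligned value, but the one-letter name and the lack of a comment hide that intent. I would write `unsigned long unaligned_end = end; /* brk starts at the exact end of bss, not at the page boundary */` and use that name in the assignment in the next hunk. The rest of set_brk lies between the two hunks and is not shown.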
29039 @@ -88,7 +99,7 @@ static int set_brk(unsigned long start,
29040 if (BAD_ADDR(addr))
29043 - current->mm->start_brk = current->mm->brk = end;
29044 + current->mm->start_brk = current->mm->brk = e;
29048 @@ -149,7 +160,7 @@ create_elf_tables(struct linux_binprm *b
29049 elf_addr_t __user *u_rand_bytes;
29050 const char *k_platform = ELF_PLATFORM;
29051 const char *k_base_platform = ELF_BASE_PLATFORM;
29052 - unsigned char k_rand_bytes[16];
29053 + u32 k_rand_bytes[4];
29055 elf_addr_t *elf_info;
29057 @@ -196,8 +207,12 @@ create_elf_tables(struct linux_binprm *b
29058 * Generate 16 random bytes for userspace PRNG seeding.
29060 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
29061 - u_rand_bytes = (elf_addr_t __user *)
29062 - STACK_ALLOC(p, sizeof(k_rand_bytes));
29063 + srandom32(k_rand_bytes[0] ^ random32());
29064 + srandom32(k_rand_bytes[1] ^ random32());
29065 + srandom32(k_rand_bytes[2] ^ random32());
29066 + srandom32(k_rand_bytes[3] ^ random32());
29067 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
29068 + u_rand_bytes = (elf_addr_t __user *) p;
29069 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
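Review bot: Replacing STACK_ALLOC() with `p = STACK_ROUND(p, sizeof(k_rand_bytes)); u_rand_bytes = (elf_addr_t __user *) p;` relies on STACK_ROUND both reserving the 16 bytes and leaving `p` at their start, which is only evident for a downward-growing stack. Neither macro is defined in this hunk, so for a stack-grows-up configuration it should be confirmed that the __copy_to_user() on the last line does not write into space that a later allocation reuses. The four `srandom32(k_rand_bytes[n] ^ random32());` lines also need a comment: they mix the bytes about to be handed to user space into the kernel's non-cryptographic PRNG state, and a reader cannot tell from the code what that is meant to achieve. create_elf_tables continues outside the hunk.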
29072 @@ -386,10 +401,10 @@ static unsigned long load_elf_interp(str
29074 struct elf_phdr *elf_phdata;
29075 struct elf_phdr *eppnt;
29076 - unsigned long load_addr = 0;
29077 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
29078 int load_addr_set = 0;
29079 unsigned long last_bss = 0, elf_bss = 0;
29080 - unsigned long error = ~0UL;
29081 + unsigned long error = -EINVAL;
29082 unsigned long total_size;
29083 int retval, i, size;
29085 @@ -435,6 +450,11 @@ static unsigned long load_elf_interp(str
29089 +#ifdef CONFIG_PAX_SEGMEXEC
29090 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
29091 + pax_task_size = SEGMEXEC_TASK_SIZE;
29094 eppnt = elf_phdata;
29095 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
29096 if (eppnt->p_type == PT_LOAD) {
29097 @@ -478,8 +498,8 @@ static unsigned long load_elf_interp(str
29098 k = load_addr + eppnt->p_vaddr;
29100 eppnt->p_filesz > eppnt->p_memsz ||
29101 - eppnt->p_memsz > TASK_SIZE ||
29102 - TASK_SIZE - eppnt->p_memsz < k) {
29103 + eppnt->p_memsz > pax_task_size ||
29104 + pax_task_size - eppnt->p_memsz < k) {
29108 @@ -533,6 +553,177 @@ out:
29112 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
29113 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
29115 + unsigned long pax_flags = 0UL;
29117 +#ifdef CONFIG_PAX_PAGEEXEC
29118 + if (elf_phdata->p_flags & PF_PAGEEXEC)
29119 + pax_flags |= MF_PAX_PAGEEXEC;
29122 +#ifdef CONFIG_PAX_SEGMEXEC
29123 + if (elf_phdata->p_flags & PF_SEGMEXEC)
29124 + pax_flags |= MF_PAX_SEGMEXEC;
29127 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29128 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29129 + if ((__supported_pte_mask & _PAGE_NX))
29130 + pax_flags &= ~MF_PAX_SEGMEXEC;
29132 + pax_flags &= ~MF_PAX_PAGEEXEC;
29136 +#ifdef CONFIG_PAX_EMUTRAMP
29137 + if (elf_phdata->p_flags & PF_EMUTRAMP)
29138 + pax_flags |= MF_PAX_EMUTRAMP;
29141 +#ifdef CONFIG_PAX_MPROTECT
29142 + if (elf_phdata->p_flags & PF_MPROTECT)
29143 + pax_flags |= MF_PAX_MPROTECT;
29146 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29147 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
29148 + pax_flags |= MF_PAX_RANDMMAP;
29151 + return pax_flags;
29155 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29156 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
29158 + unsigned long pax_flags = 0UL;
29160 +#ifdef CONFIG_PAX_PAGEEXEC
29161 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
29162 + pax_flags |= MF_PAX_PAGEEXEC;
29165 +#ifdef CONFIG_PAX_SEGMEXEC
29166 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
29167 + pax_flags |= MF_PAX_SEGMEXEC;
29170 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29171 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29172 + if ((__supported_pte_mask & _PAGE_NX))
29173 + pax_flags &= ~MF_PAX_SEGMEXEC;
29175 + pax_flags &= ~MF_PAX_PAGEEXEC;
29179 +#ifdef CONFIG_PAX_EMUTRAMP
29180 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
29181 + pax_flags |= MF_PAX_EMUTRAMP;
29184 +#ifdef CONFIG_PAX_MPROTECT
29185 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
29186 + pax_flags |= MF_PAX_MPROTECT;
29189 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29190 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
29191 + pax_flags |= MF_PAX_RANDMMAP;
29194 + return pax_flags;
29198 +#ifdef CONFIG_PAX_EI_PAX
29199 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
29201 + unsigned long pax_flags = 0UL;
29203 +#ifdef CONFIG_PAX_PAGEEXEC
29204 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
29205 + pax_flags |= MF_PAX_PAGEEXEC;
29208 +#ifdef CONFIG_PAX_SEGMEXEC
29209 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
29210 + pax_flags |= MF_PAX_SEGMEXEC;
29213 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29214 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29215 + if ((__supported_pte_mask & _PAGE_NX))
29216 + pax_flags &= ~MF_PAX_SEGMEXEC;
29218 + pax_flags &= ~MF_PAX_PAGEEXEC;
29222 +#ifdef CONFIG_PAX_EMUTRAMP
29223 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
29224 + pax_flags |= MF_PAX_EMUTRAMP;
29227 +#ifdef CONFIG_PAX_MPROTECT
29228 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
29229 + pax_flags |= MF_PAX_MPROTECT;
29232 +#ifdef CONFIG_PAX_ASLR
29233 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
29234 + pax_flags |= MF_PAX_RANDMMAP;
29237 + return pax_flags;
29241 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29242 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
29244 + unsigned long pax_flags = 0UL;
29246 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29250 +#ifdef CONFIG_PAX_EI_PAX
29251 + pax_flags = pax_parse_ei_pax(elf_ex);
29254 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29255 + for (i = 0UL; i < elf_ex->e_phnum; i++)
29256 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
29257 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
29258 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
29259 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
29260 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
29261 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
29264 +#ifdef CONFIG_PAX_SOFTMODE
29265 + if (pax_softmode)
29266 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
29270 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
29275 + if (0 > pax_check_flags(&pax_flags))
29278 + current->mm->pax_flags = pax_flags;
29284 * These are the functions used to load ELF style executables and shared
29285 * libraries. There is no binary dependent code anywhere else.
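Review bot: The PAGEEXEC/SEGMEXEC conflict resolution is copied verbatim into pax_parse_softmode, pax_parse_hardmode and pax_parse_ei_pax, so a change to the tie-break has to be made three times and a missed copy would leave one marking format enforced differently. A single helper called from all three removes that risk; the fence below assumes the line missing from the page between the two `pax_flags &= ~...` statements is an `else`. The RANDMMAP guards also differ: the two PT_PAX parsers use `CONFIG_PAX_RANDMMAP || CONFIG_PAX_RANDUSTACK` while pax_parse_ei_pax uses `CONFIG_PAX_ASLR`, which should be aligned or explained in a comment. pax_parse_elf_flags returns `long` while carrying an `unsigned long` flag word, so its error convention should be documented on the function.

```c
/* PAGEEXEC and SEGMEXEC cannot both be active: keep PAGEEXEC when the
 * NX bit is in __supported_pte_mask, otherwise fall back to SEGMEXEC. */
static unsigned long pax_resolve_noexec(unsigned long pax_flags)
{
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
	const unsigned long both = MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC;

	if ((pax_flags & both) == both) {
		if (__supported_pte_mask & _PAGE_NX)
			pax_flags &= ~MF_PAX_SEGMEXEC;
		else
			pax_flags &= ~MF_PAX_PAGEEXEC;
	}
#endif
	return pax_flags;
}

static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
{
	/* ... unchanged: PAGEEXEC and SEGMEXEC flag tests ... */
	pax_flags = pax_resolve_noexec(pax_flags);
	/* ... unchanged: EMUTRAMP, MPROTECT, RANDMMAP tests and return ... */
```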
29286 @@ -549,6 +740,11 @@ static unsigned long randomize_stack_top
29288 unsigned int random_variable = 0;
29290 +#ifdef CONFIG_PAX_RANDUSTACK
29291 + if (randomize_va_space)
29292 + return stack_top - current->mm->delta_stack;
29295 if ((current->flags & PF_RANDOMIZE) &&
29296 !(current->personality & ADDR_NO_RANDOMIZE)) {
29297 random_variable = get_random_int() & STACK_RND_MASK;
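Review bot: The early `return stack_top - current->mm->delta_stack;` in randomize_stack_top bypasses the PF_RANDOMIZE / ADDR_NO_RANDOMIZE test in the context lines below it. Under CONFIG_PAX_RANDUSTACK the personality flag therefore no longer has any say, and a task whose `delta_stack` is zero gets an unrandomized stack top even where the stock path would have randomized it. If that precedence is intended, it needs a comment such as `/* PaX: delta_stack replaces the stock stack randomization; PF_RANDOMIZE and personality are not consulted */`. The remainder of the function, including any alignment it applies to `stack_top`, is outside the hunk, so it should be checked that the early return yields the same alignment as the stock path.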
29298 @@ -567,7 +763,7 @@ static int load_elf_binary(struct linux_
29299 unsigned long load_addr = 0, load_bias = 0;
29300 int load_addr_set = 0;
29301 char * elf_interpreter = NULL;
29302 - unsigned long error;
29303 + unsigned long error = 0;
29304 struct elf_phdr *elf_ppnt, *elf_phdata;
29305 unsigned long elf_bss, elf_brk;
29307 @@ -577,11 +773,11 @@ static int load_elf_binary(struct linux_
29308 unsigned long start_code, end_code, start_data, end_data;
29309 unsigned long reloc_func_desc = 0;
29310 int executable_stack = EXSTACK_DEFAULT;
29311 - unsigned long def_flags = 0;
29313 struct elfhdr elf_ex;
29314 struct elfhdr interp_elf_ex;
29316 + unsigned long pax_task_size = TASK_SIZE;
29318 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
29320 @@ -719,11 +915,80 @@ static int load_elf_binary(struct linux_
29322 /* OK, This is the point of no return */
29323 current->flags &= ~PF_FORKNOEXEC;
29324 - current->mm->def_flags = def_flags;
29326 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29327 + current->mm->pax_flags = 0UL;
29330 +#ifdef CONFIG_PAX_DLRESOLVE
29331 + current->mm->call_dl_resolve = 0UL;
29334 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29335 + current->mm->call_syscall = 0UL;
29338 +#ifdef CONFIG_PAX_ASLR
29339 + current->mm->delta_mmap = 0UL;
29340 + current->mm->delta_stack = 0UL;
29343 + current->mm->def_flags = 0;
29345 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29346 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
29347 + send_sig(SIGKILL, current, 0);
29348 + goto out_free_dentry;
29352 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29353 + pax_set_initial_flags(bprm);
29354 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29355 + if (pax_set_initial_flags_func)
29356 + (pax_set_initial_flags_func)(bprm);
29359 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
29360 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
29361 + current->mm->context.user_cs_limit = PAGE_SIZE;
29362 + current->mm->def_flags |= VM_PAGEEXEC;
29366 +#ifdef CONFIG_PAX_SEGMEXEC
29367 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
29368 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
29369 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
29370 + pax_task_size = SEGMEXEC_TASK_SIZE;
29374 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
29375 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29376 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
29381 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
29382 may depend on the personality. */
29383 SET_PERSONALITY(loc->elf_ex);
29385 +#ifdef CONFIG_PAX_ASLR
29386 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
29387 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
29388 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
29392 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29393 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29394 + executable_stack = EXSTACK_DISABLE_X;
29395 + current->personality &= ~READ_IMPLIES_EXEC;
29399 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
29400 current->personality |= READ_IMPLIES_EXEC;
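Review bot: The failure branch after `pax_parse_elf_flags(&loc->elf_ex, elf_phdata)` sends SIGKILL and jumps to out_free_dentry without assigning `retval` in the lines shown. The padzero failure branch that this patch removes further down did set one (`retval = -EFAULT;`) before the same goto. Unless `retval` already holds an error at this point, load_elf_binary would return success for an image whose markings were rejected; adding `retval = -EINVAL;` before the goto makes the outcome explicit. Some lines of this hunk are missing from the page, so this should be confirmed against the full patch.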
29402 @@ -805,6 +1070,20 @@ static int load_elf_binary(struct linux_
29404 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
29407 +#ifdef CONFIG_PAX_RANDMMAP
29408 + /* PaX: randomize base address at the default exe base if requested */
29409 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
29410 +#ifdef CONFIG_SPARC64
29411 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
29413 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
29415 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
29416 + elf_flags |= MAP_FIXED;
29422 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
29423 @@ -837,9 +1116,9 @@ static int load_elf_binary(struct linux_
29424 * allowed task size. Note that p_filesz must always be
29425 * <= p_memsz so it is only necessary to check p_memsz.
29427 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29428 - elf_ppnt->p_memsz > TASK_SIZE ||
29429 - TASK_SIZE - elf_ppnt->p_memsz < k) {
29430 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29431 + elf_ppnt->p_memsz > pax_task_size ||
29432 + pax_task_size - elf_ppnt->p_memsz < k) {
29433 /* set_brk can never work. Avoid overflows. */
29434 send_sig(SIGKILL, current, 0);
29436 @@ -867,6 +1146,11 @@ static int load_elf_binary(struct linux_
29437 start_data += load_bias;
29438 end_data += load_bias;
29440 +#ifdef CONFIG_PAX_RANDMMAP
29441 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29442 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
29445 /* Calling set_brk effectively mmaps the pages that we need
29446 * for the bss and break sections. We must do this before
29447 * mapping in the interpreter, to make sure it doesn't wind
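Review bot: `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);` packs three decisions into one uncommented expression: a fixed one-page gap, a random value limited to the in-page offset bits, and a scale factor of 16. The result is a gap of one page plus a multiple of 16 bytes below 16 pages, which bounds the randomness this adds to the heap start. A comment should state that, e.g. `/* PaX: gap of one page plus a random multiple of 16 bytes below 16 * PAGE_SIZE */`. load_elf_binary continues outside the hunk.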
29448 @@ -878,9 +1162,11 @@ static int load_elf_binary(struct linux_
29449 goto out_free_dentry;
29451 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
29452 - send_sig(SIGSEGV, current, 0);
29453 - retval = -EFAULT; /* Nobody gets to see this, but.. */
29454 - goto out_free_dentry;
29456 + * This bss-zeroing can fail if the ELF
29457 + * file specifies odd protections. So
29458 + * we don't check the return value
29462 if (elf_interpreter) {
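Review bot: After this change the `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` statement has a body that holds only a comment, so the condition is evaluated purely for its side effect and the likely()/unlikely() hints no longer steer anything. Writing it as `if (elf_bss != elf_brk) (void)padzero(elf_bss);` with the comment placed above makes the deliberate discard visible. The comment should also say what a failed padzero leaves behind, presumably an uncleared tail of the last bss page, so a reader can judge whether that is acceptable for the "odd protections" case.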
29463 @@ -1091,7 +1377,7 @@ out:
29464 * Decide what to dump of a segment, part, all or none.
29466 static unsigned long vma_dump_size(struct vm_area_struct *vma,
29467 - unsigned long mm_flags)
29468 + unsigned long mm_flags, long signr)
29470 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
29472 @@ -1125,7 +1411,7 @@ static unsigned long vma_dump_size(struc
29473 if (vma->vm_file == NULL)
29476 - if (FILTER(MAPPED_PRIVATE))
29477 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
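Review bot: The new `signr == SIGKILL ||` term makes vma_dump_size include file-backed private mappings regardless of the MAPPED_PRIVATE filter bit, and nothing in the hunk says why SIGKILL is special here. Because this widens what is written to a core file beyond what the task's dump filter asked for, the reason belongs in a comment next to the test. The `signr` parameter added in the previous hunk should also be described in the function's header comment. `signr` is declared `long`; if `cprm->signr`, which the later hunks pass in, has a different type, matching it avoids an implicit conversion.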
29481 @@ -1347,9 +1633,9 @@ static void fill_auxv_note(struct memelf
29483 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
29488 - while (auxv[i - 2] != AT_NULL);
29489 + } while (auxv[i - 2] != AT_NULL);
29490 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
29493 @@ -1855,14 +2141,14 @@ static void fill_extnum_info(struct elfh
29496 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
29497 - unsigned long mm_flags)
29498 + struct coredump_params *cprm)
29500 struct vm_area_struct *vma;
29503 for (vma = first_vma(current, gate_vma); vma != NULL;
29504 vma = next_vma(vma, gate_vma))
29505 - size += vma_dump_size(vma, mm_flags);
29506 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29510 @@ -1956,7 +2242,7 @@ static int elf_core_dump(struct coredump
29512 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
29514 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
29515 + offset += elf_core_vma_data_size(gate_vma, cprm);
29516 offset += elf_core_extra_data_size();
29519 @@ -1970,10 +2256,12 @@ static int elf_core_dump(struct coredump
29522 size += sizeof(*elf);
29523 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29524 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
29527 size += sizeof(*phdr4note);
29528 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29529 if (size > cprm->limit
29530 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
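Review bot: `gr_learn_resource(current, RLIMIT_CORE, size, 1);` is pasted in front of every `size > cprm->limit` test in elf_core_dump (twice here, and again in the hunks at -1998, -2031 and -2048), so each future size check has to remember its own copy. A small static helper that calls the hook and returns `size > cprm->limit` would keep learning and enforcement in one place. In the -2031 hunk the call sits inside the per-page loop between kmap() and the write, so the hook's cost is paid once per dumped page; if it only needs the peak value, one call with the final size would do. The meaning of the trailing `1` argument is not visible on this page and should be named or commented.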
29532 @@ -1987,7 +2275,7 @@ static int elf_core_dump(struct coredump
29533 phdr.p_offset = offset;
29534 phdr.p_vaddr = vma->vm_start;
29536 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
29537 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29538 phdr.p_memsz = vma->vm_end - vma->vm_start;
29539 offset += phdr.p_filesz;
29540 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
29541 @@ -1998,6 +2286,7 @@ static int elf_core_dump(struct coredump
29542 phdr.p_align = ELF_EXEC_PAGESIZE;
29544 size += sizeof(phdr);
29545 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29546 if (size > cprm->limit
29547 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
29549 @@ -2022,7 +2311,7 @@ static int elf_core_dump(struct coredump
29550 unsigned long addr;
29553 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
29554 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29556 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
29558 @@ -2031,6 +2320,7 @@ static int elf_core_dump(struct coredump
29559 page = get_dump_page(addr);
29561 void *kaddr = kmap(page);
29562 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
29563 stop = ((size += PAGE_SIZE) > cprm->limit) ||
29564 !dump_write(cprm->file, kaddr,
29566 @@ -2048,6 +2338,7 @@ static int elf_core_dump(struct coredump
29568 if (e_phnum == PN_XNUM) {
29569 size += sizeof(*shdr4extnum);
29570 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29571 if (size > cprm->limit
29572 || !dump_write(cprm->file, shdr4extnum,
29573 sizeof(*shdr4extnum)))
29574 @@ -2068,6 +2359,97 @@ out:
29576 #endif /* CONFIG_ELF_CORE */
29578 +#ifdef CONFIG_PAX_MPROTECT
29579 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
29580 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
29581 + * we'll remove VM_MAYWRITE for good on RELRO segments.
29583 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
29584 + * basis because we want to allow the common case and not the special ones.
29586 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
29588 + struct elfhdr elf_h;
29589 + struct elf_phdr elf_p;
29591 + unsigned long oldflags;
29592 + bool is_textrel_rw, is_textrel_rx, is_relro;
29594 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
29597 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
29598 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
29600 +#ifdef CONFIG_PAX_ELFRELOCS
29601 + /* possible TEXTREL */
29602 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
29603 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
29605 + is_textrel_rw = false;
29606 + is_textrel_rx = false;
29609 + /* possible RELRO */
29610 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
29612 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
29615 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
29616 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
29618 +#ifdef CONFIG_PAX_ETEXECRELOCS
29619 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29621 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
29624 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29625 + !elf_check_arch(&elf_h) ||
29626 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
29627 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
29630 + for (i = 0UL; i < elf_h.e_phnum; i++) {
29631 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
29633 + switch (elf_p.p_type) {
29635 + if (!is_textrel_rw && !is_textrel_rx)
29638 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
29641 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
29643 + if (dyn.d_tag == DT_NULL)
29645 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
29646 + gr_log_textrel(vma);
29647 + if (is_textrel_rw)
29648 + vma->vm_flags |= VM_MAYWRITE;
29650 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
29651 + vma->vm_flags &= ~VM_MAYWRITE;
29658 + case PT_GNU_RELRO:
29661 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
29662 + vma->vm_flags &= ~VM_MAYWRITE;
29669 static int __init init_elf_binfmt(void)
29671 return register_binfmt(&elf_format);
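Review bot: elf_handle_mprotect bounds `e_phnum` (`> 65536UL / sizeof(struct elf_phdr)`) but the PT_DYNAMIC walk is limited only by `elf_p.p_filesz`, a value read from the mapped file. A dynamic segment with a very large size and no terminating entry would therefore make a qualifying mprotect call perform an unbounded number of kernel_read() calls. A cap in the same spirit as the e_phnum one, e.g. `if (elf_p.p_filesz > 65536UL) return;` before the loop, bounds the work. The inner `while` also indexes with `i`, the outer `for` loop's counter; a separate index would make it clear that the outer loop is not resumed after the dynamic walk. Declarations, `case` labels and return statements of this function are missing from the page, so both points should be checked against the full patch.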
29672 diff -urNp linux-2.6.35.5/fs/binfmt_flat.c linux-2.6.35.5/fs/binfmt_flat.c
29673 --- linux-2.6.35.5/fs/binfmt_flat.c 2010-08-26 19:47:12.000000000 -0400
29674 +++ linux-2.6.35.5/fs/binfmt_flat.c 2010-09-17 20:12:09.000000000 -0400
29675 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
29676 realdatastart = (unsigned long) -ENOMEM;
29677 printk("Unable to allocate RAM for process data, errno %d\n",
29678 (int)-realdatastart);
29679 + down_write(¤t->mm->mmap_sem);
29680 do_munmap(current->mm, textpos, text_len);
29681 + up_write(¤t->mm->mmap_sem);
29682 ret = realdatastart;
29685 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
29687 if (IS_ERR_VALUE(result)) {
29688 printk("Unable to read data+bss, errno %d\n", (int)-result);
29689 + down_write(¤t->mm->mmap_sem);
29690 do_munmap(current->mm, textpos, text_len);
29691 do_munmap(current->mm, realdatastart, len);
29692 + up_write(¤t->mm->mmap_sem);
29696 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
29698 if (IS_ERR_VALUE(result)) {
29699 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
29700 + down_write(¤t->mm->mmap_sem);
29701 do_munmap(current->mm, textpos, text_len + data_len + extra +
29702 MAX_SHARED_LIBS * sizeof(unsigned long));
29703 + up_write(¤t->mm->mmap_sem);
29707 diff -urNp linux-2.6.35.5/fs/binfmt_misc.c linux-2.6.35.5/fs/binfmt_misc.c
29708 --- linux-2.6.35.5/fs/binfmt_misc.c 2010-09-20 17:33:09.000000000 -0400
29709 +++ linux-2.6.35.5/fs/binfmt_misc.c 2010-09-20 17:33:32.000000000 -0400
29710 @@ -693,7 +693,7 @@ static int bm_fill_super(struct super_bl
29711 static struct tree_descr bm_files[] = {
29712 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
29713 [3] = {"register", &bm_register_operations, S_IWUSR},
29714 - /* last one */ {""}
29715 + /* last one */ {"", NULL, 0}
29717 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
29719 diff -urNp linux-2.6.35.5/fs/bio.c linux-2.6.35.5/fs/bio.c
29720 --- linux-2.6.35.5/fs/bio.c 2010-08-26 19:47:12.000000000 -0400
29721 +++ linux-2.6.35.5/fs/bio.c 2010-09-17 20:12:09.000000000 -0400
29722 @@ -1213,7 +1213,7 @@ static void bio_copy_kern_endio(struct b
29723 const int read = bio_data_dir(bio) == READ;
29724 struct bio_map_data *bmd = bio->bi_private;
29726 - char *p = bmd->sgvecs[0].iov_base;
29727 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
29729 __bio_for_each_segment(bvec, bio, i, 0) {
29730 char *addr = page_address(bvec->bv_page);
29731 diff -urNp linux-2.6.35.5/fs/block_dev.c linux-2.6.35.5/fs/block_dev.c
29732 --- linux-2.6.35.5/fs/block_dev.c 2010-08-26 19:47:12.000000000 -0400
29733 +++ linux-2.6.35.5/fs/block_dev.c 2010-09-17 20:12:09.000000000 -0400
29734 @@ -647,7 +647,7 @@ static bool bd_may_claim(struct block_de
29735 else if (bdev->bd_contains == bdev)
29736 return true; /* is a whole device which isn't held */
29738 - else if (whole->bd_holder == bd_claim)
29739 + else if (whole->bd_holder == (void *)bd_claim)
29740 return true; /* is a partition of a device that is being partitioned */
29741 else if (whole->bd_holder != NULL)
29742 return false; /* is a partition of a held device */
29743 diff -urNp linux-2.6.35.5/fs/btrfs/ctree.c linux-2.6.35.5/fs/btrfs/ctree.c
29744 --- linux-2.6.35.5/fs/btrfs/ctree.c 2010-08-26 19:47:12.000000000 -0400
29745 +++ linux-2.6.35.5/fs/btrfs/ctree.c 2010-09-17 20:12:09.000000000 -0400
29746 @@ -3763,7 +3763,6 @@ setup_items_for_insert(struct btrfs_tran
29750 - struct btrfs_disk_key disk_key;
29751 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
29752 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
29754 diff -urNp linux-2.6.35.5/fs/btrfs/disk-io.c linux-2.6.35.5/fs/btrfs/disk-io.c
29755 --- linux-2.6.35.5/fs/btrfs/disk-io.c 2010-08-26 19:47:12.000000000 -0400
29756 +++ linux-2.6.35.5/fs/btrfs/disk-io.c 2010-09-17 20:12:09.000000000 -0400
29758 #include "tree-log.h"
29759 #include "free-space-cache.h"
29761 -static struct extent_io_ops btree_extent_io_ops;
29762 +static const struct extent_io_ops btree_extent_io_ops;
29763 static void end_workqueue_fn(struct btrfs_work *work);
29764 static void free_fs_root(struct btrfs_root *root);
29766 @@ -2597,7 +2597,7 @@ out:
29770 -static struct extent_io_ops btree_extent_io_ops = {
29771 +static const struct extent_io_ops btree_extent_io_ops = {
29772 .write_cache_pages_lock_hook = btree_lock_page_hook,
29773 .readpage_end_io_hook = btree_readpage_end_io_hook,
29774 .submit_bio_hook = btree_submit_bio_hook,
29775 diff -urNp linux-2.6.35.5/fs/btrfs/extent_io.h linux-2.6.35.5/fs/btrfs/extent_io.h
29776 --- linux-2.6.35.5/fs/btrfs/extent_io.h 2010-08-26 19:47:12.000000000 -0400
29777 +++ linux-2.6.35.5/fs/btrfs/extent_io.h 2010-09-17 20:12:09.000000000 -0400
29778 @@ -51,36 +51,36 @@ typedef int (extent_submit_bio_hook_t)(s
29779 struct bio *bio, int mirror_num,
29780 unsigned long bio_flags, u64 bio_offset);
29781 struct extent_io_ops {
29782 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
29783 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
29784 u64 start, u64 end, int *page_started,
29785 unsigned long *nr_written);
29786 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
29787 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
29788 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
29789 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
29790 extent_submit_bio_hook_t *submit_bio_hook;
29791 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
29792 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
29793 size_t size, struct bio *bio,
29794 unsigned long bio_flags);
29795 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
29796 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
29797 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
29798 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
29799 u64 start, u64 end,
29800 struct extent_state *state);
29801 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
29802 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
29803 u64 start, u64 end,
29804 struct extent_state *state);
29805 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
29806 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
29807 struct extent_state *state);
29808 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
29809 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
29810 struct extent_state *state, int uptodate);
29811 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
29812 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
29814 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
29815 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
29817 - int (*merge_extent_hook)(struct inode *inode,
29818 + int (* const merge_extent_hook)(struct inode *inode,
29819 struct extent_state *new,
29820 struct extent_state *other);
29821 - int (*split_extent_hook)(struct inode *inode,
29822 + int (* const split_extent_hook)(struct inode *inode,
29823 struct extent_state *orig, u64 split);
29824 - int (*write_cache_pages_lock_hook)(struct page *page);
29825 + int (* const write_cache_pages_lock_hook)(struct page *page);
29828 struct extent_io_tree {
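Review bot: `submit_bio_hook` is the one member of `struct extent_io_ops` that does not receive the `const` qualifier this hunk adds to every other hook, so write protection for that slot depends entirely on each instance being declared `const`. Declaring it as `extent_submit_bio_hook_t * const submit_bio_hook;` would make the table uniform and let the compiler reject any later assignment to that member too. The only instance visible in this patch, `btrfs_extent_io_ops` in fs/btrfs/inode.c, is already made `const`, so this is a consistency fix rather than a behaviour change.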
29829 @@ -90,7 +90,7 @@ struct extent_io_tree {
29832 spinlock_t buffer_lock;
29833 - struct extent_io_ops *ops;
29834 + const struct extent_io_ops *ops;
29837 struct extent_state {
29838 diff -urNp linux-2.6.35.5/fs/btrfs/free-space-cache.c linux-2.6.35.5/fs/btrfs/free-space-cache.c
29839 --- linux-2.6.35.5/fs/btrfs/free-space-cache.c 2010-08-26 19:47:12.000000000 -0400
29840 +++ linux-2.6.35.5/fs/btrfs/free-space-cache.c 2010-09-17 20:12:09.000000000 -0400
29841 @@ -1075,8 +1075,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
29844 if (entry->bytes < bytes || entry->offset < min_start) {
29845 - struct rb_node *node;
29847 node = rb_next(&entry->offset_index);
29850 @@ -1227,7 +1225,7 @@ again:
29852 while (entry->bitmap || found_bitmap ||
29853 (!entry->bitmap && entry->bytes < min_bytes)) {
29854 - struct rb_node *node = rb_next(&entry->offset_index);
29855 + node = rb_next(&entry->offset_index);
29857 if (entry->bitmap && entry->bytes > bytes + empty_size) {
29858 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
29859 diff -urNp linux-2.6.35.5/fs/btrfs/inode.c linux-2.6.35.5/fs/btrfs/inode.c
29860 --- linux-2.6.35.5/fs/btrfs/inode.c 2010-08-26 19:47:12.000000000 -0400
29861 +++ linux-2.6.35.5/fs/btrfs/inode.c 2010-09-17 20:12:09.000000000 -0400
29862 @@ -64,7 +64,7 @@ static const struct inode_operations btr
29863 static const struct address_space_operations btrfs_aops;
29864 static const struct address_space_operations btrfs_symlink_aops;
29865 static const struct file_operations btrfs_dir_file_operations;
29866 -static struct extent_io_ops btrfs_extent_io_ops;
29867 +static const struct extent_io_ops btrfs_extent_io_ops;
29869 static struct kmem_cache *btrfs_inode_cachep;
29870 struct kmem_cache *btrfs_trans_handle_cachep;
29871 @@ -6958,7 +6958,7 @@ static const struct file_operations btrf
29872 .fsync = btrfs_sync_file,
29875 -static struct extent_io_ops btrfs_extent_io_ops = {
29876 +static const struct extent_io_ops btrfs_extent_io_ops = {
29877 .fill_delalloc = run_delalloc_range,
29878 .submit_bio_hook = btrfs_submit_bio_hook,
29879 .merge_bio_hook = btrfs_merge_bio_hook,
29880 diff -urNp linux-2.6.35.5/fs/buffer.c linux-2.6.35.5/fs/buffer.c
29881 --- linux-2.6.35.5/fs/buffer.c 2010-08-26 19:47:12.000000000 -0400
29882 +++ linux-2.6.35.5/fs/buffer.c 2010-09-17 20:12:37.000000000 -0400
29884 #include <linux/percpu.h>
29885 #include <linux/slab.h>
29886 #include <linux/capability.h>
29887 +#include <linux/security.h>
29888 #include <linux/blkdev.h>
29889 #include <linux/file.h>
29890 #include <linux/quotaops.h>
29891 diff -urNp linux-2.6.35.5/fs/cachefiles/bind.c linux-2.6.35.5/fs/cachefiles/bind.c
29892 --- linux-2.6.35.5/fs/cachefiles/bind.c 2010-08-26 19:47:12.000000000 -0400
29893 +++ linux-2.6.35.5/fs/cachefiles/bind.c 2010-09-17 20:12:09.000000000 -0400
29894 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
29897 /* start by checking things over */
29898 - ASSERT(cache->fstop_percent >= 0 &&
29899 - cache->fstop_percent < cache->fcull_percent &&
29900 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
29901 cache->fcull_percent < cache->frun_percent &&
29902 cache->frun_percent < 100);
29904 - ASSERT(cache->bstop_percent >= 0 &&
29905 - cache->bstop_percent < cache->bcull_percent &&
29906 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
29907 cache->bcull_percent < cache->brun_percent &&
29908 cache->brun_percent < 100);
29910 diff -urNp linux-2.6.35.5/fs/cachefiles/daemon.c linux-2.6.35.5/fs/cachefiles/daemon.c
29911 --- linux-2.6.35.5/fs/cachefiles/daemon.c 2010-08-26 19:47:12.000000000 -0400
29912 +++ linux-2.6.35.5/fs/cachefiles/daemon.c 2010-09-17 20:12:09.000000000 -0400
29913 @@ -195,7 +195,7 @@ static ssize_t cachefiles_daemon_read(st
29917 - if (copy_to_user(_buffer, buffer, n) != 0)
29918 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
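Review bot: The new `n > sizeof(buffer)` test is folded into the `copy_to_user()` condition, so a formatted length larger than the local buffer leaves through the same branch as a faulting user copy and the two cases cannot be told apart. A separate guard before the copy, for example `if (n > sizeof(buffer)) return -EMSGSIZE;`, keeps the over-read protection and makes the reason explicit; the error code is only a suggestion, because the branch body and the declaration of `buffer` are outside the hunk. The check also relies on `buffer` being an array in this scope, since `sizeof` applied to a pointer would bound the copy by the pointer size instead. The `packet_length_size > sizeof(packet_length)` test added in fs/ecryptfs/miscdev.c has the same shape and would read better split out the same way.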
29922 @@ -221,7 +221,7 @@ static ssize_t cachefiles_daemon_write(s
29923 if (test_bit(CACHEFILES_DEAD, &cache->flags))
29926 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
29927 + if (datalen > PAGE_SIZE - 1)
29928 return -EOPNOTSUPP;
29930 /* drag the command string into the kernel so we can parse it */
29931 @@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
29932 if (args[0] != '%' || args[1] != '\0')
29935 - if (fstop < 0 || fstop >= cache->fcull_percent)
29936 + if (fstop >= cache->fcull_percent)
29937 return cachefiles_daemon_range_error(cache, args);
29939 cache->fstop_percent = fstop;
29940 @@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
29941 if (args[0] != '%' || args[1] != '\0')
29944 - if (bstop < 0 || bstop >= cache->bcull_percent)
29945 + if (bstop >= cache->bcull_percent)
29946 return cachefiles_daemon_range_error(cache, args);
29948 cache->bstop_percent = bstop;
29949 diff -urNp linux-2.6.35.5/fs/cachefiles/rdwr.c linux-2.6.35.5/fs/cachefiles/rdwr.c
29950 --- linux-2.6.35.5/fs/cachefiles/rdwr.c 2010-08-26 19:47:12.000000000 -0400
29951 +++ linux-2.6.35.5/fs/cachefiles/rdwr.c 2010-09-17 20:12:09.000000000 -0400
29952 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
29955 ret = file->f_op->write(
29956 - file, (const void __user *) data, len, &pos);
29957 + file, (__force const void __user *) data, len, &pos);
29961 diff -urNp linux-2.6.35.5/fs/cifs/cifs_uniupr.h linux-2.6.35.5/fs/cifs/cifs_uniupr.h
29962 --- linux-2.6.35.5/fs/cifs/cifs_uniupr.h 2010-08-26 19:47:12.000000000 -0400
29963 +++ linux-2.6.35.5/fs/cifs/cifs_uniupr.h 2010-09-17 20:12:09.000000000 -0400
29964 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
29965 {0x0490, 0x04cc, UniCaseRangeU0490},
29966 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
29967 {0xff40, 0xff5a, UniCaseRangeUff40},
29973 diff -urNp linux-2.6.35.5/fs/cifs/link.c linux-2.6.35.5/fs/cifs/link.c
29974 --- linux-2.6.35.5/fs/cifs/link.c 2010-08-26 19:47:12.000000000 -0400
29975 +++ linux-2.6.35.5/fs/cifs/link.c 2010-09-17 20:12:09.000000000 -0400
29976 @@ -216,7 +216,7 @@ cifs_symlink(struct inode *inode, struct
29978 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
29980 - char *p = nd_get_link(nd);
29981 + const char *p = nd_get_link(nd);
29985 diff -urNp linux-2.6.35.5/fs/compat_binfmt_elf.c linux-2.6.35.5/fs/compat_binfmt_elf.c
29986 --- linux-2.6.35.5/fs/compat_binfmt_elf.c 2010-08-26 19:47:12.000000000 -0400
29987 +++ linux-2.6.35.5/fs/compat_binfmt_elf.c 2010-09-17 20:12:09.000000000 -0400
29988 @@ -30,11 +30,13 @@
29994 #define elfhdr elf32_hdr
29995 #define elf_phdr elf32_phdr
29996 #define elf_shdr elf32_shdr
29997 #define elf_note elf32_note
29998 +#define elf_dyn Elf32_Dyn
29999 #define elf_addr_t Elf32_Addr
30002 diff -urNp linux-2.6.35.5/fs/compat.c linux-2.6.35.5/fs/compat.c
30003 --- linux-2.6.35.5/fs/compat.c 2010-08-26 19:47:12.000000000 -0400
30004 +++ linux-2.6.35.5/fs/compat.c 2010-09-21 20:51:20.000000000 -0400
30005 @@ -1150,7 +1150,7 @@ static ssize_t compat_do_readv_writev(in
30007 compat_ssize_t tot_len;
30008 struct iovec iovstack[UIO_FASTIOV];
30009 - struct iovec *iov;
30010 + struct iovec *iov = iovstack;
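Review bot: The reason `iov` now starts out pointing at `iovstack` is not stated, and the code that depends on it lies outside the hunk. Presumably an early exit compares `iov` with `iovstack` before the copy helper has assigned it, and the initialiser keeps that comparison from reading an indeterminate pointer. If that is the intent, a comment on the declaration such as `/* start on the stack array so early exits never free an unset pointer */` would stop a later cleanup from removing the initialiser as redundant.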
30014 @@ -1433,14 +1433,12 @@ static int compat_copy_strings(int argc,
30015 if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
30018 -#ifdef CONFIG_STACK_GROWSUP
30019 ret = expand_stack_downwards(bprm->vma, pos);
30021 /* We've exceed the stack rlimit. */
30026 ret = get_user_pages(current, bprm->mm, pos,
30027 1, 1, 1, &page, NULL);
30029 @@ -1486,6 +1484,11 @@ int compat_do_execve(char * filename,
30030 compat_uptr_t __user *envp,
30031 struct pt_regs * regs)
30033 +#ifdef CONFIG_GRKERNSEC
30034 + struct file *old_exec_file;
30035 + struct acl_subject_label *old_acl;
30036 + struct rlimit old_rlim[RLIM_NLIMITS];
30038 struct linux_binprm *bprm;
30040 struct files_struct *displaced;
30041 @@ -1522,6 +1525,14 @@ int compat_do_execve(char * filename,
30042 bprm->filename = filename;
30043 bprm->interp = filename;
30045 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30046 + retval = -EAGAIN;
30047 + if (gr_handle_nproc())
30049 + retval = -EACCES;
30050 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
30053 retval = bprm_mm_init(bprm);
30056 @@ -1551,9 +1562,40 @@ int compat_do_execve(char * filename,
30060 + if (!gr_tpe_allow(file)) {
30061 + retval = -EACCES;
30065 + if (gr_check_crash_exec(file)) {
30066 + retval = -EACCES;
30070 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30072 + gr_handle_exec_args(bprm, (char __user * __user *)argv);
30074 +#ifdef CONFIG_GRKERNSEC
30075 + old_acl = current->acl;
30076 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30077 + old_exec_file = current->exec_file;
30079 + current->exec_file = file;
30082 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30083 + bprm->unsafe & LSM_UNSAFE_SHARE);
30087 retval = search_binary_handler(bprm, regs);
30091 +#ifdef CONFIG_GRKERNSEC
30092 + if (old_exec_file)
30093 + fput(old_exec_file);
30096 /* execve succeeded */
30097 current->fs->in_exec = 0;
30098 @@ -1564,6 +1606,14 @@ int compat_do_execve(char * filename,
30099 put_files_struct(displaced);
30103 +#ifdef CONFIG_GRKERNSEC
30104 + current->acl = old_acl;
30105 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30106 + fput(current->exec_file);
30107 + current->exec_file = old_exec_file;
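Review bot: `old_acl`, `old_rlim` and `old_exec_file` are declared without initialisers and are only filled in just before `gr_set_proc_label()`, yet this block restores all three and calls `fput(current->exec_file)` on the failure path. The labels are outside the hunks, so it is not visible whether the earlier exits (`gr_handle_nproc()`, `gr_acl_handle_execve()`, `gr_tpe_allow()`, `gr_check_crash_exec()`) can reach it; if they can, the task would be given indeterminate ACL and rlimit state and would drop a file reference it never took. A comment at the label such as `/* reached only after the old ACL, rlimits and exec_file were saved above */`, or a dedicated label for failures after the save, would make the invariant checkable. The matching restore block added to `do_execve()` in fs/exec.c needs the same treatment.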
30113 diff -urNp linux-2.6.35.5/fs/debugfs/inode.c linux-2.6.35.5/fs/debugfs/inode.c
30114 --- linux-2.6.35.5/fs/debugfs/inode.c 2010-08-26 19:47:12.000000000 -0400
30115 +++ linux-2.6.35.5/fs/debugfs/inode.c 2010-09-17 20:12:09.000000000 -0400
30116 @@ -129,7 +129,7 @@ static inline int debugfs_positive(struc
30118 static int debug_fill_super(struct super_block *sb, void *data, int silent)
30120 - static struct tree_descr debug_files[] = {{""}};
30121 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
30123 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
30125 diff -urNp linux-2.6.35.5/fs/dlm/lockspace.c linux-2.6.35.5/fs/dlm/lockspace.c
30126 --- linux-2.6.35.5/fs/dlm/lockspace.c 2010-08-26 19:47:12.000000000 -0400
30127 +++ linux-2.6.35.5/fs/dlm/lockspace.c 2010-09-17 20:12:09.000000000 -0400
30128 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
30132 -static struct kset_uevent_ops dlm_uevent_ops = {
30133 +static const struct kset_uevent_ops dlm_uevent_ops = {
30134 .uevent = dlm_uevent,
30137 diff -urNp linux-2.6.35.5/fs/ecryptfs/inode.c linux-2.6.35.5/fs/ecryptfs/inode.c
30138 --- linux-2.6.35.5/fs/ecryptfs/inode.c 2010-08-26 19:47:12.000000000 -0400
30139 +++ linux-2.6.35.5/fs/ecryptfs/inode.c 2010-09-17 20:12:09.000000000 -0400
30140 @@ -658,7 +658,7 @@ static int ecryptfs_readlink_lower(struc
30143 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
30144 - (char __user *)lower_buf,
30145 + (__force char __user *)lower_buf,
30149 @@ -704,7 +704,7 @@ static void *ecryptfs_follow_link(struct
30153 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
30154 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
30158 @@ -719,7 +719,7 @@ out:
30160 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
30162 - char *buf = nd_get_link(nd);
30163 + const char *buf = nd_get_link(nd);
30164 if (!IS_ERR(buf)) {
30165 /* Free the char* */
30167 diff -urNp linux-2.6.35.5/fs/ecryptfs/miscdev.c linux-2.6.35.5/fs/ecryptfs/miscdev.c
30168 --- linux-2.6.35.5/fs/ecryptfs/miscdev.c 2010-08-26 19:47:12.000000000 -0400
30169 +++ linux-2.6.35.5/fs/ecryptfs/miscdev.c 2010-09-17 20:12:09.000000000 -0400
30170 @@ -328,7 +328,7 @@ check_list:
30171 goto out_unlock_msg_ctx;
30173 if (msg_ctx->msg) {
30174 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
30175 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
30176 goto out_unlock_msg_ctx;
30177 i += packet_length_size;
30178 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
30179 diff -urNp linux-2.6.35.5/fs/exec.c linux-2.6.35.5/fs/exec.c
30180 --- linux-2.6.35.5/fs/exec.c 2010-08-26 19:47:12.000000000 -0400
30181 +++ linux-2.6.35.5/fs/exec.c 2010-09-20 17:20:42.000000000 -0400
30182 @@ -55,12 +55,24 @@
30183 #include <linux/fsnotify.h>
30184 #include <linux/fs_struct.h>
30185 #include <linux/pipe_fs_i.h>
30186 +#include <linux/random.h>
30187 +#include <linux/seq_file.h>
30189 +#ifdef CONFIG_PAX_REFCOUNT
30190 +#include <linux/kallsyms.h>
30191 +#include <linux/kdebug.h>
30194 #include <asm/uaccess.h>
30195 #include <asm/mmu_context.h>
30196 #include <asm/tlb.h>
30197 #include "internal.h"
30199 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
30200 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
30201 +EXPORT_SYMBOL(pax_set_initial_flags_func);
30205 char core_pattern[CORENAME_MAX_SIZE] = "core";
30206 unsigned int core_pipe_limit;
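Review bot: `pax_set_initial_flags_func` is added as an exported, writable, file-scope function pointer with no comment saying who may assign it, when, or whether callers must test it for NULL before calling. Judging by its name it selects a new program's initial PaX flags, which makes an unintended write to it costly, and elsewhere this patch moves comparable hook pointers into `const` data. I would add a comment above the declaration, e.g. `/* optional hook; assigned by the ACL code, NULL when unused */`, adjusted to the real contract, which is not visible in this hunk.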
30207 @@ -114,7 +126,7 @@ SYSCALL_DEFINE1(uselib, const char __use
30210 file = do_filp_open(AT_FDCWD, tmp,
30211 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30212 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30213 MAY_READ | MAY_EXEC | MAY_OPEN);
30215 error = PTR_ERR(file);
30216 @@ -162,18 +174,10 @@ static struct page *get_arg_page(struct
30222 -#ifdef CONFIG_STACK_GROWSUP
30224 - ret = expand_stack_downwards(bprm->vma, pos);
30229 - ret = get_user_pages(current, bprm->mm, pos,
30230 - 1, write, 1, &page, NULL);
30232 + if (0 > expand_stack_downwards(bprm->vma, pos))
30234 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
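Review bot: The two new tests are written constant-first (`if (0 > expand_stack_downwards(...))` and `if (0 >= get_user_pages(...))`), unlike the other comparisons in this patch, which makes the failure direction easy to misread. `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` say the same thing in the usual order. With the `#ifdef CONFIG_STACK_GROWSUP` guard removed, the expand call is also compiled for every architecture, so `expand_stack_downwards()` has to be provided everywhere; the same guard is dropped in `compat_copy_strings()` in fs/compat.c. The statements executed under these conditions, and the rest of `get_arg_page()`, are outside the visible lines.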
30238 @@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b
30239 vma->vm_end = STACK_TOP_MAX;
30240 vma->vm_start = vma->vm_end - PAGE_SIZE;
30241 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
30243 +#ifdef CONFIG_PAX_SEGMEXEC
30244 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
30247 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
30248 INIT_LIST_HEAD(&vma->anon_vma_chain);
30249 err = insert_vm_struct(mm, vma);
30250 @@ -255,6 +264,12 @@ static int __bprm_mm_init(struct linux_b
30251 mm->stack_vm = mm->total_vm = 1;
30252 up_write(&mm->mmap_sem);
30253 bprm->p = vma->vm_end - sizeof(void *);
30255 +#ifdef CONFIG_PAX_RANDUSTACK
30256 + if (randomize_va_space)
30257 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
30262 up_write(&mm->mmap_sem);
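Review bot: The mask arithmetic in `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` needs a comment, because how much it randomises is not obvious from the expression. `& ~PAGE_MASK` confines the flipped bits to the offset inside the page and `& ~15` leaves the low four bits alone, so only bits 4 through PAGE_SHIFT-1 of `bprm->p` change here. Something like `/* randomise the in-page offset of bprm->p; the low four bits are preserved */` above the `if` would record that. `__bprm_mm_init()` begins and ends outside this hunk.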
30263 @@ -377,6 +392,9 @@ static int count(char __user * __user *
30268 + if (fatal_signal_pending(current))
30269 + return -ERESTARTNOHAND;
30273 @@ -420,6 +438,12 @@ static int copy_strings(int argc, char _
30275 int offset, bytes_to_copy;
30277 + if (fatal_signal_pending(current)) {
30278 + ret = -ERESTARTNOHAND;
30283 offset = pos % PAGE_SIZE;
30285 offset = PAGE_SIZE;
30286 @@ -476,7 +500,7 @@ int copy_strings_kernel(int argc,char **
30288 mm_segment_t oldfs = get_fs();
30290 - r = copy_strings(argc, (char __user * __user *)argv, bprm);
30291 + r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
30295 @@ -506,7 +530,8 @@ static int shift_arg_pages(struct vm_are
30296 unsigned long new_end = old_end - shift;
30297 struct mmu_gather *tlb;
30299 - BUG_ON(new_start > new_end);
30300 + if (new_start >= new_end || new_start < mmap_min_addr)
30304 * ensure there are no vmas between where we want to go
30305 @@ -515,6 +540,10 @@ static int shift_arg_pages(struct vm_are
30306 if (vma != find_vma(mm, new_start))
30309 +#ifdef CONFIG_PAX_SEGMEXEC
30310 + BUG_ON(pax_find_mirror_vma(vma));
30314 * cover the whole range: [new_start, old_end)
30316 @@ -605,8 +634,28 @@ int setup_arg_pages(struct linux_binprm
30317 bprm->exec -= stack_shift;
30319 down_write(&mm->mmap_sem);
30321 + /* Move stack pages down in memory. */
30322 + if (stack_shift) {
30323 + ret = shift_arg_pages(vma, stack_shift);
30328 vm_flags = VM_STACK_FLAGS;
30330 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30331 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30332 + vm_flags &= ~VM_EXEC;
30334 +#ifdef CONFIG_PAX_MPROTECT
30335 + if (mm->pax_flags & MF_PAX_MPROTECT)
30336 + vm_flags &= ~VM_MAYEXEC;
30343 * Adjust stack execute permissions; explicitly enable for
30344 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
30345 @@ -625,13 +674,6 @@ int setup_arg_pages(struct linux_binprm
30347 BUG_ON(prev != vma);
30349 - /* Move stack pages down in memory. */
30350 - if (stack_shift) {
30351 - ret = shift_arg_pages(vma, stack_shift);
30356 /* mprotect_fixup is overkill to remove the temporary stack flags */
30357 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
30359 @@ -671,7 +713,7 @@ struct file *open_exec(const char *name)
30362 file = do_filp_open(AT_FDCWD, name,
30363 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30364 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30365 MAY_EXEC | MAY_OPEN);
30368 @@ -708,7 +750,7 @@ int kernel_read(struct file *file, loff_
30371 /* The cast to a user pointer is valid due to the set_fs() */
30372 - result = vfs_read(file, (void __user *)addr, count, &pos);
30373 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
30377 @@ -1125,7 +1167,7 @@ int check_unsafe_exec(struct linux_binpr
30381 - if (p->fs->users > n_fs) {
30382 + if (atomic_read(&p->fs->users) > n_fs) {
30383 bprm->unsafe |= LSM_UNSAFE_SHARE;
30386 @@ -1321,6 +1363,11 @@ int do_execve(char * filename,
30387 char __user *__user *envp,
30388 struct pt_regs * regs)
30390 +#ifdef CONFIG_GRKERNSEC
30391 + struct file *old_exec_file;
30392 + struct acl_subject_label *old_acl;
30393 + struct rlimit old_rlim[RLIM_NLIMITS];
30395 struct linux_binprm *bprm;
30397 struct files_struct *displaced;
30398 @@ -1357,6 +1404,18 @@ int do_execve(char * filename,
30399 bprm->filename = filename;
30400 bprm->interp = filename;
30402 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30404 + if (gr_handle_nproc()) {
30405 + retval = -EAGAIN;
30409 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
30410 + retval = -EACCES;
30414 retval = bprm_mm_init(bprm);
30417 @@ -1386,10 +1445,41 @@ int do_execve(char * filename,
30421 + if (!gr_tpe_allow(file)) {
30422 + retval = -EACCES;
30426 + if (gr_check_crash_exec(file)) {
30427 + retval = -EACCES;
30431 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30433 + gr_handle_exec_args(bprm, argv);
30435 +#ifdef CONFIG_GRKERNSEC
30436 + old_acl = current->acl;
30437 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30438 + old_exec_file = current->exec_file;
30440 + current->exec_file = file;
30443 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30444 + bprm->unsafe & LSM_UNSAFE_SHARE);
30448 current->flags &= ~PF_KTHREAD;
30449 retval = search_binary_handler(bprm,regs);
30453 +#ifdef CONFIG_GRKERNSEC
30454 + if (old_exec_file)
30455 + fput(old_exec_file);
30458 /* execve succeeded */
30459 current->fs->in_exec = 0;
30460 @@ -1400,6 +1490,14 @@ int do_execve(char * filename,
30461 put_files_struct(displaced);
30465 +#ifdef CONFIG_GRKERNSEC
30466 + current->acl = old_acl;
30467 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30468 + fput(current->exec_file);
30469 + current->exec_file = old_exec_file;
30475 @@ -1563,6 +1661,225 @@ out:
30479 +int pax_check_flags(unsigned long *flags)
30483 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
30484 + if (*flags & MF_PAX_SEGMEXEC)
30486 + *flags &= ~MF_PAX_SEGMEXEC;
30487 + retval = -EINVAL;
30491 + if ((*flags & MF_PAX_PAGEEXEC)
30493 +#ifdef CONFIG_PAX_PAGEEXEC
30494 + && (*flags & MF_PAX_SEGMEXEC)
30499 + *flags &= ~MF_PAX_PAGEEXEC;
30500 + retval = -EINVAL;
30503 + if ((*flags & MF_PAX_MPROTECT)
30505 +#ifdef CONFIG_PAX_MPROTECT
30506 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30511 + *flags &= ~MF_PAX_MPROTECT;
30512 + retval = -EINVAL;
30515 + if ((*flags & MF_PAX_EMUTRAMP)
30517 +#ifdef CONFIG_PAX_EMUTRAMP
30518 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30523 + *flags &= ~MF_PAX_EMUTRAMP;
30524 + retval = -EINVAL;
30530 +EXPORT_SYMBOL(pax_check_flags);
30532 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30533 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
30535 + struct task_struct *tsk = current;
30536 + struct mm_struct *mm = current->mm;
30537 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
30538 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
30539 + char *path_exec = NULL;
30540 + char *path_fault = NULL;
30541 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
30543 + if (buffer_exec && buffer_fault) {
30544 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
30546 + down_read(&mm->mmap_sem);
30548 + while (vma && (!vma_exec || !vma_fault)) {
30549 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
30551 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
30553 + vma = vma->vm_next;
30556 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
30557 + if (IS_ERR(path_exec))
30558 + path_exec = "<path too long>";
30560 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
30563 + path_exec = buffer_exec;
30565 + path_exec = "<path too long>";
30569 + start = vma_fault->vm_start;
30570 + end = vma_fault->vm_end;
30571 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
30572 + if (vma_fault->vm_file) {
30573 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
30574 + if (IS_ERR(path_fault))
30575 + path_fault = "<path too long>";
30577 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
30578 + if (path_fault) {
30580 + path_fault = buffer_fault;
30582 + path_fault = "<path too long>";
30585 + path_fault = "<anonymous mapping>";
30587 + up_read(&mm->mmap_sem);
30589 + if (tsk->signal->curr_ip)
30590 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
30592 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
30593 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
30594 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
30595 + task_uid(tsk), task_euid(tsk), pc, sp);
30596 + free_page((unsigned long)buffer_exec);
30597 + free_page((unsigned long)buffer_fault);
30598 + pax_report_insns(pc, sp);
30599 + do_coredump(SIGKILL, SIGKILL, regs);
30603 +#ifdef CONFIG_PAX_REFCOUNT
30604 +void pax_report_refcount_overflow(struct pt_regs *regs)
30606 + if (current->signal->curr_ip)
30607 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30608 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
30610 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30611 + current->comm, task_pid_nr(current), current_uid(), current_euid());
30612 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
30614 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
30618 +#ifdef CONFIG_PAX_USERCOPY
30619 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
30620 +struct stack_frame {
30621 + struct stack_frame *next_frame;
30622 + unsigned long return_address;
30626 +/* 0: not at all, 1: fully, 2: fully inside frame,
30627 + -1: partially (implies an error) */
30629 +int object_is_on_stack(const void *obj, unsigned long len)
30631 + const void *stack = task_stack_page(current);
30632 + const void *stackend = stack + THREAD_SIZE;
30634 + if (obj + len < obj)
30637 + if (stack <= obj && obj + len <= stackend) {
30638 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
30639 + void *frame = __builtin_frame_address(2);
30640 + void *oldframe = __builtin_frame_address(1);
30642 + bottom ----------------------------------------------> top
30643 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
30644 + ^----------------^
30645 + allow copies only within here
30648 + /* if obj + len extends past the last frame, this
30649 + check won't pass and the next frame will be 0,
30650 + causing us to bail out and correctly report
30651 + the copy as invalid
30653 + if (obj + len <= frame) {
30654 + if (obj >= (oldframe + (2 * sizeof(void *))))
30659 + oldframe = frame;
30660 + frame = ((struct stack_frame *)frame)->next_frame;
30668 + if (obj + len <= stack || stackend <= obj)
30675 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
30677 + if (current->signal->curr_ip)
30678 + printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
30679 + ¤t->signal->curr_ip, ptr, len);
30681 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
30683 + do_group_exit(SIGKILL);
30686 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
30688 + if (current->signal->curr_ip)
30689 + printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
30690 + ¤t->signal->curr_ip, ptr, len);
30692 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
30694 + do_group_exit(SIGKILL);
30698 static int zap_process(struct task_struct *start, int exit_code)
30700 struct task_struct *t;
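Review bot: In `object_is_on_stack()` the wrap-around guard `if (obj + len < obj)` does arithmetic on a `const void *`, and a compiler may assume pointer addition never wraps and drop the test unless the build disables that assumption. Going by the comment in the function, the result decides which stack copies are allowed, so the guard is better done on integers: `if ((unsigned long)obj + len < (unsigned long)obj)`. Separately, `pax_report_fault()` escapes tab, newline and backslash in both paths with `mangle_path()` but prints `tsk->comm` unescaped in the same message, as does `pax_report_refcount_overflow()` with `current->comm`; a task name is chosen by the task itself, so it should get the same escaping before it reaches the log. Several lines of these functions are missing from the listing, so the return values are not visible.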
30701 @@ -1773,17 +2090,17 @@ static void wait_for_dump_helpers(struct
30702 pipe = file->f_path.dentry->d_inode->i_pipe;
30707 + atomic_inc(&pipe->readers);
30708 + atomic_dec(&pipe->writers);
30710 - while ((pipe->readers > 1) && (!signal_pending(current))) {
30711 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
30712 wake_up_interruptible_sync(&pipe->wait);
30713 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
30719 + atomic_dec(&pipe->readers);
30720 + atomic_inc(&pipe->writers);
30724 @@ -1891,6 +2208,10 @@ void do_coredump(long signr, int exit_co
30726 clear_thread_flag(TIF_SIGPENDING);
30728 + if (signr == SIGKILL || signr == SIGILL)
30729 + gr_handle_brute_attach(current);
30730 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
30733 * lock_kernel() because format_corename() is controlled by sysctl, which
30734 * uses lock_kernel()
30735 diff -urNp linux-2.6.35.5/fs/ext2/balloc.c linux-2.6.35.5/fs/ext2/balloc.c
30736 --- linux-2.6.35.5/fs/ext2/balloc.c 2010-08-26 19:47:12.000000000 -0400
30737 +++ linux-2.6.35.5/fs/ext2/balloc.c 2010-09-17 20:12:37.000000000 -0400
30738 @@ -1193,7 +1193,7 @@ static int ext2_has_free_blocks(struct e
30740 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
30741 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
30742 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
30743 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
30744 sbi->s_resuid != current_fsuid() &&
30745 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
30747 diff -urNp linux-2.6.35.5/fs/ext2/xattr.c linux-2.6.35.5/fs/ext2/xattr.c
30748 --- linux-2.6.35.5/fs/ext2/xattr.c 2010-08-26 19:47:12.000000000 -0400
30749 +++ linux-2.6.35.5/fs/ext2/xattr.c 2010-09-17 20:12:09.000000000 -0400
30754 -# define ea_idebug(f...)
30755 -# define ea_bdebug(f...)
30756 +# define ea_idebug(inode, f...) do {} while (0)
30757 +# define ea_bdebug(bh, f...) do {} while (0)
30760 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
30761 diff -urNp linux-2.6.35.5/fs/ext3/balloc.c linux-2.6.35.5/fs/ext3/balloc.c
30762 --- linux-2.6.35.5/fs/ext3/balloc.c 2010-08-26 19:47:12.000000000 -0400
30763 +++ linux-2.6.35.5/fs/ext3/balloc.c 2010-09-17 20:12:37.000000000 -0400
30764 @@ -1422,7 +1422,7 @@ static int ext3_has_free_blocks(struct e
30766 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
30767 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
30768 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
30769 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
30770 sbi->s_resuid != current_fsuid() &&
30771 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
30773 diff -urNp linux-2.6.35.5/fs/ext3/namei.c linux-2.6.35.5/fs/ext3/namei.c
30774 --- linux-2.6.35.5/fs/ext3/namei.c 2010-08-26 19:47:12.000000000 -0400
30775 +++ linux-2.6.35.5/fs/ext3/namei.c 2010-09-17 20:12:09.000000000 -0400
30776 @@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
30777 char *data1 = (*bh)->b_data, *data2;
30778 unsigned split, move, size;
30779 struct ext3_dir_entry_2 *de = NULL, *de2;
30783 bh2 = ext3_append (handle, dir, &newblock, &err);
30785 diff -urNp linux-2.6.35.5/fs/ext3/xattr.c linux-2.6.35.5/fs/ext3/xattr.c
30786 --- linux-2.6.35.5/fs/ext3/xattr.c 2010-08-26 19:47:12.000000000 -0400
30787 +++ linux-2.6.35.5/fs/ext3/xattr.c 2010-09-17 20:12:09.000000000 -0400
30792 -# define ea_idebug(f...)
30793 -# define ea_bdebug(f...)
30794 +# define ea_idebug(f...) do {} while (0)
30795 +# define ea_bdebug(f...) do {} while (0)
30798 static void ext3_xattr_cache_insert(struct buffer_head *);
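Review bot: The stubbed-out `ea_idebug` and `ea_bdebug` here keep the bare `(f...)` parameter list, while the same change in fs/ext2/xattr.c and fs/ext4/xattr.c names the first argument (`ea_idebug(inode, f...)`, `ea_bdebug(bh, f...)`). Using `# define ea_idebug(inode, f...) do {} while (0)` and `# define ea_bdebug(bh, f...) do {} while (0)` in ext3 as well would keep the three copies identical. The debug-enabled definitions are outside the visible lines, so their parameter lists should be checked against whichever form is chosen.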
30799 diff -urNp linux-2.6.35.5/fs/ext4/balloc.c linux-2.6.35.5/fs/ext4/balloc.c
30800 --- linux-2.6.35.5/fs/ext4/balloc.c 2010-08-26 19:47:12.000000000 -0400
30801 +++ linux-2.6.35.5/fs/ext4/balloc.c 2010-09-17 20:12:37.000000000 -0400
30802 @@ -522,7 +522,7 @@ int ext4_has_free_blocks(struct ext4_sb_
30803 /* Hm, nope. Are (enough) root reserved blocks available? */
30804 if (sbi->s_resuid == current_fsuid() ||
30805 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
30806 - capable(CAP_SYS_RESOURCE)) {
30807 + capable_nolog(CAP_SYS_RESOURCE)) {
30808 if (free_blocks >= (nblocks + dirty_blocks))
30811 diff -urNp linux-2.6.35.5/fs/ext4/namei.c linux-2.6.35.5/fs/ext4/namei.c
30812 --- linux-2.6.35.5/fs/ext4/namei.c 2010-08-26 19:47:12.000000000 -0400
30813 +++ linux-2.6.35.5/fs/ext4/namei.c 2010-09-17 20:12:09.000000000 -0400
30814 @@ -1197,7 +1197,7 @@ static struct ext4_dir_entry_2 *do_split
30815 char *data1 = (*bh)->b_data, *data2;
30816 unsigned split, move, size;
30817 struct ext4_dir_entry_2 *de = NULL, *de2;
30821 bh2 = ext4_append (handle, dir, &newblock, &err);
30823 diff -urNp linux-2.6.35.5/fs/ext4/xattr.c linux-2.6.35.5/fs/ext4/xattr.c
30824 --- linux-2.6.35.5/fs/ext4/xattr.c 2010-08-26 19:47:12.000000000 -0400
30825 +++ linux-2.6.35.5/fs/ext4/xattr.c 2010-09-17 20:12:09.000000000 -0400
30830 -# define ea_idebug(f...)
30831 -# define ea_bdebug(f...)
30832 +# define ea_idebug(inode, f...) do {} while (0)
30833 +# define ea_bdebug(bh, f...) do {} while (0)
30836 static void ext4_xattr_cache_insert(struct buffer_head *);
30837 diff -urNp linux-2.6.35.5/fs/fcntl.c linux-2.6.35.5/fs/fcntl.c
30838 --- linux-2.6.35.5/fs/fcntl.c 2010-08-26 19:47:12.000000000 -0400
30839 +++ linux-2.6.35.5/fs/fcntl.c 2010-09-17 20:12:37.000000000 -0400
30840 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
30844 + if (gr_handle_chroot_fowner(pid, type))
30846 + if (gr_check_protected_task_fowner(pid, type))
30849 f_modown(filp, pid, type, force);
30852 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
30855 case F_DUPFD_CLOEXEC:
30856 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
30857 if (arg >= rlimit(RLIMIT_NOFILE))
30859 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
30860 diff -urNp linux-2.6.35.5/fs/fifo.c linux-2.6.35.5/fs/fifo.c
30861 --- linux-2.6.35.5/fs/fifo.c 2010-08-26 19:47:12.000000000 -0400
30862 +++ linux-2.6.35.5/fs/fifo.c 2010-09-17 20:12:09.000000000 -0400
30863 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
30865 filp->f_op = &read_pipefifo_fops;
30867 - if (pipe->readers++ == 0)
30868 + if (atomic_inc_return(&pipe->readers) == 1)
30869 wake_up_partner(inode);
30871 - if (!pipe->writers) {
30872 + if (!atomic_read(&pipe->writers)) {
30873 if ((filp->f_flags & O_NONBLOCK)) {
30874 /* suppress POLLHUP until we have
30876 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
30877 * errno=ENXIO when there is no process reading the FIFO.
30880 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
30881 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
30884 filp->f_op = &write_pipefifo_fops;
30886 - if (!pipe->writers++)
30887 + if (atomic_inc_return(&pipe->writers) == 1)
30888 wake_up_partner(inode);
30890 - if (!pipe->readers) {
30891 + if (!atomic_read(&pipe->readers)) {
30892 wait_for_partner(inode, &pipe->r_counter);
30893 if (signal_pending(current))
30895 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
30897 filp->f_op = &rdwr_pipefifo_fops;
30901 + atomic_inc(&pipe->readers);
30902 + atomic_inc(&pipe->writers);
30905 - if (pipe->readers == 1 || pipe->writers == 1)
30906 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
30907 wake_up_partner(inode);
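Review bot: Converting `readers`/`writers` to atomic counters does not make the sequences in `fifo_open` atomic. Here `atomic_inc()` on both counters is followed by two separate `atomic_read()` comparisons, and the last hunk tests `!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)` before `free_pipe_info(inode)`. These stay correct only while every open and release path is serialised by a lock that `fifo_open` presumably takes outside the visible lines, and the new types make that dependency less obvious. A comment at the first use would record it, e.g. `/* atomic_t only changes the counter type; the pipe lock still orders these updates */`, with the wording confirmed against the field's new declaration, which this file's diff does not show.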
30910 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
30914 - if (!--pipe->readers)
30915 + if (atomic_dec_and_test(&pipe->readers))
30916 wake_up_interruptible(&pipe->wait);
30917 ret = -ERESTARTSYS;
30921 - if (!--pipe->writers)
30922 + if (atomic_dec_and_test(&pipe->writers))
30923 wake_up_interruptible(&pipe->wait);
30924 ret = -ERESTARTSYS;
30928 - if (!pipe->readers && !pipe->writers)
30929 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
30930 free_pipe_info(inode);
30933 diff -urNp linux-2.6.35.5/fs/file.c linux-2.6.35.5/fs/file.c
30934 --- linux-2.6.35.5/fs/file.c 2010-08-26 19:47:12.000000000 -0400
30935 +++ linux-2.6.35.5/fs/file.c 2010-09-17 20:12:37.000000000 -0400
30937 #include <linux/slab.h>
30938 #include <linux/vmalloc.h>
30939 #include <linux/file.h>
30940 +#include <linux/security.h>
30941 #include <linux/fdtable.h>
30942 #include <linux/bitops.h>
30943 #include <linux/interrupt.h>
30944 @@ -257,6 +258,7 @@ int expand_files(struct files_struct *fi
30945 * N.B. For clone tasks sharing a files structure, this test
30946 * will limit the total number of files that can be opened.
30948 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
30949 if (nr >= rlimit(RLIMIT_NOFILE))
30952 diff -urNp linux-2.6.35.5/fs/fs_struct.c linux-2.6.35.5/fs/fs_struct.c
30953 --- linux-2.6.35.5/fs/fs_struct.c 2010-08-26 19:47:12.000000000 -0400
30954 +++ linux-2.6.35.5/fs/fs_struct.c 2010-09-17 20:12:37.000000000 -0400
30956 #include <linux/slab.h>
30957 #include <linux/fs_struct.h>
30958 #include <linux/vserver/global.h>
30959 +#include <linux/grsecurity.h>
30962 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
30963 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
30964 old_root = fs->root;
30967 + gr_set_chroot_entries(current, path);
30968 write_unlock(&fs->lock);
30969 if (old_root.dentry)
30970 path_put(&old_root);
30971 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
30972 && fs->root.mnt == old_root->mnt) {
30973 path_get(new_root);
30974 fs->root = *new_root;
30975 + gr_set_chroot_entries(p, new_root);
30978 if (fs->pwd.dentry == old_root->dentry
30979 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
30981 write_lock(&fs->lock);
30983 - kill = !--fs->users;
30984 + gr_clear_chroot_entries(tsk);
30985 + kill = !atomic_dec_return(&fs->users);
30986 write_unlock(&fs->lock);
30989 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
30990 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
30991 /* We don't need to lock fs - think why ;-) */
30994 + atomic_set(&fs->users, 1);
30996 rwlock_init(&fs->lock);
30997 fs->umask = old->umask;
30998 @@ -127,8 +131,9 @@ int unshare_fs_struct(void)
31000 task_lock(current);
31001 write_lock(&fs->lock);
31002 - kill = !--fs->users;
31003 + kill = !atomic_dec_return(&fs->users);
31004 current->fs = new_fs;
31005 + gr_set_chroot_entries(current, &new_fs->root);
31006 write_unlock(&fs->lock);
31007 task_unlock(current);
31009 @@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
31011 /* to be mentioned only in INIT_TASK */
31012 struct fs_struct init_fs = {
31014 + .users = ATOMIC_INIT(1),
31015 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
31018 @@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
31019 task_lock(current);
31021 write_lock(&init_fs.lock);
31023 + atomic_inc(&init_fs.users);
31024 write_unlock(&init_fs.lock);
31026 write_lock(&fs->lock);
31027 current->fs = &init_fs;
31028 - kill = !--fs->users;
31029 + gr_set_chroot_entries(current, ¤t->fs->root);
31030 + kill = !atomic_dec_return(&fs->users);
31031 write_unlock(&fs->lock);
31033 task_unlock(current);
31034 diff -urNp linux-2.6.35.5/fs/fuse/control.c linux-2.6.35.5/fs/fuse/control.c
31035 --- linux-2.6.35.5/fs/fuse/control.c 2010-08-26 19:47:12.000000000 -0400
31036 +++ linux-2.6.35.5/fs/fuse/control.c 2010-09-17 20:12:09.000000000 -0400
31037 @@ -293,7 +293,7 @@ void fuse_ctl_remove_conn(struct fuse_co
31039 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
31041 - struct tree_descr empty_descr = {""};
31042 + struct tree_descr empty_descr = {"", NULL, 0};
31043 struct fuse_conn *fc;
31046 diff -urNp linux-2.6.35.5/fs/fuse/cuse.c linux-2.6.35.5/fs/fuse/cuse.c
31047 --- linux-2.6.35.5/fs/fuse/cuse.c 2010-08-26 19:47:12.000000000 -0400
31048 +++ linux-2.6.35.5/fs/fuse/cuse.c 2010-09-17 20:12:09.000000000 -0400
31049 @@ -529,8 +529,18 @@ static int cuse_channel_release(struct i
31053 -static struct file_operations cuse_channel_fops; /* initialized during init */
31055 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
31056 + .owner = THIS_MODULE,
31057 + .llseek = no_llseek,
31058 + .read = do_sync_read,
31059 + .aio_read = fuse_dev_read,
31060 + .write = do_sync_write,
31061 + .aio_write = fuse_dev_write,
31062 + .poll = fuse_dev_poll,
31063 + .open = cuse_channel_open,
31064 + .release = cuse_channel_release,
31065 + .fasync = fuse_dev_fasync,
31068 /**************************************************************************
31069 * Misc stuff and module initializatiion
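Review bot: The new static initializer of `cuse_channel_fops` is a hand-copied subset of `fuse_dev_operations` rather than the structure copy that `cuse_init` used to make, so any handler set there but not listed here is silently dropped. The `fs/fuse/dev.c` hunks in this patch show `fuse_dev_splice_read` and `fuse_dev_splice_write`; if the table wires them into `.splice_read`/`.splice_write` (its initializer is only partly visible), the CUSE channel loses splice support with this change. The retained comment `/* initialized during init */` is also no longer true and should read something like `/* mirrors fuse_dev_operations; keep in sync */`. Making the table `const` is the hardening gain; the price is four newly exported `fuse_dev_*` symbols and a second table to maintain.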
31070 @@ -576,12 +586,6 @@ static int __init cuse_init(void)
31071 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
31072 INIT_LIST_HEAD(&cuse_conntbl[i]);
31074 - /* inherit and extend fuse_dev_operations */
31075 - cuse_channel_fops = fuse_dev_operations;
31076 - cuse_channel_fops.owner = THIS_MODULE;
31077 - cuse_channel_fops.open = cuse_channel_open;
31078 - cuse_channel_fops.release = cuse_channel_release;
31080 cuse_class = class_create(THIS_MODULE, "cuse");
31081 if (IS_ERR(cuse_class))
31082 return PTR_ERR(cuse_class);
31083 diff -urNp linux-2.6.35.5/fs/fuse/dev.c linux-2.6.35.5/fs/fuse/dev.c
31084 --- linux-2.6.35.5/fs/fuse/dev.c 2010-09-20 17:33:09.000000000 -0400
31085 +++ linux-2.6.35.5/fs/fuse/dev.c 2010-09-20 17:33:32.000000000 -0400
31086 @@ -1031,7 +1031,7 @@ static ssize_t fuse_dev_do_read(struct f
31090 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31091 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31092 unsigned long nr_segs, loff_t pos)
31094 struct fuse_copy_state cs;
31095 @@ -1045,6 +1045,8 @@ static ssize_t fuse_dev_read(struct kioc
31096 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
31099 +EXPORT_SYMBOL_GPL(fuse_dev_read);
31101 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
31102 struct pipe_buffer *buf)
31104 @@ -1088,7 +1090,7 @@ static ssize_t fuse_dev_splice_read(stru
31108 - if (!pipe->readers) {
31109 + if (!atomic_read(&pipe->readers)) {
31110 send_sig(SIGPIPE, current, 0);
31113 @@ -1387,7 +1389,7 @@ static ssize_t fuse_dev_do_write(struct
31117 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31118 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31119 unsigned long nr_segs, loff_t pos)
31121 struct fuse_copy_state cs;
31122 @@ -1400,6 +1402,8 @@ static ssize_t fuse_dev_write(struct kio
31123 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
31126 +EXPORT_SYMBOL_GPL(fuse_dev_write);
31128 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
31129 struct file *out, loff_t *ppos,
31130 size_t len, unsigned int flags)
31131 @@ -1478,7 +1482,7 @@ out:
31135 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31136 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31138 unsigned mask = POLLOUT | POLLWRNORM;
31139 struct fuse_conn *fc = fuse_get_conn(file);
31140 @@ -1497,6 +1501,8 @@ static unsigned fuse_dev_poll(struct fil
31144 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
31147 * Abort all requests on the given list (pending or processing)
31149 @@ -1612,7 +1618,7 @@ int fuse_dev_release(struct inode *inode
31151 EXPORT_SYMBOL_GPL(fuse_dev_release);
31153 -static int fuse_dev_fasync(int fd, struct file *file, int on)
31154 +int fuse_dev_fasync(int fd, struct file *file, int on)
31156 struct fuse_conn *fc = fuse_get_conn(file);
31158 @@ -1622,6 +1628,8 @@ static int fuse_dev_fasync(int fd, struc
31159 return fasync_helper(fd, file, on, &fc->fasync);
31162 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
31164 const struct file_operations fuse_dev_operations = {
31165 .owner = THIS_MODULE,
31166 .llseek = no_llseek,
31167 diff -urNp linux-2.6.35.5/fs/fuse/dir.c linux-2.6.35.5/fs/fuse/dir.c
31168 --- linux-2.6.35.5/fs/fuse/dir.c 2010-08-26 19:47:12.000000000 -0400
31169 +++ linux-2.6.35.5/fs/fuse/dir.c 2010-09-17 20:12:09.000000000 -0400
31170 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
31174 -static void free_link(char *link)
31175 +static void free_link(const char *link)
31178 free_page((unsigned long) link);
31179 diff -urNp linux-2.6.35.5/fs/fuse/fuse_i.h linux-2.6.35.5/fs/fuse/fuse_i.h
31180 --- linux-2.6.35.5/fs/fuse/fuse_i.h 2010-08-26 19:47:12.000000000 -0400
31181 +++ linux-2.6.35.5/fs/fuse/fuse_i.h 2010-09-17 20:12:09.000000000 -0400
31182 @@ -524,6 +524,16 @@ extern const struct file_operations fuse
31184 extern const struct dentry_operations fuse_dentry_operations;
31186 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31187 + unsigned long nr_segs, loff_t pos);
31189 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31190 + unsigned long nr_segs, loff_t pos);
31192 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
31194 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
31197 * Inode to nodeid comparison.
31199 diff -urNp linux-2.6.35.5/fs/hfs/inode.c linux-2.6.35.5/fs/hfs/inode.c
31200 --- linux-2.6.35.5/fs/hfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31201 +++ linux-2.6.35.5/fs/hfs/inode.c 2010-09-17 20:12:09.000000000 -0400
31202 @@ -423,7 +423,7 @@ int hfs_write_inode(struct inode *inode,
31204 if (S_ISDIR(main_inode->i_mode)) {
31205 if (fd.entrylength < sizeof(struct hfs_cat_dir))
31208 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31209 sizeof(struct hfs_cat_dir));
31210 if (rec.type != HFS_CDR_DIR ||
31211 @@ -444,7 +444,7 @@ int hfs_write_inode(struct inode *inode,
31212 sizeof(struct hfs_cat_file));
31214 if (fd.entrylength < sizeof(struct hfs_cat_file))
31217 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31218 sizeof(struct hfs_cat_file));
31219 if (rec.type != HFS_CDR_FIL ||
31220 diff -urNp linux-2.6.35.5/fs/hfsplus/inode.c linux-2.6.35.5/fs/hfsplus/inode.c
31221 --- linux-2.6.35.5/fs/hfsplus/inode.c 2010-08-26 19:47:12.000000000 -0400
31222 +++ linux-2.6.35.5/fs/hfsplus/inode.c 2010-09-17 20:12:09.000000000 -0400
31223 @@ -406,7 +406,7 @@ int hfsplus_cat_read_inode(struct inode
31224 struct hfsplus_cat_folder *folder = &entry.folder;
31226 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
31229 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31230 sizeof(struct hfsplus_cat_folder));
31231 hfsplus_get_perms(inode, &folder->permissions, 1);
31232 @@ -423,7 +423,7 @@ int hfsplus_cat_read_inode(struct inode
31233 struct hfsplus_cat_file *file = &entry.file;
31235 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
31238 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31239 sizeof(struct hfsplus_cat_file));
31241 @@ -479,7 +479,7 @@ int hfsplus_cat_write_inode(struct inode
31242 struct hfsplus_cat_folder *folder = &entry.folder;
31244 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
31247 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31248 sizeof(struct hfsplus_cat_folder));
31249 /* simple node checks? */
31250 @@ -501,7 +501,7 @@ int hfsplus_cat_write_inode(struct inode
31251 struct hfsplus_cat_file *file = &entry.file;
31253 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
31256 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31257 sizeof(struct hfsplus_cat_file));
31258 hfsplus_inode_write_fork(inode, &file->data_fork);
31259 diff -urNp linux-2.6.35.5/fs/hugetlbfs/inode.c linux-2.6.35.5/fs/hugetlbfs/inode.c
31260 --- linux-2.6.35.5/fs/hugetlbfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31261 +++ linux-2.6.35.5/fs/hugetlbfs/inode.c 2010-09-17 20:12:37.000000000 -0400
31262 @@ -908,7 +908,7 @@ static struct file_system_type hugetlbfs
31263 .kill_sb = kill_litter_super,
31266 -static struct vfsmount *hugetlbfs_vfsmount;
31267 +struct vfsmount *hugetlbfs_vfsmount;
31269 static int can_do_hugetlb_shm(void)
31271 diff -urNp linux-2.6.35.5/fs/ioctl.c linux-2.6.35.5/fs/ioctl.c
31272 --- linux-2.6.35.5/fs/ioctl.c 2010-08-26 19:47:12.000000000 -0400
31273 +++ linux-2.6.35.5/fs/ioctl.c 2010-09-17 20:12:09.000000000 -0400
31274 @@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
31275 u64 phys, u64 len, u32 flags)
31277 struct fiemap_extent extent;
31278 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
31279 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
31281 /* only count the extents */
31282 if (fieinfo->fi_extents_max == 0) {
31283 @@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
31285 fieinfo.fi_flags = fiemap.fm_flags;
31286 fieinfo.fi_extents_max = fiemap.fm_extent_count;
31287 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
31288 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
31290 if (fiemap.fm_extent_count != 0 &&
31291 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
31292 @@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
31293 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
31294 fiemap.fm_flags = fieinfo.fi_flags;
31295 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
31296 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
31297 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
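Review bot: The `__force` in `copy_to_user((__force char __user *)arg, ...)` is stronger than needed and inconsistent with the cast a few lines up, `(struct fiemap_extent __user *)(arg + sizeof(fiemap))`, which annotates the same `arg` without it. `__force` tells sparse to stop checking the conversion, which works against the `__user` annotations this patch adds. Assuming `arg` is the integer ioctl argument (its declaration is outside the hunk), `(struct fiemap __user *)arg` states the destination type and keeps the check. `ioctl_fiemap` starts before the hunk.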
31301 diff -urNp linux-2.6.35.5/fs/jffs2/debug.h linux-2.6.35.5/fs/jffs2/debug.h
31302 --- linux-2.6.35.5/fs/jffs2/debug.h 2010-08-26 19:47:12.000000000 -0400
31303 +++ linux-2.6.35.5/fs/jffs2/debug.h 2010-09-17 20:12:09.000000000 -0400
31304 @@ -52,13 +52,13 @@
31305 #if CONFIG_JFFS2_FS_DEBUG > 0
31309 +#define D1(x) do {} while (0);
31312 #if CONFIG_JFFS2_FS_DEBUG > 1
31316 +#define D2(x) do {} while (0);
31319 /* The prefixes of JFFS2 messages */
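Review bot: The two added fallbacks `#define D1(x) do {} while (0);` and `#define D2(x) do {} while (0);` end in a semicolon, which defeats the `do {} while (0)` idiom. A call site such as `if (c) D1(...); else ...` then expands to two statements before the `else` and no longer compiles. Every other empty macro this patch rewrites in the same header (`dbg_readinode` and the rest) omits the semicolon. The lines should be `#define D1(x) do {} while (0)` and `#define D2(x) do {} while (0)`.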
31320 @@ -114,73 +114,73 @@
31321 #ifdef JFFS2_DBG_READINODE_MESSAGES
31322 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31324 -#define dbg_readinode(fmt, ...)
31325 +#define dbg_readinode(fmt, ...) do {} while (0)
31327 #ifdef JFFS2_DBG_READINODE2_MESSAGES
31328 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31330 -#define dbg_readinode2(fmt, ...)
31331 +#define dbg_readinode2(fmt, ...) do {} while (0)
31334 /* Fragtree build debugging messages */
31335 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
31336 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31338 -#define dbg_fragtree(fmt, ...)
31339 +#define dbg_fragtree(fmt, ...) do {} while (0)
31341 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
31342 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31344 -#define dbg_fragtree2(fmt, ...)
31345 +#define dbg_fragtree2(fmt, ...) do {} while (0)
31348 /* Directory entry list manilulation debugging messages */
31349 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
31350 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31352 -#define dbg_dentlist(fmt, ...)
31353 +#define dbg_dentlist(fmt, ...) do {} while (0)
31356 /* Print the messages about manipulating node_refs */
31357 #ifdef JFFS2_DBG_NODEREF_MESSAGES
31358 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31360 -#define dbg_noderef(fmt, ...)
31361 +#define dbg_noderef(fmt, ...) do {} while (0)
31364 /* Manipulations with the list of inodes (JFFS2 inocache) */
31365 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
31366 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31368 -#define dbg_inocache(fmt, ...)
31369 +#define dbg_inocache(fmt, ...) do {} while (0)
31372 /* Summary debugging messages */
31373 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
31374 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31376 -#define dbg_summary(fmt, ...)
31377 +#define dbg_summary(fmt, ...) do {} while (0)
31380 /* File system build messages */
31381 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
31382 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31384 -#define dbg_fsbuild(fmt, ...)
31385 +#define dbg_fsbuild(fmt, ...) do {} while (0)
31388 /* Watch the object allocations */
31389 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
31390 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31392 -#define dbg_memalloc(fmt, ...)
31393 +#define dbg_memalloc(fmt, ...) do {} while (0)
31396 /* Watch the XATTR subsystem */
31397 #ifdef JFFS2_DBG_XATTR_MESSAGES
31398 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31400 -#define dbg_xattr(fmt, ...)
31401 +#define dbg_xattr(fmt, ...) do {} while (0)
31404 /* "Sanity" checks */
31405 diff -urNp linux-2.6.35.5/fs/jffs2/erase.c linux-2.6.35.5/fs/jffs2/erase.c
31406 --- linux-2.6.35.5/fs/jffs2/erase.c 2010-08-26 19:47:12.000000000 -0400
31407 +++ linux-2.6.35.5/fs/jffs2/erase.c 2010-09-17 20:12:09.000000000 -0400
31408 @@ -438,7 +438,8 @@ static void jffs2_mark_erased_block(stru
31409 struct jffs2_unknown_node marker = {
31410 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
31411 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31412 - .totlen = cpu_to_je32(c->cleanmarker_size)
31413 + .totlen = cpu_to_je32(c->cleanmarker_size),
31414 + .hdr_crc = cpu_to_je32(0)
31417 jffs2_prealloc_raw_node_refs(c, jeb, 1);
31418 diff -urNp linux-2.6.35.5/fs/jffs2/summary.h linux-2.6.35.5/fs/jffs2/summary.h
31419 --- linux-2.6.35.5/fs/jffs2/summary.h 2010-08-26 19:47:12.000000000 -0400
31420 +++ linux-2.6.35.5/fs/jffs2/summary.h 2010-09-17 20:12:09.000000000 -0400
31421 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
31423 #define jffs2_sum_active() (0)
31424 #define jffs2_sum_init(a) (0)
31425 -#define jffs2_sum_exit(a)
31426 -#define jffs2_sum_disable_collecting(a)
31427 +#define jffs2_sum_exit(a) do {} while (0)
31428 +#define jffs2_sum_disable_collecting(a) do {} while (0)
31429 #define jffs2_sum_is_disabled(a) (0)
31430 -#define jffs2_sum_reset_collected(a)
31431 +#define jffs2_sum_reset_collected(a) do {} while (0)
31432 #define jffs2_sum_add_kvec(a,b,c,d) (0)
31433 -#define jffs2_sum_move_collected(a,b)
31434 +#define jffs2_sum_move_collected(a,b) do {} while (0)
31435 #define jffs2_sum_write_sumnode(a) (0)
31436 -#define jffs2_sum_add_padding_mem(a,b)
31437 -#define jffs2_sum_add_inode_mem(a,b,c)
31438 -#define jffs2_sum_add_dirent_mem(a,b,c)
31439 -#define jffs2_sum_add_xattr_mem(a,b,c)
31440 -#define jffs2_sum_add_xref_mem(a,b,c)
31441 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
31442 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
31443 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
31444 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
31445 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
31446 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
31448 #endif /* CONFIG_JFFS2_SUMMARY */
31449 diff -urNp linux-2.6.35.5/fs/jffs2/wbuf.c linux-2.6.35.5/fs/jffs2/wbuf.c
31450 --- linux-2.6.35.5/fs/jffs2/wbuf.c 2010-08-26 19:47:12.000000000 -0400
31451 +++ linux-2.6.35.5/fs/jffs2/wbuf.c 2010-09-17 20:12:09.000000000 -0400
31452 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
31454 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
31455 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31456 - .totlen = constant_cpu_to_je32(8)
31457 + .totlen = constant_cpu_to_je32(8),
31458 + .hdr_crc = constant_cpu_to_je32(0)
31462 diff -urNp linux-2.6.35.5/fs/Kconfig.binfmt linux-2.6.35.5/fs/Kconfig.binfmt
31463 --- linux-2.6.35.5/fs/Kconfig.binfmt 2010-08-26 19:47:12.000000000 -0400
31464 +++ linux-2.6.35.5/fs/Kconfig.binfmt 2010-09-23 20:17:27.000000000 -0400
31465 @@ -86,7 +86,7 @@ config HAVE_AOUT
31468 tristate "Kernel support for a.out and ECOFF binaries"
31469 - depends on HAVE_AOUT
31470 + depends on HAVE_AOUT && BROKEN
31472 A.out (Assembler.OUTput) is a set of formats for libraries and
31473 executables used in the earliest versions of UNIX. Linux used
31474 diff -urNp linux-2.6.35.5/fs/lockd/svc.c linux-2.6.35.5/fs/lockd/svc.c
31475 --- linux-2.6.35.5/fs/lockd/svc.c 2010-08-26 19:47:12.000000000 -0400
31476 +++ linux-2.6.35.5/fs/lockd/svc.c 2010-09-17 20:12:09.000000000 -0400
31479 static struct svc_program nlmsvc_program;
31481 -struct nlmsvc_binding * nlmsvc_ops;
31482 +const struct nlmsvc_binding * nlmsvc_ops;
31483 EXPORT_SYMBOL_GPL(nlmsvc_ops);
31485 static DEFINE_MUTEX(nlmsvc_mutex);
31486 diff -urNp linux-2.6.35.5/fs/locks.c linux-2.6.35.5/fs/locks.c
31487 --- linux-2.6.35.5/fs/locks.c 2010-08-26 19:47:12.000000000 -0400
31488 +++ linux-2.6.35.5/fs/locks.c 2010-09-17 20:12:09.000000000 -0400
31489 @@ -2008,16 +2008,16 @@ void locks_remove_flock(struct file *fil
31492 if (filp->f_op && filp->f_op->flock) {
31493 - struct file_lock fl = {
31494 + struct file_lock flock = {
31495 .fl_pid = current->tgid,
31497 .fl_flags = FL_FLOCK,
31498 .fl_type = F_UNLCK,
31499 .fl_end = OFFSET_MAX,
31501 - filp->f_op->flock(filp, F_SETLKW, &fl);
31502 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
31503 - fl.fl_ops->fl_release_private(&fl);
31504 + filp->f_op->flock(filp, F_SETLKW, &flock);
31505 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
31506 + flock.fl_ops->fl_release_private(&flock);
31510 diff -urNp linux-2.6.35.5/fs/namei.c linux-2.6.35.5/fs/namei.c
31511 --- linux-2.6.35.5/fs/namei.c 2010-08-26 19:47:12.000000000 -0400
31512 +++ linux-2.6.35.5/fs/namei.c 2010-09-17 20:12:37.000000000 -0400
31513 @@ -548,7 +548,7 @@ __do_follow_link(struct path *path, stru
31514 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
31515 error = PTR_ERR(*p);
31517 - char *s = nd_get_link(nd);
31518 + const char *s = nd_get_link(nd);
31521 error = __vfs_follow_link(nd, s);
31522 @@ -581,6 +581,13 @@ static inline int do_follow_link(struct
31523 err = security_inode_follow_link(path->dentry, nd);
31527 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
31528 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
31533 current->link_count++;
31534 current->total_link_count++;
31536 @@ -965,11 +972,18 @@ return_reval:
31540 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
31541 + path_put(&nd->path);
31546 path_put_conditional(&next, nd);
31549 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
31552 path_put(&nd->path);
31555 @@ -1506,12 +1520,19 @@ static int __open_namei_create(struct na
31557 struct dentry *dir = nd->path.dentry;
31559 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, open_flag, mode)) {
31564 if (!IS_POSIXACL(dir->d_inode))
31565 mode &= ~current_umask();
31566 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
31569 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
31571 + gr_handle_create(path->dentry, nd->path.mnt);
31573 mutex_unlock(&dir->d_inode->i_mutex);
31574 dput(nd->path.dentry);
31575 @@ -1614,6 +1635,7 @@ static struct file *do_last(struct namei
31576 int mode, const char *pathname)
31578 struct dentry *dir = nd->path.dentry;
31579 + int flag = open_to_namei_flags(open_flag);
31581 int error = -EISDIR;
31583 @@ -1662,6 +1684,22 @@ static struct file *do_last(struct namei
31585 path_to_nameidata(path, nd);
31586 audit_inode(pathname, nd->path.dentry);
31588 + if (gr_handle_rofs_blockwrite(nd->path.dentry, nd->path.mnt, acc_mode)) {
31593 + if (gr_handle_rawio(nd->path.dentry->d_inode)) {
31598 + if (!gr_acl_handle_open(nd->path.dentry, nd->path.mnt, flag)) {
31606 @@ -1714,6 +1752,24 @@ static struct file *do_last(struct namei
31608 * It already exists.
31611 + if (gr_handle_rofs_blockwrite(path->dentry, nd->path.mnt, acc_mode)) {
31613 + goto exit_mutex_unlock;
31615 + if (gr_handle_rawio(path->dentry->d_inode)) {
31617 + goto exit_mutex_unlock;
31619 + if (!gr_acl_handle_open(path->dentry, nd->path.mnt, flag)) {
31621 + goto exit_mutex_unlock;
31623 + if (gr_handle_fifo(path->dentry, nd->path.mnt, dir, flag, acc_mode)) {
31625 + goto exit_mutex_unlock;
31628 mutex_unlock(&dir->d_inode->i_mutex);
31629 audit_inode(pathname, path->dentry);
31631 @@ -2034,6 +2090,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
31632 error = may_mknod(mode);
31636 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
31641 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
31646 error = mnt_want_write(nd.path.mnt);
31649 @@ -2054,6 +2121,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
31652 mnt_drop_write(nd.path.mnt);
31655 + gr_handle_create(dentry, nd.path.mnt);
31659 @@ -2106,6 +2176,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
31660 if (IS_ERR(dentry))
31663 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
31668 if (!IS_POSIXACL(nd.path.dentry->d_inode))
31669 mode &= ~current_umask();
31670 error = mnt_want_write(nd.path.mnt);
31671 @@ -2117,6 +2192,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
31672 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
31674 mnt_drop_write(nd.path.mnt);
31677 + gr_handle_create(dentry, nd.path.mnt);
31682 @@ -2198,6 +2277,8 @@ static long do_rmdir(int dfd, const char
31684 struct dentry *dentry;
31685 struct nameidata nd;
31686 + ino_t saved_ino = 0;
31687 + dev_t saved_dev = 0;
31689 error = user_path_parent(dfd, pathname, &nd, &name);
31691 @@ -2222,6 +2303,19 @@ static long do_rmdir(int dfd, const char
31692 error = PTR_ERR(dentry);
31693 if (IS_ERR(dentry))
31696 + if (dentry->d_inode != NULL) {
31697 + if (dentry->d_inode->i_nlink <= 1) {
31698 + saved_ino = dentry->d_inode->i_ino;
31699 + saved_dev = dentry->d_inode->i_sb->s_dev;
31702 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
31708 error = mnt_want_write(nd.path.mnt);
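Review bot: `saved_ino`/`saved_dev` are recorded only when `dentry->d_inode->i_nlink <= 1`, the same condition as in the `do_unlinkat` hunk, and it fits regular files better than directories. On many filesystems an empty directory still has a link count of 2, in which case the `gr_handle_delete(saved_ino, saved_dev)` call added after `vfs_rmdir` would never run. If the hook is meant to fire for every removed directory, record the inode and device unconditionally once `d_inode` is known to be non-NULL. Using zero for both values as the "nothing saved" marker also deserves a comment or a separate flag, since the later test `saved_dev || saved_ino` relies on it. `do_rmdir` continues outside the hunk, and some lines of the hunk are missing from this listing.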
31711 @@ -2229,6 +2323,8 @@ static long do_rmdir(int dfd, const char
31714 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
31715 + if (!error && (saved_dev || saved_ino))
31716 + gr_handle_delete(saved_ino, saved_dev);
31718 mnt_drop_write(nd.path.mnt);
31720 @@ -2291,6 +2387,8 @@ static long do_unlinkat(int dfd, const c
31721 struct dentry *dentry;
31722 struct nameidata nd;
31723 struct inode *inode = NULL;
31724 + ino_t saved_ino = 0;
31725 + dev_t saved_dev = 0;
31727 error = user_path_parent(dfd, pathname, &nd, &name);
31729 @@ -2310,8 +2408,19 @@ static long do_unlinkat(int dfd, const c
31730 if (nd.last.name[nd.last.len])
31732 inode = dentry->d_inode;
31735 + if (inode->i_nlink <= 1) {
31736 + saved_ino = inode->i_ino;
31737 + saved_dev = inode->i_sb->s_dev;
31740 atomic_inc(&inode->i_count);
31742 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
31747 error = mnt_want_write(nd.path.mnt);
31750 @@ -2319,6 +2428,8 @@ static long do_unlinkat(int dfd, const c
31753 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
31754 + if (!error && (saved_ino || saved_dev))
31755 + gr_handle_delete(saved_ino, saved_dev);
31757 mnt_drop_write(nd.path.mnt);
31759 @@ -2396,6 +2507,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
31760 if (IS_ERR(dentry))
31763 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
31768 error = mnt_want_write(nd.path.mnt);
31771 @@ -2403,6 +2519,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
31773 goto out_drop_write;
31774 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
31776 + gr_handle_create(dentry, nd.path.mnt);
31778 mnt_drop_write(nd.path.mnt);
31780 @@ -2495,6 +2613,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
31781 error = PTR_ERR(new_dentry);
31782 if (IS_ERR(new_dentry))
31785 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
31786 + old_path.dentry->d_inode,
31787 + old_path.dentry->d_inode->i_mode, to)) {
31792 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
31793 + old_path.dentry, old_path.mnt, to)) {
31798 error = mnt_want_write(nd.path.mnt);
31801 @@ -2502,6 +2634,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
31803 goto out_drop_write;
31804 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
31806 + gr_handle_create(new_dentry, nd.path.mnt);
31808 mnt_drop_write(nd.path.mnt);
31810 @@ -2735,6 +2869,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
31811 if (new_dentry == trap)
31814 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
31815 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
31820 error = mnt_want_write(oldnd.path.mnt);
31823 @@ -2744,6 +2884,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
31825 error = vfs_rename(old_dir->d_inode, old_dentry,
31826 new_dir->d_inode, new_dentry);
31828 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
31829 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
31831 mnt_drop_write(oldnd.path.mnt);
31833 diff -urNp linux-2.6.35.5/fs/namespace.c linux-2.6.35.5/fs/namespace.c
31834 --- linux-2.6.35.5/fs/namespace.c 2010-08-26 19:47:12.000000000 -0400
31835 +++ linux-2.6.35.5/fs/namespace.c 2010-09-17 20:21:58.000000000 -0400
31836 @@ -1099,6 +1099,9 @@ static int do_umount(struct vfsmount *mn
31837 if (!(sb->s_flags & MS_RDONLY))
31838 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
31839 up_write(&sb->s_umount);
31841 + gr_log_remount(mnt->mnt_devname, retval);
31846 @@ -1118,6 +1121,9 @@ static int do_umount(struct vfsmount *mn
31847 spin_unlock(&vfsmount_lock);
31848 up_write(&namespace_sem);
31849 release_mounts(&umount_list);
31851 + gr_log_unmount(mnt->mnt_devname, retval);
31856 @@ -1988,6 +1994,16 @@ long do_mount(char *dev_name, char *dir_
31857 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
31860 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
31865 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
31870 if (flags & MS_REMOUNT)
31871 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
31873 @@ -2002,6 +2018,9 @@ long do_mount(char *dev_name, char *dir_
31874 dev_name, data_page);
31878 + gr_log_mount(dev_name, dir_name, retval);
31883 @@ -2208,6 +2227,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
31887 + if (gr_handle_chroot_pivot()) {
31893 read_lock(¤t->fs->lock);
31894 root = current->fs->root;
31895 path_get(¤t->fs->root);
31896 diff -urNp linux-2.6.35.5/fs/nfs/inode.c linux-2.6.35.5/fs/nfs/inode.c
31897 --- linux-2.6.35.5/fs/nfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31898 +++ linux-2.6.35.5/fs/nfs/inode.c 2010-09-17 20:12:09.000000000 -0400
31899 @@ -915,16 +915,16 @@ static int nfs_size_need_update(const st
31900 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
31903 -static atomic_long_t nfs_attr_generation_counter;
31904 +static atomic_long_unchecked_t nfs_attr_generation_counter;
31906 static unsigned long nfs_read_attr_generation_counter(void)
31908 - return atomic_long_read(&nfs_attr_generation_counter);
31909 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
31912 unsigned long nfs_inc_attr_generation_counter(void)
31914 - return atomic_long_inc_return(&nfs_attr_generation_counter);
31915 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
31918 void nfs_fattr_init(struct nfs_fattr *fattr)
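Review bot: Nothing in this hunk records why `nfs_attr_generation_counter` may use the `_unchecked` atomic variants, which, as far as the naming in this patch indicates, opt the counter out of the overflow detection applied to ordinary atomic counters. A one-line comment at the declaration, e.g. `/* generation number, not a reference count: wraparound is expected and harmless */`, would let a later reader confirm the exemption is deliberate, assuming that is the reasoning. The same applies to the `alloc_stats` members converted in the fs/ocfs2 hunks further down, which from their use in `ocfs2_osb_dump` look like pure statistics.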
31919 diff -urNp linux-2.6.35.5/fs/nfs/nfs4proc.c linux-2.6.35.5/fs/nfs/nfs4proc.c
31920 --- linux-2.6.35.5/fs/nfs/nfs4proc.c 2010-08-26 19:47:12.000000000 -0400
31921 +++ linux-2.6.35.5/fs/nfs/nfs4proc.c 2010-09-17 20:12:09.000000000 -0400
31922 @@ -1166,7 +1166,7 @@ static int _nfs4_do_open_reclaim(struct
31923 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
31925 struct nfs_server *server = NFS_SERVER(state->inode);
31926 - struct nfs4_exception exception = { };
31927 + struct nfs4_exception exception = {0, 0};
31930 err = _nfs4_do_open_reclaim(ctx, state);
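Review bot: The replacement initializer `{0, 0}` is positional, so it quietly encodes how many members `struct nfs4_exception` has. The struct definition is not part of this diff, and if it has (or later gains) a different member count the line reads as a partial initializer, even though C still zero-fills the remainder. `struct nfs4_exception exception = { 0 };` says "zero everything" without depending on the layout. The same substitution repeats in every fs/nfs/nfs4proc.c hunk below, through `nfs4_lock_delegation_recall`; the function body here continues outside the hunk.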
31931 @@ -1208,7 +1208,7 @@ static int _nfs4_open_delegation_recall(
31933 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
31935 - struct nfs4_exception exception = { };
31936 + struct nfs4_exception exception = {0, 0};
31937 struct nfs_server *server = NFS_SERVER(state->inode);
31940 @@ -1581,7 +1581,7 @@ static int _nfs4_open_expired(struct nfs
31941 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
31943 struct nfs_server *server = NFS_SERVER(state->inode);
31944 - struct nfs4_exception exception = { };
31945 + struct nfs4_exception exception = {0, 0};
31949 @@ -1697,7 +1697,7 @@ out_err:
31951 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
31953 - struct nfs4_exception exception = { };
31954 + struct nfs4_exception exception = {0, 0};
31955 struct nfs4_state *res;
31958 @@ -1788,7 +1788,7 @@ static int nfs4_do_setattr(struct inode
31959 struct nfs4_state *state)
31961 struct nfs_server *server = NFS_SERVER(inode);
31962 - struct nfs4_exception exception = { };
31963 + struct nfs4_exception exception = {0, 0};
31966 err = nfs4_handle_exception(server,
31967 @@ -2166,7 +2166,7 @@ static int _nfs4_server_capabilities(str
31969 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
31971 - struct nfs4_exception exception = { };
31972 + struct nfs4_exception exception = {0, 0};
31975 err = nfs4_handle_exception(server,
31976 @@ -2200,7 +2200,7 @@ static int _nfs4_lookup_root(struct nfs_
31977 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
31978 struct nfs_fsinfo *info)
31980 - struct nfs4_exception exception = { };
31981 + struct nfs4_exception exception = {0, 0};
31984 err = nfs4_handle_exception(server,
31985 @@ -2289,7 +2289,7 @@ static int _nfs4_proc_getattr(struct nfs
31987 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
31989 - struct nfs4_exception exception = { };
31990 + struct nfs4_exception exception = {0, 0};
31993 err = nfs4_handle_exception(server,
31994 @@ -2377,7 +2377,7 @@ static int nfs4_proc_lookupfh(struct nfs
31995 struct qstr *name, struct nfs_fh *fhandle,
31996 struct nfs_fattr *fattr)
31998 - struct nfs4_exception exception = { };
31999 + struct nfs4_exception exception = {0, 0};
32002 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
32003 @@ -2406,7 +2406,7 @@ static int _nfs4_proc_lookup(struct inod
32005 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32007 - struct nfs4_exception exception = { };
32008 + struct nfs4_exception exception = {0, 0};
32011 err = nfs4_handle_exception(NFS_SERVER(dir),
32012 @@ -2473,7 +2473,7 @@ static int _nfs4_proc_access(struct inod
32014 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
32016 - struct nfs4_exception exception = { };
32017 + struct nfs4_exception exception = {0, 0};
32020 err = nfs4_handle_exception(NFS_SERVER(inode),
32021 @@ -2529,7 +2529,7 @@ static int _nfs4_proc_readlink(struct in
32022 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
32023 unsigned int pgbase, unsigned int pglen)
32025 - struct nfs4_exception exception = { };
32026 + struct nfs4_exception exception = {0, 0};
32029 err = nfs4_handle_exception(NFS_SERVER(inode),
32030 @@ -2625,7 +2625,7 @@ out:
32032 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
32034 - struct nfs4_exception exception = { };
32035 + struct nfs4_exception exception = {0, 0};
32038 err = nfs4_handle_exception(NFS_SERVER(dir),
32039 @@ -2700,7 +2700,7 @@ out:
32040 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
32041 struct inode *new_dir, struct qstr *new_name)
32043 - struct nfs4_exception exception = { };
32044 + struct nfs4_exception exception = {0, 0};
32047 err = nfs4_handle_exception(NFS_SERVER(old_dir),
32048 @@ -2749,7 +2749,7 @@ out:
32050 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
32052 - struct nfs4_exception exception = { };
32053 + struct nfs4_exception exception = {0, 0};
32056 err = nfs4_handle_exception(NFS_SERVER(inode),
32057 @@ -2841,7 +2841,7 @@ out:
32058 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
32059 struct page *page, unsigned int len, struct iattr *sattr)
32061 - struct nfs4_exception exception = { };
32062 + struct nfs4_exception exception = {0, 0};
32065 err = nfs4_handle_exception(NFS_SERVER(dir),
32066 @@ -2872,7 +2872,7 @@ out:
32067 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
32068 struct iattr *sattr)
32070 - struct nfs4_exception exception = { };
32071 + struct nfs4_exception exception = {0, 0};
32074 err = nfs4_handle_exception(NFS_SERVER(dir),
32075 @@ -2921,7 +2921,7 @@ static int _nfs4_proc_readdir(struct den
32076 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
32077 u64 cookie, struct page *page, unsigned int count, int plus)
32079 - struct nfs4_exception exception = { };
32080 + struct nfs4_exception exception = {0, 0};
32083 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
32084 @@ -2969,7 +2969,7 @@ out:
32085 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
32086 struct iattr *sattr, dev_t rdev)
32088 - struct nfs4_exception exception = { };
32089 + struct nfs4_exception exception = {0, 0};
32092 err = nfs4_handle_exception(NFS_SERVER(dir),
32093 @@ -3001,7 +3001,7 @@ static int _nfs4_proc_statfs(struct nfs_
32095 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
32097 - struct nfs4_exception exception = { };
32098 + struct nfs4_exception exception = {0, 0};
32101 err = nfs4_handle_exception(server,
32102 @@ -3032,7 +3032,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
32104 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
32106 - struct nfs4_exception exception = { };
32107 + struct nfs4_exception exception = {0, 0};
32111 @@ -3078,7 +3078,7 @@ static int _nfs4_proc_pathconf(struct nf
32112 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
32113 struct nfs_pathconf *pathconf)
32115 - struct nfs4_exception exception = { };
32116 + struct nfs4_exception exception = {0, 0};
32120 @@ -3399,7 +3399,7 @@ out_free:
32122 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
32124 - struct nfs4_exception exception = { };
32125 + struct nfs4_exception exception = {0, 0};
32128 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
32129 @@ -3455,7 +3455,7 @@ static int __nfs4_proc_set_acl(struct in
32131 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
32133 - struct nfs4_exception exception = { };
32134 + struct nfs4_exception exception = {0, 0};
32137 err = nfs4_handle_exception(NFS_SERVER(inode),
32138 @@ -3745,7 +3745,7 @@ out:
32139 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
32141 struct nfs_server *server = NFS_SERVER(inode);
32142 - struct nfs4_exception exception = { };
32143 + struct nfs4_exception exception = {0, 0};
32146 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
32147 @@ -3818,7 +3818,7 @@ out:
32149 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32151 - struct nfs4_exception exception = { };
32152 + struct nfs4_exception exception = {0, 0};
32156 @@ -4232,7 +4232,7 @@ static int _nfs4_do_setlk(struct nfs4_st
32157 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
32159 struct nfs_server *server = NFS_SERVER(state->inode);
32160 - struct nfs4_exception exception = { };
32161 + struct nfs4_exception exception = {0, 0};
32165 @@ -4250,7 +4250,7 @@ static int nfs4_lock_reclaim(struct nfs4
32166 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
32168 struct nfs_server *server = NFS_SERVER(state->inode);
32169 - struct nfs4_exception exception = { };
32170 + struct nfs4_exception exception = {0, 0};
32173 err = nfs4_set_lock_state(state, request);
32174 @@ -4315,7 +4315,7 @@ out:
32176 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32178 - struct nfs4_exception exception = { };
32179 + struct nfs4_exception exception = {0, 0};
32183 @@ -4375,7 +4375,7 @@ nfs4_proc_lock(struct file *filp, int cm
32184 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
32186 struct nfs_server *server = NFS_SERVER(state->inode);
32187 - struct nfs4_exception exception = { };
32188 + struct nfs4_exception exception = {0, 0};
32191 err = nfs4_set_lock_state(state, fl);
32192 diff -urNp linux-2.6.35.5/fs/nfsd/lockd.c linux-2.6.35.5/fs/nfsd/lockd.c
32193 --- linux-2.6.35.5/fs/nfsd/lockd.c 2010-08-26 19:47:12.000000000 -0400
32194 +++ linux-2.6.35.5/fs/nfsd/lockd.c 2010-09-17 20:12:09.000000000 -0400
32195 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
32199 -static struct nlmsvc_binding nfsd_nlm_ops = {
32200 +static const struct nlmsvc_binding nfsd_nlm_ops = {
32201 .fopen = nlm_fopen, /* open file for locking */
32202 .fclose = nlm_fclose, /* close file */
32204 diff -urNp linux-2.6.35.5/fs/nfsd/nfsctl.c linux-2.6.35.5/fs/nfsd/nfsctl.c
32205 --- linux-2.6.35.5/fs/nfsd/nfsctl.c 2010-08-26 19:47:12.000000000 -0400
32206 +++ linux-2.6.35.5/fs/nfsd/nfsctl.c 2010-09-17 20:12:09.000000000 -0400
32207 @@ -163,7 +163,7 @@ static int export_features_open(struct i
32208 return single_open(file, export_features_show, NULL);
32211 -static struct file_operations export_features_operations = {
32212 +static const struct file_operations export_features_operations = {
32213 .open = export_features_open,
32215 .llseek = seq_lseek,
32216 diff -urNp linux-2.6.35.5/fs/nfsd/vfs.c linux-2.6.35.5/fs/nfsd/vfs.c
32217 --- linux-2.6.35.5/fs/nfsd/vfs.c 2010-08-26 19:47:12.000000000 -0400
32218 +++ linux-2.6.35.5/fs/nfsd/vfs.c 2010-09-17 20:12:09.000000000 -0400
32219 @@ -933,7 +933,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
32223 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
32224 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
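Review bot: `__force` only silences the address-space checker; casting the kernel-side `vec` to `struct iovec __user *` is valid only while the address limit has been raised with `set_fs(KERNEL_DS)`. That bracket is visible in the `nfsd_vfs_write` and `nfsd_readlink` hunks (`oldfs = get_fs(); set_fs(KERNEL_DS);`), but the lines around this call in `nfsd_vfs_read` are not shown, so it should be confirmed here. A short comment at each of the three casts, e.g. `/* kernel pointer: valid as __user only under KERNEL_DS */`, would keep the annotation from being copied to a call outside such a bracket.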
32228 @@ -1056,7 +1056,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
32230 /* Write the data. */
32231 oldfs = get_fs(); set_fs(KERNEL_DS);
32232 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
32233 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
32237 @@ -1541,7 +1541,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
32240 oldfs = get_fs(); set_fs(KERNEL_DS);
32241 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
32242 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
32246 diff -urNp linux-2.6.35.5/fs/nls/nls_base.c linux-2.6.35.5/fs/nls/nls_base.c
32247 --- linux-2.6.35.5/fs/nls/nls_base.c 2010-08-26 19:47:12.000000000 -0400
32248 +++ linux-2.6.35.5/fs/nls/nls_base.c 2010-09-17 20:12:09.000000000 -0400
32249 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
32250 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
32251 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
32252 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
32253 - {0, /* end of table */}
32254 + {0, 0, 0, 0, 0, /* end of table */}
32257 #define UNICODE_MAX 0x0010ffff
32258 diff -urNp linux-2.6.35.5/fs/ntfs/file.c linux-2.6.35.5/fs/ntfs/file.c
32259 --- linux-2.6.35.5/fs/ntfs/file.c 2010-08-26 19:47:12.000000000 -0400
32260 +++ linux-2.6.35.5/fs/ntfs/file.c 2010-09-17 20:12:09.000000000 -0400
32261 @@ -2223,6 +2223,6 @@ const struct inode_operations ntfs_file_
32262 #endif /* NTFS_RW */
32265 -const struct file_operations ntfs_empty_file_ops = {};
32266 +const struct file_operations ntfs_empty_file_ops __read_only;
32268 -const struct inode_operations ntfs_empty_inode_ops = {};
32269 +const struct inode_operations ntfs_empty_inode_ops __read_only;
32270 diff -urNp linux-2.6.35.5/fs/ocfs2/localalloc.c linux-2.6.35.5/fs/ocfs2/localalloc.c
32271 --- linux-2.6.35.5/fs/ocfs2/localalloc.c 2010-08-26 19:47:12.000000000 -0400
32272 +++ linux-2.6.35.5/fs/ocfs2/localalloc.c 2010-09-17 20:12:09.000000000 -0400
32273 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
32277 - atomic_inc(&osb->alloc_stats.moves);
32278 + atomic_inc_unchecked(&osb->alloc_stats.moves);
32282 diff -urNp linux-2.6.35.5/fs/ocfs2/ocfs2.h linux-2.6.35.5/fs/ocfs2/ocfs2.h
32283 --- linux-2.6.35.5/fs/ocfs2/ocfs2.h 2010-08-26 19:47:12.000000000 -0400
32284 +++ linux-2.6.35.5/fs/ocfs2/ocfs2.h 2010-09-17 20:12:09.000000000 -0400
32285 @@ -223,11 +223,11 @@ enum ocfs2_vol_state
32287 struct ocfs2_alloc_stats
32290 - atomic_t local_data;
32291 - atomic_t bitmap_data;
32292 - atomic_t bg_allocs;
32293 - atomic_t bg_extends;
32294 + atomic_unchecked_t moves;
32295 + atomic_unchecked_t local_data;
32296 + atomic_unchecked_t bitmap_data;
32297 + atomic_unchecked_t bg_allocs;
32298 + atomic_unchecked_t bg_extends;
32301 enum ocfs2_local_alloc_state
32302 diff -urNp linux-2.6.35.5/fs/ocfs2/suballoc.c linux-2.6.35.5/fs/ocfs2/suballoc.c
32303 --- linux-2.6.35.5/fs/ocfs2/suballoc.c 2010-08-26 19:47:12.000000000 -0400
32304 +++ linux-2.6.35.5/fs/ocfs2/suballoc.c 2010-09-17 20:12:09.000000000 -0400
32305 @@ -856,7 +856,7 @@ static int ocfs2_reserve_suballoc_bits(s
32306 mlog_errno(status);
32309 - atomic_inc(&osb->alloc_stats.bg_extends);
32310 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
32312 /* You should never ask for this much metadata */
32313 BUG_ON(bits_wanted >
32314 @@ -1968,7 +1968,7 @@ int ocfs2_claim_metadata(handle_t *handl
32315 mlog_errno(status);
32318 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32319 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32321 *suballoc_loc = res.sr_bg_blkno;
32322 *suballoc_bit_start = res.sr_bit_offset;
32323 @@ -2045,7 +2045,7 @@ int ocfs2_claim_new_inode(handle_t *hand
32324 mlog_errno(status);
32327 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32328 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32330 BUG_ON(res.sr_bits != 1);
32332 @@ -2150,7 +2150,7 @@ int __ocfs2_claim_clusters(handle_t *han
32336 - atomic_inc(&osb->alloc_stats.local_data);
32337 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
32339 if (min_clusters > (osb->bitmap_cpg - 1)) {
32340 /* The only paths asking for contiguousness
32341 @@ -2176,7 +2176,7 @@ int __ocfs2_claim_clusters(handle_t *han
32342 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
32344 res.sr_bit_offset);
32345 - atomic_inc(&osb->alloc_stats.bitmap_data);
32346 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
32347 *num_clusters = res.sr_bits;
32350 diff -urNp linux-2.6.35.5/fs/ocfs2/super.c linux-2.6.35.5/fs/ocfs2/super.c
32351 --- linux-2.6.35.5/fs/ocfs2/super.c 2010-08-26 19:47:12.000000000 -0400
32352 +++ linux-2.6.35.5/fs/ocfs2/super.c 2010-09-17 20:12:09.000000000 -0400
32353 @@ -293,11 +293,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
32354 "%10s => GlobalAllocs: %d LocalAllocs: %d "
32355 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
32357 - atomic_read(&osb->alloc_stats.bitmap_data),
32358 - atomic_read(&osb->alloc_stats.local_data),
32359 - atomic_read(&osb->alloc_stats.bg_allocs),
32360 - atomic_read(&osb->alloc_stats.moves),
32361 - atomic_read(&osb->alloc_stats.bg_extends));
32362 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
32363 + atomic_read_unchecked(&osb->alloc_stats.local_data),
32364 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
32365 + atomic_read_unchecked(&osb->alloc_stats.moves),
32366 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
32368 out += snprintf(buf + out, len - out,
32369 "%10s => State: %u Descriptor: %llu Size: %u bits "
32370 @@ -2047,11 +2047,11 @@ static int ocfs2_initialize_super(struct
32371 spin_lock_init(&osb->osb_xattr_lock);
32372 ocfs2_init_steal_slots(osb);
32374 - atomic_set(&osb->alloc_stats.moves, 0);
32375 - atomic_set(&osb->alloc_stats.local_data, 0);
32376 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
32377 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
32378 - atomic_set(&osb->alloc_stats.bg_extends, 0);
32379 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
32380 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
32381 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
32382 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
32383 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
32385 /* Copy the blockcheck stats from the superblock probe */
32386 osb->osb_ecc_stats = *stats;
32387 diff -urNp linux-2.6.35.5/fs/ocfs2/symlink.c linux-2.6.35.5/fs/ocfs2/symlink.c
32388 --- linux-2.6.35.5/fs/ocfs2/symlink.c 2010-08-26 19:47:12.000000000 -0400
32389 +++ linux-2.6.35.5/fs/ocfs2/symlink.c 2010-09-17 20:12:09.000000000 -0400
32390 @@ -148,7 +148,7 @@ bail:
32392 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
32394 - char *link = nd_get_link(nd);
32395 + const char *link = nd_get_link(nd);
32399 diff -urNp linux-2.6.35.5/fs/open.c linux-2.6.35.5/fs/open.c
32400 --- linux-2.6.35.5/fs/open.c 2010-08-26 19:47:12.000000000 -0400
32401 +++ linux-2.6.35.5/fs/open.c 2010-09-17 20:12:37.000000000 -0400
32402 @@ -42,6 +42,9 @@ int do_truncate(struct dentry *dentry, l
32406 + if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))
32409 newattrs.ia_size = length;
32410 newattrs.ia_valid = ATTR_SIZE | time_attrs;
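Review bot: The ACL hook added to `do_truncate` runs only when `filp` is non-NULL (`if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))`), so any caller that passes a NULL `filp` reaches the `newattrs` setup without this check. No other truncate hook appears in the fs/open.c hunks on this page, so it is worth confirming that path-based truncation is covered elsewhere. A comment such as `/* path-based callers (filp == NULL) are checked in <caller> */` (placeholder for the real location) would record that. The statement guarded by the `if` and the rest of `do_truncate` lie outside the visible lines.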
32412 @@ -345,6 +348,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
32413 if (__mnt_is_readonly(path.mnt))
32416 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
32422 @@ -371,6 +377,8 @@ SYSCALL_DEFINE1(chdir, const char __user
32426 + gr_log_chdir(path.dentry, path.mnt);
32428 set_fs_pwd(current->fs, &path);
32431 @@ -397,6 +405,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
32434 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
32436 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
32440 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
32443 set_fs_pwd(current->fs, &file->f_path);
32445 @@ -425,7 +440,18 @@ SYSCALL_DEFINE1(chroot, const char __use
32449 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
32450 + goto dput_and_out;
32452 + if (gr_handle_chroot_caps(&path)) {
32454 + goto dput_and_out;
32457 set_fs_root(current->fs, &path);
32459 + gr_handle_chroot_chdir(&path);
32464 @@ -453,6 +479,12 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
32465 err = mnt_want_write_file(file);
32469 + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
32471 + goto out_drop_write;
32474 mutex_lock(&inode->i_mutex);
32475 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
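Review bot: The descriptor-based `fchmod` path receives only `gr_acl_handle_fchmod`, while the `fchmodat` hunk below also calls `gr_handle_chroot_chmod` once the mode has been normalised; going by the line counts of the two `fchmod` hunks (+6 and +1) there is no second hook here. If `gr_handle_chroot_chmod` is meant to restrict mode changes made from inside a chroot, the same call (with `dentry` and `file->f_path.mnt`) presumably belongs after `security_path_chmod` in this function as well, or a comment should explain why the descriptor path is exempt. The body of the added `if` and the tail of the function are not visible in this listing.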
32477 @@ -464,6 +496,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
32478 err = notify_change(dentry, &newattrs);
32480 mutex_unlock(&inode->i_mutex);
32482 mnt_drop_write(file->f_path.mnt);
32485 @@ -486,17 +519,30 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
32486 error = mnt_want_write(path.mnt);
32490 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
32492 + goto out_drop_write;
32495 mutex_lock(&inode->i_mutex);
32496 error = security_path_chmod(path.dentry, path.mnt, mode);
32499 if (mode == (mode_t) -1)
32500 mode = inode->i_mode;
32502 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
32507 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
32508 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
32509 error = notify_change(path.dentry, &newattrs);
32511 mutex_unlock(&inode->i_mutex);
32513 mnt_drop_write(path.mnt);
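Review bot: `gr_acl_handle_chmod` is called with the caller-supplied `mode` before the `if (mode == (mode_t) -1) mode = inode->i_mode;` normalisation, whereas `gr_handle_chroot_chmod` a few lines later sees the normalised value. Unless the ACL hook itself treats `(mode_t) -1` as "keep the current mode" (its body is not on this page), it evaluates a value with every bit set. Either document that contract at the call, e.g. `/* mode may still be (mode_t)-1 here; the hook must handle it */`, or move the check below the normalisation so both hooks judge the same mode.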
32516 @@ -515,6 +561,9 @@ static int chown_common(struct path *pat
32518 struct iattr newattrs;
32520 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
32523 newattrs.ia_valid = ATTR_CTIME;
32524 if (user != (uid_t) -1) {
32525 newattrs.ia_valid |= ATTR_UID;
32526 diff -urNp linux-2.6.35.5/fs/pipe.c linux-2.6.35.5/fs/pipe.c
32527 --- linux-2.6.35.5/fs/pipe.c 2010-08-26 19:47:12.000000000 -0400
32528 +++ linux-2.6.35.5/fs/pipe.c 2010-09-17 20:12:37.000000000 -0400
32529 @@ -420,9 +420,9 @@ redo:
32531 if (bufs) /* More to do? */
32533 - if (!pipe->writers)
32534 + if (!atomic_read(&pipe->writers))
32536 - if (!pipe->waiting_writers) {
32537 + if (!atomic_read(&pipe->waiting_writers)) {
32538 /* syscall merging: Usually we must not sleep
32539 * if O_NONBLOCK is set, or if we got some data.
32540 * But if a writer sleeps in kernel space, then
32541 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
32542 mutex_lock(&inode->i_mutex);
32543 pipe = inode->i_pipe;
32545 - if (!pipe->readers) {
32546 + if (!atomic_read(&pipe->readers)) {
32547 send_sig(SIGPIPE, current, 0);
32550 @@ -530,7 +530,7 @@ redo1:
32554 - if (!pipe->readers) {
32555 + if (!atomic_read(&pipe->readers)) {
32556 send_sig(SIGPIPE, current, 0);
32559 @@ -616,9 +616,9 @@ redo2:
32560 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
32563 - pipe->waiting_writers++;
32564 + atomic_inc(&pipe->waiting_writers);
32566 - pipe->waiting_writers--;
32567 + atomic_dec(&pipe->waiting_writers);
32570 mutex_unlock(&inode->i_mutex);
32571 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
32573 if (filp->f_mode & FMODE_READ) {
32574 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
32575 - if (!pipe->writers && filp->f_version != pipe->w_counter)
32576 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
32580 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
32581 * Most Unices do not set POLLERR for FIFOs but on Linux they
32582 * behave exactly like pipes for poll().
32584 - if (!pipe->readers)
32585 + if (!atomic_read(&pipe->readers))
32589 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
32591 mutex_lock(&inode->i_mutex);
32592 pipe = inode->i_pipe;
32593 - pipe->readers -= decr;
32594 - pipe->writers -= decw;
32595 + atomic_sub(decr, &pipe->readers);
32596 + atomic_sub(decw, &pipe->writers);
32598 - if (!pipe->readers && !pipe->writers) {
32599 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
32600 free_pipe_info(inode);
32602 wake_up_interruptible_sync(&pipe->wait);
32603 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
32605 if (inode->i_pipe) {
32607 - inode->i_pipe->readers++;
32608 + atomic_inc(&inode->i_pipe->readers);
32611 mutex_unlock(&inode->i_mutex);
32612 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
32614 if (inode->i_pipe) {
32616 - inode->i_pipe->writers++;
32617 + atomic_inc(&inode->i_pipe->writers);
32620 mutex_unlock(&inode->i_mutex);
32621 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
32622 if (inode->i_pipe) {
32624 if (filp->f_mode & FMODE_READ)
32625 - inode->i_pipe->readers++;
32626 + atomic_inc(&inode->i_pipe->readers);
32627 if (filp->f_mode & FMODE_WRITE)
32628 - inode->i_pipe->writers++;
32629 + atomic_inc(&inode->i_pipe->writers);
32632 mutex_unlock(&inode->i_mutex);
32633 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
32634 inode->i_pipe = NULL;
32637 -static struct vfsmount *pipe_mnt __read_mostly;
32638 +struct vfsmount *pipe_mnt __read_mostly;
32641 * pipefs_dname() is called from d_path().
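Review bot: Dropping `static` from `pipe_mnt` gives the pipefs mount pointer external linkage, but neither a declaration nor the new user is visible in the fs/pipe.c hunks. A comment naming the consumer, e.g. `/* non-static: also used by <file> */` (placeholder for the real user), would help. An `extern` declaration in a shared header rather than in the using file would keep the wider visibility intentional and type-checked.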
32642 @@ -959,7 +959,8 @@ static struct inode * get_pipe_inode(voi
32644 inode->i_pipe = pipe;
32646 - pipe->readers = pipe->writers = 1;
32647 + atomic_set(&pipe->readers, 1);
32648 + atomic_set(&pipe->writers, 1);
32649 inode->i_fop = &rdwr_pipefifo_fops;
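Review bot: The hunks in this file turn `readers`, `writers` and `waiting_writers` into atomic counters without saying why. The updates visible in `pipe_write`, `pipe_release` and the open helpers still sit next to `mutex_lock(&inode->i_mutex)` / `mutex_unlock`, so the change does not look motivated by concurrency. If the intent is to bring these counts under the patch's overflow detection for atomic counters (the counterpart of the `_unchecked` opt-outs used elsewhere on this page), a comment here such as `/* atomic_t so counter overflow is detected; updates remain serialised by i_mutex */` would record it. `get_pipe_inode` continues outside the hunk.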
32652 diff -urNp linux-2.6.35.5/fs/proc/array.c linux-2.6.35.5/fs/proc/array.c
32653 --- linux-2.6.35.5/fs/proc/array.c 2010-08-26 19:47:12.000000000 -0400
32654 +++ linux-2.6.35.5/fs/proc/array.c 2010-09-17 20:12:37.000000000 -0400
32655 @@ -337,6 +337,21 @@ static void task_cpus_allowed(struct seq
32656 seq_printf(m, "\n");
32659 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
32660 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
32663 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
32664 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
32665 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
32666 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
32667 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
32668 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
32670 + seq_printf(m, "PaX:\t-----\n");
32674 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
32675 struct pid *pid, struct task_struct *task)
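Review bot: `task_pax` reads `p->mm` five times straight from the task pointer, and nothing visible pins the mm for the duration of the `seq_printf`. The guard that selects between the two `seq_printf` calls is not shown in this listing, but a plain NULL test would not stop the task from dropping its mm between the test and the reads. Taking a reference with `get_task_mm()` (as `proc_pid_auxv` in fs/proc/base.c does) and releasing it with `mmput()` closes that window and makes the no-mm case explicit. The hunk also carries the opening lines of `proc_pid_status`, whose body continues outside it.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	/* Holds a reference on the mm; NULL when the task has none. */
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```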
32677 @@ -357,9 +372,20 @@ int proc_pid_status(struct seq_file *m,
32678 task_show_regs(m, task);
32680 task_context_switch_counts(m, task);
32682 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
32683 + task_pax(m, task);
32689 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32690 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
32691 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
32692 + _mm->pax_flags & MF_PAX_SEGMEXEC))
32695 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
32696 struct pid *pid, struct task_struct *task, int whole)
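Review bot: `PAX_RAND_FLAGS` uses its argument four times without parentheses (`_mm != NULL && _mm != current->mm ...`), and the identical definition is added again in fs/proc/base.c, so the two copies can drift apart. A single `static inline` helper in a shared header would be type-checked and would evaluate its argument once; if the macro stays, write `(_mm)` at each use. Because this predicate decides whether address fields are masked for other processes, a comment stating the rule (masked when the target mm is not the reader's own and has RANDMMAP or SEGMEXEC set) belongs next to it. The hunk ends on the opening lines of `do_task_stat`, whose body is outside it.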
32698 @@ -452,6 +478,19 @@ static int do_task_stat(struct seq_file
32699 gtime = task->gtime;
32702 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32703 + if (PAX_RAND_FLAGS(mm)) {
32709 +#ifdef CONFIG_GRKERNSEC_HIDESYM
32715 /* scale priority and nice values from timeslices to -20..20 */
32716 /* to make it look like a "normal" Unix priority/nice value */
32717 priority = task_prio(task);
32718 @@ -492,9 +531,15 @@ static int do_task_stat(struct seq_file
32720 mm ? get_mm_rss(mm) : 0,
32722 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32723 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
32724 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
32725 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
32727 mm ? mm->start_code : 0,
32728 mm ? mm->end_code : 0,
32729 (permitted && mm) ? mm->start_stack : 0,
32733 /* The signal information here is obsolete.
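Review bot: The masked values are inconsistent and unexplained: `start_code` and `end_code` are reported as `1` when `PAX_RAND_FLAGS(mm)` holds, while `start_stack` is reported as `0`. If `1` is chosen so that readers of the stat line do not mistake the field for "no mm", say so in a comment above the `#ifdef`, e.g. `/* report placeholders instead of real addresses when the target's layout is randomised */`, followed by the reason for `1` versus `0`. The matching `#else`/`#endif` lines and the rest of the `seq_printf` argument list are not visible in this listing.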
32734 @@ -547,3 +592,10 @@ int proc_pid_statm(struct seq_file *m, s
32739 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
32740 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
32742 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
32745 diff -urNp linux-2.6.35.5/fs/proc/base.c linux-2.6.35.5/fs/proc/base.c
32746 --- linux-2.6.35.5/fs/proc/base.c 2010-08-26 19:47:12.000000000 -0400
32747 +++ linux-2.6.35.5/fs/proc/base.c 2010-09-22 18:45:42.000000000 -0400
32748 @@ -103,6 +103,22 @@ struct pid_entry {
32752 +struct getdents_callback {
32753 + struct linux_dirent __user * current_dir;
32754 + struct linux_dirent __user * previous;
32755 + struct file * file;
32760 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
32761 + loff_t offset, u64 ino, unsigned int d_type)
32763 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
32764 + buf->error = -EINVAL;
32768 #define NOD(NAME, MODE, IOP, FOP, OP) { \
32770 .len = sizeof(NAME) - 1, \
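Review bot: `gr_fake_filldir` casts `__buf` to `struct getdents_callback *` and writes `buf->error`, so it is only safe when the directory-read caller really passed a buffer of that layout. The struct is redefined locally in this hunk, and nothing visible ties it to the definition the readdir callers use, so a caller handing in a different callback structure would have `-EINVAL` written at whatever offset `error` has here. Sharing one definition through a header, or at least a comment such as `/* must match the callback struct used by the getdents syscall path */`, would make the dependency explicit. Some lines of the struct and of the function body are missing from this listing.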
32771 @@ -202,6 +218,9 @@ static int check_mem_permission(struct t
32772 if (task == current)
32775 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
32779 * If current is actively ptrace'ing, and would also be
32780 * permitted to freshly attach with ptrace now, permit it.
32781 @@ -249,6 +268,9 @@ static int proc_pid_cmdline(struct task_
32783 goto out_mm; /* Shh! No looking before we're done */
32785 + if (gr_acl_handle_procpidmem(task))
32788 len = mm->arg_end - mm->arg_start;
32790 if (len > PAGE_SIZE)
32791 @@ -276,12 +298,26 @@ out:
32795 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32796 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
32797 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
32798 + _mm->pax_flags & MF_PAX_SEGMEXEC))
32801 static int proc_pid_auxv(struct task_struct *task, char *buffer)
32804 struct mm_struct *mm = get_task_mm(task);
32806 unsigned int nwords = 0;
32808 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32809 + if (PAX_RAND_FLAGS(mm)) {
32817 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
32818 @@ -295,7 +331,7 @@ static int proc_pid_auxv(struct task_str
32822 -#ifdef CONFIG_KALLSYMS
32823 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
32825 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
32826 * Returns the resolved symbol. If that fails, simply return the address.
32827 @@ -317,7 +353,7 @@ static int proc_pid_wchan(struct task_st
32829 #endif /* CONFIG_KALLSYMS */
32831 -#ifdef CONFIG_STACKTRACE
32832 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
32834 #define MAX_STACK_TRACE_DEPTH 64
32836 @@ -511,7 +547,7 @@ static int proc_pid_limits(struct task_s
32840 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
32841 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
32842 static int proc_pid_syscall(struct task_struct *task, char *buffer)
32845 @@ -920,6 +956,9 @@ static ssize_t environ_read(struct file
32849 + if (gr_acl_handle_procpidmem(task))
32852 if (!ptrace_may_access(task, PTRACE_MODE_READ))
32855 @@ -1514,7 +1553,11 @@ static struct inode *proc_pid_make_inode
32857 cred = __task_cred(task);
32858 inode->i_uid = cred->euid;
32859 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32860 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
32862 inode->i_gid = cred->egid;
32866 security_task_to_inode(task, inode);
32867 @@ -1532,6 +1575,9 @@ static int pid_getattr(struct vfsmount *
32868 struct inode *inode = dentry->d_inode;
32869 struct task_struct *task;
32870 const struct cred *cred;
32871 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32872 + const struct cred *tmpcred = current_cred();
32875 generic_fillattr(inode, stat);
32877 @@ -1539,12 +1585,34 @@ static int pid_getattr(struct vfsmount *
32880 task = pid_task(proc_pid(inode), PIDTYPE_PID);
32882 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
32883 + rcu_read_unlock();
32888 + cred = __task_cred(task);
32889 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32890 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
32891 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32892 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
32896 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
32897 +#ifdef CONFIG_GRKERNSEC_PROC_USER
32898 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
32899 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32900 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
32902 task_dumpable(task)) {
32903 - cred = __task_cred(task);
32904 stat->uid = cred->euid;
32905 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32906 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
32908 stat->gid = cred->egid;
32913 @@ -1576,11 +1644,20 @@ static int pid_revalidate(struct dentry
32916 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
32917 +#ifdef CONFIG_GRKERNSEC_PROC_USER
32918 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
32919 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32920 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
32922 task_dumpable(task)) {
32924 cred = __task_cred(task);
32925 inode->i_uid = cred->euid;
32926 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32927 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
32929 inode->i_gid = cred->egid;
32934 @@ -1701,7 +1778,8 @@ static int proc_fd_info(struct inode *in
32935 int fd = proc_fd(inode);
32938 - files = get_files_struct(task);
32939 + if (!gr_acl_handle_procpidmem(task))
32940 + files = get_files_struct(task);
32941 put_task_struct(task);
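Review bot: The new `if (!gr_acl_handle_procpidmem(task))` guard makes the assignment to `files` conditional, so the code after `put_task_struct(task)` now depends on `files` already being NULL when the check denies access. The declaration of `files` is outside this hunk, so confirm that it is initialised to NULL there. A short comment such as `/* files stays NULL when the grsec check denies access; handled below like a task without a files_struct */` would make that dependency visible to the next reader.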
32944 @@ -1953,12 +2031,22 @@ static const struct file_operations proc
32945 static int proc_fd_permission(struct inode *inode, int mask)
32948 + struct task_struct *task;
32950 rv = generic_permission(inode, mask, NULL);
32954 if (task_pid(current) == proc_pid(inode))
32957 + task = get_proc_task(inode);
32958 + if (task == NULL)
32961 + if (gr_acl_handle_procpidmem(task))
32964 + put_task_struct(task);
32969 @@ -2067,6 +2155,9 @@ static struct dentry *proc_pident_lookup
32973 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
32977 * Yes, it does not scale. And it should not. Don't add
32978 * new entries into /proc/<tgid>/ without very good reasons.
32979 @@ -2111,6 +2202,9 @@ static int proc_pident_readdir(struct fi
32983 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
32989 @@ -2380,7 +2474,7 @@ static void *proc_self_follow_link(struc
32990 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
32993 - char *s = nd_get_link(nd);
32994 + const char *s = nd_get_link(nd);
32998 @@ -2580,7 +2674,7 @@ static const struct pid_entry tgid_base_
32999 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33001 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33002 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33003 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33004 INF("syscall", S_IRUSR, proc_pid_syscall),
33006 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33007 @@ -2605,10 +2699,10 @@ static const struct pid_entry tgid_base_
33008 #ifdef CONFIG_SECURITY
33009 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33011 -#ifdef CONFIG_KALLSYMS
33012 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33013 INF("wchan", S_IRUGO, proc_pid_wchan),
33015 -#ifdef CONFIG_STACKTRACE
33016 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33017 ONE("stack", S_IRUSR, proc_pid_stack),
33019 #ifdef CONFIG_SCHEDSTATS
33020 @@ -2638,6 +2732,9 @@ static const struct pid_entry tgid_base_
33021 INF("io", S_IRUGO, proc_tgid_io_accounting),
33023 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
33024 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33025 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
33029 static int proc_tgid_base_readdir(struct file * filp,
33030 @@ -2762,7 +2859,14 @@ static struct dentry *proc_pid_instantia
33034 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33035 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
33036 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33037 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33038 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
33040 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
33042 inode->i_op = &proc_tgid_base_inode_operations;
33043 inode->i_fop = &proc_tgid_base_operations;
33044 inode->i_flags|=S_IMMUTABLE;
33045 @@ -2804,7 +2908,11 @@ struct dentry *proc_pid_lookup(struct in
33049 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33050 + goto out_put_task;
33052 result = proc_pid_instantiate(dir, dentry, task, NULL);
33054 put_task_struct(task);
33057 @@ -2869,6 +2977,11 @@ int proc_pid_readdir(struct file * filp,
33059 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
33060 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
33061 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33062 + const struct cred *tmpcred = current_cred();
33063 + const struct cred *itercred;
33065 + filldir_t __filldir = filldir;
33066 struct tgid_iter iter;
33067 struct pid_namespace *ns;
33069 @@ -2887,8 +3000,27 @@ int proc_pid_readdir(struct file * filp,
33070 for (iter = next_tgid(ns, iter);
33072 iter.tgid += 1, iter = next_tgid(ns, iter)) {
33073 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33075 + itercred = __task_cred(iter.task);
33077 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
33078 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33079 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
33080 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33081 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33086 + __filldir = &gr_fake_filldir;
33088 + __filldir = filldir;
33089 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33090 + rcu_read_unlock();
33092 filp->f_pos = iter.tgid + TGID_OFFSET;
33093 if (!vx_proc_task_visible(iter.task))
33095 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
33096 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
33097 put_task_struct(iter.task);
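Review bot: The hide decision in this loop is one `if` condition split across three nested `#if` levels (`gr_pid_is_chrooted`/`gr_check_hidden_task`, then the uid comparison, then `in_group_p`), which makes the operator grouping hard to verify by reading; pid_getattr has the same construction. Moving the test into one helper that takes the task and `tmpcred` and returns whether the entry is hidden, with the `#if` blocks inside it, would leave the loop as a plain `__filldir = hidden ? &gr_fake_filldir : filldir;`. The `rcu_read_unlock()` is also compiled conditionally and its matching lock is not among the visible lines, so the pairing should be checked for every config combination. A comment stating why hidden tasks are still passed through `proc_pid_fill_cache` with `gr_fake_filldir` rather than skipped would help, since the definition of `gr_fake_filldir` is not in this hunk.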
33098 @@ -2915,7 +3047,7 @@ static const struct pid_entry tid_base_s
33099 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33101 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33102 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33103 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33104 INF("syscall", S_IRUSR, proc_pid_syscall),
33106 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33107 @@ -2939,10 +3071,10 @@ static const struct pid_entry tid_base_s
33108 #ifdef CONFIG_SECURITY
33109 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33111 -#ifdef CONFIG_KALLSYMS
33112 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33113 INF("wchan", S_IRUGO, proc_pid_wchan),
33115 -#ifdef CONFIG_STACKTRACE
33116 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33117 ONE("stack", S_IRUSR, proc_pid_stack),
33119 #ifdef CONFIG_SCHEDSTATS
33120 diff -urNp linux-2.6.35.5/fs/proc/cmdline.c linux-2.6.35.5/fs/proc/cmdline.c
33121 --- linux-2.6.35.5/fs/proc/cmdline.c 2010-08-26 19:47:12.000000000 -0400
33122 +++ linux-2.6.35.5/fs/proc/cmdline.c 2010-09-17 20:12:37.000000000 -0400
33123 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
33125 static int __init proc_cmdline_init(void)
33127 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33128 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
33130 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
33134 module_init(proc_cmdline_init);
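Review bot: The `#ifdef CONFIG_GRKERNSEC_PROC_ADD` switch between `proc_create_grsec(...)` and `proc_create(...)` is written out at the call site here and again in proc_devices_init (fs/proc/devices.c), with identical arguments in both arms. If the header that declares `proc_create_grsec` (not visible here) supplied a fallback for the disabled case, for example `#define proc_create_grsec proc_create`, each caller would be the single line `proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);`. The two arms could then never drift apart in their arguments.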
33135 diff -urNp linux-2.6.35.5/fs/proc/devices.c linux-2.6.35.5/fs/proc/devices.c
33136 --- linux-2.6.35.5/fs/proc/devices.c 2010-08-26 19:47:12.000000000 -0400
33137 +++ linux-2.6.35.5/fs/proc/devices.c 2010-09-17 20:12:37.000000000 -0400
33138 @@ -64,7 +64,11 @@ static const struct file_operations proc
33140 static int __init proc_devices_init(void)
33142 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33143 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
33145 proc_create("devices", 0, NULL, &proc_devinfo_operations);
33149 module_init(proc_devices_init);
33150 diff -urNp linux-2.6.35.5/fs/proc/inode.c linux-2.6.35.5/fs/proc/inode.c
33151 --- linux-2.6.35.5/fs/proc/inode.c 2010-08-26 19:47:12.000000000 -0400
33152 +++ linux-2.6.35.5/fs/proc/inode.c 2010-09-17 20:12:37.000000000 -0400
33153 @@ -435,7 +435,11 @@ struct inode *proc_get_inode(struct supe
33155 inode->i_mode = de->mode;
33156 inode->i_uid = de->uid;
33157 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33158 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33160 inode->i_gid = de->gid;
33164 inode->i_size = de->size;
33165 diff -urNp linux-2.6.35.5/fs/proc/internal.h linux-2.6.35.5/fs/proc/internal.h
33166 --- linux-2.6.35.5/fs/proc/internal.h 2010-08-26 19:47:12.000000000 -0400
33167 +++ linux-2.6.35.5/fs/proc/internal.h 2010-09-17 20:12:37.000000000 -0400
33168 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
33169 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
33170 struct pid *pid, struct task_struct *task);
33172 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33173 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
33175 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
33177 extern const struct file_operations proc_maps_operations;
33178 diff -urNp linux-2.6.35.5/fs/proc/Kconfig linux-2.6.35.5/fs/proc/Kconfig
33179 --- linux-2.6.35.5/fs/proc/Kconfig 2010-08-26 19:47:12.000000000 -0400
33180 +++ linux-2.6.35.5/fs/proc/Kconfig 2010-09-17 20:12:37.000000000 -0400
33181 @@ -30,12 +30,12 @@ config PROC_FS
33184 bool "/proc/kcore support" if !ARM
33185 - depends on PROC_FS && MMU
33186 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
33189 bool "/proc/vmcore support (EXPERIMENTAL)"
33190 - depends on PROC_FS && CRASH_DUMP
33192 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
33195 Exports the dump image of crashed kernel in ELF format.
33197 @@ -59,8 +59,8 @@ config PROC_SYSCTL
33200 config PROC_PAGE_MONITOR
33202 - depends on PROC_FS && MMU
33204 + depends on PROC_FS && MMU && !GRKERNSEC
33205 bool "Enable /proc page monitoring" if EMBEDDED
33207 Various /proc files exist to monitor process memory utilization:
33208 diff -urNp linux-2.6.35.5/fs/proc/kcore.c linux-2.6.35.5/fs/proc/kcore.c
33209 --- linux-2.6.35.5/fs/proc/kcore.c 2010-08-26 19:47:12.000000000 -0400
33210 +++ linux-2.6.35.5/fs/proc/kcore.c 2010-09-17 20:12:37.000000000 -0400
33211 @@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
33212 * the addresses in the elf_phdr on our list.
33214 start = kc_offset_to_vaddr(*fpos - elf_buflen);
33215 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
33216 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
33217 + if (tsz > buflen)
33222 struct kcore_list *m;
33224 @@ -509,20 +510,18 @@ read_kcore(struct file *file, char __use
33227 if (kern_addr_valid(start)) {
33231 - n = copy_to_user(buffer, (char *)start, tsz);
33233 - * We cannot distingush between fault on source
33234 - * and fault on destination. When this happens
33235 - * we clear too and hope it will trigger the
33239 - if (clear_user(buffer + tsz - n,
33241 + elf_buf = kmalloc(tsz, GFP_KERNEL);
33244 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
33245 + if (copy_to_user(buffer, elf_buf, tsz)) {
33252 if (clear_user(buffer, tsz))
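Review bot: The cast `(const void __user *)start` in the new `__copy_from_user` call lacks the `__force` marker that this same patch adds to the kernel-to-user pointer casts in fs/splice.c, so sparse will presumably warn on this line; it should read `(__force const void __user *)start`. The bounce buffer is stored in `elf_buf`, a name that suggests the ELF header buffer rather than a per-page copy of kernel memory; a separate local, or a comment saying why the data is staged through a kernel buffer before `copy_to_user`, would make the intent clear. The NULL check after `kmalloc` and the matching `kfree` fall on lines not visible in this hunk, so confirm that every exit from the `kern_addr_valid(start)` branch frees the buffer.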
33254 @@ -542,6 +541,9 @@ read_kcore(struct file *file, char __use
33256 static int open_kcore(struct inode *inode, struct file *filp)
33258 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
33261 if (!capable(CAP_SYS_RAWIO))
33263 if (kcore_need_update)
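Review bot: The `defined(CONFIG_GRKERNSEC_PROC_ADD)` arm of the new `#if` in open_kcore appears unreachable, because the fs/proc/Kconfig hunk of this patch makes "/proc/kcore support" depend on `!GRKERNSEC_PROC_ADD`. If kcore.c is built only when that option is on, the guard reduces to `#if defined(CONFIG_GRKERNSEC_HIDESYM)`. Either drop the dead arm or add a comment that it is kept deliberately as a second line of defence. The statement under the `#if` is not visible in this hunk.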
33264 diff -urNp linux-2.6.35.5/fs/proc/meminfo.c linux-2.6.35.5/fs/proc/meminfo.c
33265 --- linux-2.6.35.5/fs/proc/meminfo.c 2010-08-26 19:47:12.000000000 -0400
33266 +++ linux-2.6.35.5/fs/proc/meminfo.c 2010-09-17 20:12:09.000000000 -0400
33267 @@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
33269 vmi.largest_chunk >> 10
33270 #ifdef CONFIG_MEMORY_FAILURE
33271 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
33272 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
33276 diff -urNp linux-2.6.35.5/fs/proc/nommu.c linux-2.6.35.5/fs/proc/nommu.c
33277 --- linux-2.6.35.5/fs/proc/nommu.c 2010-08-26 19:47:12.000000000 -0400
33278 +++ linux-2.6.35.5/fs/proc/nommu.c 2010-09-17 20:12:09.000000000 -0400
33279 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
33282 seq_printf(m, "%*c", len, ' ');
33283 - seq_path(m, &file->f_path, "");
33284 + seq_path(m, &file->f_path, "\n\\");
33288 diff -urNp linux-2.6.35.5/fs/proc/proc_net.c linux-2.6.35.5/fs/proc/proc_net.c
33289 --- linux-2.6.35.5/fs/proc/proc_net.c 2010-08-26 19:47:12.000000000 -0400
33290 +++ linux-2.6.35.5/fs/proc/proc_net.c 2010-09-17 20:12:37.000000000 -0400
33291 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
33292 struct task_struct *task;
33293 struct nsproxy *ns;
33294 struct net *net = NULL;
33295 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33296 + const struct cred *cred = current_cred();
33299 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33302 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33303 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
33308 task = pid_task(proc_pid(dir), PIDTYPE_PID);
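Review bot: The restriction added to get_proc_task_net tests `cred->fsuid`, while the equivalent checks this patch adds in fs/proc/base.c (pid_getattr and proc_pid_readdir) test `tmpcred->uid`. A caller whose fsuid differs from its real uid therefore gets different answers from the two places. If the difference is deliberate, a comment should say which credential each path is meant to use; otherwise pick one, e.g. `if (cred->uid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))`. The `CONFIG_GRKERNSEC_PROC_USER` arm and the statements under both conditions are on lines not shown here.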
33309 diff -urNp linux-2.6.35.5/fs/proc/proc_sysctl.c linux-2.6.35.5/fs/proc/proc_sysctl.c
33310 --- linux-2.6.35.5/fs/proc/proc_sysctl.c 2010-08-26 19:47:12.000000000 -0400
33311 +++ linux-2.6.35.5/fs/proc/proc_sysctl.c 2010-09-17 20:12:37.000000000 -0400
33313 #include <linux/security.h>
33314 #include "internal.h"
33316 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
33318 static const struct dentry_operations proc_sys_dentry_operations;
33319 static const struct file_operations proc_sys_file_operations;
33320 static const struct inode_operations proc_sys_inode_operations;
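Review bot: The prototype `extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);` is declared directly in proc_sysctl.c, so the compiler never checks it against the definition. Other files in this patch (fs/select.c, fs/utimes.c) add `#include <linux/security.h>` before calling their `gr_*` hooks, which suggests a shared header already carries such declarations. Moving this prototype there would keep the signature in one place and remove the file-local `extern`. In the scan() hunk further down the hook is called with a bare `0` as `op` where the other callers pass `MAY_EXEC`; a named constant or a comment would explain that value.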
33321 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
33325 + if (gr_handle_sysctl(p, MAY_EXEC))
33328 err = ERR_PTR(-ENOMEM);
33329 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
33331 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
33332 if (*pos < file->f_pos)
33335 + if (gr_handle_sysctl(table, 0))
33338 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
33341 @@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
33343 return PTR_ERR(head);
33345 + if (table && gr_handle_sysctl(table, MAY_EXEC))
33348 generic_fillattr(inode, stat);
33350 stat->mode = (stat->mode & S_IFMT) | table->mode;
33351 diff -urNp linux-2.6.35.5/fs/proc/root.c linux-2.6.35.5/fs/proc/root.c
33352 --- linux-2.6.35.5/fs/proc/root.c 2010-08-26 19:47:12.000000000 -0400
33353 +++ linux-2.6.35.5/fs/proc/root.c 2010-09-17 20:12:37.000000000 -0400
33354 @@ -133,7 +133,15 @@ void __init proc_root_init(void)
33355 #ifdef CONFIG_PROC_DEVICETREE
33356 proc_device_tree_init();
33358 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33359 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33360 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
33361 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33362 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
33365 proc_mkdir("bus", NULL);
33370 diff -urNp linux-2.6.35.5/fs/proc/task_mmu.c linux-2.6.35.5/fs/proc/task_mmu.c
33371 --- linux-2.6.35.5/fs/proc/task_mmu.c 2010-08-26 19:47:12.000000000 -0400
33372 +++ linux-2.6.35.5/fs/proc/task_mmu.c 2010-09-17 20:12:37.000000000 -0400
33373 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
33374 "VmExe:\t%8lu kB\n"
33375 "VmLib:\t%8lu kB\n"
33376 "VmPTE:\t%8lu kB\n"
33377 - "VmSwap:\t%8lu kB\n",
33378 - hiwater_vm << (PAGE_SHIFT-10),
33379 + "VmSwap:\t%8lu kB\n"
33381 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33382 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
33385 + ,hiwater_vm << (PAGE_SHIFT-10),
33386 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
33387 mm->locked_vm << (PAGE_SHIFT-10),
33388 hiwater_rss << (PAGE_SHIFT-10),
33389 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
33390 data << (PAGE_SHIFT-10),
33391 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
33392 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
33393 - swap << (PAGE_SHIFT-10));
33394 + swap << (PAGE_SHIFT-10)
33396 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33397 + , mm->context.user_cs_base, mm->context.user_cs_limit
33403 unsigned long task_vsize(struct mm_struct *mm)
33404 @@ -203,6 +214,12 @@ static int do_maps_open(struct inode *in
33408 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33409 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33410 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33411 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33414 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
33416 struct mm_struct *mm = vma->vm_mm;
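Review bot: `PAX_RAND_FLAGS(_mm)` uses its argument four times without parentheses, so any argument that is not a plain identifier or member access can parse incorrectly, and an argument with side effects would be evaluated repeatedly. At minimum write `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. Better still, make it a `static inline` function taking `const struct mm_struct *`, which is type-checked and evaluates the pointer once. Later hunks in this file call it with `vma->vm_mm`, which works today only because that expression happens to be safe.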
33417 @@ -210,7 +227,6 @@ static void show_map_vma(struct seq_file
33418 int flags = vma->vm_flags;
33419 unsigned long ino = 0;
33420 unsigned long long pgoff = 0;
33421 - unsigned long start;
33425 @@ -221,19 +237,24 @@ static void show_map_vma(struct seq_file
33426 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
33429 - /* We don't show the stack guard page in /proc/maps */
33430 - start = vma->vm_start;
33431 - if (vma->vm_flags & VM_GROWSDOWN)
33432 - start += PAGE_SIZE;
33434 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
33436 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33437 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
33438 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
33443 flags & VM_READ ? 'r' : '-',
33444 flags & VM_WRITE ? 'w' : '-',
33445 flags & VM_EXEC ? 'x' : '-',
33446 flags & VM_MAYSHARE ? 's' : 'p',
33447 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33448 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
33452 MAJOR(dev), MINOR(dev), ino, &len);
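Review bot: This hunk and the preceding one remove the `start` local and the `if (vma->vm_flags & VM_GROWSDOWN) start += PAGE_SIZE;` adjustment unconditionally, so the stack guard page is no longer hidden from the maps output even with `CONFIG_GRKERNSEC_PROC_MEMMAP` off. That is a user-visible change unrelated to the zeroing added here and is not explained by any visible comment. State why the adjustment is no longer needed, or keep it in the non-grsec arm. The three `PAX_RAND_FLAGS(mm) ? 0UL : ...` arguments would also benefit from a comment, e.g. `/* report zeroed addresses and offset for another task's randomised mm */`.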
33455 @@ -242,16 +263,16 @@ static void show_map_vma(struct seq_file
33458 pad_len_spaces(m, len);
33459 - seq_path(m, &file->f_path, "\n");
33460 + seq_path(m, &file->f_path, "\n\\");
33462 const char *name = arch_vma_name(vma);
33465 - if (vma->vm_start <= mm->start_brk &&
33466 - vma->vm_end >= mm->brk) {
33467 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
33469 - } else if (vma->vm_start <= mm->start_stack &&
33470 - vma->vm_end >= mm->start_stack) {
33471 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
33472 + (vma->vm_start <= mm->start_stack &&
33473 + vma->vm_end >= mm->start_stack)) {
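Review bot: The rewritten heap test `vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk` is an overlap check with inclusive bounds, so a mapping that merely ends at `start_brk` or begins at `brk` satisfies it, assuming `vm_end` is exclusive as usual. If only mappings that actually intersect the heap range should get the heap label, use strict comparisons: `if (vma->vm_start < mm->brk && vma->vm_end > mm->start_brk) {`. The stack branch now also matches any VMA with `VM_GROWSDOWN` or `VM_GROWSUP`, whether or not it contains `mm->start_stack`; a comment should say that labelling every growable mapping this way is intended. The names assigned in both branches are on lines not shown in this hunk.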
33477 @@ -393,11 +414,16 @@ static int show_smap(struct seq_file *m,
33480 memset(&mss, 0, sizeof mss);
33482 - /* mmap_sem is held in m_start */
33483 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
33484 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
33486 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33487 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
33490 + /* mmap_sem is held in m_start */
33491 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
33492 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
33493 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33496 show_map_vma(m, vma);
33499 @@ -412,7 +438,11 @@ static int show_smap(struct seq_file *m,
33501 "KernelPageSize: %8lu kB\n"
33502 "MMUPageSize: %8lu kB\n",
33503 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33504 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
33506 (vma->vm_end - vma->vm_start) >> 10,
33508 mss.resident >> 10,
33509 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
33510 mss.shared_clean >> 10,
33511 diff -urNp linux-2.6.35.5/fs/proc/task_nommu.c linux-2.6.35.5/fs/proc/task_nommu.c
33512 --- linux-2.6.35.5/fs/proc/task_nommu.c 2010-08-26 19:47:12.000000000 -0400
33513 +++ linux-2.6.35.5/fs/proc/task_nommu.c 2010-09-17 20:12:09.000000000 -0400
33514 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
33516 bytes += kobjsize(mm);
33518 - if (current->fs && current->fs->users > 1)
33519 + if (current->fs && atomic_read(¤t->fs->users) > 1)
33520 sbytes += kobjsize(current->fs);
33522 bytes += kobjsize(current->fs);
33523 @@ -165,7 +165,7 @@ static int nommu_vma_show(struct seq_fil
33526 pad_len_spaces(m, len);
33527 - seq_path(m, &file->f_path, "");
33528 + seq_path(m, &file->f_path, "\n\\");
33530 if (vma->vm_start <= mm->start_stack &&
33531 vma->vm_end >= mm->start_stack) {
33532 diff -urNp linux-2.6.35.5/fs/readdir.c linux-2.6.35.5/fs/readdir.c
33533 --- linux-2.6.35.5/fs/readdir.c 2010-08-26 19:47:12.000000000 -0400
33534 +++ linux-2.6.35.5/fs/readdir.c 2010-09-17 20:12:37.000000000 -0400
33536 #include <linux/security.h>
33537 #include <linux/syscalls.h>
33538 #include <linux/unistd.h>
33539 +#include <linux/namei.h>
33541 #include <asm/uaccess.h>
33543 @@ -67,6 +68,7 @@ struct old_linux_dirent {
33545 struct readdir_callback {
33546 struct old_linux_dirent __user * dirent;
33547 + struct file * file;
33551 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
33552 buf->result = -EOVERFLOW;
33556 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33560 dirent = buf->dirent;
33561 if (!access_ok(VERIFY_WRITE, dirent,
33562 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
33565 buf.dirent = dirent;
33568 error = vfs_readdir(file, fillonedir, &buf);
33570 @@ -142,6 +149,7 @@ struct linux_dirent {
33571 struct getdents_callback {
33572 struct linux_dirent __user * current_dir;
33573 struct linux_dirent __user * previous;
33574 + struct file * file;
33578 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
33579 buf->error = -EOVERFLOW;
33583 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33586 dirent = buf->previous;
33588 if (__put_user(offset, &dirent->d_off))
33589 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
33590 buf.previous = NULL;
33595 error = vfs_readdir(file, filldir, &buf);
33597 @@ -228,6 +241,7 @@ out:
33598 struct getdents_callback64 {
33599 struct linux_dirent64 __user * current_dir;
33600 struct linux_dirent64 __user * previous;
33601 + struct file *file;
33605 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
33606 buf->error = -EINVAL; /* only used if we fail.. */
33607 if (reclen > buf->count)
33610 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33613 dirent = buf->previous;
33615 if (__put_user(offset, &dirent->d_off))
33616 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
33618 buf.current_dir = dirent;
33619 buf.previous = NULL;
33624 diff -urNp linux-2.6.35.5/fs/reiserfs/do_balan.c linux-2.6.35.5/fs/reiserfs/do_balan.c
33625 --- linux-2.6.35.5/fs/reiserfs/do_balan.c 2010-08-26 19:47:12.000000000 -0400
33626 +++ linux-2.6.35.5/fs/reiserfs/do_balan.c 2010-09-17 20:12:09.000000000 -0400
33627 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
33631 - atomic_inc(&(fs_generation(tb->tb_sb)));
33632 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
33633 do_balance_starts(tb);
33635 /* balance leaf returns 0 except if combining L R and S into
33636 diff -urNp linux-2.6.35.5/fs/reiserfs/item_ops.c linux-2.6.35.5/fs/reiserfs/item_ops.c
33637 --- linux-2.6.35.5/fs/reiserfs/item_ops.c 2010-08-26 19:47:12.000000000 -0400
33638 +++ linux-2.6.35.5/fs/reiserfs/item_ops.c 2010-09-17 20:12:09.000000000 -0400
33639 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
33640 vi->vi_index, vi->vi_type, vi->vi_ih);
33643 -static struct item_operations stat_data_ops = {
33644 +static const struct item_operations stat_data_ops = {
33645 .bytes_number = sd_bytes_number,
33646 .decrement_key = sd_decrement_key,
33647 .is_left_mergeable = sd_is_left_mergeable,
33648 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
33649 vi->vi_index, vi->vi_type, vi->vi_ih);
33652 -static struct item_operations direct_ops = {
33653 +static const struct item_operations direct_ops = {
33654 .bytes_number = direct_bytes_number,
33655 .decrement_key = direct_decrement_key,
33656 .is_left_mergeable = direct_is_left_mergeable,
33657 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
33658 vi->vi_index, vi->vi_type, vi->vi_ih);
33661 -static struct item_operations indirect_ops = {
33662 +static const struct item_operations indirect_ops = {
33663 .bytes_number = indirect_bytes_number,
33664 .decrement_key = indirect_decrement_key,
33665 .is_left_mergeable = indirect_is_left_mergeable,
33666 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
33670 -static struct item_operations direntry_ops = {
33671 +static const struct item_operations direntry_ops = {
33672 .bytes_number = direntry_bytes_number,
33673 .decrement_key = direntry_decrement_key,
33674 .is_left_mergeable = direntry_is_left_mergeable,
33675 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
33676 "Invalid item type observed, run fsck ASAP");
33679 -static struct item_operations errcatch_ops = {
33680 +static const struct item_operations errcatch_ops = {
33681 errcatch_bytes_number,
33682 errcatch_decrement_key,
33683 errcatch_is_left_mergeable,
33684 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
33685 #error Item types must use disk-format assigned values.
33688 -struct item_operations *item_ops[TYPE_ANY + 1] = {
33689 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
33693 diff -urNp linux-2.6.35.5/fs/reiserfs/procfs.c linux-2.6.35.5/fs/reiserfs/procfs.c
33694 --- linux-2.6.35.5/fs/reiserfs/procfs.c 2010-08-26 19:47:12.000000000 -0400
33695 +++ linux-2.6.35.5/fs/reiserfs/procfs.c 2010-09-17 20:12:09.000000000 -0400
33696 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
33697 "SMALL_TAILS " : "NO_TAILS ",
33698 replay_only(sb) ? "REPLAY_ONLY " : "",
33699 convert_reiserfs(sb) ? "CONV " : "",
33700 - atomic_read(&r->s_generation_counter),
33701 + atomic_read_unchecked(&r->s_generation_counter),
33702 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
33703 SF(s_do_balance), SF(s_unneeded_left_neighbor),
33704 SF(s_good_search_by_key_reada), SF(s_bmaps),
33705 diff -urNp linux-2.6.35.5/fs/select.c linux-2.6.35.5/fs/select.c
33706 --- linux-2.6.35.5/fs/select.c 2010-08-26 19:47:12.000000000 -0400
33707 +++ linux-2.6.35.5/fs/select.c 2010-09-17 20:12:37.000000000 -0400
33709 #include <linux/module.h>
33710 #include <linux/slab.h>
33711 #include <linux/poll.h>
33712 +#include <linux/security.h>
33713 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
33714 #include <linux/file.h>
33715 #include <linux/fdtable.h>
33716 @@ -838,6 +839,7 @@ int do_sys_poll(struct pollfd __user *uf
33717 struct poll_list *walk = head;
33718 unsigned long todo = nfds;
33720 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
33721 if (nfds > rlimit(RLIMIT_NOFILE))
33724 diff -urNp linux-2.6.35.5/fs/seq_file.c linux-2.6.35.5/fs/seq_file.c
33725 --- linux-2.6.35.5/fs/seq_file.c 2010-08-26 19:47:12.000000000 -0400
33726 +++ linux-2.6.35.5/fs/seq_file.c 2010-09-17 20:12:09.000000000 -0400
33727 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
33731 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
33732 + m->size = PAGE_SIZE;
33733 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
33737 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
33741 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
33743 + m->buf = kmalloc(m->size, GFP_KERNEL);
33744 return !m->buf ? -ENOMEM : -EAGAIN;
33747 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
33748 m->version = file->f_version;
33749 /* grab buffer if we didn't have one */
33751 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
33752 + m->size = PAGE_SIZE;
33753 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
33757 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
33761 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
33763 + m->buf = kmalloc(m->size, GFP_KERNEL);
33767 diff -urNp linux-2.6.35.5/fs/smbfs/symlink.c linux-2.6.35.5/fs/smbfs/symlink.c
33768 --- linux-2.6.35.5/fs/smbfs/symlink.c 2010-08-26 19:47:12.000000000 -0400
33769 +++ linux-2.6.35.5/fs/smbfs/symlink.c 2010-09-17 20:12:09.000000000 -0400
33770 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
33772 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
33774 - char *s = nd_get_link(nd);
33775 + const char *s = nd_get_link(nd);
33779 diff -urNp linux-2.6.35.5/fs/splice.c linux-2.6.35.5/fs/splice.c
33780 --- linux-2.6.35.5/fs/splice.c 2010-08-26 19:47:12.000000000 -0400
33781 +++ linux-2.6.35.5/fs/splice.c 2010-09-17 20:12:09.000000000 -0400
33782 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
33786 - if (!pipe->readers) {
33787 + if (!atomic_read(&pipe->readers)) {
33788 send_sig(SIGPIPE, current, 0);
33791 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
33795 - pipe->waiting_writers++;
33796 + atomic_inc(&pipe->waiting_writers);
33798 - pipe->waiting_writers--;
33799 + atomic_dec(&pipe->waiting_writers);
33803 @@ -566,7 +566,7 @@ static ssize_t kernel_readv(struct file
33806 /* The cast to a user pointer is valid due to the set_fs() */
33807 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
33808 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
33812 @@ -581,7 +581,7 @@ static ssize_t kernel_write(struct file
33815 /* The cast to a user pointer is valid due to the set_fs() */
33816 - res = vfs_write(file, (const char __user *)buf, count, &pos);
33817 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
33821 @@ -634,7 +634,7 @@ ssize_t default_file_splice_read(struct
33824 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
33825 - vec[i].iov_base = (void __user *) page_address(page);
33826 + vec[i].iov_base = (__force void __user *) page_address(page);
33827 vec[i].iov_len = this_len;
33828 spd.pages[i] = page;
33830 @@ -861,10 +861,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
33831 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
33833 while (!pipe->nrbufs) {
33834 - if (!pipe->writers)
33835 + if (!atomic_read(&pipe->writers))
33838 - if (!pipe->waiting_writers && sd->num_spliced)
33839 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
33842 if (sd->flags & SPLICE_F_NONBLOCK)
33843 @@ -1201,7 +1201,7 @@ ssize_t splice_direct_to_actor(struct fi
33844 * out of the pipe right after the splice_to_pipe(). So set
33845 * PIPE_READERS appropriately.
33847 - pipe->readers = 1;
33848 + atomic_set(&pipe->readers, 1);
33850 current->splice_pipe = pipe;
33852 @@ -1769,9 +1769,9 @@ static int ipipe_prep(struct pipe_inode_
33853 ret = -ERESTARTSYS;
33856 - if (!pipe->writers)
33857 + if (!atomic_read(&pipe->writers))
33859 - if (!pipe->waiting_writers) {
33860 + if (!atomic_read(&pipe->waiting_writers)) {
33861 if (flags & SPLICE_F_NONBLOCK) {
33864 @@ -1803,7 +1803,7 @@ static int opipe_prep(struct pipe_inode_
33867 while (pipe->nrbufs >= pipe->buffers) {
33868 - if (!pipe->readers) {
33869 + if (!atomic_read(&pipe->readers)) {
33870 send_sig(SIGPIPE, current, 0);
33873 @@ -1816,9 +1816,9 @@ static int opipe_prep(struct pipe_inode_
33874 ret = -ERESTARTSYS;
33877 - pipe->waiting_writers++;
33878 + atomic_inc(&pipe->waiting_writers);
33880 - pipe->waiting_writers--;
33881 + atomic_dec(&pipe->waiting_writers);
33885 @@ -1854,14 +1854,14 @@ retry:
33886 pipe_double_lock(ipipe, opipe);
33889 - if (!opipe->readers) {
33890 + if (!atomic_read(&opipe->readers)) {
33891 send_sig(SIGPIPE, current, 0);
33897 - if (!ipipe->nrbufs && !ipipe->writers)
33898 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
33902 @@ -1961,7 +1961,7 @@ static int link_pipe(struct pipe_inode_i
33903 pipe_double_lock(ipipe, opipe);
33906 - if (!opipe->readers) {
33907 + if (!atomic_read(&opipe->readers)) {
33908 send_sig(SIGPIPE, current, 0);
33911 @@ -2006,7 +2006,7 @@ static int link_pipe(struct pipe_inode_i
33912 * return EAGAIN if we have the potential of some data in the
33913 * future, otherwise just return 0
33915 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
33916 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
33919 pipe_unlock(ipipe);
33920 diff -urNp linux-2.6.35.5/fs/sysfs/symlink.c linux-2.6.35.5/fs/sysfs/symlink.c
33921 --- linux-2.6.35.5/fs/sysfs/symlink.c 2010-08-26 19:47:12.000000000 -0400
33922 +++ linux-2.6.35.5/fs/sysfs/symlink.c 2010-09-17 20:12:09.000000000 -0400
33923 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
33925 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
33927 - char *page = nd_get_link(nd);
33928 + const char *page = nd_get_link(nd);
33930 free_page((unsigned long)page);
33932 diff -urNp linux-2.6.35.5/fs/udf/misc.c linux-2.6.35.5/fs/udf/misc.c
33933 --- linux-2.6.35.5/fs/udf/misc.c 2010-08-26 19:47:12.000000000 -0400
33934 +++ linux-2.6.35.5/fs/udf/misc.c 2010-09-17 20:12:09.000000000 -0400
33935 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
33936 iinfo->i_lenEAttr += size;
33937 return (struct genericFormat *)&ea[offset];
33941 + if (loc & 0x02) {
33946 diff -urNp linux-2.6.35.5/fs/udf/udfdecl.h linux-2.6.35.5/fs/udf/udfdecl.h
33947 --- linux-2.6.35.5/fs/udf/udfdecl.h 2010-08-26 19:47:12.000000000 -0400
33948 +++ linux-2.6.35.5/fs/udf/udfdecl.h 2010-09-17 20:12:09.000000000 -0400
33949 @@ -26,7 +26,7 @@ do { \
33953 -#define udf_debug(f, a...) /**/
33954 +#define udf_debug(f, a...) do {} while (0)
33957 #define udf_info(f, a...) \
33958 diff -urNp linux-2.6.35.5/fs/utimes.c linux-2.6.35.5/fs/utimes.c
33959 --- linux-2.6.35.5/fs/utimes.c 2010-08-26 19:47:12.000000000 -0400
33960 +++ linux-2.6.35.5/fs/utimes.c 2010-09-17 20:12:37.000000000 -0400
33962 #include <linux/compiler.h>
33963 #include <linux/file.h>
33964 #include <linux/fs.h>
33965 +#include <linux/security.h>
33966 #include <linux/linkage.h>
33967 #include <linux/mount.h>
33968 #include <linux/namei.h>
33969 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
33970 goto mnt_drop_write_and_out;
33974 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
33976 + goto mnt_drop_write_and_out;
33979 mutex_lock(&inode->i_mutex);
33980 error = notify_change(path->dentry, &newattrs);
33981 mutex_unlock(&inode->i_mutex);
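Review bot: The added `gr_acl_handle_utime()` check in utimes_common has no comment saying that a zero return means the policy refuses the timestamp change. I would put `/* RBAC policy check: a zero return denies the timestamp change */` above the `if`. The statement between the `if` and the `goto` is not visible in this listing, so it is worth confirming that `error` is set to a negative errno on that path, otherwise the jump to `mnt_drop_write_and_out` would return whatever value `error` held before. utimes_common's body starts and ends outside the hunk.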
33982 diff -urNp linux-2.6.35.5/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.35.5/fs/xfs/linux-2.6/xfs_ioctl.c
33983 --- linux-2.6.35.5/fs/xfs/linux-2.6/xfs_ioctl.c 2010-08-26 19:47:12.000000000 -0400
33984 +++ linux-2.6.35.5/fs/xfs/linux-2.6/xfs_ioctl.c 2010-09-17 20:12:37.000000000 -0400
33985 @@ -136,7 +136,7 @@ xfs_find_handle(
33989 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
33990 + if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) ||
33991 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
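Review bot: The new `hsize > sizeof(handle)` bound in xfs_find_handle shares one condition with the two copy_to_user() calls, so an oversized length takes the same failure path as a faulting user pointer (the branch body is outside the hunk). A separate check next to where hsize is computed, with a comment such as `/* never copy more than handle holds out to user space */`, would state the intent and keep a length bug distinguishable from a bad pointer. If hsize is a signed type (its declaration is not visible here), the comparison against sizeof converts it to unsigned and so also rejects negative values; the comment should say that this is relied on.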
33994 diff -urNp linux-2.6.35.5/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.35.5/fs/xfs/linux-2.6/xfs_iops.c
33995 --- linux-2.6.35.5/fs/xfs/linux-2.6/xfs_iops.c 2010-08-26 19:47:12.000000000 -0400
33996 +++ linux-2.6.35.5/fs/xfs/linux-2.6/xfs_iops.c 2010-09-17 20:12:09.000000000 -0400
33997 @@ -480,7 +480,7 @@ xfs_vn_put_link(
33998 struct nameidata *nd,
34001 - char *s = nd_get_link(nd);
34002 + const char *s = nd_get_link(nd);
34006 diff -urNp linux-2.6.35.5/fs/xfs/xfs_bmap.c linux-2.6.35.5/fs/xfs/xfs_bmap.c
34007 --- linux-2.6.35.5/fs/xfs/xfs_bmap.c 2010-08-26 19:47:12.000000000 -0400
34008 +++ linux-2.6.35.5/fs/xfs/xfs_bmap.c 2010-09-17 20:12:09.000000000 -0400
34009 @@ -296,7 +296,7 @@ xfs_bmap_validate_ret(
34013 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
34014 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
34018 diff -urNp linux-2.6.35.5/grsecurity/gracl_alloc.c linux-2.6.35.5/grsecurity/gracl_alloc.c
34019 --- linux-2.6.35.5/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
34020 +++ linux-2.6.35.5/grsecurity/gracl_alloc.c 2010-09-17 20:12:37.000000000 -0400
34022 +#include <linux/kernel.h>
34023 +#include <linux/mm.h>
34024 +#include <linux/slab.h>
34025 +#include <linux/vmalloc.h>
34026 +#include <linux/gracl.h>
34027 +#include <linux/grsecurity.h>
34029 +static unsigned long alloc_stack_next = 1;
34030 +static unsigned long alloc_stack_size = 1;
34031 +static void **alloc_stack;
34033 +static __inline__ int
34036 + if (alloc_stack_next == 1)
34039 + kfree(alloc_stack[alloc_stack_next - 2]);
34041 + alloc_stack_next--;
34046 +static __inline__ int
34047 +alloc_push(void *buf)
34049 + if (alloc_stack_next >= alloc_stack_size)
34052 + alloc_stack[alloc_stack_next - 1] = buf;
34054 + alloc_stack_next++;
34060 +acl_alloc(unsigned long len)
34062 + void *ret = NULL;
34064 + if (!len || len > PAGE_SIZE)
34067 + ret = kmalloc(len, GFP_KERNEL);
34070 + if (alloc_push(ret)) {
34081 +acl_alloc_num(unsigned long num, unsigned long len)
34083 + if (!len || (num > (PAGE_SIZE / len)))
34086 + return acl_alloc(num * len);
34090 +acl_free_all(void)
34092 + if (gr_acl_is_enabled() || !alloc_stack)
34095 + while (alloc_pop()) ;
34097 + if (alloc_stack) {
34098 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
34099 + kfree(alloc_stack);
34101 + vfree(alloc_stack);
34104 + alloc_stack = NULL;
34105 + alloc_stack_size = 1;
34106 + alloc_stack_next = 1;
34112 +acl_alloc_stack_init(unsigned long size)
34114 + if ((size * sizeof (void *)) <= PAGE_SIZE)
34116 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
34118 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
34120 + alloc_stack_size = size;
34122 + if (!alloc_stack)
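Review bot: In acl_alloc_stack_init the product `size * sizeof (void *)` is computed without an overflow check, both in the PAGE_SIZE comparison and in the kmalloc/vmalloc arguments. Where unsigned long is 32 bits, a large `size` would wrap to a small allocation while `alloc_stack_size` is still set to the full value, so the bound tested in alloc_push would no longer match the buffer. create_table in gracl.c already guards its multiplication with a `ULONG_MAX / elementsize` test. The same guard here would be `if (size > ULONG_MAX / sizeof (void *)) return 0;` at the top of the function, zero being the failure value the caller in init_variables tests for. Some lines of this new file (braces and return statements) are not visible in this listing.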
34127 diff -urNp linux-2.6.35.5/grsecurity/gracl.c linux-2.6.35.5/grsecurity/gracl.c
34128 --- linux-2.6.35.5/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
34129 +++ linux-2.6.35.5/grsecurity/gracl.c 2010-09-17 20:18:36.000000000 -0400
34131 +#include <linux/kernel.h>
34132 +#include <linux/module.h>
34133 +#include <linux/sched.h>
34134 +#include <linux/mm.h>
34135 +#include <linux/file.h>
34136 +#include <linux/fs.h>
34137 +#include <linux/namei.h>
34138 +#include <linux/mount.h>
34139 +#include <linux/tty.h>
34140 +#include <linux/proc_fs.h>
34141 +#include <linux/smp_lock.h>
34142 +#include <linux/slab.h>
34143 +#include <linux/vmalloc.h>
34144 +#include <linux/types.h>
34145 +#include <linux/sysctl.h>
34146 +#include <linux/netdevice.h>
34147 +#include <linux/ptrace.h>
34148 +#include <linux/gracl.h>
34149 +#include <linux/gralloc.h>
34150 +#include <linux/grsecurity.h>
34151 +#include <linux/grinternal.h>
34152 +#include <linux/pid_namespace.h>
34153 +#include <linux/fdtable.h>
34154 +#include <linux/percpu.h>
34156 +#include <asm/uaccess.h>
34157 +#include <asm/errno.h>
34158 +#include <asm/mman.h>
34160 +static struct acl_role_db acl_role_set;
34161 +static struct name_db name_set;
34162 +static struct inodev_db inodev_set;
34164 +/* for keeping track of userspace pointers used for subjects, so we
34165 + can share references in the kernel as well
34168 +static struct dentry *real_root;
34169 +static struct vfsmount *real_root_mnt;
34171 +static struct acl_subj_map_db subj_map_set;
34173 +static struct acl_role_label *default_role;
34175 +static struct acl_role_label *role_list;
34177 +static u16 acl_sp_role_value;
34179 +extern char *gr_shared_page[4];
34180 +static DECLARE_MUTEX(gr_dev_sem);
34181 +DEFINE_RWLOCK(gr_inode_lock);
34183 +struct gr_arg *gr_usermode;
34185 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
34187 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
34188 +extern void gr_clear_learn_entries(void);
34190 +#ifdef CONFIG_GRKERNSEC_RESLOG
34191 +extern void gr_log_resource(const struct task_struct *task,
34192 + const int res, const unsigned long wanted, const int gt);
34195 +unsigned char *gr_system_salt;
34196 +unsigned char *gr_system_sum;
34198 +static struct sprole_pw **acl_special_roles = NULL;
34199 +static __u16 num_sprole_pws = 0;
34201 +static struct acl_role_label *kernel_role = NULL;
34203 +static unsigned int gr_auth_attempts = 0;
34204 +static unsigned long gr_auth_expires = 0UL;
34206 +extern struct vfsmount *sock_mnt;
34207 +extern struct vfsmount *pipe_mnt;
34208 +extern struct vfsmount *shm_mnt;
34209 +#ifdef CONFIG_HUGETLBFS
34210 +extern struct vfsmount *hugetlbfs_vfsmount;
34213 +static struct acl_object_label *fakefs_obj;
34215 +extern int gr_init_uidset(void);
34216 +extern void gr_free_uidset(void);
34217 +extern void gr_remove_uid(uid_t uid);
34218 +extern int gr_find_uid(uid_t uid);
34220 +extern spinlock_t vfsmount_lock;
34223 +gr_acl_is_enabled(void)
34225 + return (gr_status & GR_READY);
34228 +char gr_roletype_to_char(void)
34230 + switch (current->role->roletype &
34231 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
34232 + GR_ROLE_SPECIAL)) {
34233 + case GR_ROLE_DEFAULT:
34235 + case GR_ROLE_USER:
34237 + case GR_ROLE_GROUP:
34239 + case GR_ROLE_SPECIAL:
34247 +gr_acl_tpe_check(void)
34249 + if (unlikely(!(gr_status & GR_READY)))
34251 + if (current->role->roletype & GR_ROLE_TPE)
34258 +gr_handle_rawio(const struct inode *inode)
34260 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
34261 + if (inode && S_ISBLK(inode->i_mode) &&
34262 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
34263 + !capable(CAP_SYS_RAWIO))
34270 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
34272 + if (likely(lena != lenb))
34275 + return !memcmp(a, b, lena);
34278 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
34279 + struct dentry *root, struct vfsmount *rootmnt,
34280 + char *buffer, int buflen)
34282 + char * end = buffer+buflen;
34286 + spin_lock(&vfsmount_lock);
34292 + /* Get '/' right */
34297 + struct dentry * parent;
34299 + if (dentry == root && vfsmnt == rootmnt)
34301 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
34302 + /* Global root? */
34303 + if (vfsmnt->mnt_parent == vfsmnt) {
34304 + goto global_root;
34306 + dentry = vfsmnt->mnt_mountpoint;
34307 + vfsmnt = vfsmnt->mnt_parent;
34310 + parent = dentry->d_parent;
34311 + prefetch(parent);
34312 + namelen = dentry->d_name.len;
34313 + buflen -= namelen + 1;
34317 + memcpy(end, dentry->d_name.name, namelen);
34324 + spin_unlock(&vfsmount_lock);
34328 + namelen = dentry->d_name.len;
34329 + buflen -= namelen;
34332 + retval -= namelen-1; /* hit the slash */
34333 + memcpy(retval, dentry->d_name.name, namelen);
34336 + retval = ERR_PTR(-ENAMETOOLONG);
34341 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
34342 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
34346 + retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
34347 + if (unlikely(IS_ERR(retval)))
34348 + retval = strcpy(buf, "<path too long>");
34349 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
34350 + retval[1] = '\0';
34356 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
34357 + char *buf, int buflen)
34361 + /* we can use real_root, real_root_mnt, because this is only called
34362 + by the RBAC system */
34363 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
34369 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
34370 + char *buf, int buflen)
34373 + struct dentry *root;
34374 + struct vfsmount *rootmnt;
34375 + struct task_struct *reaper = &init_task;
34377 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
34378 + read_lock(&reaper->fs->lock);
34379 + root = dget(reaper->fs->root.dentry);
34380 + rootmnt = mntget(reaper->fs->root.mnt);
34381 + read_unlock(&reaper->fs->lock);
34383 + spin_lock(&dcache_lock);
34384 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
34385 + spin_unlock(&dcache_lock);
34393 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
34396 + spin_lock(&dcache_lock);
34397 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
34399 + spin_unlock(&dcache_lock);
34404 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
34406 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
34411 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
34413 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
34418 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
34420 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
34425 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
34427 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
34432 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
34434 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
34439 +to_gr_audit(const __u32 reqmode)
34441 + /* masks off auditable permission flags, then shifts them to create
34442 + auditing flags, and adds the special case of append auditing if
34443 + we're requesting write */
34444 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
34447 +struct acl_subject_label *
34448 +lookup_subject_map(const struct acl_subject_label *userp)
34450 + unsigned int index = shash(userp, subj_map_set.s_size);
34451 + struct subject_map *match;
34453 + match = subj_map_set.s_hash[index];
34455 + while (match && match->user != userp)
34456 + match = match->next;
34458 + if (match != NULL)
34459 + return match->kernel;
34465 +insert_subj_map_entry(struct subject_map *subjmap)
34467 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
34468 + struct subject_map **curr;
34470 + subjmap->prev = NULL;
34472 + curr = &subj_map_set.s_hash[index];
34473 + if (*curr != NULL)
34474 + (*curr)->prev = subjmap;
34476 + subjmap->next = *curr;
34482 +static struct acl_role_label *
34483 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
34486 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
34487 + struct acl_role_label *match;
34488 + struct role_allowed_ip *ipp;
34491 + match = acl_role_set.r_hash[index];
34494 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
34495 + for (x = 0; x < match->domain_child_num; x++) {
34496 + if (match->domain_children[x] == uid)
34499 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
34501 + match = match->next;
34504 + if (match == NULL) {
34506 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
34507 + match = acl_role_set.r_hash[index];
34510 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
34511 + for (x = 0; x < match->domain_child_num; x++) {
34512 + if (match->domain_children[x] == gid)
34515 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
34517 + match = match->next;
34520 + if (match == NULL)
34521 + match = default_role;
34522 + if (match->allowed_ips == NULL)
34525 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
34527 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
34528 + (ntohl(ipp->addr) & ipp->netmask)))
34531 + match = default_role;
34533 + } else if (match->allowed_ips == NULL) {
34536 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
34538 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
34539 + (ntohl(ipp->addr) & ipp->netmask)))
34548 +struct acl_subject_label *
34549 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
34550 + const struct acl_role_label *role)
34552 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
34553 + struct acl_subject_label *match;
34555 + match = role->subj_hash[index];
34557 + while (match && (match->inode != ino || match->device != dev ||
34558 + (match->mode & GR_DELETED))) {
34559 + match = match->next;
34562 + if (match && !(match->mode & GR_DELETED))
34568 +struct acl_subject_label *
34569 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
34570 + const struct acl_role_label *role)
34572 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
34573 + struct acl_subject_label *match;
34575 + match = role->subj_hash[index];
34577 + while (match && (match->inode != ino || match->device != dev ||
34578 + !(match->mode & GR_DELETED))) {
34579 + match = match->next;
34582 + if (match && (match->mode & GR_DELETED))
34588 +static struct acl_object_label *
34589 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
34590 + const struct acl_subject_label *subj)
34592 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
34593 + struct acl_object_label *match;
34595 + match = subj->obj_hash[index];
34597 + while (match && (match->inode != ino || match->device != dev ||
34598 + (match->mode & GR_DELETED))) {
34599 + match = match->next;
34602 + if (match && !(match->mode & GR_DELETED))
34608 +static struct acl_object_label *
34609 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
34610 + const struct acl_subject_label *subj)
34612 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
34613 + struct acl_object_label *match;
34615 + match = subj->obj_hash[index];
34617 + while (match && (match->inode != ino || match->device != dev ||
34618 + !(match->mode & GR_DELETED))) {
34619 + match = match->next;
34622 + if (match && (match->mode & GR_DELETED))
34625 + match = subj->obj_hash[index];
34627 + while (match && (match->inode != ino || match->device != dev ||
34628 + (match->mode & GR_DELETED))) {
34629 + match = match->next;
34632 + if (match && !(match->mode & GR_DELETED))
34638 +static struct name_entry *
34639 +lookup_name_entry(const char *name)
34641 + unsigned int len = strlen(name);
34642 + unsigned int key = full_name_hash(name, len);
34643 + unsigned int index = key % name_set.n_size;
34644 + struct name_entry *match;
34646 + match = name_set.n_hash[index];
34648 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
34649 + match = match->next;
34654 +static struct name_entry *
34655 +lookup_name_entry_create(const char *name)
34657 + unsigned int len = strlen(name);
34658 + unsigned int key = full_name_hash(name, len);
34659 + unsigned int index = key % name_set.n_size;
34660 + struct name_entry *match;
34662 + match = name_set.n_hash[index];
34664 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
34665 + !match->deleted))
34666 + match = match->next;
34668 + if (match && match->deleted)
34671 + match = name_set.n_hash[index];
34673 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
34675 + match = match->next;
34677 + if (match && !match->deleted)
34683 +static struct inodev_entry *
34684 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
34686 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
34687 + struct inodev_entry *match;
34689 + match = inodev_set.i_hash[index];
34691 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
34692 + match = match->next;
34698 +insert_inodev_entry(struct inodev_entry *entry)
34700 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
34701 + inodev_set.i_size);
34702 + struct inodev_entry **curr;
34704 + entry->prev = NULL;
34706 + curr = &inodev_set.i_hash[index];
34707 + if (*curr != NULL)
34708 + (*curr)->prev = entry;
34710 + entry->next = *curr;
34717 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
34719 + unsigned int index =
34720 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
34721 + struct acl_role_label **curr;
34722 + struct acl_role_label *tmp;
34724 + curr = &acl_role_set.r_hash[index];
34726 + /* if role was already inserted due to domains and already has
34727 + a role in the same bucket as it attached, then we need to
34728 + combine these two buckets
34730 + if (role->next) {
34731 + tmp = role->next;
34732 + while (tmp->next)
34734 + tmp->next = *curr;
34736 + role->next = *curr;
34743 +insert_acl_role_label(struct acl_role_label *role)
34747 + if (role_list == NULL) {
34748 + role_list = role;
34749 + role->prev = NULL;
34751 + role->prev = role_list;
34752 + role_list = role;
34755 + /* used for hash chains */
34756 + role->next = NULL;
34758 + if (role->roletype & GR_ROLE_DOMAIN) {
34759 + for (i = 0; i < role->domain_child_num; i++)
34760 + __insert_acl_role_label(role, role->domain_children[i]);
34762 + __insert_acl_role_label(role, role->uidgid);
34766 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
34768 + struct name_entry **curr, *nentry;
34769 + struct inodev_entry *ientry;
34770 + unsigned int len = strlen(name);
34771 + unsigned int key = full_name_hash(name, len);
34772 + unsigned int index = key % name_set.n_size;
34774 + curr = &name_set.n_hash[index];
34776 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
34777 + curr = &((*curr)->next);
34779 + if (*curr != NULL)
34782 + nentry = acl_alloc(sizeof (struct name_entry));
34783 + if (nentry == NULL)
34785 + ientry = acl_alloc(sizeof (struct inodev_entry));
34786 + if (ientry == NULL)
34788 + ientry->nentry = nentry;
34790 + nentry->key = key;
34791 + nentry->name = name;
34792 + nentry->inode = inode;
34793 + nentry->device = device;
34794 + nentry->len = len;
34795 + nentry->deleted = deleted;
34797 + nentry->prev = NULL;
34798 + curr = &name_set.n_hash[index];
34799 + if (*curr != NULL)
34800 + (*curr)->prev = nentry;
34801 + nentry->next = *curr;
34804 + /* insert us into the table searchable by inode/dev */
34805 + insert_inodev_entry(ientry);
34811 +insert_acl_obj_label(struct acl_object_label *obj,
34812 + struct acl_subject_label *subj)
34814 + unsigned int index =
34815 + fhash(obj->inode, obj->device, subj->obj_hash_size);
34816 + struct acl_object_label **curr;
34819 + obj->prev = NULL;
34821 + curr = &subj->obj_hash[index];
34822 + if (*curr != NULL)
34823 + (*curr)->prev = obj;
34825 + obj->next = *curr;
34832 +insert_acl_subj_label(struct acl_subject_label *obj,
34833 + struct acl_role_label *role)
34835 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
34836 + struct acl_subject_label **curr;
34838 + obj->prev = NULL;
34840 + curr = &role->subj_hash[index];
34841 + if (*curr != NULL)
34842 + (*curr)->prev = obj;
34844 + obj->next = *curr;
34850 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
34853 +create_table(__u32 * len, int elementsize)
34855 + unsigned int table_sizes[] = {
34856 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
34857 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
34858 + 4194301, 8388593, 16777213, 33554393, 67108859
34860 + void *newtable = NULL;
34861 + unsigned int pwr = 0;
34863 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
34864 + table_sizes[pwr] <= *len)
34867 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
34870 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
34872 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
34874 + newtable = vmalloc(table_sizes[pwr] * elementsize);
34876 + *len = table_sizes[pwr];
34882 +init_variables(const struct gr_arg *arg)
34884 + struct task_struct *reaper = &init_task;
34885 + unsigned int stacksize;
34887 + subj_map_set.s_size = arg->role_db.num_subjects;
34888 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
34889 + name_set.n_size = arg->role_db.num_objects;
34890 + inodev_set.i_size = arg->role_db.num_objects;
34892 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
34893 + !name_set.n_size || !inodev_set.i_size)
34896 + if (!gr_init_uidset())
34899 + /* set up the stack that holds allocation info */
34901 + stacksize = arg->role_db.num_pointers + 5;
34903 + if (!acl_alloc_stack_init(stacksize))
34906 + /* grab reference for the real root dentry and vfsmount */
34907 + read_lock(&reaper->fs->lock);
34908 + real_root_mnt = mntget(reaper->fs->root.mnt);
34909 + real_root = dget(reaper->fs->root.dentry);
34910 + read_unlock(&reaper->fs->lock);
34912 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
34913 + if (fakefs_obj == NULL)
34915 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
34917 + subj_map_set.s_hash =
34918 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
34919 + acl_role_set.r_hash =
34920 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
34921 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
34922 + inodev_set.i_hash =
34923 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
34925 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
34926 + !name_set.n_hash || !inodev_set.i_hash)
34929 + memset(subj_map_set.s_hash, 0,
34930 + sizeof(struct subject_map *) * subj_map_set.s_size);
34931 + memset(acl_role_set.r_hash, 0,
34932 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
34933 + memset(name_set.n_hash, 0,
34934 + sizeof (struct name_entry *) * name_set.n_size);
34935 + memset(inodev_set.i_hash, 0,
34936 + sizeof (struct inodev_entry *) * inodev_set.i_size);
34941 +/* free information not needed after startup
34942 + currently contains user->kernel pointer mappings for subjects
34946 +free_init_variables(void)
34950 + if (subj_map_set.s_hash) {
34951 + for (i = 0; i < subj_map_set.s_size; i++) {
34952 + if (subj_map_set.s_hash[i]) {
34953 + kfree(subj_map_set.s_hash[i]);
34954 + subj_map_set.s_hash[i] = NULL;
34958 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
34960 + kfree(subj_map_set.s_hash);
34962 + vfree(subj_map_set.s_hash);
34969 +free_variables(void)
34971 + struct acl_subject_label *s;
34972 + struct acl_role_label *r;
34973 + struct task_struct *task, *task2;
34976 + gr_clear_learn_entries();
34978 + read_lock(&tasklist_lock);
34979 + do_each_thread(task2, task) {
34980 + task->acl_sp_role = 0;
34981 + task->acl_role_id = 0;
34982 + task->acl = NULL;
34983 + task->role = NULL;
34984 + } while_each_thread(task2, task);
34985 + read_unlock(&tasklist_lock);
34987 + /* release the reference to the real root dentry and vfsmount */
34990 + real_root = NULL;
34991 + if (real_root_mnt)
34992 + mntput(real_root_mnt);
34993 + real_root_mnt = NULL;
34995 + /* free all object hash tables */
34997 + FOR_EACH_ROLE_START(r)
34998 + if (r->subj_hash == NULL)
35000 + FOR_EACH_SUBJECT_START(r, s, x)
35001 + if (s->obj_hash == NULL)
35003 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35004 + kfree(s->obj_hash);
35006 + vfree(s->obj_hash);
35007 + FOR_EACH_SUBJECT_END(s, x)
35008 + FOR_EACH_NESTED_SUBJECT_START(r, s)
35009 + if (s->obj_hash == NULL)
35011 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35012 + kfree(s->obj_hash);
35014 + vfree(s->obj_hash);
35015 + FOR_EACH_NESTED_SUBJECT_END(s)
35016 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
35017 + kfree(r->subj_hash);
35019 + vfree(r->subj_hash);
35020 + r->subj_hash = NULL;
35022 + FOR_EACH_ROLE_END(r)
35026 + if (acl_role_set.r_hash) {
35027 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
35029 + kfree(acl_role_set.r_hash);
35031 + vfree(acl_role_set.r_hash);
35033 + if (name_set.n_hash) {
35034 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
35036 + kfree(name_set.n_hash);
35038 + vfree(name_set.n_hash);
35041 + if (inodev_set.i_hash) {
35042 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
35044 + kfree(inodev_set.i_hash);
35046 + vfree(inodev_set.i_hash);
35049 + gr_free_uidset();
35051 + memset(&name_set, 0, sizeof (struct name_db));
35052 + memset(&inodev_set, 0, sizeof (struct inodev_db));
35053 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
35054 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
35056 + default_role = NULL;
35057 + role_list = NULL;
35063 +count_user_objs(struct acl_object_label *userp)
35065 + struct acl_object_label o_tmp;
35069 + if (copy_from_user(&o_tmp, userp,
35070 + sizeof (struct acl_object_label)))
35073 + userp = o_tmp.prev;
35080 +static struct acl_subject_label *
35081 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
35084 +copy_user_glob(struct acl_object_label *obj)
35086 + struct acl_object_label *g_tmp, **guser;
35087 + unsigned int len;
35090 + if (obj->globbed == NULL)
35093 + guser = &obj->globbed;
35095 + g_tmp = (struct acl_object_label *)
35096 + acl_alloc(sizeof (struct acl_object_label));
35097 + if (g_tmp == NULL)
35100 + if (copy_from_user(g_tmp, *guser,
35101 + sizeof (struct acl_object_label)))
35104 + len = strnlen_user(g_tmp->filename, PATH_MAX);
35106 + if (!len || len >= PATH_MAX)
35109 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35112 + if (copy_from_user(tmp, g_tmp->filename, len))
35114 + tmp[len-1] = '\0';
35115 + g_tmp->filename = tmp;
35118 + guser = &(g_tmp->next);
35125 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
35126 + struct acl_role_label *role)
35128 + struct acl_object_label *o_tmp;
35129 + unsigned int len;
35134 + if ((o_tmp = (struct acl_object_label *)
35135 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
35138 + if (copy_from_user(o_tmp, userp,
35139 + sizeof (struct acl_object_label)))
35142 + userp = o_tmp->prev;
35144 + len = strnlen_user(o_tmp->filename, PATH_MAX);
35146 + if (!len || len >= PATH_MAX)
35149 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35152 + if (copy_from_user(tmp, o_tmp->filename, len))
35154 + tmp[len-1] = '\0';
35155 + o_tmp->filename = tmp;
35157 + insert_acl_obj_label(o_tmp, subj);
35158 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
35159 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
35162 + ret = copy_user_glob(o_tmp);
35166 + if (o_tmp->nested) {
35167 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
35168 + if (IS_ERR(o_tmp->nested))
35169 + return PTR_ERR(o_tmp->nested);
35171 + /* insert into nested subject list */
35172 + o_tmp->nested->next = role->hash->first;
35173 + role->hash->first = o_tmp->nested;
35181 +count_user_subjs(struct acl_subject_label *userp)
35183 + struct acl_subject_label s_tmp;
35187 + if (copy_from_user(&s_tmp, userp,
35188 + sizeof (struct acl_subject_label)))
35191 + userp = s_tmp.prev;
35192 + /* do not count nested subjects against this count, since
35193 + they are not included in the hash table, but are
35194 + attached to objects. We have already counted
35195 + the subjects in userspace for the allocation
35198 + if (!(s_tmp.mode & GR_NESTED))
35206 +copy_user_allowedips(struct acl_role_label *rolep)
35208 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
35210 + ruserip = rolep->allowed_ips;
35212 + while (ruserip) {
35215 + if ((rtmp = (struct role_allowed_ip *)
35216 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
35219 + if (copy_from_user(rtmp, ruserip,
35220 + sizeof (struct role_allowed_ip)))
35223 + ruserip = rtmp->prev;
35226 + rtmp->prev = NULL;
35227 + rolep->allowed_ips = rtmp;
35229 + rlast->next = rtmp;
35230 + rtmp->prev = rlast;
35234 + rtmp->next = NULL;
35241 +copy_user_transitions(struct acl_role_label *rolep)
35243 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
35245 + unsigned int len;
35248 + rusertp = rolep->transitions;
35250 + while (rusertp) {
35253 + if ((rtmp = (struct role_transition *)
35254 + acl_alloc(sizeof (struct role_transition))) == NULL)
35257 + if (copy_from_user(rtmp, rusertp,
35258 + sizeof (struct role_transition)))
35261 + rusertp = rtmp->prev;
35263 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
35265 + if (!len || len >= GR_SPROLE_LEN)
35268 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35271 + if (copy_from_user(tmp, rtmp->rolename, len))
35273 + tmp[len-1] = '\0';
35274 + rtmp->rolename = tmp;
35277 + rtmp->prev = NULL;
35278 + rolep->transitions = rtmp;
35280 + rlast->next = rtmp;
35281 + rtmp->prev = rlast;
35285 + rtmp->next = NULL;
35291 +static struct acl_subject_label *
35292 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
35294 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
35295 + unsigned int len;
35298 + struct acl_ip_label **i_tmp, *i_utmp2;
35299 + struct gr_hash_struct ghash;
35300 + struct subject_map *subjmap;
35301 + unsigned int i_num;
35304 + s_tmp = lookup_subject_map(userp);
35306 + /* we've already copied this subject into the kernel, just return
35307 + the reference to it, and don't copy it over again
35312 + if ((s_tmp = (struct acl_subject_label *)
35313 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
35314 + return ERR_PTR(-ENOMEM);
35316 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
35317 + if (subjmap == NULL)
35318 + return ERR_PTR(-ENOMEM);
35320 + subjmap->user = userp;
35321 + subjmap->kernel = s_tmp;
35322 + insert_subj_map_entry(subjmap);
35324 + if (copy_from_user(s_tmp, userp,
35325 + sizeof (struct acl_subject_label)))
35326 + return ERR_PTR(-EFAULT);
35328 + len = strnlen_user(s_tmp->filename, PATH_MAX);
35330 + if (!len || len >= PATH_MAX)
35331 + return ERR_PTR(-EINVAL);
35333 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35334 + return ERR_PTR(-ENOMEM);
35336 + if (copy_from_user(tmp, s_tmp->filename, len))
35337 + return ERR_PTR(-EFAULT);
35338 + tmp[len-1] = '\0';
35339 + s_tmp->filename = tmp;
35341 + if (!strcmp(s_tmp->filename, "/"))
35342 + role->root_label = s_tmp;
35344 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
35345 + return ERR_PTR(-EFAULT);
35347 + /* copy user and group transition tables */
35349 + if (s_tmp->user_trans_num) {
35352 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
35353 + if (uidlist == NULL)
35354 + return ERR_PTR(-ENOMEM);
35355 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
35356 + return ERR_PTR(-EFAULT);
35358 + s_tmp->user_transitions = uidlist;
35361 + if (s_tmp->group_trans_num) {
35364 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
35365 + if (gidlist == NULL)
35366 + return ERR_PTR(-ENOMEM);
35367 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
35368 + return ERR_PTR(-EFAULT);
35370 + s_tmp->group_transitions = gidlist;
35373 + /* set up object hash table */
35374 + num_objs = count_user_objs(ghash.first);
35376 + s_tmp->obj_hash_size = num_objs;
35377 + s_tmp->obj_hash =
35378 + (struct acl_object_label **)
35379 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
35381 + if (!s_tmp->obj_hash)
35382 + return ERR_PTR(-ENOMEM);
35384 + memset(s_tmp->obj_hash, 0,
35385 + s_tmp->obj_hash_size *
35386 + sizeof (struct acl_object_label *));
35388 + /* add in objects */
35389 + err = copy_user_objs(ghash.first, s_tmp, role);
35392 + return ERR_PTR(err);
35394 + /* set pointer for parent subject */
35395 + if (s_tmp->parent_subject) {
35396 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
35398 + if (IS_ERR(s_tmp2))
35401 + s_tmp->parent_subject = s_tmp2;
35404 + /* add in ip acls */
35406 + if (!s_tmp->ip_num) {
35407 + s_tmp->ips = NULL;
35412 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
35413 + sizeof (struct acl_ip_label *));
35416 + return ERR_PTR(-ENOMEM);
35418 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
35419 + *(i_tmp + i_num) =
35420 + (struct acl_ip_label *)
35421 + acl_alloc(sizeof (struct acl_ip_label));
35422 + if (!*(i_tmp + i_num))
35423 + return ERR_PTR(-ENOMEM);
35425 + if (copy_from_user
35426 + (&i_utmp2, s_tmp->ips + i_num,
35427 + sizeof (struct acl_ip_label *)))
35428 + return ERR_PTR(-EFAULT);
35430 + if (copy_from_user
35431 + (*(i_tmp + i_num), i_utmp2,
35432 + sizeof (struct acl_ip_label)))
35433 + return ERR_PTR(-EFAULT);
35435 + if ((*(i_tmp + i_num))->iface == NULL)
35438 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
35439 + if (!len || len >= IFNAMSIZ)
35440 + return ERR_PTR(-EINVAL);
35441 + tmp = acl_alloc(len);
35443 + return ERR_PTR(-ENOMEM);
35444 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
35445 + return ERR_PTR(-EFAULT);
35446 + (*(i_tmp + i_num))->iface = tmp;
35449 + s_tmp->ips = i_tmp;
35452 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
35453 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
35454 + return ERR_PTR(-ENOMEM);
35460 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
35462 + struct acl_subject_label s_pre;
35463 + struct acl_subject_label * ret;
35467 + if (copy_from_user(&s_pre, userp,
35468 + sizeof (struct acl_subject_label)))
35471 + /* do not add nested subjects here, add
35472 + while parsing objects
35475 + if (s_pre.mode & GR_NESTED) {
35476 + userp = s_pre.prev;
35480 + ret = do_copy_user_subj(userp, role);
35482 + err = PTR_ERR(ret);
35486 + insert_acl_subj_label(ret, role);
35488 + userp = s_pre.prev;
35495 +copy_user_acl(struct gr_arg *arg)
35497 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
35498 + struct sprole_pw *sptmp;
35499 + struct gr_hash_struct *ghash;
35500 + uid_t *domainlist;
35501 + unsigned int r_num;
35502 + unsigned int len;
35508 + /* we need a default and kernel role */
35509 + if (arg->role_db.num_roles < 2)
35512 + /* copy special role authentication info from userspace */
35514 + num_sprole_pws = arg->num_sprole_pws;
35515 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
35517 + if (!acl_special_roles) {
35522 + for (i = 0; i < num_sprole_pws; i++) {
35523 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
35528 + if (copy_from_user(sptmp, arg->sprole_pws + i,
35529 + sizeof (struct sprole_pw))) {
35535 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
35537 + if (!len || len >= GR_SPROLE_LEN) {
35542 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
35547 + if (copy_from_user(tmp, sptmp->rolename, len)) {
35551 + tmp[len-1] = '\0';
35552 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35553 + printk(KERN_ALERT "Copying special role %s\n", tmp);
35555 + sptmp->rolename = tmp;
35556 + acl_special_roles[i] = sptmp;
35559 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
35561 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
35562 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
35569 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
35570 + sizeof (struct acl_role_label *))) {
35575 + if (copy_from_user(r_tmp, r_utmp2,
35576 + sizeof (struct acl_role_label))) {
35581 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
35583 + if (!len || len >= PATH_MAX) {
35588 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
35592 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
35596 + tmp[len-1] = '\0';
35597 + r_tmp->rolename = tmp;
35599 + if (!strcmp(r_tmp->rolename, "default")
35600 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
35601 + default_role = r_tmp;
35602 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
35603 + kernel_role = r_tmp;
35606 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
35610 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
35615 + r_tmp->hash = ghash;
35617 + num_subjs = count_user_subjs(r_tmp->hash->first);
35619 + r_tmp->subj_hash_size = num_subjs;
35620 + r_tmp->subj_hash =
35621 + (struct acl_subject_label **)
35622 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
35624 + if (!r_tmp->subj_hash) {
35629 + err = copy_user_allowedips(r_tmp);
35633 + /* copy domain info */
35634 + if (r_tmp->domain_children != NULL) {
35635 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
35636 + if (domainlist == NULL) {
35640 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
35644 + r_tmp->domain_children = domainlist;
35647 + err = copy_user_transitions(r_tmp);
35651 + memset(r_tmp->subj_hash, 0,
35652 + r_tmp->subj_hash_size *
35653 + sizeof (struct acl_subject_label *));
35655 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
35660 + /* set nested subject list to null */
35661 + r_tmp->hash->first = NULL;
35663 + insert_acl_role_label(r_tmp);
35668 + free_variables();
35675 +gracl_init(struct gr_arg *args)
35679 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
35680 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
35682 + if (init_variables(args)) {
35683 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
35685 + free_variables();
35689 + error = copy_user_acl(args);
35690 + free_init_variables();
35692 + free_variables();
35696 + if ((error = gr_set_acls(0))) {
35697 + free_variables();
35701 + pax_open_kernel();
35702 + gr_status |= GR_READY;
35703 + pax_close_kernel();
35709 +/* derived from glibc fnmatch() 0: match, 1: no match*/
35712 +glob_match(const char *p, const char *n)
35716 + while ((c = *p++) != '\0') {
35721 + else if (*n == '/')
35729 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
35732 + else if (c == '?') {
35742 + const char *endp;
35744 + if ((endp = strchr(n, '/')) == NULL)
35745 + endp = n + strlen(n);
35748 + for (--p; n < endp; ++n)
35749 + if (!glob_match(p, n))
35751 + } else if (c == '/') {
35752 + while (*n != '\0' && *n != '/')
35754 + if (*n == '/' && !glob_match(p, n + 1))
35757 + for (--p; n < endp; ++n)
35758 + if (*n == c && !glob_match(p, n))
35769 + if (*n == '\0' || *n == '/')
35772 + not = (*p == '!' || *p == '^');
35778 + unsigned char fn = (unsigned char)*n;
35788 + if (c == '-' && *p != ']') {
35789 + unsigned char cend = *p++;
35791 + if (cend == '\0')
35794 + if (cold <= fn && fn <= cend)
35808 + while (c != ']') {
35835 +static struct acl_object_label *
35836 +chk_glob_label(struct acl_object_label *globbed,
35837 + struct dentry *dentry, struct vfsmount *mnt, char **path)
35839 + struct acl_object_label *tmp;
35841 + if (*path == NULL)
35842 + *path = gr_to_filename_nolock(dentry, mnt);
35847 + if (!glob_match(tmp->filename, *path))
35855 +static struct acl_object_label *
35856 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
35857 + const ino_t curr_ino, const dev_t curr_dev,
35858 + const struct acl_subject_label *subj, char **path, const int checkglob)
35860 + struct acl_subject_label *tmpsubj;
35861 + struct acl_object_label *retval;
35862 + struct acl_object_label *retval2;
35864 + tmpsubj = (struct acl_subject_label *) subj;
35865 + read_lock(&gr_inode_lock);
35867 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
35869 + if (checkglob && retval->globbed) {
35870 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
35871 + (struct vfsmount *)orig_mnt, path);
35873 + retval = retval2;
35877 + } while ((tmpsubj = tmpsubj->parent_subject));
35878 + read_unlock(&gr_inode_lock);
35883 +static __inline__ struct acl_object_label *
35884 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
35885 + const struct dentry *curr_dentry,
35886 + const struct acl_subject_label *subj, char **path, const int checkglob)
35888 + return __full_lookup(orig_dentry, orig_mnt,
35889 + curr_dentry->d_inode->i_ino,
35890 + curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
35893 +static struct acl_object_label *
35894 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35895 + const struct acl_subject_label *subj, char *path, const int checkglob)
35897 + struct dentry *dentry = (struct dentry *) l_dentry;
35898 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
35899 + struct acl_object_label *retval;
35901 + spin_lock(&dcache_lock);
35903 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
35904 +#ifdef CONFIG_HUGETLBFS
35905 + mnt == hugetlbfs_vfsmount ||
35907 + /* ignore Eric Biederman */
35908 + IS_PRIVATE(l_dentry->d_inode))) {
35909 + retval = fakefs_obj;
35914 + if (dentry == real_root && mnt == real_root_mnt)
35917 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
35918 + if (mnt->mnt_parent == mnt)
35921 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35922 + if (retval != NULL)
35925 + dentry = mnt->mnt_mountpoint;
35926 + mnt = mnt->mnt_parent;
35930 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35931 + if (retval != NULL)
35934 + dentry = dentry->d_parent;
35937 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35939 + if (retval == NULL)
35940 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
35942 + spin_unlock(&dcache_lock);
35946 +static __inline__ struct acl_object_label *
35947 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35948 + const struct acl_subject_label *subj)
35950 + char *path = NULL;
35951 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
35954 +static __inline__ struct acl_object_label *
35955 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35956 + const struct acl_subject_label *subj)
35958 + char *path = NULL;
35959 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
35962 +static __inline__ struct acl_object_label *
35963 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35964 + const struct acl_subject_label *subj, char *path)
35966 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
35969 +static struct acl_subject_label *
35970 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35971 + const struct acl_role_label *role)
35973 + struct dentry *dentry = (struct dentry *) l_dentry;
35974 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
35975 + struct acl_subject_label *retval;
35977 + spin_lock(&dcache_lock);
35980 + if (dentry == real_root && mnt == real_root_mnt)
35982 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
35983 + if (mnt->mnt_parent == mnt)
35986 + read_lock(&gr_inode_lock);
35988 + lookup_acl_subj_label(dentry->d_inode->i_ino,
35989 + dentry->d_inode->i_sb->s_dev, role);
35990 + read_unlock(&gr_inode_lock);
35991 + if (retval != NULL)
35994 + dentry = mnt->mnt_mountpoint;
35995 + mnt = mnt->mnt_parent;
35999 + read_lock(&gr_inode_lock);
36000 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36001 + dentry->d_inode->i_sb->s_dev, role);
36002 + read_unlock(&gr_inode_lock);
36003 + if (retval != NULL)
36006 + dentry = dentry->d_parent;
36009 + read_lock(&gr_inode_lock);
36010 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36011 + dentry->d_inode->i_sb->s_dev, role);
36012 + read_unlock(&gr_inode_lock);
36014 + if (unlikely(retval == NULL)) {
36015 + read_lock(&gr_inode_lock);
36016 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
36017 + real_root->d_inode->i_sb->s_dev, role);
36018 + read_unlock(&gr_inode_lock);
36021 + spin_unlock(&dcache_lock);
36027 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
36029 + struct task_struct *task = current;
36030 + const struct cred *cred = current_cred();
36032 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36033 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36034 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36035 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->curr_ip);
36041 +gr_log_learn_sysctl(const char *path, const __u32 mode)
36043 + struct task_struct *task = current;
36044 + const struct cred *cred = current_cred();
36046 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36047 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36048 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36049 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->curr_ip);
36055 +gr_log_learn_id_change(const char type, const unsigned int real,
36056 + const unsigned int effective, const unsigned int fs)
36058 + struct task_struct *task = current;
36059 + const struct cred *cred = current_cred();
36061 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
36062 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36063 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36064 + type, real, effective, fs, &task->signal->curr_ip);
36070 +gr_check_link(const struct dentry * new_dentry,
36071 + const struct dentry * parent_dentry,
36072 + const struct vfsmount * parent_mnt,
36073 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
36075 + struct acl_object_label *obj;
36076 + __u32 oldmode, newmode;
36079 + if (unlikely(!(gr_status & GR_READY)))
36080 + return (GR_CREATE | GR_LINK);
36082 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
36083 + oldmode = obj->mode;
36085 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36086 + oldmode |= (GR_CREATE | GR_LINK);
36088 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
36089 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36090 + needmode |= GR_SETID | GR_AUDIT_SETID;
36093 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
36094 + oldmode | needmode);
36096 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
36097 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
36098 + GR_INHERIT | GR_AUDIT_INHERIT);
36100 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
36103 + if ((oldmode & needmode) != needmode)
36106 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
36107 + if ((newmode & needmode) != needmode)
36110 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
36113 + needmode = oldmode;
36114 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36115 + needmode |= GR_SETID;
36117 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36118 + gr_log_learn(old_dentry, old_mnt, needmode);
36119 + return (GR_CREATE | GR_LINK);
36120 + } else if (newmode & GR_SUPPRESS)
36121 + return GR_SUPPRESS;
36127 +gr_search_file(const struct dentry * dentry, const __u32 mode,
36128 + const struct vfsmount * mnt)
36130 + __u32 retval = mode;
36131 + struct acl_subject_label *curracl;
36132 + struct acl_object_label *currobj;
36134 + if (unlikely(!(gr_status & GR_READY)))
36135 + return (mode & ~GR_AUDITS);
36137 + curracl = current->acl;
36139 + currobj = chk_obj_label(dentry, mnt, curracl);
36140 + retval = currobj->mode & mode;
36143 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
36144 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
36145 + __u32 new_mode = mode;
36147 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36149 + retval = new_mode;
36151 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
36152 + new_mode |= GR_INHERIT;
36154 + if (!(mode & GR_NOLEARN))
36155 + gr_log_learn(dentry, mnt, new_mode);
36162 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
36163 + const struct vfsmount * mnt, const __u32 mode)
36165 + struct name_entry *match;
36166 + struct acl_object_label *matchpo;
36167 + struct acl_subject_label *curracl;
36171 + if (unlikely(!(gr_status & GR_READY)))
36172 + return (mode & ~GR_AUDITS);
36174 + preempt_disable();
36175 + path = gr_to_filename_rbac(new_dentry, mnt);
36176 + match = lookup_name_entry_create(path);
36179 + goto check_parent;
36181 + curracl = current->acl;
36183 + read_lock(&gr_inode_lock);
36184 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
36185 + read_unlock(&gr_inode_lock);
36188 + if ((matchpo->mode & mode) !=
36189 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
36190 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36191 + __u32 new_mode = mode;
36193 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36195 + gr_log_learn(new_dentry, mnt, new_mode);
36197 + preempt_enable();
36200 + preempt_enable();
36201 + return (matchpo->mode & mode);
36205 + curracl = current->acl;
36207 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
36208 + retval = matchpo->mode & mode;
36210 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
36211 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
36212 + __u32 new_mode = mode;
36214 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36216 + gr_log_learn(new_dentry, mnt, new_mode);
36217 + preempt_enable();
36221 + preempt_enable();
36226 +gr_check_hidden_task(const struct task_struct *task)
36228 + if (unlikely(!(gr_status & GR_READY)))
36231 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
36238 +gr_check_protected_task(const struct task_struct *task)
36240 + if (unlikely(!(gr_status & GR_READY) || !task))
36243 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36244 + task->acl != current->acl)
36251 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
36253 + struct task_struct *p;
36256 + if (unlikely(!(gr_status & GR_READY) || !pid))
36259 + read_lock(&tasklist_lock);
36260 + do_each_pid_task(pid, type, p) {
36261 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36262 + p->acl != current->acl) {
36266 + } while_each_pid_task(pid, type, p);
36268 + read_unlock(&tasklist_lock);
36274 +gr_copy_label(struct task_struct *tsk)
36276 + tsk->signal->used_accept = 0;
36277 + tsk->acl_sp_role = 0;
36278 + tsk->acl_role_id = current->acl_role_id;
36279 + tsk->acl = current->acl;
36280 + tsk->role = current->role;
36281 + tsk->signal->curr_ip = current->signal->curr_ip;
36282 + if (current->exec_file)
36283 + get_file(current->exec_file);
36284 + tsk->exec_file = current->exec_file;
36285 + tsk->is_writable = current->is_writable;
36286 + if (unlikely(current->signal->used_accept))
36287 + current->signal->curr_ip = 0;
36293 +gr_set_proc_res(struct task_struct *task)
36295 + struct acl_subject_label *proc;
36296 + unsigned short i;
36298 + proc = task->acl;
36300 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
36303 + for (i = 0; i < RLIM_NLIMITS; i++) {
36304 + if (!(proc->resmask & (1 << i)))
36307 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
36308 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
36315 +gr_check_user_change(int real, int effective, int fs)
36322 + int effectiveok = 0;
36325 + if (unlikely(!(gr_status & GR_READY)))
36328 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36329 + gr_log_learn_id_change('u', real, effective, fs);
36331 + num = current->acl->user_trans_num;
36332 + uidlist = current->acl->user_transitions;
36334 + if (uidlist == NULL)
36339 + if (effective == -1)
36344 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
36345 + for (i = 0; i < num; i++) {
36346 + curuid = (int)uidlist[i];
36347 + if (real == curuid)
36349 + if (effective == curuid)
36351 + if (fs == curuid)
36354 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
36355 + for (i = 0; i < num; i++) {
36356 + curuid = (int)uidlist[i];
36357 + if (real == curuid)
36359 + if (effective == curuid)
36361 + if (fs == curuid)
36364 + /* not in deny list */
36372 + if (realok && effectiveok && fsok)
36375 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
36381 +gr_check_group_change(int real, int effective, int fs)
36388 + int effectiveok = 0;
36391 + if (unlikely(!(gr_status & GR_READY)))
36394 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36395 + gr_log_learn_id_change('g', real, effective, fs);
36397 + num = current->acl->group_trans_num;
36398 + gidlist = current->acl->group_transitions;
36400 + if (gidlist == NULL)
36405 + if (effective == -1)
36410 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
36411 + for (i = 0; i < num; i++) {
36412 + curgid = (int)gidlist[i];
36413 + if (real == curgid)
36415 + if (effective == curgid)
36417 + if (fs == curgid)
36420 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
36421 + for (i = 0; i < num; i++) {
36422 + curgid = (int)gidlist[i];
36423 + if (real == curgid)
36425 + if (effective == curgid)
36427 + if (fs == curgid)
36430 + /* not in deny list */
36438 + if (realok && effectiveok && fsok)
36441 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
36447 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
36449 + struct acl_role_label *role = task->role;
36450 + struct acl_subject_label *subj = NULL;
36451 + struct acl_object_label *obj;
36452 + struct file *filp;
36454 + if (unlikely(!(gr_status & GR_READY)))
36457 + filp = task->exec_file;
36459 + /* kernel process, we'll give them the kernel role */
36460 + if (unlikely(!filp)) {
36461 + task->role = kernel_role;
36462 + task->acl = kernel_role->root_label;
36464 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
36465 + role = lookup_acl_role_label(task, uid, gid);
36467 + /* perform subject lookup in possibly new role
36468 + we can use this result below in the case where role == task->role
36470 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
36472 + /* if we changed uid/gid, but result in the same role
36473 + and are using inheritance, don't lose the inherited subject
36474 + if current subject is other than what normal lookup
36475 + would result in, we arrived via inheritance, don't
36478 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
36479 + (subj == task->acl)))
36480 + task->acl = subj;
36482 + task->role = role;
36484 + task->is_writable = 0;
36486 + /* ignore additional mmap checks for processes that are writable
36487 + by the default ACL */
36488 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
36489 + if (unlikely(obj->mode & GR_WRITE))
36490 + task->is_writable = 1;
36491 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
36492 + if (unlikely(obj->mode & GR_WRITE))
36493 + task->is_writable = 1;
36495 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36496 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
36499 + gr_set_proc_res(task);
36505 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
36506 + const int unsafe_share)
36508 + struct task_struct *task = current;
36509 + struct acl_subject_label *newacl;
36510 + struct acl_object_label *obj;
36513 + if (unlikely(!(gr_status & GR_READY)))
36516 + newacl = chk_subj_label(dentry, mnt, task->role);
36519 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
36520 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
36521 + !(task->role->roletype & GR_ROLE_GOD) &&
36522 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
36523 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
36524 + task_unlock(task);
36525 + if (unsafe_share)
36526 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
36528 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
36531 + task_unlock(task);
36533 + obj = chk_obj_label(dentry, mnt, task->acl);
36534 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
36536 + if (!(task->acl->mode & GR_INHERITLEARN) &&
36537 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
36539 + task->acl = obj->nested;
36541 + task->acl = newacl;
36542 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
36543 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
36545 + task->is_writable = 0;
36547 + /* ignore additional mmap checks for processes that are writable
36548 + by the default ACL */
36549 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
36550 + if (unlikely(obj->mode & GR_WRITE))
36551 + task->is_writable = 1;
36552 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
36553 + if (unlikely(obj->mode & GR_WRITE))
36554 + task->is_writable = 1;
36556 + gr_set_proc_res(task);
36558 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36559 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
36564 +/* always called with valid inodev ptr */
36566 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
36568 + struct acl_object_label *matchpo;
36569 + struct acl_subject_label *matchps;
36570 + struct acl_subject_label *subj;
36571 + struct acl_role_label *role;
36574 + FOR_EACH_ROLE_START(role)
36575 + FOR_EACH_SUBJECT_START(role, subj, x)
36576 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
36577 + matchpo->mode |= GR_DELETED;
36578 + FOR_EACH_SUBJECT_END(subj,x)
36579 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
36580 + if (subj->inode == ino && subj->device == dev)
36581 + subj->mode |= GR_DELETED;
36582 + FOR_EACH_NESTED_SUBJECT_END(subj)
36583 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
36584 + matchps->mode |= GR_DELETED;
36585 + FOR_EACH_ROLE_END(role)
36587 + inodev->nentry->deleted = 1;
36593 +gr_handle_delete(const ino_t ino, const dev_t dev)
36595 + struct inodev_entry *inodev;
36597 + if (unlikely(!(gr_status & GR_READY)))
36600 + write_lock(&gr_inode_lock);
36601 + inodev = lookup_inodev_entry(ino, dev);
36602 + if (inodev != NULL)
36603 + do_handle_delete(inodev, ino, dev);
36604 + write_unlock(&gr_inode_lock);
36610 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
36611 + const ino_t newinode, const dev_t newdevice,
36612 + struct acl_subject_label *subj)
36614 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
36615 + struct acl_object_label *match;
36617 + match = subj->obj_hash[index];
36619 + while (match && (match->inode != oldinode ||
36620 + match->device != olddevice ||
36621 + !(match->mode & GR_DELETED)))
36622 + match = match->next;
36624 + if (match && (match->inode == oldinode)
36625 + && (match->device == olddevice)
36626 + && (match->mode & GR_DELETED)) {
36627 + if (match->prev == NULL) {
36628 + subj->obj_hash[index] = match->next;
36629 + if (match->next != NULL)
36630 + match->next->prev = NULL;
36632 + match->prev->next = match->next;
36633 + if (match->next != NULL)
36634 + match->next->prev = match->prev;
36636 + match->prev = NULL;
36637 + match->next = NULL;
36638 + match->inode = newinode;
36639 + match->device = newdevice;
36640 + match->mode &= ~GR_DELETED;
36642 + insert_acl_obj_label(match, subj);
36649 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
36650 + const ino_t newinode, const dev_t newdevice,
36651 + struct acl_role_label *role)
36653 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
36654 + struct acl_subject_label *match;
36656 + match = role->subj_hash[index];
36658 + while (match && (match->inode != oldinode ||
36659 + match->device != olddevice ||
36660 + !(match->mode & GR_DELETED)))
36661 + match = match->next;
36663 + if (match && (match->inode == oldinode)
36664 + && (match->device == olddevice)
36665 + && (match->mode & GR_DELETED)) {
36666 + if (match->prev == NULL) {
36667 + role->subj_hash[index] = match->next;
36668 + if (match->next != NULL)
36669 + match->next->prev = NULL;
36671 + match->prev->next = match->next;
36672 + if (match->next != NULL)
36673 + match->next->prev = match->prev;
36675 + match->prev = NULL;
36676 + match->next = NULL;
36677 + match->inode = newinode;
36678 + match->device = newdevice;
36679 + match->mode &= ~GR_DELETED;
36681 + insert_acl_subj_label(match, role);
36688 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
36689 + const ino_t newinode, const dev_t newdevice)
36691 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
36692 + struct inodev_entry *match;
36694 + match = inodev_set.i_hash[index];
36696 + while (match && (match->nentry->inode != oldinode ||
36697 + match->nentry->device != olddevice || !match->nentry->deleted))
36698 + match = match->next;
36700 + if (match && (match->nentry->inode == oldinode)
36701 + && (match->nentry->device == olddevice) &&
36702 + match->nentry->deleted) {
36703 + if (match->prev == NULL) {
36704 + inodev_set.i_hash[index] = match->next;
36705 + if (match->next != NULL)
36706 + match->next->prev = NULL;
36708 + match->prev->next = match->next;
36709 + if (match->next != NULL)
36710 + match->next->prev = match->prev;
36712 + match->prev = NULL;
36713 + match->next = NULL;
36714 + match->nentry->inode = newinode;
36715 + match->nentry->device = newdevice;
36716 + match->nentry->deleted = 0;
36718 + insert_inodev_entry(match);
36725 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
36726 + const struct vfsmount *mnt)
36728 + struct acl_subject_label *subj;
36729 + struct acl_role_label *role;
36732 + FOR_EACH_ROLE_START(role)
36733 + update_acl_subj_label(matchn->inode, matchn->device,
36734 + dentry->d_inode->i_ino,
36735 + dentry->d_inode->i_sb->s_dev, role);
36737 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
36738 + if ((subj->inode == dentry->d_inode->i_ino) &&
36739 + (subj->device == dentry->d_inode->i_sb->s_dev)) {
36740 + subj->inode = dentry->d_inode->i_ino;
36741 + subj->device = dentry->d_inode->i_sb->s_dev;
36743 + FOR_EACH_NESTED_SUBJECT_END(subj)
36744 + FOR_EACH_SUBJECT_START(role, subj, x)
36745 + update_acl_obj_label(matchn->inode, matchn->device,
36746 + dentry->d_inode->i_ino,
36747 + dentry->d_inode->i_sb->s_dev, subj);
36748 + FOR_EACH_SUBJECT_END(subj,x)
36749 + FOR_EACH_ROLE_END(role)
36751 + update_inodev_entry(matchn->inode, matchn->device,
36752 + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
36758 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
36760 + struct name_entry *matchn;
36762 + if (unlikely(!(gr_status & GR_READY)))
36765 + preempt_disable();
36766 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
36768 + if (unlikely((unsigned long)matchn)) {
36769 + write_lock(&gr_inode_lock);
36770 + do_handle_create(matchn, dentry, mnt);
36771 + write_unlock(&gr_inode_lock);
36773 + preempt_enable();
36779 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
36780 + struct dentry *old_dentry,
36781 + struct dentry *new_dentry,
36782 + struct vfsmount *mnt, const __u8 replace)
36784 + struct name_entry *matchn;
36785 + struct inodev_entry *inodev;
36787 + /* vfs_rename swaps the name and parent link for old_dentry and
36789 + at this point, old_dentry has the new name, parent link, and inode
36790 + for the renamed file
36791 + if a file is being replaced by a rename, new_dentry has the inode
36792 + and name for the replaced file
36795 + if (unlikely(!(gr_status & GR_READY)))
36798 + preempt_disable();
36799 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
36801 + /* we wouldn't have to check d_inode if it weren't for
36802 + NFS silly-renaming
36805 + write_lock(&gr_inode_lock);
36806 + if (unlikely(replace && new_dentry->d_inode)) {
36807 + inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
36808 + new_dentry->d_inode->i_sb->s_dev);
36809 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
36810 + do_handle_delete(inodev, new_dentry->d_inode->i_ino,
36811 + new_dentry->d_inode->i_sb->s_dev);
36814 + inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
36815 + old_dentry->d_inode->i_sb->s_dev);
36816 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
36817 + do_handle_delete(inodev, old_dentry->d_inode->i_ino,
36818 + old_dentry->d_inode->i_sb->s_dev);
36820 + if (unlikely((unsigned long)matchn))
36821 + do_handle_create(matchn, old_dentry, mnt);
36823 + write_unlock(&gr_inode_lock);
36824 + preempt_enable();
36830 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
36831 + unsigned char **sum)
36833 + struct acl_role_label *r;
36834 + struct role_allowed_ip *ipp;
36835 + struct role_transition *trans;
36839 + /* check transition table */
36841 + for (trans = current->role->transitions; trans; trans = trans->next) {
36842 + if (!strcmp(rolename, trans->rolename)) {
36851 + /* handle special roles that do not require authentication
36854 + FOR_EACH_ROLE_START(r)
36855 + if (!strcmp(rolename, r->rolename) &&
36856 + (r->roletype & GR_ROLE_SPECIAL)) {
36858 + if (r->allowed_ips != NULL) {
36859 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
36860 + if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
36861 + (ntohl(ipp->addr) & ipp->netmask))
36869 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
36870 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
36876 + FOR_EACH_ROLE_END(r)
36878 + for (i = 0; i < num_sprole_pws; i++) {
36879 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
36880 + *salt = acl_special_roles[i]->salt;
36881 + *sum = acl_special_roles[i]->sum;
36890 +assign_special_role(char *rolename)
36892 + struct acl_object_label *obj;
36893 + struct acl_role_label *r;
36894 + struct acl_role_label *assigned = NULL;
36895 + struct task_struct *tsk;
36896 + struct file *filp;
36898 + FOR_EACH_ROLE_START(r)
36899 + if (!strcmp(rolename, r->rolename) &&
36900 + (r->roletype & GR_ROLE_SPECIAL)) {
36904 + FOR_EACH_ROLE_END(r)
36909 + read_lock(&tasklist_lock);
36910 + read_lock(&grsec_exec_file_lock);
36912 + tsk = current->parent;
36916 + filp = tsk->exec_file;
36917 + if (filp == NULL)
36920 + tsk->is_writable = 0;
36922 + tsk->acl_sp_role = 1;
36923 + tsk->acl_role_id = ++acl_sp_role_value;
36924 + tsk->role = assigned;
36925 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
36927 + /* ignore additional mmap checks for processes that are writable
36928 + by the default ACL */
36929 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
36930 + if (unlikely(obj->mode & GR_WRITE))
36931 + tsk->is_writable = 1;
36932 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
36933 + if (unlikely(obj->mode & GR_WRITE))
36934 + tsk->is_writable = 1;
36936 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36937 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
36941 + read_unlock(&grsec_exec_file_lock);
36942 + read_unlock(&tasklist_lock);
36946 +int gr_check_secure_terminal(struct task_struct *task)
36948 + struct task_struct *p, *p2, *p3;
36949 + struct files_struct *files;
36950 + struct fdtable *fdt;
36951 + struct file *our_file = NULL, *file;
36954 + if (task->signal->tty == NULL)
36957 + files = get_files_struct(task);
36958 + if (files != NULL) {
36960 + fdt = files_fdtable(files);
36961 + for (i=0; i < fdt->max_fds; i++) {
36962 + file = fcheck_files(files, i);
36963 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
36968 + rcu_read_unlock();
36969 + put_files_struct(files);
36972 + if (our_file == NULL)
36975 + read_lock(&tasklist_lock);
36976 + do_each_thread(p2, p) {
36977 + files = get_files_struct(p);
36978 + if (files == NULL ||
36979 + (p->signal && p->signal->tty == task->signal->tty)) {
36980 + if (files != NULL)
36981 + put_files_struct(files);
36985 + fdt = files_fdtable(files);
36986 + for (i=0; i < fdt->max_fds; i++) {
36987 + file = fcheck_files(files, i);
36988 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
36989 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
36991 + while (p3->pid > 0) {
36998 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
36999 + gr_handle_alertkill(p);
37000 + rcu_read_unlock();
37001 + put_files_struct(files);
37002 + read_unlock(&tasklist_lock);
37007 + rcu_read_unlock();
37008 + put_files_struct(files);
37009 + } while_each_thread(p2, p);
37010 + read_unlock(&tasklist_lock);
37017 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
37019 + struct gr_arg_wrapper uwrap;
37020 + unsigned char *sprole_salt = NULL;
37021 + unsigned char *sprole_sum = NULL;
37022 + int error = sizeof (struct gr_arg_wrapper);
37025 + down(&gr_dev_sem);
37027 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
37032 + if (count != sizeof (struct gr_arg_wrapper)) {
37033 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
37039 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
37040 + gr_auth_expires = 0;
37041 + gr_auth_attempts = 0;
37044 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
37049 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
37054 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
37059 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37060 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37061 + time_after(gr_auth_expires, get_seconds())) {
37066 + /* if non-root trying to do anything other than use a special role,
37067 + do not attempt authentication, do not count towards authentication
37071 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
37072 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37078 + /* ensure pw and special role name are null terminated */
37080 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
37081 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
37084 + * We have our enough of the argument structure..(we have yet
37085 + * to copy_from_user the tables themselves) . Copy the tables
37086 + * only if we need them, i.e. for loading operations. */
37088 + switch (gr_usermode->mode) {
37090 + if (gr_status & GR_READY) {
37092 + if (!gr_check_secure_terminal(current))
37097 + case GR_SHUTDOWN:
37098 + if ((gr_status & GR_READY)
37099 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37100 + pax_open_kernel();
37101 + gr_status &= ~GR_READY;
37102 + pax_close_kernel();
37104 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
37105 + free_variables();
37106 + memset(gr_usermode, 0, sizeof (struct gr_arg));
37107 + memset(gr_system_salt, 0, GR_SALT_LEN);
37108 + memset(gr_system_sum, 0, GR_SHA_LEN);
37109 + } else if (gr_status & GR_READY) {
37110 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
37113 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
37118 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
37119 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
37121 + if (gr_status & GR_READY)
37125 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
37129 + if (!(gr_status & GR_READY)) {
37130 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
37132 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37135 + pax_open_kernel();
37136 + gr_status &= ~GR_READY;
37137 + pax_close_kernel();
37139 + free_variables();
37140 + if (!(error2 = gracl_init(gr_usermode))) {
37142 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
37146 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37149 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37154 + if (unlikely(!(gr_status & GR_READY))) {
37155 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
37160 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37161 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
37162 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
37163 + struct acl_subject_label *segvacl;
37165 + lookup_acl_subj_label(gr_usermode->segv_inode,
37166 + gr_usermode->segv_device,
37169 + segvacl->crashes = 0;
37170 + segvacl->expires = 0;
37172 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
37173 + gr_remove_uid(gr_usermode->segv_uid);
37176 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
37181 + case GR_SPROLEPAM:
37182 + if (unlikely(!(gr_status & GR_READY))) {
37183 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
37188 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
37189 + current->role->expires = 0;
37190 + current->role->auth_attempts = 0;
37193 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37194 + time_after(current->role->expires, get_seconds())) {
37199 + if (lookup_special_role_auth
37200 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
37201 + && ((!sprole_salt && !sprole_sum)
37202 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
37204 + assign_special_role(gr_usermode->sp_role);
37205 + read_lock(&tasklist_lock);
37206 + if (current->parent)
37207 + p = current->parent->role->rolename;
37208 + read_unlock(&tasklist_lock);
37209 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
37210 + p, acl_sp_role_value);
37212 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
37214 + if(!(current->role->auth_attempts++))
37215 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37220 + case GR_UNSPROLE:
37221 + if (unlikely(!(gr_status & GR_READY))) {
37222 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
37227 + if (current->role->roletype & GR_ROLE_SPECIAL) {
37231 + read_lock(&tasklist_lock);
37232 + if (current->parent) {
37233 + p = current->parent->role->rolename;
37234 + i = current->parent->acl_role_id;
37236 + read_unlock(&tasklist_lock);
37238 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
37246 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
37251 + if (error != -EPERM)
37254 + if(!(gr_auth_attempts++))
37255 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37263 +gr_set_acls(const int type)
37265 + struct acl_object_label *obj;
37266 + struct task_struct *task, *task2;
37267 + struct file *filp;
37268 + struct acl_role_label *role = current->role;
37269 + __u16 acl_role_id = current->acl_role_id;
37270 + const struct cred *cred;
37272 + struct name_entry *nmatch;
37273 + struct acl_subject_label *tmpsubj;
37276 + read_lock(&tasklist_lock);
37277 + read_lock(&grsec_exec_file_lock);
37278 + do_each_thread(task2, task) {
37279 + /* check to see if we're called from the exit handler,
37280 + if so, only replace ACLs that have inherited the admin
37283 + if (type && (task->role != role ||
37284 + task->acl_role_id != acl_role_id))
37287 + task->acl_role_id = 0;
37288 + task->acl_sp_role = 0;
37290 + if ((filp = task->exec_file)) {
37291 + cred = __task_cred(task);
37292 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
37294 + /* the following is to apply the correct subject
37295 + on binaries running when the RBAC system
37296 + is enabled, when the binaries have been
37297 + replaced or deleted since their execution
37299 + when the RBAC system starts, the inode/dev
37300 + from exec_file will be one the RBAC system
37301 + is unaware of. It only knows the inode/dev
37302 + of the present file on disk, or the absence
37305 + preempt_disable();
37306 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
37308 + nmatch = lookup_name_entry(tmpname);
37309 + preempt_enable();
37312 + if (nmatch->deleted)
37313 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
37315 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
37316 + if (tmpsubj != NULL)
37317 + task->acl = tmpsubj;
37319 + if (tmpsubj == NULL)
37320 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
37323 + struct acl_subject_label *curr;
37324 + curr = task->acl;
37326 + task->is_writable = 0;
37327 + /* ignore additional mmap checks for processes that are writable
37328 + by the default ACL */
37329 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37330 + if (unlikely(obj->mode & GR_WRITE))
37331 + task->is_writable = 1;
37332 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
37333 + if (unlikely(obj->mode & GR_WRITE))
37334 + task->is_writable = 1;
37336 + gr_set_proc_res(task);
37338 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37339 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37342 + read_unlock(&grsec_exec_file_lock);
37343 + read_unlock(&tasklist_lock);
37344 + rcu_read_unlock();
37345 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
37349 + // it's a kernel process
37350 + task->role = kernel_role;
37351 + task->acl = kernel_role->root_label;
37352 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
37353 + task->acl->mode &= ~GR_PROCFIND;
37356 + } while_each_thread(task2, task);
37357 + read_unlock(&grsec_exec_file_lock);
37358 + read_unlock(&tasklist_lock);
37359 + rcu_read_unlock();
37365 +gr_learn_resource(const struct task_struct *task,
37366 + const int res, const unsigned long wanted, const int gt)
37368 + struct acl_subject_label *acl;
37369 + const struct cred *cred;
37371 + if (unlikely((gr_status & GR_READY) &&
37372 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
37373 + goto skip_reslog;
37375 +#ifdef CONFIG_GRKERNSEC_RESLOG
37376 + gr_log_resource(task, res, wanted, gt);
37380 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
37385 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
37386 + !(acl->resmask & (1 << (unsigned short) res))))
37389 + if (wanted >= acl->res[res].rlim_cur) {
37390 + unsigned long res_add;
37392 + res_add = wanted;
37395 + res_add += GR_RLIM_CPU_BUMP;
37397 + case RLIMIT_FSIZE:
37398 + res_add += GR_RLIM_FSIZE_BUMP;
37400 + case RLIMIT_DATA:
37401 + res_add += GR_RLIM_DATA_BUMP;
37403 + case RLIMIT_STACK:
37404 + res_add += GR_RLIM_STACK_BUMP;
37406 + case RLIMIT_CORE:
37407 + res_add += GR_RLIM_CORE_BUMP;
37410 + res_add += GR_RLIM_RSS_BUMP;
37412 + case RLIMIT_NPROC:
37413 + res_add += GR_RLIM_NPROC_BUMP;
37415 + case RLIMIT_NOFILE:
37416 + res_add += GR_RLIM_NOFILE_BUMP;
37418 + case RLIMIT_MEMLOCK:
37419 + res_add += GR_RLIM_MEMLOCK_BUMP;
37422 + res_add += GR_RLIM_AS_BUMP;
37424 + case RLIMIT_LOCKS:
37425 + res_add += GR_RLIM_LOCKS_BUMP;
37427 + case RLIMIT_SIGPENDING:
37428 + res_add += GR_RLIM_SIGPENDING_BUMP;
37430 + case RLIMIT_MSGQUEUE:
37431 + res_add += GR_RLIM_MSGQUEUE_BUMP;
37433 + case RLIMIT_NICE:
37434 + res_add += GR_RLIM_NICE_BUMP;
37436 + case RLIMIT_RTPRIO:
37437 + res_add += GR_RLIM_RTPRIO_BUMP;
37439 + case RLIMIT_RTTIME:
37440 + res_add += GR_RLIM_RTTIME_BUMP;
37444 + acl->res[res].rlim_cur = res_add;
37446 + if (wanted > acl->res[res].rlim_max)
37447 + acl->res[res].rlim_max = res_add;
37449 + /* only log the subject filename, since resource logging is supported for
37450 + single-subject learning only */
37452 + cred = __task_cred(task);
37453 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
37454 + task->role->roletype, cred->uid, cred->gid, acl->filename,
37455 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
37456 + "", (unsigned long) res, &task->signal->curr_ip);
37457 + rcu_read_unlock();
37463 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
37465 +pax_set_initial_flags(struct linux_binprm *bprm)
37467 + struct task_struct *task = current;
37468 + struct acl_subject_label *proc;
37469 + unsigned long flags;
37471 + if (unlikely(!(gr_status & GR_READY)))
37474 + flags = pax_get_flags(task);
37476 + proc = task->acl;
37478 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
37479 + flags &= ~MF_PAX_PAGEEXEC;
37480 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
37481 + flags &= ~MF_PAX_SEGMEXEC;
37482 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
37483 + flags &= ~MF_PAX_RANDMMAP;
37484 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
37485 + flags &= ~MF_PAX_EMUTRAMP;
37486 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
37487 + flags &= ~MF_PAX_MPROTECT;
37489 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
37490 + flags |= MF_PAX_PAGEEXEC;
37491 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
37492 + flags |= MF_PAX_SEGMEXEC;
37493 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
37494 + flags |= MF_PAX_RANDMMAP;
37495 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
37496 + flags |= MF_PAX_EMUTRAMP;
37497 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
37498 + flags |= MF_PAX_MPROTECT;
37500 + pax_set_flags(task, flags);
37506 +#ifdef CONFIG_SYSCTL
37507 +/* Eric Biederman likes breaking userland ABI and every inode-based security
37508 + system to save 35kb of memory */
37510 +/* we modify the passed in filename, but adjust it back before returning */
37511 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
37513 + struct name_entry *nmatch;
37514 + char *p, *lastp = NULL;
37515 + struct acl_object_label *obj = NULL, *tmp;
37516 + struct acl_subject_label *tmpsubj;
37519 + read_lock(&gr_inode_lock);
37521 + p = name + len - 1;
37523 + nmatch = lookup_name_entry(name);
37524 + if (lastp != NULL)
37527 + if (nmatch == NULL)
37528 + goto next_component;
37529 + tmpsubj = current->acl;
37531 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
37532 + if (obj != NULL) {
37533 + tmp = obj->globbed;
37535 + if (!glob_match(tmp->filename, name)) {
37543 + } while ((tmpsubj = tmpsubj->parent_subject));
37549 + while (*p != '/')
37561 + read_unlock(&gr_inode_lock);
37562 + /* obj returned will always be non-null */
37566 +/* returns 0 when allowing, non-zero on error
37567 + op of 0 is used for readdir, so we don't log the names of hidden files
37570 +gr_handle_sysctl(const struct ctl_table *table, const int op)
37572 + struct ctl_table *tmp;
37573 + const char *proc_sys = "/proc/sys";
37575 + struct acl_object_label *obj;
37576 + unsigned short len = 0, pos = 0, depth = 0, i;
37580 + if (unlikely(!(gr_status & GR_READY)))
37583 + /* for now, ignore operations on non-sysctl entries if it's not a
37585 + if (table->child != NULL && op != 0)
37589 + /* it's only a read if it's an entry, read on dirs is for readdir */
37590 + if (op & MAY_READ)
37592 + if (op & MAY_WRITE)
37593 + mode |= GR_WRITE;
37595 + preempt_disable();
37597 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
37599 + /* it's only a read/write if it's an actual entry, not a dir
37600 + (which are opened for readdir)
37603 + /* convert the requested sysctl entry into a pathname */
37605 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
37606 + len += strlen(tmp->procname);
37611 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
37616 + memset(path, 0, PAGE_SIZE);
37618 + memcpy(path, proc_sys, strlen(proc_sys));
37620 + pos += strlen(proc_sys);
37622 + for (; depth > 0; depth--) {
37625 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
37626 + if (depth == i) {
37627 + memcpy(path + pos, tmp->procname,
37628 + strlen(tmp->procname));
37629 + pos += strlen(tmp->procname);
37635 + obj = gr_lookup_by_name(path, pos);
37636 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
37638 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
37639 + ((err & mode) != mode))) {
37640 + __u32 new_mode = mode;
37642 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37645 + gr_log_learn_sysctl(path, new_mode);
37646 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
37647 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
37649 + } else if (!(err & GR_FIND)) {
37651 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
37652 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
37653 + path, (mode & GR_READ) ? " reading" : "",
37654 + (mode & GR_WRITE) ? " writing" : "");
37656 + } else if ((err & mode) != mode) {
37658 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
37659 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
37660 + path, (mode & GR_READ) ? " reading" : "",
37661 + (mode & GR_WRITE) ? " writing" : "");
37667 + preempt_enable();
37674 +gr_handle_proc_ptrace(struct task_struct *task)
37676 + struct file *filp;
37677 + struct task_struct *tmp = task;
37678 + struct task_struct *curtemp = current;
37681 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
37682 + if (unlikely(!(gr_status & GR_READY)))
37686 + read_lock(&tasklist_lock);
37687 + read_lock(&grsec_exec_file_lock);
37688 + filp = task->exec_file;
37690 + while (tmp->pid > 0) {
37691 + if (tmp == curtemp)
37693 + tmp = tmp->parent;
37696 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
37697 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
37698 + read_unlock(&grsec_exec_file_lock);
37699 + read_unlock(&tasklist_lock);
37703 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
37704 + if (!(gr_status & GR_READY)) {
37705 + read_unlock(&grsec_exec_file_lock);
37706 + read_unlock(&tasklist_lock);
37711 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
37712 + read_unlock(&grsec_exec_file_lock);
37713 + read_unlock(&tasklist_lock);
37715 + if (retmode & GR_NOPTRACE)
37718 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
37719 + && (current->acl != task->acl || (current->acl != current->role->root_label
37720 + && current->pid != task->pid)))
37727 +gr_handle_ptrace(struct task_struct *task, const long request)
37729 + struct task_struct *tmp = task;
37730 + struct task_struct *curtemp = current;
37733 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
37734 + if (unlikely(!(gr_status & GR_READY)))
37738 + read_lock(&tasklist_lock);
37739 + while (tmp->pid > 0) {
37740 + if (tmp == curtemp)
37742 + tmp = tmp->parent;
37745 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
37746 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
37747 + read_unlock(&tasklist_lock);
37748 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37751 + read_unlock(&tasklist_lock);
37753 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
37754 + if (!(gr_status & GR_READY))
37758 + read_lock(&grsec_exec_file_lock);
37759 + if (unlikely(!task->exec_file)) {
37760 + read_unlock(&grsec_exec_file_lock);
37764 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
37765 + read_unlock(&grsec_exec_file_lock);
37767 + if (retmode & GR_NOPTRACE) {
37768 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37772 + if (retmode & GR_PTRACERD) {
37773 + switch (request) {
37774 + case PTRACE_POKETEXT:
37775 + case PTRACE_POKEDATA:
37776 + case PTRACE_POKEUSR:
37777 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
37778 + case PTRACE_SETREGS:
37779 + case PTRACE_SETFPREGS:
37782 + case PTRACE_SETFPXREGS:
37784 +#ifdef CONFIG_ALTIVEC
37785 + case PTRACE_SETVRREGS:
37791 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
37792 + !(current->role->roletype & GR_ROLE_GOD) &&
37793 + (current->acl != task->acl)) {
37794 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37801 +static int is_writable_mmap(const struct file *filp)
37803 + struct task_struct *task = current;
37804 + struct acl_object_label *obj, *obj2;
37806 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
37807 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {
37808 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37809 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
37810 + task->role->root_label);
37811 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
37812 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
37820 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
37824 + if (unlikely(!file || !(prot & PROT_EXEC)))
37827 + if (is_writable_mmap(file))
37831 + gr_search_file(file->f_path.dentry,
37832 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
37833 + file->f_path.mnt);
37835 + if (!gr_tpe_allow(file))
37838 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
37839 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37841 + } else if (unlikely(!(mode & GR_EXEC))) {
37843 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
37844 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37852 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
37856 + if (unlikely(!file || !(prot & PROT_EXEC)))
37859 + if (is_writable_mmap(file))
37863 + gr_search_file(file->f_path.dentry,
37864 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
37865 + file->f_path.mnt);
37867 + if (!gr_tpe_allow(file))
37870 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
37871 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37873 + } else if (unlikely(!(mode & GR_EXEC))) {
37875 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
37876 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37884 +gr_acl_handle_psacct(struct task_struct *task, const long code)
37886 + unsigned long runtime;
37887 + unsigned long cputime;
37888 + unsigned int wday, cday;
37892 + struct timespec timeval;
37894 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
37895 + !(task->acl->mode & GR_PROCACCT)))
37898 + do_posix_clock_monotonic_gettime(&timeval);
37899 + runtime = timeval.tv_sec - task->start_time.tv_sec;
37900 + wday = runtime / (3600 * 24);
37901 + runtime -= wday * (3600 * 24);
37902 + whr = runtime / 3600;
37903 + runtime -= whr * 3600;
37904 + wmin = runtime / 60;
37905 + runtime -= wmin * 60;
37908 + cputime = (task->utime + task->stime) / HZ;
37909 + cday = cputime / (3600 * 24);
37910 + cputime -= cday * (3600 * 24);
37911 + chr = cputime / 3600;
37912 + cputime -= chr * 3600;
37913 + cmin = cputime / 60;
37914 + cputime -= cmin * 60;
37917 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
37922 +void gr_set_kernel_label(struct task_struct *task)
37924 + if (gr_status & GR_READY) {
37925 + task->role = kernel_role;
37926 + task->acl = kernel_role->root_label;
37931 +#ifdef CONFIG_TASKSTATS
37932 +int gr_is_taskstats_denied(int pid)
37934 + struct task_struct *task;
37935 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37936 + const struct cred *cred;
37940 + /* restrict taskstats viewing to un-chrooted root users
37941 + who have the 'view' subject flag if the RBAC system is enabled
37945 + read_lock(&tasklist_lock);
37946 + task = find_task_by_vpid(pid);
37948 +#ifdef CONFIG_GRKERNSEC_CHROOT
37949 + if (proc_is_chrooted(task))
37952 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37953 + cred = __task_cred(task);
37954 +#ifdef CONFIG_GRKERNSEC_PROC_USER
37955 + if (cred->uid != 0)
37957 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37958 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
37962 + if (gr_status & GR_READY) {
37963 + if (!(task->acl->mode & GR_VIEW))
37969 + read_unlock(&tasklist_lock);
37970 + rcu_read_unlock();
37976 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
37978 + struct task_struct *task = current;
37979 + struct dentry *dentry = file->f_path.dentry;
37980 + struct vfsmount *mnt = file->f_path.mnt;
37981 + struct acl_object_label *obj, *tmp;
37982 + struct acl_subject_label *subj;
37983 + unsigned int bufsize;
37987 + if (unlikely(!(gr_status & GR_READY)))
37990 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37993 + /* ignore Eric Biederman */
37994 + if (IS_PRIVATE(dentry->d_inode))
37997 + subj = task->acl;
37999 + obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
38001 + return (obj->mode & GR_FIND) ? 1 : 0;
38002 + } while ((subj = subj->parent_subject));
38004 + /* this is purely an optimization since we're looking for an object
38005 + for the directory we're doing a readdir on
38006 + if it's possible for any globbed object to match the entry we're
38007 + filling into the directory, then the object we find here will be
38008 + an anchor point with attached globbed objects
38010 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
38011 + if (obj->globbed == NULL)
38012 + return (obj->mode & GR_FIND) ? 1 : 0;
38014 + is_not_root = ((obj->filename[0] == '/') &&
38015 + (obj->filename[1] == '\0')) ? 0 : 1;
38016 + bufsize = PAGE_SIZE - namelen - is_not_root;
38018 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
38019 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
38022 + preempt_disable();
38023 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
38026 + bufsize = strlen(path);
38028 + /* if base is "/", don't append an additional slash */
38030 + *(path + bufsize) = '/';
38031 + memcpy(path + bufsize + is_not_root, name, namelen);
38032 + *(path + bufsize + namelen + is_not_root) = '\0';
38034 + tmp = obj->globbed;
38036 + if (!glob_match(tmp->filename, path)) {
38037 + preempt_enable();
38038 + return (tmp->mode & GR_FIND) ? 1 : 0;
38042 + preempt_enable();
38043 + return (obj->mode & GR_FIND) ? 1 : 0;
38046 +EXPORT_SYMBOL(gr_learn_resource);
38047 +EXPORT_SYMBOL(gr_set_kernel_label);
38048 +#ifdef CONFIG_SECURITY
38049 +EXPORT_SYMBOL(gr_check_user_change);
38050 +EXPORT_SYMBOL(gr_check_group_change);
38053 diff -urNp linux-2.6.35.5/grsecurity/gracl_cap.c linux-2.6.35.5/grsecurity/gracl_cap.c
38054 --- linux-2.6.35.5/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
38055 +++ linux-2.6.35.5/grsecurity/gracl_cap.c 2010-09-17 20:12:37.000000000 -0400
38057 +#include <linux/kernel.h>
38058 +#include <linux/module.h>
38059 +#include <linux/sched.h>
38060 +#include <linux/gracl.h>
38061 +#include <linux/grsecurity.h>
38062 +#include <linux/grinternal.h>
38064 +static const char *captab_log[] = {
38066 + "CAP_DAC_OVERRIDE",
38067 + "CAP_DAC_READ_SEARCH",
38074 + "CAP_LINUX_IMMUTABLE",
38075 + "CAP_NET_BIND_SERVICE",
38076 + "CAP_NET_BROADCAST",
38081 + "CAP_SYS_MODULE",
38083 + "CAP_SYS_CHROOT",
38084 + "CAP_SYS_PTRACE",
38089 + "CAP_SYS_RESOURCE",
38091 + "CAP_SYS_TTY_CONFIG",
38094 + "CAP_AUDIT_WRITE",
38095 + "CAP_AUDIT_CONTROL",
38097 + "CAP_MAC_OVERRIDE",
38101 +EXPORT_SYMBOL(gr_is_capable);
38102 +EXPORT_SYMBOL(gr_is_capable_nolog);
38105 +gr_is_capable(const int cap)
38107 + struct task_struct *task = current;
38108 + const struct cred *cred = current_cred();
38109 + struct acl_subject_label *curracl;
38110 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38111 + kernel_cap_t cap_audit = __cap_empty_set;
38113 + if (!gr_acl_is_enabled())
38116 + curracl = task->acl;
38118 + cap_drop = curracl->cap_lower;
38119 + cap_mask = curracl->cap_mask;
38120 + cap_audit = curracl->cap_invert_audit;
38122 + while ((curracl = curracl->parent_subject)) {
38123 + /* if the cap isn't specified in the current computed mask but is specified in the
38124 + current level subject, and is lowered in the current level subject, then add
38125 + it to the set of dropped capabilities
38126 + otherwise, add the current level subject's mask to the current computed mask
38128 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38129 + cap_raise(cap_mask, cap);
38130 + if (cap_raised(curracl->cap_lower, cap))
38131 + cap_raise(cap_drop, cap);
38132 + if (cap_raised(curracl->cap_invert_audit, cap))
38133 + cap_raise(cap_audit, cap);
38137 + if (!cap_raised(cap_drop, cap)) {
38138 + if (cap_raised(cap_audit, cap))
38139 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
38143 + curracl = task->acl;
38145 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
38146 + && cap_raised(cred->cap_effective, cap)) {
38147 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38148 + task->role->roletype, cred->uid,
38149 + cred->gid, task->exec_file ?
38150 + gr_to_filename(task->exec_file->f_path.dentry,
38151 + task->exec_file->f_path.mnt) : curracl->filename,
38152 + curracl->filename, 0UL,
38153 + 0UL, "", (unsigned long) cap, &task->signal->curr_ip);
38157 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
38158 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
38163 +gr_is_capable_nolog(const int cap)
38165 + struct acl_subject_label *curracl;
38166 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38168 + if (!gr_acl_is_enabled())
38171 + curracl = current->acl;
38173 + cap_drop = curracl->cap_lower;
38174 + cap_mask = curracl->cap_mask;
38176 + while ((curracl = curracl->parent_subject)) {
38177 + /* if the cap isn't specified in the current computed mask but is specified in the
38178 + current level subject, and is lowered in the current level subject, then add
38179 + it to the set of dropped capabilities
38180 + otherwise, add the current level subject's mask to the current computed mask
38182 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38183 + cap_raise(cap_mask, cap);
38184 + if (cap_raised(curracl->cap_lower, cap))
38185 + cap_raise(cap_drop, cap);
38189 + if (!cap_raised(cap_drop, cap))
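Review bot: In gr_is_capable the audit path at patch line 38139 passes `captab_log[cap]` to gr_log_cap without the range check that the denial path applies at patch line 38157, so a capability number beyond the table would read past the end of `captab_log` whenever that capability is marked for audit. The same guard should precede the index there, for example `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`, or both log calls could go through one small helper that returns a fallback name for out-of-range values. Several lines of this function are missing from the listing, so an earlier bound on `cap` may exist that is not visible here.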
38195 diff -urNp linux-2.6.35.5/grsecurity/gracl_fs.c linux-2.6.35.5/grsecurity/gracl_fs.c
38196 --- linux-2.6.35.5/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
38197 +++ linux-2.6.35.5/grsecurity/gracl_fs.c 2010-09-17 20:12:37.000000000 -0400
38199 +#include <linux/kernel.h>
38200 +#include <linux/sched.h>
38201 +#include <linux/types.h>
38202 +#include <linux/fs.h>
38203 +#include <linux/file.h>
38204 +#include <linux/stat.h>
38205 +#include <linux/grsecurity.h>
38206 +#include <linux/grinternal.h>
38207 +#include <linux/gracl.h>
38210 +gr_acl_handle_hidden_file(const struct dentry * dentry,
38211 + const struct vfsmount * mnt)
38215 + if (unlikely(!dentry->d_inode))
38219 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
38221 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
38222 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38224 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
38225 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38227 + } else if (unlikely(!(mode & GR_FIND)))
38234 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
38237 + __u32 reqmode = GR_FIND;
38240 + if (unlikely(!dentry->d_inode))
38243 + if (unlikely(fmode & O_APPEND))
38244 + reqmode |= GR_APPEND;
38245 + else if (unlikely(fmode & FMODE_WRITE))
38246 + reqmode |= GR_WRITE;
38247 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38248 + reqmode |= GR_READ;
38249 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
38250 + reqmode &= ~GR_READ;
38252 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38255 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38256 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38257 + reqmode & GR_READ ? " reading" : "",
38258 + reqmode & GR_WRITE ? " writing" : reqmode &
38259 + GR_APPEND ? " appending" : "");
38262 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38264 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38265 + reqmode & GR_READ ? " reading" : "",
38266 + reqmode & GR_WRITE ? " writing" : reqmode &
38267 + GR_APPEND ? " appending" : "");
38269 + } else if (unlikely((mode & reqmode) != reqmode))
38276 +gr_acl_handle_creat(const struct dentry * dentry,
38277 + const struct dentry * p_dentry,
38278 + const struct vfsmount * p_mnt, const int fmode,
38281 + __u32 reqmode = GR_WRITE | GR_CREATE;
38284 + if (unlikely(fmode & O_APPEND))
38285 + reqmode |= GR_APPEND;
38286 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38287 + reqmode |= GR_READ;
38288 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
38289 + reqmode |= GR_SETID;
38292 + gr_check_create(dentry, p_dentry, p_mnt,
38293 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
38295 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38296 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
38297 + reqmode & GR_READ ? " reading" : "",
38298 + reqmode & GR_WRITE ? " writing" : reqmode &
38299 + GR_APPEND ? " appending" : "");
38302 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38304 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
38305 + reqmode & GR_READ ? " reading" : "",
38306 + reqmode & GR_WRITE ? " writing" : reqmode &
38307 + GR_APPEND ? " appending" : "");
38309 + } else if (unlikely((mode & reqmode) != reqmode))
38316 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
38319 + __u32 mode, reqmode = GR_FIND;
38321 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
38322 + reqmode |= GR_EXEC;
38323 + if (fmode & S_IWOTH)
38324 + reqmode |= GR_WRITE;
38325 + if (fmode & S_IROTH)
38326 + reqmode |= GR_READ;
38329 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38332 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38333 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
38334 + reqmode & GR_READ ? " reading" : "",
38335 + reqmode & GR_WRITE ? " writing" : "",
38336 + reqmode & GR_EXEC ? " executing" : "");
38339 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38341 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
38342 + reqmode & GR_READ ? " reading" : "",
38343 + reqmode & GR_WRITE ? " writing" : "",
38344 + reqmode & GR_EXEC ? " executing" : "");
38346 + } else if (unlikely((mode & reqmode) != reqmode))
38352 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
38356 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
38358 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
38359 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
38361 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
38362 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
38364 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
38367 + return (reqmode);
38371 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
38373 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
38377 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
38379 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
38383 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
38385 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
38389 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
38391 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
38395 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
38398 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
38401 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
38402 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
38403 + GR_FCHMOD_ACL_MSG);
38405 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
38410 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
38413 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
38414 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
38415 + GR_CHMOD_ACL_MSG);
38417 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
38422 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
38424 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
38428 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
38430 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
38434 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
38436 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
38437 + GR_UNIXCONNECT_ACL_MSG);
38440 +/* hardlinks require at minimum create permission,
38441 + any additional privilege required is based on the
38442 + privilege of the file being linked to
38445 +gr_acl_handle_link(const struct dentry * new_dentry,
38446 + const struct dentry * parent_dentry,
38447 + const struct vfsmount * parent_mnt,
38448 + const struct dentry * old_dentry,
38449 + const struct vfsmount * old_mnt, const char *to)
38452 + __u32 needmode = GR_CREATE | GR_LINK;
38453 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
38456 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
38459 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
38460 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
38462 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
38463 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
38465 + } else if (unlikely((mode & needmode) != needmode))
38472 +gr_acl_handle_symlink(const struct dentry * new_dentry,
38473 + const struct dentry * parent_dentry,
38474 + const struct vfsmount * parent_mnt, const char *from)
38476 + __u32 needmode = GR_WRITE | GR_CREATE;
38480 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
38481 + GR_CREATE | GR_AUDIT_CREATE |
38482 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
38484 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
38485 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
38487 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
38488 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
38490 + } else if (unlikely((mode & needmode) != needmode))
38493 + return (GR_WRITE | GR_CREATE);
38496 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
38500 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
38502 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
38503 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
38505 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
38506 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
38508 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
38511 + return (reqmode);
38515 +gr_acl_handle_mknod(const struct dentry * new_dentry,
38516 + const struct dentry * parent_dentry,
38517 + const struct vfsmount * parent_mnt,
38520 + __u32 reqmode = GR_WRITE | GR_CREATE;
38521 + if (unlikely(mode & (S_ISUID | S_ISGID)))
38522 + reqmode |= GR_SETID;
38524 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
38525 + reqmode, GR_MKNOD_ACL_MSG);
38529 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
38530 + const struct dentry *parent_dentry,
38531 + const struct vfsmount *parent_mnt)
38533 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
38534 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
38537 +#define RENAME_CHECK_SUCCESS(old, new) \
38538 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
38539 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
38542 +gr_acl_handle_rename(struct dentry *new_dentry,
38543 + struct dentry *parent_dentry,
38544 + const struct vfsmount *parent_mnt,
38545 + struct dentry *old_dentry,
38546 + struct inode *old_parent_inode,
38547 + struct vfsmount *old_mnt, const char *newname)
38549 + __u32 comp1, comp2;
38552 + if (unlikely(!gr_acl_is_enabled()))
38555 + if (!new_dentry->d_inode) {
38556 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
38557 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
38558 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
38559 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
38560 + GR_DELETE | GR_AUDIT_DELETE |
38561 + GR_AUDIT_READ | GR_AUDIT_WRITE |
38562 + GR_SUPPRESS, old_mnt);
38564 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
38565 + GR_CREATE | GR_DELETE |
38566 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
38567 + GR_AUDIT_READ | GR_AUDIT_WRITE |
38568 + GR_SUPPRESS, parent_mnt);
38570 + gr_search_file(old_dentry,
38571 + GR_READ | GR_WRITE | GR_AUDIT_READ |
38572 + GR_DELETE | GR_AUDIT_DELETE |
38573 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
38576 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
38577 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
38578 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
38579 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
38580 + && !(comp2 & GR_SUPPRESS)) {
38581 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
38583 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
38590 +gr_acl_handle_exit(void)
38594 + struct file *exec_file;
38596 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
38597 + id = current->acl_role_id;
38598 + rolename = current->role->rolename;
38600 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
38603 + write_lock(&grsec_exec_file_lock);
38604 + exec_file = current->exec_file;
38605 + current->exec_file = NULL;
38606 + write_unlock(&grsec_exec_file_lock);
38613 +gr_acl_handle_procpidmem(const struct task_struct *task)
38615 + if (unlikely(!gr_acl_is_enabled()))
38618 + if (task != current && task->acl->mode & GR_PROTPROCFD)
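Review bot: gr_acl_handle_symlink's success-audit branch at patch line 38484 tests only `mode & GR_WRITE`, while its two denial branches and every sibling handler in this file compare the returned mode against the full required mask. If gr_check_create can ever return GR_WRITE without GR_CREATE, an audited subject would take the success-audit branch for a request the later branches treat as denied. To match the other handlers the condition would read `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS)))`. Separately, gr_acl_handle_access dereferences `dentry->d_inode` at patch line 38321 without the NULL check that gr_acl_handle_open performs; presumably its callers guarantee a positive dentry, and a one-line comment stating that would help.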
38623 diff -urNp linux-2.6.35.5/grsecurity/gracl_ip.c linux-2.6.35.5/grsecurity/gracl_ip.c
38624 --- linux-2.6.35.5/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
38625 +++ linux-2.6.35.5/grsecurity/gracl_ip.c 2010-09-17 20:12:37.000000000 -0400
38627 +#include <linux/kernel.h>
38628 +#include <asm/uaccess.h>
38629 +#include <asm/errno.h>
38630 +#include <net/sock.h>
38631 +#include <linux/file.h>
38632 +#include <linux/fs.h>
38633 +#include <linux/net.h>
38634 +#include <linux/in.h>
38635 +#include <linux/skbuff.h>
38636 +#include <linux/ip.h>
38637 +#include <linux/udp.h>
38638 +#include <linux/smp_lock.h>
38639 +#include <linux/types.h>
38640 +#include <linux/sched.h>
38641 +#include <linux/netdevice.h>
38642 +#include <linux/inetdevice.h>
38643 +#include <linux/gracl.h>
38644 +#include <linux/grsecurity.h>
38645 +#include <linux/grinternal.h>
38647 +#define GR_BIND 0x01
38648 +#define GR_CONNECT 0x02
38649 +#define GR_INVERT 0x04
38650 +#define GR_BINDOVERRIDE 0x08
38651 +#define GR_CONNECTOVERRIDE 0x10
38653 +static const char * gr_protocols[256] = {
38654 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
38655 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
38656 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
38657 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
38658 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
38659 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
38660 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
38661 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
38662 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
38663 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
38664 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
38665 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
38666 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
38667 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
38668 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
38669 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
38670 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
38671 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
38672 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
38673 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
38674 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
38675 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
38676 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
38677 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
38678 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
38679 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
38680 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
38681 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
38682 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
38683 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
38684 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
38685 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
38688 +static const char * gr_socktypes[11] = {
38689 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
38690 + "unknown:7", "unknown:8", "unknown:9", "packet"
38694 +gr_proto_to_name(unsigned char proto)
38696 + return gr_protocols[proto];
38700 +gr_socktype_to_name(unsigned char type)
38702 + return gr_socktypes[type];
38706 +gr_search_socket(const int domain, const int type, const int protocol)
38708 + struct acl_subject_label *curr;
38709 + const struct cred *cred = current_cred();
38711 + if (unlikely(!gr_acl_is_enabled()))
38714 + if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
38715 + || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
38716 + goto exit; // let the kernel handle it
38718 + curr = current->acl;
38723 + if ((curr->ip_type & (1 << type)) &&
38724 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
38727 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
38728 + /* we don't place acls on raw sockets , and sometimes
38729 + dgram/ip sockets are opened for ioctl and not
38730 + bind/connect, so we'll fake a bind learn log */
38731 + if (type == SOCK_RAW || type == SOCK_PACKET) {
38732 + __u32 fakeip = 0;
38733 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38734 + current->role->roletype, cred->uid,
38735 + cred->gid, current->exec_file ?
38736 + gr_to_filename(current->exec_file->f_path.dentry,
38737 + current->exec_file->f_path.mnt) :
38738 + curr->filename, curr->filename,
38739 + &fakeip, 0, type,
38740 + protocol, GR_CONNECT, ¤t->signal->curr_ip);
38741 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
38742 + __u32 fakeip = 0;
38743 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38744 + current->role->roletype, cred->uid,
38745 + cred->gid, current->exec_file ?
38746 + gr_to_filename(current->exec_file->f_path.dentry,
38747 + current->exec_file->f_path.mnt) :
38748 + curr->filename, curr->filename,
38749 + &fakeip, 0, type,
38750 + protocol, GR_BIND, ¤t->signal->curr_ip);
38752 + /* we'll log when they use connect or bind */
38756 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
38757 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
38764 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
38766 + if ((ip->mode & mode) &&
38767 + (ip_port >= ip->low) &&
38768 + (ip_port <= ip->high) &&
38769 + ((ntohl(ip_addr) & our_netmask) ==
38770 + (ntohl(our_addr) & our_netmask))
38771 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
38772 + && (ip->type & (1 << type))) {
38773 + if (ip->mode & GR_INVERT)
38774 + return 2; // specifically denied
38776 + return 1; // allowed
38779 + return 0; // not specifically allowed, may continue parsing
38783 +gr_search_connectbind(const int full_mode, struct sock *sk,
38784 + struct sockaddr_in *addr, const int type)
38786 + char iface[IFNAMSIZ] = {0};
38787 + struct acl_subject_label *curr;
38788 + struct acl_ip_label *ip;
38789 + struct inet_sock *isk;
38790 + struct net_device *dev;
38791 + struct in_device *idev;
38794 + int mode = full_mode & (GR_BIND | GR_CONNECT);
38795 + __u32 ip_addr = 0;
38797 + __u32 our_netmask;
38799 + __u16 ip_port = 0;
38800 + const struct cred *cred = current_cred();
38802 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
38805 + curr = current->acl;
38806 + isk = inet_sk(sk);
38808 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
38809 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
38810 + addr->sin_addr.s_addr = curr->inaddr_any_override;
38811 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
38812 + struct sockaddr_in saddr;
38815 + saddr.sin_family = AF_INET;
38816 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
38817 + saddr.sin_port = isk->inet_sport;
38819 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
38823 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
38831 + ip_addr = addr->sin_addr.s_addr;
38832 + ip_port = ntohs(addr->sin_port);
38834 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
38835 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38836 + current->role->roletype, cred->uid,
38837 + cred->gid, current->exec_file ?
38838 + gr_to_filename(current->exec_file->f_path.dentry,
38839 + current->exec_file->f_path.mnt) :
38840 + curr->filename, curr->filename,
38841 + &ip_addr, ip_port, type,
38842 + sk->sk_protocol, mode, ¤t->signal->curr_ip);
38846 + for (i = 0; i < curr->ip_num; i++) {
38847 + ip = *(curr->ips + i);
38848 + if (ip->iface != NULL) {
38849 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
38850 + p = strchr(iface, ':');
38853 + dev = dev_get_by_name(sock_net(sk), iface);
38856 + idev = in_dev_get(dev);
38857 + if (idev == NULL) {
38863 + if (!strcmp(ip->iface, ifa->ifa_label)) {
38864 + our_addr = ifa->ifa_address;
38865 + our_netmask = 0xffffffff;
38866 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
38868 + rcu_read_unlock();
38869 + in_dev_put(idev);
38872 + } else if (ret == 2) {
38873 + rcu_read_unlock();
38874 + in_dev_put(idev);
38879 + } endfor_ifa(idev);
38880 + rcu_read_unlock();
38881 + in_dev_put(idev);
38884 + our_addr = ip->addr;
38885 + our_netmask = ip->netmask;
38886 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
38889 + else if (ret == 2)
38895 + if (mode == GR_BIND)
38896 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
38897 + else if (mode == GR_CONNECT)
38898 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
38904 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
38906 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
38910 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
38912 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
38915 +int gr_search_listen(struct socket *sock)
38917 + struct sock *sk = sock->sk;
38918 + struct sockaddr_in addr;
38920 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
38921 + addr.sin_port = inet_sk(sk)->inet_sport;
38923 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
38926 +int gr_search_accept(struct socket *sock)
38928 + struct sock *sk = sock->sk;
38929 + struct sockaddr_in addr;
38931 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
38932 + addr.sin_port = inet_sk(sk)->inet_sport;
38934 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
38938 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
38941 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
38943 + struct sockaddr_in sin;
38944 + const struct inet_sock *inet = inet_sk(sk);
38946 + sin.sin_addr.s_addr = inet->inet_daddr;
38947 + sin.sin_port = inet->inet_dport;
38949 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
38954 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
38956 + struct sockaddr_in sin;
38958 + if (unlikely(skb->len < sizeof (struct udphdr)))
38959 + return 0; // skip this packet
38961 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
38962 + sin.sin_port = udp_hdr(skb)->source;
38964 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
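Review bot: gr_socktype_to_name indexes the 11-entry `gr_socktypes` table with an `unsigned char` and no bound, and gr_search_connectbind passes it `type` taken from `sock->type` (patch lines 38896 and 38898) without the `type >= SOCK_MAX` check that gr_search_socket makes at patch line 38715. The same unvalidated `type` feeds `1 << type` in check_ip_policy. If the socket layer already limits `sock->type` this is unreachable, but the lookup is cheap to harden: `return type < ARRAY_SIZE(gr_socktypes) ? gr_socktypes[type] : "unknown";`. The bit tests `1 << (protocol % 32)` at patch lines 38724 and 38771 should use `1U`, so that selecting bit 31 does not shift into the sign bit of an int.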
38966 diff -urNp linux-2.6.35.5/grsecurity/gracl_learn.c linux-2.6.35.5/grsecurity/gracl_learn.c
38967 --- linux-2.6.35.5/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
38968 +++ linux-2.6.35.5/grsecurity/gracl_learn.c 2010-09-17 20:12:37.000000000 -0400
38970 +#include <linux/kernel.h>
38971 +#include <linux/mm.h>
38972 +#include <linux/sched.h>
38973 +#include <linux/poll.h>
38974 +#include <linux/smp_lock.h>
38975 +#include <linux/string.h>
38976 +#include <linux/file.h>
38977 +#include <linux/types.h>
38978 +#include <linux/vmalloc.h>
38979 +#include <linux/grinternal.h>
38981 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
38982 + size_t count, loff_t *ppos);
38983 +extern int gr_acl_is_enabled(void);
38985 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
38986 +static int gr_learn_attached;
38988 +/* use a 512k buffer */
38989 +#define LEARN_BUFFER_SIZE (512 * 1024)
38991 +static DEFINE_SPINLOCK(gr_learn_lock);
38992 +static DECLARE_MUTEX(gr_learn_user_sem);
38994 +/* we need to maintain two buffers, so that the kernel context of grlearn
38995 + uses a semaphore around the userspace copying, and the other kernel contexts
38996 + use a spinlock when copying into the buffer, since they cannot sleep
38998 +static char *learn_buffer;
38999 +static char *learn_buffer_user;
39000 +static int learn_buffer_len;
39001 +static int learn_buffer_user_len;
39004 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
39006 + DECLARE_WAITQUEUE(wait, current);
39007 + ssize_t retval = 0;
39009 + add_wait_queue(&learn_wait, &wait);
39010 + set_current_state(TASK_INTERRUPTIBLE);
39012 + down(&gr_learn_user_sem);
39013 + spin_lock(&gr_learn_lock);
39014 + if (learn_buffer_len)
39016 + spin_unlock(&gr_learn_lock);
39017 + up(&gr_learn_user_sem);
39018 + if (file->f_flags & O_NONBLOCK) {
39019 + retval = -EAGAIN;
39022 + if (signal_pending(current)) {
39023 + retval = -ERESTARTSYS;
39030 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
39031 + learn_buffer_user_len = learn_buffer_len;
39032 + retval = learn_buffer_len;
39033 + learn_buffer_len = 0;
39035 + spin_unlock(&gr_learn_lock);
39037 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
39038 + retval = -EFAULT;
39040 + up(&gr_learn_user_sem);
39042 + set_current_state(TASK_RUNNING);
39043 + remove_wait_queue(&learn_wait, &wait);
39047 +static unsigned int
39048 +poll_learn(struct file * file, poll_table * wait)
39050 + poll_wait(file, &learn_wait, wait);
39052 + if (learn_buffer_len)
39053 + return (POLLIN | POLLRDNORM);
39059 +gr_clear_learn_entries(void)
39063 + down(&gr_learn_user_sem);
39064 + if (learn_buffer != NULL) {
39065 + spin_lock(&gr_learn_lock);
39066 + tmp = learn_buffer;
39067 + learn_buffer = NULL;
39068 + spin_unlock(&gr_learn_lock);
39069 + vfree(learn_buffer);
39071 + if (learn_buffer_user != NULL) {
39072 + vfree(learn_buffer_user);
39073 + learn_buffer_user = NULL;
39075 + learn_buffer_len = 0;
39076 + up(&gr_learn_user_sem);
39082 +gr_add_learn_entry(const char *fmt, ...)
39085 + unsigned int len;
39087 + if (!gr_learn_attached)
39090 + spin_lock(&gr_learn_lock);
39092 + /* leave a gap at the end so we know when it's "full" but don't have to
39093 + compute the exact length of the string we're trying to append
39095 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
39096 + spin_unlock(&gr_learn_lock);
39097 + wake_up_interruptible(&learn_wait);
39100 + if (learn_buffer == NULL) {
39101 + spin_unlock(&gr_learn_lock);
39105 + va_start(args, fmt);
39106 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
39109 + learn_buffer_len += len + 1;
39111 + spin_unlock(&gr_learn_lock);
39112 + wake_up_interruptible(&learn_wait);
39118 +open_learn(struct inode *inode, struct file *file)
39120 + if (file->f_mode & FMODE_READ && gr_learn_attached)
39122 + if (file->f_mode & FMODE_READ) {
39124 + down(&gr_learn_user_sem);
39125 + if (learn_buffer == NULL)
39126 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
39127 + if (learn_buffer_user == NULL)
39128 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
39129 + if (learn_buffer == NULL) {
39130 + retval = -ENOMEM;
39133 + if (learn_buffer_user == NULL) {
39134 + retval = -ENOMEM;
39137 + learn_buffer_len = 0;
39138 + learn_buffer_user_len = 0;
39139 + gr_learn_attached = 1;
39141 + up(&gr_learn_user_sem);
39148 +close_learn(struct inode *inode, struct file *file)
39152 + if (file->f_mode & FMODE_READ) {
39153 + down(&gr_learn_user_sem);
39154 + if (learn_buffer != NULL) {
39155 + spin_lock(&gr_learn_lock);
39156 + tmp = learn_buffer;
39157 + learn_buffer = NULL;
39158 + spin_unlock(&gr_learn_lock);
39161 + if (learn_buffer_user != NULL) {
39162 + vfree(learn_buffer_user);
39163 + learn_buffer_user = NULL;
39165 + learn_buffer_len = 0;
39166 + learn_buffer_user_len = 0;
39167 + gr_learn_attached = 0;
39168 + up(&gr_learn_user_sem);
39174 +const struct file_operations grsec_fops = {
39175 + .read = read_learn,
39176 + .write = write_grsec_handler,
39177 + .open = open_learn,
39178 + .release = close_learn,
39179 + .poll = poll_learn,
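Review bot: In gr_clear_learn_entries the buffer pointer is saved in `tmp` and `learn_buffer` is set to NULL, but the next call is `vfree(learn_buffer)`, which frees NULL and leaks the 512k allocation; it should be `vfree(tmp);`. Separately, the visible lines of read_learn pass `learn_buffer_user_len` to copy_to_user without comparing it to `count`, so a reader that supplies a smaller buffer could have more bytes written than it asked for. Unless a line missing from this listing already does so, compare `count` with `learn_buffer_len` before the buffer is drained. Several lines of both functions are not shown here, so the second point should be confirmed against the full file.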
39181 diff -urNp linux-2.6.35.5/grsecurity/gracl_res.c linux-2.6.35.5/grsecurity/gracl_res.c
39182 --- linux-2.6.35.5/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
39183 +++ linux-2.6.35.5/grsecurity/gracl_res.c 2010-09-17 20:12:37.000000000 -0400
39185 +#include <linux/kernel.h>
39186 +#include <linux/sched.h>
39187 +#include <linux/gracl.h>
39188 +#include <linux/grinternal.h>
39190 +static const char *restab_log[] = {
39191 + [RLIMIT_CPU] = "RLIMIT_CPU",
39192 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
39193 + [RLIMIT_DATA] = "RLIMIT_DATA",
39194 + [RLIMIT_STACK] = "RLIMIT_STACK",
39195 + [RLIMIT_CORE] = "RLIMIT_CORE",
39196 + [RLIMIT_RSS] = "RLIMIT_RSS",
39197 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
39198 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
39199 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
39200 + [RLIMIT_AS] = "RLIMIT_AS",
39201 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
39202 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
39203 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
39204 + [RLIMIT_NICE] = "RLIMIT_NICE",
39205 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
39206 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
39207 + [GR_CRASH_RES] = "RLIMIT_CRASH"
39211 +gr_log_resource(const struct task_struct *task,
39212 + const int res, const unsigned long wanted, const int gt)
39214 + const struct cred *cred;
39215 + unsigned long rlim;
39217 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
39220 + // not yet supported resource
39221 + if (unlikely(!restab_log[res]))
39224 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
39225 + rlim = task_rlimit_max(task, res);
39227 + rlim = task_rlimit(task, res);
39229 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
39233 + cred = __task_cred(task);
39235 + if (res == RLIMIT_NPROC &&
39236 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
39237 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
39238 + goto out_rcu_unlock;
39239 + else if (res == RLIMIT_MEMLOCK &&
39240 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
39241 + goto out_rcu_unlock;
39242 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
39243 + goto out_rcu_unlock;
39244 + rcu_read_unlock();
39246 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
39250 + rcu_read_unlock();
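Review bot: `restab_log[res]` in gr_log_resource is indexed before `res` is range-checked, so a value outside the table would read past the array; the callers are outside this hunk, so whether that can happen is not visible here. A guard such as `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res]))` keeps the lookup safe regardless of the caller. The table could also be declared `static const char * const restab_log[]`, since the visible code never writes to it.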
39253 diff -urNp linux-2.6.35.5/grsecurity/gracl_segv.c linux-2.6.35.5/grsecurity/gracl_segv.c
39254 --- linux-2.6.35.5/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
39255 +++ linux-2.6.35.5/grsecurity/gracl_segv.c 2010-09-17 20:12:37.000000000 -0400
39257 +#include <linux/kernel.h>
39258 +#include <linux/mm.h>
39259 +#include <asm/uaccess.h>
39260 +#include <asm/errno.h>
39261 +#include <asm/mman.h>
39262 +#include <net/sock.h>
39263 +#include <linux/file.h>
39264 +#include <linux/fs.h>
39265 +#include <linux/net.h>
39266 +#include <linux/in.h>
39267 +#include <linux/smp_lock.h>
39268 +#include <linux/slab.h>
39269 +#include <linux/types.h>
39270 +#include <linux/sched.h>
39271 +#include <linux/timer.h>
39272 +#include <linux/gracl.h>
39273 +#include <linux/grsecurity.h>
39274 +#include <linux/grinternal.h>
39276 +static struct crash_uid *uid_set;
39277 +static unsigned short uid_used;
39278 +static DEFINE_SPINLOCK(gr_uid_lock);
39279 +extern rwlock_t gr_inode_lock;
39280 +extern struct acl_subject_label *
39281 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
39282 + struct acl_role_label *role);
39283 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
39286 +gr_init_uidset(void)
39289 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
39292 + return uid_set ? 1 : 0;
39296 +gr_free_uidset(void)
39305 +gr_find_uid(const uid_t uid)
39307 + struct crash_uid *tmp = uid_set;
39309 + int low = 0, high = uid_used - 1, mid;
39311 + while (high >= low) {
39312 + mid = (low + high) >> 1;
39313 + buid = tmp[mid].uid;
39325 +static __inline__ void
39326 +gr_insertsort(void)
39328 + unsigned short i, j;
39329 + struct crash_uid index;
39331 + for (i = 1; i < uid_used; i++) {
39332 + index = uid_set[i];
39334 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
39335 + uid_set[j] = uid_set[j - 1];
39338 + uid_set[j] = index;
39344 +static __inline__ void
39345 +gr_insert_uid(const uid_t uid, const unsigned long expires)
39349 + if (uid_used == GR_UIDTABLE_MAX)
39352 + loc = gr_find_uid(uid);
39355 + uid_set[loc].expires = expires;
39359 + uid_set[uid_used].uid = uid;
39360 + uid_set[uid_used].expires = expires;
39369 +gr_remove_uid(const unsigned short loc)
39371 + unsigned short i;
39373 + for (i = loc + 1; i < uid_used; i++)
39374 + uid_set[i - 1] = uid_set[i];
39382 +gr_check_crash_uid(const uid_t uid)
39387 + if (unlikely(!gr_acl_is_enabled()))
39390 + spin_lock(&gr_uid_lock);
39391 + loc = gr_find_uid(uid);
39396 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
39397 + gr_remove_uid(loc);
39402 + spin_unlock(&gr_uid_lock);
39406 +static __inline__ int
39407 +proc_is_setxid(const struct cred *cred)
39409 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
39410 + cred->uid != cred->fsuid)
39412 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
39413 + cred->gid != cred->fsgid)
39418 +static __inline__ int
39419 +gr_fake_force_sig(int sig, struct task_struct *t)
39421 + unsigned long int flags;
39422 + int ret, blocked, ignored;
39423 + struct k_sigaction *action;
39425 + spin_lock_irqsave(&t->sighand->siglock, flags);
39426 + action = &t->sighand->action[sig-1];
39427 + ignored = action->sa.sa_handler == SIG_IGN;
39428 + blocked = sigismember(&t->blocked, sig);
39429 + if (blocked || ignored) {
39430 + action->sa.sa_handler = SIG_DFL;
39432 + sigdelset(&t->blocked, sig);
39433 + recalc_sigpending_and_wake(t);
39436 + if (action->sa.sa_handler == SIG_DFL)
39437 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
39438 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
39440 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
39446 +gr_handle_crash(struct task_struct *task, const int sig)
39448 + struct acl_subject_label *curr;
39449 + struct acl_subject_label *curr2;
39450 + struct task_struct *tsk, *tsk2;
39451 + const struct cred *cred;
39452 + const struct cred *cred2;
39454 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
39457 + if (unlikely(!gr_acl_is_enabled()))
39460 + curr = task->acl;
39462 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
39465 + if (time_before_eq(curr->expires, get_seconds())) {
39466 + curr->expires = 0;
39467 + curr->crashes = 0;
39472 + if (!curr->expires)
39473 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
39475 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
39476 + time_after(curr->expires, get_seconds())) {
39478 + cred = __task_cred(task);
39479 + if (cred->uid && proc_is_setxid(cred)) {
39480 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
39481 + spin_lock(&gr_uid_lock);
39482 + gr_insert_uid(cred->uid, curr->expires);
39483 + spin_unlock(&gr_uid_lock);
39484 + curr->expires = 0;
39485 + curr->crashes = 0;
39486 + read_lock(&tasklist_lock);
39487 + do_each_thread(tsk2, tsk) {
39488 + cred2 = __task_cred(tsk);
39489 + if (tsk != task && cred2->uid == cred->uid)
39490 + gr_fake_force_sig(SIGKILL, tsk);
39491 + } while_each_thread(tsk2, tsk);
39492 + read_unlock(&tasklist_lock);
39494 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
39495 + read_lock(&tasklist_lock);
39496 + do_each_thread(tsk2, tsk) {
39497 + if (likely(tsk != task)) {
39498 + curr2 = tsk->acl;
39500 + if (curr2->device == curr->device &&
39501 + curr2->inode == curr->inode)
39502 + gr_fake_force_sig(SIGKILL, tsk);
39504 + } while_each_thread(tsk2, tsk);
39505 + read_unlock(&tasklist_lock);
39507 + rcu_read_unlock();
39514 +gr_check_crash_exec(const struct file *filp)
39516 + struct acl_subject_label *curr;
39518 + if (unlikely(!gr_acl_is_enabled()))
39521 + read_lock(&gr_inode_lock);
39522 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
39523 + filp->f_path.dentry->d_inode->i_sb->s_dev,
39525 + read_unlock(&gr_inode_lock);
39527 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
39528 + (!curr->crashes && !curr->expires))
39531 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
39532 + time_after(curr->expires, get_seconds()))
39534 + else if (time_before_eq(curr->expires, get_seconds())) {
39535 + curr->crashes = 0;
39536 + curr->expires = 0;
39543 +gr_handle_alertkill(struct task_struct *task)
39545 + struct acl_subject_label *curracl;
39547 + struct task_struct *p, *p2;
39549 + if (unlikely(!gr_acl_is_enabled()))
39552 + curracl = task->acl;
39553 + curr_ip = task->signal->curr_ip;
39555 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
39556 + read_lock(&tasklist_lock);
39557 + do_each_thread(p2, p) {
39558 + if (p->signal->curr_ip == curr_ip)
39559 + gr_fake_force_sig(SIGKILL, p);
39560 + } while_each_thread(p2, p);
39561 + read_unlock(&tasklist_lock);
39562 + } else if (curracl->mode & GR_KILLPROC)
39563 + gr_fake_force_sig(SIGKILL, task);
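Review bot: gr_insert_uid tests `uid_used == GR_UIDTABLE_MAX` and, as far as the visible lines show, records nothing when the table is full, so the lockout that gr_handle_crash requests for `cred->uid` silently does not take effect even though the start message has already been logged. Because this table backs a brute-force deterrent, a full table should fail visibly: log the condition, or replace the entry with the earliest `expires`. The statement after the check is not shown in this listing, so confirm it is a bare return. A comment such as `/* caller must hold gr_uid_lock; no-op when the table is full */` would at least document the current contract.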
39567 diff -urNp linux-2.6.35.5/grsecurity/gracl_shm.c linux-2.6.35.5/grsecurity/gracl_shm.c
39568 --- linux-2.6.35.5/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
39569 +++ linux-2.6.35.5/grsecurity/gracl_shm.c 2010-09-17 20:12:37.000000000 -0400
39571 +#include <linux/kernel.h>
39572 +#include <linux/mm.h>
39573 +#include <linux/sched.h>
39574 +#include <linux/file.h>
39575 +#include <linux/ipc.h>
39576 +#include <linux/gracl.h>
39577 +#include <linux/grsecurity.h>
39578 +#include <linux/grinternal.h>
39581 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39582 + const time_t shm_createtime, const uid_t cuid, const int shmid)
39584 + struct task_struct *task;
39586 + if (!gr_acl_is_enabled())
39590 + read_lock(&tasklist_lock);
39592 + task = find_task_by_vpid(shm_cprid);
39594 + if (unlikely(!task))
39595 + task = find_task_by_vpid(shm_lapid);
39597 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
39598 + (task->pid == shm_lapid)) &&
39599 + (task->acl->mode & GR_PROTSHM) &&
39600 + (task->acl != current->acl))) {
39601 + read_unlock(&tasklist_lock);
39602 + rcu_read_unlock();
39603 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
39606 + read_unlock(&tasklist_lock);
39607 + rcu_read_unlock();
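Review bot: The check in gr_handle_shmat compares `task->start_time.tv_sec` with `shm_createtime` through `time_before_eq`, and nothing in the hunk says which clock each value comes from. If the segment's creation time is wall-clock seconds while the task start time is measured since boot, the comparison would hold for almost every task and what looks like a PID-reuse filter would add nothing. Please confirm both values share a time base and record it above the condition, e.g. `/* both timestamps must use the same clock; creator is expected to predate the segment */`. `task->acl` is also dereferenced without a NULL check; whether it can be NULL for a task returned by `find_task_by_vpid` is not visible here.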
39611 diff -urNp linux-2.6.35.5/grsecurity/grsec_chdir.c linux-2.6.35.5/grsecurity/grsec_chdir.c
39612 --- linux-2.6.35.5/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
39613 +++ linux-2.6.35.5/grsecurity/grsec_chdir.c 2010-09-17 20:12:37.000000000 -0400
39615 +#include <linux/kernel.h>
39616 +#include <linux/sched.h>
39617 +#include <linux/fs.h>
39618 +#include <linux/file.h>
39619 +#include <linux/grsecurity.h>
39620 +#include <linux/grinternal.h>
39623 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
39625 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
39626 + if ((grsec_enable_chdir && grsec_enable_group &&
39627 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
39628 + !grsec_enable_group)) {
39629 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
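Review bot: The audit condition in gr_log_chdir tests `grsec_enable_chdir` twice and is harder to read than it needs to be; it is equivalent to `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`. The same shape appears in gr_handle_exec_args in grsec_exec.c, so a small shared helper for the "audit enabled for this task" test would keep the two gates from drifting apart.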
39634 diff -urNp linux-2.6.35.5/grsecurity/grsec_chroot.c linux-2.6.35.5/grsecurity/grsec_chroot.c
39635 --- linux-2.6.35.5/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
39636 +++ linux-2.6.35.5/grsecurity/grsec_chroot.c 2010-09-17 20:12:37.000000000 -0400
39638 +#include <linux/kernel.h>
39639 +#include <linux/module.h>
39640 +#include <linux/sched.h>
39641 +#include <linux/file.h>
39642 +#include <linux/fs.h>
39643 +#include <linux/mount.h>
39644 +#include <linux/types.h>
39645 +#include <linux/pid_namespace.h>
39646 +#include <linux/grsecurity.h>
39647 +#include <linux/grinternal.h>
39649 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
39651 +#ifdef CONFIG_GRKERNSEC
39652 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
39653 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
39654 + task->gr_is_chrooted = 1;
39656 + task->gr_is_chrooted = 0;
39658 + task->gr_chroot_dentry = path->dentry;
39663 +void gr_clear_chroot_entries(struct task_struct *task)
39665 +#ifdef CONFIG_GRKERNSEC
39666 + task->gr_is_chrooted = 0;
39667 + task->gr_chroot_dentry = NULL;
39673 +gr_handle_chroot_unix(const pid_t pid)
39675 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
39676 + struct pid *spid = NULL;
39678 + if (unlikely(!grsec_enable_chroot_unix))
39681 + if (likely(!proc_is_chrooted(current)))
39685 + read_lock(&tasklist_lock);
39687 + spid = find_vpid(pid);
39689 + struct task_struct *p;
39690 + p = pid_task(spid, PIDTYPE_PID);
39691 + if (unlikely(!have_same_root(current, p))) {
39692 + read_unlock(&tasklist_lock);
39693 + rcu_read_unlock();
39694 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
39698 + read_unlock(&tasklist_lock);
39699 + rcu_read_unlock();
39705 +gr_handle_chroot_nice(void)
39707 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39708 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
39709 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
39717 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
39719 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39720 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
39721 + && proc_is_chrooted(current)) {
39722 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
39730 +gr_handle_chroot_rawio(const struct inode *inode)
39732 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39733 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
39734 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
39741 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
39743 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
39744 + struct task_struct *p;
39746 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
39749 + read_lock(&tasklist_lock);
39750 + do_each_pid_task(pid, type, p) {
39751 + if (!have_same_root(current, p)) {
39755 + } while_each_pid_task(pid, type, p);
39757 + read_unlock(&tasklist_lock);
39764 +gr_pid_is_chrooted(struct task_struct *p)
39766 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
39767 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
39770 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
39771 + !have_same_root(current, p)) {
39778 +EXPORT_SYMBOL(gr_pid_is_chrooted);
39780 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
39781 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
39783 + struct dentry *dentry = (struct dentry *)u_dentry;
39784 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
39785 + struct dentry *realroot;
39786 + struct vfsmount *realrootmnt;
39787 + struct dentry *currentroot;
39788 + struct vfsmount *currentmnt;
39789 + struct task_struct *reaper = &init_task;
39792 + read_lock(&reaper->fs->lock);
39793 + realrootmnt = mntget(reaper->fs->root.mnt);
39794 + realroot = dget(reaper->fs->root.dentry);
39795 + read_unlock(&reaper->fs->lock);
39797 + read_lock(¤t->fs->lock);
39798 + currentmnt = mntget(current->fs->root.mnt);
39799 + currentroot = dget(current->fs->root.dentry);
39800 + read_unlock(¤t->fs->lock);
39802 + spin_lock(&dcache_lock);
39804 + if (unlikely((dentry == realroot && mnt == realrootmnt)
39805 + || (dentry == currentroot && mnt == currentmnt)))
39807 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
39808 + if (mnt->mnt_parent == mnt)
39810 + dentry = mnt->mnt_mountpoint;
39811 + mnt = mnt->mnt_parent;
39814 + dentry = dentry->d_parent;
39816 + spin_unlock(&dcache_lock);
39818 + dput(currentroot);
39819 + mntput(currentmnt);
39821 + /* access is outside of chroot */
39822 + if (dentry == realroot && mnt == realrootmnt)
39826 + mntput(realrootmnt);
39832 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
39834 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
39835 + if (!grsec_enable_chroot_fchdir)
39838 + if (!proc_is_chrooted(current))
39840 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
39841 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
39849 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39850 + const time_t shm_createtime)
39852 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
39853 + struct pid *pid = NULL;
39854 + time_t starttime;
39856 + if (unlikely(!grsec_enable_chroot_shmat))
39859 + if (likely(!proc_is_chrooted(current)))
39863 + read_lock(&tasklist_lock);
39865 + pid = find_vpid(shm_cprid);
39867 + struct task_struct *p;
39868 + p = pid_task(pid, PIDTYPE_PID);
39869 + starttime = p->start_time.tv_sec;
39870 + if (unlikely(!have_same_root(current, p) &&
39871 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
39872 + read_unlock(&tasklist_lock);
39873 + rcu_read_unlock();
39874 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
39878 + pid = find_vpid(shm_lapid);
39880 + struct task_struct *p;
39881 + p = pid_task(pid, PIDTYPE_PID);
39882 + if (unlikely(!have_same_root(current, p))) {
39883 + read_unlock(&tasklist_lock);
39884 + rcu_read_unlock();
39885 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
39891 + read_unlock(&tasklist_lock);
39892 + rcu_read_unlock();
39898 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
39900 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
39901 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
39902 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
39908 +gr_handle_chroot_mknod(const struct dentry *dentry,
39909 + const struct vfsmount *mnt, const int mode)
39911 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
39912 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
39913 + proc_is_chrooted(current)) {
39914 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
39922 +gr_handle_chroot_mount(const struct dentry *dentry,
39923 + const struct vfsmount *mnt, const char *dev_name)
39925 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
39926 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
39927 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
39935 +gr_handle_chroot_pivot(void)
39937 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
39938 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
39939 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
39947 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
39949 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
39950 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
39951 + !gr_is_outside_chroot(dentry, mnt)) {
39952 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
39960 +gr_handle_chroot_caps(struct path *path)
39962 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39963 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
39964 + (init_task.fs->root.dentry != path->dentry) &&
39965 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
39967 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
39968 + const struct cred *old = current_cred();
39969 + struct cred *new = prepare_creds();
39973 + new->cap_permitted = cap_drop(old->cap_permitted,
39975 + new->cap_inheritable = cap_drop(old->cap_inheritable,
39977 + new->cap_effective = cap_drop(old->cap_effective,
39980 + commit_creds(new);
39989 +gr_handle_chroot_sysctl(const int op)
39991 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
39992 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
39993 + proc_is_chrooted(current))
40000 +gr_handle_chroot_chdir(struct path *path)
40002 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
40003 + if (grsec_enable_chroot_chdir)
40004 + set_fs_pwd(current->fs, path);
40010 +gr_handle_chroot_chmod(const struct dentry *dentry,
40011 + const struct vfsmount *mnt, const int mode)
40013 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
40014 + if (grsec_enable_chroot_chmod &&
40015 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
40016 + proc_is_chrooted(current)) {
40017 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
40024 +#ifdef CONFIG_SECURITY
40025 +EXPORT_SYMBOL(gr_handle_chroot_caps);
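Review bot: In gr_chroot_shmat the result of `pid_task(pid, PIDTYPE_PID)` is dereferenced on the very next line (`starttime = p->start_time.tv_sec;`) with no NULL check, and gr_handle_chroot_unix and the second lookup in gr_chroot_shmat pass `p` straight to `have_same_root`. A `struct pid` can outlive its task, so `pid_task` may return NULL even when `find_vpid` succeeded; `have_same_root` is defined outside this hunk, so whether it tolerates NULL is not visible. Guard each use, e.g. `if (unlikely(p && !have_same_root(current, p)))`, and read `starttime` only inside an `if (p)` block.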
40027 diff -urNp linux-2.6.35.5/grsecurity/grsec_disabled.c linux-2.6.35.5/grsecurity/grsec_disabled.c
40028 --- linux-2.6.35.5/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
40029 +++ linux-2.6.35.5/grsecurity/grsec_disabled.c 2010-09-17 20:12:37.000000000 -0400
40031 +#include <linux/kernel.h>
40032 +#include <linux/module.h>
40033 +#include <linux/sched.h>
40034 +#include <linux/file.h>
40035 +#include <linux/fs.h>
40036 +#include <linux/kdev_t.h>
40037 +#include <linux/net.h>
40038 +#include <linux/in.h>
40039 +#include <linux/ip.h>
40040 +#include <linux/skbuff.h>
40041 +#include <linux/sysctl.h>
40043 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
40045 +pax_set_initial_flags(struct linux_binprm *bprm)
40051 +#ifdef CONFIG_SYSCTL
40053 +gr_handle_sysctl(const struct ctl_table * table, const int op)
40059 +#ifdef CONFIG_TASKSTATS
40060 +int gr_is_taskstats_denied(int pid)
40067 +gr_acl_is_enabled(void)
40073 +gr_handle_rawio(const struct inode *inode)
40079 +gr_acl_handle_psacct(struct task_struct *task, const long code)
40085 +gr_handle_ptrace(struct task_struct *task, const long request)
40091 +gr_handle_proc_ptrace(struct task_struct *task)
40097 +gr_learn_resource(const struct task_struct *task,
40098 + const int res, const unsigned long wanted, const int gt)
40104 +gr_set_acls(const int type)
40110 +gr_check_hidden_task(const struct task_struct *tsk)
40116 +gr_check_protected_task(const struct task_struct *task)
40122 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
40128 +gr_copy_label(struct task_struct *tsk)
40134 +gr_set_pax_flags(struct task_struct *task)
40140 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
40141 + const int unsafe_share)
40147 +gr_handle_delete(const ino_t ino, const dev_t dev)
40153 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
40159 +gr_handle_crash(struct task_struct *task, const int sig)
40165 +gr_check_crash_exec(const struct file *filp)
40171 +gr_check_crash_uid(const uid_t uid)
40177 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
40178 + struct dentry *old_dentry,
40179 + struct dentry *new_dentry,
40180 + struct vfsmount *mnt, const __u8 replace)
40186 +gr_search_socket(const int family, const int type, const int protocol)
40192 +gr_search_connectbind(const int mode, const struct socket *sock,
40193 + const struct sockaddr_in *addr)
40199 +gr_is_capable(const int cap)
40205 +gr_is_capable_nolog(const int cap)
40211 +gr_handle_alertkill(struct task_struct *task)
40217 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
40223 +gr_acl_handle_hidden_file(const struct dentry * dentry,
40224 + const struct vfsmount * mnt)
40230 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
40237 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
40243 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
40249 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
40250 + unsigned int *vm_flags)
40256 +gr_acl_handle_truncate(const struct dentry * dentry,
40257 + const struct vfsmount * mnt)
40263 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
40269 +gr_acl_handle_access(const struct dentry * dentry,
40270 + const struct vfsmount * mnt, const int fmode)
40276 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
40283 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
40290 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
40296 +grsecurity_init(void)
40302 +gr_acl_handle_mknod(const struct dentry * new_dentry,
40303 + const struct dentry * parent_dentry,
40304 + const struct vfsmount * parent_mnt,
40311 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
40312 + const struct dentry * parent_dentry,
40313 + const struct vfsmount * parent_mnt)
40319 +gr_acl_handle_symlink(const struct dentry * new_dentry,
40320 + const struct dentry * parent_dentry,
40321 + const struct vfsmount * parent_mnt, const char *from)
40327 +gr_acl_handle_link(const struct dentry * new_dentry,
40328 + const struct dentry * parent_dentry,
40329 + const struct vfsmount * parent_mnt,
40330 + const struct dentry * old_dentry,
40331 + const struct vfsmount * old_mnt, const char *to)
40337 +gr_acl_handle_rename(const struct dentry *new_dentry,
40338 + const struct dentry *parent_dentry,
40339 + const struct vfsmount *parent_mnt,
40340 + const struct dentry *old_dentry,
40341 + const struct inode *old_parent_inode,
40342 + const struct vfsmount *old_mnt, const char *newname)
40348 +gr_acl_handle_filldir(const struct file *file, const char *name,
40349 + const int namelen, const ino_t ino)
40355 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40356 + const time_t shm_createtime, const uid_t cuid, const int shmid)
40362 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
40368 +gr_search_accept(const struct socket *sock)
40374 +gr_search_listen(const struct socket *sock)
40380 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
40386 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
40392 +gr_acl_handle_creat(const struct dentry * dentry,
40393 + const struct dentry * p_dentry,
40394 + const struct vfsmount * p_mnt, const int fmode,
40401 +gr_acl_handle_exit(void)
40407 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
40413 +gr_set_role_label(const uid_t uid, const gid_t gid)
40419 +gr_acl_handle_procpidmem(const struct task_struct *task)
40425 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
40431 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
40437 +gr_set_kernel_label(struct task_struct *task)
40443 +gr_check_user_change(int real, int effective, int fs)
40449 +gr_check_group_change(int real, int effective, int fs)
40454 +EXPORT_SYMBOL(gr_is_capable);
40455 +EXPORT_SYMBOL(gr_is_capable_nolog);
40456 +EXPORT_SYMBOL(gr_learn_resource);
40457 +EXPORT_SYMBOL(gr_set_kernel_label);
40458 +#ifdef CONFIG_SECURITY
40459 +EXPORT_SYMBOL(gr_check_user_change);
40460 +EXPORT_SYMBOL(gr_check_group_change);
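Review bot: The stub `gr_search_connectbind(const int mode, const struct socket *sock, const struct sockaddr_in *addr)` takes three parameters, while the call visible in the preceding file of this patch passes four (`GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM`). If a shared header declares the function, the disabled build would conflict with it; if none does, the stub looks unused and could be dropped. The function bodies are not shown in this listing, so only the signatures were reviewed.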
40462 diff -urNp linux-2.6.35.5/grsecurity/grsec_exec.c linux-2.6.35.5/grsecurity/grsec_exec.c
40463 --- linux-2.6.35.5/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
40464 +++ linux-2.6.35.5/grsecurity/grsec_exec.c 2010-09-17 20:12:37.000000000 -0400
40466 +#include <linux/kernel.h>
40467 +#include <linux/sched.h>
40468 +#include <linux/file.h>
40469 +#include <linux/binfmts.h>
40470 +#include <linux/smp_lock.h>
40471 +#include <linux/fs.h>
40472 +#include <linux/types.h>
40473 +#include <linux/grdefs.h>
40474 +#include <linux/grinternal.h>
40475 +#include <linux/capability.h>
40477 +#include <asm/uaccess.h>
40479 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40480 +static char gr_exec_arg_buf[132];
40481 +static DECLARE_MUTEX(gr_exec_arg_sem);
40485 +gr_handle_nproc(void)
40487 +#ifdef CONFIG_GRKERNSEC_EXECVE
40488 + const struct cred *cred = current_cred();
40489 + if (grsec_enable_execve && cred->user &&
40490 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
40491 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
40492 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
40500 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
40502 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40503 + char *grarg = gr_exec_arg_buf;
40504 + unsigned int i, x, execlen = 0;
40507 + if (!((grsec_enable_execlog && grsec_enable_group &&
40508 + in_group_p(grsec_audit_gid))
40509 + || (grsec_enable_execlog && !grsec_enable_group)))
40512 + down(&gr_exec_arg_sem);
40513 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
40515 + if (unlikely(argv == NULL))
40518 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
40519 + const char __user *p;
40520 + unsigned int len;
40522 + if (copy_from_user(&p, argv + i, sizeof(p)))
40526 + len = strnlen_user(p, 128 - execlen);
40527 + if (len > 128 - execlen)
40528 + len = 128 - execlen;
40529 + else if (len > 0)
40531 + if (copy_from_user(grarg + execlen, p, len))
40534 + /* rewrite unprintable characters */
40535 + for (x = 0; x < len; x++) {
40536 + c = *(grarg + execlen + x);
40537 + if (c < 32 || c > 126)
40538 + *(grarg + execlen + x) = ' ';
40542 + *(grarg + execlen) = ' ';
40543 + *(grarg + execlen + 1) = '\0';
40548 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
40549 + bprm->file->f_path.mnt, grarg);
40550 + up(&gr_exec_arg_sem);
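Review bot: The argument-log limit in `gr_handle_exec_args` is written as a bare `128` throughout the loop and as `132` in the `gr_exec_arg_buf` declaration, so the reader has to work out that the extra bytes cover the space and NUL appended after each argument. A named constant makes the bound auditable, e.g. `#define GR_EXEC_ARG_LOGLEN 128` with `static char gr_exec_arg_buf[GR_EXEC_ARG_LOGLEN + 4];`. A comment above the loop should also state that the audit record holds at most 128 bytes of argv and is cut without a marker, so consumers of GR_EXEC_AUDIT_MSG records know the logged command line can be incomplete. Several lines of this function are missing from the listing, so this is read from the visible statements only.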
40554 diff -urNp linux-2.6.35.5/grsecurity/grsec_fifo.c linux-2.6.35.5/grsecurity/grsec_fifo.c
40555 --- linux-2.6.35.5/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
40556 +++ linux-2.6.35.5/grsecurity/grsec_fifo.c 2010-09-17 20:12:37.000000000 -0400
40558 +#include <linux/kernel.h>
40559 +#include <linux/sched.h>
40560 +#include <linux/fs.h>
40561 +#include <linux/file.h>
40562 +#include <linux/grinternal.h>
40565 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
40566 + const struct dentry *dir, const int flag, const int acc_mode)
40568 +#ifdef CONFIG_GRKERNSEC_FIFO
40569 + const struct cred *cred = current_cred();
40571 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
40572 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
40573 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
40574 + (cred->fsuid != dentry->d_inode->i_uid)) {
40575 + if (!generic_permission(dentry->d_inode, acc_mode, NULL))
40576 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
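Review bot: The nested `if (!generic_permission(dentry->d_inode, acc_mode, NULL))` in `gr_handle_fifo` reads as inverted unless one remembers that generic_permission() returns 0 on success, and nothing explains why the alert is conditional. I would add a comment such as `/* log only if DAC would have allowed the open; an ordinary permission failure is not worth an alert */`, which is presumably the intent (the return statements are not visible in this listing). The function also dereferences `dentry->d_inode` and `dir->d_inode` unchecked, so a header comment stating that callers pass positive dentries would document the assumption.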
40582 diff -urNp linux-2.6.35.5/grsecurity/grsec_fork.c linux-2.6.35.5/grsecurity/grsec_fork.c
40583 --- linux-2.6.35.5/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
40584 +++ linux-2.6.35.5/grsecurity/grsec_fork.c 2010-09-23 20:39:19.000000000 -0400
40586 +#include <linux/kernel.h>
40587 +#include <linux/sched.h>
40588 +#include <linux/grsecurity.h>
40589 +#include <linux/grinternal.h>
40590 +#include <linux/errno.h>
40593 +gr_log_forkfail(const int retval)
40595 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
40596 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
40597 + switch (retval) {
40599 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
40602 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
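Review bot: `gr_log_forkfail` tests `retval` twice: the outer `if` already restricts it to -EAGAIN or -ENOMEM, and the `switch (retval)` then chooses between the same two values. A single call is shorter and cannot drift out of sync with the guard: `gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval == -EAGAIN ? "EAGAIN" : "ENOMEM");`. The case labels are missing from this listing, so this assumes the switch has only those two arms.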
40609 diff -urNp linux-2.6.35.5/grsecurity/grsec_init.c linux-2.6.35.5/grsecurity/grsec_init.c
40610 --- linux-2.6.35.5/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
40611 +++ linux-2.6.35.5/grsecurity/grsec_init.c 2010-09-17 20:12:37.000000000 -0400
40613 +#include <linux/kernel.h>
40614 +#include <linux/sched.h>
40615 +#include <linux/mm.h>
40616 +#include <linux/smp_lock.h>
40617 +#include <linux/gracl.h>
40618 +#include <linux/slab.h>
40619 +#include <linux/vmalloc.h>
40620 +#include <linux/percpu.h>
40621 +#include <linux/module.h>
40623 +int grsec_enable_link;
40624 +int grsec_enable_dmesg;
40625 +int grsec_enable_harden_ptrace;
40626 +int grsec_enable_fifo;
40627 +int grsec_enable_execve;
40628 +int grsec_enable_execlog;
40629 +int grsec_enable_signal;
40630 +int grsec_enable_forkfail;
40631 +int grsec_enable_audit_ptrace;
40632 +int grsec_enable_time;
40633 +int grsec_enable_audit_textrel;
40634 +int grsec_enable_group;
40635 +int grsec_audit_gid;
40636 +int grsec_enable_chdir;
40637 +int grsec_enable_mount;
40638 +int grsec_enable_rofs;
40639 +int grsec_enable_chroot_findtask;
40640 +int grsec_enable_chroot_mount;
40641 +int grsec_enable_chroot_shmat;
40642 +int grsec_enable_chroot_fchdir;
40643 +int grsec_enable_chroot_double;
40644 +int grsec_enable_chroot_pivot;
40645 +int grsec_enable_chroot_chdir;
40646 +int grsec_enable_chroot_chmod;
40647 +int grsec_enable_chroot_mknod;
40648 +int grsec_enable_chroot_nice;
40649 +int grsec_enable_chroot_execlog;
40650 +int grsec_enable_chroot_caps;
40651 +int grsec_enable_chroot_sysctl;
40652 +int grsec_enable_chroot_unix;
40653 +int grsec_enable_tpe;
40654 +int grsec_tpe_gid;
40655 +int grsec_enable_blackhole;
40656 +#ifdef CONFIG_IPV6_MODULE
40657 +EXPORT_SYMBOL(grsec_enable_blackhole);
40659 +int grsec_lastack_retries;
40660 +int grsec_enable_tpe_all;
40661 +int grsec_enable_tpe_invert;
40662 +int grsec_enable_socket_all;
40663 +int grsec_socket_all_gid;
40664 +int grsec_enable_socket_client;
40665 +int grsec_socket_client_gid;
40666 +int grsec_enable_socket_server;
40667 +int grsec_socket_server_gid;
40668 +int grsec_resource_logging;
40669 +int grsec_disable_privio;
40672 +DEFINE_SPINLOCK(grsec_alert_lock);
40673 +unsigned long grsec_alert_wtime = 0;
40674 +unsigned long grsec_alert_fyet = 0;
40676 +DEFINE_SPINLOCK(grsec_audit_lock);
40678 +DEFINE_RWLOCK(grsec_exec_file_lock);
40680 +char *gr_shared_page[4];
40682 +char *gr_alert_log_fmt;
40683 +char *gr_audit_log_fmt;
40684 +char *gr_alert_log_buf;
40685 +char *gr_audit_log_buf;
40687 +extern struct gr_arg *gr_usermode;
40688 +extern unsigned char *gr_system_salt;
40689 +extern unsigned char *gr_system_sum;
40692 +grsecurity_init(void)
40695 + /* create the per-cpu shared pages */
40698 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
40701 + for (j = 0; j < 4; j++) {
40702 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
40703 + if (gr_shared_page[j] == NULL) {
40704 + panic("Unable to allocate grsecurity shared page");
40709 + /* allocate log buffers */
40710 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
40711 + if (!gr_alert_log_fmt) {
40712 + panic("Unable to allocate grsecurity alert log format buffer");
40715 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
40716 + if (!gr_audit_log_fmt) {
40717 + panic("Unable to allocate grsecurity audit log format buffer");
40720 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
40721 + if (!gr_alert_log_buf) {
40722 + panic("Unable to allocate grsecurity alert log buffer");
40725 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
40726 + if (!gr_audit_log_buf) {
40727 + panic("Unable to allocate grsecurity audit log buffer");
40731 + /* allocate memory for authentication structure */
40732 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
40733 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
40734 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
40736 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
40737 + panic("Unable to allocate grsecurity authentication structure");
40742 +#ifdef CONFIG_GRKERNSEC_IO
40743 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
40744 + grsec_disable_privio = 1;
40745 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
40746 + grsec_disable_privio = 1;
40748 + grsec_disable_privio = 0;
40752 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
40753 + /* for backward compatibility, tpe_invert always defaults to on if
40754 + enabled in the kernel
40756 + grsec_enable_tpe_invert = 1;
40759 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
40760 +#ifndef CONFIG_GRKERNSEC_SYSCTL
40764 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
40765 + grsec_enable_audit_textrel = 1;
40767 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
40768 + grsec_enable_group = 1;
40769 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
40771 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40772 + grsec_enable_chdir = 1;
40774 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
40775 + grsec_enable_harden_ptrace = 1;
40777 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
40778 + grsec_enable_mount = 1;
40780 +#ifdef CONFIG_GRKERNSEC_LINK
40781 + grsec_enable_link = 1;
40783 +#ifdef CONFIG_GRKERNSEC_DMESG
40784 + grsec_enable_dmesg = 1;
40786 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
40787 + grsec_enable_blackhole = 1;
40788 + grsec_lastack_retries = 4;
40790 +#ifdef CONFIG_GRKERNSEC_FIFO
40791 + grsec_enable_fifo = 1;
40793 +#ifdef CONFIG_GRKERNSEC_EXECVE
40794 + grsec_enable_execve = 1;
40796 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40797 + grsec_enable_execlog = 1;
40799 +#ifdef CONFIG_GRKERNSEC_SIGNAL
40800 + grsec_enable_signal = 1;
40802 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
40803 + grsec_enable_forkfail = 1;
40805 +#ifdef CONFIG_GRKERNSEC_TIME
40806 + grsec_enable_time = 1;
40808 +#ifdef CONFIG_GRKERNSEC_RESLOG
40809 + grsec_resource_logging = 1;
40811 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40812 + grsec_enable_chroot_findtask = 1;
40814 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
40815 + grsec_enable_chroot_unix = 1;
40817 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
40818 + grsec_enable_chroot_mount = 1;
40820 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
40821 + grsec_enable_chroot_fchdir = 1;
40823 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
40824 + grsec_enable_chroot_shmat = 1;
40826 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
40827 + grsec_enable_audit_ptrace = 1;
40829 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
40830 + grsec_enable_chroot_double = 1;
40832 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
40833 + grsec_enable_chroot_pivot = 1;
40835 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
40836 + grsec_enable_chroot_chdir = 1;
40838 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
40839 + grsec_enable_chroot_chmod = 1;
40841 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
40842 + grsec_enable_chroot_mknod = 1;
40844 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40845 + grsec_enable_chroot_nice = 1;
40847 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
40848 + grsec_enable_chroot_execlog = 1;
40850 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40851 + grsec_enable_chroot_caps = 1;
40853 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
40854 + grsec_enable_chroot_sysctl = 1;
40856 +#ifdef CONFIG_GRKERNSEC_TPE
40857 + grsec_enable_tpe = 1;
40858 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
40859 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
40860 + grsec_enable_tpe_all = 1;
40863 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
40864 + grsec_enable_socket_all = 1;
40865 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
40867 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
40868 + grsec_enable_socket_client = 1;
40869 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
40871 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
40872 + grsec_enable_socket_server = 1;
40873 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
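Review bot: The `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` near the top of `grsecurity_init` has no explanation, and the only nearby comment (`create the per-cpu shared pages`) describes the loop that follows it. The offset and length match the PC BIOS data area keyboard buffer (head and tail pointers plus the 32-byte ring), so this is presumably wiping pre-boot keystrokes such as a BIOS or bootloader password. Please say so, e.g. `/* clear the BIOS keyboard buffer so pre-boot password keystrokes do not linger in low memory */`. Named constants for `0x41a` and `36` would make the range checkable. The comment should also state which architectures the write is valid on, since the guarding preprocessor line is not visible here.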
40879 diff -urNp linux-2.6.35.5/grsecurity/grsec_link.c linux-2.6.35.5/grsecurity/grsec_link.c
40880 --- linux-2.6.35.5/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
40881 +++ linux-2.6.35.5/grsecurity/grsec_link.c 2010-09-17 20:12:37.000000000 -0400
40883 +#include <linux/kernel.h>
40884 +#include <linux/sched.h>
40885 +#include <linux/fs.h>
40886 +#include <linux/file.h>
40887 +#include <linux/grinternal.h>
40890 +gr_handle_follow_link(const struct inode *parent,
40891 + const struct inode *inode,
40892 + const struct dentry *dentry, const struct vfsmount *mnt)
40894 +#ifdef CONFIG_GRKERNSEC_LINK
40895 + const struct cred *cred = current_cred();
40897 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
40898 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
40899 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
40900 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
40908 +gr_handle_hardlink(const struct dentry *dentry,
40909 + const struct vfsmount *mnt,
40910 + struct inode *inode, const int mode, const char *to)
40912 +#ifdef CONFIG_GRKERNSEC_LINK
40913 + const struct cred *cred = current_cred();
40915 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
40916 + (!S_ISREG(mode) || (mode & S_ISUID) ||
40917 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
40918 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
40919 + !capable(CAP_FOWNER) && cred->uid) {
40920 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
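Review bot: In `gr_handle_hardlink` the trailing `&& cred->uid` exempts every uid-0 caller from the restriction, independently of the `!capable(CAP_FOWNER)` test beside it. A process running as uid 0 with CAP_FOWNER dropped therefore still passes, which weakens capability-based confinement of root-owned services. If that is not intended, ending the condition at `!capable(CAP_FOWNER)) {` expresses the privilege purely as a capability. If it is intended, a comment on that line should say why the uid is tested as well.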
40926 diff -urNp linux-2.6.35.5/grsecurity/grsec_log.c linux-2.6.35.5/grsecurity/grsec_log.c
40927 --- linux-2.6.35.5/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
40928 +++ linux-2.6.35.5/grsecurity/grsec_log.c 2010-09-17 20:12:37.000000000 -0400
40930 +#include <linux/kernel.h>
40931 +#include <linux/sched.h>
40932 +#include <linux/file.h>
40933 +#include <linux/tty.h>
40934 +#include <linux/fs.h>
40935 +#include <linux/grinternal.h>
40937 +#ifdef CONFIG_TREE_PREEMPT_RCU
40938 +#define DISABLE_PREEMPT() preempt_disable()
40939 +#define ENABLE_PREEMPT() preempt_enable()
40941 +#define DISABLE_PREEMPT()
40942 +#define ENABLE_PREEMPT()
40945 +#define BEGIN_LOCKS(x) \
40946 + DISABLE_PREEMPT(); \
40947 + rcu_read_lock(); \
40948 + read_lock(&tasklist_lock); \
40949 + read_lock(&grsec_exec_file_lock); \
40950 + if (x != GR_DO_AUDIT) \
40951 + spin_lock(&grsec_alert_lock); \
40953 + spin_lock(&grsec_audit_lock)
40955 +#define END_LOCKS(x) \
40956 + if (x != GR_DO_AUDIT) \
40957 + spin_unlock(&grsec_alert_lock); \
40959 + spin_unlock(&grsec_audit_lock); \
40960 + read_unlock(&grsec_exec_file_lock); \
40961 + read_unlock(&tasklist_lock); \
40962 + rcu_read_unlock(); \
40963 + ENABLE_PREEMPT(); \
40964 + if (x == GR_DONT_AUDIT) \
40965 + gr_handle_alertkill(current)
40972 +extern char *gr_alert_log_fmt;
40973 +extern char *gr_audit_log_fmt;
40974 +extern char *gr_alert_log_buf;
40975 +extern char *gr_audit_log_buf;
40977 +static int gr_log_start(int audit)
40979 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
40980 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
40981 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
40983 + if (audit == GR_DO_AUDIT)
40986 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
40987 + grsec_alert_wtime = jiffies;
40988 + grsec_alert_fyet = 0;
40989 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
40990 + grsec_alert_fyet++;
40991 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
40992 + grsec_alert_wtime = jiffies;
40993 + grsec_alert_fyet++;
40994 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
40996 + } else return FLOODING;
40999 + memset(buf, 0, PAGE_SIZE);
41000 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
41001 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
41002 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
41003 + } else if (current->signal->curr_ip) {
41004 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
41005 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
41006 + } else if (gr_acl_is_enabled()) {
41007 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
41008 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
41010 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
41011 + strcpy(buf, fmt);
41014 + return NO_FLOODING;
41017 +static void gr_log_middle(int audit, const char *msg, va_list ap)
41018 + __attribute__ ((format (printf, 2, 0)));
41020 +static void gr_log_middle(int audit, const char *msg, va_list ap)
41022 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41023 + unsigned int len = strlen(buf);
41025 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41030 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
41031 + __attribute__ ((format (printf, 2, 3)));
41033 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
41035 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41036 + unsigned int len = strlen(buf);
41039 + va_start(ap, msg);
41040 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41046 +static void gr_log_end(int audit)
41048 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41049 + unsigned int len = strlen(buf);
41051 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->parent)));
41052 + printk("%s\n", buf);
41057 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
41060 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
41061 + char *str1, *str2, *str3;
41064 + unsigned long ulong1, ulong2;
41065 + struct dentry *dentry;
41066 + struct vfsmount *mnt;
41067 + struct file *file;
41068 + struct task_struct *task;
41069 + const struct cred *cred, *pcred;
41072 + BEGIN_LOCKS(audit);
41073 + logtype = gr_log_start(audit);
41074 + if (logtype == FLOODING) {
41075 + END_LOCKS(audit);
41078 + va_start(ap, argtypes);
41079 + switch (argtypes) {
41080 + case GR_TTYSNIFF:
41081 + task = va_arg(ap, struct task_struct *);
41082 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
41084 + case GR_SYSCTL_HIDDEN:
41085 + str1 = va_arg(ap, char *);
41086 + gr_log_middle_varargs(audit, msg, result, str1);
41089 + dentry = va_arg(ap, struct dentry *);
41090 + mnt = va_arg(ap, struct vfsmount *);
41091 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
41093 + case GR_RBAC_STR:
41094 + dentry = va_arg(ap, struct dentry *);
41095 + mnt = va_arg(ap, struct vfsmount *);
41096 + str1 = va_arg(ap, char *);
41097 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
41099 + case GR_STR_RBAC:
41100 + str1 = va_arg(ap, char *);
41101 + dentry = va_arg(ap, struct dentry *);
41102 + mnt = va_arg(ap, struct vfsmount *);
41103 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
41105 + case GR_RBAC_MODE2:
41106 + dentry = va_arg(ap, struct dentry *);
41107 + mnt = va_arg(ap, struct vfsmount *);
41108 + str1 = va_arg(ap, char *);
41109 + str2 = va_arg(ap, char *);
41110 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
41112 + case GR_RBAC_MODE3:
41113 + dentry = va_arg(ap, struct dentry *);
41114 + mnt = va_arg(ap, struct vfsmount *);
41115 + str1 = va_arg(ap, char *);
41116 + str2 = va_arg(ap, char *);
41117 + str3 = va_arg(ap, char *);
41118 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
41120 + case GR_FILENAME:
41121 + dentry = va_arg(ap, struct dentry *);
41122 + mnt = va_arg(ap, struct vfsmount *);
41123 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
41125 + case GR_STR_FILENAME:
41126 + str1 = va_arg(ap, char *);
41127 + dentry = va_arg(ap, struct dentry *);
41128 + mnt = va_arg(ap, struct vfsmount *);
41129 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
41131 + case GR_FILENAME_STR:
41132 + dentry = va_arg(ap, struct dentry *);
41133 + mnt = va_arg(ap, struct vfsmount *);
41134 + str1 = va_arg(ap, char *);
41135 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
41137 + case GR_FILENAME_TWO_INT:
41138 + dentry = va_arg(ap, struct dentry *);
41139 + mnt = va_arg(ap, struct vfsmount *);
41140 + num1 = va_arg(ap, int);
41141 + num2 = va_arg(ap, int);
41142 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
41144 + case GR_FILENAME_TWO_INT_STR:
41145 + dentry = va_arg(ap, struct dentry *);
41146 + mnt = va_arg(ap, struct vfsmount *);
41147 + num1 = va_arg(ap, int);
41148 + num2 = va_arg(ap, int);
41149 + str1 = va_arg(ap, char *);
41150 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
41153 + file = va_arg(ap, struct file *);
41154 + ulong1 = va_arg(ap, unsigned long);
41155 + ulong2 = va_arg(ap, unsigned long);
41156 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
41159 + task = va_arg(ap, struct task_struct *);
41160 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
41162 + case GR_RESOURCE:
41163 + task = va_arg(ap, struct task_struct *);
41164 + cred = __task_cred(task);
41165 + pcred = __task_cred(task->parent);
41166 + ulong1 = va_arg(ap, unsigned long);
41167 + str1 = va_arg(ap, char *);
41168 + ulong2 = va_arg(ap, unsigned long);
41169 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41172 + task = va_arg(ap, struct task_struct *);
41173 + cred = __task_cred(task);
41174 + pcred = __task_cred(task->parent);
41175 + str1 = va_arg(ap, char *);
41176 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41179 + str1 = va_arg(ap, char *);
41180 + voidptr = va_arg(ap, void *);
41181 + gr_log_middle_varargs(audit, msg, str1, voidptr);
41184 + task = va_arg(ap, struct task_struct *);
41185 + cred = __task_cred(task);
41186 + pcred = __task_cred(task->parent);
41187 + num1 = va_arg(ap, int);
41188 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41191 + task = va_arg(ap, struct task_struct *);
41192 + cred = __task_cred(task);
41193 + pcred = __task_cred(task->parent);
41194 + ulong1 = va_arg(ap, unsigned long);
41195 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
41198 + task = va_arg(ap, struct task_struct *);
41199 + cred = __task_cred(task);
41200 + pcred = __task_cred(task->parent);
41201 + ulong1 = va_arg(ap, unsigned long);
41202 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
41206 + unsigned int wday, cday;
41210 + char cur_tty[64] = { 0 };
41211 + char parent_tty[64] = { 0 };
41213 + task = va_arg(ap, struct task_struct *);
41214 + wday = va_arg(ap, unsigned int);
41215 + cday = va_arg(ap, unsigned int);
41216 + whr = va_arg(ap, int);
41217 + chr = va_arg(ap, int);
41218 + wmin = va_arg(ap, int);
41219 + cmin = va_arg(ap, int);
41220 + wsec = va_arg(ap, int);
41221 + csec = va_arg(ap, int);
41222 + ulong1 = va_arg(ap, unsigned long);
41223 + cred = __task_cred(task);
41224 + pcred = __task_cred(task->parent);
41226 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, &task->parent->signal->curr_ip, tty_name(task->parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41230 + gr_log_middle(audit, msg, ap);
41233 + gr_log_end(audit);
41234 + END_LOCKS(audit);
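Review bot: `gr_log_end` hands the assembled buffer to `printk("%s\n", buf)` without neutralising control characters, while `gr_log_varargs` fills it with `task->comm`, `gr_to_filename()` output and caller-supplied strings. If any of those carries a newline, one event is emitted as what looks like several log lines, which undermines the alert and audit trail as evidence. `gr_handle_exec_args` in grsec_exec.c already rewrites bytes outside 32..126 for argv, and the other fields deserve the same treatment. Doing it once in `gr_log_end`, just before the printk, covers every message type. This assumes no GR_*_MSG format relies on an embedded control character; the formats and `gr_to_filename` are not visible here, so paths may already be escaped.

```c
static void gr_log_end(int audit)
	/* … unchanged: buf/len setup and the DEFAULTSECMSG snprintf … */
	unsigned char *p;	/* declared alongside buf and len */

	/* one event must stay one line: blank out control and non-ASCII
	   bytes that came from comm, path names or caller strings */
	for (p = (unsigned char *)buf; *p; p++) {
		if (*p < 32 || *p > 126)
			*p = ' ';
	}
	printk("%s\n", buf);
```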
41236 diff -urNp linux-2.6.35.5/grsecurity/grsec_mem.c linux-2.6.35.5/grsecurity/grsec_mem.c
41237 --- linux-2.6.35.5/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
41238 +++ linux-2.6.35.5/grsecurity/grsec_mem.c 2010-09-17 20:12:37.000000000 -0400
41240 +#include <linux/kernel.h>
41241 +#include <linux/sched.h>
41242 +#include <linux/mm.h>
41243 +#include <linux/mman.h>
41244 +#include <linux/grinternal.h>
41247 +gr_handle_ioperm(void)
41249 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
41254 +gr_handle_iopl(void)
41256 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
41261 +gr_handle_mem_write(void)
41263 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
41268 +gr_handle_kmem_write(void)
41270 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
41275 +gr_handle_open_port(void)
41277 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
41282 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
41284 + unsigned long start, end;
41287 + end = start + vma->vm_end - vma->vm_start;
41289 + if (start > end) {
41290 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
41294 + /* allowed ranges : ISA I/O BIOS */
41295 + if ((start >= __pa(high_memory))
41296 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
41297 + || (start >= 0x000a0000 && end <= 0x00100000)
41298 + || (start >= 0x00000000 && end <= 0x00001000)
41303 + if (vma->vm_flags & VM_WRITE) {
41304 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
41307 + vma->vm_flags &= ~VM_MAYWRITE;
41313 +gr_log_nonroot_mod_load(const char *modname)
41315 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
41320 +gr_handle_vm86(void)
41322 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
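Review bot: In `gr_handle_mem_mmap` the clause `(start >= 0x00000000 && end <= 0x00001000)` compares an `unsigned long` against zero, which is always true and draws a type-limits warning; `(end <= 0x00001000)` states the same condition. The comment `allowed ranges : ISA I/O BIOS` would be easier to audit if each physical range were named beside its bounds, e.g. `/* 0xa0000-0xfffff: legacy ISA/VGA and BIOS ROM window */` and `/* 0x0-0xfff: first physical page */`. It should also say that mappings inside these ranges return before the VM_WRITE test below and so may be writable. That appears to be the case, but the return lines are missing from this listing.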
41325 diff -urNp linux-2.6.35.5/grsecurity/grsec_mount.c linux-2.6.35.5/grsecurity/grsec_mount.c
41326 --- linux-2.6.35.5/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
41327 +++ linux-2.6.35.5/grsecurity/grsec_mount.c 2010-09-17 20:12:37.000000000 -0400
41329 +#include <linux/kernel.h>
41330 +#include <linux/sched.h>
41331 +#include <linux/mount.h>
41332 +#include <linux/grsecurity.h>
41333 +#include <linux/grinternal.h>
41336 +gr_log_remount(const char *devname, const int retval)
41338 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41339 + if (grsec_enable_mount && (retval >= 0))
41340 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
41346 +gr_log_unmount(const char *devname, const int retval)
41348 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41349 + if (grsec_enable_mount && (retval >= 0))
41350 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
41356 +gr_log_mount(const char *from, const char *to, const int retval)
41358 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41359 + if (grsec_enable_mount && (retval >= 0))
41360 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
41366 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
41368 +#ifdef CONFIG_GRKERNSEC_ROFS
41369 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
41370 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
41379 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
41381 +#ifdef CONFIG_GRKERNSEC_ROFS
41382 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
41383 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
41384 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
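Review bot: `gr_log_mount` passes `from` straight to `gr_log_str_str`, whereas `gr_log_remount` and `gr_log_unmount` just above substitute `"none"` for a NULL `devname`. mount(2) accepts a NULL source, so the audit line for that case would carry the kernel's `(null)` placeholder instead of the `none` used by the sibling records. For consistent, searchable audit output use `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);`. Whether the caller already normalises `from` is not visible in this hunk.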
41391 diff -urNp linux-2.6.35.5/grsecurity/grsec_ptrace.c linux-2.6.35.5/grsecurity/grsec_ptrace.c
41392 --- linux-2.6.35.5/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
41393 +++ linux-2.6.35.5/grsecurity/grsec_ptrace.c 2010-09-17 20:12:37.000000000 -0400
41395 +#include <linux/kernel.h>
41396 +#include <linux/sched.h>
41397 +#include <linux/grinternal.h>
41398 +#include <linux/grsecurity.h>
41401 +gr_audit_ptrace(struct task_struct *task)
41403 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
41404 + if (grsec_enable_audit_ptrace)
41405 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
41409 diff -urNp linux-2.6.35.5/grsecurity/grsec_sig.c linux-2.6.35.5/grsecurity/grsec_sig.c
41410 --- linux-2.6.35.5/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
41411 +++ linux-2.6.35.5/grsecurity/grsec_sig.c 2010-09-17 20:12:37.000000000 -0400
41413 +#include <linux/kernel.h>
41414 +#include <linux/sched.h>
41415 +#include <linux/delay.h>
41416 +#include <linux/grsecurity.h>
41417 +#include <linux/grinternal.h>
41419 +char *signames[] = {
41420 + [SIGSEGV] = "Segmentation fault",
41421 + [SIGILL] = "Illegal instruction",
41422 + [SIGABRT] = "Abort",
41423 + [SIGBUS] = "Invalid alignment/Bus error"
41427 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
41429 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41430 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
41431 + (sig == SIGABRT) || (sig == SIGBUS))) {
41432 + if (t->pid == current->pid) {
41433 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
41435 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
41443 +gr_handle_signal(const struct task_struct *p, const int sig)
41445 +#ifdef CONFIG_GRKERNSEC
41446 + if (current->pid > 1 && gr_check_protected_task(p)) {
41447 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
41449 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
41456 +void gr_handle_brute_attach(struct task_struct *p)
41458 +#ifdef CONFIG_GRKERNSEC_BRUTE
41459 + read_lock(&tasklist_lock);
41460 + read_lock(&grsec_exec_file_lock);
41461 + if (p->parent && p->parent->exec_file == p->exec_file)
41462 + p->parent->brute = 1;
41463 + read_unlock(&grsec_exec_file_lock);
41464 + read_unlock(&tasklist_lock);
41469 +void gr_handle_brute_check(void)
41471 +#ifdef CONFIG_GRKERNSEC_BRUTE
41472 + if (current->brute)
41473 + msleep(30 * 1000);
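Review bot: `signames` is declared as a writable, externally visible `char *signames[]` although `gr_log_signal` only reads it. `static const char * const signames[] = {` keeps the generic name out of the kernel's global namespace and lets the table live in read-only data, in line with the constification this patch applies elsewhere. If another file references the symbol, keep the linkage and add only the `const` qualifiers. Separately, `msleep(30 * 1000)` in `gr_handle_brute_check` deserves a named constant and a comment on when `brute` is cleared, since nothing in this file resets it.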
41478 diff -urNp linux-2.6.35.5/grsecurity/grsec_sock.c linux-2.6.35.5/grsecurity/grsec_sock.c
41479 --- linux-2.6.35.5/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
41480 +++ linux-2.6.35.5/grsecurity/grsec_sock.c 2010-09-17 20:12:37.000000000 -0400
41482 +#include <linux/kernel.h>
41483 +#include <linux/module.h>
41484 +#include <linux/sched.h>
41485 +#include <linux/file.h>
41486 +#include <linux/net.h>
41487 +#include <linux/in.h>
41488 +#include <linux/ip.h>
41489 +#include <net/sock.h>
41490 +#include <net/inet_sock.h>
41491 +#include <linux/grsecurity.h>
41492 +#include <linux/grinternal.h>
41493 +#include <linux/gracl.h>
41495 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
41496 +EXPORT_SYMBOL(gr_cap_rtnetlink);
41498 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
41499 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
41501 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
41502 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
41504 +#ifdef CONFIG_UNIX_MODULE
41505 +EXPORT_SYMBOL(gr_acl_handle_unix);
41506 +EXPORT_SYMBOL(gr_acl_handle_mknod);
41507 +EXPORT_SYMBOL(gr_handle_chroot_unix);
41508 +EXPORT_SYMBOL(gr_handle_create);
41511 +#ifdef CONFIG_GRKERNSEC
41512 +#define gr_conn_table_size 32749
41513 +struct conn_table_entry {
41514 + struct conn_table_entry *next;
41515 + struct signal_struct *sig;
41518 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
41519 +DEFINE_SPINLOCK(gr_conn_table_lock);
41521 +extern const char * gr_socktype_to_name(unsigned char type);
41522 +extern const char * gr_proto_to_name(unsigned char proto);
41524 +static __inline__ int
41525 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
41527 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
41530 +static __inline__ int
41531 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
41532 + __u16 sport, __u16 dport)
41534 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
41535 + sig->gr_sport == sport && sig->gr_dport == dport))
41541 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
41543 + struct conn_table_entry **match;
41544 + unsigned int index;
41546 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
41547 + sig->gr_sport, sig->gr_dport,
41548 + gr_conn_table_size);
41550 + newent->sig = sig;
41552 + match = &gr_conn_table[index];
41553 + newent->next = *match;
41559 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
41561 + struct conn_table_entry *match, *last = NULL;
41562 + unsigned int index;
41564 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
41565 + sig->gr_sport, sig->gr_dport,
41566 + gr_conn_table_size);
41568 + match = gr_conn_table[index];
41569 + while (match && !conn_match(match->sig,
41570 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
41571 + sig->gr_dport)) {
41573 + match = match->next;
41578 + last->next = match->next;
41580 + gr_conn_table[index] = NULL;
41587 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
41588 + __u16 sport, __u16 dport)
41590 + struct conn_table_entry *match;
41591 + unsigned int index;
41593 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
41595 + match = gr_conn_table[index];
41596 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
41597 + match = match->next;
41600 + return match->sig;
41607 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
41609 +#ifdef CONFIG_GRKERNSEC
41610 + struct signal_struct *sig = task->signal;
41611 + struct conn_table_entry *newent;
41613 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
41614 + if (newent == NULL)
41616 + /* no bh lock needed since we are called with bh disabled */
41617 + spin_lock(&gr_conn_table_lock);
41618 + gr_del_task_from_ip_table_nolock(sig);
41619 + sig->gr_saddr = inet->inet_rcv_saddr;
41620 + sig->gr_daddr = inet->inet_daddr;
41621 + sig->gr_sport = inet->inet_sport;
41622 + sig->gr_dport = inet->inet_dport;
41623 + gr_add_to_task_ip_table_nolock(sig, newent);
41624 + spin_unlock(&gr_conn_table_lock);
41629 +void gr_del_task_from_ip_table(struct task_struct *task)
41631 +#ifdef CONFIG_GRKERNSEC
41632 + spin_lock_bh(&gr_conn_table_lock);
41633 + gr_del_task_from_ip_table_nolock(task->signal);
41634 + spin_unlock_bh(&gr_conn_table_lock);
41640 +gr_attach_curr_ip(const struct sock *sk)
41642 +#ifdef CONFIG_GRKERNSEC
41643 + struct signal_struct *p, *set;
41644 + const struct inet_sock *inet = inet_sk(sk);
41646 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
41649 + set = current->signal;
41651 + spin_lock_bh(&gr_conn_table_lock);
41652 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
41653 + inet->inet_dport, inet->inet_sport);
41654 + if (unlikely(p != NULL)) {
41655 + set->curr_ip = p->curr_ip;
41656 + set->used_accept = 1;
41657 + gr_del_task_from_ip_table_nolock(p);
41658 + spin_unlock_bh(&gr_conn_table_lock);
41661 + spin_unlock_bh(&gr_conn_table_lock);
41663 + set->curr_ip = inet->inet_daddr;
41664 + set->used_accept = 1;
41670 +gr_handle_sock_all(const int family, const int type, const int protocol)
41672 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
41673 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
41674 + (family != AF_UNIX) && (family != AF_LOCAL)) {
41675 + gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
41683 +gr_handle_sock_server(const struct sockaddr *sck)
41685 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41686 + if (grsec_enable_socket_server &&
41687 + in_group_p(grsec_socket_server_gid) &&
41688 + sck && (sck->sa_family != AF_UNIX) &&
41689 + (sck->sa_family != AF_LOCAL)) {
41690 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
41698 +gr_handle_sock_server_other(const struct sock *sck)
41700 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41701 + if (grsec_enable_socket_server &&
41702 + in_group_p(grsec_socket_server_gid) &&
41703 + sck && (sck->sk_family != AF_UNIX) &&
41704 + (sck->sk_family != AF_LOCAL)) {
41705 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
41713 +gr_handle_sock_client(const struct sockaddr *sck)
41715 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
41716 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
41717 + sck && (sck->sa_family != AF_UNIX) &&
41718 + (sck->sa_family != AF_LOCAL)) {
41719 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
41727 +gr_cap_rtnetlink(struct sock *sock)
41729 +#ifdef CONFIG_GRKERNSEC
41730 + if (!gr_acl_is_enabled())
41731 + return current_cap();
41732 + else if (sock->sk_protocol == NETLINK_ISCSI &&
41733 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
41734 + gr_is_capable(CAP_SYS_ADMIN))
41735 + return current_cap();
41736 + else if (sock->sk_protocol == NETLINK_AUDIT &&
41737 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
41738 + gr_is_capable(CAP_AUDIT_WRITE) &&
41739 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
41740 + gr_is_capable(CAP_AUDIT_CONTROL))
41741 + return current_cap();
41742 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
41743 + ((sock->sk_protocol == NETLINK_ROUTE) ?
41744 + gr_is_capable_nolog(CAP_NET_ADMIN) :
41745 + gr_is_capable(CAP_NET_ADMIN)))
41746 + return current_cap();
41748 + return __cap_empty_set;
41750 + return current_cap();
41753 diff -urNp linux-2.6.35.5/grsecurity/grsec_sysctl.c linux-2.6.35.5/grsecurity/grsec_sysctl.c
41754 --- linux-2.6.35.5/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
41755 +++ linux-2.6.35.5/grsecurity/grsec_sysctl.c 2010-09-17 20:18:57.000000000 -0400
41757 +#include <linux/kernel.h>
41758 +#include <linux/sched.h>
41759 +#include <linux/sysctl.h>
41760 +#include <linux/grsecurity.h>
41761 +#include <linux/grinternal.h>
41764 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
41766 +#ifdef CONFIG_GRKERNSEC_SYSCTL
41767 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
41768 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
41775 +#ifdef CONFIG_GRKERNSEC_ROFS
41776 +static int __maybe_unused one = 1;
41779 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
41780 +struct ctl_table grsecurity_table[] = {
41781 +#ifdef CONFIG_GRKERNSEC_SYSCTL
41782 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
41783 +#ifdef CONFIG_GRKERNSEC_IO
41785 + .procname = "disable_priv_io",
41786 + .data = &grsec_disable_privio,
41787 + .maxlen = sizeof(int),
41789 + .proc_handler = &proc_dointvec,
41793 +#ifdef CONFIG_GRKERNSEC_LINK
41795 + .procname = "linking_restrictions",
41796 + .data = &grsec_enable_link,
41797 + .maxlen = sizeof(int),
41799 + .proc_handler = &proc_dointvec,
41802 +#ifdef CONFIG_GRKERNSEC_FIFO
41804 + .procname = "fifo_restrictions",
41805 + .data = &grsec_enable_fifo,
41806 + .maxlen = sizeof(int),
41808 + .proc_handler = &proc_dointvec,
41811 +#ifdef CONFIG_GRKERNSEC_EXECVE
41813 + .procname = "execve_limiting",
41814 + .data = &grsec_enable_execve,
41815 + .maxlen = sizeof(int),
41817 + .proc_handler = &proc_dointvec,
41820 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
41822 + .procname = "ip_blackhole",
41823 + .data = &grsec_enable_blackhole,
41824 + .maxlen = sizeof(int),
41826 + .proc_handler = &proc_dointvec,
41829 + .procname = "lastack_retries",
41830 + .data = &grsec_lastack_retries,
41831 + .maxlen = sizeof(int),
41833 + .proc_handler = &proc_dointvec,
41836 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41838 + .procname = "exec_logging",
41839 + .data = &grsec_enable_execlog,
41840 + .maxlen = sizeof(int),
41842 + .proc_handler = &proc_dointvec,
41845 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41847 + .procname = "signal_logging",
41848 + .data = &grsec_enable_signal,
41849 + .maxlen = sizeof(int),
41851 + .proc_handler = &proc_dointvec,
41854 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41856 + .procname = "forkfail_logging",
41857 + .data = &grsec_enable_forkfail,
41858 + .maxlen = sizeof(int),
41860 + .proc_handler = &proc_dointvec,
41863 +#ifdef CONFIG_GRKERNSEC_TIME
41865 + .procname = "timechange_logging",
41866 + .data = &grsec_enable_time,
41867 + .maxlen = sizeof(int),
41869 + .proc_handler = &proc_dointvec,
41872 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41874 + .procname = "chroot_deny_shmat",
41875 + .data = &grsec_enable_chroot_shmat,
41876 + .maxlen = sizeof(int),
41878 + .proc_handler = &proc_dointvec,
41881 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
41883 + .procname = "chroot_deny_unix",
41884 + .data = &grsec_enable_chroot_unix,
41885 + .maxlen = sizeof(int),
41887 + .proc_handler = &proc_dointvec,
41890 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
41892 + .procname = "chroot_deny_mount",
41893 + .data = &grsec_enable_chroot_mount,
41894 + .maxlen = sizeof(int),
41896 + .proc_handler = &proc_dointvec,
41899 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41901 + .procname = "chroot_deny_fchdir",
41902 + .data = &grsec_enable_chroot_fchdir,
41903 + .maxlen = sizeof(int),
41905 + .proc_handler = &proc_dointvec,
41908 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
41910 + .procname = "chroot_deny_chroot",
41911 + .data = &grsec_enable_chroot_double,
41912 + .maxlen = sizeof(int),
41914 + .proc_handler = &proc_dointvec,
41917 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
41919 + .procname = "chroot_deny_pivot",
41920 + .data = &grsec_enable_chroot_pivot,
41921 + .maxlen = sizeof(int),
41923 + .proc_handler = &proc_dointvec,
41926 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41928 + .procname = "chroot_enforce_chdir",
41929 + .data = &grsec_enable_chroot_chdir,
41930 + .maxlen = sizeof(int),
41932 + .proc_handler = &proc_dointvec,
41935 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41937 + .procname = "chroot_deny_chmod",
41938 + .data = &grsec_enable_chroot_chmod,
41939 + .maxlen = sizeof(int),
41941 + .proc_handler = &proc_dointvec,
41944 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41946 + .procname = "chroot_deny_mknod",
41947 + .data = &grsec_enable_chroot_mknod,
41948 + .maxlen = sizeof(int),
41950 + .proc_handler = &proc_dointvec,
41953 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41955 + .procname = "chroot_restrict_nice",
41956 + .data = &grsec_enable_chroot_nice,
41957 + .maxlen = sizeof(int),
41959 + .proc_handler = &proc_dointvec,
41962 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41964 + .procname = "chroot_execlog",
41965 + .data = &grsec_enable_chroot_execlog,
41966 + .maxlen = sizeof(int),
41968 + .proc_handler = &proc_dointvec,
41971 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41973 + .procname = "chroot_caps",
41974 + .data = &grsec_enable_chroot_caps,
41975 + .maxlen = sizeof(int),
41977 + .proc_handler = &proc_dointvec,
41980 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41982 + .procname = "chroot_deny_sysctl",
41983 + .data = &grsec_enable_chroot_sysctl,
41984 + .maxlen = sizeof(int),
41986 + .proc_handler = &proc_dointvec,
41989 +#ifdef CONFIG_GRKERNSEC_TPE
41991 + .procname = "tpe",
41992 + .data = &grsec_enable_tpe,
41993 + .maxlen = sizeof(int),
41995 + .proc_handler = &proc_dointvec,
41998 + .procname = "tpe_gid",
41999 + .data = &grsec_tpe_gid,
42000 + .maxlen = sizeof(int),
42002 + .proc_handler = &proc_dointvec,
42005 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
42007 + .procname = "tpe_invert",
42008 + .data = &grsec_enable_tpe_invert,
42009 + .maxlen = sizeof(int),
42011 + .proc_handler = &proc_dointvec,
42014 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
42016 + .procname = "tpe_restrict_all",
42017 + .data = &grsec_enable_tpe_all,
42018 + .maxlen = sizeof(int),
42020 + .proc_handler = &proc_dointvec,
42023 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42025 + .procname = "socket_all",
42026 + .data = &grsec_enable_socket_all,
42027 + .maxlen = sizeof(int),
42029 + .proc_handler = &proc_dointvec,
42032 + .procname = "socket_all_gid",
42033 + .data = &grsec_socket_all_gid,
42034 + .maxlen = sizeof(int),
42036 + .proc_handler = &proc_dointvec,
42039 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42041 + .procname = "socket_client",
42042 + .data = &grsec_enable_socket_client,
42043 + .maxlen = sizeof(int),
42045 + .proc_handler = &proc_dointvec,
42048 + .procname = "socket_client_gid",
42049 + .data = &grsec_socket_client_gid,
42050 + .maxlen = sizeof(int),
42052 + .proc_handler = &proc_dointvec,
42055 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42057 + .procname = "socket_server",
42058 + .data = &grsec_enable_socket_server,
42059 + .maxlen = sizeof(int),
42061 + .proc_handler = &proc_dointvec,
42064 + .procname = "socket_server_gid",
42065 + .data = &grsec_socket_server_gid,
42066 + .maxlen = sizeof(int),
42068 + .proc_handler = &proc_dointvec,
42071 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
42073 + .procname = "audit_group",
42074 + .data = &grsec_enable_group,
42075 + .maxlen = sizeof(int),
42077 + .proc_handler = &proc_dointvec,
42080 + .procname = "audit_gid",
42081 + .data = &grsec_audit_gid,
42082 + .maxlen = sizeof(int),
42084 + .proc_handler = &proc_dointvec,
42087 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
42089 + .procname = "audit_chdir",
42090 + .data = &grsec_enable_chdir,
42091 + .maxlen = sizeof(int),
42093 + .proc_handler = &proc_dointvec,
42096 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42098 + .procname = "audit_mount",
42099 + .data = &grsec_enable_mount,
42100 + .maxlen = sizeof(int),
42102 + .proc_handler = &proc_dointvec,
42105 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42107 + .procname = "audit_textrel",
42108 + .data = &grsec_enable_audit_textrel,
42109 + .maxlen = sizeof(int),
42111 + .proc_handler = &proc_dointvec,
42114 +#ifdef CONFIG_GRKERNSEC_DMESG
42116 + .procname = "dmesg",
42117 + .data = &grsec_enable_dmesg,
42118 + .maxlen = sizeof(int),
42120 + .proc_handler = &proc_dointvec,
42123 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
42125 + .procname = "chroot_findtask",
42126 + .data = &grsec_enable_chroot_findtask,
42127 + .maxlen = sizeof(int),
42129 + .proc_handler = &proc_dointvec,
42132 +#ifdef CONFIG_GRKERNSEC_RESLOG
42134 + .procname = "resource_logging",
42135 + .data = &grsec_resource_logging,
42136 + .maxlen = sizeof(int),
42138 + .proc_handler = &proc_dointvec,
42141 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42143 + .procname = "audit_ptrace",
42144 + .data = &grsec_enable_audit_ptrace,
42145 + .maxlen = sizeof(int),
42147 + .proc_handler = &proc_dointvec,
42150 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
42152 + .procname = "harden_ptrace",
42153 + .data = &grsec_enable_harden_ptrace,
42154 + .maxlen = sizeof(int),
42156 + .proc_handler = &proc_dointvec,
42160 + .procname = "grsec_lock",
42161 + .data = &grsec_lock,
42162 + .maxlen = sizeof(int),
42164 + .proc_handler = &proc_dointvec,
42167 +#ifdef CONFIG_GRKERNSEC_ROFS
42169 + .procname = "romount_protect",
42170 + .data = &grsec_enable_rofs,
42171 + .maxlen = sizeof(int),
42173 + .proc_handler = &proc_dointvec_minmax,
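Review bot: Every on/off toggle and gid entry in `grsecurity_table` is wired to `proc_dointvec` with `.maxlen = sizeof(int)` and no bounds, so a permitted write can store any int, including a negative value in `tpe_gid`, `socket_all_gid`, `socket_client_gid`, `socket_server_gid` or `audit_gid`; only `romount_protect` uses `proc_dointvec_minmax`. The toggles would be safer as `.proc_handler = &proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one,`, which needs a `zero` beside the existing `one` and both defined outside the `CONFIG_GRKERNSEC_ROFS` guard; the gid entries should carry at least `.extra1 = &zero`. The `.mode` lines and the types of the backing variables are not visible in this listing, so who may write these files and how a negative gid is later compared is inferred rather than shown. `gr_handle_sysctl_mod` also deserves a short comment stating that the lock is enforced by matching the directory name `"grsecurity"` together with `MAY_WRITE`, since that string match appears to be what makes `grsec_lock` effective.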
42181 diff -urNp linux-2.6.35.5/grsecurity/grsec_textrel.c linux-2.6.35.5/grsecurity/grsec_textrel.c
42182 --- linux-2.6.35.5/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
42183 +++ linux-2.6.35.5/grsecurity/grsec_textrel.c 2010-09-17 20:12:37.000000000 -0400
42185 +#include <linux/kernel.h>
42186 +#include <linux/sched.h>
42187 +#include <linux/mm.h>
42188 +#include <linux/file.h>
42189 +#include <linux/grinternal.h>
42190 +#include <linux/grsecurity.h>
42193 +gr_log_textrel(struct vm_area_struct * vma)
42195 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42196 + if (grsec_enable_audit_textrel)
42197 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
42201 diff -urNp linux-2.6.35.5/grsecurity/grsec_time.c linux-2.6.35.5/grsecurity/grsec_time.c
42202 --- linux-2.6.35.5/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
42203 +++ linux-2.6.35.5/grsecurity/grsec_time.c 2010-09-17 20:12:37.000000000 -0400
42205 +#include <linux/kernel.h>
42206 +#include <linux/sched.h>
42207 +#include <linux/grinternal.h>
42210 +gr_log_timechange(void)
42212 +#ifdef CONFIG_GRKERNSEC_TIME
42213 + if (grsec_enable_time)
42214 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
42218 diff -urNp linux-2.6.35.5/grsecurity/grsec_tpe.c linux-2.6.35.5/grsecurity/grsec_tpe.c
42219 --- linux-2.6.35.5/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
42220 +++ linux-2.6.35.5/grsecurity/grsec_tpe.c 2010-09-17 20:12:37.000000000 -0400
42222 +#include <linux/kernel.h>
42223 +#include <linux/sched.h>
42224 +#include <linux/file.h>
42225 +#include <linux/fs.h>
42226 +#include <linux/grinternal.h>
42228 +extern int gr_acl_tpe_check(void);
42231 +gr_tpe_allow(const struct file *file)
42233 +#ifdef CONFIG_GRKERNSEC
42234 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
42235 + const struct cred *cred = current_cred();
42237 + if (cred->uid && ((grsec_enable_tpe &&
42238 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
42239 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
42240 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
42242 + in_group_p(grsec_tpe_gid)
42244 + ) || gr_acl_tpe_check()) &&
42245 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
42246 + (inode->i_mode & S_IWOTH))))) {
42247 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
42250 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
42251 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
42252 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
42253 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
42254 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
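Review bot: The trust decision in `gr_tpe_allow` reads the parent directory through `file->f_path.dentry->d_parent->d_inode` with no lock or reference taken in the visible lines, so a concurrent rename of the file could change `d_parent` while `i_uid` and `i_mode` are being tested. Taking a counted reference with `struct dentry *parent = dget_parent(file->f_path.dentry);` and a matching `dput(parent);` on every return path would keep the inode stable for the duration of the check; whether a caller already holds a lock that makes this unnecessary cannot be seen from this hunk. The ownership test `(inode->i_uid || (!inode->i_uid && (...)))` also carries a redundant `!inode->i_uid`, and dropping it would make a condition that already has an `#ifdef` embedded in it easier to audit.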
42261 diff -urNp linux-2.6.35.5/grsecurity/grsum.c linux-2.6.35.5/grsecurity/grsum.c
42262 --- linux-2.6.35.5/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
42263 +++ linux-2.6.35.5/grsecurity/grsum.c 2010-09-17 20:12:37.000000000 -0400
42265 +#include <linux/err.h>
42266 +#include <linux/kernel.h>
42267 +#include <linux/sched.h>
42268 +#include <linux/mm.h>
42269 +#include <linux/scatterlist.h>
42270 +#include <linux/crypto.h>
42271 +#include <linux/gracl.h>
42274 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
42275 +#error "crypto and sha256 must be built into the kernel"
42279 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
42282 + struct crypto_hash *tfm;
42283 + struct hash_desc desc;
42284 + struct scatterlist sg;
42285 + unsigned char temp_sum[GR_SHA_LEN];
42286 + volatile int retval = 0;
42287 + volatile int dummy = 0;
42290 + sg_init_table(&sg, 1);
42292 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
42293 + if (IS_ERR(tfm)) {
42294 + /* should never happen, since sha256 should be built in */
42301 + crypto_hash_init(&desc);
42304 + sg_set_buf(&sg, p, GR_SALT_LEN);
42305 + crypto_hash_update(&desc, &sg, sg.length);
42308 + sg_set_buf(&sg, p, strlen(p));
42310 + crypto_hash_update(&desc, &sg, sg.length);
42312 + crypto_hash_final(&desc, temp_sum);
42314 + memset(entry->pw, 0, GR_PW_LEN);
42316 + for (i = 0; i < GR_SHA_LEN; i++)
42317 + if (sum[i] != temp_sum[i])
42320 + dummy = 1; // waste a cycle
42322 + crypto_free_hash(tfm);
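Review bot: The return values of `crypto_hash_init`, both `crypto_hash_update` calls and `crypto_hash_final` in `chkpw` are discarded, so if any of them fails the comparison loop runs against a `temp_sum` that is uninitialised stack or a partial digest. Each call should be checked and the function should fail closed, for example `if (crypto_hash_init(&desc)) goto fail;`, with the `fail` path freeing `tfm`, clearing `entry->pw` and returning the same value as a mismatch (the return statements are not visible in this listing). `sg_set_buf(&sg, p, strlen(p));` also relies on the buffer being NUL-terminated; if `p` points at `entry->pw` there, as the later `memset(entry->pw, 0, GR_PW_LEN)` suggests, `strnlen(p, GR_PW_LEN)` would bound the read unless the caller already guarantees termination.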
42326 diff -urNp linux-2.6.35.5/grsecurity/Kconfig linux-2.6.35.5/grsecurity/Kconfig
42327 --- linux-2.6.35.5/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
42328 +++ linux-2.6.35.5/grsecurity/Kconfig 2010-09-17 20:12:37.000000000 -0400
42331 +# grecurity configuration
42337 + bool "Grsecurity"
42339 + select CRYPTO_SHA256
42341 + If you say Y here, you will be able to configure many features
42342 + that will enhance the security of your system. It is highly
42343 + recommended that you say Y here and read through the help
42344 + for each option so that you fully understand the features and
42345 + can evaluate their usefulness for your machine.
42348 + prompt "Security Level"
42349 + depends on GRKERNSEC
42350 + default GRKERNSEC_CUSTOM
42352 +config GRKERNSEC_LOW
42354 + select GRKERNSEC_LINK
42355 + select GRKERNSEC_FIFO
42356 + select GRKERNSEC_EXECVE
42357 + select GRKERNSEC_RANDNET
42358 + select GRKERNSEC_DMESG
42359 + select GRKERNSEC_CHROOT
42360 + select GRKERNSEC_CHROOT_CHDIR
42363 + If you choose this option, several of the grsecurity options will
42364 + be enabled that will give you greater protection against a number
42365 + of attacks, while assuring that none of your software will have any
42366 + conflicts with the additional security measures. If you run a lot
42367 + of unusual software, or you are having problems with the higher
42368 + security levels, you should say Y here. With this option, the
42369 + following features are enabled:
42371 + - Linking restrictions
42372 + - FIFO restrictions
42373 + - Enforcing RLIMIT_NPROC on execve
42374 + - Restricted dmesg
42375 + - Enforced chdir("/") on chroot
42376 + - Runtime module disabling
42378 +config GRKERNSEC_MEDIUM
42381 + select PAX_EI_PAX
42382 + select PAX_PT_PAX_FLAGS
42383 + select PAX_HAVE_ACL_FLAGS
42384 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
42385 + select GRKERNSEC_CHROOT
42386 + select GRKERNSEC_CHROOT_SYSCTL
42387 + select GRKERNSEC_LINK
42388 + select GRKERNSEC_FIFO
42389 + select GRKERNSEC_EXECVE
42390 + select GRKERNSEC_DMESG
42391 + select GRKERNSEC_RANDNET
42392 + select GRKERNSEC_FORKFAIL
42393 + select GRKERNSEC_TIME
42394 + select GRKERNSEC_SIGNAL
42395 + select GRKERNSEC_CHROOT
42396 + select GRKERNSEC_CHROOT_UNIX
42397 + select GRKERNSEC_CHROOT_MOUNT
42398 + select GRKERNSEC_CHROOT_PIVOT
42399 + select GRKERNSEC_CHROOT_DOUBLE
42400 + select GRKERNSEC_CHROOT_CHDIR
42401 + select GRKERNSEC_CHROOT_MKNOD
42402 + select GRKERNSEC_PROC
42403 + select GRKERNSEC_PROC_USERGROUP
42404 + select PAX_RANDUSTACK
42406 + select PAX_RANDMMAP
42407 + select PAX_REFCOUNT if (X86 || SPARC64)
42408 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
42411 + If you say Y here, several features in addition to those included
42412 + in the low additional security level will be enabled. These
42413 + features provide even more security to your system, though in rare
42414 + cases they may be incompatible with very old or poorly written
42415 + software. If you enable this option, make sure that your auth
42416 + service (identd) is running as gid 1001. With this option,
42417 + the following features (in addition to those provided in the
42418 + low additional security level) will be enabled:
42420 + - Failed fork logging
42421 + - Time change logging
42423 + - Deny mounts in chroot
42424 + - Deny double chrooting
42425 + - Deny sysctl writes in chroot
42426 + - Deny mknod in chroot
42427 + - Deny access to abstract AF_UNIX sockets out of chroot
42428 + - Deny pivot_root in chroot
42429 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
42430 + - /proc restrictions with special GID set to 10 (usually wheel)
42431 + - Address Space Layout Randomization (ASLR)
42432 + - Prevent exploitation of most refcount overflows
42433 + - Bounds checking of copying between the kernel and userland
42435 +config GRKERNSEC_HIGH
42437 + select GRKERNSEC_LINK
42438 + select GRKERNSEC_FIFO
42439 + select GRKERNSEC_EXECVE
42440 + select GRKERNSEC_DMESG
42441 + select GRKERNSEC_FORKFAIL
42442 + select GRKERNSEC_TIME
42443 + select GRKERNSEC_SIGNAL
42444 + select GRKERNSEC_CHROOT
42445 + select GRKERNSEC_CHROOT_SHMAT
42446 + select GRKERNSEC_CHROOT_UNIX
42447 + select GRKERNSEC_CHROOT_MOUNT
42448 + select GRKERNSEC_CHROOT_FCHDIR
42449 + select GRKERNSEC_CHROOT_PIVOT
42450 + select GRKERNSEC_CHROOT_DOUBLE
42451 + select GRKERNSEC_CHROOT_CHDIR
42452 + select GRKERNSEC_CHROOT_MKNOD
42453 + select GRKERNSEC_CHROOT_CAPS
42454 + select GRKERNSEC_CHROOT_SYSCTL
42455 + select GRKERNSEC_CHROOT_FINDTASK
42456 + select GRKERNSEC_PROC
42457 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
42458 + select GRKERNSEC_HIDESYM
42459 + select GRKERNSEC_BRUTE
42460 + select GRKERNSEC_PROC_USERGROUP
42461 + select GRKERNSEC_KMEM
42462 + select GRKERNSEC_RESLOG
42463 + select GRKERNSEC_RANDNET
42464 + select GRKERNSEC_PROC_ADD
42465 + select GRKERNSEC_CHROOT_CHMOD
42466 + select GRKERNSEC_CHROOT_NICE
42467 + select GRKERNSEC_AUDIT_MOUNT
42468 + select GRKERNSEC_MODHARDEN if (MODULES)
42469 + select GRKERNSEC_HARDEN_PTRACE
42470 + select GRKERNSEC_VM86 if (X86_32)
42472 + select PAX_RANDUSTACK
42474 + select PAX_RANDMMAP
42475 + select PAX_NOEXEC
42476 + select PAX_MPROTECT
42477 + select PAX_EI_PAX
42478 + select PAX_PT_PAX_FLAGS
42479 + select PAX_HAVE_ACL_FLAGS
42480 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
42481 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
42482 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
42483 + select PAX_SEGMEXEC if (X86_32)
42484 + select PAX_PAGEEXEC
42485 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
42486 + select PAX_EMUTRAMP if (PARISC)
42487 + select PAX_EMUSIGRT if (PARISC)
42488 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
42489 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
42490 + select PAX_REFCOUNT if (X86 || SPARC64)
42491 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
42493 + If you say Y here, many of the features of grsecurity will be
42494 + enabled, which will protect you against many kinds of attacks
42495 + against your system. The heightened security comes at a cost
42496 + of an increased chance of incompatibilities with rare software
42497 + on your machine. Since this security level enables PaX, you should
42498 + view <http://pax.grsecurity.net> and read about the PaX
42499 + project. While you are there, download chpax and run it on
42500 + binaries that cause problems with PaX. Also remember that
42501 + since the /proc restrictions are enabled, you must run your
42502 + identd as gid 1001. This security level enables the following
42503 + features in addition to those listed in the low and medium
42506 + - Additional /proc restrictions
42507 + - Chmod restrictions in chroot
42508 + - No signals, ptrace, or viewing of processes outside of chroot
42509 + - Capability restrictions in chroot
42510 + - Deny fchdir out of chroot
42511 + - Priority restrictions in chroot
42512 + - Segmentation-based implementation of PaX
42513 + - Mprotect restrictions
42514 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
42515 + - Kernel stack randomization
42516 + - Mount/unmount/remount logging
42517 + - Kernel symbol hiding
42518 + - Prevention of memory exhaustion-based exploits
42519 + - Hardening of module auto-loading
42520 + - Ptrace restrictions
42521 + - Restricted vm86 mode
42523 +config GRKERNSEC_CUSTOM
42526 + If you say Y here, you will be able to configure every grsecurity
42527 + option, which allows you to enable many more features that aren't
42528 + covered in the basic security levels. These additional features
42529 + include TPE, socket restrictions, and the sysctl system for
42530 + grsecurity. It is advised that you read through the help for
42531 + each option to determine its usefulness in your situation.
42535 +menu "Address Space Protection"
42536 +depends on GRKERNSEC
42538 +config GRKERNSEC_KMEM
42539 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
42541 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
42542 + be written to via mmap or otherwise to modify the running kernel.
42543 + /dev/port will also not be allowed to be opened. If you have module
42544 + support disabled, enabling this will close up four ways that are
42545 + currently used to insert malicious code into the running kernel.
42546 + Even with all these features enabled, we still highly recommend that
42547 + you use the RBAC system, as it is still possible for an attacker to
42548 + modify the running kernel through privileged I/O granted by ioperm/iopl.
42549 + If you are not using XFree86, you may be able to stop this additional
42550 + case by enabling the 'Disable privileged I/O' option. Though nothing
42551 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
42552 + but only to video memory, which is the only writing we allow in this
42553 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
42554 + not be allowed to mprotect it with PROT_WRITE later.
42555 + It is highly recommended that you say Y here if you meet all the
42556 + conditions above.
42558 +config GRKERNSEC_VM86
42559 + bool "Restrict VM86 mode"
42560 + depends on X86_32
42563 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
42564 + make use of a special execution mode on 32bit x86 processors called
42565 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
42566 + video cards and will still work with this option enabled. The purpose
42567 + of the option is to prevent exploitation of emulation errors in
42568 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
42569 + Nearly all users should be able to enable this option.
42571 +config GRKERNSEC_IO
42572 + bool "Disable privileged I/O"
42575 + select RTC_INTF_DEV
42576 + select RTC_DRV_CMOS
42579 + If you say Y here, all ioperm and iopl calls will return an error.
42580 + Ioperm and iopl can be used to modify the running kernel.
42581 + Unfortunately, some programs need this access to operate properly,
42582 + the most notable of which are XFree86 and hwclock. hwclock can be
42583 + remedied by having RTC support in the kernel, so real-time
42584 + clock support is enabled if this option is enabled, to ensure
42585 + that hwclock operates correctly. XFree86 still will not
42586 + operate correctly with this option enabled, so DO NOT CHOOSE Y
42587 + IF YOU USE XFree86. If you use XFree86 and you still want to
42588 + protect your kernel against modification, use the RBAC system.
42590 +config GRKERNSEC_PROC_MEMMAP
42591 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
42592 + default y if (PAX_NOEXEC || PAX_ASLR)
42593 + depends on PAX_NOEXEC || PAX_ASLR
42595 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
42596 + give no information about the addresses of its mappings if
42597 + PaX features that rely on random addresses are enabled on the task.
42598 + If you use PaX it is greatly recommended that you say Y here as it
42599 + closes up a hole that makes the full ASLR useless for suid
42602 +config GRKERNSEC_BRUTE
42603 + bool "Deter exploit bruteforcing"
42605 + If you say Y here, attempts to bruteforce exploits against forking
42606 + daemons such as apache or sshd will be deterred. When a child of a
42607 + forking daemon is killed by PaX or crashes due to an illegal
42608 + instruction, the parent process will be delayed 30 seconds upon every
42609 + subsequent fork until the administrator is able to assess the
42610 + situation and restart the daemon. It is recommended that you also
42611 + enable signal logging in the auditing section so that logs are
42612 + generated when a process performs an illegal instruction.
42614 +config GRKERNSEC_MODHARDEN
42615 + bool "Harden module auto-loading"
42616 + depends on MODULES
42618 + If you say Y here, module auto-loading in response to use of some
42619 + feature implemented by an unloaded module will be restricted to
42620 + root users. Enabling this option helps defend against attacks
42621 + by unprivileged users who abuse the auto-loading behavior to
42622 + cause a vulnerable module to load that is then exploited.
42624 + If this option prevents a legitimate use of auto-loading for a
42625 + non-root user, the administrator can execute modprobe manually
42626 + with the exact name of the module mentioned in the alert log.
42627 + Alternatively, the administrator can add the module to the list
42628 + of modules loaded at boot by modifying init scripts.
42630 + Modification of init scripts will most likely be needed on
42631 + Ubuntu servers with encrypted home directory support enabled,
42632 + as the first non-root user logging in will cause the ecb(aes),
42633 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
42635 +config GRKERNSEC_HIDESYM
42636 + bool "Hide kernel symbols"
42638 + If you say Y here, getting information on loaded modules, and
42639 + displaying all kernel symbols through a syscall will be restricted
42640 + to users with CAP_SYS_MODULE. For software compatibility reasons,
42641 + /proc/kallsyms will be restricted to the root user. The RBAC
42642 + system can hide that entry even from root.
42644 + This option also prevents leaking of kernel addresses through
42645 + several /proc entries.
42647 + Note that this option is only effective provided the following
42648 + conditions are met:
42649 + 1) The kernel using grsecurity is not precompiled by some distribution
42650 + 2) You are using the RBAC system and hiding other files such as your
42651 + kernel image and System.map. Alternatively, enabling this option
42652 + causes the permissions on /boot, /lib/modules, and the kernel
42653 + source directory to change at compile time to prevent
42654 + reading by non-root users.
42655 + If the above conditions are met, this option will aid in providing a
42656 + useful protection against local kernel exploitation of overflows
42657 + and arbitrary read/write vulnerabilities.
42660 +menu "Role Based Access Control Options"
42661 +depends on GRKERNSEC
42663 +config GRKERNSEC_NO_RBAC
42664 + bool "Disable RBAC system"
42666 + If you say Y here, the /dev/grsec device will be removed from the kernel,
42667 + preventing the RBAC system from being enabled. You should only say Y
42668 + here if you have no intention of using the RBAC system, so as to prevent
42669 + an attacker with root access from misusing the RBAC system to hide files
42670 + and processes when loadable module support and /dev/[k]mem have been
42673 +config GRKERNSEC_ACL_HIDEKERN
42674 + bool "Hide kernel processes"
42676 + If you say Y here, all kernel threads will be hidden to all
42677 + processes but those whose subject has the "view hidden processes"
42680 +config GRKERNSEC_ACL_MAXTRIES
42681 + int "Maximum tries before password lockout"
42684 + This option enforces the maximum number of times a user can attempt
42685 + to authorize themselves with the grsecurity RBAC system before being
42686 + denied the ability to attempt authorization again for a specified time.
42687 + The lower the number, the harder it will be to brute-force a password.
42689 +config GRKERNSEC_ACL_TIMEOUT
42690 + int "Time to wait after max password tries, in seconds"
42693 + This option specifies the time the user must wait after attempting to
42694 + authorize to the RBAC system with the maximum number of invalid
42695 + passwords. The higher the number, the harder it will be to brute-force
42699 +menu "Filesystem Protections"
42700 +depends on GRKERNSEC
42702 +config GRKERNSEC_PROC
42703 + bool "Proc restrictions"
42705 + If you say Y here, the permissions of the /proc filesystem
42706 + will be altered to enhance system security and privacy. You MUST
42707 + choose either a user only restriction or a user and group restriction.
42708 + Depending upon the option you choose, you can either restrict users to
42709 + see only the processes they themselves run, or choose a group that can
42710 + view all processes and files normally restricted to root if you choose
42711 + the "restrict to user only" option. NOTE: If you're running identd as
42712 + a non-root user, you will have to run it as the group you specify here.
42714 +config GRKERNSEC_PROC_USER
42715 + bool "Restrict /proc to user only"
42716 + depends on GRKERNSEC_PROC
42718 + If you say Y here, non-root users will only be able to view their own
42719 + processes, and restricts them from viewing network-related information,
42720 + and viewing kernel symbol and module information.
42722 +config GRKERNSEC_PROC_USERGROUP
42723 + bool "Allow special group"
42724 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
42726 + If you say Y here, you will be able to select a group that will be
42727 + able to view all processes, network-related information, and
42728 + kernel and symbol information. This option is useful if you want
42729 + to run identd as a non-root user.
42731 +config GRKERNSEC_PROC_GID
42732 + int "GID for special group"
42733 + depends on GRKERNSEC_PROC_USERGROUP
42736 +config GRKERNSEC_PROC_ADD
42737 + bool "Additional restrictions"
42738 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
42740 + If you say Y here, additional restrictions will be placed on
42741 + /proc that keep normal users from viewing device information and
42742 + slabinfo information that could be useful for exploits.
42744 +config GRKERNSEC_LINK
42745 + bool "Linking restrictions"
42747 + If you say Y here, /tmp race exploits will be prevented, since users
42748 + will no longer be able to follow symlinks owned by other users in
42749 + world-writable +t directories (i.e. /tmp), unless the owner of the
42750 + symlink is the owner of the directory. users will also not be
42751 + able to hardlink to files they do not own. If the sysctl option is
42752 + enabled, a sysctl option with name "linking_restrictions" is created.
42754 +config GRKERNSEC_FIFO
42755 + bool "FIFO restrictions"
42757 + If you say Y here, users will not be able to write to FIFOs they don't
42758 + own in world-writable +t directories (i.e. /tmp), unless the owner of
42759 + the FIFO is the same owner of the directory it's held in. If the sysctl
42760 + option is enabled, a sysctl option with name "fifo_restrictions" is
42763 +config GRKERNSEC_ROFS
42764 + bool "Runtime read-only mount protection"
42766 + If you say Y here, a sysctl option with name "romount_protect" will
42767 + be created. By setting this option to 1 at runtime, filesystems
42768 + will be protected in the following ways:
42769 + * No new writable mounts will be allowed
42770 + * Existing read-only mounts won't be able to be remounted read/write
42771 + * Write operations will be denied on all block devices
42772 + This option acts independently of grsec_lock: once it is set to 1,
42773 + it cannot be turned off. Therefore, please be mindful of the resulting
42774 + behavior if this option is enabled in an init script on a read-only
42775 + filesystem. This feature is mainly intended for secure embedded systems.
42777 +config GRKERNSEC_CHROOT
42778 + bool "Chroot jail restrictions"
42780 + If you say Y here, you will be able to choose several options that will
42781 + make breaking out of a chrooted jail much more difficult. If you
42782 + encounter no software incompatibilities with the following options, it
42783 + is recommended that you enable each one.
42785 +config GRKERNSEC_CHROOT_MOUNT
42786 + bool "Deny mounts"
42787 + depends on GRKERNSEC_CHROOT
42789 + If you say Y here, processes inside a chroot will not be able to
42790 + mount or remount filesystems. If the sysctl option is enabled, a
42791 + sysctl option with name "chroot_deny_mount" is created.
42793 +config GRKERNSEC_CHROOT_DOUBLE
42794 + bool "Deny double-chroots"
42795 + depends on GRKERNSEC_CHROOT
42797 + If you say Y here, processes inside a chroot will not be able to chroot
42798 + again outside the chroot. This is a widely used method of breaking
42799 + out of a chroot jail and should not be allowed. If the sysctl
42800 + option is enabled, a sysctl option with name
42801 + "chroot_deny_chroot" is created.
42803 +config GRKERNSEC_CHROOT_PIVOT
42804 + bool "Deny pivot_root in chroot"
42805 + depends on GRKERNSEC_CHROOT
42807 + If you say Y here, processes inside a chroot will not be able to use
42808 + a function called pivot_root() that was introduced in Linux 2.3.41. It
42809 + works similar to chroot in that it changes the root filesystem. This
42810 + function could be misused in a chrooted process to attempt to break out
42811 + of the chroot, and therefore should not be allowed. If the sysctl
42812 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
42815 +config GRKERNSEC_CHROOT_CHDIR
42816 + bool "Enforce chdir(\"/\") on all chroots"
42817 + depends on GRKERNSEC_CHROOT
42819 + If you say Y here, the current working directory of all newly-chrooted
42820 + applications will be set to the the root directory of the chroot.
42821 + The man page on chroot(2) states:
42822 + Note that this call does not change the current working
42823 + directory, so that `.' can be outside the tree rooted at
42824 + `/'. In particular, the super-user can escape from a
42825 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
42827 + It is recommended that you say Y here, since it's not known to break
42828 + any software. If the sysctl option is enabled, a sysctl option with
42829 + name "chroot_enforce_chdir" is created.
42831 +config GRKERNSEC_CHROOT_CHMOD
42832 + bool "Deny (f)chmod +s"
42833 + depends on GRKERNSEC_CHROOT
42835 + If you say Y here, processes inside a chroot will not be able to chmod
42836 + or fchmod files to make them have suid or sgid bits. This protects
42837 + against another published method of breaking a chroot. If the sysctl
42838 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
42841 +config GRKERNSEC_CHROOT_FCHDIR
42842 + bool "Deny fchdir out of chroot"
42843 + depends on GRKERNSEC_CHROOT
42845 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
42846 + to a file descriptor of the chrooting process that points to a directory
42847 + outside the filesystem will be stopped. If the sysctl option
42848 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
42850 +config GRKERNSEC_CHROOT_MKNOD
42851 + bool "Deny mknod"
42852 + depends on GRKERNSEC_CHROOT
42854 + If you say Y here, processes inside a chroot will not be allowed to
42855 + mknod. The problem with using mknod inside a chroot is that it
42856 + would allow an attacker to create a device entry that is the same
42857 + as one on the physical root of your system, which could range from
42858 + anything from the console device to a device for your harddrive (which
42859 + they could then use to wipe the drive or steal data). It is recommended
42860 + that you say Y here, unless you run into software incompatibilities.
42861 + If the sysctl option is enabled, a sysctl option with name
42862 + "chroot_deny_mknod" is created.
42864 +config GRKERNSEC_CHROOT_SHMAT
42865 + bool "Deny shmat() out of chroot"
42866 + depends on GRKERNSEC_CHROOT
42868 + If you say Y here, processes inside a chroot will not be able to attach
42869 + to shared memory segments that were created outside of the chroot jail.
42870 + It is recommended that you say Y here. If the sysctl option is enabled,
42871 + a sysctl option with name "chroot_deny_shmat" is created.
42873 +config GRKERNSEC_CHROOT_UNIX
42874 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
42875 + depends on GRKERNSEC_CHROOT
42877 + If you say Y here, processes inside a chroot will not be able to
42878 + connect to abstract (meaning not belonging to a filesystem) Unix
42879 + domain sockets that were bound outside of a chroot. It is recommended
42880 + that you say Y here. If the sysctl option is enabled, a sysctl option
42881 + with name "chroot_deny_unix" is created.
42883 +config GRKERNSEC_CHROOT_FINDTASK
42884 + bool "Protect outside processes"
42885 + depends on GRKERNSEC_CHROOT
42887 + If you say Y here, processes inside a chroot will not be able to
42888 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
42889 + getsid, or view any process outside of the chroot. If the sysctl
42890 + option is enabled, a sysctl option with name "chroot_findtask" is
42893 +config GRKERNSEC_CHROOT_NICE
42894 + bool "Restrict priority changes"
42895 + depends on GRKERNSEC_CHROOT
42897 + If you say Y here, processes inside a chroot will not be able to raise
42898 + the priority of processes in the chroot, or alter the priority of
42899 + processes outside the chroot. This provides more security than simply
42900 + removing CAP_SYS_NICE from the process' capability set. If the
42901 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
42904 +config GRKERNSEC_CHROOT_SYSCTL
42905 + bool "Deny sysctl writes"
42906 + depends on GRKERNSEC_CHROOT
42908 + If you say Y here, an attacker in a chroot will not be able to
42909 + write to sysctl entries, either by sysctl(2) or through a /proc
42910 + interface. It is strongly recommended that you say Y here. If the
42911 + sysctl option is enabled, a sysctl option with name
42912 + "chroot_deny_sysctl" is created.
42914 +config GRKERNSEC_CHROOT_CAPS
42915 + bool "Capability restrictions"
42916 + depends on GRKERNSEC_CHROOT
42918 + If you say Y here, the capabilities on all root processes within a
42919 + chroot jail will be lowered to stop module insertion, raw i/o,
42920 + system and net admin tasks, rebooting the system, modifying immutable
42921 + files, modifying IPC owned by another, and changing the system time.
42922 + This is left an option because it can break some apps. Disable this
42923 + if your chrooted apps are having problems performing those kinds of
42924 + tasks. If the sysctl option is enabled, a sysctl option with
42925 + name "chroot_caps" is created.
42928 +menu "Kernel Auditing"
42929 +depends on GRKERNSEC
42931 +config GRKERNSEC_AUDIT_GROUP
42932 + bool "Single group for auditing"
42934 + If you say Y here, the exec, chdir, and (un)mount logging features
42935 + will only operate on a group you specify. This option is recommended
42936 + if you only want to watch certain users instead of having a large
42937 + amount of logs from the entire system. If the sysctl option is enabled,
42938 + a sysctl option with name "audit_group" is created.
42940 +config GRKERNSEC_AUDIT_GID
42941 + int "GID for auditing"
42942 + depends on GRKERNSEC_AUDIT_GROUP
42945 +config GRKERNSEC_EXECLOG
42946 + bool "Exec logging"
42948 + If you say Y here, all execve() calls will be logged (since the
42949 + other exec*() calls are frontends to execve(), all execution
42950 + will be logged). Useful for shell-servers that like to keep track
42951 + of their users. If the sysctl option is enabled, a sysctl option with
42952 + name "exec_logging" is created.
42953 + WARNING: This option when enabled will produce a LOT of logs, especially
42954 + on an active system.
42956 +config GRKERNSEC_RESLOG
42957 + bool "Resource logging"
42959 + If you say Y here, all attempts to overstep resource limits will
42960 + be logged with the resource name, the requested size, and the current
42961 + limit. It is highly recommended that you say Y here. If the sysctl
42962 + option is enabled, a sysctl option with name "resource_logging" is
42963 + created. If the RBAC system is enabled, the sysctl value is ignored.
42965 +config GRKERNSEC_CHROOT_EXECLOG
42966 + bool "Log execs within chroot"
42968 + If you say Y here, all executions inside a chroot jail will be logged
42969 + to syslog. This can cause a large amount of logs if certain
42970 + applications (eg. djb's daemontools) are installed on the system, and
42971 + is therefore left as an option. If the sysctl option is enabled, a
42972 + sysctl option with name "chroot_execlog" is created.
42974 +config GRKERNSEC_AUDIT_PTRACE
42975 + bool "Ptrace logging"
42977 + If you say Y here, all attempts to attach to a process via ptrace
42978 + will be logged. If the sysctl option is enabled, a sysctl option
42979 + with name "audit_ptrace" is created.
42981 +config GRKERNSEC_AUDIT_CHDIR
42982 + bool "Chdir logging"
42984 + If you say Y here, all chdir() calls will be logged. If the sysctl
42985 + option is enabled, a sysctl option with name "audit_chdir" is created.
42987 +config GRKERNSEC_AUDIT_MOUNT
42988 + bool "(Un)Mount logging"
42990 + If you say Y here, all mounts and unmounts will be logged. If the
42991 + sysctl option is enabled, a sysctl option with name "audit_mount" is
42994 +config GRKERNSEC_SIGNAL
42995 + bool "Signal logging"
42997 + If you say Y here, certain important signals will be logged, such as
42998 + SIGSEGV, which will as a result inform you of when a error in a program
42999 + occurred, which in some cases could mean a possible exploit attempt.
43000 + If the sysctl option is enabled, a sysctl option with name
43001 + "signal_logging" is created.
43003 +config GRKERNSEC_FORKFAIL
43004 + bool "Fork failure logging"
43006 + If you say Y here, all failed fork() attempts will be logged.
43007 + This could suggest a fork bomb, or someone attempting to overstep
43008 + their process limit. If the sysctl option is enabled, a sysctl option
43009 + with name "forkfail_logging" is created.
43011 +config GRKERNSEC_TIME
43012 + bool "Time change logging"
43014 + If you say Y here, any changes of the system clock will be logged.
43015 + If the sysctl option is enabled, a sysctl option with name
43016 + "timechange_logging" is created.
43018 +config GRKERNSEC_PROC_IPADDR
43019 + bool "/proc/<pid>/ipaddr support"
43021 + If you say Y here, a new entry will be added to each /proc/<pid>
43022 + directory that contains the IP address of the person using the task.
43023 + The IP is carried across local TCP and AF_UNIX stream sockets.
43024 + This information can be useful for IDS/IPSes to perform remote response
43025 + to a local attack. The entry is readable by only the owner of the
43026 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
43027 + the RBAC system), and thus does not create privacy concerns.
43029 +config GRKERNSEC_AUDIT_TEXTREL
43030 + bool 'ELF text relocations logging (READ HELP)'
43031 + depends on PAX_MPROTECT
43033 + If you say Y here, text relocations will be logged with the filename
43034 + of the offending library or binary. The purpose of the feature is
43035 + to help Linux distribution developers get rid of libraries and
43036 + binaries that need text relocations which hinder the future progress
43037 + of PaX. Only Linux distribution developers should say Y here, and
43038 + never on a production machine, as this option creates an information
43039 + leak that could aid an attacker in defeating the randomization of
43040 + a single memory region. If the sysctl option is enabled, a sysctl
43041 + option with name "audit_textrel" is created.
43045 +menu "Executable Protections"
43046 +depends on GRKERNSEC
43048 +config GRKERNSEC_EXECVE
43049 + bool "Enforce RLIMIT_NPROC on execs"
43051 + If you say Y here, users with a resource limit on processes will
43052 + have the value checked during execve() calls. The current system
43053 + only checks the system limit during fork() calls. If the sysctl option
43054 + is enabled, a sysctl option with name "execve_limiting" is created.
43056 +config GRKERNSEC_DMESG
43057 + bool "Dmesg(8) restriction"
43059 + If you say Y here, non-root users will not be able to use dmesg(8)
43060 + to view up to the last 4kb of messages in the kernel's log buffer.
43061 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
43064 +config GRKERNSEC_HARDEN_PTRACE
43065 + bool "Deter ptrace-based process snooping"
43067 + If you say Y here, TTY sniffers and other malicious monitoring
43068 + programs implemented through ptrace will be defeated. If you
43069 + have been using the RBAC system, this option has already been
43070 + enabled for several years for all users, with the ability to make
43071 + fine-grained exceptions.
43073 + This option only affects the ability of non-root users to ptrace
43074 + processes that are not a descendent of the ptracing process.
43075 + This means that strace ./binary and gdb ./binary will still work,
43076 + but attaching to arbitrary processes will not. If the sysctl
43077 + option is enabled, a sysctl option with name "harden_ptrace" is
43080 +config GRKERNSEC_TPE
43081 + bool "Trusted Path Execution (TPE)"
43083 + If you say Y here, you will be able to choose a gid to add to the
43084 + supplementary groups of users you want to mark as "untrusted."
43085 + These users will not be able to execute any files that are not in
43086 + root-owned directories writable only by root. If the sysctl option
43087 + is enabled, a sysctl option with name "tpe" is created.
43089 +config GRKERNSEC_TPE_ALL
43090 + bool "Partially restrict all non-root users"
43091 + depends on GRKERNSEC_TPE
43093 + If you say Y here, all non-root users will be covered under
43094 + a weaker TPE restriction. This is separate from, and in addition to,
43095 + the main TPE options that you have selected elsewhere. Thus, if a
43096 + "trusted" GID is chosen, this restriction applies to even that GID.
43097 + Under this restriction, all non-root users will only be allowed to
43098 + execute files in directories they own that are not group or
43099 + world-writable, or in directories owned by root and writable only by
43100 + root. If the sysctl option is enabled, a sysctl option with name
43101 + "tpe_restrict_all" is created.
43103 +config GRKERNSEC_TPE_INVERT
43104 + bool "Invert GID option"
43105 + depends on GRKERNSEC_TPE
43107 + If you say Y here, the group you specify in the TPE configuration will
43108 + decide what group TPE restrictions will be *disabled* for. This
43109 + option is useful if you want TPE restrictions to be applied to most
43110 + users on the system. If the sysctl option is enabled, a sysctl option
43111 + with name "tpe_invert" is created. Unlike other sysctl options, this
43112 + entry will default to on for backward-compatibility.
43114 +config GRKERNSEC_TPE_GID
43115 + int "GID for untrusted users"
43116 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
43119 + Setting this GID determines what group TPE restrictions will be
43120 + *enabled* for. If the sysctl option is enabled, a sysctl option
43121 + with name "tpe_gid" is created.
43123 +config GRKERNSEC_TPE_GID
43124 + int "GID for trusted users"
43125 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
43128 + Setting this GID determines what group TPE restrictions will be
43129 + *disabled* for. If the sysctl option is enabled, a sysctl option
43130 + with name "tpe_gid" is created.
43133 +menu "Network Protections"
43134 +depends on GRKERNSEC
43136 +config GRKERNSEC_RANDNET
43137 + bool "Larger entropy pools"
43139 + If you say Y here, the entropy pools used for many features of Linux
43140 + and grsecurity will be doubled in size. Since several grsecurity
43141 + features use additional randomness, it is recommended that you say Y
43142 + here. Saying Y here has a similar effect as modifying
43143 + /proc/sys/kernel/random/poolsize.
43145 +config GRKERNSEC_BLACKHOLE
43146 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
43148 + If you say Y here, neither TCP resets nor ICMP
43149 + destination-unreachable packets will be sent in response to packets
43150 + sent to ports for which no associated listening process exists.
43151 + This feature supports both IPV4 and IPV6 and exempts the
43152 + loopback interface from blackholing. Enabling this feature
43153 + makes a host more resilient to DoS attacks and reduces network
43154 + visibility against scanners.
43156 + The blackhole feature as-implemented is equivalent to the FreeBSD
43157 + blackhole feature, as it prevents RST responses to all packets, not
43158 + just SYNs. Under most application behavior this causes no
43159 + problems, but applications (like haproxy) may not close certain
43160 + connections in a way that cleanly terminates them on the remote
43161 + end, leaving the remote host in LAST_ACK state. Because of this
43162 + side-effect and to prevent intentional LAST_ACK DoSes, this
43163 + feature also adds automatic mitigation against such attacks.
43164 + The mitigation drastically reduces the amount of time a socket
43165 + can spend in LAST_ACK state. If you're using haproxy and not
43166 + all servers it connects to have this option enabled, consider
43167 + disabling this feature on the haproxy host.
43169 + If the sysctl option is enabled, two sysctl options with names
43170 + "ip_blackhole" and "lastack_retries" will be created.
43171 + While "ip_blackhole" takes the standard zero/non-zero on/off
43172 + toggle, "lastack_retries" uses the same kinds of values as
43173 + "tcp_retries1" and "tcp_retries2". The default value of 4
43174 + prevents a socket from lasting more than 45 seconds in LAST_ACK
43177 +config GRKERNSEC_SOCKET
43178 + bool "Socket restrictions"
43180 + If you say Y here, you will be able to choose from several options.
43181 + If you assign a GID on your system and add it to the supplementary
43182 + groups of users you want to restrict socket access to, this patch
43183 + will perform up to three things, based on the option(s) you choose.
43185 +config GRKERNSEC_SOCKET_ALL
43186 + bool "Deny any sockets to group"
43187 + depends on GRKERNSEC_SOCKET
43189 + If you say Y here, you will be able to choose a GID of whose users will
43190 + be unable to connect to other hosts from your machine or run server
43191 + applications from your machine. If the sysctl option is enabled, a
43192 + sysctl option with name "socket_all" is created.
43194 +config GRKERNSEC_SOCKET_ALL_GID
43195 + int "GID to deny all sockets for"
43196 + depends on GRKERNSEC_SOCKET_ALL
43199 + Here you can choose the GID to disable socket access for. Remember to
43200 + add the users you want socket access disabled for to the GID
43201 + specified here. If the sysctl option is enabled, a sysctl option
43202 + with name "socket_all_gid" is created.
43204 +config GRKERNSEC_SOCKET_CLIENT
43205 + bool "Deny client sockets to group"
43206 + depends on GRKERNSEC_SOCKET
43208 + If you say Y here, you will be able to choose a GID of whose users will
43209 + be unable to connect to other hosts from your machine, but will be
43210 + able to run servers. If this option is enabled, all users in the group
43211 + you specify will have to use passive mode when initiating ftp transfers
43212 + from the shell on your machine. If the sysctl option is enabled, a
43213 + sysctl option with name "socket_client" is created.
43215 +config GRKERNSEC_SOCKET_CLIENT_GID
43216 + int "GID to deny client sockets for"
43217 + depends on GRKERNSEC_SOCKET_CLIENT
43220 + Here you can choose the GID to disable client socket access for.
43221 + Remember to add the users you want client socket access disabled for to
43222 + the GID specified here. If the sysctl option is enabled, a sysctl
43223 + option with name "socket_client_gid" is created.
43225 +config GRKERNSEC_SOCKET_SERVER
43226 + bool "Deny server sockets to group"
43227 + depends on GRKERNSEC_SOCKET
43229 + If you say Y here, you will be able to choose a GID of whose users will
43230 + be unable to run server applications from your machine. If the sysctl
43231 + option is enabled, a sysctl option with name "socket_server" is created.
43233 +config GRKERNSEC_SOCKET_SERVER_GID
43234 + int "GID to deny server sockets for"
43235 + depends on GRKERNSEC_SOCKET_SERVER
43238 + Here you can choose the GID to disable server socket access for.
43239 + Remember to add the users you want server socket access disabled for to
43240 + the GID specified here. If the sysctl option is enabled, a sysctl
43241 + option with name "socket_server_gid" is created.
43244 +menu "Sysctl support"
43245 +depends on GRKERNSEC && SYSCTL
43247 +config GRKERNSEC_SYSCTL
43248 + bool "Sysctl support"
43250 + If you say Y here, you will be able to change the options that
43251 + grsecurity runs with at bootup, without having to recompile your
43252 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
43253 + to enable (1) or disable (0) various features. All the sysctl entries
43254 + are mutable until the "grsec_lock" entry is set to a non-zero value.
43255 + All features enabled in the kernel configuration are disabled at boot
43256 + if you do not say Y to the "Turn on features by default" option.
43257 + All options should be set at startup, and the grsec_lock entry should
43258 + be set to a non-zero value after all the options are set.
43259 + *THIS IS EXTREMELY IMPORTANT*
43261 +config GRKERNSEC_SYSCTL_DISTRO
43262 + bool "Extra sysctl support for distro makers (READ HELP)"
43263 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
43265 + If you say Y here, additional sysctl options will be created
43266 + for features that affect processes running as root. Therefore,
43267 + it is critical when using this option that the grsec_lock entry be
43268 + enabled after boot. Only distros with prebuilt kernel packages
43269 + with this option enabled that can ensure grsec_lock is enabled
43270 + after boot should use this option.
43271 + *Failure to set grsec_lock after boot makes all grsec features
43272 + this option covers useless*
43274 + Currently this option creates the following sysctl entries:
43275 + "Disable Privileged I/O": "disable_priv_io"
43277 +config GRKERNSEC_SYSCTL_ON
43278 + bool "Turn on features by default"
43279 + depends on GRKERNSEC_SYSCTL
43281 + If you say Y here, instead of having all features enabled in the
43282 + kernel configuration disabled at boot time, the features will be
43283 + enabled at boot time. It is recommended you say Y here unless
43284 + there is some reason you would want all sysctl-tunable features to
43285 + be disabled by default. As mentioned elsewhere, it is important
43286 + to enable the grsec_lock entry once you have finished modifying
43287 + the sysctl entries.
43290 +menu "Logging Options"
43291 +depends on GRKERNSEC
43293 +config GRKERNSEC_FLOODTIME
43294 + int "Seconds in between log messages (minimum)"
43297 + This option allows you to enforce the number of seconds between
43298 + grsecurity log messages. The default should be suitable for most
43299 + people, however, if you choose to change it, choose a value small enough
43300 + to allow informative logs to be produced, but large enough to
43301 + prevent flooding.
43303 +config GRKERNSEC_FLOODBURST
43304 + int "Number of messages in a burst (maximum)"
43307 + This option allows you to choose the maximum number of messages allowed
43308 + within the flood time interval you chose in a separate option. The
43309 + default should be suitable for most people, however if you find that
43310 + many of your logs are being interpreted as flooding, you may want to
43311 + raise this value.
43316 diff -urNp linux-2.6.35.5/grsecurity/Makefile linux-2.6.35.5/grsecurity/Makefile
43317 --- linux-2.6.35.5/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
43318 +++ linux-2.6.35.5/grsecurity/Makefile 2010-09-17 20:12:37.000000000 -0400
43320 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
43321 +# during 2001-2009 it has been completely redesigned by Brad Spengler
43322 +# into an RBAC system
43324 +# All code in this directory and various hooks inserted throughout the kernel
43325 +# are copyright Brad Spengler - Open Source Security, Inc., and released
43326 +# under the GPL v2 or higher
43328 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
43329 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
43330 + grsec_time.o grsec_tpe.o grsec_link.o grsec_textrel.o grsec_ptrace.o
43332 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
43333 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
43334 + gracl_learn.o grsec_log.o
43335 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
43337 +ifndef CONFIG_GRKERNSEC
43338 +obj-y += grsec_disabled.o
43341 +ifdef CONFIG_GRKERNSEC_HIDESYM
43342 +extra-y := grsec_hidesym.o
43343 +$(obj)/grsec_hidesym.o:
43344 + @-chmod -f 500 /boot
43345 + @-chmod -f 500 /lib/modules
43347 + @echo ' grsec: protected kernel image paths'
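Review bot: The `grsec_hidesym.o` recipe prints ' grsec: protected kernel image paths' even when the permission changes failed, because each `chmod` is run with `@-` and `-f`, so errors are both ignored and silenced. A build run as a non-root user, or on a machine other than the one that will boot the kernel, therefore reports a protection that was not applied to the target's /boot and /lib/modules, which the HIDESYM help text lists as a precondition for the option being effective. I would make the message depend on the result, e.g. `@chmod -f 500 /boot /lib/modules && echo ' grsec: protected kernel image paths' || echo ' grsec: WARNING: kernel image paths were not restricted'`, and add a comment above the rule stating that it changes permissions on the build host as a side effect. The recipe as shown here appears to be missing a line, so any further chmod in it needs the same treatment.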
43349 diff -urNp linux-2.6.35.5/include/acpi/acoutput.h linux-2.6.35.5/include/acpi/acoutput.h
43350 --- linux-2.6.35.5/include/acpi/acoutput.h 2010-08-26 19:47:12.000000000 -0400
43351 +++ linux-2.6.35.5/include/acpi/acoutput.h 2010-09-17 20:12:09.000000000 -0400
43352 @@ -268,8 +268,8 @@
43353 * leaving no executable debug code!
43355 #define ACPI_FUNCTION_NAME(a)
43356 -#define ACPI_DEBUG_PRINT(pl)
43357 -#define ACPI_DEBUG_PRINT_RAW(pl)
43358 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
43359 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
43361 #endif /* ACPI_DEBUG_OUTPUT */
43363 diff -urNp linux-2.6.35.5/include/acpi/acpi_drivers.h linux-2.6.35.5/include/acpi/acpi_drivers.h
43364 --- linux-2.6.35.5/include/acpi/acpi_drivers.h 2010-08-26 19:47:12.000000000 -0400
43365 +++ linux-2.6.35.5/include/acpi/acpi_drivers.h 2010-09-17 20:12:09.000000000 -0400
43366 @@ -121,8 +121,8 @@ int acpi_processor_set_thermal_limit(acp
43368 -------------------------------------------------------------------------- */
43369 struct acpi_dock_ops {
43370 - acpi_notify_handler handler;
43371 - acpi_notify_handler uevent;
43372 + const acpi_notify_handler handler;
43373 + const acpi_notify_handler uevent;
43376 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
43377 @@ -130,7 +130,7 @@ extern int is_dock_device(acpi_handle ha
43378 extern int register_dock_notifier(struct notifier_block *nb);
43379 extern void unregister_dock_notifier(struct notifier_block *nb);
43380 extern int register_hotplug_dock_device(acpi_handle handle,
43381 - struct acpi_dock_ops *ops,
43382 + const struct acpi_dock_ops *ops,
43384 extern void unregister_hotplug_dock_device(acpi_handle handle);
43386 @@ -146,7 +146,7 @@ static inline void unregister_dock_notif
43389 static inline int register_hotplug_dock_device(acpi_handle handle,
43390 - struct acpi_dock_ops *ops,
43391 + const struct acpi_dock_ops *ops,
43395 diff -urNp linux-2.6.35.5/include/asm-generic/atomic-long.h linux-2.6.35.5/include/asm-generic/atomic-long.h
43396 --- linux-2.6.35.5/include/asm-generic/atomic-long.h 2010-08-26 19:47:12.000000000 -0400
43397 +++ linux-2.6.35.5/include/asm-generic/atomic-long.h 2010-09-17 20:12:09.000000000 -0400
43400 typedef atomic64_t atomic_long_t;
43402 +#ifdef CONFIG_PAX_REFCOUNT
43403 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
43405 +typedef atomic64_t atomic_long_unchecked_t;
43408 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
43410 static inline long atomic_long_read(atomic_long_t *l)
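Review bot: The new `atomic_long_unchecked_t` typedef has no comment saying which counters may use it. With CONFIG_PAX_REFCOUNT it maps to `atomic64_unchecked_t` and otherwise to plain `atomic64_t`, so it reads as an opt-out from whatever checking the ordinary type carries; that is inferred from the names, since the checked implementation is not in this hunk. I would add above the `#ifdef`: `/* For counters that may legitimately wrap (statistics, sequence numbers); never for object lifetimes. */`. The same comment belongs on the 32-bit typedef pair added in the `@@ -140,6 +200,12 @@` hunk.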
43411 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
43412 return (long)atomic64_read(v);
43415 +#ifdef CONFIG_PAX_REFCOUNT
43416 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
43418 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43420 + return (long)atomic64_read_unchecked(v);
43424 static inline void atomic_long_set(atomic_long_t *l, long i)
43426 atomic64_t *v = (atomic64_t *)l;
43427 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
43428 atomic64_set(v, i);
43431 +#ifdef CONFIG_PAX_REFCOUNT
43432 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
43434 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43436 + atomic64_set_unchecked(v, i);
43440 static inline void atomic_long_inc(atomic_long_t *l)
43442 atomic64_t *v = (atomic64_t *)l;
43443 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
43447 +#ifdef CONFIG_PAX_REFCOUNT
43448 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
43450 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43452 + atomic64_inc_unchecked(v);
43456 static inline void atomic_long_dec(atomic_long_t *l)
43458 atomic64_t *v = (atomic64_t *)l;
43459 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
43463 +#ifdef CONFIG_PAX_REFCOUNT
43464 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
43466 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43468 + atomic64_dec_unchecked(v);
43472 static inline void atomic_long_add(long i, atomic_long_t *l)
43474 atomic64_t *v = (atomic64_t *)l;
43475 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
43476 atomic64_add(i, v);
43479 +#ifdef CONFIG_PAX_REFCOUNT
43480 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
43482 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43484 + atomic64_add_unchecked(i, v);
43488 static inline void atomic_long_sub(long i, atomic_long_t *l)
43490 atomic64_t *v = (atomic64_t *)l;
43491 @@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
43492 return (long)atomic64_inc_return(v);
43495 +#ifdef CONFIG_PAX_REFCOUNT
43496 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
43498 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43500 + return (long)atomic64_inc_return_unchecked(v);
43504 static inline long atomic_long_dec_return(atomic_long_t *l)
43506 atomic64_t *v = (atomic64_t *)l;
43507 @@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
43509 typedef atomic_t atomic_long_t;
43511 +#ifdef CONFIG_PAX_REFCOUNT
43512 +typedef atomic_unchecked_t atomic_long_unchecked_t;
43514 +typedef atomic_t atomic_long_unchecked_t;
43517 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
43518 static inline long atomic_long_read(atomic_long_t *l)
43520 @@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
43521 return (long)atomic_read(v);
43524 +#ifdef CONFIG_PAX_REFCOUNT
43525 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
43527 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43529 + return (long)atomic_read_unchecked(v);
43533 static inline void atomic_long_set(atomic_long_t *l, long i)
43535 atomic_t *v = (atomic_t *)l;
43536 @@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
43540 +#ifdef CONFIG_PAX_REFCOUNT
43541 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
43543 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43545 + atomic_set_unchecked(v, i);
43549 static inline void atomic_long_inc(atomic_long_t *l)
43551 atomic_t *v = (atomic_t *)l;
43552 @@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
43556 +#ifdef CONFIG_PAX_REFCOUNT
43557 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
43559 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43561 + atomic_inc_unchecked(v);
43565 static inline void atomic_long_dec(atomic_long_t *l)
43567 atomic_t *v = (atomic_t *)l;
43568 @@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
43572 +#ifdef CONFIG_PAX_REFCOUNT
43573 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
43575 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43577 + atomic_dec_unchecked(v);
43581 static inline void atomic_long_add(long i, atomic_long_t *l)
43583 atomic_t *v = (atomic_t *)l;
43584 @@ -176,6 +278,15 @@ static inline void atomic_long_add(long
43588 +#ifdef CONFIG_PAX_REFCOUNT
43589 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
43591 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43593 + atomic_add_unchecked(i, v);
43597 static inline void atomic_long_sub(long i, atomic_long_t *l)
43599 atomic_t *v = (atomic_t *)l;
43600 @@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
43601 return (long)atomic_inc_return(v);
43604 +#ifdef CONFIG_PAX_REFCOUNT
43605 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
43607 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43609 + return (long)atomic_inc_return_unchecked(v);
43613 static inline long atomic_long_dec_return(atomic_long_t *l)
43615 atomic_t *v = (atomic_t *)l;
43616 @@ -255,4 +375,37 @@ static inline long atomic_long_add_unles
43618 #endif /* BITS_PER_LONG == 64 */
43620 +#ifdef CONFIG_PAX_REFCOUNT
43621 +static inline void pax_refcount_needs_these_functions(void)
43623 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
43624 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
43625 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
43626 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
43627 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
43628 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
43630 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
43631 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
43632 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
43633 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
43634 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
43635 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
43638 +#define atomic_read_unchecked(v) atomic_read(v)
43639 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
43640 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
43641 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
43642 +#define atomic_inc_unchecked(v) atomic_inc(v)
43643 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
43645 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
43646 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
43647 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
43648 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
43649 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
43650 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
43653 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
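Review bot: `pax_refcount_needs_these_functions()` passes NULL to every `_unchecked` accessor and has no comment, so it can be mistaken for live code that dereferences a null pointer. It appears to exist only so that an architecture lacking one of these operations fails to build; say so with `/* Never called: only forces a build error if an arch lacks these _unchecked ops. */`. The list, and the fallback macros that mirror it, is also asymmetric: `atomic_sub_unchecked` has no `atomic_long_sub_unchecked` counterpart and `atomic_long_dec_unchecked` has no `atomic_dec_unchecked`. If the rule is that only operations with existing users are listed, one line stating that would stop the next contributor from guessing.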
43654 diff -urNp linux-2.6.35.5/include/asm-generic/dma-mapping-common.h linux-2.6.35.5/include/asm-generic/dma-mapping-common.h
43655 --- linux-2.6.35.5/include/asm-generic/dma-mapping-common.h 2010-08-26 19:47:12.000000000 -0400
43656 +++ linux-2.6.35.5/include/asm-generic/dma-mapping-common.h 2010-09-17 20:12:09.000000000 -0400
43657 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
43658 enum dma_data_direction dir,
43659 struct dma_attrs *attrs)
43661 - struct dma_map_ops *ops = get_dma_ops(dev);
43662 + const struct dma_map_ops *ops = get_dma_ops(dev);
43665 kmemcheck_mark_initialized(ptr, size);
43666 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
43667 enum dma_data_direction dir,
43668 struct dma_attrs *attrs)
43670 - struct dma_map_ops *ops = get_dma_ops(dev);
43671 + const struct dma_map_ops *ops = get_dma_ops(dev);
43673 BUG_ON(!valid_dma_direction(dir));
43674 if (ops->unmap_page)
43675 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
43676 int nents, enum dma_data_direction dir,
43677 struct dma_attrs *attrs)
43679 - struct dma_map_ops *ops = get_dma_ops(dev);
43680 + const struct dma_map_ops *ops = get_dma_ops(dev);
43682 struct scatterlist *s;
43684 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
43685 int nents, enum dma_data_direction dir,
43686 struct dma_attrs *attrs)
43688 - struct dma_map_ops *ops = get_dma_ops(dev);
43689 + const struct dma_map_ops *ops = get_dma_ops(dev);
43691 BUG_ON(!valid_dma_direction(dir));
43692 debug_dma_unmap_sg(dev, sg, nents, dir);
43693 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
43694 size_t offset, size_t size,
43695 enum dma_data_direction dir)
43697 - struct dma_map_ops *ops = get_dma_ops(dev);
43698 + const struct dma_map_ops *ops = get_dma_ops(dev);
43701 kmemcheck_mark_initialized(page_address(page) + offset, size);
43702 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
43703 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
43704 size_t size, enum dma_data_direction dir)
43706 - struct dma_map_ops *ops = get_dma_ops(dev);
43707 + const struct dma_map_ops *ops = get_dma_ops(dev);
43709 BUG_ON(!valid_dma_direction(dir));
43710 if (ops->unmap_page)
43711 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
43713 enum dma_data_direction dir)
43715 - struct dma_map_ops *ops = get_dma_ops(dev);
43716 + const struct dma_map_ops *ops = get_dma_ops(dev);
43718 BUG_ON(!valid_dma_direction(dir));
43719 if (ops->sync_single_for_cpu)
43720 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
43721 dma_addr_t addr, size_t size,
43722 enum dma_data_direction dir)
43724 - struct dma_map_ops *ops = get_dma_ops(dev);
43725 + const struct dma_map_ops *ops = get_dma_ops(dev);
43727 BUG_ON(!valid_dma_direction(dir));
43728 if (ops->sync_single_for_device)
43729 @@ -139,7 +139,7 @@ static inline void
43730 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
43731 int nelems, enum dma_data_direction dir)
43733 - struct dma_map_ops *ops = get_dma_ops(dev);
43734 + const struct dma_map_ops *ops = get_dma_ops(dev);
43736 BUG_ON(!valid_dma_direction(dir));
43737 if (ops->sync_sg_for_cpu)
43738 @@ -151,7 +151,7 @@ static inline void
43739 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
43740 int nelems, enum dma_data_direction dir)
43742 - struct dma_map_ops *ops = get_dma_ops(dev);
43743 + const struct dma_map_ops *ops = get_dma_ops(dev);
43745 BUG_ON(!valid_dma_direction(dir));
43746 if (ops->sync_sg_for_device)
43747 diff -urNp linux-2.6.35.5/include/asm-generic/futex.h linux-2.6.35.5/include/asm-generic/futex.h
43748 --- linux-2.6.35.5/include/asm-generic/futex.h 2010-08-26 19:47:12.000000000 -0400
43749 +++ linux-2.6.35.5/include/asm-generic/futex.h 2010-09-17 20:12:09.000000000 -0400
43751 #include <asm/errno.h>
43754 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
43755 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
43757 int op = (encoded_op >> 28) & 7;
43758 int cmp = (encoded_op >> 24) & 15;
43759 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
43763 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
43764 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
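Review bot: `futex_atomic_cmpxchg_inatomic()` now takes `u32 __user *uaddr` while `oldval` and `newval` stay `int`, so the values compared against user memory differ in signedness from the pointed-to type. The function body is outside this hunk, so whether an implicit conversion changes a comparison cannot be checked here. The prototype should either move the two values to `u32` as well, or carry a comment that they are reinterpreted bit-for-bit and that the `int` return also carries an error code. The preceding hunk changes only the pointer type of `futex_atomic_op_inuser()` in the same way.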
43768 diff -urNp linux-2.6.35.5/include/asm-generic/int-l64.h linux-2.6.35.5/include/asm-generic/int-l64.h
43769 --- linux-2.6.35.5/include/asm-generic/int-l64.h 2010-08-26 19:47:12.000000000 -0400
43770 +++ linux-2.6.35.5/include/asm-generic/int-l64.h 2010-09-17 20:12:09.000000000 -0400
43771 @@ -46,6 +46,8 @@ typedef unsigned int u32;
43772 typedef signed long s64;
43773 typedef unsigned long u64;
43775 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
43778 #define U8_C(x) x ## U
43780 diff -urNp linux-2.6.35.5/include/asm-generic/int-ll64.h linux-2.6.35.5/include/asm-generic/int-ll64.h
43781 --- linux-2.6.35.5/include/asm-generic/int-ll64.h 2010-08-26 19:47:12.000000000 -0400
43782 +++ linux-2.6.35.5/include/asm-generic/int-ll64.h 2010-09-17 20:12:09.000000000 -0400
43783 @@ -51,6 +51,8 @@ typedef unsigned int u32;
43784 typedef signed long long s64;
43785 typedef unsigned long long u64;
43787 +typedef unsigned long long intoverflow_t;
43790 #define U8_C(x) x ## U
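Review bot: `intoverflow_t` is `unsigned long long` here, which is 64 bits, while the int-l64.h variant added in the previous file section uses `mode(TI)`. If the type is meant to hold the product of two `size_t` values without wrapping (its users are not in this hunk), a 64-bit build that includes int-ll64.h gets a type no wider than `unsigned long`. A bounds check built on it would then pass on exactly the overflow it is meant to catch. Either select the TI-mode typedef on 64-bit builds in this header too, or document the required width next to the typedef: `/* must be at least twice as wide as size_t */`.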
43792 diff -urNp linux-2.6.35.5/include/asm-generic/kmap_types.h linux-2.6.35.5/include/asm-generic/kmap_types.h
43793 --- linux-2.6.35.5/include/asm-generic/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
43794 +++ linux-2.6.35.5/include/asm-generic/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
43795 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
43797 KMAP_D(18) KM_NMI_PTE,
43799 +KMAP_D(20) KM_CLEARPAGE,
43801 * Remember to update debug_kmap_atomic() when adding new kmap types!
43803 -KMAP_D(20) KM_TYPE_NR
43804 +KMAP_D(21) KM_TYPE_NR
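Review bot: `KM_CLEARPAGE` is added directly above the comment that says to update `debug_kmap_atomic()` when adding new kmap types, and no such update is visible in this hunk. If that function classifies slots by calling context, the new type needs an entry there; otherwise the debug check either misses misuse of the slot or warns on valid use. The new enumerator should also say which context may use it, for example `KMAP_D(20) KM_CLEARPAGE, /* page clearing; <allowed context> */`.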
43808 diff -urNp linux-2.6.35.5/include/asm-generic/pgtable.h linux-2.6.35.5/include/asm-generic/pgtable.h
43809 --- linux-2.6.35.5/include/asm-generic/pgtable.h 2010-08-26 19:47:12.000000000 -0400
43810 +++ linux-2.6.35.5/include/asm-generic/pgtable.h 2010-09-17 20:12:09.000000000 -0400
43811 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
43812 unsigned long size);
43815 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
43816 +static inline unsigned long pax_open_kernel(void) { return 0; }
43819 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
43820 +static inline unsigned long pax_close_kernel(void) { return 0; }
43823 #endif /* !__ASSEMBLY__ */
43825 #endif /* _ASM_GENERIC_PGTABLE_H */
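Review bot: The generic `pax_open_kernel()` and `pax_close_kernel()` stubs return 0 and do nothing, and no comment describes the contract. A caller cannot tell from this header what the return value means, or that on an architecture without `__HAVE_ARCH_PAX_OPEN_KERNEL` the pair is presumably a no-op because there is no write protection to lift. I would add above the first stub: `/* No-op fallback for arches without kernel write protection; calls must be paired with pax_close_kernel(). */`.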
43826 diff -urNp linux-2.6.35.5/include/asm-generic/pgtable-nopmd.h linux-2.6.35.5/include/asm-generic/pgtable-nopmd.h
43827 --- linux-2.6.35.5/include/asm-generic/pgtable-nopmd.h 2010-08-26 19:47:12.000000000 -0400
43828 +++ linux-2.6.35.5/include/asm-generic/pgtable-nopmd.h 2010-09-17 20:12:09.000000000 -0400
43830 #ifndef _PGTABLE_NOPMD_H
43831 #define _PGTABLE_NOPMD_H
43833 -#ifndef __ASSEMBLY__
43835 #include <asm-generic/pgtable-nopud.h>
43839 #define __PAGETABLE_PMD_FOLDED
43841 +#define PMD_SHIFT PUD_SHIFT
43842 +#define PTRS_PER_PMD 1
43843 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
43844 +#define PMD_MASK (~(PMD_SIZE-1))
43846 +#ifndef __ASSEMBLY__
43851 * Having the pmd type consist of a pud gets the size right, and allows
43852 * us to conceptually access the pud entry that this pmd is folded into
43853 @@ -16,11 +21,6 @@ struct mm_struct;
43855 typedef struct { pud_t pud; } pmd_t;
43857 -#define PMD_SHIFT PUD_SHIFT
43858 -#define PTRS_PER_PMD 1
43859 -#define PMD_SIZE (1UL << PMD_SHIFT)
43860 -#define PMD_MASK (~(PMD_SIZE-1))
43863 * The "pud_xxx()" functions here are trivial for a folded two-level
43864 * setup: the pmd is never bad, and a pmd always exists (as it's folded
43865 diff -urNp linux-2.6.35.5/include/asm-generic/pgtable-nopud.h linux-2.6.35.5/include/asm-generic/pgtable-nopud.h
43866 --- linux-2.6.35.5/include/asm-generic/pgtable-nopud.h 2010-08-26 19:47:12.000000000 -0400
43867 +++ linux-2.6.35.5/include/asm-generic/pgtable-nopud.h 2010-09-17 20:12:09.000000000 -0400
43869 #ifndef _PGTABLE_NOPUD_H
43870 #define _PGTABLE_NOPUD_H
43872 -#ifndef __ASSEMBLY__
43874 #define __PAGETABLE_PUD_FOLDED
43876 +#define PUD_SHIFT PGDIR_SHIFT
43877 +#define PTRS_PER_PUD 1
43878 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
43879 +#define PUD_MASK (~(PUD_SIZE-1))
43881 +#ifndef __ASSEMBLY__
43884 * Having the pud type consist of a pgd gets the size right, and allows
43885 * us to conceptually access the pgd entry that this pud is folded into
43888 typedef struct { pgd_t pgd; } pud_t;
43890 -#define PUD_SHIFT PGDIR_SHIFT
43891 -#define PTRS_PER_PUD 1
43892 -#define PUD_SIZE (1UL << PUD_SHIFT)
43893 -#define PUD_MASK (~(PUD_SIZE-1))
43896 * The "pgd_xxx()" functions here are trivial for a folded two-level
43897 * setup: the pud is never bad, and a pud always exists (as it's folded
43898 diff -urNp linux-2.6.35.5/include/asm-generic/vmlinux.lds.h linux-2.6.35.5/include/asm-generic/vmlinux.lds.h
43899 --- linux-2.6.35.5/include/asm-generic/vmlinux.lds.h 2010-08-26 19:47:12.000000000 -0400
43900 +++ linux-2.6.35.5/include/asm-generic/vmlinux.lds.h 2010-09-17 20:12:09.000000000 -0400
43901 @@ -213,6 +213,7 @@
43902 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
43903 VMLINUX_SYMBOL(__start_rodata) = .; \
43904 *(.rodata) *(.rodata.*) \
43905 + *(.data..read_only) \
43906 *(__vermagic) /* Kernel version magic */ \
43907 *(__markers_strings) /* Markers: strings */ \
43908 *(__tracepoints_strings)/* Tracepoints: strings */ \
43909 @@ -670,22 +671,24 @@
43910 * section in the linker script will go there too. @phdr should have
43913 - * Note that this macros defines __per_cpu_load as an absolute symbol.
43914 + * Note that this macros defines per_cpu_load as an absolute symbol.
43915 * If there is no need to put the percpu section at a predetermined
43916 * address, use PERCPU().
43918 #define PERCPU_VADDR(vaddr, phdr) \
43919 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
43920 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
43921 + per_cpu_load = .; \
43922 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
43924 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
43925 VMLINUX_SYMBOL(__per_cpu_start) = .; \
43926 *(.data..percpu..first) \
43927 - *(.data..percpu..page_aligned) \
43929 + . = ALIGN(PAGE_SIZE); \
43930 + *(.data..percpu..page_aligned) \
43931 *(.data..percpu..shared_aligned) \
43932 VMLINUX_SYMBOL(__per_cpu_end) = .; \
43934 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
43935 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
43938 * PERCPU - define output section for percpu area, simple version
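Review bot: `per_cpu_load` is defined bare (`per_cpu_load = .;`) and used bare in `. + per_cpu_load`, but referenced as `VMLINUX_SYMBOL(per_cpu_load)` in the `AT(...)` expression and in the final location assignment. On a configuration where `VMLINUX_SYMBOL()` adds a prefix, the two spellings would name different symbols. Use one form throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;`. The updated comment also keeps the wording "this macros defines" and does not mention that `__per_cpu_load` is now derived inside the section as `. + per_cpu_load`, which is the part a reader needs explained.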
43939 diff -urNp linux-2.6.35.5/include/drm/drm_pciids.h linux-2.6.35.5/include/drm/drm_pciids.h
43940 --- linux-2.6.35.5/include/drm/drm_pciids.h 2010-08-26 19:47:12.000000000 -0400
43941 +++ linux-2.6.35.5/include/drm/drm_pciids.h 2010-09-17 20:12:09.000000000 -0400
43942 @@ -419,7 +419,7 @@
43943 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43944 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43945 {0x1002, 0x9715, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43947 + {0, 0, 0, 0, 0, 0}
43949 #define r128_PCI_IDS \
43950 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43951 @@ -459,14 +459,14 @@
43952 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43953 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43954 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43956 + {0, 0, 0, 0, 0, 0}
43958 #define mga_PCI_IDS \
43959 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
43960 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
43961 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
43962 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
43964 + {0, 0, 0, 0, 0, 0}
43966 #define mach64_PCI_IDS \
43967 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43968 @@ -489,7 +489,7 @@
43969 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43970 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43971 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43973 + {0, 0, 0, 0, 0, 0}
43975 #define sisdrv_PCI_IDS \
43976 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43977 @@ -500,7 +500,7 @@
43978 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43979 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
43980 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
43982 + {0, 0, 0, 0, 0, 0}
43984 #define tdfx_PCI_IDS \
43985 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43986 @@ -509,7 +509,7 @@
43987 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43988 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43989 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43991 + {0, 0, 0, 0, 0, 0}
43993 #define viadrv_PCI_IDS \
43994 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43995 @@ -521,14 +521,14 @@
43996 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43997 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
43998 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
44000 + {0, 0, 0, 0, 0, 0}
44002 #define i810_PCI_IDS \
44003 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44004 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44005 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44006 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44008 + {0, 0, 0, 0, 0, 0}
44010 #define i830_PCI_IDS \
44011 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44012 @@ -536,11 +536,11 @@
44013 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44014 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44015 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44017 + {0, 0, 0, 0, 0, 0}
44019 #define gamma_PCI_IDS \
44020 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44022 + {0, 0, 0, 0, 0, 0}
44024 #define savage_PCI_IDS \
44025 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
44026 @@ -566,10 +566,10 @@
44027 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
44028 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44029 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44031 + {0, 0, 0, 0, 0, 0}
44033 #define ffb_PCI_IDS \
44035 + {0, 0, 0, 0, 0, 0}
44037 #define i915_PCI_IDS \
44038 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44039 @@ -603,4 +603,4 @@
44040 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44041 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44042 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44044 + {0, 0, 0, 0, 0, 0}
44045 diff -urNp linux-2.6.35.5/include/drm/drmP.h linux-2.6.35.5/include/drm/drmP.h
44046 --- linux-2.6.35.5/include/drm/drmP.h 2010-08-26 19:47:12.000000000 -0400
44047 +++ linux-2.6.35.5/include/drm/drmP.h 2010-09-17 20:12:09.000000000 -0400
44048 @@ -808,7 +808,7 @@ struct drm_driver {
44049 void (*vgaarb_irq)(struct drm_device *dev, bool state);
44051 /* Driver private ops for this object */
44052 - struct vm_operations_struct *gem_vm_ops;
44053 + const struct vm_operations_struct *gem_vm_ops;
44057 @@ -917,7 +917,7 @@ struct drm_device {
44059 /** \name Usage Counters */
44061 - int open_count; /**< Outstanding files open */
44062 + atomic_t open_count; /**< Outstanding files open */
44063 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
44064 atomic_t vma_count; /**< Outstanding vma areas open */
44065 int buf_use; /**< Buffers in use -- cannot alloc */
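Review bot: Changing `open_count` from `int` to `atomic_t` makes each access atomic but not the decisions built on it. The open and release paths are outside this hunk; if they test the count and then act on it (first open initialises, last close tears down), they need `atomic_inc_return()` / `atomic_dec_and_test()` rather than a separate `atomic_read()`. Otherwise the lock that protected the old `int` must be documented as still required. A field comment would record this: `/**< Outstanding files open; update only via atomic_inc_return()/atomic_dec_and_test() */`.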
44066 @@ -928,7 +928,7 @@ struct drm_device {
44068 unsigned long counters;
44069 enum drm_stat_type types[15];
44070 - atomic_t counts[15];
44071 + atomic_unchecked_t counts[15];
44074 struct list_head filelist;
44075 diff -urNp linux-2.6.35.5/include/linux/a.out.h linux-2.6.35.5/include/linux/a.out.h
44076 --- linux-2.6.35.5/include/linux/a.out.h 2010-08-26 19:47:12.000000000 -0400
44077 +++ linux-2.6.35.5/include/linux/a.out.h 2010-09-17 20:12:09.000000000 -0400
44078 @@ -39,6 +39,14 @@ enum machine_type {
44079 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
44082 +/* Constants for the N_FLAGS field */
44083 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
44084 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
44085 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
44086 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
44087 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
44088 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
44090 #if !defined (N_MAGIC)
44091 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
44093 diff -urNp linux-2.6.35.5/include/linux/atmdev.h linux-2.6.35.5/include/linux/atmdev.h
44094 --- linux-2.6.35.5/include/linux/atmdev.h 2010-08-26 19:47:12.000000000 -0400
44095 +++ linux-2.6.35.5/include/linux/atmdev.h 2010-09-17 20:12:09.000000000 -0400
44096 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
44099 struct k_atm_aal_stats {
44100 -#define __HANDLE_ITEM(i) atomic_t i
44101 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
44103 #undef __HANDLE_ITEM
44105 diff -urNp linux-2.6.35.5/include/linux/binfmts.h linux-2.6.35.5/include/linux/binfmts.h
44106 --- linux-2.6.35.5/include/linux/binfmts.h 2010-08-26 19:47:12.000000000 -0400
44107 +++ linux-2.6.35.5/include/linux/binfmts.h 2010-09-17 20:12:09.000000000 -0400
44108 @@ -87,6 +87,7 @@ struct linux_binfmt {
44109 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
44110 int (*load_shlib)(struct file *);
44111 int (*core_dump)(struct coredump_params *cprm);
44112 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
44113 unsigned long min_coredump; /* minimal dump size */
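Review bot: `handle_mprotect` is a new member of `struct linux_binfmt` with no comment, and any binary format that does not set it leaves the pointer NULL. The call site is not in this hunk, but it has to test the pointer before calling. The member should state that and what the hook is allowed to do: `/* optional, may be NULL: lets the format react to an mprotect() flag change on vma */`. That wording is inferred from the name and signature and should be checked against the caller.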
44116 diff -urNp linux-2.6.35.5/include/linux/blkdev.h linux-2.6.35.5/include/linux/blkdev.h
44117 --- linux-2.6.35.5/include/linux/blkdev.h 2010-08-26 19:47:12.000000000 -0400
44118 +++ linux-2.6.35.5/include/linux/blkdev.h 2010-09-17 20:12:09.000000000 -0400
44119 @@ -1331,20 +1331,20 @@ static inline int blk_integrity_rq(struc
44120 #endif /* CONFIG_BLK_DEV_INTEGRITY */
44122 struct block_device_operations {
44123 - int (*open) (struct block_device *, fmode_t);
44124 - int (*release) (struct gendisk *, fmode_t);
44125 - int (*locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44126 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44127 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44128 - int (*direct_access) (struct block_device *, sector_t,
44129 + int (* const open) (struct block_device *, fmode_t);
44130 + int (* const release) (struct gendisk *, fmode_t);
44131 + int (* const locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44132 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44133 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44134 + int (* const direct_access) (struct block_device *, sector_t,
44135 void **, unsigned long *);
44136 - int (*media_changed) (struct gendisk *);
44137 - void (*unlock_native_capacity) (struct gendisk *);
44138 - int (*revalidate_disk) (struct gendisk *);
44139 - int (*getgeo)(struct block_device *, struct hd_geometry *);
44140 + int (* const media_changed) (struct gendisk *);
44141 + void (* const unlock_native_capacity) (struct gendisk *);
44142 + int (* const revalidate_disk) (struct gendisk *);
44143 + int (*const getgeo)(struct block_device *, struct hd_geometry *);
44144 /* this callback is with swap_lock and sometimes page table lock held */
44145 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
44146 - struct module *owner;
44147 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
44148 + struct module * const owner;
44151 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
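Review bot: The const-qualified members are spelled three ways in this hunk: `(* const open)`, `(*const getgeo)` and `struct module * const owner`. Pick one spacing, e.g. `int (* const getgeo)(struct block_device *, struct hd_geometry *);`. Since every member is now `const`, an instance can only be filled by an initializer and never assigned afterwards. A one-line comment above `struct block_device_operations` saying that instances must be statically initialised would explain the compile error a driver gets when it patches a callback at runtime.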
44152 diff -urNp linux-2.6.35.5/include/linux/cache.h linux-2.6.35.5/include/linux/cache.h
44153 --- linux-2.6.35.5/include/linux/cache.h 2010-08-26 19:47:12.000000000 -0400
44154 +++ linux-2.6.35.5/include/linux/cache.h 2010-09-17 20:12:09.000000000 -0400
44156 #define __read_mostly
44159 +#ifndef __read_only
44160 +#define __read_only __read_mostly
44163 #ifndef ____cacheline_aligned
44164 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
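Review bot: The fallback `#define __read_only __read_mostly` means that on any architecture which does not define `__read_only` itself, data carrying the annotation stays ordinary writable data. That is a reasonable default, but nothing here says so, and a reader will assume the annotation is enforced everywhere. Add a comment above the `#ifndef`: `/* Fallback: no write protection on this arch; __read_only is only a placement hint here. */`.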
44166 diff -urNp linux-2.6.35.5/include/linux/capability.h linux-2.6.35.5/include/linux/capability.h
44167 --- linux-2.6.35.5/include/linux/capability.h 2010-08-26 19:47:12.000000000 -0400
44168 +++ linux-2.6.35.5/include/linux/capability.h 2010-09-17 20:12:37.000000000 -0400
44169 @@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
44170 (security_real_capable_noaudit((t), (cap)) == 0)
44172 extern int capable(int cap);
44173 +int capable_nolog(int cap);
44175 /* audit system wants to get cap info from files as well */
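Review bot: `capable_nolog()` is declared without `extern`, unlike `extern int capable(int cap);` on the line above, and has no comment. Going by the name it is a capability check that skips the log entry, and a helper like that tends to get reused where an audit record is wanted. The declaration should state when it is appropriate, e.g. `extern int capable_nolog(int cap); /* as capable(), without logging; for checks whose failure is expected */`. That wording assumes the behaviour the name implies; the definition is not in this hunk.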
44177 diff -urNp linux-2.6.35.5/include/linux/compiler-gcc4.h linux-2.6.35.5/include/linux/compiler-gcc4.h
44178 --- linux-2.6.35.5/include/linux/compiler-gcc4.h 2010-08-26 19:47:12.000000000 -0400
44179 +++ linux-2.6.35.5/include/linux/compiler-gcc4.h 2010-09-17 20:12:09.000000000 -0400
44184 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
44185 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
44186 +#define __bos0(ptr) __bos((ptr), 0)
44187 +#define __bos1(ptr) __bos((ptr), 1)
44190 #if __GNUC_MINOR__ > 0
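Review bot: `__alloc_size` expands to `__attribute((alloc_size(...)))`, and GCC only understands the `alloc_size` attribute from 4.3 onward. The lines around these defines are not fully visible, but the `#if __GNUC_MINOR__ > 0` that follows suggests they sit outside any minor-version guard. If so, a gcc 4.0–4.2 build would warn on every annotated allocator. Wrap the define in `#if __GNUC_MINOR__ >= 3` and let the empty `__alloc_size` fallback in compiler.h cover older compilers. The `__attribute__` spelling used by the other attribute macros in these headers is also preferable to `__attribute`.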
44191 diff -urNp linux-2.6.35.5/include/linux/compiler.h linux-2.6.35.5/include/linux/compiler.h
44192 --- linux-2.6.35.5/include/linux/compiler.h 2010-08-26 19:47:12.000000000 -0400
44193 +++ linux-2.6.35.5/include/linux/compiler.h 2010-09-17 20:12:09.000000000 -0400
44194 @@ -267,6 +267,22 @@ void ftrace_likely_update(struct ftrace_
44198 +#ifndef __alloc_size
44199 +#define __alloc_size
44214 /* Simple shorthand for a section definition */
44216 # define __section(S) __attribute__ ((__section__(#S)))
44217 diff -urNp linux-2.6.35.5/include/linux/decompress/mm.h linux-2.6.35.5/include/linux/decompress/mm.h
44218 --- linux-2.6.35.5/include/linux/decompress/mm.h 2010-08-26 19:47:12.000000000 -0400
44219 +++ linux-2.6.35.5/include/linux/decompress/mm.h 2010-09-17 20:12:09.000000000 -0400
44220 @@ -78,7 +78,7 @@ static void free(void *where)
44221 * warnings when not needed (indeed large_malloc / large_free are not
44222 * needed by inflate */
44224 -#define malloc(a) kmalloc(a, GFP_KERNEL)
44225 +#define malloc(a) kmalloc((a), GFP_KERNEL)
44226 #define free(a) kfree(a)
44228 #define large_malloc(a) vmalloc(a)
44229 diff -urNp linux-2.6.35.5/include/linux/dma-mapping.h linux-2.6.35.5/include/linux/dma-mapping.h
44230 --- linux-2.6.35.5/include/linux/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
44231 +++ linux-2.6.35.5/include/linux/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
44232 @@ -16,40 +16,40 @@ enum dma_data_direction {
44235 struct dma_map_ops {
44236 - void* (*alloc_coherent)(struct device *dev, size_t size,
44237 + void* (* const alloc_coherent)(struct device *dev, size_t size,
44238 dma_addr_t *dma_handle, gfp_t gfp);
44239 - void (*free_coherent)(struct device *dev, size_t size,
44240 + void (* const free_coherent)(struct device *dev, size_t size,
44241 void *vaddr, dma_addr_t dma_handle);
44242 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
44243 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
44244 unsigned long offset, size_t size,
44245 enum dma_data_direction dir,
44246 struct dma_attrs *attrs);
44247 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
44248 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
44249 size_t size, enum dma_data_direction dir,
44250 struct dma_attrs *attrs);
44251 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
44252 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
44253 int nents, enum dma_data_direction dir,
44254 struct dma_attrs *attrs);
44255 - void (*unmap_sg)(struct device *dev,
44256 + void (* const unmap_sg)(struct device *dev,
44257 struct scatterlist *sg, int nents,
44258 enum dma_data_direction dir,
44259 struct dma_attrs *attrs);
44260 - void (*sync_single_for_cpu)(struct device *dev,
44261 + void (* const sync_single_for_cpu)(struct device *dev,
44262 dma_addr_t dma_handle, size_t size,
44263 enum dma_data_direction dir);
44264 - void (*sync_single_for_device)(struct device *dev,
44265 + void (* const sync_single_for_device)(struct device *dev,
44266 dma_addr_t dma_handle, size_t size,
44267 enum dma_data_direction dir);
44268 - void (*sync_sg_for_cpu)(struct device *dev,
44269 + void (* const sync_sg_for_cpu)(struct device *dev,
44270 struct scatterlist *sg, int nents,
44271 enum dma_data_direction dir);
44272 - void (*sync_sg_for_device)(struct device *dev,
44273 + void (* const sync_sg_for_device)(struct device *dev,
44274 struct scatterlist *sg, int nents,
44275 enum dma_data_direction dir);
44276 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
44277 - int (*dma_supported)(struct device *dev, u64 mask);
44278 - int (*set_dma_mask)(struct device *dev, u64 mask);
44280 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
44281 + int (* const dma_supported)(struct device *dev, u64 mask);
44282 + int (* set_dma_mask)(struct device *dev, u64 mask);
44283 + const int is_phys;
44286 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
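Review bot: `set_dma_mask` is the only callback in `struct dma_map_ops` left without `const` (`int (* set_dma_mask)(struct device *dev, u64 mask);`), and nothing in the hunk says why. If some platform code assigns it at run time, as the exception suggests, record that next to the member, e.g. `/* not const: assigned at run time by <platform code> */`. A single writable pointer is the one member a memory-corruption bug could still redirect, and any instance that needs the assignment cannot be placed in read-only data. If no such assignment exists, declare it `int (* const set_dma_mask)(struct device *dev, u64 mask);` like the others.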
44287 diff -urNp linux-2.6.35.5/include/linux/elf.h linux-2.6.35.5/include/linux/elf.h
44288 --- linux-2.6.35.5/include/linux/elf.h 2010-08-26 19:47:12.000000000 -0400
44289 +++ linux-2.6.35.5/include/linux/elf.h 2010-09-17 20:12:09.000000000 -0400
44290 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
44291 #define PT_GNU_EH_FRAME 0x6474e550
44293 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
44294 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
44296 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
44298 +/* Constants for the e_flags field */
44299 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
44300 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
44301 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
44302 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
44303 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
44304 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
44307 * Extended Numbering
44308 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
44309 #define DT_DEBUG 21
44310 #define DT_TEXTREL 22
44311 #define DT_JMPREL 23
44312 +#define DT_FLAGS 30
44313 + #define DF_TEXTREL 0x00000004
44314 #define DT_ENCODING 32
44315 #define OLD_DT_LOOS 0x60000000
44316 #define DT_LOOS 0x6000000d
44317 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
44321 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
44322 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
44323 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
44324 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
44325 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
44326 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
44327 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
44328 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
44329 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
44330 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
44331 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
44332 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
44334 typedef struct elf32_phdr{
44336 Elf32_Off p_offset;
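Review bot: The new `PF_*` flags come in enable/disable pairs (`PF_PAGEEXEC`/`PF_NOPAGEEXEC`, `PF_MPROTECT`/`PF_NOMPROTECT`, and so on), but nothing here says what a consumer must do when both bits of a pair are set, or neither. These bits are read from the `p_flags` of a file on disk, so that precedence is a security decision and belongs beside the definitions. A one-line comment such as `/* per pair: exactly one bit set is an explicit choice; both or neither falls back to <documented default> */` would do, with the wording matched to what the ELF loader actually does, which is outside this hunk. The two commented-out `PF_RANDEXEC` lines would be clearer as `/* bits 10 and 11 reserved (former RANDEXEC), do not reuse */`.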
44337 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
44343 #define ELFMAG0 0x7f /* EI_MAG */
44344 #define ELFMAG1 'E'
44345 #define ELFMAG2 'L'
44346 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
44347 #define elf_note elf32_note
44348 #define elf_addr_t Elf32_Off
44349 #define Elf_Half Elf32_Half
44350 +#define elf_dyn Elf32_Dyn
44354 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
44355 #define elf_note elf64_note
44356 #define elf_addr_t Elf64_Off
44357 #define Elf_Half Elf64_Half
44358 +#define elf_dyn Elf64_Dyn
44362 diff -urNp linux-2.6.35.5/include/linux/fs.h linux-2.6.35.5/include/linux/fs.h
44363 --- linux-2.6.35.5/include/linux/fs.h 2010-09-20 17:33:09.000000000 -0400
44364 +++ linux-2.6.35.5/include/linux/fs.h 2010-09-20 17:33:35.000000000 -0400
44365 @@ -90,6 +90,11 @@ struct inodes_stat_t {
44366 /* Expect random access pattern */
44367 #define FMODE_RANDOM ((__force fmode_t)0x1000)
44369 +/* Hack for grsec so as not to require read permission simply to execute
44372 +#define FMODE_GREXEC ((__force fmode_t)0x2000)
44375 * The below are the various read and write types that we support. Some of
44376 * them include behavioral modifiers that send information down to the
44377 @@ -572,41 +577,41 @@ typedef int (*read_actor_t)(read_descrip
44378 unsigned long, unsigned long);
44380 struct address_space_operations {
44381 - int (*writepage)(struct page *page, struct writeback_control *wbc);
44382 - int (*readpage)(struct file *, struct page *);
44383 - void (*sync_page)(struct page *);
44384 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
44385 + int (* const readpage)(struct file *, struct page *);
44386 + void (* const sync_page)(struct page *);
44388 /* Write back some dirty pages from this mapping. */
44389 - int (*writepages)(struct address_space *, struct writeback_control *);
44390 + int (* const writepages)(struct address_space *, struct writeback_control *);
44392 /* Set a page dirty. Return true if this dirtied it */
44393 - int (*set_page_dirty)(struct page *page);
44394 + int (* const set_page_dirty)(struct page *page);
44396 - int (*readpages)(struct file *filp, struct address_space *mapping,
44397 + int (* const readpages)(struct file *filp, struct address_space *mapping,
44398 struct list_head *pages, unsigned nr_pages);
44400 - int (*write_begin)(struct file *, struct address_space *mapping,
44401 + int (* const write_begin)(struct file *, struct address_space *mapping,
44402 loff_t pos, unsigned len, unsigned flags,
44403 struct page **pagep, void **fsdata);
44404 - int (*write_end)(struct file *, struct address_space *mapping,
44405 + int (* const write_end)(struct file *, struct address_space *mapping,
44406 loff_t pos, unsigned len, unsigned copied,
44407 struct page *page, void *fsdata);
44409 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
44410 - sector_t (*bmap)(struct address_space *, sector_t);
44411 - void (*invalidatepage) (struct page *, unsigned long);
44412 - int (*releasepage) (struct page *, gfp_t);
44413 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
44414 + sector_t (* const bmap)(struct address_space *, sector_t);
44415 + void (* const invalidatepage) (struct page *, unsigned long);
44416 + int (* const releasepage) (struct page *, gfp_t);
44417 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
44418 loff_t offset, unsigned long nr_segs);
44419 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
44420 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
44421 void **, unsigned long *);
44422 /* migrate the contents of a page to the specified target */
44423 - int (*migratepage) (struct address_space *,
44424 + int (* const migratepage) (struct address_space *,
44425 struct page *, struct page *);
44426 - int (*launder_page) (struct page *);
44427 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
44428 + int (* const launder_page) (struct page *);
44429 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
44431 - int (*error_remove_page)(struct address_space *, struct page *);
44432 + int (* const error_remove_page)(struct address_space *, struct page *);
44436 @@ -1036,19 +1041,19 @@ static inline int file_check_writeable(s
44437 typedef struct files_struct *fl_owner_t;
44439 struct file_lock_operations {
44440 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
44441 - void (*fl_release_private)(struct file_lock *);
44442 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
44443 + void (* const fl_release_private)(struct file_lock *);
44446 struct lock_manager_operations {
44447 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
44448 - void (*fl_notify)(struct file_lock *); /* unblock callback */
44449 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
44450 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
44451 - void (*fl_release_private)(struct file_lock *);
44452 - void (*fl_break)(struct file_lock *);
44453 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
44454 - int (*fl_change)(struct file_lock **, int);
44455 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
44456 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
44457 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
44458 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
44459 + void (* const fl_release_private)(struct file_lock *);
44460 + void (* const fl_break)(struct file_lock *);
44461 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
44462 + int (* const fl_change)(struct file_lock **, int);
44465 struct lock_manager {
44466 @@ -1441,7 +1446,7 @@ struct fiemap_extent_info {
44467 unsigned int fi_flags; /* Flags as passed from user */
44468 unsigned int fi_extents_mapped; /* Number of mapped extents */
44469 unsigned int fi_extents_max; /* Size of fiemap_extent array */
44470 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
44471 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
44474 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
44475 diff -urNp linux-2.6.35.5/include/linux/fs_struct.h linux-2.6.35.5/include/linux/fs_struct.h
44476 --- linux-2.6.35.5/include/linux/fs_struct.h 2010-08-26 19:47:12.000000000 -0400
44477 +++ linux-2.6.35.5/include/linux/fs_struct.h 2010-09-17 20:12:09.000000000 -0400
44479 #include <linux/path.h>
44487 diff -urNp linux-2.6.35.5/include/linux/genhd.h linux-2.6.35.5/include/linux/genhd.h
44488 --- linux-2.6.35.5/include/linux/genhd.h 2010-08-26 19:47:12.000000000 -0400
44489 +++ linux-2.6.35.5/include/linux/genhd.h 2010-09-17 20:12:09.000000000 -0400
44490 @@ -162,7 +162,7 @@ struct gendisk {
44492 struct timer_rand_state *random;
44494 - atomic_t sync_io; /* RAID */
44495 + atomic_unchecked_t sync_io; /* RAID */
44496 struct work_struct async_notify;
44497 #ifdef CONFIG_BLK_DEV_INTEGRITY
44498 struct blk_integrity *integrity;
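Review bot: Changing `sync_io` to `atomic_unchecked_t` presumably exempts this counter from the overflow checking the patch applies to plain `atomic_t`, yet the field's only comment is still `/* RAID */`. Each such opt-out should state why wrap-around is harmless, so a later reader can tell a deliberate exemption from a convenience one. For example `atomic_unchecked_t sync_io; /* RAID; I/O statistic, not a reference count, wrap is harmless */`, assuming that matches how the field is used (its users are outside this hunk).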
44499 diff -urNp linux-2.6.35.5/include/linux/gracl.h linux-2.6.35.5/include/linux/gracl.h
44500 --- linux-2.6.35.5/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
44501 +++ linux-2.6.35.5/include/linux/gracl.h 2010-09-17 20:12:37.000000000 -0400
44506 +#include <linux/grdefs.h>
44507 +#include <linux/resource.h>
44508 +#include <linux/capability.h>
44509 +#include <linux/dcache.h>
44510 +#include <asm/resource.h>
44512 +/* Major status information */
44514 +#define GR_VERSION "grsecurity 2.2.0"
44515 +#define GRSECURITY_VERSION 0x2200
44526 + GR_SPROLEPAM = 8,
44529 +/* Password setup definitions
44530 + * kernel/grhash.c */
44533 + GR_SALT_LEN = 16,
44538 + GR_SPROLE_LEN = 64,
44541 +#define GR_NLIMITS 32
44543 +/* Begin Data Structures */
44545 +struct sprole_pw {
44546 + unsigned char *rolename;
44547 + unsigned char salt[GR_SALT_LEN];
44548 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
44551 +struct name_entry {
44558 + struct name_entry *prev;
44559 + struct name_entry *next;
44562 +struct inodev_entry {
44563 + struct name_entry *nentry;
44564 + struct inodev_entry *prev;
44565 + struct inodev_entry *next;
44568 +struct acl_role_db {
44569 + struct acl_role_label **r_hash;
44573 +struct inodev_db {
44574 + struct inodev_entry **i_hash;
44579 + struct name_entry **n_hash;
44583 +struct crash_uid {
44585 + unsigned long expires;
44588 +struct gr_hash_struct {
44590 + void **nametable;
44592 + __u32 table_size;
44597 +/* Userspace Grsecurity ACL data structures */
44599 +struct acl_subject_label {
44604 + kernel_cap_t cap_mask;
44605 + kernel_cap_t cap_lower;
44606 + kernel_cap_t cap_invert_audit;
44608 + struct rlimit res[GR_NLIMITS];
44611 + __u8 user_trans_type;
44612 + __u8 group_trans_type;
44613 + uid_t *user_transitions;
44614 + gid_t *group_transitions;
44615 + __u16 user_trans_num;
44616 + __u16 group_trans_num;
44618 + __u32 ip_proto[8];
44620 + struct acl_ip_label **ips;
44622 + __u32 inaddr_any_override;
44625 + unsigned long expires;
44627 + struct acl_subject_label *parent_subject;
44628 + struct gr_hash_struct *hash;
44629 + struct acl_subject_label *prev;
44630 + struct acl_subject_label *next;
44632 + struct acl_object_label **obj_hash;
44633 + __u32 obj_hash_size;
44637 +struct role_allowed_ip {
44641 + struct role_allowed_ip *prev;
44642 + struct role_allowed_ip *next;
44645 +struct role_transition {
44648 + struct role_transition *prev;
44649 + struct role_transition *next;
44652 +struct acl_role_label {
44657 + __u16 auth_attempts;
44658 + unsigned long expires;
44660 + struct acl_subject_label *root_label;
44661 + struct gr_hash_struct *hash;
44663 + struct acl_role_label *prev;
44664 + struct acl_role_label *next;
44666 + struct role_transition *transitions;
44667 + struct role_allowed_ip *allowed_ips;
44668 + uid_t *domain_children;
44669 + __u16 domain_child_num;
44671 + struct acl_subject_label **subj_hash;
44672 + __u32 subj_hash_size;
44675 +struct user_acl_role_db {
44676 + struct acl_role_label **r_table;
44677 + __u32 num_pointers; /* Number of allocations to track */
44678 + __u32 num_roles; /* Number of roles */
44679 + __u32 num_domain_children; /* Number of domain children */
44680 + __u32 num_subjects; /* Number of subjects */
44681 + __u32 num_objects; /* Number of objects */
44684 +struct acl_object_label {
44690 + struct acl_subject_label *nested;
44691 + struct acl_object_label *globbed;
44693 + /* next two structures not used */
44695 + struct acl_object_label *prev;
44696 + struct acl_object_label *next;
44699 +struct acl_ip_label {
44708 + /* next two structures not used */
44710 + struct acl_ip_label *prev;
44711 + struct acl_ip_label *next;
44715 + struct user_acl_role_db role_db;
44716 + unsigned char pw[GR_PW_LEN];
44717 + unsigned char salt[GR_SALT_LEN];
44718 + unsigned char sum[GR_SHA_LEN];
44719 + unsigned char sp_role[GR_SPROLE_LEN];
44720 + struct sprole_pw *sprole_pws;
44721 + dev_t segv_device;
44722 + ino_t segv_inode;
44724 + __u16 num_sprole_pws;
44728 +struct gr_arg_wrapper {
44729 + struct gr_arg *arg;
44734 +struct subject_map {
44735 + struct acl_subject_label *user;
44736 + struct acl_subject_label *kernel;
44737 + struct subject_map *prev;
44738 + struct subject_map *next;
44741 +struct acl_subj_map_db {
44742 + struct subject_map **s_hash;
44746 +/* End Data Structures Section */
44748 +/* Hash functions generated by empirical testing by Brad Spengler
44749 + Makes good use of the low bits of the inode. Generally 0-1 times
44750 + in loop for successful match. 0-3 for unsuccessful match.
44751 + Shift/add algorithm with modulus of table size and an XOR*/
44753 +static __inline__ unsigned int
44754 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
44756 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
44759 + static __inline__ unsigned int
44760 +shash(const struct acl_subject_label *userp, const unsigned int sz)
44762 + return ((const unsigned long)userp % sz);
44765 +static __inline__ unsigned int
44766 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
44768 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
44771 +static __inline__ unsigned int
44772 +nhash(const char *name, const __u16 len, const unsigned int sz)
44774 + return full_name_hash((const unsigned char *)name, len) % sz;
44777 +#define FOR_EACH_ROLE_START(role) \
44778 + role = role_list; \
44781 +#define FOR_EACH_ROLE_END(role) \
44782 + role = role->prev; \
44785 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
44788 + while (iter < role->subj_hash_size) { \
44789 + if (subj == NULL) \
44790 + subj = role->subj_hash[iter]; \
44791 + if (subj == NULL) { \
44796 +#define FOR_EACH_SUBJECT_END(subj,iter) \
44797 + subj = subj->next; \
44798 + if (subj == NULL) \
44803 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
44804 + subj = role->hash->first; \
44805 + while (subj != NULL) {
44807 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
44808 + subj = subj->next; \
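Review bot: `rhash()` shifts by `16 + type`, which is undefined behaviour on a 32-bit operand once `type` reaches 16, and the role-type flags defined in grdefs.h run up to `GR_ROLE_PAM = 0x0400`. If callers only ever pass `GR_ROLE_USER` or `GR_ROLE_GROUP` the shift stays at 17 or 18, but that precondition is not written down. Either document it above the function or enforce it with `const __u16 t = type & (GR_ROLE_USER | GR_ROLE_GROUP);` and shift by `16 + t`. All four helpers (`rhash`, `shash`, `fhash`, `nhash`) also end in `% sz`, so a zero table size is a divide-by-zero in kernel context; the code that sizes the tables is outside this hunk and should guarantee `sz != 0`.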
44813 diff -urNp linux-2.6.35.5/include/linux/gralloc.h linux-2.6.35.5/include/linux/gralloc.h
44814 --- linux-2.6.35.5/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
44815 +++ linux-2.6.35.5/include/linux/gralloc.h 2010-09-17 20:12:37.000000000 -0400
44817 +#ifndef __GRALLOC_H
44818 +#define __GRALLOC_H
44820 +void acl_free_all(void);
44821 +int acl_alloc_stack_init(unsigned long size);
44822 +void *acl_alloc(unsigned long len);
44823 +void *acl_alloc_num(unsigned long num, unsigned long len);
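Review bot: `acl_alloc_num(unsigned long num, unsigned long len)` has no comment saying whether an overflowing `num * len` is rejected, and none of these prototypes state what is returned on failure. gracl.h labels the counts in `struct user_acl_role_db` as userspace ACL data, so the contract should be recorded here, e.g. `/* returns NULL if num * len overflows or the pool is exhausted; callers must check */`. The implementation is not part of this hunk, so the comment needs to be confirmed against it before it is added.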
44826 diff -urNp linux-2.6.35.5/include/linux/grdefs.h linux-2.6.35.5/include/linux/grdefs.h
44827 --- linux-2.6.35.5/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
44828 +++ linux-2.6.35.5/include/linux/grdefs.h 2010-09-17 20:12:37.000000000 -0400
44833 +/* Begin grsecurity status declarations */
44837 + GR_STATUS_INIT = 0x00 // disabled state
44840 +/* Begin ACL declarations */
44845 + GR_ROLE_USER = 0x0001,
44846 + GR_ROLE_GROUP = 0x0002,
44847 + GR_ROLE_DEFAULT = 0x0004,
44848 + GR_ROLE_SPECIAL = 0x0008,
44849 + GR_ROLE_AUTH = 0x0010,
44850 + GR_ROLE_NOPW = 0x0020,
44851 + GR_ROLE_GOD = 0x0040,
44852 + GR_ROLE_LEARN = 0x0080,
44853 + GR_ROLE_TPE = 0x0100,
44854 + GR_ROLE_DOMAIN = 0x0200,
44855 + GR_ROLE_PAM = 0x0400
44858 +/* ACL Subject and Object mode flags */
44860 + GR_DELETED = 0x80000000
44863 +/* ACL Object-only mode flags */
44865 + GR_READ = 0x00000001,
44866 + GR_APPEND = 0x00000002,
44867 + GR_WRITE = 0x00000004,
44868 + GR_EXEC = 0x00000008,
44869 + GR_FIND = 0x00000010,
44870 + GR_INHERIT = 0x00000020,
44871 + GR_SETID = 0x00000040,
44872 + GR_CREATE = 0x00000080,
44873 + GR_DELETE = 0x00000100,
44874 + GR_LINK = 0x00000200,
44875 + GR_AUDIT_READ = 0x00000400,
44876 + GR_AUDIT_APPEND = 0x00000800,
44877 + GR_AUDIT_WRITE = 0x00001000,
44878 + GR_AUDIT_EXEC = 0x00002000,
44879 + GR_AUDIT_FIND = 0x00004000,
44880 + GR_AUDIT_INHERIT= 0x00008000,
44881 + GR_AUDIT_SETID = 0x00010000,
44882 + GR_AUDIT_CREATE = 0x00020000,
44883 + GR_AUDIT_DELETE = 0x00040000,
44884 + GR_AUDIT_LINK = 0x00080000,
44885 + GR_PTRACERD = 0x00100000,
44886 + GR_NOPTRACE = 0x00200000,
44887 + GR_SUPPRESS = 0x00400000,
44888 + GR_NOLEARN = 0x00800000
44891 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
44892 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
44893 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
44895 +/* ACL subject-only mode flags */
44897 + GR_KILL = 0x00000001,
44898 + GR_VIEW = 0x00000002,
44899 + GR_PROTECTED = 0x00000004,
44900 + GR_LEARN = 0x00000008,
44901 + GR_OVERRIDE = 0x00000010,
44902 + /* just a placeholder, this mode is only used in userspace */
44903 + GR_DUMMY = 0x00000020,
44904 + GR_PROTSHM = 0x00000040,
44905 + GR_KILLPROC = 0x00000080,
44906 + GR_KILLIPPROC = 0x00000100,
44907 + /* just a placeholder, this mode is only used in userspace */
44908 + GR_NOTROJAN = 0x00000200,
44909 + GR_PROTPROCFD = 0x00000400,
44910 + GR_PROCACCT = 0x00000800,
44911 + GR_RELAXPTRACE = 0x00001000,
44912 + GR_NESTED = 0x00002000,
44913 + GR_INHERITLEARN = 0x00004000,
44914 + GR_PROCFIND = 0x00008000,
44915 + GR_POVERRIDE = 0x00010000,
44916 + GR_KERNELAUTH = 0x00020000,
44920 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
44921 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
44922 + GR_PAX_ENABLE_MPROTECT = 0x0004,
44923 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
44924 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
44925 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
44926 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
44927 + GR_PAX_DISABLE_MPROTECT = 0x0400,
44928 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
44929 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
44933 + GR_ID_USER = 0x01,
44934 + GR_ID_GROUP = 0x02,
44938 + GR_ID_ALLOW = 0x01,
44939 + GR_ID_DENY = 0x02,
44942 +#define GR_CRASH_RES 31
44943 +#define GR_UIDTABLE_MAX 500
44945 +/* begin resource learning section */
44947 + GR_RLIM_CPU_BUMP = 60,
44948 + GR_RLIM_FSIZE_BUMP = 50000,
44949 + GR_RLIM_DATA_BUMP = 10000,
44950 + GR_RLIM_STACK_BUMP = 1000,
44951 + GR_RLIM_CORE_BUMP = 10000,
44952 + GR_RLIM_RSS_BUMP = 500000,
44953 + GR_RLIM_NPROC_BUMP = 1,
44954 + GR_RLIM_NOFILE_BUMP = 5,
44955 + GR_RLIM_MEMLOCK_BUMP = 50000,
44956 + GR_RLIM_AS_BUMP = 500000,
44957 + GR_RLIM_LOCKS_BUMP = 2,
44958 + GR_RLIM_SIGPENDING_BUMP = 5,
44959 + GR_RLIM_MSGQUEUE_BUMP = 10000,
44960 + GR_RLIM_NICE_BUMP = 1,
44961 + GR_RLIM_RTPRIO_BUMP = 1,
44962 + GR_RLIM_RTTIME_BUMP = 1000000
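Review bot: `GR_DELETED = 0x80000000` is an enumerator whose value does not fit in `int`, which ISO C requires of enumeration constants; GCC accepts it as an extension and the enum's underlying type changes as a result. Since the value is presumably tested against `__u32` mode words, a macro is the more predictable spelling: `#define GR_DELETED 0x80000000U`. Separately, `GR_STATUS_INIT = 0x00 // disabled state` uses a `//` comment where the rest of the file uses `/* */`.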
44966 diff -urNp linux-2.6.35.5/include/linux/grinternal.h linux-2.6.35.5/include/linux/grinternal.h
44967 --- linux-2.6.35.5/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
44968 +++ linux-2.6.35.5/include/linux/grinternal.h 2010-09-17 20:12:37.000000000 -0400
44970 +#ifndef __GRINTERNAL_H
44971 +#define __GRINTERNAL_H
44973 +#ifdef CONFIG_GRKERNSEC
44975 +#include <linux/fs.h>
44976 +#include <linux/mnt_namespace.h>
44977 +#include <linux/nsproxy.h>
44978 +#include <linux/gracl.h>
44979 +#include <linux/grdefs.h>
44980 +#include <linux/grmsg.h>
44982 +void gr_add_learn_entry(const char *fmt, ...)
44983 + __attribute__ ((format (printf, 1, 2)));
44984 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
44985 + const struct vfsmount *mnt);
44986 +__u32 gr_check_create(const struct dentry *new_dentry,
44987 + const struct dentry *parent,
44988 + const struct vfsmount *mnt, const __u32 mode);
44989 +int gr_check_protected_task(const struct task_struct *task);
44990 +__u32 to_gr_audit(const __u32 reqmode);
44991 +int gr_set_acls(const int type);
44993 +int gr_acl_is_enabled(void);
44994 +char gr_roletype_to_char(void);
44996 +void gr_handle_alertkill(struct task_struct *task);
44997 +char *gr_to_filename(const struct dentry *dentry,
44998 + const struct vfsmount *mnt);
44999 +char *gr_to_filename1(const struct dentry *dentry,
45000 + const struct vfsmount *mnt);
45001 +char *gr_to_filename2(const struct dentry *dentry,
45002 + const struct vfsmount *mnt);
45003 +char *gr_to_filename3(const struct dentry *dentry,
45004 + const struct vfsmount *mnt);
45006 +extern int grsec_enable_harden_ptrace;
45007 +extern int grsec_enable_link;
45008 +extern int grsec_enable_fifo;
45009 +extern int grsec_enable_execve;
45010 +extern int grsec_enable_shm;
45011 +extern int grsec_enable_execlog;
45012 +extern int grsec_enable_signal;
45013 +extern int grsec_enable_audit_ptrace;
45014 +extern int grsec_enable_forkfail;
45015 +extern int grsec_enable_time;
45016 +extern int grsec_enable_rofs;
45017 +extern int grsec_enable_chroot_shmat;
45018 +extern int grsec_enable_chroot_findtask;
45019 +extern int grsec_enable_chroot_mount;
45020 +extern int grsec_enable_chroot_double;
45021 +extern int grsec_enable_chroot_pivot;
45022 +extern int grsec_enable_chroot_chdir;
45023 +extern int grsec_enable_chroot_chmod;
45024 +extern int grsec_enable_chroot_mknod;
45025 +extern int grsec_enable_chroot_fchdir;
45026 +extern int grsec_enable_chroot_nice;
45027 +extern int grsec_enable_chroot_execlog;
45028 +extern int grsec_enable_chroot_caps;
45029 +extern int grsec_enable_chroot_sysctl;
45030 +extern int grsec_enable_chroot_unix;
45031 +extern int grsec_enable_tpe;
45032 +extern int grsec_tpe_gid;
45033 +extern int grsec_enable_tpe_all;
45034 +extern int grsec_enable_tpe_invert;
45035 +extern int grsec_enable_socket_all;
45036 +extern int grsec_socket_all_gid;
45037 +extern int grsec_enable_socket_client;
45038 +extern int grsec_socket_client_gid;
45039 +extern int grsec_enable_socket_server;
45040 +extern int grsec_socket_server_gid;
45041 +extern int grsec_audit_gid;
45042 +extern int grsec_enable_group;
45043 +extern int grsec_enable_audit_textrel;
45044 +extern int grsec_enable_mount;
45045 +extern int grsec_enable_chdir;
45046 +extern int grsec_resource_logging;
45047 +extern int grsec_enable_blackhole;
45048 +extern int grsec_lastack_retries;
45049 +extern int grsec_lock;
45051 +extern spinlock_t grsec_alert_lock;
45052 +extern unsigned long grsec_alert_wtime;
45053 +extern unsigned long grsec_alert_fyet;
45055 +extern spinlock_t grsec_audit_lock;
45057 +extern rwlock_t grsec_exec_file_lock;
45059 +#define gr_task_fullpath(tsk) (tsk->exec_file ? \
45060 + gr_to_filename2(tsk->exec_file->f_path.dentry, \
45061 + tsk->exec_file->f_vfsmnt) : "/")
45063 +#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
45064 + gr_to_filename3(tsk->parent->exec_file->f_path.dentry, \
45065 + tsk->parent->exec_file->f_vfsmnt) : "/")
45067 +#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
45068 + gr_to_filename(tsk->exec_file->f_path.dentry, \
45069 + tsk->exec_file->f_vfsmnt) : "/")
45071 +#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
45072 + gr_to_filename1(tsk->parent->exec_file->f_path.dentry, \
45073 + tsk->parent->exec_file->f_vfsmnt) : "/")
45075 +#define proc_is_chrooted(tsk_a) (tsk_a->gr_is_chrooted)
45077 +#define have_same_root(tsk_a,tsk_b) (tsk_a->gr_chroot_dentry == tsk_b->gr_chroot_dentry)
45079 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), task->comm, \
45080 + task->pid, cred->uid, \
45081 + cred->euid, cred->gid, cred->egid, \
45082 + gr_parent_task_fullpath(task), \
45083 + task->parent->comm, task->parent->pid, \
45084 + pcred->uid, pcred->euid, \
45085 + pcred->gid, pcred->egid
45087 +#define GR_CHROOT_CAPS {{ \
45088 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
45089 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
45090 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
45091 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
45092 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
45093 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
45095 +#define security_learn(normal_msg,args...) \
45097 + read_lock(&grsec_exec_file_lock); \
45098 + gr_add_learn_entry(normal_msg "\n", ## args); \
45099 + read_unlock(&grsec_exec_file_lock); \
45105 + GR_DONT_AUDIT_GOOD
45116 + GR_SYSCTL_HIDDEN,
45119 + GR_ONE_INT_TWO_STR,
45124 + GR_FIVE_INT_TWO_STR,
45130 + GR_FILENAME_TWO_INT,
45131 + GR_FILENAME_TWO_INT_STR,
45143 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
45144 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
45145 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
45146 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
45147 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
45148 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
45149 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
45150 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
45151 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
45152 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
45153 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
45154 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
45155 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
45156 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
45157 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
45158 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
45159 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
45160 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
45161 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
45162 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
45163 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
45164 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
45165 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
45166 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
45167 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
45168 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
45169 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
45170 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
45171 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
45172 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
45173 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
45174 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
45176 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
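Review bot: `gr_log_int5_str2(audit, msg, num1, num2, str1, str2)` forwards two integers under the tag `GR_FIVE_INT_TWO_STR`, so the wrapper name, the tag and the argument list disagree on how many integers are passed. `gr_log_varargs()` is variadic and decodes its arguments from the tag alone, so the compiler cannot catch a mismatch, unlike `gr_add_learn_entry`, which carries `format (printf, 1, 2)`. If the decoder (outside this hunk) pulls five ints for that tag, it reads past the supplied arguments. Either rename the pair to match what is passed or add a comment beside the tag enum listing the exact `va_arg` sequence each tag expects. The path macros such as `gr_task_fullpath(tsk)` also expand `tsk` unparenthesized three times; `(tsk)->exec_file` is the usual form.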
45181 diff -urNp linux-2.6.35.5/include/linux/grmsg.h linux-2.6.35.5/include/linux/grmsg.h
45182 --- linux-2.6.35.5/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
45183 +++ linux-2.6.35.5/include/linux/grmsg.h 2010-09-23 20:39:33.000000000 -0400
45185 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
45186 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
45187 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
45188 +#define GR_STOPMOD_MSG "denied modification of module state by "
45189 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
45190 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
45191 +#define GR_IOPERM_MSG "denied use of ioperm() by "
45192 +#define GR_IOPL_MSG "denied use of iopl() by "
45193 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
45194 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
45195 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
45196 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
45197 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
45198 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
45199 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
45200 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
45201 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
45202 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
45203 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
45204 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
45205 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
45206 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
45207 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
45208 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
45209 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
45210 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
45211 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
45212 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
45213 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
45214 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
45215 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
45216 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
45217 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
45218 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
45219 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
45220 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
45221 +#define GR_NPROC_MSG "denied overstep of process limit by "
45222 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
45223 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
45224 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
45225 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
45226 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
45227 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
45228 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
45229 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
45230 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
45231 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
45232 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
45233 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
45234 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
45235 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
45236 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
45237 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
45238 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
45239 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
45240 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
45241 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
45242 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
45243 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
45244 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
45245 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
45246 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
45247 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
45248 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
45249 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
45250 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
45251 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
45252 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
45253 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
45254 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
45255 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
45256 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
45257 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
45258 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
45259 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
45260 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
45261 +#define GR_NICE_CHROOT_MSG "denied priority change by "
45262 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
45263 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
45264 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
45265 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
45266 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
45267 +#define GR_TIME_MSG "time set by "
45268 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
45269 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
45270 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
45271 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
45272 +#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
45273 +#define GR_BIND_MSG "denied bind() by "
45274 +#define GR_CONNECT_MSG "denied connect() by "
45275 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
45276 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
45277 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
45278 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
45279 +#define GR_CAP_ACL_MSG "use of %s denied for "
45280 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
45281 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
45282 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
45283 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
45284 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
45285 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
45286 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
45287 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
45288 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
45289 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
45290 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
45291 +#define GR_VM86_MSG "denied use of vm86 by "
45292 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
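Review bot: `GR_TEXTREL_AUDIT_MSG` formats what appears to be a file name with a bare `%s`, while almost every other path field in this header is capped (`%.950s`, `%.480s`, `%.256s`), so this message carries no length bound of its own. If the logging path does not truncate elsewhere (not visible in this hunk), a very long name can push the trailing subject and credential fields out of the record. `#define GR_TEXTREL_AUDIT_MSG "text relocation in %.950s, VMA:0x%08lx 0x%08lx by "` would match the rest of the file. The tab-separated learn formats (`GR_LEARN_AUDIT_MSG`, `GR_ID_LEARN_MSG`, `GR_IP_LEARN_MSG`) would also benefit from a comment such as `/* path arguments must have tabs and newlines escaped before formatting */`, since a consumer presumably splits these records on `\t`.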
45293 diff -urNp linux-2.6.35.5/include/linux/grsecurity.h linux-2.6.35.5/include/linux/grsecurity.h
45294 --- linux-2.6.35.5/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
45295 +++ linux-2.6.35.5/include/linux/grsecurity.h 2010-09-17 20:12:37.000000000 -0400
45297 +#ifndef GR_SECURITY_H
45298 +#define GR_SECURITY_H
45299 +#include <linux/fs.h>
45300 +#include <linux/fs_struct.h>
45301 +#include <linux/binfmts.h>
45302 +#include <linux/gracl.h>
45304 +/* notify of brain-dead configs */
45305 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
45306 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
45308 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
45309 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
45311 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
45312 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
45314 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
45315 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
45317 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
45318 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
45321 +void gr_handle_brute_attach(struct task_struct *p);
45322 +void gr_handle_brute_check(void);
45324 +char gr_roletype_to_char(void);
45326 +int gr_check_user_change(int real, int effective, int fs);
45327 +int gr_check_group_change(int real, int effective, int fs);
45329 +void gr_del_task_from_ip_table(struct task_struct *p);
45331 +int gr_pid_is_chrooted(struct task_struct *p);
45332 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
45333 +int gr_handle_chroot_nice(void);
45334 +int gr_handle_chroot_sysctl(const int op);
45335 +int gr_handle_chroot_setpriority(struct task_struct *p,
45336 + const int niceval);
45337 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
45338 +int gr_handle_chroot_chroot(const struct dentry *dentry,
45339 + const struct vfsmount *mnt);
45340 +int gr_handle_chroot_caps(struct path *path);
45341 +void gr_handle_chroot_chdir(struct path *path);
45342 +int gr_handle_chroot_chmod(const struct dentry *dentry,
45343 + const struct vfsmount *mnt, const int mode);
45344 +int gr_handle_chroot_mknod(const struct dentry *dentry,
45345 + const struct vfsmount *mnt, const int mode);
45346 +int gr_handle_chroot_mount(const struct dentry *dentry,
45347 + const struct vfsmount *mnt,
45348 + const char *dev_name);
45349 +int gr_handle_chroot_pivot(void);
45350 +int gr_handle_chroot_unix(const pid_t pid);
45352 +int gr_handle_rawio(const struct inode *inode);
45353 +int gr_handle_nproc(void);
45355 +void gr_handle_ioperm(void);
45356 +void gr_handle_iopl(void);
45358 +int gr_tpe_allow(const struct file *file);
45360 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
45361 +void gr_clear_chroot_entries(struct task_struct *task);
45363 +void gr_log_forkfail(const int retval);
45364 +void gr_log_timechange(void);
45365 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
45366 +void gr_log_chdir(const struct dentry *dentry,
45367 + const struct vfsmount *mnt);
45368 +void gr_log_chroot_exec(const struct dentry *dentry,
45369 + const struct vfsmount *mnt);
45370 +void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
45371 +void gr_log_remount(const char *devname, const int retval);
45372 +void gr_log_unmount(const char *devname, const int retval);
45373 +void gr_log_mount(const char *from, const char *to, const int retval);
45374 +void gr_log_textrel(struct vm_area_struct *vma);
45376 +int gr_handle_follow_link(const struct inode *parent,
45377 + const struct inode *inode,
45378 + const struct dentry *dentry,
45379 + const struct vfsmount *mnt);
45380 +int gr_handle_fifo(const struct dentry *dentry,
45381 + const struct vfsmount *mnt,
45382 + const struct dentry *dir, const int flag,
45383 + const int acc_mode);
45384 +int gr_handle_hardlink(const struct dentry *dentry,
45385 + const struct vfsmount *mnt,
45386 + struct inode *inode,
45387 + const int mode, const char *to);
45389 +int gr_is_capable(const int cap);
45390 +int gr_is_capable_nolog(const int cap);
45391 +void gr_learn_resource(const struct task_struct *task, const int limit,
45392 + const unsigned long wanted, const int gt);
45393 +void gr_copy_label(struct task_struct *tsk);
45394 +void gr_handle_crash(struct task_struct *task, const int sig);
45395 +int gr_handle_signal(const struct task_struct *p, const int sig);
45396 +int gr_check_crash_uid(const uid_t uid);
45397 +int gr_check_protected_task(const struct task_struct *task);
45398 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
45399 +int gr_acl_handle_mmap(const struct file *file,
45400 + const unsigned long prot);
45401 +int gr_acl_handle_mprotect(const struct file *file,
45402 + const unsigned long prot);
45403 +int gr_check_hidden_task(const struct task_struct *tsk);
45404 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
45405 + const struct vfsmount *mnt);
45406 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
45407 + const struct vfsmount *mnt);
45408 +__u32 gr_acl_handle_access(const struct dentry *dentry,
45409 + const struct vfsmount *mnt, const int fmode);
45410 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
45411 + const struct vfsmount *mnt, mode_t mode);
45412 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
45413 + const struct vfsmount *mnt, mode_t mode);
45414 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
45415 + const struct vfsmount *mnt);
45416 +int gr_handle_ptrace(struct task_struct *task, const long request);
45417 +int gr_handle_proc_ptrace(struct task_struct *task);
45418 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
45419 + const struct vfsmount *mnt);
45420 +int gr_check_crash_exec(const struct file *filp);
45421 +int gr_acl_is_enabled(void);
45422 +void gr_set_kernel_label(struct task_struct *task);
45423 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
45424 + const gid_t gid);
45425 +int gr_set_proc_label(const struct dentry *dentry,
45426 + const struct vfsmount *mnt,
45427 + const int unsafe_share);
45428 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
45429 + const struct vfsmount *mnt);
45430 +__u32 gr_acl_handle_open(const struct dentry *dentry,
45431 + const struct vfsmount *mnt, const int fmode);
45432 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
45433 + const struct dentry *p_dentry,
45434 + const struct vfsmount *p_mnt, const int fmode,
45435 + const int imode);
45436 +void gr_handle_create(const struct dentry *dentry,
45437 + const struct vfsmount *mnt);
45438 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
45439 + const struct dentry *parent_dentry,
45440 + const struct vfsmount *parent_mnt,
45442 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
45443 + const struct dentry *parent_dentry,
45444 + const struct vfsmount *parent_mnt);
45445 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
45446 + const struct vfsmount *mnt);
45447 +void gr_handle_delete(const ino_t ino, const dev_t dev);
45448 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
45449 + const struct vfsmount *mnt);
45450 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
45451 + const struct dentry *parent_dentry,
45452 + const struct vfsmount *parent_mnt,
45453 + const char *from);
45454 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
45455 + const struct dentry *parent_dentry,
45456 + const struct vfsmount *parent_mnt,
45457 + const struct dentry *old_dentry,
45458 + const struct vfsmount *old_mnt, const char *to);
45459 +int gr_acl_handle_rename(struct dentry *new_dentry,
45460 + struct dentry *parent_dentry,
45461 + const struct vfsmount *parent_mnt,
45462 + struct dentry *old_dentry,
45463 + struct inode *old_parent_inode,
45464 + struct vfsmount *old_mnt, const char *newname);
45465 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
45466 + struct dentry *old_dentry,
45467 + struct dentry *new_dentry,
45468 + struct vfsmount *mnt, const __u8 replace);
45469 +__u32 gr_check_link(const struct dentry *new_dentry,
45470 + const struct dentry *parent_dentry,
45471 + const struct vfsmount *parent_mnt,
45472 + const struct dentry *old_dentry,
45473 + const struct vfsmount *old_mnt);
45474 +int gr_acl_handle_filldir(const struct file *file, const char *name,
45475 + const unsigned int namelen, const ino_t ino);
45477 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
45478 + const struct vfsmount *mnt);
45479 +void gr_acl_handle_exit(void);
45480 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
45481 +int gr_acl_handle_procpidmem(const struct task_struct *task);
45482 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
45483 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
45484 +void gr_audit_ptrace(struct task_struct *task);
45486 +#ifdef CONFIG_GRKERNSEC
45487 +void gr_log_nonroot_mod_load(const char *modname);
45488 +void gr_handle_vm86(void);
45489 +void gr_handle_mem_write(void);
45490 +void gr_handle_kmem_write(void);
45491 +void gr_handle_open_port(void);
45492 +int gr_handle_mem_mmap(const unsigned long offset,
45493 + struct vm_area_struct *vma);
45495 +extern int grsec_enable_dmesg;
45496 +extern int grsec_disable_privio;
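Review bot: `gr_check_user_change()` and `gr_check_group_change()` take their ids as plain `int`, whereas `gr_check_crash_uid()` and `gr_set_role_label()` later in the same header use `uid_t`/`gid_t`. An id above INT_MAX becomes negative in an `int`, and any comparison against a stored unsigned id then depends on implicit conversion. `int gr_check_user_change(uid_t real, uid_t effective, uid_t fs);` and the matching gid prototype would keep the types consistent. If `int` is deliberate so that -1 can mean "unchanged" (the implementation is not in this hunk), a comment on the two prototypes should say so.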
45500 diff -urNp linux-2.6.35.5/include/linux/grsock.h linux-2.6.35.5/include/linux/grsock.h
45501 --- linux-2.6.35.5/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
45502 +++ linux-2.6.35.5/include/linux/grsock.h 2010-09-17 20:12:37.000000000 -0400
45504 +#ifndef __GRSOCK_H
45505 +#define __GRSOCK_H
45507 +extern void gr_attach_curr_ip(const struct sock *sk);
45508 +extern int gr_handle_sock_all(const int family, const int type,
45509 + const int protocol);
45510 +extern int gr_handle_sock_server(const struct sockaddr *sck);
45511 +extern int gr_handle_sock_server_other(const struct sock *sck);
45512 +extern int gr_handle_sock_client(const struct sockaddr *sck);
45513 +extern int gr_search_connect(struct socket * sock,
45514 + struct sockaddr_in * addr);
45515 +extern int gr_search_bind(struct socket * sock,
45516 + struct sockaddr_in * addr);
45517 +extern int gr_search_listen(struct socket * sock);
45518 +extern int gr_search_accept(struct socket * sock);
45519 +extern int gr_search_socket(const int domain, const int type,
45520 + const int protocol);
45523 diff -urNp linux-2.6.35.5/include/linux/highmem.h linux-2.6.35.5/include/linux/highmem.h
45524 --- linux-2.6.35.5/include/linux/highmem.h 2010-08-26 19:47:12.000000000 -0400
45525 +++ linux-2.6.35.5/include/linux/highmem.h 2010-09-17 20:12:09.000000000 -0400
45526 @@ -143,6 +143,18 @@ static inline void clear_highpage(struct
45527 kunmap_atomic(kaddr, KM_USER0);
45530 +static inline void sanitize_highpage(struct page *page)
45533 + unsigned long flags;
45535 + local_irq_save(flags);
45536 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
45537 + clear_page(kaddr);
45538 + kunmap_atomic(kaddr, KM_CLEARPAGE);
45539 + local_irq_restore(flags);
45542 static inline void zero_user_segments(struct page *page,
45543 unsigned start1, unsigned end1,
45544 unsigned start2, unsigned end2)
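Review bot: `sanitize_highpage()` disables interrupts around the atomic mapping with no comment saying why, while `clear_highpage()` in the context just above maps with `KM_USER0` and leaves interrupts alone. Presumably the `KM_CLEARPAGE` slot can be reached from interrupt context and must not be reused on the same CPU while mapped; that is inferred from the hunk and should be confirmed against the callers. A comment such as `/* KM_CLEARPAGE may be used from any context: keep IRQs off while the slot is mapped */` above `local_irq_save(flags);` would stop a later cleanup from dropping the irq save as redundant.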
45545 diff -urNp linux-2.6.35.5/include/linux/interrupt.h linux-2.6.35.5/include/linux/interrupt.h
45546 --- linux-2.6.35.5/include/linux/interrupt.h 2010-08-26 19:47:12.000000000 -0400
45547 +++ linux-2.6.35.5/include/linux/interrupt.h 2010-09-17 20:12:09.000000000 -0400
45548 @@ -392,7 +392,7 @@ enum
45549 /* map softirq index to softirq name. update 'softirq_to_name' in
45550 * kernel/softirq.c when adding a new softirq.
45552 -extern char *softirq_to_name[NR_SOFTIRQS];
45553 +extern const char * const softirq_to_name[NR_SOFTIRQS];
45555 /* softirq mask and active fields moved to irq_cpustat_t in
45556 * asm/hardirq.h to get better cache usage. KAO
45557 @@ -400,12 +400,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
45559 struct softirq_action
45561 - void (*action)(struct softirq_action *);
45562 + void (*action)(void);
45565 asmlinkage void do_softirq(void);
45566 asmlinkage void __do_softirq(void);
45567 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
45568 +extern void open_softirq(int nr, void (*action)(void));
45569 extern void softirq_init(void);
45570 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
45571 extern void raise_softirq_irqoff(unsigned int nr);
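Review bot: The handler type in `struct softirq_action` and `open_softirq()` changes from `void (*)(struct softirq_action *)` to `void (*)(void)`, and nothing at the declaration records the new contract. A handler still written with the old signature has to be converted rather than cast, because calling a function through a pointer of an incompatible type is undefined behaviour in C. A one-line comment above the member, for example `/* handlers take no argument; old-style handlers must be rewritten, not cast */`, would make that explicit for out-of-tree users.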
45572 diff -urNp linux-2.6.35.5/include/linux/jbd2.h linux-2.6.35.5/include/linux/jbd2.h
45573 --- linux-2.6.35.5/include/linux/jbd2.h 2010-08-26 19:47:12.000000000 -0400
45574 +++ linux-2.6.35.5/include/linux/jbd2.h 2010-09-17 20:12:09.000000000 -0400
45575 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
45579 -#define jbd_debug(f, a...) /**/
45580 +#define jbd_debug(f, a...) do {} while (0)
45583 extern void *jbd2_alloc(size_t size, gfp_t flags);
45584 diff -urNp linux-2.6.35.5/include/linux/jbd.h linux-2.6.35.5/include/linux/jbd.h
45585 --- linux-2.6.35.5/include/linux/jbd.h 2010-08-26 19:47:12.000000000 -0400
45586 +++ linux-2.6.35.5/include/linux/jbd.h 2010-09-17 20:12:09.000000000 -0400
45587 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
45591 -#define jbd_debug(f, a...) /**/
45592 +#define jbd_debug(f, a...) do {} while (0)
45595 static inline void *jbd_alloc(size_t size, gfp_t flags)
45596 diff -urNp linux-2.6.35.5/include/linux/kallsyms.h linux-2.6.35.5/include/linux/kallsyms.h
45597 --- linux-2.6.35.5/include/linux/kallsyms.h 2010-08-26 19:47:12.000000000 -0400
45598 +++ linux-2.6.35.5/include/linux/kallsyms.h 2010-09-17 20:12:37.000000000 -0400
45603 -#ifdef CONFIG_KALLSYMS
45604 +#ifndef __INCLUDED_BY_HIDESYM
45605 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45606 /* Lookup the address for a symbol. Returns 0 if not found. */
45607 unsigned long kallsyms_lookup_name(const char *name);
45609 @@ -92,6 +93,9 @@ static inline int lookup_symbol_attrs(un
45610 /* Stupid that this does nothing, but I didn't create this mess. */
45611 #define __print_symbol(fmt, addr)
45612 #endif /*CONFIG_KALLSYMS*/
45613 +#else /* when included by kallsyms.c, with HIDESYM enabled */
45614 +extern void __print_symbol(const char *fmt, unsigned long address);
45617 /* This macro allows us to keep printk typechecking */
45618 static void __check_printsym_format(const char *fmt, ...)
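Review bot: `__INCLUDED_BY_HIDESYM` changes what this header declares, but its only explanation is the trailing comment on the `#else` in this hunk, far from the `#ifndef` added in the previous one. With the macro defined, the visible `#else` branch declares only `__print_symbol`. Nothing in the header prevents another translation unit from defining the macro before the include, so the hiding presumably relies on how the symbols are defined and exported, which is not visible here. A comment at the `#ifndef`, such as `/* defined only by kallsyms.c; every other includer gets the stubs when HIDESYM is enabled */`, would document the intent where a reader first meets it.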
45619 diff -urNp linux-2.6.35.5/include/linux/kgdb.h linux-2.6.35.5/include/linux/kgdb.h
45620 --- linux-2.6.35.5/include/linux/kgdb.h 2010-08-26 19:47:12.000000000 -0400
45621 +++ linux-2.6.35.5/include/linux/kgdb.h 2010-09-17 20:12:09.000000000 -0400
45622 @@ -263,22 +263,22 @@ struct kgdb_arch {
45626 - int (*read_char) (void);
45627 - void (*write_char) (u8);
45628 - void (*flush) (void);
45629 - int (*init) (void);
45630 - void (*pre_exception) (void);
45631 - void (*post_exception) (void);
45632 + int (* const read_char) (void);
45633 + void (* const write_char) (u8);
45634 + void (* const flush) (void);
45635 + int (* const init) (void);
45636 + void (* const pre_exception) (void);
45637 + void (* const post_exception) (void);
45641 -extern struct kgdb_arch arch_kgdb_ops;
45642 +extern const struct kgdb_arch arch_kgdb_ops;
45644 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
45646 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
45647 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
45648 -extern struct kgdb_io *dbg_io_ops;
45649 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
45650 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
45651 +extern const struct kgdb_io *dbg_io_ops;
45653 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
45654 extern int kgdb_mem2hex(char *mem, char *buf, int count);
45655 diff -urNp linux-2.6.35.5/include/linux/kvm_host.h linux-2.6.35.5/include/linux/kvm_host.h
45656 --- linux-2.6.35.5/include/linux/kvm_host.h 2010-08-26 19:47:12.000000000 -0400
45657 +++ linux-2.6.35.5/include/linux/kvm_host.h 2010-09-17 20:12:09.000000000 -0400
45658 @@ -243,7 +243,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
45659 void vcpu_load(struct kvm_vcpu *vcpu);
45660 void vcpu_put(struct kvm_vcpu *vcpu);
45662 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
45663 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
45664 struct module *module);
45665 void kvm_exit(void);
45667 @@ -367,7 +367,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
45668 struct kvm_guest_debug *dbg);
45669 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
45671 -int kvm_arch_init(void *opaque);
45672 +int kvm_arch_init(const void *opaque);
45673 void kvm_arch_exit(void);
45675 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
45676 diff -urNp linux-2.6.35.5/include/linux/libata.h linux-2.6.35.5/include/linux/libata.h
45677 --- linux-2.6.35.5/include/linux/libata.h 2010-09-20 17:33:09.000000000 -0400
45678 +++ linux-2.6.35.5/include/linux/libata.h 2010-09-20 17:33:35.000000000 -0400
45679 @@ -64,11 +64,11 @@
45680 #ifdef ATA_VERBOSE_DEBUG
45681 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
45683 -#define VPRINTK(fmt, args...)
45684 +#define VPRINTK(fmt, args...) do {} while (0)
45685 #endif /* ATA_VERBOSE_DEBUG */
45687 -#define DPRINTK(fmt, args...)
45688 -#define VPRINTK(fmt, args...)
45689 +#define DPRINTK(fmt, args...) do {} while (0)
45690 +#define VPRINTK(fmt, args...) do {} while (0)
45691 #endif /* ATA_DEBUG */
45693 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
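Review bot: `BPRINTK`, the last context line of this hunk, is still a bare `if (...) printk(...)`, while the hunk converts the empty `DPRINTK`/`VPRINTK` definitions to `do {} while (0)` for statement safety. When it is used as the body of an outer `if` that has an `else`, the `else` binds to the macro's own `if` instead of the caller's. Wrapping it the same way closes that gap: `#define BPRINTK(fmt, args...) do { if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args); } while (0)`.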
45694 @@ -524,11 +524,11 @@ struct ata_ioports {
45698 - struct device *dev;
45699 + struct device *dev;
45700 void __iomem * const *iomap;
45701 unsigned int n_ports;
45702 void *private_data;
45703 - struct ata_port_operations *ops;
45704 + const struct ata_port_operations *ops;
45705 unsigned long flags;
45706 #ifdef CONFIG_ATA_ACPI
45707 acpi_handle acpi_handle;
45708 @@ -710,7 +710,7 @@ struct ata_link {
45711 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
45712 - struct ata_port_operations *ops;
45713 + const struct ata_port_operations *ops;
45715 /* Flags owned by the EH context. Only EH should touch these once the
45717 @@ -895,7 +895,7 @@ struct ata_port_info {
45718 unsigned long pio_mask;
45719 unsigned long mwdma_mask;
45720 unsigned long udma_mask;
45721 - struct ata_port_operations *port_ops;
45722 + const struct ata_port_operations *port_ops;
45723 void *private_data;
45726 @@ -919,7 +919,7 @@ extern const unsigned long sata_deb_timi
45727 extern const unsigned long sata_deb_timing_hotplug[];
45728 extern const unsigned long sata_deb_timing_long[];
45730 -extern struct ata_port_operations ata_dummy_port_ops;
45731 +extern const struct ata_port_operations ata_dummy_port_ops;
45732 extern const struct ata_port_info ata_dummy_port_info;
45734 static inline const unsigned long *
45735 @@ -963,7 +963,7 @@ extern int ata_host_activate(struct ata_
45736 struct scsi_host_template *sht);
45737 extern void ata_host_detach(struct ata_host *host);
45738 extern void ata_host_init(struct ata_host *, struct device *,
45739 - unsigned long, struct ata_port_operations *);
45740 + unsigned long, const struct ata_port_operations *);
45741 extern int ata_scsi_detect(struct scsi_host_template *sht);
45742 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
45743 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
45744 diff -urNp linux-2.6.35.5/include/linux/lockd/bind.h linux-2.6.35.5/include/linux/lockd/bind.h
45745 --- linux-2.6.35.5/include/linux/lockd/bind.h 2010-08-26 19:47:12.000000000 -0400
45746 +++ linux-2.6.35.5/include/linux/lockd/bind.h 2010-09-17 20:12:09.000000000 -0400
45747 @@ -23,13 +23,13 @@ struct svc_rqst;
45748 * This is the set of functions for lockd->nfsd communication
45750 struct nlmsvc_binding {
45751 - __be32 (*fopen)(struct svc_rqst *,
45752 + __be32 (* const fopen)(struct svc_rqst *,
45755 - void (*fclose)(struct file *);
45756 + void (* const fclose)(struct file *);
45759 -extern struct nlmsvc_binding * nlmsvc_ops;
45760 +extern const struct nlmsvc_binding * nlmsvc_ops;
45763 * Similar to nfs_client_initdata, but without the NFS-specific
45764 diff -urNp linux-2.6.35.5/include/linux/mm.h linux-2.6.35.5/include/linux/mm.h
45765 --- linux-2.6.35.5/include/linux/mm.h 2010-08-26 19:47:12.000000000 -0400
45766 +++ linux-2.6.35.5/include/linux/mm.h 2010-09-17 20:12:09.000000000 -0400
45767 @@ -103,7 +103,14 @@ extern unsigned int kobjsize(const void
45769 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
45770 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
45772 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
45773 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
45774 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
45776 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
45779 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
45780 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
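Review bot: The zero definition of `VM_SAO` added for PAGEEXEC on 32-bit x86 keeps the original `/* Strong Access Ordering (powerpc) */` comment, which does not say the flag is deliberately disabled there. `VM_PAGEEXEC` takes over bit 0x20000000, so every `vm_flags & VM_SAO` test silently evaluates false, and any code that uses the raw bit value instead of the macro would collide with `VM_PAGEEXEC`. Suggested wording: `#define VM_SAO 0x00000000 /* unused on x86-32: bit reused by VM_PAGEEXEC */`.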
45782 @@ -1010,6 +1017,8 @@ struct shrinker {
45783 extern void register_shrinker(struct shrinker *);
45784 extern void unregister_shrinker(struct shrinker *);
45786 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
45788 int vma_wants_writenotify(struct vm_area_struct *vma);
45790 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
45791 @@ -1286,6 +1295,7 @@ out:
45794 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
45795 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
45797 extern unsigned long do_brk(unsigned long, unsigned long);
45799 @@ -1340,6 +1350,10 @@ extern struct vm_area_struct * find_vma(
45800 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
45801 struct vm_area_struct **pprev);
45803 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
45804 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
45805 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
45807 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
45808 NULL if none. Assume start_addr < end_addr. */
45809 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
45810 @@ -1356,7 +1370,6 @@ static inline unsigned long vma_pages(st
45811 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
45814 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
45815 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
45816 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
45817 unsigned long pfn, unsigned long size, pgprot_t);
45818 @@ -1463,10 +1476,16 @@ extern int unpoison_memory(unsigned long
45819 extern int sysctl_memory_failure_early_kill;
45820 extern int sysctl_memory_failure_recovery;
45821 extern void shake_page(struct page *p, int access);
45822 -extern atomic_long_t mce_bad_pages;
45823 +extern atomic_long_unchecked_t mce_bad_pages;
45824 extern int soft_offline_page(struct page *page, int flags);
45826 extern void dump_page(struct page *page);
45828 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
45829 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
45831 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
45834 #endif /* __KERNEL__ */
45835 #endif /* _LINUX_MM_H */
45836 diff -urNp linux-2.6.35.5/include/linux/mm_types.h linux-2.6.35.5/include/linux/mm_types.h
45837 --- linux-2.6.35.5/include/linux/mm_types.h 2010-08-26 19:47:12.000000000 -0400
45838 +++ linux-2.6.35.5/include/linux/mm_types.h 2010-09-17 20:12:09.000000000 -0400
45839 @@ -183,6 +183,8 @@ struct vm_area_struct {
45841 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
45844 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
45847 struct core_thread {
45848 @@ -310,6 +312,24 @@ struct mm_struct {
45849 #ifdef CONFIG_MMU_NOTIFIER
45850 struct mmu_notifier_mm *mmu_notifier_mm;
45853 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45854 + unsigned long pax_flags;
45857 +#ifdef CONFIG_PAX_DLRESOLVE
45858 + unsigned long call_dl_resolve;
45861 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
45862 + unsigned long call_syscall;
45865 +#ifdef CONFIG_PAX_ASLR
45866 + unsigned long delta_mmap; /* randomized offset */
45867 + unsigned long delta_stack; /* randomized offset */
45872 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
45873 diff -urNp linux-2.6.35.5/include/linux/mmu_notifier.h linux-2.6.35.5/include/linux/mmu_notifier.h
45874 --- linux-2.6.35.5/include/linux/mmu_notifier.h 2010-08-26 19:47:12.000000000 -0400
45875 +++ linux-2.6.35.5/include/linux/mmu_notifier.h 2010-09-17 20:12:09.000000000 -0400
45876 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
45878 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
45882 struct vm_area_struct *___vma = __vma; \
45883 unsigned long ___address = __address; \
45884 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
45885 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
45886 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
45891 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
45892 diff -urNp linux-2.6.35.5/include/linux/mmzone.h linux-2.6.35.5/include/linux/mmzone.h
45893 --- linux-2.6.35.5/include/linux/mmzone.h 2010-08-26 19:47:12.000000000 -0400
45894 +++ linux-2.6.35.5/include/linux/mmzone.h 2010-09-17 20:12:09.000000000 -0400
45895 @@ -345,7 +345,7 @@ struct zone {
45896 unsigned long flags; /* zone flags, see below */
45898 /* Zone statistics */
45899 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
45900 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
45903 * prev_priority holds the scanning priority for this zone. It is
45904 diff -urNp linux-2.6.35.5/include/linux/mod_devicetable.h linux-2.6.35.5/include/linux/mod_devicetable.h
45905 --- linux-2.6.35.5/include/linux/mod_devicetable.h 2010-08-26 19:47:12.000000000 -0400
45906 +++ linux-2.6.35.5/include/linux/mod_devicetable.h 2010-09-17 20:12:09.000000000 -0400
45908 typedef unsigned long kernel_ulong_t;
45911 -#define PCI_ANY_ID (~0)
45912 +#define PCI_ANY_ID ((__u16)~0)
45914 struct pci_device_id {
45915 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
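Review bot: `PCI_ANY_ID` narrowed to `((__u16)~0)` evaluates to 0xFFFF, but the `__u32 vendor, device` fields in the trailing context are documented as holding "Vendor and device ID or PCI_ANY_ID", so an entry written as `~0`, `-1` or `0xffffffff` still stores 0xFFFFFFFF and no longer compares equal to the macro. Any matching code that tests a 32-bit field against `PCI_ANY_ID` would then stop treating such entries as wildcards; whether such spellings exist is not visible from this hunk, so id tables and user-supplied ids need to be audited. If the aim was only to get rid of the signed `~0`, `(~0U)`, as used for `HID_ANY_ID` in the next hunk, keeps the 32-bit all-ones value. `struct pci_device_id` continues outside the hunk.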
45916 @@ -131,7 +131,7 @@ struct usb_device_id {
45917 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
45918 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
45920 -#define HID_ANY_ID (~0)
45921 +#define HID_ANY_ID (~0U)
45923 struct hid_device_id {
45925 diff -urNp linux-2.6.35.5/include/linux/module.h linux-2.6.35.5/include/linux/module.h
45926 --- linux-2.6.35.5/include/linux/module.h 2010-08-26 19:47:12.000000000 -0400
45927 +++ linux-2.6.35.5/include/linux/module.h 2010-09-17 20:12:09.000000000 -0400
45928 @@ -297,16 +297,16 @@ struct module
45931 /* If this is non-NULL, vfree after init() returns */
45932 - void *module_init;
45933 + void *module_init_rx, *module_init_rw;
45935 /* Here is the actual code + data, vfree'd on unload. */
45936 - void *module_core;
45937 + void *module_core_rx, *module_core_rw;
45939 /* Here are the sizes of the init and core sections */
45940 - unsigned int init_size, core_size;
45941 + unsigned int init_size_rw, core_size_rw;
45943 /* The size of the executable code in each section. */
45944 - unsigned int init_text_size, core_text_size;
45945 + unsigned int init_size_rx, core_size_rx;
45947 /* Arch-specific module values */
45948 struct mod_arch_specific arch;
45949 @@ -408,16 +408,46 @@ bool is_module_address(unsigned long add
45950 bool is_module_percpu_address(unsigned long addr);
45951 bool is_module_text_address(unsigned long addr);
45953 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
45956 +#ifdef CONFIG_PAX_KERNEXEC
45957 + if (ktla_ktva(addr) >= (unsigned long)start &&
45958 + ktla_ktva(addr) < (unsigned long)start + size)
45962 + return ((void *)addr >= start && (void *)addr < start + size);
45965 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
45967 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
45970 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
45972 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
45975 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
45977 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
45980 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
45982 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
45985 static inline int within_module_core(unsigned long addr, struct module *mod)
45987 - return (unsigned long)mod->module_core <= addr &&
45988 - addr < (unsigned long)mod->module_core + mod->core_size;
45989 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
45992 static inline int within_module_init(unsigned long addr, struct module *mod)
45994 - return (unsigned long)mod->module_init <= addr &&
45995 - addr < (unsigned long)mod->module_init + mod->init_size;
45996 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
45999 /* Search for module by name: must hold module_mutex. */
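Review bot: `within_module_range()` forms its upper bound in two different ways and neither is robust at the top of the address space: the `CONFIG_PAX_KERNEXEC` branch adds `(unsigned long)start + size`, which wraps if the region ends at the last address, and the fallback does `start + size` on a `void *`, which is a GNU extension rather than standard C. Comparing the offset avoids both and keeps one expression for both branches: `unsigned long off = addr - (unsigned long)start; return off < size;` (a zero `size` then always yields false). The KERNEXEC branch appears to test the `ktla_ktva()`-translated address for the `_rw` ranges as well as the `_rx` ones; since that translation is defined outside this hunk, a one-line comment saying why it is applied to data ranges would help the next reader.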
46000 diff -urNp linux-2.6.35.5/include/linux/moduleloader.h linux-2.6.35.5/include/linux/moduleloader.h
46001 --- linux-2.6.35.5/include/linux/moduleloader.h 2010-08-26 19:47:12.000000000 -0400
46002 +++ linux-2.6.35.5/include/linux/moduleloader.h 2010-09-17 20:12:09.000000000 -0400
46003 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
46004 sections. Returns NULL on failure. */
46005 void *module_alloc(unsigned long size);
46007 +#ifdef CONFIG_PAX_KERNEXEC
46008 +void *module_alloc_exec(unsigned long size);
46010 +#define module_alloc_exec(x) module_alloc(x)
46013 /* Free memory returned from module_alloc. */
46014 void module_free(struct module *mod, void *module_region);
46016 +#ifdef CONFIG_PAX_KERNEXEC
46017 +void module_free_exec(struct module *mod, void *module_region);
46019 +#define module_free_exec(x, y) module_free((x), (y))
46022 /* Apply the given relocation to the (simplified) ELF. Return -error
46024 int apply_relocate(Elf_Shdr *sechdrs,
46025 diff -urNp linux-2.6.35.5/include/linux/namei.h linux-2.6.35.5/include/linux/namei.h
46026 --- linux-2.6.35.5/include/linux/namei.h 2010-08-26 19:47:12.000000000 -0400
46027 +++ linux-2.6.35.5/include/linux/namei.h 2010-09-17 20:12:09.000000000 -0400
46028 @@ -22,7 +22,7 @@ struct nameidata {
46029 unsigned int flags;
46032 - char *saved_names[MAX_NESTED_LINKS + 1];
46033 + const char *saved_names[MAX_NESTED_LINKS + 1];
46037 @@ -81,12 +81,12 @@ extern int follow_up(struct path *);
46038 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
46039 extern void unlock_rename(struct dentry *, struct dentry *);
46041 -static inline void nd_set_link(struct nameidata *nd, char *path)
46042 +static inline void nd_set_link(struct nameidata *nd, const char *path)
46044 nd->saved_names[nd->depth] = path;
46047 -static inline char *nd_get_link(struct nameidata *nd)
46048 +static inline const char *nd_get_link(const struct nameidata *nd)
46050 return nd->saved_names[nd->depth];
46052 diff -urNp linux-2.6.35.5/include/linux/oprofile.h linux-2.6.35.5/include/linux/oprofile.h
46053 --- linux-2.6.35.5/include/linux/oprofile.h 2010-08-26 19:47:12.000000000 -0400
46054 +++ linux-2.6.35.5/include/linux/oprofile.h 2010-09-17 20:12:09.000000000 -0400
46055 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
46056 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
46057 char const * name, ulong * val);
46059 -/** Create a file for read-only access to an atomic_t. */
46060 +/** Create a file for read-only access to an atomic_unchecked_t. */
46061 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
46062 - char const * name, atomic_t * val);
46063 + char const * name, atomic_unchecked_t * val);
46065 /** create a directory */
46066 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
46067 diff -urNp linux-2.6.35.5/include/linux/pipe_fs_i.h linux-2.6.35.5/include/linux/pipe_fs_i.h
46068 --- linux-2.6.35.5/include/linux/pipe_fs_i.h 2010-08-26 19:47:12.000000000 -0400
46069 +++ linux-2.6.35.5/include/linux/pipe_fs_i.h 2010-09-17 20:12:09.000000000 -0400
46070 @@ -45,9 +45,9 @@ struct pipe_buffer {
46071 struct pipe_inode_info {
46072 wait_queue_head_t wait;
46073 unsigned int nrbufs, curbuf, buffers;
46074 - unsigned int readers;
46075 - unsigned int writers;
46076 - unsigned int waiting_writers;
46077 + atomic_t readers;
46078 + atomic_t writers;
46079 + atomic_t waiting_writers;
46080 unsigned int r_counter;
46081 unsigned int w_counter;
46082 struct page *tmp_page;
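Review bot: The switch of `readers`, `writers` and `waiting_writers` to `atomic_t` comes with no comment saying what the new type is meant to guarantee, while `r_counter` and `w_counter` next to them stay plain `unsigned int`. A reader cannot tell whether these fields may now be touched without the pipe lock or are atomic only so that increments are overflow-checked; the second reading is an inference, not something this hunk shows. I would add a comment on the three fields, for example `/* atomic_t for overflow detection; still updated under the pipe lock */`, adjusted to whatever the intent is. `struct pipe_inode_info` continues outside the hunk.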
46083 diff -urNp linux-2.6.35.5/include/linux/poison.h linux-2.6.35.5/include/linux/poison.h
46084 --- linux-2.6.35.5/include/linux/poison.h 2010-08-26 19:47:12.000000000 -0400
46085 +++ linux-2.6.35.5/include/linux/poison.h 2010-09-17 20:12:09.000000000 -0400
46087 * under normal circumstances, used to verify that nobody uses
46088 * non-initialized list entries.
46090 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
46091 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
46092 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
46093 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
46095 /********** include/linux/timer.h **********/
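Review bot: On a 64-bit build the new `LIST_POISON1`/`LIST_POISON2` values are 0x00000000FFFFFF01 and 0x00000000FFFFFF02, because the literal `0xFFFFFF01` has type `unsigned int` and the `(long)` cast therefore zero-extends it. The removed definitions added `POISON_POINTER_DELTA`, which let an architecture move the poison into a range that is never mapped; without it, a dereference of a poisoned list pointer is caught only if that low address is guaranteed unmapped by some other mechanism, which this hunk does not show. If a sign-extended value was intended, `((void *)(long)(int)0xFFFFFF01)` produces it. Either way, a comment above the defines should state which property the constants rely on.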
46097 diff -urNp linux-2.6.35.5/include/linux/proc_fs.h linux-2.6.35.5/include/linux/proc_fs.h
46098 --- linux-2.6.35.5/include/linux/proc_fs.h 2010-08-26 19:47:12.000000000 -0400
46099 +++ linux-2.6.35.5/include/linux/proc_fs.h 2010-09-17 20:12:37.000000000 -0400
46100 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
46101 return proc_create_data(name, mode, parent, proc_fops, NULL);
46104 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
46105 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
46107 +#ifdef CONFIG_GRKERNSEC_PROC_USER
46108 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
46109 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46110 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
46112 + return proc_create_data(name, mode, parent, proc_fops, NULL);
46117 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
46118 mode_t mode, struct proc_dir_entry *base,
46119 read_proc_t *read_proc, void * data)
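Review bot: `proc_create_grsec()` silently discards the caller's `mode` when `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, substituting `S_IRUSR` or `S_IRUSR | S_IRGRP`, and nothing at the definition says so. A caller passing a mode with write bits would get a read-only entry under those options and the mode it asked for otherwise, which is easy to miss when converting a `proc_create()` call. I would add a comment above the function, for example `/* Like proc_create(), but forces owner (or owner+group) read-only when GRKERNSEC_PROC_USER/USERGROUP is set; @mode is honoured only otherwise. */`. The trailing `create_proc_read_entry()` context continues outside the hunk.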
46120 diff -urNp linux-2.6.35.5/include/linux/random.h linux-2.6.35.5/include/linux/random.h
46121 --- linux-2.6.35.5/include/linux/random.h 2010-08-26 19:47:12.000000000 -0400
46122 +++ linux-2.6.35.5/include/linux/random.h 2010-09-17 20:12:09.000000000 -0400
46123 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
46125 u32 prandom32(struct rnd_state *);
46127 +static inline unsigned long pax_get_random_long(void)
46129 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
46133 * Handle minimum values for seeds
46135 static inline u32 __seed(u32 x, u32 m)
46137 - return (x < m) ? x + m : x;
46138 + return (x <= m) ? x + m + 1 : x;
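Review bot: `pax_get_random_long()` builds its result from `random32()`, the seeded pseudo-random generator that sits next to `srandom32()` and `prandom32()` in this header, rather than from the entropy pool. If the value feeds address randomisation such as the `delta_mmap`/`delta_stack` offsets added in mm_types.h (the callers are not in this hunk, so that is an inference), a generator whose state can be reconstructed from its outputs lowers the effective entropy. `get_random_bytes()` is declared in this same header, so the body could be `unsigned long r; get_random_bytes(&r, sizeof(r)); return r;`. Separately, the comment over `__seed()` still reads "Handle minimum values for seeds" although the test is now `x <= m` with `+ 1`; it should say the result is strictly greater than `m`.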
46142 diff -urNp linux-2.6.35.5/include/linux/reiserfs_fs.h linux-2.6.35.5/include/linux/reiserfs_fs.h
46143 --- linux-2.6.35.5/include/linux/reiserfs_fs.h 2010-08-26 19:47:12.000000000 -0400
46144 +++ linux-2.6.35.5/include/linux/reiserfs_fs.h 2010-09-17 20:12:09.000000000 -0400
46145 @@ -1404,7 +1404,7 @@ static inline loff_t max_reiserfs_offset
46146 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
46148 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
46149 -#define get_generation(s) atomic_read (&fs_generation(s))
46150 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
46151 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
46152 #define __fs_changed(gen,s) (gen != get_generation (s))
46153 #define fs_changed(gen,s) \
46154 @@ -1616,24 +1616,24 @@ static inline struct super_block *sb_fro
46157 struct item_operations {
46158 - int (*bytes_number) (struct item_head * ih, int block_size);
46159 - void (*decrement_key) (struct cpu_key *);
46160 - int (*is_left_mergeable) (struct reiserfs_key * ih,
46161 + int (* const bytes_number) (struct item_head * ih, int block_size);
46162 + void (* const decrement_key) (struct cpu_key *);
46163 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
46164 unsigned long bsize);
46165 - void (*print_item) (struct item_head *, char *item);
46166 - void (*check_item) (struct item_head *, char *item);
46167 + void (* const print_item) (struct item_head *, char *item);
46168 + void (* const check_item) (struct item_head *, char *item);
46170 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
46171 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
46172 int is_affected, int insert_size);
46173 - int (*check_left) (struct virtual_item * vi, int free,
46174 + int (* const check_left) (struct virtual_item * vi, int free,
46175 int start_skip, int end_skip);
46176 - int (*check_right) (struct virtual_item * vi, int free);
46177 - int (*part_size) (struct virtual_item * vi, int from, int to);
46178 - int (*unit_num) (struct virtual_item * vi);
46179 - void (*print_vi) (struct virtual_item * vi);
46180 + int (* const check_right) (struct virtual_item * vi, int free);
46181 + int (* const part_size) (struct virtual_item * vi, int from, int to);
46182 + int (* const unit_num) (struct virtual_item * vi);
46183 + void (* const print_vi) (struct virtual_item * vi);
46186 -extern struct item_operations *item_ops[TYPE_ANY + 1];
46187 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
46189 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
46190 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
46191 diff -urNp linux-2.6.35.5/include/linux/reiserfs_fs_sb.h linux-2.6.35.5/include/linux/reiserfs_fs_sb.h
46192 --- linux-2.6.35.5/include/linux/reiserfs_fs_sb.h 2010-08-26 19:47:12.000000000 -0400
46193 +++ linux-2.6.35.5/include/linux/reiserfs_fs_sb.h 2010-09-17 20:12:09.000000000 -0400
46194 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
46195 /* Comment? -Hans */
46196 wait_queue_head_t s_wait;
46197 /* To be obsoleted soon by per buffer seals.. -Hans */
46198 - atomic_t s_generation_counter; // increased by one every time the
46199 + atomic_unchecked_t s_generation_counter; // increased by one every time the
46200 // tree gets re-balanced
46201 unsigned long s_properties; /* File system properties. Currently holds
46202 on-disk FS format */
46203 diff -urNp linux-2.6.35.5/include/linux/rmap.h linux-2.6.35.5/include/linux/rmap.h
46204 --- linux-2.6.35.5/include/linux/rmap.h 2010-08-26 19:47:12.000000000 -0400
46205 +++ linux-2.6.35.5/include/linux/rmap.h 2010-09-17 20:12:09.000000000 -0400
46206 @@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
46207 void anon_vma_init(void); /* create anon_vma_cachep */
46208 int anon_vma_prepare(struct vm_area_struct *);
46209 void unlink_anon_vmas(struct vm_area_struct *);
46210 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
46211 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
46212 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
46213 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
46214 void __anon_vma_link(struct vm_area_struct *);
46215 void anon_vma_free(struct anon_vma *);
46217 diff -urNp linux-2.6.35.5/include/linux/sched.h linux-2.6.35.5/include/linux/sched.h
46218 --- linux-2.6.35.5/include/linux/sched.h 2010-08-26 19:47:12.000000000 -0400
46219 +++ linux-2.6.35.5/include/linux/sched.h 2010-09-17 20:12:37.000000000 -0400
46220 @@ -100,6 +100,7 @@ struct robust_list_head;
46223 struct perf_event_context;
46224 +struct linux_binprm;
46227 * List of flags we want to share for kernel threads,
46228 @@ -381,10 +382,12 @@ struct user_namespace;
46229 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
46231 extern int sysctl_max_map_count;
46232 +extern unsigned long sysctl_heap_stack_gap;
46234 #include <linux/aio.h>
46237 +extern bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len);
46238 extern void arch_pick_mmap_layout(struct mm_struct *mm);
46239 extern unsigned long
46240 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
46241 @@ -628,6 +631,15 @@ struct signal_struct {
46242 struct tty_audit_buf *tty_audit_buf;
46245 +#ifdef CONFIG_GRKERNSEC
46251 + u8 used_accept:1;
46254 int oom_adj; /* OOM kill score adjustment (bit shift) */
46257 @@ -1166,7 +1178,7 @@ struct rcu_node;
46259 struct task_struct {
46260 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
46262 + struct thread_info *stack;
46264 unsigned int flags; /* per process flags, defined below */
46265 unsigned int ptrace;
46266 @@ -1274,8 +1286,8 @@ struct task_struct {
46267 struct list_head thread_group;
46269 struct completion *vfork_done; /* for vfork() */
46270 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
46271 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
46272 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
46273 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
46275 cputime_t utime, stime, utimescaled, stimescaled;
46277 @@ -1291,16 +1303,6 @@ struct task_struct {
46278 struct task_cputime cputime_expires;
46279 struct list_head cpu_timers[3];
46281 -/* process credentials */
46282 - const struct cred *real_cred; /* objective and real subjective task
46283 - * credentials (COW) */
46284 - const struct cred *cred; /* effective (overridable) subjective task
46285 - * credentials (COW) */
46286 - struct mutex cred_guard_mutex; /* guard against foreign influences on
46287 - * credential calculations
46288 - * (notably. ptrace) */
46289 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
46291 char comm[TASK_COMM_LEN]; /* executable name excluding path
46292 - access with [gs]et_task_comm (which lock
46293 it with task_lock())
46294 @@ -1384,6 +1386,15 @@ struct task_struct {
46295 int softirqs_enabled;
46296 int softirq_context;
46299 +/* process credentials */
46300 + const struct cred *real_cred; /* objective and real subjective task
46301 + * credentials (COW) */
46302 + struct mutex cred_guard_mutex; /* guard against foreign influences on
46303 + * credential calculations
46304 + * (notably. ptrace) */
46305 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
46307 #ifdef CONFIG_LOCKDEP
46308 # define MAX_LOCK_DEPTH 48UL
46309 u64 curr_chain_key;
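Review bot: The credential fields are re-added here with no comment explaining the new layout: `real_cred`, `cred_guard_mutex` and `replacement_session_keyring` land in this hunk, while `cred` is placed on its own in the next hunk (`@@ -1404,6 +1415,9 @@`), after `backing_dev_info`. The removed lines kept all four together under one `/* process credentials */` heading, so a later cleanup or merge is likely to regroup them unless the reason for the separation is written down. I would add a short comment at both sites, e.g. `/* deliberately not adjacent to real_cred: <rationale to be supplied by the author> */`, since the rationale is not visible in this diff. `struct task_struct` starts and ends outside the hunk.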
46310 @@ -1404,6 +1415,9 @@ struct task_struct {
46312 struct backing_dev_info *backing_dev_info;
46314 + const struct cred *cred; /* effective (overridable) subjective task
46315 + * credentials (COW) */
46317 struct io_context *io_context;
46319 unsigned long ptrace_message;
46320 @@ -1469,6 +1483,20 @@ struct task_struct {
46321 unsigned long default_timer_slack_ns;
46323 struct list_head *scm_work_list;
46325 +#ifdef CONFIG_GRKERNSEC
46327 + struct dentry *gr_chroot_dentry;
46328 + struct acl_subject_label *acl;
46329 + struct acl_role_label *role;
46330 + struct file *exec_file;
46335 + u8 gr_is_chrooted;
46338 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
46339 /* Index of current stored address in ret_stack */
46340 int curr_ret_stack;
46341 @@ -1500,6 +1528,52 @@ struct task_struct {
46345 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
46346 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
46347 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
46348 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
46349 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
46350 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
46352 +#ifdef CONFIG_PAX_SOFTMODE
46353 +extern unsigned int pax_softmode;
46356 +extern int pax_check_flags(unsigned long *);
46358 +/* if tsk != current then task_lock must be held on it */
46359 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
46360 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
46362 + if (likely(tsk->mm))
46363 + return tsk->mm->pax_flags;
46368 +/* if tsk != current then task_lock must be held on it */
46369 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
46371 + if (likely(tsk->mm)) {
46372 + tsk->mm->pax_flags = flags;
46379 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
46380 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
46381 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
46382 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
46385 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
46386 +void pax_report_insns(void *pc, void *sp);
46387 +void pax_report_refcount_overflow(struct pt_regs *regs);
46388 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
46389 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
46391 /* Future-safe accessor for struct task_struct's cpus_allowed. */
46392 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
46394 @@ -2101,7 +2175,7 @@ extern void __cleanup_sighand(struct sig
46395 extern void exit_itimers(struct signal_struct *);
46396 extern void flush_itimer_signals(void);
46398 -extern NORET_TYPE void do_group_exit(int);
46399 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
46401 extern void daemonize(const char *, ...);
46402 extern int allow_signal(int);
46403 @@ -2217,8 +2291,8 @@ static inline void unlock_task_sighand(s
46405 #ifndef __HAVE_THREAD_FUNCTIONS
46407 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
46408 -#define task_stack_page(task) ((task)->stack)
46409 +#define task_thread_info(task) ((task)->stack)
46410 +#define task_stack_page(task) ((void *)(task)->stack)
46412 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
46414 @@ -2233,13 +2307,17 @@ static inline unsigned long *end_of_stac
46418 -static inline int object_is_on_stack(void *obj)
46419 +static inline int object_starts_on_stack(void *obj)
46421 - void *stack = task_stack_page(current);
46422 + const void *stack = task_stack_page(current);
46424 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
46427 +#ifdef CONFIG_PAX_USERCOPY
46428 +extern int object_is_on_stack(const void *obj, unsigned long len);
46431 extern void thread_info_cache_init(void);
46433 #ifdef CONFIG_DEBUG_STACK_USAGE
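Review bot: Reusing the name `object_is_on_stack` for a two-argument function that is declared only under `CONFIG_PAX_USERCOPY` leaves the old one-argument name undeclared when the option is off and changes its signature when it is on. Any caller not converted to `object_starts_on_stack()` then fails to build in one configuration or the other. The new prototype also carries no comment on its return convention, which callers need if it is more than a plain boolean; that should be documented on the declaration. For consistency with the new prototype, `object_starts_on_stack` could take `const void *obj`, which the new `const void *stack` local already permits.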
46434 diff -urNp linux-2.6.35.5/include/linux/screen_info.h linux-2.6.35.5/include/linux/screen_info.h
46435 --- linux-2.6.35.5/include/linux/screen_info.h 2010-08-26 19:47:12.000000000 -0400
46436 +++ linux-2.6.35.5/include/linux/screen_info.h 2010-09-17 20:12:09.000000000 -0400
46437 @@ -43,7 +43,8 @@ struct screen_info {
46438 __u16 pages; /* 0x32 */
46439 __u16 vesa_attributes; /* 0x34 */
46440 __u32 capabilities; /* 0x36 */
46441 - __u8 _reserved[6]; /* 0x3a */
46442 + __u16 vesapm_size; /* 0x3a */
46443 + __u8 _reserved[4]; /* 0x3c */
46444 } __attribute__((packed));
46446 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
46447 diff -urNp linux-2.6.35.5/include/linux/security.h linux-2.6.35.5/include/linux/security.h
46448 --- linux-2.6.35.5/include/linux/security.h 2010-08-26 19:47:12.000000000 -0400
46449 +++ linux-2.6.35.5/include/linux/security.h 2010-09-17 20:12:37.000000000 -0400
46451 #include <linux/key.h>
46452 #include <linux/xfrm.h>
46453 #include <linux/slab.h>
46454 +#include <linux/grsecurity.h>
46455 #include <net/flow.h>
46457 /* Maximum number of letters for an LSM name string */
46458 diff -urNp linux-2.6.35.5/include/linux/shm.h linux-2.6.35.5/include/linux/shm.h
46459 --- linux-2.6.35.5/include/linux/shm.h 2010-08-26 19:47:12.000000000 -0400
46460 +++ linux-2.6.35.5/include/linux/shm.h 2010-09-17 20:12:37.000000000 -0400
46461 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
46464 struct user_struct *mlock_user;
46465 +#ifdef CONFIG_GRKERNSEC
46466 + time_t shm_createtime;
46471 /* shm_mode upper byte flags */
46472 diff -urNp linux-2.6.35.5/include/linux/slab.h linux-2.6.35.5/include/linux/slab.h
46473 --- linux-2.6.35.5/include/linux/slab.h 2010-08-26 19:47:12.000000000 -0400
46474 +++ linux-2.6.35.5/include/linux/slab.h 2010-09-17 20:12:09.000000000 -0400
46477 #include <linux/gfp.h>
46478 #include <linux/types.h>
46479 +#include <linux/err.h>
46482 * Flags to pass to kmem_cache_create().
46483 @@ -87,10 +88,13 @@
46484 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
46485 * Both make kfree a no-op.
46487 -#define ZERO_SIZE_PTR ((void *)16)
46488 +#define ZERO_SIZE_PTR \
46490 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
46491 + (void *)(-MAX_ERRNO-1L); \
46494 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
46495 - (unsigned long)ZERO_SIZE_PTR)
46496 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
46499 * struct kmem_cache related prototypes
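Review bot: The rewritten `ZERO_OR_NULL_PTR(x)` relies on unsigned wraparound and now matches more than the two values its name suggests, and neither fact is documented. `(unsigned long)(x) - 1` turns NULL into `ULONG_MAX`, so the single comparison is true for NULL and for every value from `ZERO_SIZE_PTR` (`-MAX_ERRNO-1`) upward, which includes the whole error-pointer range. The retained comment above mentions only NULL and `ZERO_SIZE_PTR`. I would extend it with something like `/* true for NULL, ZERO_SIZE_PTR and any ERR_PTR value; relies on (x)-1 wrapping NULL to ULONG_MAX */`. `ZERO_SIZE_PTR` also appears to have become a statement expression (the `BUILD_BUG_ON` line), so it can no longer be used in a static initializer.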
46500 @@ -144,6 +148,7 @@ void * __must_check krealloc(const void
46501 void kfree(const void *);
46502 void kzfree(const void *);
46503 size_t ksize(const void *);
46504 +void check_object_size(const void *ptr, unsigned long n, bool to);
46507 * Allocator specific definitions. These are mainly used to establish optimized
46508 @@ -334,4 +339,37 @@ static inline void *kzalloc_node(size_t
46510 void __init kmem_cache_init_late(void);
46512 +#define kmalloc(x, y) \
46514 + void *___retval; \
46515 + intoverflow_t ___x = (intoverflow_t)x; \
46516 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
46517 + ___retval = NULL; \
46519 + ___retval = kmalloc((size_t)___x, (y)); \
46523 +#define kmalloc_node(x, y, z) \
46525 + void *___retval; \
46526 + intoverflow_t ___x = (intoverflow_t)x; \
46527 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
46528 + ___retval = NULL; \
46530 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
46534 +#define kzalloc(x, y) \
46536 + void *___retval; \
46537 + intoverflow_t ___x = (intoverflow_t)x; \
46538 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
46539 + ___retval = NULL; \
46541 + ___retval = kzalloc((size_t)___x, (y)); \
46545 #endif /* _LINUX_SLAB_H */
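Review bot: The unparenthesised `(intoverflow_t)x` in the `kmalloc`, `kmalloc_node` and `kzalloc` wrappers looks like a macro-hygiene slip but appears to be what makes the check work, and it needs a comment so that nobody "fixes" it. With an argument written as `n * sizeof(*p)`, the cast binds to `n` and the multiplication is carried out in `intoverflow_t`; `(intoverflow_t)(x)` would convert a value that has already wrapped. The same binding means only the leftmost operand is widened, so an argument shaped like `hdr + n * size` still multiplies in the narrow type and is not caught. I would put above the first macro `/* x is deliberately not parenthesised: the cast must bind to the first operand so the size arithmetic is done in intoverflow_t */`. `intoverflow_t` is defined outside this hunk, and the check is only effective where that type is wider than `unsigned long`.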
46546 diff -urNp linux-2.6.35.5/include/linux/slub_def.h linux-2.6.35.5/include/linux/slub_def.h
46547 --- linux-2.6.35.5/include/linux/slub_def.h 2010-08-26 19:47:12.000000000 -0400
46548 +++ linux-2.6.35.5/include/linux/slub_def.h 2010-09-17 20:12:09.000000000 -0400
46549 @@ -79,7 +79,7 @@ struct kmem_cache {
46550 struct kmem_cache_order_objects max;
46551 struct kmem_cache_order_objects min;
46552 gfp_t allocflags; /* gfp flags to use on each alloc */
46553 - int refcount; /* Refcount for slab cache destroy */
46554 + atomic_t refcount; /* Refcount for slab cache destroy */
46555 void (*ctor)(void *);
46556 int inuse; /* Offset to metadata */
46557 int align; /* Alignment */
46558 diff -urNp linux-2.6.35.5/include/linux/sonet.h linux-2.6.35.5/include/linux/sonet.h
46559 --- linux-2.6.35.5/include/linux/sonet.h 2010-08-26 19:47:12.000000000 -0400
46560 +++ linux-2.6.35.5/include/linux/sonet.h 2010-09-17 20:12:09.000000000 -0400
46561 @@ -61,7 +61,7 @@ struct sonet_stats {
46562 #include <asm/atomic.h>
46564 struct k_sonet_stats {
46565 -#define __HANDLE_ITEM(i) atomic_t i
46566 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
46568 #undef __HANDLE_ITEM
46570 diff -urNp linux-2.6.35.5/include/linux/suspend.h linux-2.6.35.5/include/linux/suspend.h
46571 --- linux-2.6.35.5/include/linux/suspend.h 2010-08-26 19:47:12.000000000 -0400
46572 +++ linux-2.6.35.5/include/linux/suspend.h 2010-09-17 20:12:09.000000000 -0400
46573 @@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
46574 * which require special recovery actions in that situation.
46576 struct platform_suspend_ops {
46577 - int (*valid)(suspend_state_t state);
46578 - int (*begin)(suspend_state_t state);
46579 - int (*prepare)(void);
46580 - int (*prepare_late)(void);
46581 - int (*enter)(suspend_state_t state);
46582 - void (*wake)(void);
46583 - void (*finish)(void);
46584 - void (*end)(void);
46585 - void (*recover)(void);
46586 + int (* const valid)(suspend_state_t state);
46587 + int (* const begin)(suspend_state_t state);
46588 + int (* const prepare)(void);
46589 + int (* const prepare_late)(void);
46590 + int (* const enter)(suspend_state_t state);
46591 + void (* const wake)(void);
46592 + void (* const finish)(void);
46593 + void (* const end)(void);
46594 + void (* const recover)(void);
46597 #ifdef CONFIG_SUSPEND
46598 @@ -120,7 +120,7 @@ struct platform_suspend_ops {
46599 * suspend_set_ops - set platform dependent suspend operations
46600 * @ops: The new suspend operations to set.
46602 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
46603 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
46604 extern int suspend_valid_only_mem(suspend_state_t state);
46607 @@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
46608 #else /* !CONFIG_SUSPEND */
46609 #define suspend_valid_only_mem NULL
46611 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
46612 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
46613 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
46614 #endif /* !CONFIG_SUSPEND */
46616 @@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
46617 * platforms which require special recovery actions in that situation.
46619 struct platform_hibernation_ops {
46620 - int (*begin)(void);
46621 - void (*end)(void);
46622 - int (*pre_snapshot)(void);
46623 - void (*finish)(void);
46624 - int (*prepare)(void);
46625 - int (*enter)(void);
46626 - void (*leave)(void);
46627 - int (*pre_restore)(void);
46628 - void (*restore_cleanup)(void);
46629 - void (*recover)(void);
46630 + int (* const begin)(void);
46631 + void (* const end)(void);
46632 + int (* const pre_snapshot)(void);
46633 + void (* const finish)(void);
46634 + int (* const prepare)(void);
46635 + int (* const enter)(void);
46636 + void (* const leave)(void);
46637 + int (* const pre_restore)(void);
46638 + void (* const restore_cleanup)(void);
46639 + void (* const recover)(void);
46642 #ifdef CONFIG_HIBERNATION
46643 @@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
46644 extern void swsusp_unset_page_free(struct page *);
46645 extern unsigned long get_safe_page(gfp_t gfp_mask);
46647 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
46648 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
46649 extern int hibernate(void);
46650 extern bool system_entering_hibernation(void);
46651 #else /* CONFIG_HIBERNATION */
46652 @@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
46653 static inline void swsusp_set_page_free(struct page *p) {}
46654 static inline void swsusp_unset_page_free(struct page *p) {}
46656 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
46657 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
46658 static inline int hibernate(void) { return -ENOSYS; }
46659 static inline bool system_entering_hibernation(void) { return false; }
46660 #endif /* CONFIG_HIBERNATION */
46661 diff -urNp linux-2.6.35.5/include/linux/sysctl.h linux-2.6.35.5/include/linux/sysctl.h
46662 --- linux-2.6.35.5/include/linux/sysctl.h 2010-08-26 19:47:12.000000000 -0400
46663 +++ linux-2.6.35.5/include/linux/sysctl.h 2010-09-17 20:12:09.000000000 -0400
46664 @@ -155,7 +155,11 @@ enum
46665 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
46669 +#ifdef CONFIG_PAX_SOFTMODE
46671 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
46675 /* CTL_VM names: */
46677 diff -urNp linux-2.6.35.5/include/linux/sysfs.h linux-2.6.35.5/include/linux/sysfs.h
46678 --- linux-2.6.35.5/include/linux/sysfs.h 2010-08-26 19:47:12.000000000 -0400
46679 +++ linux-2.6.35.5/include/linux/sysfs.h 2010-09-17 20:12:09.000000000 -0400
46680 @@ -115,8 +115,8 @@ struct bin_attribute {
46681 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
46684 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
46685 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
46686 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
46687 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
46690 struct sysfs_dirent;
46691 diff -urNp linux-2.6.35.5/include/linux/thread_info.h linux-2.6.35.5/include/linux/thread_info.h
46692 --- linux-2.6.35.5/include/linux/thread_info.h 2010-08-26 19:47:12.000000000 -0400
46693 +++ linux-2.6.35.5/include/linux/thread_info.h 2010-09-17 20:12:09.000000000 -0400
46694 @@ -23,7 +23,7 @@ struct restart_block {
46696 /* For futex_wait and futex_wait_requeue_pi */
46699 + u32 __user *uaddr;
46703 diff -urNp linux-2.6.35.5/include/linux/tty.h linux-2.6.35.5/include/linux/tty.h
46704 --- linux-2.6.35.5/include/linux/tty.h 2010-08-26 19:47:12.000000000 -0400
46705 +++ linux-2.6.35.5/include/linux/tty.h 2010-09-17 20:12:09.000000000 -0400
46707 #include <linux/tty_driver.h>
46708 #include <linux/tty_ldisc.h>
46709 #include <linux/mutex.h>
46710 +#include <linux/poll.h>
46712 #include <asm/system.h>
46714 @@ -453,7 +454,6 @@ extern int tty_perform_flush(struct tty_
46715 extern dev_t tty_devnum(struct tty_struct *tty);
46716 extern void proc_clear_tty(struct task_struct *p);
46717 extern struct tty_struct *get_current_tty(void);
46718 -extern void tty_default_fops(struct file_operations *fops);
46719 extern struct tty_struct *alloc_tty_struct(void);
46720 extern void free_tty_struct(struct tty_struct *tty);
46721 extern void initialize_tty_struct(struct tty_struct *tty,
46722 @@ -514,6 +514,18 @@ extern void tty_ldisc_begin(void);
46723 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
46724 extern void tty_ldisc_enable(struct tty_struct *tty);
46727 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
46728 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
46729 +extern unsigned int tty_poll(struct file *, poll_table *);
46730 +#ifdef CONFIG_COMPAT
46731 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
46732 + unsigned long arg);
46734 +#define tty_compat_ioctl NULL
46736 +extern int tty_release(struct inode *, struct file *);
46737 +extern int tty_fasync(int fd, struct file *filp, int on);
46740 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
46741 diff -urNp linux-2.6.35.5/include/linux/tty_ldisc.h linux-2.6.35.5/include/linux/tty_ldisc.h
46742 --- linux-2.6.35.5/include/linux/tty_ldisc.h 2010-08-26 19:47:12.000000000 -0400
46743 +++ linux-2.6.35.5/include/linux/tty_ldisc.h 2010-09-17 20:12:09.000000000 -0400
46744 @@ -147,7 +147,7 @@ struct tty_ldisc_ops {
46746 struct module *owner;
46749 + atomic_t refcount;
46753 diff -urNp linux-2.6.35.5/include/linux/types.h linux-2.6.35.5/include/linux/types.h
46754 --- linux-2.6.35.5/include/linux/types.h 2010-08-26 19:47:12.000000000 -0400
46755 +++ linux-2.6.35.5/include/linux/types.h 2010-09-17 20:12:09.000000000 -0400
46756 @@ -191,10 +191,26 @@ typedef struct {
46760 +#ifdef CONFIG_PAX_REFCOUNT
46763 +} atomic_unchecked_t;
46765 +typedef atomic_t atomic_unchecked_t;
46768 #ifdef CONFIG_64BIT
46773 +#ifdef CONFIG_PAX_REFCOUNT
46776 +} atomic64_unchecked_t;
46778 +typedef atomic64_t atomic64_unchecked_t;
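Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced without a comment saying when a counter may use them instead of `atomic_t`. Judging by the `CONFIG_PAX_REFCOUNT` guard they appear to be the opt-out from overflow checking, so the rule a reviewer needs is something like `/* only for counters whose wraparound is harmless (statistics, sequence numbers); never for object-lifetime reference counts */`. Without it, conversions such as the `vm_stat` ones in the vmstat.h hunks cannot be told apart from a conversion that silently removes protection from a real reference count. Several lines of this hunk are not visible here.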
46783 diff -urNp linux-2.6.35.5/include/linux/uaccess.h linux-2.6.35.5/include/linux/uaccess.h
46784 --- linux-2.6.35.5/include/linux/uaccess.h 2010-08-26 19:47:12.000000000 -0400
46785 +++ linux-2.6.35.5/include/linux/uaccess.h 2010-09-17 20:12:09.000000000 -0400
46786 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
46788 mm_segment_t old_fs = get_fs(); \
46790 - set_fs(KERNEL_DS); \
46791 pagefault_disable(); \
46792 + set_fs(KERNEL_DS); \
46793 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
46794 - pagefault_enable(); \
46796 + pagefault_enable(); \
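Review bot: The reordering in this macro is not explained: `set_fs(KERNEL_DS)` now runs after `pagefault_disable()` and `pagefault_enable()` is moved to a later line, so the widened address limit appears to be held only while page faults are disabled. If that nesting is the intent, say so next to it, e.g. `/* keep the KERNEL_DS window inside the pagefault-disabled section */ \`, because the order is easy to undo in a later edit. The line that restores the old address limit is not visible in this hunk, so confirm that `pagefault_enable()` really ends up after it. The macro starts and ends outside the hunk.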
46800 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
46801 * Safely read from address @src to the buffer at @dst. If a kernel fault
46802 * happens, handle that and return -EFAULT.
46804 -extern long probe_kernel_read(void *dst, void *src, size_t size);
46805 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
46806 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
46807 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
46810 * probe_kernel_write(): safely attempt to write to a location
46811 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
46812 * Safely write to address @dst from the buffer at @src. If a kernel fault
46813 * happens, handle that and return -EFAULT.
46815 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
46816 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
46817 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
46818 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
46820 #endif /* __LINUX_UACCESS_H__ */
46821 diff -urNp linux-2.6.35.5/include/linux/usb/hcd.h linux-2.6.35.5/include/linux/usb/hcd.h
46822 --- linux-2.6.35.5/include/linux/usb/hcd.h 2010-08-26 19:47:12.000000000 -0400
46823 +++ linux-2.6.35.5/include/linux/usb/hcd.h 2010-09-17 20:12:09.000000000 -0400
46824 @@ -559,7 +559,7 @@ struct usb_mon_operations {
46825 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
46828 -extern struct usb_mon_operations *mon_ops;
46829 +extern const struct usb_mon_operations *mon_ops;
46831 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
46833 @@ -581,7 +581,7 @@ static inline void usbmon_urb_complete(s
46834 (*mon_ops->urb_complete)(bus, urb, status);
46837 -int usb_mon_register(struct usb_mon_operations *ops);
46838 +int usb_mon_register(const struct usb_mon_operations *ops);
46839 void usb_mon_deregister(void);
46842 diff -urNp linux-2.6.35.5/include/linux/vmalloc.h linux-2.6.35.5/include/linux/vmalloc.h
46843 --- linux-2.6.35.5/include/linux/vmalloc.h 2010-08-26 19:47:12.000000000 -0400
46844 +++ linux-2.6.35.5/include/linux/vmalloc.h 2010-09-17 20:12:09.000000000 -0400
46845 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
46846 #define VM_MAP 0x00000004 /* vmap()ed pages */
46847 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
46848 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
46850 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
46851 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
46854 /* bits [20..32] reserved for arch specific ioremap internals */
46857 @@ -121,4 +126,81 @@ struct vm_struct **pcpu_get_vm_areas(con
46859 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
46861 +#define vmalloc(x) \
46863 + void *___retval; \
46864 + intoverflow_t ___x = (intoverflow_t)x; \
46865 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
46866 + ___retval = NULL; \
46868 + ___retval = vmalloc((unsigned long)___x); \
46872 +#define __vmalloc(x, y, z) \
46874 + void *___retval; \
46875 + intoverflow_t ___x = (intoverflow_t)x; \
46876 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
46877 + ___retval = NULL; \
46879 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
46883 +#define vmalloc_user(x) \
46885 + void *___retval; \
46886 + intoverflow_t ___x = (intoverflow_t)x; \
46887 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
46888 + ___retval = NULL; \
46890 + ___retval = vmalloc_user((unsigned long)___x); \
46894 +#define vmalloc_exec(x) \
46896 + void *___retval; \
46897 + intoverflow_t ___x = (intoverflow_t)x; \
46898 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
46899 + ___retval = NULL; \
46901 + ___retval = vmalloc_exec((unsigned long)___x); \
46905 +#define vmalloc_node(x, y) \
46907 + void *___retval; \
46908 + intoverflow_t ___x = (intoverflow_t)x; \
46909 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
46910 + ___retval = NULL; \
46912 + ___retval = vmalloc_node((unsigned long)___x, (y));\
46916 +#define vmalloc_32(x) \
46918 + void *___retval; \
46919 + intoverflow_t ___x = (intoverflow_t)x; \
46920 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
46921 + ___retval = NULL; \
46923 + ___retval = vmalloc_32((unsigned long)___x); \
46927 +#define vmalloc_32_user(x) \
46929 + void *___retval; \
46930 + intoverflow_t ___x = (intoverflow_t)x; \
46931 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
46932 + ___retval = NULL; \
46934 + ___retval = vmalloc_32_user((unsigned long)___x);\
46938 #endif /* _LINUX_VMALLOC_H */
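Review bot: In all seven wrappers the size argument is cast as `(intoverflow_t)x` with no parentheses around `x`, and nothing says whether that is deliberate. It looks intentional: for a call like `vmalloc(n * size)` the cast binds to `n`, so the multiplication is carried out in the wider type and the `___x > ULONG_MAX` test can see the overflow, which `(intoverflow_t)(x)` would hide. That only helps when the first operand of the size expression is the one involved in the overflow (a size written as `a + b * c` still multiplies in the native width), and it depends on `intoverflow_t` being wider than `unsigned long`, which this hunk does not show. I would add a comment above the first macro stating both limits, and noting that the inner `vmalloc(...)` is the real function because a macro name is not expanded again inside its own body.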
46939 diff -urNp linux-2.6.35.5/include/linux/vmstat.h linux-2.6.35.5/include/linux/vmstat.h
46940 --- linux-2.6.35.5/include/linux/vmstat.h 2010-08-26 19:47:12.000000000 -0400
46941 +++ linux-2.6.35.5/include/linux/vmstat.h 2010-09-17 20:12:09.000000000 -0400
46942 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
46944 * Zone based page accounting with per cpu differentials.
46946 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46947 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46949 static inline void zone_page_state_add(long x, struct zone *zone,
46950 enum zone_stat_item item)
46952 - atomic_long_add(x, &zone->vm_stat[item]);
46953 - atomic_long_add(x, &vm_stat[item]);
46954 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
46955 + atomic_long_add_unchecked(x, &vm_stat[item]);
46958 static inline unsigned long global_page_state(enum zone_stat_item item)
46960 - long x = atomic_long_read(&vm_stat[item]);
46961 + long x = atomic_long_read_unchecked(&vm_stat[item]);
46965 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
46966 static inline unsigned long zone_page_state(struct zone *zone,
46967 enum zone_stat_item item)
46969 - long x = atomic_long_read(&zone->vm_stat[item]);
46970 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
46974 @@ -246,8 +246,8 @@ static inline void __mod_zone_page_state
46976 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
46978 - atomic_long_inc(&zone->vm_stat[item]);
46979 - atomic_long_inc(&vm_stat[item]);
46980 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
46981 + atomic_long_inc_unchecked(&vm_stat[item]);
46984 static inline void __inc_zone_page_state(struct page *page,
46985 @@ -258,8 +258,8 @@ static inline void __inc_zone_page_state
46987 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
46989 - atomic_long_dec(&zone->vm_stat[item]);
46990 - atomic_long_dec(&vm_stat[item]);
46991 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
46992 + atomic_long_dec_unchecked(&vm_stat[item]);
46995 static inline void __dec_zone_page_state(struct page *page,
46996 diff -urNp linux-2.6.35.5/include/net/irda/ircomm_tty.h linux-2.6.35.5/include/net/irda/ircomm_tty.h
46997 --- linux-2.6.35.5/include/net/irda/ircomm_tty.h 2010-08-26 19:47:12.000000000 -0400
46998 +++ linux-2.6.35.5/include/net/irda/ircomm_tty.h 2010-09-17 20:12:09.000000000 -0400
46999 @@ -105,8 +105,8 @@ struct ircomm_tty_cb {
47000 unsigned short close_delay;
47001 unsigned short closing_wait; /* time to wait before closing */
47004 - int blocked_open; /* # of blocked opens */
47005 + atomic_t open_count;
47006 + atomic_t blocked_open; /* # of blocked opens */
47008 /* Protect concurent access to :
47009 * o self->open_count
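Review bot: The comment directly below the changed fields still lists `self->open_count` as protected by the lock, although `open_count` and `blocked_open` are now `atomic_t`. Either the comment should say that the lock is still required for the open/close state transitions and the atomic type is there for another reason (presumably the overflow checking this patch attaches to `atomic_t`), or the entry should be dropped; as it stands a reader cannot tell which accesses need the lock. Every user of these two fields also has to switch to `atomic_read()`/`atomic_inc()`/`atomic_dec()`, and those call sites are outside this hunk. The comment block continues past the end of the hunk.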
47010 diff -urNp linux-2.6.35.5/include/net/neighbour.h linux-2.6.35.5/include/net/neighbour.h
47011 --- linux-2.6.35.5/include/net/neighbour.h 2010-08-26 19:47:12.000000000 -0400
47012 +++ linux-2.6.35.5/include/net/neighbour.h 2010-09-17 20:12:09.000000000 -0400
47013 @@ -116,12 +116,12 @@ struct neighbour {
47017 - void (*solicit)(struct neighbour *, struct sk_buff*);
47018 - void (*error_report)(struct neighbour *, struct sk_buff*);
47019 - int (*output)(struct sk_buff*);
47020 - int (*connected_output)(struct sk_buff*);
47021 - int (*hh_output)(struct sk_buff*);
47022 - int (*queue_xmit)(struct sk_buff*);
47023 + void (* const solicit)(struct neighbour *, struct sk_buff*);
47024 + void (* const error_report)(struct neighbour *, struct sk_buff*);
47025 + int (* const output)(struct sk_buff*);
47026 + int (* const connected_output)(struct sk_buff*);
47027 + int (* const hh_output)(struct sk_buff*);
47028 + int (* const queue_xmit)(struct sk_buff*);
47031 struct pneigh_entry {
47032 diff -urNp linux-2.6.35.5/include/net/sctp/sctp.h linux-2.6.35.5/include/net/sctp/sctp.h
47033 --- linux-2.6.35.5/include/net/sctp/sctp.h 2010-08-26 19:47:12.000000000 -0400
47034 +++ linux-2.6.35.5/include/net/sctp/sctp.h 2010-09-17 20:12:09.000000000 -0400
47035 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
47037 #else /* SCTP_DEBUG */
47039 -#define SCTP_DEBUG_PRINTK(whatever...)
47040 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
47041 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
47042 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
47043 #define SCTP_ENABLE_DEBUG
47044 #define SCTP_DISABLE_DEBUG
47045 #define SCTP_ASSERT(expr, str, func)
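Review bot: Only the two PRINTK macros get a `do {} while (0)` body; `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` in the same `#else` branch still expand to nothing. For consistency give them the same body, e.g. `#define SCTP_ASSERT(expr, str, func) do {} while (0)`, so every no-op debug macro behaves as a single statement and an `if (...) SCTP_ASSERT(...);` does not leave an empty body behind.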
47046 diff -urNp linux-2.6.35.5/include/net/tcp.h linux-2.6.35.5/include/net/tcp.h
47047 --- linux-2.6.35.5/include/net/tcp.h 2010-08-26 19:47:12.000000000 -0400
47048 +++ linux-2.6.35.5/include/net/tcp.h 2010-09-17 20:12:09.000000000 -0400
47049 @@ -1404,6 +1404,7 @@ enum tcp_seq_states {
47050 struct tcp_seq_afinfo {
47052 sa_family_t family;
47053 + /* cannot be const */
47054 struct file_operations seq_fops;
47055 struct seq_operations seq_ops;
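Review bot: `/* cannot be const */` does not say why, and for a struct that embeds a writable `struct file_operations` the reason is exactly what a reviewer needs. State it in the comment, presumably that the registration code assigns members of `seq_fops`/`seq_ops` at run time, e.g. `/* cannot be const: members are assigned at registration time */`, after confirming that against the code that registers the afinfo. The same bare comment is added to `struct udp_seq_afinfo` in the udp.h hunk. Function-pointer tables that have to stay writable are worth listing together so they can be revisited later.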
47057 diff -urNp linux-2.6.35.5/include/net/udp.h linux-2.6.35.5/include/net/udp.h
47058 --- linux-2.6.35.5/include/net/udp.h 2010-08-26 19:47:12.000000000 -0400
47059 +++ linux-2.6.35.5/include/net/udp.h 2010-09-17 20:12:09.000000000 -0400
47060 @@ -221,6 +221,7 @@ struct udp_seq_afinfo {
47062 sa_family_t family;
47063 struct udp_table *udp_table;
47064 + /* cannot be const */
47065 struct file_operations seq_fops;
47066 struct seq_operations seq_ops;
47068 diff -urNp linux-2.6.35.5/include/sound/ac97_codec.h linux-2.6.35.5/include/sound/ac97_codec.h
47069 --- linux-2.6.35.5/include/sound/ac97_codec.h 2010-08-26 19:47:12.000000000 -0400
47070 +++ linux-2.6.35.5/include/sound/ac97_codec.h 2010-09-17 20:12:09.000000000 -0400
47071 @@ -419,15 +419,15 @@
47074 struct snd_ac97_build_ops {
47075 - int (*build_3d) (struct snd_ac97 *ac97);
47076 - int (*build_specific) (struct snd_ac97 *ac97);
47077 - int (*build_spdif) (struct snd_ac97 *ac97);
47078 - int (*build_post_spdif) (struct snd_ac97 *ac97);
47079 + int (* const build_3d) (struct snd_ac97 *ac97);
47080 + int (* const build_specific) (struct snd_ac97 *ac97);
47081 + int (* const build_spdif) (struct snd_ac97 *ac97);
47082 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
47084 - void (*suspend) (struct snd_ac97 *ac97);
47085 - void (*resume) (struct snd_ac97 *ac97);
47086 + void (* const suspend) (struct snd_ac97 *ac97);
47087 + void (* const resume) (struct snd_ac97 *ac97);
47089 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
47090 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
47093 struct snd_ac97_bus_ops {
47094 @@ -477,7 +477,7 @@ struct snd_ac97_template {
47097 /* -- lowlevel (hardware) driver specific -- */
47098 - struct snd_ac97_build_ops * build_ops;
47099 + const struct snd_ac97_build_ops * build_ops;
47100 void *private_data;
47101 void (*private_free) (struct snd_ac97 *ac97);
47103 diff -urNp linux-2.6.35.5/include/trace/events/irq.h linux-2.6.35.5/include/trace/events/irq.h
47104 --- linux-2.6.35.5/include/trace/events/irq.h 2010-08-26 19:47:12.000000000 -0400
47105 +++ linux-2.6.35.5/include/trace/events/irq.h 2010-09-17 20:12:09.000000000 -0400
47108 TRACE_EVENT(irq_handler_entry,
47110 - TP_PROTO(int irq, struct irqaction *action),
47111 + TP_PROTO(int irq, const struct irqaction *action),
47113 TP_ARGS(irq, action),
47115 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
47117 TRACE_EVENT(irq_handler_exit,
47119 - TP_PROTO(int irq, struct irqaction *action, int ret),
47120 + TP_PROTO(int irq, const struct irqaction *action, int ret),
47122 TP_ARGS(irq, action, ret),
47124 @@ -84,7 +84,7 @@ TRACE_EVENT(irq_handler_exit,
47126 DECLARE_EVENT_CLASS(softirq,
47128 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47129 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47133 @@ -113,7 +113,7 @@ DECLARE_EVENT_CLASS(softirq,
47135 DEFINE_EVENT(softirq, softirq_entry,
47137 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47138 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47142 @@ -131,7 +131,7 @@ DEFINE_EVENT(softirq, softirq_entry,
47144 DEFINE_EVENT(softirq, softirq_exit,
47146 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47147 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47151 diff -urNp linux-2.6.35.5/include/video/uvesafb.h linux-2.6.35.5/include/video/uvesafb.h
47152 --- linux-2.6.35.5/include/video/uvesafb.h 2010-08-26 19:47:12.000000000 -0400
47153 +++ linux-2.6.35.5/include/video/uvesafb.h 2010-09-17 20:12:09.000000000 -0400
47154 @@ -177,6 +177,7 @@ struct uvesafb_par {
47155 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
47156 u8 pmi_setpal; /* PMI for palette changes */
47157 u16 *pmi_base; /* protected mode interface location */
47158 + u8 *pmi_code; /* protected mode code location */
47161 u8 *vbe_state_orig; /*
47162 diff -urNp linux-2.6.35.5/init/do_mounts.c linux-2.6.35.5/init/do_mounts.c
47163 --- linux-2.6.35.5/init/do_mounts.c 2010-08-26 19:47:12.000000000 -0400
47164 +++ linux-2.6.35.5/init/do_mounts.c 2010-09-17 20:12:09.000000000 -0400
47165 @@ -217,11 +217,11 @@ static void __init get_fs_names(char *pa
47167 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
47169 - int err = sys_mount(name, "/root", fs, flags, data);
47170 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
47174 - sys_chdir("/root");
47175 + sys_chdir((__force char __user *)"/root");
47176 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
47177 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
47178 current->fs->pwd.mnt->mnt_sb->s_type->name,
47179 @@ -312,18 +312,18 @@ void __init change_floppy(char *fmt, ...
47180 va_start(args, fmt);
47181 vsprintf(buf, fmt, args);
47183 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
47184 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
47186 sys_ioctl(fd, FDEJECT, 0);
47189 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
47190 - fd = sys_open("/dev/console", O_RDWR, 0);
47191 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
47193 sys_ioctl(fd, TCGETS, (long)&termios);
47194 termios.c_lflag &= ~ICANON;
47195 sys_ioctl(fd, TCSETSF, (long)&termios);
47196 - sys_read(fd, &c, 1);
47197 + sys_read(fd, (char __user *)&c, 1);
47198 termios.c_lflag |= ICANON;
47199 sys_ioctl(fd, TCSETSF, (long)&termios);
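Review bot: Two casts in this hunk omit `__force`: `sys_open((char __user *)"/dev/root", ...)` and `sys_read(fd, (char __user *)&c, 1)`, while every other conversion in this file and in the initrd, md and initramfs hunks is written `(__force ... __user *)`. A plain cast from a kernel pointer to a `__user` pointer is the kind of address-space change sparse is expected to report, so these two lines would keep warning; write them as `sys_open((__force const char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (__force char __user *)&c, 1);`. The patch also mixes `char` and `const char` targets for string literals (compare `sys_chdir` in do_mount_root with the one in handle_initrd); prefer `const` wherever the syscall prototype accepts it. change_floppy's body starts and ends outside the hunk.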
47201 @@ -417,6 +417,6 @@ void __init prepare_namespace(void)
47204 devtmpfs_mount("dev");
47205 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
47207 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
47208 + sys_chroot((__force char __user *)".");
47210 diff -urNp linux-2.6.35.5/init/do_mounts.h linux-2.6.35.5/init/do_mounts.h
47211 --- linux-2.6.35.5/init/do_mounts.h 2010-08-26 19:47:12.000000000 -0400
47212 +++ linux-2.6.35.5/init/do_mounts.h 2010-09-17 20:12:09.000000000 -0400
47213 @@ -15,15 +15,15 @@ extern int root_mountflags;
47215 static inline int create_dev(char *name, dev_t dev)
47217 - sys_unlink(name);
47218 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
47219 + sys_unlink((__force char __user *)name);
47220 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
47223 #if BITS_PER_LONG == 32
47224 static inline u32 bstat(char *name)
47226 struct stat64 stat;
47227 - if (sys_stat64(name, &stat) != 0)
47228 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
47230 if (!S_ISBLK(stat.st_mode))
47232 diff -urNp linux-2.6.35.5/init/do_mounts_initrd.c linux-2.6.35.5/init/do_mounts_initrd.c
47233 --- linux-2.6.35.5/init/do_mounts_initrd.c 2010-08-26 19:47:12.000000000 -0400
47234 +++ linux-2.6.35.5/init/do_mounts_initrd.c 2010-09-17 20:12:09.000000000 -0400
47235 @@ -43,13 +43,13 @@ static void __init handle_initrd(void)
47236 create_dev("/dev/root.old", Root_RAM0);
47237 /* mount initrd on rootfs' /root */
47238 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
47239 - sys_mkdir("/old", 0700);
47240 - root_fd = sys_open("/", 0, 0);
47241 - old_fd = sys_open("/old", 0, 0);
47242 + sys_mkdir((__force const char __user *)"/old", 0700);
47243 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
47244 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
47245 /* move initrd over / and chdir/chroot in initrd root */
47246 - sys_chdir("/root");
47247 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
47249 + sys_chdir((__force const char __user *)"/root");
47250 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
47251 + sys_chroot((__force const char __user *)".");
47254 * In case that a resume from disk is carried out by linuxrc or one of
47255 @@ -66,15 +66,15 @@ static void __init handle_initrd(void)
47257 /* move initrd to rootfs' /old */
47258 sys_fchdir(old_fd);
47259 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
47260 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
47261 /* switch root and cwd back to / of rootfs */
47262 sys_fchdir(root_fd);
47264 + sys_chroot((__force const char __user *)".");
47266 sys_close(root_fd);
47268 if (new_decode_dev(real_root_dev) == Root_RAM0) {
47269 - sys_chdir("/old");
47270 + sys_chdir((__force const char __user *)"/old");
47274 @@ -82,17 +82,17 @@ static void __init handle_initrd(void)
47277 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
47278 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
47279 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
47283 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
47284 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
47285 if (error == -ENOENT)
47286 printk("/initrd does not exist. Ignored.\n");
47288 printk("failed\n");
47289 printk(KERN_NOTICE "Unmounting old root\n");
47290 - sys_umount("/old", MNT_DETACH);
47291 + sys_umount((__force char __user *)"/old", MNT_DETACH);
47292 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
47295 @@ -115,11 +115,11 @@ int __init initrd_load(void)
47296 * mounted in the normal path.
47298 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
47299 - sys_unlink("/initrd.image");
47300 + sys_unlink((__force const char __user *)"/initrd.image");
47305 - sys_unlink("/initrd.image");
47306 + sys_unlink((__force const char __user *)"/initrd.image");
47309 diff -urNp linux-2.6.35.5/init/do_mounts_md.c linux-2.6.35.5/init/do_mounts_md.c
47310 --- linux-2.6.35.5/init/do_mounts_md.c 2010-08-26 19:47:12.000000000 -0400
47311 +++ linux-2.6.35.5/init/do_mounts_md.c 2010-09-17 20:12:09.000000000 -0400
47312 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
47313 partitioned ? "_d" : "", minor,
47314 md_setup_args[ent].device_names);
47316 - fd = sys_open(name, 0, 0);
47317 + fd = sys_open((__force char __user *)name, 0, 0);
47319 printk(KERN_ERR "md: open failed - cannot start "
47320 "array %s\n", name);
47321 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
47325 - fd = sys_open(name, 0, 0);
47326 + fd = sys_open((__force char __user *)name, 0, 0);
47327 sys_ioctl(fd, BLKRRPART, 0);
47330 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
47332 wait_for_device_probe();
47334 - fd = sys_open("/dev/md0", 0, 0);
47335 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
47337 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
47339 diff -urNp linux-2.6.35.5/init/initramfs.c linux-2.6.35.5/init/initramfs.c
47340 --- linux-2.6.35.5/init/initramfs.c 2010-08-26 19:47:12.000000000 -0400
47341 +++ linux-2.6.35.5/init/initramfs.c 2010-09-17 20:12:09.000000000 -0400
47342 @@ -74,7 +74,7 @@ static void __init free_hash(void)
47346 -static long __init do_utime(char __user *filename, time_t mtime)
47347 +static long __init do_utime(__force char __user *filename, time_t mtime)
47349 struct timespec t[2];
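Review bot: `__force` is placed on the parameter declaration of `do_utime` (`__force char __user *filename`), but it is an annotation meant for casts, and every caller in this patch already casts with `(__force char __user *)`. On a declaration it gives the reader nothing to rely on and suggests that the function itself performs the address-space conversion. Keep the original `static long __init do_utime(char __user *filename, time_t mtime)` and leave the conversion at the call sites. The function body continues outside the hunk.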
47351 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
47352 struct dir_entry *de, *tmp;
47353 list_for_each_entry_safe(de, tmp, &dir_list, list) {
47354 list_del(&de->list);
47355 - do_utime(de->name, de->mtime);
47356 + do_utime((__force char __user *)de->name, de->mtime);
47360 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
47362 char *old = find_link(major, minor, ino, mode, collected);
47364 - return (sys_link(old, collected) < 0) ? -1 : 1;
47365 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
47369 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
47373 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
47374 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
47375 if (S_ISDIR(st.st_mode))
47377 + sys_rmdir((__force char __user *)path);
47379 - sys_unlink(path);
47380 + sys_unlink((__force char __user *)path);
47384 @@ -305,7 +305,7 @@ static int __init do_name(void)
47385 int openflags = O_WRONLY|O_CREAT;
47387 openflags |= O_TRUNC;
47388 - wfd = sys_open(collected, openflags, mode);
47389 + wfd = sys_open((__force char __user *)collected, openflags, mode);
47392 sys_fchown(wfd, uid, gid);
47393 @@ -317,17 +317,17 @@ static int __init do_name(void)
47396 } else if (S_ISDIR(mode)) {
47397 - sys_mkdir(collected, mode);
47398 - sys_chown(collected, uid, gid);
47399 - sys_chmod(collected, mode);
47400 + sys_mkdir((__force char __user *)collected, mode);
47401 + sys_chown((__force char __user *)collected, uid, gid);
47402 + sys_chmod((__force char __user *)collected, mode);
47403 dir_add(collected, mtime);
47404 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
47405 S_ISFIFO(mode) || S_ISSOCK(mode)) {
47406 if (maybe_link() == 0) {
47407 - sys_mknod(collected, mode, rdev);
47408 - sys_chown(collected, uid, gid);
47409 - sys_chmod(collected, mode);
47410 - do_utime(collected, mtime);
47411 + sys_mknod((__force char __user *)collected, mode, rdev);
47412 + sys_chown((__force char __user *)collected, uid, gid);
47413 + sys_chmod((__force char __user *)collected, mode);
47414 + do_utime((__force char __user *)collected, mtime);
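Review bot: The cast `(__force char __user *)collected` is written out seven times in this hunk and again in the do_symlink, clean_path and maybe_link hunks, and nowhere is it explained why handing a kernel buffer to the `sys_*` entry points is valid in this file. One file-local helper with a comment would carry that explanation once, e.g. `static inline char __user *init_uptr(char *p) { return (__force char __user *)p; }` (name is only a suggestion), preceded by a line stating the assumption about the address limit in effect while the initramfs is unpacked. That also keeps a future call site from being added with a bare cast or none at all. do_name's body starts and ends outside the hunk.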
47418 @@ -336,15 +336,15 @@ static int __init do_name(void)
47419 static int __init do_copy(void)
47421 if (count >= body_len) {
47422 - sys_write(wfd, victim, body_len);
47423 + sys_write(wfd, (__force char __user *)victim, body_len);
47425 - do_utime(vcollected, mtime);
47426 + do_utime((__force char __user *)vcollected, mtime);
47432 - sys_write(wfd, victim, count);
47433 + sys_write(wfd, (__force char __user *)victim, count);
47437 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
47439 collected[N_ALIGN(name_len) + body_len] = '\0';
47440 clean_path(collected, 0);
47441 - sys_symlink(collected + N_ALIGN(name_len), collected);
47442 - sys_lchown(collected, uid, gid);
47443 - do_utime(collected, mtime);
47444 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
47445 + sys_lchown((__force char __user *)collected, uid, gid);
47446 + do_utime((__force char __user *)collected, mtime);
47448 next_state = Reset;
47450 diff -urNp linux-2.6.35.5/init/Kconfig linux-2.6.35.5/init/Kconfig
47451 --- linux-2.6.35.5/init/Kconfig 2010-08-26 19:47:12.000000000 -0400
47452 +++ linux-2.6.35.5/init/Kconfig 2010-09-17 20:12:09.000000000 -0400
47453 @@ -1063,7 +1063,7 @@ config SLUB_DEBUG
47456 bool "Disable heap randomization"
47460 Randomizing heap placement makes heap exploits harder, but it
47461 also breaks ancient binaries (including anything libc5 based).
47462 diff -urNp linux-2.6.35.5/init/main.c linux-2.6.35.5/init/main.c
47463 --- linux-2.6.35.5/init/main.c 2010-08-26 19:47:12.000000000 -0400
47464 +++ linux-2.6.35.5/init/main.c 2010-09-17 20:12:37.000000000 -0400
47465 @@ -98,6 +98,7 @@ static inline void mark_rodata_ro(void)
47467 extern void tc_init(void);
47469 +extern void grsecurity_init(void);
47471 enum system_states system_state __read_mostly;
47472 EXPORT_SYMBOL(system_state);
47473 @@ -200,6 +201,50 @@ static int __init set_reset_devices(char
47475 __setup("reset_devices", set_reset_devices);
47477 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
47478 +extern void pax_enter_kernel_user(void);
47479 +extern void pax_exit_kernel_user(void);
47480 +extern pgdval_t clone_pgd_mask;
47483 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
47484 +static int __init setup_pax_nouderef(char *str)
47486 +#ifdef CONFIG_X86_32
47487 + unsigned int cpu;
47489 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
47490 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
47491 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
47493 + asm("mov %0, %%ds" : : "r" (__KERNEL_DS) : "memory");
47494 + asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory");
47495 + asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
47498 + p = (char *)pax_enter_kernel_user;
47500 + p = (char *)pax_exit_kernel_user;
47502 + clone_pgd_mask = ~(pgdval_t)0UL;
47507 +early_param("pax_nouderef", setup_pax_nouderef);
47510 +#ifdef CONFIG_PAX_SOFTMODE
47511 +unsigned int pax_softmode;
47513 +static int __init setup_pax_softmode(char *str)
47515 + get_option(&str, &pax_softmode);
47518 +__setup("pax_softmode=", setup_pax_softmode);
47521 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
47522 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
47523 static const char *panic_later, *panic_param;
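Review bot: `pax_nouderef` and `pax_softmode=` look like switches that relax a protection from the kernel command line, yet neither handler visible in this hunk logs that it did so. Add a boot message in each, e.g. `printk(KERN_INFO "PAX: UDEREF disabled by pax_nouderef\n");`, so the weakened state shows up in dmesg for whoever audits the host's boot configuration. Separately, `pax_softmode` is declared `unsigned int` while `get_option()` takes an `int *`, so `get_option(&str, &pax_softmode)` passes a pointer of the wrong signedness; parse into a local `int` and assign it. Parts of both functions are not visible here.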
47524 @@ -725,52 +770,53 @@ int initcall_debug;
47525 core_param(initcall_debug, initcall_debug, bool, 0644);
47527 static char msgbuf[64];
47528 -static struct boot_trace_call call;
47529 -static struct boot_trace_ret ret;
47530 +static struct boot_trace_call trace_call;
47531 +static struct boot_trace_ret trace_ret;
47533 int do_one_initcall(initcall_t fn)
47535 int count = preempt_count();
47536 ktime_t calltime, delta, rettime;
47537 + const char *msg1 = "", *msg2 = "";
47539 if (initcall_debug) {
47540 - call.caller = task_pid_nr(current);
47541 - printk("calling %pF @ %i\n", fn, call.caller);
47542 + trace_call.caller = task_pid_nr(current);
47543 + printk("calling %pF @ %i\n", fn, trace_call.caller);
47544 calltime = ktime_get();
47545 - trace_boot_call(&call, fn);
47546 + trace_boot_call(&trace_call, fn);
47547 enable_boot_trace();
47550 - ret.result = fn();
47551 + trace_ret.result = fn();
47553 if (initcall_debug) {
47554 disable_boot_trace();
47555 rettime = ktime_get();
47556 delta = ktime_sub(rettime, calltime);
47557 - ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
47558 - trace_boot_ret(&ret, fn);
47559 + trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
47560 + trace_boot_ret(&trace_ret, fn);
47561 printk("initcall %pF returned %d after %Ld usecs\n", fn,
47562 - ret.result, ret.duration);
47563 + trace_ret.result, trace_ret.duration);
47568 - if (ret.result && ret.result != -ENODEV && initcall_debug)
47569 - sprintf(msgbuf, "error code %d ", ret.result);
47570 + if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
47571 + sprintf(msgbuf, "error code %d ", trace_ret.result);
47573 if (preempt_count() != count) {
47574 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
47575 + msg1 = " preemption imbalance";
47576 preempt_count() = count;
47578 if (irqs_disabled()) {
47579 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
47580 + msg2 = " disabled interrupts";
47581 local_irq_enable();
47584 - printk("initcall %pF returned with %s\n", fn, msgbuf);
47585 + if (msgbuf[0] || *msg1 || *msg2) {
47586 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
47589 - return ret.result;
47590 + return trace_ret.result;
47594 @@ -902,7 +948,7 @@ static int __init kernel_init(void * unu
47597 /* Open the /dev/console on the rootfs, this should never fail */
47598 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
47599 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
47600 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
47603 @@ -915,11 +961,13 @@ static int __init kernel_init(void * unu
47604 if (!ramdisk_execute_command)
47605 ramdisk_execute_command = "/init";
47607 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
47608 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
47609 ramdisk_execute_command = NULL;
47610 prepare_namespace();
47613 + grsecurity_init();
47616 * Ok, we have completed the initial bootup, and
47617 * we're essentially up and running. Get rid of the
47618 diff -urNp linux-2.6.35.5/init/noinitramfs.c linux-2.6.35.5/init/noinitramfs.c
47619 --- linux-2.6.35.5/init/noinitramfs.c 2010-08-26 19:47:12.000000000 -0400
47620 +++ linux-2.6.35.5/init/noinitramfs.c 2010-09-17 20:12:09.000000000 -0400
47621 @@ -29,17 +29,17 @@ static int __init default_rootfs(void)
47625 - err = sys_mkdir("/dev", 0755);
47626 + err = sys_mkdir((const char __user *)"/dev", 0755);
47630 - err = sys_mknod((const char __user *) "/dev/console",
47631 + err = sys_mknod((__force const char __user *) "/dev/console",
47632 S_IFCHR | S_IRUSR | S_IWUSR,
47633 new_encode_dev(MKDEV(5, 1)));
47637 - err = sys_mkdir("/root", 0700);
47638 + err = sys_mkdir((const char __user *)"/root", 0700);
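Review bot: The two `sys_mkdir()` casts added here omit `__force`, while the `sys_mknod()` cast in the same hunk and the `sys_open()`/`sys_access()` casts in init/main.c all use `(__force const char __user *)`. Without `__force`, sparse still reports the address-space change, so the annotation is incomplete for these two calls. Write them as `sys_mkdir((__force const char __user *)"/dev", 0755)` and likewise for `"/root"`. default_rootfs() starts and ends outside the hunk.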
47642 diff -urNp linux-2.6.35.5/ipc/mqueue.c linux-2.6.35.5/ipc/mqueue.c
47643 --- linux-2.6.35.5/ipc/mqueue.c 2010-08-26 19:47:12.000000000 -0400
47644 +++ linux-2.6.35.5/ipc/mqueue.c 2010-09-17 20:12:37.000000000 -0400
47645 @@ -153,6 +153,7 @@ static struct inode *mqueue_get_inode(st
47646 mq_bytes = (mq_msg_tblsz +
47647 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
47649 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
47650 spin_lock(&mq_lock);
47651 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
47652 u->mq_bytes + mq_bytes >
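Review bot: The added `gr_learn_resource()` call reads `u->mq_bytes` before `spin_lock(&mq_lock)` is taken and before the wrap-around test on the next lines. The value it records can therefore be stale or already wrapped, unlike the value the limit check sees. If that is acceptable because the figure only feeds policy learning, say so next to the call: `/* unlocked snapshot for learning only; the enforced RLIMIT_MSGQUEUE check is below, under mq_lock */`. If the learned value must match what is enforced, the read needs to happen under the lock instead. mqueue_get_inode() continues outside the hunk.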
47653 diff -urNp linux-2.6.35.5/ipc/shm.c linux-2.6.35.5/ipc/shm.c
47654 --- linux-2.6.35.5/ipc/shm.c 2010-08-26 19:47:12.000000000 -0400
47655 +++ linux-2.6.35.5/ipc/shm.c 2010-09-17 20:12:37.000000000 -0400
47656 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
47657 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
47660 +#ifdef CONFIG_GRKERNSEC
47661 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
47662 + const time_t shm_createtime, const uid_t cuid,
47663 + const int shmid);
47664 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
47665 + const time_t shm_createtime);
47668 void shm_init_ns(struct ipc_namespace *ns)
47670 ns->shm_ctlmax = SHMMAX;
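Review bot: The prototypes for `gr_handle_shmat()` and `gr_chroot_shmat()` are declared directly in shm.c rather than in a shared header, so the compiler cannot check them against the definitions and a later signature change would go unnoticed. The same pattern appears in kernel/exit.c with `extern rwlock_t grsec_exec_file_lock;`. Moving these declarations into the header that the other `gr_*` hooks in this patch evidently come from (they are called elsewhere without local declarations) would remove the `#ifdef` block here and keep the argument order, which has three same-typed leading parameters, verified in one place.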
47671 @@ -395,6 +403,14 @@ static int newseg(struct ipc_namespace *
47672 shp->shm_lprid = 0;
47673 shp->shm_atim = shp->shm_dtim = 0;
47674 shp->shm_ctim = get_seconds();
47675 +#ifdef CONFIG_GRKERNSEC
47677 + struct timespec timeval;
47678 + do_posix_clock_monotonic_gettime(&timeval);
47680 + shp->shm_createtime = timeval.tv_sec;
47683 shp->shm_segsz = size;
47684 shp->shm_nattch = 0;
47685 shp->shm_file = file;
47686 @@ -877,9 +893,21 @@ long do_shmat(int shmid, char __user *sh
47690 +#ifdef CONFIG_GRKERNSEC
47691 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
47692 + shp->shm_perm.cuid, shmid) ||
47693 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
47699 path = shp->shm_file->f_path;
47702 +#ifdef CONFIG_GRKERNSEC
47703 + shp->shm_lapid = current->pid;
47705 size = i_size_read(path.dentry->d_inode);
47708 diff -urNp linux-2.6.35.5/kernel/acct.c linux-2.6.35.5/kernel/acct.c
47709 --- linux-2.6.35.5/kernel/acct.c 2010-08-26 19:47:12.000000000 -0400
47710 +++ linux-2.6.35.5/kernel/acct.c 2010-09-17 20:12:09.000000000 -0400
47711 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
47713 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
47714 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
47715 - file->f_op->write(file, (char *)&ac,
47716 + file->f_op->write(file, (__force char __user *)&ac,
47717 sizeof(acct_t), &file->f_pos);
47718 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
47720 diff -urNp linux-2.6.35.5/kernel/capability.c linux-2.6.35.5/kernel/capability.c
47721 --- linux-2.6.35.5/kernel/capability.c 2010-08-26 19:47:12.000000000 -0400
47722 +++ linux-2.6.35.5/kernel/capability.c 2010-09-17 20:12:37.000000000 -0400
47723 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
47724 * before modification is attempted and the application
47727 + if (tocopy > ARRAY_SIZE(kdata))
47730 if (copy_to_user(dataptr, kdata, tocopy
47731 * sizeof(struct __user_cap_data_struct))) {
47733 @@ -306,10 +309,21 @@ int capable(int cap)
47737 - if (security_capable(cap) == 0) {
47738 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
47739 + current->flags |= PF_SUPERPRIV;
47745 +int capable_nolog(int cap)
47747 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
47748 current->flags |= PF_SUPERPRIV;
47754 EXPORT_SYMBOL(capable);
47755 +EXPORT_SYMBOL(capable_nolog);
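Review bot: `capable_nolog()` is added and exported without any comment explaining when a caller may skip the logging that `gr_is_capable()` presumably performs. As far as the listing shows, it repeats `capable()`'s body with only the predicate changed. A kernel-doc block should state the contract, for example `/* capable_nolog - like capable(), but the grsecurity check does not log; use only for probes that are expected to fail routinely */`. It is also worth considering whether the symbol needs to be exported to modules at all. A small static helper that takes the grsecurity verdict as an argument would keep the two functions from drifting apart.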
47756 diff -urNp linux-2.6.35.5/kernel/compat.c linux-2.6.35.5/kernel/compat.c
47757 --- linux-2.6.35.5/kernel/compat.c 2010-09-20 17:33:09.000000000 -0400
47758 +++ linux-2.6.35.5/kernel/compat.c 2010-09-17 20:12:37.000000000 -0400
47761 #include <linux/linkage.h>
47762 #include <linux/compat.h>
47763 +#include <linux/module.h>
47764 #include <linux/errno.h>
47765 #include <linux/time.h>
47766 #include <linux/signal.h>
47767 diff -urNp linux-2.6.35.5/kernel/configs.c linux-2.6.35.5/kernel/configs.c
47768 --- linux-2.6.35.5/kernel/configs.c 2010-08-26 19:47:12.000000000 -0400
47769 +++ linux-2.6.35.5/kernel/configs.c 2010-09-17 20:12:37.000000000 -0400
47770 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
47771 struct proc_dir_entry *entry;
47773 /* create the current config file */
47774 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
47775 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
47776 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
47777 + &ikconfig_file_ops);
47778 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47779 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
47780 + &ikconfig_file_ops);
47783 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
47784 &ikconfig_file_ops);
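Review bot: The inner `#if ... #elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` chain has no visible fallback branch. If `CONFIG_GRKERNSEC_PROC_ADD` could ever be enabled without `PROC_USER`, `PROC_USERGROUP` or `HIDESYM`, no `proc_create()` would be compiled in and `entry` would be used unassigned. Kconfig dependencies presumably rule that combination out, but nothing in this file says so. An explicit inner `#else` with `#error "GRKERNSEC_PROC_ADD requires PROC_USER or PROC_USERGROUP"` would make the assumption checkable. A one-line comment that config.gz is restricted because it reveals which hardening options are built in would also document the intent. ikconfig_init() continues outside the hunk.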
47790 diff -urNp linux-2.6.35.5/kernel/cred.c linux-2.6.35.5/kernel/cred.c
47791 --- linux-2.6.35.5/kernel/cred.c 2010-08-26 19:47:12.000000000 -0400
47792 +++ linux-2.6.35.5/kernel/cred.c 2010-09-17 20:12:37.000000000 -0400
47793 @@ -489,6 +489,8 @@ int commit_creds(struct cred *new)
47795 get_cred(new); /* we will require a ref for the subj creds too */
47797 + gr_set_role_label(task, new->uid, new->gid);
47799 /* dumpability changes */
47800 if (old->euid != new->euid ||
47801 old->egid != new->egid ||
47802 diff -urNp linux-2.6.35.5/kernel/debug/debug_core.c linux-2.6.35.5/kernel/debug/debug_core.c
47803 --- linux-2.6.35.5/kernel/debug/debug_core.c 2010-08-26 19:47:12.000000000 -0400
47804 +++ linux-2.6.35.5/kernel/debug/debug_core.c 2010-09-17 20:12:09.000000000 -0400
47805 @@ -71,7 +71,7 @@ int kgdb_io_module_registered;
47806 /* Guard for recursive entry */
47807 static int exception_level;
47809 -struct kgdb_io *dbg_io_ops;
47810 +const struct kgdb_io *dbg_io_ops;
47811 static DEFINE_SPINLOCK(kgdb_registration_lock);
47813 /* kgdb console driver is loaded */
47814 @@ -871,7 +871,7 @@ static void kgdb_initial_breakpoint(void
47816 * Register it with the KGDB core.
47818 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
47819 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
47823 @@ -916,7 +916,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
47825 * Unregister it with the KGDB core.
47827 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
47828 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
47830 BUG_ON(kgdb_connected);
47832 diff -urNp linux-2.6.35.5/kernel/debug/kdb/kdb_main.c linux-2.6.35.5/kernel/debug/kdb/kdb_main.c
47833 --- linux-2.6.35.5/kernel/debug/kdb/kdb_main.c 2010-08-26 19:47:12.000000000 -0400
47834 +++ linux-2.6.35.5/kernel/debug/kdb/kdb_main.c 2010-09-17 20:12:09.000000000 -0400
47835 @@ -1872,7 +1872,7 @@ static int kdb_lsmod(int argc, const cha
47836 list_for_each_entry(mod, kdb_modules, list) {
47838 kdb_printf("%-20s%8u 0x%p ", mod->name,
47839 - mod->core_size, (void *)mod);
47840 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
47841 #ifdef CONFIG_MODULE_UNLOAD
47842 kdb_printf("%4d ", module_refcount(mod));
47844 @@ -1882,7 +1882,7 @@ static int kdb_lsmod(int argc, const cha
47845 kdb_printf(" (Loading)");
47847 kdb_printf(" (Live)");
47848 - kdb_printf(" 0x%p", mod->module_core);
47849 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
47851 #ifdef CONFIG_MODULE_UNLOAD
47853 diff -urNp linux-2.6.35.5/kernel/exit.c linux-2.6.35.5/kernel/exit.c
47854 --- linux-2.6.35.5/kernel/exit.c 2010-08-26 19:47:12.000000000 -0400
47855 +++ linux-2.6.35.5/kernel/exit.c 2010-09-17 20:13:49.000000000 -0400
47857 #include <asm/pgtable.h>
47858 #include <asm/mmu_context.h>
47860 +#ifdef CONFIG_GRKERNSEC
47861 +extern rwlock_t grsec_exec_file_lock;
47864 static void exit_mm(struct task_struct * tsk);
47866 static void __unhash_process(struct task_struct *p, bool group_dead)
47867 @@ -162,6 +166,8 @@ void release_task(struct task_struct * p
47868 struct task_struct *leader;
47871 + gr_del_task_from_ip_table(p);
47873 tracehook_prepare_release_task(p);
47874 /* don't need to get the RCU readlock here - the process is dead and
47875 * can't be modifying its own credentials. But shut RCU-lockdep up */
47876 @@ -331,11 +337,22 @@ static void reparent_to_kthreadd(void)
47878 write_lock_irq(&tasklist_lock);
47880 +#ifdef CONFIG_GRKERNSEC
47881 + write_lock(&grsec_exec_file_lock);
47882 + if (current->exec_file) {
47883 + fput(current->exec_file);
47884 + current->exec_file = NULL;
47886 + write_unlock(&grsec_exec_file_lock);
47889 ptrace_unlink(current);
47890 /* Reparent to init */
47891 current->real_parent = current->parent = kthreadd_task;
47892 list_move_tail(¤t->sibling, ¤t->real_parent->children);
47894 + gr_set_kernel_label(current);
47896 /* Set the exit signal to SIGCHLD so we signal init on exit */
47897 current->exit_signal = SIGCHLD;
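Review bot: The added block calls `fput(current->exec_file)` while holding `grsec_exec_file_lock` for writing, and in this function it also runs inside the `write_lock_irq(&tasklist_lock)` section opened just above. If that drops the last reference, `fput()` reaches the final release path, which may sleep, so it should not run with a spinning lock held or interrupts disabled. Detach the pointer under the lock and drop the reference after the locks are released, as sketched below. The identical block in the daemonize() hunk further down has the same problem with `grsec_exec_file_lock`, and a shared helper would avoid keeping two copies. The release of `tasklist_lock` is outside this hunk.

```c
	struct file *exec_file;

	write_lock(&grsec_exec_file_lock);
	exec_file = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
	/* … unchanged: ptrace_unlink, reparenting, gr_set_kernel_label, exit_signal … */
	/* once tasklist_lock has been released (outside this hunk): */
	if (exec_file)
		fput(exec_file);
```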
47899 @@ -387,7 +404,7 @@ int allow_signal(int sig)
47900 * know it'll be handled, so that they don't get converted to
47901 * SIGKILL or just silently dropped.
47903 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
47904 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
47905 recalc_sigpending();
47906 spin_unlock_irq(¤t->sighand->siglock);
47908 @@ -423,6 +440,17 @@ void daemonize(const char *name, ...)
47909 vsnprintf(current->comm, sizeof(current->comm), name, args);
47912 +#ifdef CONFIG_GRKERNSEC
47913 + write_lock(&grsec_exec_file_lock);
47914 + if (current->exec_file) {
47915 + fput(current->exec_file);
47916 + current->exec_file = NULL;
47918 + write_unlock(&grsec_exec_file_lock);
47921 + gr_set_kernel_label(current);
47924 * If we were started as result of loading a module, close all of the
47925 * user space pages. We don't need them, and if we didn't close them
47926 @@ -960,6 +988,9 @@ NORET_TYPE void do_exit(long code)
47927 tsk->exit_code = code;
47928 taskstats_exit(tsk, group_dead);
47930 + gr_acl_handle_psacct(tsk, code);
47931 + gr_acl_handle_exit();
47936 diff -urNp linux-2.6.35.5/kernel/fork.c linux-2.6.35.5/kernel/fork.c
47937 --- linux-2.6.35.5/kernel/fork.c 2010-08-26 19:47:12.000000000 -0400
47938 +++ linux-2.6.35.5/kernel/fork.c 2010-09-17 20:12:37.000000000 -0400
47939 @@ -276,7 +276,7 @@ static struct task_struct *dup_task_stru
47940 *stackend = STACK_END_MAGIC; /* for overflow detection */
47942 #ifdef CONFIG_CC_STACKPROTECTOR
47943 - tsk->stack_canary = get_random_int();
47944 + tsk->stack_canary = pax_get_random_long();
47947 /* One for us, one for whoever does the "release_task()" (usually parent) */
47948 @@ -298,13 +298,78 @@ out:
47952 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
47954 + struct vm_area_struct *tmp;
47955 + unsigned long charge;
47956 + struct mempolicy *pol;
47957 + struct file *file;
47960 + if (mpnt->vm_flags & VM_ACCOUNT) {
47961 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
47962 + if (security_vm_enough_memory(len))
47966 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
47971 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
47972 + pol = mpol_dup(vma_policy(mpnt));
47974 + goto fail_nomem_policy;
47975 + vma_set_policy(tmp, pol);
47976 + if (anon_vma_fork(tmp, mpnt))
47977 + goto fail_nomem_anon_vma_fork;
47978 + tmp->vm_flags &= ~VM_LOCKED;
47979 + tmp->vm_next = NULL;
47980 + tmp->vm_mirror = NULL;
47981 + file = tmp->vm_file;
47983 + struct inode *inode = file->f_path.dentry->d_inode;
47984 + struct address_space *mapping = file->f_mapping;
47987 + if (tmp->vm_flags & VM_DENYWRITE)
47988 + atomic_dec(&inode->i_writecount);
47989 + spin_lock(&mapping->i_mmap_lock);
47990 + if (tmp->vm_flags & VM_SHARED)
47991 + mapping->i_mmap_writable++;
47992 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
47993 + flush_dcache_mmap_lock(mapping);
47994 + /* insert tmp into the share list, just after mpnt */
47995 + vma_prio_tree_add(tmp, mpnt);
47996 + flush_dcache_mmap_unlock(mapping);
47997 + spin_unlock(&mapping->i_mmap_lock);
48001 + * Clear hugetlb-related page reserves for children. This only
48002 + * affects MAP_PRIVATE mappings. Faults generated by the child
48003 + * are not guaranteed to succeed, even if read-only
48005 + if (is_vm_hugetlb_page(tmp))
48006 + reset_vma_resv_huge_pages(tmp);
48010 +fail_nomem_anon_vma_fork:
48012 +fail_nomem_policy:
48013 + kmem_cache_free(vm_area_cachep, tmp);
48015 + vm_unacct_memory(charge);
48019 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
48021 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
48022 struct rb_node **rb_link, *rb_parent;
48024 - unsigned long charge;
48025 - struct mempolicy *pol;
48027 down_write(&oldmm->mmap_sem);
48028 flush_cache_dup_mm(oldmm);
48029 @@ -316,8 +381,8 @@ static int dup_mmap(struct mm_struct *mm
48032 mm->mmap_cache = NULL;
48033 - mm->free_area_cache = oldmm->mmap_base;
48034 - mm->cached_hole_size = ~0UL;
48035 + mm->free_area_cache = oldmm->free_area_cache;
48036 + mm->cached_hole_size = oldmm->cached_hole_size;
48038 cpumask_clear(mm_cpumask(mm));
48039 mm->mm_rb = RB_ROOT;
48040 @@ -330,8 +395,6 @@ static int dup_mmap(struct mm_struct *mm
48043 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
48044 - struct file *file;
48046 if (mpnt->vm_flags & VM_DONTCOPY) {
48047 long pages = vma_pages(mpnt);
48048 mm->total_vm -= pages;
48049 @@ -339,56 +402,13 @@ static int dup_mmap(struct mm_struct *mm
48054 - if (mpnt->vm_flags & VM_ACCOUNT) {
48055 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
48056 - if (security_vm_enough_memory(len))
48060 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
48064 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
48065 - pol = mpol_dup(vma_policy(mpnt));
48066 - retval = PTR_ERR(pol);
48068 - goto fail_nomem_policy;
48069 - vma_set_policy(tmp, pol);
48070 - if (anon_vma_fork(tmp, mpnt))
48071 - goto fail_nomem_anon_vma_fork;
48072 - tmp->vm_flags &= ~VM_LOCKED;
48074 - tmp->vm_next = tmp->vm_prev = NULL;
48075 - file = tmp->vm_file;
48077 - struct inode *inode = file->f_path.dentry->d_inode;
48078 - struct address_space *mapping = file->f_mapping;
48081 - if (tmp->vm_flags & VM_DENYWRITE)
48082 - atomic_dec(&inode->i_writecount);
48083 - spin_lock(&mapping->i_mmap_lock);
48084 - if (tmp->vm_flags & VM_SHARED)
48085 - mapping->i_mmap_writable++;
48086 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
48087 - flush_dcache_mmap_lock(mapping);
48088 - /* insert tmp into the share list, just after mpnt */
48089 - vma_prio_tree_add(tmp, mpnt);
48090 - flush_dcache_mmap_unlock(mapping);
48091 - spin_unlock(&mapping->i_mmap_lock);
48092 + tmp = dup_vma(mm, mpnt);
48094 + retval = -ENOMEM;
48099 - * Clear hugetlb-related page reserves for children. This only
48100 - * affects MAP_PRIVATE mappings. Faults generated by the child
48101 - * are not guaranteed to succeed, even if read-only
48103 - if (is_vm_hugetlb_page(tmp))
48104 - reset_vma_resv_huge_pages(tmp);
48107 * Link in the new vma and copy the page table entries.
48110 @@ -409,6 +429,31 @@ static int dup_mmap(struct mm_struct *mm
48115 +#ifdef CONFIG_PAX_SEGMEXEC
48116 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
48117 + struct vm_area_struct *mpnt_m;
48119 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
48120 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
48122 + if (!mpnt->vm_mirror)
48125 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
48126 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
48127 + mpnt->vm_mirror = mpnt_m;
48129 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
48130 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
48131 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
48132 + mpnt->vm_mirror->vm_mirror = mpnt;
48139 /* a new mm has just been created */
48140 arch_dup_mmap(oldmm, mm);
48142 @@ -417,14 +462,6 @@ out:
48143 flush_tlb_mm(oldmm);
48144 up_write(&oldmm->mmap_sem);
48146 -fail_nomem_anon_vma_fork:
48148 -fail_nomem_policy:
48149 - kmem_cache_free(vm_area_cachep, tmp);
48151 - retval = -ENOMEM;
48152 - vm_unacct_memory(charge);
48156 static inline int mm_alloc_pgd(struct mm_struct * mm)
48157 @@ -760,13 +797,14 @@ static int copy_fs(unsigned long clone_f
48158 write_unlock(&fs->lock);
48162 + atomic_inc(&fs->users);
48163 write_unlock(&fs->lock);
48166 tsk->fs = copy_fs_struct(fs);
48169 + gr_set_chroot_entries(tsk, &tsk->fs->root);
48173 @@ -1019,10 +1057,13 @@ static struct task_struct *copy_process(
48175 if (!vx_nproc_avail(1))
48176 goto bad_fork_free;
48178 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
48180 if (atomic_read(&p->real_cred->user->processes) >=
48181 task_rlimit(p, RLIMIT_NPROC)) {
48182 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
48183 - p->real_cred->user != INIT_USER)
48184 + if (p->real_cred->user != INIT_USER &&
48185 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
48186 goto bad_fork_free;
48189 @@ -1176,6 +1217,8 @@ static struct task_struct *copy_process(
48190 goto bad_fork_free_pid;
48193 + gr_copy_label(p);
48195 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
48197 * Clear TID on mm_release()?
48198 @@ -1328,6 +1371,8 @@ bad_fork_cleanup_count:
48202 + gr_log_forkfail(retval);
48204 return ERR_PTR(retval);
48207 @@ -1433,6 +1478,8 @@ long do_fork(unsigned long clone_flags,
48208 if (clone_flags & CLONE_PARENT_SETTID)
48209 put_user(nr, parent_tidptr);
48211 + gr_handle_brute_check();
48213 if (clone_flags & CLONE_VFORK) {
48214 p->vfork_done = &vfork;
48215 init_completion(&vfork);
48216 @@ -1557,7 +1604,7 @@ static int unshare_fs(unsigned long unsh
48219 /* don't need lock here; in the worst case we'll do useless copy */
48220 - if (fs->users == 1)
48221 + if (atomic_read(&fs->users) == 1)
48224 *new_fsp = copy_fs_struct(fs);
48225 @@ -1680,7 +1727,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
48227 write_lock(&fs->lock);
48228 current->fs = new_fs;
48230 + gr_set_chroot_entries(current, ¤t->fs->root);
48231 + if (atomic_dec_return(&fs->users))
48235 diff -urNp linux-2.6.35.5/kernel/futex.c linux-2.6.35.5/kernel/futex.c
48236 --- linux-2.6.35.5/kernel/futex.c 2010-08-26 19:47:12.000000000 -0400
48237 +++ linux-2.6.35.5/kernel/futex.c 2010-09-17 20:12:37.000000000 -0400
48239 #include <linux/mount.h>
48240 #include <linux/pagemap.h>
48241 #include <linux/syscalls.h>
48242 +#include <linux/ptrace.h>
48243 #include <linux/signal.h>
48244 #include <linux/module.h>
48245 #include <linux/magic.h>
48246 @@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
48250 +#ifdef CONFIG_PAX_SEGMEXEC
48251 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
48256 * The futex address must be "naturally" aligned.
48258 @@ -1843,7 +1849,7 @@ retry:
48260 restart = ¤t_thread_info()->restart_block;
48261 restart->fn = futex_wait_restart;
48262 - restart->futex.uaddr = (u32 *)uaddr;
48263 + restart->futex.uaddr = uaddr;
48264 restart->futex.val = val;
48265 restart->futex.time = abs_time->tv64;
48266 restart->futex.bitset = bitset;
48267 @@ -2376,7 +2382,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
48269 struct robust_list_head __user *head;
48271 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
48272 const struct cred *cred = current_cred(), *pcred;
48275 if (!futex_cmpxchg_enabled)
48277 @@ -2392,11 +2400,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
48281 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48282 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
48285 pcred = __task_cred(p);
48286 if (cred->euid != pcred->euid &&
48287 cred->euid != pcred->uid &&
48288 !capable(CAP_SYS_PTRACE))
48291 head = p->robust_list;
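Review bot: The hunk has no comment explaining why the permission check differs between configurations, and the difference matters: `head` is a userspace address inside the target task, so returning it discloses part of that task's layout. With `CONFIG_GRKERNSEC_PROC_MEMMAP` the gate is `ptrace_may_access(p, PTRACE_MODE_READ)`; without it the older euid/uid comparison stays, which looks only at IDs and `CAP_SYS_PTRACE`. Add a comment above the `#ifdef` such as `/* robust_list is an address in p's mm: gate it like other address-space disclosures */`. The same applies to the matching hunk in kernel/futex_compat.c. It is also worth stating in the description why the stricter check is not used unconditionally.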
48294 @@ -2458,7 +2471,7 @@ retry:
48296 static inline int fetch_robust_entry(struct robust_list __user **entry,
48297 struct robust_list __user * __user *head,
48299 + unsigned int *pi)
48301 unsigned long uentry;
48303 diff -urNp linux-2.6.35.5/kernel/futex_compat.c linux-2.6.35.5/kernel/futex_compat.c
48304 --- linux-2.6.35.5/kernel/futex_compat.c 2010-08-26 19:47:12.000000000 -0400
48305 +++ linux-2.6.35.5/kernel/futex_compat.c 2010-09-17 20:12:37.000000000 -0400
48307 #include <linux/compat.h>
48308 #include <linux/nsproxy.h>
48309 #include <linux/futex.h>
48310 +#include <linux/ptrace.h>
48312 #include <asm/uaccess.h>
48314 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
48316 struct compat_robust_list_head __user *head;
48318 - const struct cred *cred = current_cred(), *pcred;
48319 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
48320 + const struct cred *cred = current_cred();
48321 + const struct cred *pcred;
48324 if (!futex_cmpxchg_enabled)
48326 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
48330 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48331 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
48334 pcred = __task_cred(p);
48335 if (cred->euid != pcred->euid &&
48336 cred->euid != pcred->uid &&
48337 !capable(CAP_SYS_PTRACE))
48340 head = p->compat_robust_list;
48343 diff -urNp linux-2.6.35.5/kernel/gcov/base.c linux-2.6.35.5/kernel/gcov/base.c
48344 --- linux-2.6.35.5/kernel/gcov/base.c 2010-08-26 19:47:12.000000000 -0400
48345 +++ linux-2.6.35.5/kernel/gcov/base.c 2010-09-17 20:12:09.000000000 -0400
48346 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
48349 #ifdef CONFIG_MODULES
48350 -static inline int within(void *addr, void *start, unsigned long size)
48352 - return ((addr >= start) && (addr < start + size));
48355 /* Update list and generate events when modules are unloaded. */
48356 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
48358 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
48360 /* Remove entries located in module from linked list. */
48361 for (info = gcov_info_head; info; info = info->next) {
48362 - if (within(info, mod->module_core, mod->core_size)) {
48363 + if (within_module_core_rw((unsigned long)info, mod)) {
48365 prev->next = info->next;
48367 diff -urNp linux-2.6.35.5/kernel/hrtimer.c linux-2.6.35.5/kernel/hrtimer.c
48368 --- linux-2.6.35.5/kernel/hrtimer.c 2010-08-26 19:47:12.000000000 -0400
48369 +++ linux-2.6.35.5/kernel/hrtimer.c 2010-09-17 20:12:09.000000000 -0400
48370 @@ -1398,7 +1398,7 @@ void hrtimer_peek_ahead_timers(void)
48371 local_irq_restore(flags);
48374 -static void run_hrtimer_softirq(struct softirq_action *h)
48375 +static void run_hrtimer_softirq(void)
48377 hrtimer_peek_ahead_timers();
48379 diff -urNp linux-2.6.35.5/kernel/kallsyms.c linux-2.6.35.5/kernel/kallsyms.c
48380 --- linux-2.6.35.5/kernel/kallsyms.c 2010-08-26 19:47:12.000000000 -0400
48381 +++ linux-2.6.35.5/kernel/kallsyms.c 2010-09-17 20:12:37.000000000 -0400
48383 * Changed the compression method from stem compression to "table lookup"
48384 * compression (see scripts/kallsyms.c for a more complete description)
48386 +#ifdef CONFIG_GRKERNSEC_HIDESYM
48387 +#define __INCLUDED_BY_HIDESYM 1
48389 #include <linux/kallsyms.h>
48390 #include <linux/module.h>
48391 #include <linux/init.h>
48392 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
48394 static inline int is_kernel_inittext(unsigned long addr)
48396 + if (system_state != SYSTEM_BOOTING)
48399 if (addr >= (unsigned long)_sinittext
48400 && addr <= (unsigned long)_einittext)
48405 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48406 +#ifdef CONFIG_MODULES
48407 +static inline int is_module_text(unsigned long addr)
48409 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
48412 + addr = ktla_ktva(addr);
48413 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
48416 +static inline int is_module_text(unsigned long addr)
48423 static inline int is_kernel_text(unsigned long addr)
48425 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
48426 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
48428 static inline int is_kernel(unsigned long addr)
48431 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48432 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
48435 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
48437 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
48441 return in_gate_area_no_task(addr);
48444 static int is_ksym_addr(unsigned long addr)
48447 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48448 + if (is_module_text(addr))
48453 return is_kernel(addr);
48455 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
48457 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
48459 - iter->name[0] = '\0';
48460 iter->nameoff = get_symbol_offset(new_pos);
48461 iter->pos = new_pos;
48463 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
48465 struct kallsym_iter *iter = m->private;
48467 +#ifdef CONFIG_GRKERNSEC_HIDESYM
48468 + if (current_uid())
48472 /* Some debugging symbols have no name. Ignore them. */
48473 if (!iter->name[0])
48475 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
48476 struct kallsym_iter *iter;
48479 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
48480 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
48483 reset_iter(iter, 0);
48484 diff -urNp linux-2.6.35.5/kernel/kmod.c linux-2.6.35.5/kernel/kmod.c
48485 --- linux-2.6.35.5/kernel/kmod.c 2010-08-26 19:47:12.000000000 -0400
48486 +++ linux-2.6.35.5/kernel/kmod.c 2010-09-17 20:12:37.000000000 -0400
48487 @@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
48491 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
48492 + /* we could do a tighter check here, but some distros
48493 + are taking it upon themselves to remove CAP_SYS_MODULE
48494 + from even root-running apps which cause modules to be
48497 + if (current_uid()) {
48498 + gr_log_nonroot_mod_load(module_name);
48503 /* If modprobe needs a service that is in a module, we get a recursive
48504 * loop. Limit the number of running kmod threads to max_threads/2 or
48505 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
48506 diff -urNp linux-2.6.35.5/kernel/kprobes.c linux-2.6.35.5/kernel/kprobes.c
48507 --- linux-2.6.35.5/kernel/kprobes.c 2010-08-26 19:47:12.000000000 -0400
48508 +++ linux-2.6.35.5/kernel/kprobes.c 2010-09-17 20:12:09.000000000 -0400
48509 @@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
48510 * kernel image and loaded module images reside. This is required
48511 * so x86_64 can correctly handle the %rip-relative fixups.
48513 - kip->insns = module_alloc(PAGE_SIZE);
48514 + kip->insns = module_alloc_exec(PAGE_SIZE);
48518 @@ -223,7 +223,7 @@ static int __kprobes collect_one_slot(st
48520 if (!list_is_singular(&kip->list)) {
48521 list_del(&kip->list);
48522 - module_free(NULL, kip->insns);
48523 + module_free_exec(NULL, kip->insns);
48527 @@ -1709,7 +1709,7 @@ static int __init init_kprobes(void)
48530 unsigned long offset = 0, size = 0;
48531 - char *modname, namebuf[128];
48532 + char *modname, namebuf[KSYM_NAME_LEN];
48533 const char *symbol_name;
48535 struct kprobe_blackpoint *kb;
48536 @@ -1835,7 +1835,7 @@ static int __kprobes show_kprobe_addr(st
48537 const char *sym = NULL;
48538 unsigned int i = *(loff_t *) v;
48539 unsigned long offset = 0;
48540 - char *modname, namebuf[128];
48541 + char *modname, namebuf[KSYM_NAME_LEN];
48543 head = &kprobe_table[i];
48545 diff -urNp linux-2.6.35.5/kernel/lockdep.c linux-2.6.35.5/kernel/lockdep.c
48546 --- linux-2.6.35.5/kernel/lockdep.c 2010-08-26 19:47:12.000000000 -0400
48547 +++ linux-2.6.35.5/kernel/lockdep.c 2010-09-17 20:12:09.000000000 -0400
48548 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
48549 end = (unsigned long) &_end,
48550 addr = (unsigned long) obj;
48552 +#ifdef CONFIG_PAX_KERNEXEC
48553 + start = ktla_ktva(start);
48559 @@ -696,6 +700,7 @@ register_lock_class(struct lockdep_map *
48560 if (!static_obj(lock->key)) {
48562 printk("INFO: trying to register non-static key.\n");
48563 + printk("lock:%pS key:%pS.\n", lock, lock->key);
48564 printk("the code is fine but needs lockdep annotation.\n");
48565 printk("turning off the locking correctness validator.\n");
48567 diff -urNp linux-2.6.35.5/kernel/lockdep_proc.c linux-2.6.35.5/kernel/lockdep_proc.c
48568 --- linux-2.6.35.5/kernel/lockdep_proc.c 2010-08-26 19:47:12.000000000 -0400
48569 +++ linux-2.6.35.5/kernel/lockdep_proc.c 2010-09-17 20:12:09.000000000 -0400
48570 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
48572 static void print_name(struct seq_file *m, struct lock_class *class)
48575 + char str[KSYM_NAME_LEN];
48576 const char *name = class->name;
48579 diff -urNp linux-2.6.35.5/kernel/module.c linux-2.6.35.5/kernel/module.c
48580 --- linux-2.6.35.5/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
48581 +++ linux-2.6.35.5/kernel/module.c 2010-09-17 20:12:37.000000000 -0400
48582 @@ -96,7 +96,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
48584 /* Bounds of module allocation, for speeding __module_address.
48585 * Protected by module_mutex. */
48586 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
48587 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
48588 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
48590 int register_module_notifier(struct notifier_block * nb)
48592 @@ -250,7 +251,7 @@ bool each_symbol(bool (*fn)(const struct
48595 list_for_each_entry_rcu(mod, &modules, list) {
48596 - struct symsearch arr[] = {
48597 + struct symsearch modarr[] = {
48598 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
48599 NOT_GPL_ONLY, false },
48600 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
48601 @@ -272,7 +273,7 @@ bool each_symbol(bool (*fn)(const struct
48605 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
48606 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
48610 @@ -383,7 +384,7 @@ static inline void __percpu *mod_percpu(
48611 static int percpu_modalloc(struct module *mod,
48612 unsigned long size, unsigned long align)
48614 - if (align > PAGE_SIZE) {
48615 + if (align-1 >= PAGE_SIZE) {
48616 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
48617 mod->name, align, PAGE_SIZE);
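Review bot: The warning text in `percpu_modalloc` no longer matches the condition that triggers it. With `align-1 >= PAGE_SIZE` an alignment of 0 is rejected too, because `align` is an `unsigned long` and 0-1 wraps to the maximum value, so the log would read "per-cpu alignment 0 > 4096". Reword the message, for example `"%s: invalid per-cpu alignment %lu (max %lu)\n"`, and add a comment such as `/* align-1 wraps for align == 0, so zero is rejected as well */` so the unsigned trick is not mistaken for a typo. The function body continues outside the hunk.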
48619 @@ -1562,7 +1563,8 @@ static void free_module(struct module *m
48620 destroy_params(mod->kp, mod->num_kp);
48622 /* This may be NULL, but that's OK */
48623 - module_free(mod, mod->module_init);
48624 + module_free(mod, mod->module_init_rw);
48625 + module_free_exec(mod, mod->module_init_rx);
48627 percpu_modfree(mod);
48628 #if defined(CONFIG_MODULE_UNLOAD)
48629 @@ -1570,10 +1572,12 @@ static void free_module(struct module *m
48630 free_percpu(mod->refptr);
48632 /* Free lock-classes: */
48633 - lockdep_free_key_range(mod->module_core, mod->core_size);
48634 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
48635 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
48637 /* Finally, free the core (containing the module structure) */
48638 - module_free(mod, mod->module_core);
48639 + module_free_exec(mod, mod->module_core_rx);
48640 + module_free(mod, mod->module_core_rw);
48643 update_protections(current->mm);
48644 @@ -1670,7 +1674,9 @@ static int simplify_symbols(Elf_Shdr *se
48646 /* Ok if resolved. */
48647 if (ksym && !IS_ERR(ksym)) {
48648 + pax_open_kernel();
48649 sym[i].st_value = ksym->value;
48650 + pax_close_kernel();
48654 @@ -1690,7 +1696,9 @@ static int simplify_symbols(Elf_Shdr *se
48655 secbase = (unsigned long)mod_percpu(mod);
48657 secbase = sechdrs[sym[i].st_shndx].sh_addr;
48658 + pax_open_kernel();
48659 sym[i].st_value += secbase;
48660 + pax_close_kernel();
48664 @@ -1751,11 +1759,12 @@ static void layout_sections(struct modul
48665 || s->sh_entsize != ~0UL
48666 || strstarts(secstrings + s->sh_name, ".init"))
48668 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
48669 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
48670 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
48672 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
48673 DEBUGP("\t%s\n", secstrings + s->sh_name);
48676 - mod->core_text_size = mod->core_size;
48679 DEBUGP("Init section allocation order:\n");
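Review bot: The region test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is open-coded here, again in the init half of `layout_sections`, and three more times in the section-copy hunk of `load_module` (once inverted for the `pax_open_kernel()` path). The offset computed here is only valid if the copy later picks the same rw or rx region, so a single predicate used at every site would keep the two from drifting apart, e.g. `static inline bool sect_is_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }`. In the copy loop the `!SHF_ALLOC` half looks unreachable, since non-ALLOC sections are tested for at the top of that loop (the statement under that test is not shown on the page). `layout_sections` starts and ends outside this hunk.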
48680 @@ -1768,12 +1777,13 @@ static void layout_sections(struct modul
48681 || s->sh_entsize != ~0UL
48682 || !strstarts(secstrings + s->sh_name, ".init"))
48684 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
48685 - | INIT_OFFSET_MASK);
48686 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
48687 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
48689 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
48690 + s->sh_entsize |= INIT_OFFSET_MASK;
48691 DEBUGP("\t%s\n", secstrings + s->sh_name);
48694 - mod->init_text_size = mod->init_size;
48698 @@ -1877,9 +1887,8 @@ static int is_exported(const char *name,
48701 static char elf_type(const Elf_Sym *sym,
48702 - Elf_Shdr *sechdrs,
48703 - const char *secstrings,
48704 - struct module *mod)
48705 + const Elf_Shdr *sechdrs,
48706 + const char *secstrings)
48708 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
48709 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
48710 @@ -1954,7 +1963,7 @@ static unsigned long layout_symtab(struc
48712 /* Put symbol section at end of init part of module. */
48713 symsect->sh_flags |= SHF_ALLOC;
48714 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
48715 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
48716 symindex) | INIT_OFFSET_MASK;
48717 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
48719 @@ -1971,19 +1980,19 @@ static unsigned long layout_symtab(struc
48722 /* Append room for core symbols at end of core part. */
48723 - symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
48724 - mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
48725 + symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
48726 + mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
48728 /* Put string table section at end of init part of module. */
48729 strsect->sh_flags |= SHF_ALLOC;
48730 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
48731 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
48732 strindex) | INIT_OFFSET_MASK;
48733 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
48735 /* Append room for core symbols' strings at end of core part. */
48736 - *pstroffs = mod->core_size;
48737 + *pstroffs = mod->core_size_rx;
48738 __set_bit(0, strmap);
48739 - mod->core_size += bitmap_weight(strmap, strsect->sh_size);
48740 + mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
48744 @@ -2007,12 +2016,14 @@ static void add_kallsyms(struct module *
48745 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
48746 mod->strtab = (void *)sechdrs[strindex].sh_addr;
48748 + pax_open_kernel();
48750 /* Set types up while we still have access to sections. */
48751 for (i = 0; i < mod->num_symtab; i++)
48752 mod->symtab[i].st_info
48753 - = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
48754 + = elf_type(&mod->symtab[i], sechdrs, secstrings);
48756 - mod->core_symtab = dst = mod->module_core + symoffs;
48757 + mod->core_symtab = dst = mod->module_core_rx + symoffs;
48760 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
48761 @@ -2024,10 +2035,12 @@ static void add_kallsyms(struct module *
48763 mod->core_num_syms = ndst;
48765 - mod->core_strtab = s = mod->module_core + stroffs;
48766 + mod->core_strtab = s = mod->module_core_rx + stroffs;
48767 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
48768 if (test_bit(i, strmap))
48769 *++s = mod->strtab[i];
48771 + pax_close_kernel();
48774 static inline unsigned long layout_symtab(struct module *mod,
48775 @@ -2070,17 +2083,33 @@ static void dynamic_debug_remove(struct
48776 ddebug_remove_module(debug->modname);
48779 -static void *module_alloc_update_bounds(unsigned long size)
48780 +static void *module_alloc_update_bounds_rw(unsigned long size)
48782 void *ret = module_alloc(size);
48785 mutex_lock(&module_mutex);
48786 /* Update module bounds. */
48787 - if ((unsigned long)ret < module_addr_min)
48788 - module_addr_min = (unsigned long)ret;
48789 - if ((unsigned long)ret + size > module_addr_max)
48790 - module_addr_max = (unsigned long)ret + size;
48791 + if ((unsigned long)ret < module_addr_min_rw)
48792 + module_addr_min_rw = (unsigned long)ret;
48793 + if ((unsigned long)ret + size > module_addr_max_rw)
48794 + module_addr_max_rw = (unsigned long)ret + size;
48795 + mutex_unlock(&module_mutex);
48800 +static void *module_alloc_update_bounds_rx(unsigned long size)
48802 + void *ret = module_alloc_exec(size);
48805 + mutex_lock(&module_mutex);
48806 + /* Update module bounds. */
48807 + if ((unsigned long)ret < module_addr_min_rx)
48808 + module_addr_min_rx = (unsigned long)ret;
48809 + if ((unsigned long)ret + size > module_addr_max_rx)
48810 + module_addr_max_rx = (unsigned long)ret + size;
48811 mutex_unlock(&module_mutex);
48814 @@ -2284,7 +2313,7 @@ static noinline struct module *load_modu
48815 secstrings, &stroffs, strmap);
48817 /* Do the allocs. */
48818 - ptr = module_alloc_update_bounds(mod->core_size);
48819 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
48821 * The pointer to this block is stored in the module structure
48822 * which is inside the block. Just mark it as not being a
48823 @@ -2295,23 +2324,47 @@ static noinline struct module *load_modu
48827 - memset(ptr, 0, mod->core_size);
48828 - mod->module_core = ptr;
48829 + memset(ptr, 0, mod->core_size_rw);
48830 + mod->module_core_rw = ptr;
48832 - ptr = module_alloc_update_bounds(mod->init_size);
48833 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
48835 * The pointer to this block is stored in the module structure
48836 * which is inside the block. This block doesn't need to be
48837 * scanned as it contains data and code that will be freed
48838 * after the module is initialized.
48840 - kmemleak_ignore(ptr);
48841 - if (!ptr && mod->init_size) {
48842 + kmemleak_not_leak(ptr);
48843 + if (!ptr && mod->init_size_rw) {
48845 + goto free_core_rw;
48847 + memset(ptr, 0, mod->init_size_rw);
48848 + mod->module_init_rw = ptr;
48850 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
48851 + kmemleak_not_leak(ptr);
48854 + goto free_init_rw;
48857 + pax_open_kernel();
48858 + memset(ptr, 0, mod->core_size_rx);
48859 + pax_close_kernel();
48860 + mod->module_core_rx = ptr;
48862 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
48863 + kmemleak_not_leak(ptr);
48864 + if (!ptr && mod->init_size_rx) {
48867 + goto free_core_rx;
48869 - memset(ptr, 0, mod->init_size);
48870 - mod->module_init = ptr;
48872 + pax_open_kernel();
48873 + memset(ptr, 0, mod->init_size_rx);
48874 + pax_close_kernel();
48875 + mod->module_init_rx = ptr;
48877 /* Transfer each section which specifies SHF_ALLOC */
48878 DEBUGP("final section addresses:\n");
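Review bot: The comment kept above the init allocation still says the block "doesn't need to be scanned", but the call under it is now `kmemleak_not_leak(ptr)` rather than `kmemleak_ignore(ptr)`. `kmemleak_not_leak()` only suppresses the leak report and leaves the block in the scan set, so either keep `kmemleak_ignore()` for the init regions or update the comment to say why they are scanned now. The new `_rx` allocations also call `kmemleak_not_leak(ptr)` without any comment, while the existing comments justify the annotation by the module structure living inside the block, which presumably holds only for the rw core block after the split. A line such as `/* only referenced through mod->module_core_rx; mark as not a leak */` would record the reason there. `load_module` starts and ends outside this hunk.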
48879 @@ -2321,17 +2374,41 @@ static noinline struct module *load_modu
48880 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
48883 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
48884 - dest = mod->module_init
48885 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48887 - dest = mod->module_core + sechdrs[i].sh_entsize;
48888 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
48889 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
48890 + dest = mod->module_init_rw
48891 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48893 + dest = mod->module_init_rx
48894 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48896 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
48897 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
48899 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
48902 + if (sechdrs[i].sh_type != SHT_NOBITS) {
48904 - if (sechdrs[i].sh_type != SHT_NOBITS)
48905 - memcpy(dest, (void *)sechdrs[i].sh_addr,
48906 - sechdrs[i].sh_size);
48907 +#ifdef CONFIG_PAX_KERNEXEC
48908 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
48909 + pax_open_kernel();
48910 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
48911 + pax_close_kernel();
48915 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
48917 /* Update sh_addr to point to copy in image. */
48918 - sechdrs[i].sh_addr = (unsigned long)dest;
48920 +#ifdef CONFIG_PAX_KERNEXEC
48921 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
48922 + sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
48926 + sechdrs[i].sh_addr = (unsigned long)dest;
48927 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
48929 /* Module has been moved. */
48930 @@ -2342,7 +2419,7 @@ static noinline struct module *load_modu
48931 mod->refptr = alloc_percpu(struct module_ref);
48932 if (!mod->refptr) {
48935 + goto free_init_rx;
48938 /* Now we've moved module, initialize linked lists, etc. */
48939 @@ -2452,8 +2529,8 @@ static noinline struct module *load_modu
48941 /* Now do relocations. */
48942 for (i = 1; i < hdr->e_shnum; i++) {
48943 - const char *strtab = (char *)sechdrs[strindex].sh_addr;
48944 unsigned int info = sechdrs[i].sh_info;
48945 + strtab = (char *)sechdrs[strindex].sh_addr;
48947 /* Not a valid relocation section? */
48948 if (info >= hdr->e_shnum)
48949 @@ -2503,12 +2580,12 @@ static noinline struct module *load_modu
48950 * Do it before processing of module parameters, so the module
48951 * can provide parameter accessor functions of its own.
48953 - if (mod->module_init)
48954 - flush_icache_range((unsigned long)mod->module_init,
48955 - (unsigned long)mod->module_init
48956 - + mod->init_size);
48957 - flush_icache_range((unsigned long)mod->module_core,
48958 - (unsigned long)mod->module_core + mod->core_size);
48959 + if (mod->module_init_rx)
48960 + flush_icache_range((unsigned long)mod->module_init_rx,
48961 + (unsigned long)mod->module_init_rx
48962 + + mod->init_size_rx);
48963 + flush_icache_range((unsigned long)mod->module_core_rx,
48964 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
48968 @@ -2574,12 +2651,16 @@ static noinline struct module *load_modu
48970 module_unload_free(mod);
48971 #if defined(CONFIG_MODULE_UNLOAD)
48973 free_percpu(mod->refptr);
48976 - module_free(mod, mod->module_init);
48978 - module_free(mod, mod->module_core);
48979 + module_free_exec(mod, mod->module_init_rx);
48981 + module_free_exec(mod, mod->module_core_rx);
48983 + module_free(mod, mod->module_init_rw);
48985 + module_free(mod, mod->module_core_rw);
48986 /* mod will be freed with core. Don't access it beyond this line! */
48988 free_percpu(percpu);
48989 @@ -2669,10 +2750,12 @@ SYSCALL_DEFINE3(init_module, void __user
48990 mod->symtab = mod->core_symtab;
48991 mod->strtab = mod->core_strtab;
48993 - module_free(mod, mod->module_init);
48994 - mod->module_init = NULL;
48995 - mod->init_size = 0;
48996 - mod->init_text_size = 0;
48997 + module_free(mod, mod->module_init_rw);
48998 + module_free_exec(mod, mod->module_init_rx);
48999 + mod->module_init_rw = NULL;
49000 + mod->module_init_rx = NULL;
49001 + mod->init_size_rw = 0;
49002 + mod->init_size_rx = 0;
49003 mutex_unlock(&module_mutex);
49006 @@ -2703,10 +2786,16 @@ static const char *get_ksymbol(struct mo
49007 unsigned long nextval;
49009 /* At worse, next value is at end of module */
49010 - if (within_module_init(addr, mod))
49011 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
49012 + if (within_module_init_rx(addr, mod))
49013 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
49014 + else if (within_module_init_rw(addr, mod))
49015 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
49016 + else if (within_module_core_rx(addr, mod))
49017 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
49018 + else if (within_module_core_rw(addr, mod))
49019 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
49021 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
49024 /* Scan for closest preceeding symbol, and next symbol. (ELF
49025 starts real symbols at 1). */
49026 @@ -2952,7 +3041,7 @@ static int m_show(struct seq_file *m, vo
49029 seq_printf(m, "%s %u",
49030 - mod->name, mod->init_size + mod->core_size);
49031 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
49032 print_unload_info(m, mod);
49034 /* Informative for users. */
49035 @@ -2961,7 +3050,7 @@ static int m_show(struct seq_file *m, vo
49036 mod->state == MODULE_STATE_COMING ? "Loading":
49038 /* Used by oprofile and other similar tools. */
49039 - seq_printf(m, " 0x%p", mod->module_core);
49040 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
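Review bot: Printing two addresses here changes the field layout of every /proc/modules line, and the comment directly above states that this field is read by oprofile and similar tools. A parser that expects a single address will misread the added column, so the new format should be documented next to the `seq_printf`, for example `/* rx base first (the value tools used to read), rw base appended */`. Both values are raw kernel pointers printed with `%p`; who can read them depends on the mode passed to `proc_create` in `proc_modules_init`, which is `0` when none of the GRKERNSEC options tested there is set. `m_show` continues outside the hunk.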
49044 @@ -2997,7 +3086,17 @@ static const struct file_operations proc
49046 static int __init proc_modules_init(void)
49048 +#ifndef CONFIG_GRKERNSEC_HIDESYM
49049 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49050 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
49051 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49052 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
49054 proc_create("modules", 0, NULL, &proc_modules_operations);
49057 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
49061 module_init(proc_modules_init);
49062 @@ -3056,12 +3155,12 @@ struct module *__module_address(unsigned
49064 struct module *mod;
49066 - if (addr < module_addr_min || addr > module_addr_max)
49067 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
49068 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
49071 list_for_each_entry_rcu(mod, &modules, list)
49072 - if (within_module_core(addr, mod)
49073 - || within_module_init(addr, mod))
49074 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
49078 @@ -3095,11 +3194,20 @@ bool is_module_text_address(unsigned lon
49080 struct module *__module_text_address(unsigned long addr)
49082 - struct module *mod = __module_address(addr);
49083 + struct module *mod;
49085 +#ifdef CONFIG_X86_32
49086 + addr = ktla_ktva(addr);
49089 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
49092 + mod = __module_address(addr);
49095 /* Make sure it's within the text section. */
49096 - if (!within(addr, mod->module_init, mod->init_text_size)
49097 - && !within(addr, mod->module_core, mod->core_text_size))
49098 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
49102 diff -urNp linux-2.6.35.5/kernel/panic.c linux-2.6.35.5/kernel/panic.c
49103 --- linux-2.6.35.5/kernel/panic.c 2010-08-26 19:47:12.000000000 -0400
49104 +++ linux-2.6.35.5/kernel/panic.c 2010-09-17 20:12:09.000000000 -0400
49105 @@ -429,7 +429,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
49107 void __stack_chk_fail(void)
49109 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
49111 + panic("stack-protector: Kernel stack is corrupted in: %pS\n",
49112 __builtin_return_address(0));
49114 EXPORT_SYMBOL(__stack_chk_fail);
49115 diff -urNp linux-2.6.35.5/kernel/pid.c linux-2.6.35.5/kernel/pid.c
49116 --- linux-2.6.35.5/kernel/pid.c 2010-08-26 19:47:12.000000000 -0400
49117 +++ linux-2.6.35.5/kernel/pid.c 2010-09-17 20:12:37.000000000 -0400
49119 #include <linux/rculist.h>
49120 #include <linux/bootmem.h>
49121 #include <linux/hash.h>
49122 +#include <linux/security.h>
49123 #include <linux/pid_namespace.h>
49124 #include <linux/init_task.h>
49125 #include <linux/syscalls.h>
49126 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
49128 int pid_max = PID_MAX_DEFAULT;
49130 -#define RESERVED_PIDS 300
49131 +#define RESERVED_PIDS 500
49133 int pid_max_min = RESERVED_PIDS + 1;
49134 int pid_max_max = PID_MAX_LIMIT;
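Review bot: The new value 500 for `RESERVED_PIDS` comes with no comment explaining the choice, and it is more than an internal detail because `pid_max_min` on the following line is defined as `RESERVED_PIDS + 1`, so that bound moves from 301 to 501 as well. Add a comment above the define giving the reason and the side effect, e.g. `/* raised from upstream's 300 (<reason>); also raises pid_max_min to 501 */`.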
49135 @@ -382,7 +383,14 @@ EXPORT_SYMBOL(pid_task);
49137 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
49139 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
49140 + struct task_struct *task;
49142 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
49144 + if (gr_pid_is_chrooted(task))
49150 struct task_struct *find_task_by_vpid(pid_t vnr)
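Review bot: `gr_pid_is_chrooted(task)` receives whatever `pid_task()` returned, which is NULL when no task matches `nr`, and the lines of this hunk visible on the page show no NULL test before the call. Unless the helper, defined elsewhere in the patch, checks its argument, looking up a nonexistent pid would dereference NULL; writing the guard as `if (task && gr_pid_is_chrooted(task))` makes the function safe on its own. Since `find_task_by_pid_ns` is a shared lookup path, a comment stating which callers the filter is meant to affect (presumably processes running inside a chroot) would help anyone auditing in-kernel users of this function.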
49151 diff -urNp linux-2.6.35.5/kernel/posix-cpu-timers.c linux-2.6.35.5/kernel/posix-cpu-timers.c
49152 --- linux-2.6.35.5/kernel/posix-cpu-timers.c 2010-08-26 19:47:12.000000000 -0400
49153 +++ linux-2.6.35.5/kernel/posix-cpu-timers.c 2010-09-17 20:12:37.000000000 -0400
49155 #include <linux/posix-timers.h>
49156 #include <linux/errno.h>
49157 #include <linux/math64.h>
49158 +#include <linux/security.h>
49159 #include <asm/uaccess.h>
49160 #include <linux/kernel_stat.h>
49161 #include <trace/events/timer.h>
49162 @@ -972,6 +973,7 @@ static void check_thread_timers(struct t
49163 unsigned long hard =
49164 ACCESS_ONCE(sig->rlim[RLIMIT_RTTIME].rlim_max);
49166 + gr_learn_resource(tsk, RLIMIT_RTTIME, tsk->rt.timeout * (USEC_PER_SEC/HZ), 1);
49167 if (hard != RLIM_INFINITY &&
49168 tsk->rt.timeout > DIV_ROUND_UP(hard, USEC_PER_SEC/HZ)) {
49170 @@ -1138,6 +1140,7 @@ static void check_process_timers(struct
49171 unsigned long hard =
49172 ACCESS_ONCE(sig->rlim[RLIMIT_CPU].rlim_max);
49174 + gr_learn_resource(tsk, RLIMIT_CPU, psecs, 0);
49175 if (psecs >= hard) {
49177 * At the hard limit, we just die.
49178 diff -urNp linux-2.6.35.5/kernel/power/hibernate.c linux-2.6.35.5/kernel/power/hibernate.c
49179 --- linux-2.6.35.5/kernel/power/hibernate.c 2010-08-26 19:47:12.000000000 -0400
49180 +++ linux-2.6.35.5/kernel/power/hibernate.c 2010-09-17 20:12:09.000000000 -0400
49181 @@ -50,14 +50,14 @@ enum {
49183 static int hibernation_mode = HIBERNATION_SHUTDOWN;
49185 -static struct platform_hibernation_ops *hibernation_ops;
49186 +static const struct platform_hibernation_ops *hibernation_ops;
49189 * hibernation_set_ops - set the global hibernate operations
49190 * @ops: the hibernation operations to use in subsequent hibernation transitions
49193 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
49194 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
49196 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
49197 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
49198 diff -urNp linux-2.6.35.5/kernel/power/poweroff.c linux-2.6.35.5/kernel/power/poweroff.c
49199 --- linux-2.6.35.5/kernel/power/poweroff.c 2010-08-26 19:47:12.000000000 -0400
49200 +++ linux-2.6.35.5/kernel/power/poweroff.c 2010-09-17 20:12:09.000000000 -0400
49201 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
49202 .enable_mask = SYSRQ_ENABLE_BOOT,
49205 -static int pm_sysrq_init(void)
49206 +static int __init pm_sysrq_init(void)
49208 register_sysrq_key('o', &sysrq_poweroff_op);
49210 diff -urNp linux-2.6.35.5/kernel/power/process.c linux-2.6.35.5/kernel/power/process.c
49211 --- linux-2.6.35.5/kernel/power/process.c 2010-08-26 19:47:12.000000000 -0400
49212 +++ linux-2.6.35.5/kernel/power/process.c 2010-09-17 20:12:09.000000000 -0400
49213 @@ -38,12 +38,15 @@ static int try_to_freeze_tasks(bool sig_
49214 struct timeval start, end;
49215 u64 elapsed_csecs64;
49216 unsigned int elapsed_csecs;
49217 + bool timedout = false;
49219 do_gettimeofday(&start);
49221 end_time = jiffies + TIMEOUT;
49224 + if (time_after(jiffies, end_time))
49226 read_lock(&tasklist_lock);
49227 do_each_thread(g, p) {
49228 if (frozen(p) || !freezeable(p))
49229 @@ -58,12 +61,16 @@ static int try_to_freeze_tasks(bool sig_
49230 * It is "frozen enough". If the task does wake
49231 * up, it will immediately call try_to_freeze.
49233 - if (!task_is_stopped_or_traced(p) &&
49234 - !freezer_should_skip(p))
49235 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
49238 + printk(KERN_ERR "Task refusing to freeze:\n");
49239 + sched_show_task(p);
49242 } while_each_thread(g, p);
49243 read_unlock(&tasklist_lock);
49244 - if (!todo || time_after(jiffies, end_time))
49245 + if (!todo || timedout)
49249 diff -urNp linux-2.6.35.5/kernel/power/suspend.c linux-2.6.35.5/kernel/power/suspend.c
49250 --- linux-2.6.35.5/kernel/power/suspend.c 2010-08-26 19:47:12.000000000 -0400
49251 +++ linux-2.6.35.5/kernel/power/suspend.c 2010-09-17 20:12:09.000000000 -0400
49252 @@ -30,13 +30,13 @@ const char *const pm_states[PM_SUSPEND_M
49253 [PM_SUSPEND_MEM] = "mem",
49256 -static struct platform_suspend_ops *suspend_ops;
49257 +static const struct platform_suspend_ops *suspend_ops;
49260 * suspend_set_ops - Set the global suspend method table.
49261 * @ops: Pointer to ops structure.
49263 -void suspend_set_ops(struct platform_suspend_ops *ops)
49264 +void suspend_set_ops(const struct platform_suspend_ops *ops)
49266 mutex_lock(&pm_mutex);
49268 diff -urNp linux-2.6.35.5/kernel/printk.c linux-2.6.35.5/kernel/printk.c
49269 --- linux-2.6.35.5/kernel/printk.c 2010-08-26 19:47:12.000000000 -0400
49270 +++ linux-2.6.35.5/kernel/printk.c 2010-09-17 20:12:37.000000000 -0400
49271 @@ -266,6 +266,11 @@ int do_syslog(int type, char __user *buf
49275 +#ifdef CONFIG_GRKERNSEC_DMESG
49276 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
49280 error = security_syslog(type, from_file);
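Review bot: The `CONFIG_GRKERNSEC_DMESG` check is placed before `security_syslog(type, from_file)` and looks at neither `type` nor `from_file`. As far as this hunk shows, it therefore applies to every syslog action, including reads through an already opened /proc/kmsg descriptor. A log daemon that opens /proc/kmsg with privileges and then drops CAP_SYS_ADMIN would stop receiving kernel messages once `grsec_enable_dmesg` is set; if that is intended, state it in a comment such as `/* deliberately also denies reads on inherited /proc/kmsg descriptors */`. The check uses `capable()` while the ptrace hunks of this patch switch to `capable_nolog()`, so denied attempts will presumably each produce a log entry, which is worth confirming. `do_syslog` continues outside the hunk.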
49283 diff -urNp linux-2.6.35.5/kernel/ptrace.c linux-2.6.35.5/kernel/ptrace.c
49284 --- linux-2.6.35.5/kernel/ptrace.c 2010-08-26 19:47:12.000000000 -0400
49285 +++ linux-2.6.35.5/kernel/ptrace.c 2010-09-17 20:12:37.000000000 -0400
49286 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru
49287 cred->gid != tcred->egid ||
49288 cred->gid != tcred->sgid ||
49289 cred->gid != tcred->gid) &&
49290 - !capable(CAP_SYS_PTRACE)) {
49291 + !capable_nolog(CAP_SYS_PTRACE)) {
49295 @@ -148,7 +148,7 @@ int __ptrace_may_access(struct task_stru
49298 dumpable = get_dumpable(task->mm);
49299 - if (!dumpable && !capable(CAP_SYS_PTRACE))
49300 + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
49303 return security_ptrace_access_check(task, mode);
49304 @@ -198,7 +198,7 @@ int ptrace_attach(struct task_struct *ta
49305 goto unlock_tasklist;
49307 task->ptrace = PT_PTRACED;
49308 - if (capable(CAP_SYS_PTRACE))
49309 + if (capable_nolog(CAP_SYS_PTRACE))
49310 task->ptrace |= PT_PTRACE_CAP;
49312 __ptrace_link(task, current);
49313 @@ -361,7 +361,7 @@ int ptrace_readdata(struct task_struct *
49317 - if (copy_to_user(dst, buf, retval))
49318 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
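Review bot: The added guard `retval > sizeof(buf)` compares what is presumably a signed `int` (the declaration is outside the hunk) with a `size_t`. A negative `retval` is then rejected only because the implicit conversion turns it into a very large unsigned value. Making that explicit, `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))`, keeps the check correct if the type changes and avoids a sign-compare warning. A one-line comment such as `/* never copy more than buf holds to user space */` would record why the bound is there. `ptrace_readdata` starts and ends outside this hunk.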
49322 @@ -572,18 +572,18 @@ int ptrace_request(struct task_struct *c
49323 ret = ptrace_setoptions(child, data);
49325 case PTRACE_GETEVENTMSG:
49326 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
49327 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
49330 case PTRACE_GETSIGINFO:
49331 ret = ptrace_getsiginfo(child, &siginfo);
49333 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
49334 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
49338 case PTRACE_SETSIGINFO:
49339 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
49340 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
49344 @@ -703,14 +703,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
49348 + if (gr_handle_ptrace(child, request)) {
49350 + goto out_put_task_struct;
49353 if (request == PTRACE_ATTACH) {
49354 ret = ptrace_attach(child);
49356 * Some architectures need to do book-keeping after
49361 arch_ptrace_attach(child);
49362 + gr_audit_ptrace(child);
49364 goto out_put_task_struct;
49367 diff -urNp linux-2.6.35.5/kernel/rcutree.c linux-2.6.35.5/kernel/rcutree.c
49368 --- linux-2.6.35.5/kernel/rcutree.c 2010-08-26 19:47:12.000000000 -0400
49369 +++ linux-2.6.35.5/kernel/rcutree.c 2010-09-17 20:12:09.000000000 -0400
49370 @@ -1356,7 +1356,7 @@ __rcu_process_callbacks(struct rcu_state
49372 * Do softirq processing for the current CPU.
49374 -static void rcu_process_callbacks(struct softirq_action *unused)
49375 +static void rcu_process_callbacks(void)
49378 * Memory references from any prior RCU read-side critical sections
49379 diff -urNp linux-2.6.35.5/kernel/resource.c linux-2.6.35.5/kernel/resource.c
49380 --- linux-2.6.35.5/kernel/resource.c 2010-08-26 19:47:12.000000000 -0400
49381 +++ linux-2.6.35.5/kernel/resource.c 2010-09-17 20:12:37.000000000 -0400
49382 @@ -133,8 +133,18 @@ static const struct file_operations proc
49384 static int __init ioresources_init(void)
49386 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49387 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49388 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
49389 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
49390 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49391 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
49392 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
49395 proc_create("ioports", 0, NULL, &proc_ioports_operations);
49396 proc_create("iomem", 0, NULL, &proc_iomem_operations);
49400 __initcall(ioresources_init);
49401 diff -urNp linux-2.6.35.5/kernel/sched.c linux-2.6.35.5/kernel/sched.c
49402 --- linux-2.6.35.5/kernel/sched.c 2010-08-26 19:47:12.000000000 -0400
49403 +++ linux-2.6.35.5/kernel/sched.c 2010-09-17 20:12:37.000000000 -0400
49404 @@ -4266,6 +4266,8 @@ int can_nice(const struct task_struct *p
49405 /* convert nice value [19,-20] to rlimit style value [1,40] */
49406 int nice_rlim = 20 - nice;
49408 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
49410 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
49411 capable(CAP_SYS_NICE));
49413 @@ -4299,7 +4301,8 @@ SYSCALL_DEFINE1(nice, int, increment)
49417 - if (increment < 0 && !can_nice(current, nice))
49418 + if (increment < 0 && (!can_nice(current, nice) ||
49419 + gr_handle_chroot_nice()))
49420 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
49422 retval = security_task_setnice(current, nice);
49423 @@ -4446,6 +4449,7 @@ recheck:
49424 rlim_rtprio = task_rlimit(p, RLIMIT_RTPRIO);
49425 unlock_task_sighand(p, &flags);
49427 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
49428 /* can't set/change the rt policy */
49429 if (policy != p->policy && !rlim_rtprio)
49431 diff -urNp linux-2.6.35.5/kernel/sched_fair.c linux-2.6.35.5/kernel/sched_fair.c
49432 --- linux-2.6.35.5/kernel/sched_fair.c 2010-08-26 19:47:12.000000000 -0400
49433 +++ linux-2.6.35.5/kernel/sched_fair.c 2010-09-17 20:12:09.000000000 -0400
49434 @@ -3390,7 +3390,7 @@ out:
49435 * In CONFIG_NO_HZ case, the idle load balance owner will do the
49436 * rebalancing for all the cpus for whom scheduler ticks are stopped.
49438 -static void run_rebalance_domains(struct softirq_action *h)
49439 +static void run_rebalance_domains(void)
49441 int this_cpu = smp_processor_id();
49442 struct rq *this_rq = cpu_rq(this_cpu);
49443 diff -urNp linux-2.6.35.5/kernel/signal.c linux-2.6.35.5/kernel/signal.c
49444 --- linux-2.6.35.5/kernel/signal.c 2010-08-26 19:47:12.000000000 -0400
49445 +++ linux-2.6.35.5/kernel/signal.c 2010-09-17 20:20:18.000000000 -0400
49446 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
49448 int print_fatal_signals __read_mostly;
49450 -static void __user *sig_handler(struct task_struct *t, int sig)
49451 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
49453 return t->sighand->action[sig - 1].sa.sa_handler;
49456 -static int sig_handler_ignored(void __user *handler, int sig)
49457 +static int sig_handler_ignored(__sighandler_t handler, int sig)
49459 /* Is it explicitly or implicitly ignored? */
49460 return handler == SIG_IGN ||
49461 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
49462 static int sig_task_ignored(struct task_struct *t, int sig,
49463 int from_ancestor_ns)
49465 - void __user *handler;
49466 + __sighandler_t handler;
49468 handler = sig_handler(t, sig);
49470 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
49471 atomic_inc(&user->sigpending);
49474 + if (!override_rlimit)
49475 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
49477 if (override_rlimit ||
49478 atomic_read(&user->sigpending) <=
49479 task_rlimit(t, RLIMIT_SIGPENDING)) {
49480 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
49482 int unhandled_signal(struct task_struct *tsk, int sig)
49484 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
49485 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
49486 if (is_global_init(tsk))
49488 if (handler != SIG_IGN && handler != SIG_DFL)
49489 @@ -705,6 +705,10 @@ static int check_kill_permission(int sig
49490 sig, info, t, vx_task_xid(t), t->pid, current->xid);
49494 + if (gr_handle_signal(t, sig))
49498 return security_task_kill(t, info, sig, 0);
49500 @@ -1025,7 +1031,7 @@ __group_send_sig_info(int sig, struct si
49501 return send_signal(sig, info, p, 1);
49506 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
49508 return send_signal(sig, info, t, 0);
49509 @@ -1079,6 +1085,9 @@ force_sig_info(int sig, struct siginfo *
49510 ret = specific_send_sig_info(sig, info, t);
49511 spin_unlock_irqrestore(&t->sighand->siglock, flags);
49513 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
49514 + gr_handle_crash(t, sig);
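Review bot: The added `gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t)` reads `si_addr` for every non-special siginfo, but `si_addr` is a union member that only carries an address for fault-type signals. For a signal sent from user space the same bytes hold the sender's pid/uid. The same expression is added in the `group_send_sig_info` hunk further down, which is on the path of ordinary `kill()` delivery. Unless `gr_log_signal` (not visible here) ignores the address for non-fault signals, the log would present sender identity bytes as an address. Either guard at the call site or state the contract next to the call, e.g. `/* si_addr is only meaningful for fault signals; gr_log_signal() must ignore it otherwise */`.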
49519 @@ -1136,8 +1145,11 @@ int group_send_sig_info(int sig, struct
49520 ret = check_kill_permission(sig, info, p);
49524 + if (!ret && sig) {
49525 ret = do_send_sig_info(sig, info, p, true);
49527 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
49532 diff -urNp linux-2.6.35.5/kernel/smp.c linux-2.6.35.5/kernel/smp.c
49533 --- linux-2.6.35.5/kernel/smp.c 2010-08-26 19:47:12.000000000 -0400
49534 +++ linux-2.6.35.5/kernel/smp.c 2010-09-17 20:12:09.000000000 -0400
49535 @@ -499,22 +499,22 @@ int smp_call_function(void (*func)(void
49537 EXPORT_SYMBOL(smp_call_function);
49539 -void ipi_call_lock(void)
49540 +void ipi_call_lock(void) __acquires(call_function.lock)
49542 raw_spin_lock(&call_function.lock);
49545 -void ipi_call_unlock(void)
49546 +void ipi_call_unlock(void) __releases(call_function.lock)
49548 raw_spin_unlock(&call_function.lock);
49551 -void ipi_call_lock_irq(void)
49552 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
49554 raw_spin_lock_irq(&call_function.lock);
49557 -void ipi_call_unlock_irq(void)
49558 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
49560 raw_spin_unlock_irq(&call_function.lock);
49562 diff -urNp linux-2.6.35.5/kernel/softirq.c linux-2.6.35.5/kernel/softirq.c
49563 --- linux-2.6.35.5/kernel/softirq.c 2010-08-26 19:47:12.000000000 -0400
49564 +++ linux-2.6.35.5/kernel/softirq.c 2010-09-17 20:12:09.000000000 -0400
49565 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
49567 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
49569 -char *softirq_to_name[NR_SOFTIRQS] = {
49570 +const char * const softirq_to_name[NR_SOFTIRQS] = {
49571 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
49572 "TASKLET", "SCHED", "HRTIMER", "RCU"
49574 @@ -190,7 +190,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
49576 asmlinkage void __do_softirq(void)
49578 - struct softirq_action *h;
49579 + const struct softirq_action *h;
49581 int max_restart = MAX_SOFTIRQ_RESTART;
49583 @@ -216,7 +216,7 @@ restart:
49584 kstat_incr_softirqs_this_cpu(h - softirq_vec);
49586 trace_softirq_entry(h, softirq_vec);
49589 trace_softirq_exit(h, softirq_vec);
49590 if (unlikely(prev_count != preempt_count())) {
49591 printk(KERN_ERR "huh, entered softirq %td %s %p"
49592 @@ -340,7 +340,7 @@ void raise_softirq(unsigned int nr)
49593 local_irq_restore(flags);
49596 -void open_softirq(int nr, void (*action)(struct softirq_action *))
49597 +void open_softirq(int nr, void (*action)(void))
49599 softirq_vec[nr].action = action;
49601 @@ -396,7 +396,7 @@ void __tasklet_hi_schedule_first(struct
49603 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
49605 -static void tasklet_action(struct softirq_action *a)
49606 +static void tasklet_action(void)
49608 struct tasklet_struct *list;
49610 @@ -431,7 +431,7 @@ static void tasklet_action(struct softir
49614 -static void tasklet_hi_action(struct softirq_action *a)
49615 +static void tasklet_hi_action(void)
49617 struct tasklet_struct *list;
49619 diff -urNp linux-2.6.35.5/kernel/sys.c linux-2.6.35.5/kernel/sys.c
49620 --- linux-2.6.35.5/kernel/sys.c 2010-08-26 19:47:12.000000000 -0400
49621 +++ linux-2.6.35.5/kernel/sys.c 2010-09-17 20:28:33.000000000 -0400
49622 @@ -134,6 +134,12 @@ static int set_one_prio(struct task_stru
49627 + if (gr_handle_chroot_setpriority(p, niceval)) {
49632 no_nice = security_task_setnice(p, niceval);
49635 @@ -511,6 +517,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
49639 + if (gr_check_group_change(new->gid, new->egid, -1))
49642 if (rgid != (gid_t) -1 ||
49643 (egid != (gid_t) -1 && egid != old->gid))
49644 new->sgid = new->egid;
49645 @@ -540,6 +549,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
49646 old = current_cred();
49650 + if (gr_check_group_change(gid, gid, gid))
49653 if (capable(CAP_SETGID))
49654 new->gid = new->egid = new->sgid = new->fsgid = gid;
49655 else if (gid == old->gid || gid == old->sgid)
49656 @@ -620,6 +633,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
49660 + if (gr_check_user_change(new->uid, new->euid, -1))
49663 if (new->uid != old->uid) {
49664 retval = set_user(new);
49666 @@ -664,6 +680,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
49667 old = current_cred();
49671 + if (gr_check_crash_uid(uid))
49673 + if (gr_check_user_change(uid, uid, uid))
49676 if (capable(CAP_SETUID)) {
49677 new->suid = new->uid = uid;
49678 if (uid != old->uid) {
49679 @@ -718,6 +740,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
49683 + if (gr_check_user_change(ruid, euid, -1))
49686 if (ruid != (uid_t) -1) {
49688 if (ruid != old->uid) {
49689 @@ -782,6 +807,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
49693 + if (gr_check_group_change(rgid, egid, -1))
49696 if (rgid != (gid_t) -1)
49698 if (egid != (gid_t) -1)
49699 @@ -828,6 +856,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
49700 old = current_cred();
49701 old_fsuid = old->fsuid;
49703 + if (gr_check_user_change(-1, -1, uid))
49706 if (uid == old->uid || uid == old->euid ||
49707 uid == old->suid || uid == old->fsuid ||
49708 capable(CAP_SETUID)) {
49709 @@ -838,6 +869,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
49717 @@ -864,12 +896,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
49718 if (gid == old->gid || gid == old->egid ||
49719 gid == old->sgid || gid == old->fsgid ||
49720 capable(CAP_SETGID)) {
49721 + if (gr_check_group_change(-1, -1, gid))
49724 if (gid != old_fsgid) {
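Review bot: The `gr_check_group_change(-1, -1, gid)` call in this setfsgid hunk sits inside the `if (gid == old->gid || ... || capable(CAP_SETGID))` branch, while the setfsuid hunk above calls `gr_check_user_change(-1, -1, uid)` before the corresponding test. As placed here, `capable(CAP_SETGID)` may already have been evaluated when the policy check denies the change. Moving the check ahead of the `if`, as in setfsuid, would keep the two syscalls parallel and make the ordering easier to audit. The statement executed on denial is not visible in these lines, and the function body continues outside the hunk.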
49734 @@ -1491,7 +1527,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
49735 error = get_dumpable(me->mm);
49737 case PR_SET_DUMPABLE:
49738 - if (arg2 < 0 || arg2 > 1) {
49743 diff -urNp linux-2.6.35.5/kernel/sysctl.c linux-2.6.35.5/kernel/sysctl.c
49744 --- linux-2.6.35.5/kernel/sysctl.c 2010-08-26 19:47:12.000000000 -0400
49745 +++ linux-2.6.35.5/kernel/sysctl.c 2010-09-17 20:18:09.000000000 -0400
49749 #if defined(CONFIG_SYSCTL)
49750 +#include <linux/grsecurity.h>
49751 +#include <linux/grinternal.h>
49753 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
49754 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
49756 +extern int gr_handle_chroot_sysctl(const int op);
49758 /* External variables not in a header file. */
49759 extern int sysctl_overcommit_memory;
49760 @@ -185,6 +192,7 @@ static int sysrq_sysctl_handler(ctl_tabl
49764 +extern struct ctl_table grsecurity_table[];
49766 static struct ctl_table root_table[];
49767 static struct ctl_table_root sysctl_table_root;
49768 @@ -217,6 +225,20 @@ extern struct ctl_table epoll_table[];
49769 int sysctl_legacy_va_layout;
49772 +#ifdef CONFIG_PAX_SOFTMODE
49773 +static ctl_table pax_table[] = {
49775 + .procname = "softmode",
49776 + .data = &pax_softmode,
49777 + .maxlen = sizeof(unsigned int),
49779 + .proc_handler = &proc_dointvec,
49786 /* The default sysctl tables: */
49788 static struct ctl_table root_table[] = {
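Review bot: The new `softmode` entry uses `proc_dointvec`, which accepts any integer, so a write can set `pax_softmode` to values other than 0 and 1. If the variable is meant as an on/off flag, `proc_dointvec_minmax` with `.extra1`/`.extra2` bounds would reject the rest. The `heap_stack_gap` entry added to `vm_table` in a later hunk uses `proc_doulongvec_minmax`, but as far as that hunk shows it sets neither bound, so any unsigned long, including 0, is accepted. Both knobs change hardening behaviour at runtime, so each entry deserves a short comment stating the permitted range and who may write it (the `.mode` lines are not visible here).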
49789 @@ -269,6 +291,22 @@ static int max_extfrag_threshold = 1000;
49792 static struct ctl_table kern_table[] = {
49793 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
49795 + .procname = "grsecurity",
49797 + .child = grsecurity_table,
49801 +#ifdef CONFIG_PAX_SOFTMODE
49803 + .procname = "pax",
49805 + .child = pax_table,
49810 .procname = "sched_child_runs_first",
49811 .data = &sysctl_sched_child_runs_first,
49812 @@ -1171,6 +1209,13 @@ static struct ctl_table vm_table[] = {
49813 .proc_handler = proc_dointvec_minmax,
49817 + .procname = "heap_stack_gap",
49818 + .data = &sysctl_heap_stack_gap,
49819 + .maxlen = sizeof(sysctl_heap_stack_gap),
49821 + .proc_handler = proc_doulongvec_minmax,
49825 .procname = "nr_trim_pages",
49826 @@ -1686,6 +1731,16 @@ int sysctl_perm(struct ctl_table_root *r
49830 + if (table->parent != NULL && table->parent->procname != NULL &&
49831 + table->procname != NULL &&
49832 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
49834 + if (gr_handle_chroot_sysctl(op))
49836 + error = gr_handle_sysctl(table, op);
49840 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
49843 @@ -2201,6 +2256,8 @@ static int proc_put_long(void __user **b
49847 + if (len > sizeof(tmp))
49848 + len = sizeof(tmp);
49849 if (copy_to_user(*buf, tmp, len))
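Review bot: The added clamp `if (len > sizeof(tmp)) len = sizeof(tmp);` protects only the `copy_to_user()` that follows. The code that computes `len` is outside the hunk; if `len` is the length of text already formatted into `tmp`, a value larger than `sizeof(tmp)` means the buffer was overrun before this check runs. In that case the bound belongs on the formatting step (a size-limited formatter given `sizeof(tmp)`), with this clamp kept only as a second line of defence. A comment such as `/* never disclose kernel stack beyond tmp */` would record why the clamp exists.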
49852 diff -urNp linux-2.6.35.5/kernel/taskstats.c linux-2.6.35.5/kernel/taskstats.c
49853 --- linux-2.6.35.5/kernel/taskstats.c 2010-08-26 19:47:12.000000000 -0400
49854 +++ linux-2.6.35.5/kernel/taskstats.c 2010-09-17 20:12:37.000000000 -0400
49856 #include <linux/cgroup.h>
49857 #include <linux/fs.h>
49858 #include <linux/file.h>
49859 +#include <linux/grsecurity.h>
49860 #include <net/genetlink.h>
49861 #include <asm/atomic.h>
49863 +extern int gr_is_taskstats_denied(int pid);
49866 * Maximum length of a cpumask that can be specified in
49867 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
49868 @@ -432,6 +435,9 @@ static int taskstats_user_cmd(struct sk_
49870 cpumask_var_t mask;
49872 + if (gr_is_taskstats_denied(current->pid))
49875 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
49878 diff -urNp linux-2.6.35.5/kernel/time/tick-broadcast.c linux-2.6.35.5/kernel/time/tick-broadcast.c
49879 --- linux-2.6.35.5/kernel/time/tick-broadcast.c 2010-08-26 19:47:12.000000000 -0400
49880 +++ linux-2.6.35.5/kernel/time/tick-broadcast.c 2010-09-17 20:12:09.000000000 -0400
49881 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
49882 * then clear the broadcast bit.
49884 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
49885 - int cpu = smp_processor_id();
49886 + cpu = smp_processor_id();
49888 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
49889 tick_broadcast_clear_oneshot(cpu);
49890 diff -urNp linux-2.6.35.5/kernel/time/timer_list.c linux-2.6.35.5/kernel/time/timer_list.c
49891 --- linux-2.6.35.5/kernel/time/timer_list.c 2010-08-26 19:47:12.000000000 -0400
49892 +++ linux-2.6.35.5/kernel/time/timer_list.c 2010-09-17 20:12:37.000000000 -0400
49893 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
49895 static void print_name_offset(struct seq_file *m, void *sym)
49897 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49898 + SEQ_printf(m, "<%p>", NULL);
49900 char symname[KSYM_NAME_LEN];
49902 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
49903 SEQ_printf(m, "<%p>", sym);
49905 SEQ_printf(m, "%s", symname);
49910 @@ -112,7 +116,11 @@ next_one:
49912 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
49914 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49915 + SEQ_printf(m, " .base: %p\n", NULL);
49917 SEQ_printf(m, " .base: %p\n", base);
49919 SEQ_printf(m, " .index: %d\n",
49921 SEQ_printf(m, " .resolution: %Lu nsecs\n",
49922 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
49924 struct proc_dir_entry *pe;
49926 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49927 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
49929 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
49934 diff -urNp linux-2.6.35.5/kernel/time/timer_stats.c linux-2.6.35.5/kernel/time/timer_stats.c
49935 --- linux-2.6.35.5/kernel/time/timer_stats.c 2010-08-26 19:47:12.000000000 -0400
49936 +++ linux-2.6.35.5/kernel/time/timer_stats.c 2010-09-17 20:12:37.000000000 -0400
49937 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
49939 static void print_name_offset(struct seq_file *m, unsigned long addr)
49941 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49942 + seq_printf(m, "<%p>", NULL);
49944 char symname[KSYM_NAME_LEN];
49946 if (lookup_symbol_name(addr, symname) < 0)
49947 seq_printf(m, "<%p>", (void *)addr);
49949 seq_printf(m, "%s", symname);
49953 static int tstats_show(struct seq_file *m, void *v)
49954 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
49956 struct proc_dir_entry *pe;
49958 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49959 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
49961 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
49966 diff -urNp linux-2.6.35.5/kernel/time.c linux-2.6.35.5/kernel/time.c
49967 --- linux-2.6.35.5/kernel/time.c 2010-08-26 19:47:12.000000000 -0400
49968 +++ linux-2.6.35.5/kernel/time.c 2010-09-17 20:12:37.000000000 -0400
49969 @@ -94,6 +94,8 @@ SYSCALL_DEFINE1(stime, time_t __user *,
49972 vx_settimeofday(&tv);
49973 + gr_log_timechange();
49978 @@ -200,6 +203,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
49982 + gr_log_timechange();
49984 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
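Review bot: `gr_log_timechange()` is called before `do_sys_settimeofday()`, whose result is returned directly, so a time-change record is written even when the call fails and the clock is left untouched. The stime hunk above logs after the update instead. For an audit trail that reflects real changes, log on success only: `ret = do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);` then `if (!ret) gr_log_timechange();` and `return ret;`, with a local `int ret` declared. If logging attempts is the intent, say so in a comment. The function body starts outside the hunk.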
49987 @@ -238,7 +243,7 @@ EXPORT_SYMBOL(current_fs_time);
49988 * Avoid unnecessary multiplications/divisions in the
49989 * two most common HZ cases:
49991 -unsigned int inline jiffies_to_msecs(const unsigned long j)
49992 +inline unsigned int jiffies_to_msecs(const unsigned long j)
49994 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
49995 return (MSEC_PER_SEC / HZ) * j;
49996 @@ -254,7 +259,7 @@ unsigned int inline jiffies_to_msecs(con
49998 EXPORT_SYMBOL(jiffies_to_msecs);
50000 -unsigned int inline jiffies_to_usecs(const unsigned long j)
50001 +inline unsigned int jiffies_to_usecs(const unsigned long j)
50003 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
50004 return (USEC_PER_SEC / HZ) * j;
50005 diff -urNp linux-2.6.35.5/kernel/timer.c linux-2.6.35.5/kernel/timer.c
50006 --- linux-2.6.35.5/kernel/timer.c 2010-08-26 19:47:12.000000000 -0400
50007 +++ linux-2.6.35.5/kernel/timer.c 2010-09-17 20:12:09.000000000 -0400
50008 @@ -1272,7 +1272,7 @@ void update_process_times(int user_tick)
50010 * This function runs timers and the timer-tq in bottom half context.
50012 -static void run_timer_softirq(struct softirq_action *h)
50013 +static void run_timer_softirq(void)
50015 struct tvec_base *base = __get_cpu_var(tvec_bases);
50017 diff -urNp linux-2.6.35.5/kernel/trace/ftrace.c linux-2.6.35.5/kernel/trace/ftrace.c
50018 --- linux-2.6.35.5/kernel/trace/ftrace.c 2010-09-20 17:33:09.000000000 -0400
50019 +++ linux-2.6.35.5/kernel/trace/ftrace.c 2010-09-20 17:33:37.000000000 -0400
50020 @@ -1108,13 +1108,18 @@ ftrace_code_disable(struct module *mod,
50024 + ret = ftrace_arch_code_modify_prepare();
50025 + FTRACE_WARN_ON(ret);
50029 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
50030 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
50032 ftrace_bug(ret, ip);
50033 rec->flags |= FTRACE_FL_FAILED;
50037 + return ret ? 0 : 1;
50041 diff -urNp linux-2.6.35.5/kernel/trace/ring_buffer.c linux-2.6.35.5/kernel/trace/ring_buffer.c
50042 --- linux-2.6.35.5/kernel/trace/ring_buffer.c 2010-08-26 19:47:12.000000000 -0400
50043 +++ linux-2.6.35.5/kernel/trace/ring_buffer.c 2010-09-17 20:12:09.000000000 -0400
50044 @@ -635,7 +635,7 @@ static struct list_head *rb_list_head(st
50045 * the reader page). But if the next page is a header page,
50046 * its flags will be non zero.
50050 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
50051 struct buffer_page *page, struct list_head *list)
50053 diff -urNp linux-2.6.35.5/kernel/trace/trace.c linux-2.6.35.5/kernel/trace/trace.c
50054 --- linux-2.6.35.5/kernel/trace/trace.c 2010-08-26 19:47:12.000000000 -0400
50055 +++ linux-2.6.35.5/kernel/trace/trace.c 2010-09-17 20:12:09.000000000 -0400
50056 @@ -3965,10 +3965,9 @@ static const struct file_operations trac
50060 -static struct dentry *d_tracer;
50062 struct dentry *tracing_init_dentry(void)
50064 + static struct dentry *d_tracer;
50068 @@ -3988,10 +3987,9 @@ struct dentry *tracing_init_dentry(void)
50072 -static struct dentry *d_percpu;
50074 struct dentry *tracing_dentry_percpu(void)
50076 + static struct dentry *d_percpu;
50078 struct dentry *d_tracer;
50080 diff -urNp linux-2.6.35.5/kernel/trace/trace_output.c linux-2.6.35.5/kernel/trace/trace_output.c
50081 --- linux-2.6.35.5/kernel/trace/trace_output.c 2010-08-26 19:47:12.000000000 -0400
50082 +++ linux-2.6.35.5/kernel/trace/trace_output.c 2010-09-17 20:12:09.000000000 -0400
50083 @@ -281,7 +281,7 @@ int trace_seq_path(struct trace_seq *s,
50085 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
50087 - p = mangle_path(s->buffer + s->len, p, "\n");
50088 + p = mangle_path(s->buffer + s->len, p, "\n\\");
50090 s->len = p - s->buffer;
50092 diff -urNp linux-2.6.35.5/kernel/trace/trace_stack.c linux-2.6.35.5/kernel/trace/trace_stack.c
50093 --- linux-2.6.35.5/kernel/trace/trace_stack.c 2010-08-26 19:47:12.000000000 -0400
50094 +++ linux-2.6.35.5/kernel/trace/trace_stack.c 2010-09-17 20:12:09.000000000 -0400
50095 @@ -50,7 +50,7 @@ static inline void check_stack(void)
50098 /* we do not handle interrupt stacks yet */
50099 - if (!object_is_on_stack(&this_size))
50100 + if (!object_starts_on_stack(&this_size))
50103 local_irq_save(flags);
50104 diff -urNp linux-2.6.35.5/lib/bug.c linux-2.6.35.5/lib/bug.c
50105 --- linux-2.6.35.5/lib/bug.c 2010-08-26 19:47:12.000000000 -0400
50106 +++ linux-2.6.35.5/lib/bug.c 2010-09-17 20:12:09.000000000 -0400
50107 @@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
50108 return BUG_TRAP_TYPE_NONE;
50110 bug = find_bug(bugaddr);
50112 + return BUG_TRAP_TYPE_NONE;
50114 printk(KERN_EMERG "------------[ cut here ]------------\n");
50116 diff -urNp linux-2.6.35.5/lib/debugobjects.c linux-2.6.35.5/lib/debugobjects.c
50117 --- linux-2.6.35.5/lib/debugobjects.c 2010-08-26 19:47:12.000000000 -0400
50118 +++ linux-2.6.35.5/lib/debugobjects.c 2010-09-17 20:12:09.000000000 -0400
50119 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
50123 - is_on_stack = object_is_on_stack(addr);
50124 + is_on_stack = object_starts_on_stack(addr);
50125 if (is_on_stack == onstack)
50128 diff -urNp linux-2.6.35.5/lib/dma-debug.c linux-2.6.35.5/lib/dma-debug.c
50129 --- linux-2.6.35.5/lib/dma-debug.c 2010-08-26 19:47:12.000000000 -0400
50130 +++ linux-2.6.35.5/lib/dma-debug.c 2010-09-17 20:12:09.000000000 -0400
50131 @@ -861,7 +861,7 @@ out:
50133 static void check_for_stack(struct device *dev, void *addr)
50135 - if (object_is_on_stack(addr))
50136 + if (object_starts_on_stack(addr))
50137 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
50138 "stack [addr=%p]\n", addr);
50140 diff -urNp linux-2.6.35.5/lib/inflate.c linux-2.6.35.5/lib/inflate.c
50141 --- linux-2.6.35.5/lib/inflate.c 2010-08-26 19:47:12.000000000 -0400
50142 +++ linux-2.6.35.5/lib/inflate.c 2010-09-17 20:12:09.000000000 -0400
50143 @@ -267,7 +267,7 @@ static void free(void *where)
50144 malloc_ptr = free_mem_ptr;
50147 -#define malloc(a) kmalloc(a, GFP_KERNEL)
50148 +#define malloc(a) kmalloc((a), GFP_KERNEL)
50149 #define free(a) kfree(a)
50152 diff -urNp linux-2.6.35.5/lib/Kconfig.debug linux-2.6.35.5/lib/Kconfig.debug
50153 --- linux-2.6.35.5/lib/Kconfig.debug 2010-08-26 19:47:12.000000000 -0400
50154 +++ linux-2.6.35.5/lib/Kconfig.debug 2010-09-17 20:12:37.000000000 -0400
50155 @@ -970,7 +970,7 @@ config LATENCYTOP
50159 - depends on HAVE_LATENCYTOP_SUPPORT
50160 + depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
50162 Enable this option if you want to use the LatencyTOP tool
50163 to find out which userspace is blocking on what kernel operations.
50164 diff -urNp linux-2.6.35.5/lib/parser.c linux-2.6.35.5/lib/parser.c
50165 --- linux-2.6.35.5/lib/parser.c 2010-08-26 19:47:12.000000000 -0400
50166 +++ linux-2.6.35.5/lib/parser.c 2010-09-17 20:12:09.000000000 -0400
50167 @@ -129,7 +129,7 @@ static int match_number(substring_t *s,
50171 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
50172 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
50175 memcpy(buf, s->from, s->to - s->from);
50176 diff -urNp linux-2.6.35.5/lib/radix-tree.c linux-2.6.35.5/lib/radix-tree.c
50177 --- linux-2.6.35.5/lib/radix-tree.c 2010-08-26 19:47:12.000000000 -0400
50178 +++ linux-2.6.35.5/lib/radix-tree.c 2010-09-17 20:12:09.000000000 -0400
50179 @@ -80,7 +80,7 @@ struct radix_tree_preload {
50181 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
50183 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
50184 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
50186 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
50188 diff -urNp linux-2.6.35.5/lib/vsprintf.c linux-2.6.35.5/lib/vsprintf.c
50189 --- linux-2.6.35.5/lib/vsprintf.c 2010-08-26 19:47:12.000000000 -0400
50190 +++ linux-2.6.35.5/lib/vsprintf.c 2010-09-22 19:19:27.000000000 -0400
50191 @@ -990,7 +990,7 @@ char *pointer(const char *fmt, char *buf
50192 struct printf_spec spec)
50195 - return string(buf, end, "(null)", spec);
50196 + return string(buf, end, "(nil)", spec);
50200 diff -urNp linux-2.6.35.5/localversion-grsec linux-2.6.35.5/localversion-grsec
50201 --- linux-2.6.35.5/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
50202 +++ linux-2.6.35.5/localversion-grsec 2010-09-17 20:12:37.000000000 -0400
50205 diff -urNp linux-2.6.35.5/Makefile linux-2.6.35.5/Makefile
50206 --- linux-2.6.35.5/Makefile 2010-09-20 17:33:09.000000000 -0400
50207 +++ linux-2.6.35.5/Makefile 2010-09-20 17:33:17.000000000 -0400
50208 @@ -230,8 +230,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
50212 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
50213 -HOSTCXXFLAGS = -O2
50214 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
50215 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
50217 # Decide whether to build built-in, modular, or both.
50218 # Normally, just do built-in.
50219 @@ -650,7 +650,7 @@ export mod_strip_cmd
50222 ifeq ($(KBUILD_EXTMOD),)
50223 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
50224 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
50226 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
50227 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
50228 diff -urNp linux-2.6.35.5/mm/bootmem.c linux-2.6.35.5/mm/bootmem.c
50229 --- linux-2.6.35.5/mm/bootmem.c 2010-08-26 19:47:12.000000000 -0400
50230 +++ linux-2.6.35.5/mm/bootmem.c 2010-09-17 20:12:09.000000000 -0400
50231 @@ -200,19 +200,30 @@ static void __init __free_pages_memory(u
50232 unsigned long __init free_all_memory_core_early(int nodeid)
50236 + u64 start, end, startrange, endrange;
50237 unsigned long count = 0;
50238 - struct range *range = NULL;
50239 + struct range *range = NULL, rangerange = { 0, 0 };
50242 nr_range = get_free_all_memory_range(&range, nodeid);
50243 + startrange = __pa(range) >> PAGE_SHIFT;
50244 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
50246 for (i = 0; i < nr_range; i++) {
50247 start = range[i].start;
50248 end = range[i].end;
50249 + if (start <= endrange && startrange < end) {
50250 + BUG_ON(rangerange.start | rangerange.end);
50251 + rangerange = range[i];
50254 count += end - start;
50255 __free_pages_memory(start, end);
50257 + start = rangerange.start;
50258 + end = rangerange.end;
50259 + count += end - start;
50260 + __free_pages_memory(start, end);
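Review bot: Nothing in the hunk explains why one range is skipped inside the loop and freed only afterwards. Since `startrange`/`endrange` are computed from `__pa(range)`, it appears to be the range that contains the `range` array itself, which has to stay intact while the loop is still reading it. A comment above the `if (start <= endrange && startrange < end)` test would make this reviewable, e.g. `/* the range array lives in free memory: free the range holding it last */`. The same comment should mention that the `BUG_ON` assumes the array never straddles two ranges, and that the tail still calls `__free_pages_memory(0, 0)` when no range overlapped.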
50264 diff -urNp linux-2.6.35.5/mm/filemap.c linux-2.6.35.5/mm/filemap.c
50265 --- linux-2.6.35.5/mm/filemap.c 2010-08-26 19:47:12.000000000 -0400
50266 +++ linux-2.6.35.5/mm/filemap.c 2010-09-17 20:12:37.000000000 -0400
50267 @@ -1640,7 +1640,7 @@ int generic_file_mmap(struct file * file
50268 struct address_space *mapping = file->f_mapping;
50270 if (!mapping->a_ops->readpage)
50273 file_accessed(file);
50274 vma->vm_ops = &generic_file_vm_ops;
50275 vma->vm_flags |= VM_CAN_NONLINEAR;
50276 @@ -2036,6 +2036,7 @@ inline int generic_write_checks(struct f
50277 *pos = i_size_read(inode);
50279 if (limit != RLIM_INFINITY) {
50280 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
50281 if (*pos >= limit) {
50282 send_sig(SIGXFSZ, current, 0);
50284 diff -urNp linux-2.6.35.5/mm/fremap.c linux-2.6.35.5/mm/fremap.c
50285 --- linux-2.6.35.5/mm/fremap.c 2010-08-26 19:47:12.000000000 -0400
50286 +++ linux-2.6.35.5/mm/fremap.c 2010-09-17 20:12:09.000000000 -0400
50287 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
50289 vma = find_vma(mm, start);
50291 +#ifdef CONFIG_PAX_SEGMEXEC
50292 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
50297 * Make sure the vma is shared, that it supports prefaulting,
50298 * and that the remapped range is valid and fully within
50299 @@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
50301 * drop PG_Mlocked flag for over-mapped range
50303 - unsigned int saved_flags = vma->vm_flags;
50304 + unsigned long saved_flags = vma->vm_flags;
50305 munlock_vma_pages_range(vma, start, start + size);
50306 vma->vm_flags = saved_flags;
50308 diff -urNp linux-2.6.35.5/mm/highmem.c linux-2.6.35.5/mm/highmem.c
50309 --- linux-2.6.35.5/mm/highmem.c 2010-08-26 19:47:12.000000000 -0400
50310 +++ linux-2.6.35.5/mm/highmem.c 2010-09-17 20:12:09.000000000 -0400
50311 @@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
50312 * So no dangers, even with speculative execution.
50314 page = pte_page(pkmap_page_table[i]);
50315 + pax_open_kernel();
50316 pte_clear(&init_mm, (unsigned long)page_address(page),
50317 &pkmap_page_table[i]);
50319 + pax_close_kernel();
50320 set_page_address(page, NULL);
50323 @@ -177,9 +178,11 @@ start:
50326 vaddr = PKMAP_ADDR(last_pkmap_nr);
50328 + pax_open_kernel();
50329 set_pte_at(&init_mm, vaddr,
50330 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
50332 + pax_close_kernel();
50333 pkmap_count[last_pkmap_nr] = 1;
50334 set_page_address(page, (void *)vaddr);
50336 diff -urNp linux-2.6.35.5/mm/hugetlb.c linux-2.6.35.5/mm/hugetlb.c
50337 --- linux-2.6.35.5/mm/hugetlb.c 2010-08-26 19:47:12.000000000 -0400
50338 +++ linux-2.6.35.5/mm/hugetlb.c 2010-09-17 20:12:09.000000000 -0400
50339 @@ -2272,6 +2272,26 @@ static int unmap_ref_private(struct mm_s
50343 +#ifdef CONFIG_PAX_SEGMEXEC
50344 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
50346 + struct mm_struct *mm = vma->vm_mm;
50347 + struct vm_area_struct *vma_m;
50348 + unsigned long address_m;
50351 + vma_m = pax_find_mirror_vma(vma);
50355 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50356 + address_m = address + SEGMEXEC_TASK_SIZE;
50357 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
50358 + get_page(page_m);
50359 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
50363 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
50364 unsigned long address, pte_t *ptep, pte_t pte,
50365 struct page *pagecache_page)
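Review bot: In `pax_mirror_huge_pte()` the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` goes straight into `set_huge_pte_at()` with no NULL check. The helper seems to rely on the `huge_pte_alloc(mm, address_m, ...)` that a later hunk adds to `hugetlb_fault()`, but nothing at this site states or enforces that. Add `BUG_ON(!ptep_m);` after the lookup, or a comment above the function saying that callers must have allocated the mirror page table first. The lookup also masks `address_m` while `set_huge_pte_at()` receives it unmasked; a word on whether callers always pass an aligned address would help.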
50366 @@ -2352,6 +2372,11 @@ retry_avoidcopy:
50367 huge_ptep_clear_flush(vma, address, ptep);
50368 set_huge_pte_at(mm, address, ptep,
50369 make_huge_pte(vma, new_page, 1));
50371 +#ifdef CONFIG_PAX_SEGMEXEC
50372 + pax_mirror_huge_pte(vma, address, new_page);
50375 /* Make the old page be freed below */
50376 new_page = old_page;
50378 @@ -2483,6 +2508,10 @@ retry:
50379 && (vma->vm_flags & VM_SHARED)));
50380 set_huge_pte_at(mm, address, ptep, new_pte);
50382 +#ifdef CONFIG_PAX_SEGMEXEC
50383 + pax_mirror_huge_pte(vma, address, page);
50386 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
50387 /* Optimization, do the COW without a second fault */
50388 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
50389 @@ -2511,6 +2540,28 @@ int hugetlb_fault(struct mm_struct *mm,
50390 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
50391 struct hstate *h = hstate_vma(vma);
50393 +#ifdef CONFIG_PAX_SEGMEXEC
50394 + struct vm_area_struct *vma_m;
50396 + vma_m = pax_find_mirror_vma(vma);
50398 + unsigned long address_m;
50400 + if (vma->vm_start > vma_m->vm_start) {
50401 + address_m = address;
50402 + address -= SEGMEXEC_TASK_SIZE;
50404 + h = hstate_vma(vma);
50406 + address_m = address + SEGMEXEC_TASK_SIZE;
50408 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
50409 + return VM_FAULT_OOM;
50410 + address_m &= HPAGE_MASK;
50411 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
50415 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
50417 return VM_FAULT_OOM;
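Review bot: The added block allocates the mirror PTE with `huge_page_size(h)` but then masks and unmaps using the fixed `HPAGE_MASK`/`HPAGE_SIZE`. The two agree only when the VMA's hstate uses the default huge page size. Using the per-hstate helpers keeps the block self-consistent: `address_m &= huge_page_mask(h);` and `unmap_hugepage_range(vma, address_m, address_m + huge_page_size(h), NULL);`. `pax_mirror_huge_pte()` in the earlier hunk masks with `HPAGE_MASK` as well. If SEGMEXEC can only be enabled where a single huge page size exists, a comment saying so would be enough; `hugetlb_fault()` continues outside the hunk.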
50418 diff -urNp linux-2.6.35.5/mm/Kconfig linux-2.6.35.5/mm/Kconfig
50419 --- linux-2.6.35.5/mm/Kconfig 2010-08-26 19:47:12.000000000 -0400
50420 +++ linux-2.6.35.5/mm/Kconfig 2010-09-17 20:12:37.000000000 -0400
50421 @@ -240,7 +240,7 @@ config KSM
50422 config DEFAULT_MMAP_MIN_ADDR
50423 int "Low address space to protect from user allocation"
50428 This is the portion of low virtual memory which should be protected
50429 from userspace allocation. Keeping a user from writing to low pages
50430 diff -urNp linux-2.6.35.5/mm/maccess.c linux-2.6.35.5/mm/maccess.c
50431 --- linux-2.6.35.5/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
50432 +++ linux-2.6.35.5/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
50433 @@ -15,10 +15,10 @@
50434 * happens, handle that and return -EFAULT.
50437 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
50438 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
50439 __attribute__((alias("__probe_kernel_read")));
50441 -long __probe_kernel_read(void *dst, void *src, size_t size)
50442 +long __probe_kernel_read(void *dst, const void *src, size_t size)
50445 mm_segment_t old_fs = get_fs();
50446 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
50447 * Safely write to address @dst from the buffer at @src. If a kernel fault
50448 * happens, handle that and return -EFAULT.
50450 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
50451 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
50452 __attribute__((alias("__probe_kernel_write")));
50454 -long __probe_kernel_write(void *dst, void *src, size_t size)
50455 +long __probe_kernel_write(void *dst, const void *src, size_t size)
50458 mm_segment_t old_fs = get_fs();
50459 diff -urNp linux-2.6.35.5/mm/madvise.c linux-2.6.35.5/mm/madvise.c
50460 --- linux-2.6.35.5/mm/madvise.c 2010-08-26 19:47:12.000000000 -0400
50461 +++ linux-2.6.35.5/mm/madvise.c 2010-09-17 20:12:09.000000000 -0400
50462 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
50464 unsigned long new_flags = vma->vm_flags;
50466 +#ifdef CONFIG_PAX_SEGMEXEC
50467 + struct vm_area_struct *vma_m;
50470 switch (behavior) {
50472 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
50473 @@ -104,6 +108,13 @@ success:
50475 * vm_flags is protected by the mmap_sem held in write mode.
50478 +#ifdef CONFIG_PAX_SEGMEXEC
50479 + vma_m = pax_find_mirror_vma(vma);
50481 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
50484 vma->vm_flags = new_flags;
50487 @@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
50488 struct vm_area_struct ** prev,
50489 unsigned long start, unsigned long end)
50492 +#ifdef CONFIG_PAX_SEGMEXEC
50493 + struct vm_area_struct *vma_m;
50497 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
50499 @@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
50500 zap_page_range(vma, start, end - start, &details);
50502 zap_page_range(vma, start, end - start, NULL);
50504 +#ifdef CONFIG_PAX_SEGMEXEC
50505 + vma_m = pax_find_mirror_vma(vma);
50507 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
50508 + struct zap_details details = {
50509 + .nonlinear_vma = vma_m,
50510 + .last_index = ULONG_MAX,
50512 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
50514 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
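Review bot: Both added `zap_page_range()` calls pass the lower `vma` while the range begins at `start + SEGMEXEC_TASK_SIZE` and the nonlinear details name `vma_m`, so the vma argument and the address range describe different mappings. If the mirror half is meant to be zapped through its own vma, the call would read `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);` (and likewise with `&details`). If passing the lower vma is deliberate, a comment saying why would stop a later reader from "fixing" it. The lines between `pax_find_mirror_vma()` and the first call are not visible here, so a NULL check on `vma_m` is assumed. madvise_dontneed's body continues outside the hunk.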
50521 @@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
50525 +#ifdef CONFIG_PAX_SEGMEXEC
50526 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
50527 + if (end > SEGMEXEC_TASK_SIZE)
50532 + if (end > TASK_SIZE)
50538 diff -urNp linux-2.6.35.5/mm/memory.c linux-2.6.35.5/mm/memory.c
50539 --- linux-2.6.35.5/mm/memory.c 2010-08-26 19:47:12.000000000 -0400
50540 +++ linux-2.6.35.5/mm/memory.c 2010-09-17 20:12:09.000000000 -0400
50541 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
50544 pmd = pmd_offset(pud, start);
50546 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
50548 pmd_free_tlb(tlb, pmd, start);
50553 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
50554 @@ -292,8 +296,12 @@ static inline void free_pud_range(struct
50557 pud = pud_offset(pgd, start);
50559 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
50561 pud_free_tlb(tlb, pud, start);
50567 @@ -1363,10 +1371,10 @@ int __get_user_pages(struct task_struct
50568 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
50572 + while (nr_pages) {
50573 struct vm_area_struct *vma;
50575 - vma = find_extend_vma(mm, start);
50576 + vma = find_vma(mm, start);
50577 if (!vma && in_gate_area(tsk, start)) {
50578 unsigned long pg = start & PAGE_MASK;
50579 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
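Review bot: Replacing `find_extend_vma()` with `find_vma()` removes on-demand stack growth from this path without a comment, and the new lookup can return a vma that lies entirely above `start`, where the old helper returned NULL for a non-growable one. The later hunk adds `start < vma->vm_start` to the rejection test, but the gate-area branch here is still entered only on a NULL result. On a layout where the gate area sits below a mapped vma, that branch would now be skipped. If that layout is possible (not visible from here), the test could read `if ((!vma || start < vma->vm_start) && in_gate_area(tsk, start)) {`. Either way, a comment such as `/* PaX: never grow the stack from get_user_pages() */` on the lookup would record the intent.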
50580 @@ -1418,7 +1426,7 @@ int __get_user_pages(struct task_struct
50585 + if (!vma || start < vma->vm_start ||
50586 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
50587 !(vm_flags & vma->vm_flags))
50588 return i ? : -EFAULT;
50589 @@ -1493,7 +1501,7 @@ int __get_user_pages(struct task_struct
50590 start += PAGE_SIZE;
50592 } while (nr_pages && start < vma->vm_end);
50593 - } while (nr_pages);
50598 @@ -2089,6 +2097,186 @@ static inline void cow_user_page(struct
50599 copy_user_highpage(dst, src, va, vma);
50602 +#ifdef CONFIG_PAX_SEGMEXEC
50603 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
50605 + struct mm_struct *mm = vma->vm_mm;
50607 + pte_t *pte, entry;
50609 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
50611 + if (!pte_present(entry)) {
50612 + if (!pte_none(entry)) {
50613 + BUG_ON(pte_file(entry));
50614 + free_swap_and_cache(pte_to_swp_entry(entry));
50615 + pte_clear_not_present_full(mm, address, pte, 0);
50618 + struct page *page;
50620 + flush_cache_page(vma, address, pte_pfn(entry));
50621 + entry = ptep_clear_flush(vma, address, pte);
50622 + BUG_ON(pte_dirty(entry));
50623 + page = vm_normal_page(vma, address, entry);
50625 + update_hiwater_rss(mm);
50626 + if (PageAnon(page))
50627 + dec_mm_counter_fast(mm, MM_ANONPAGES);
50629 + dec_mm_counter_fast(mm, MM_FILEPAGES);
50630 + page_remove_rmap(page);
50631 + page_cache_release(page);
50634 + pte_unmap_unlock(pte, ptl);
50637 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
50639 + * the ptl of the lower mapped page is held on entry and is not released on exit
50640 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
50642 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
50644 + struct mm_struct *mm = vma->vm_mm;
50645 + unsigned long address_m;
50646 + spinlock_t *ptl_m;
50647 + struct vm_area_struct *vma_m;
50649 + pte_t *pte_m, entry_m;
50651 + BUG_ON(!page_m || !PageAnon(page_m));
50653 + vma_m = pax_find_mirror_vma(vma);
50657 + BUG_ON(!PageLocked(page_m));
50658 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50659 + address_m = address + SEGMEXEC_TASK_SIZE;
50660 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50661 + pte_m = pte_offset_map_nested(pmd_m, address_m);
50662 + ptl_m = pte_lockptr(mm, pmd_m);
50663 + if (ptl != ptl_m) {
50664 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50665 + if (!pte_none(*pte_m))
50669 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
50670 + page_cache_get(page_m);
50671 + page_add_anon_rmap(page_m, vma_m, address_m);
50672 + inc_mm_counter_fast(mm, MM_ANONPAGES);
50673 + set_pte_at(mm, address_m, pte_m, entry_m);
50674 + update_mmu_cache(vma_m, address_m, entry_m);
50676 + if (ptl != ptl_m)
50677 + spin_unlock(ptl_m);
50678 + pte_unmap_nested(pte_m);
50679 + unlock_page(page_m);
50682 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
50684 + struct mm_struct *mm = vma->vm_mm;
50685 + unsigned long address_m;
50686 + spinlock_t *ptl_m;
50687 + struct vm_area_struct *vma_m;
50689 + pte_t *pte_m, entry_m;
50691 + BUG_ON(!page_m || PageAnon(page_m));
50693 + vma_m = pax_find_mirror_vma(vma);
50697 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50698 + address_m = address + SEGMEXEC_TASK_SIZE;
50699 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50700 + pte_m = pte_offset_map_nested(pmd_m, address_m);
50701 + ptl_m = pte_lockptr(mm, pmd_m);
50702 + if (ptl != ptl_m) {
50703 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50704 + if (!pte_none(*pte_m))
50708 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
50709 + page_cache_get(page_m);
50710 + page_add_file_rmap(page_m);
50711 + inc_mm_counter_fast(mm, MM_FILEPAGES);
50712 + set_pte_at(mm, address_m, pte_m, entry_m);
50713 + update_mmu_cache(vma_m, address_m, entry_m);
50715 + if (ptl != ptl_m)
50716 + spin_unlock(ptl_m);
50717 + pte_unmap_nested(pte_m);
50720 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
50722 + struct mm_struct *mm = vma->vm_mm;
50723 + unsigned long address_m;
50724 + spinlock_t *ptl_m;
50725 + struct vm_area_struct *vma_m;
50727 + pte_t *pte_m, entry_m;
50729 + vma_m = pax_find_mirror_vma(vma);
50733 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50734 + address_m = address + SEGMEXEC_TASK_SIZE;
50735 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50736 + pte_m = pte_offset_map_nested(pmd_m, address_m);
50737 + ptl_m = pte_lockptr(mm, pmd_m);
50738 + if (ptl != ptl_m) {
50739 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50740 + if (!pte_none(*pte_m))
50744 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
50745 + set_pte_at(mm, address_m, pte_m, entry_m);
50747 + if (ptl != ptl_m)
50748 + spin_unlock(ptl_m);
50749 + pte_unmap_nested(pte_m);
50752 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
50754 + struct page *page_m;
50757 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
50761 + page_m = vm_normal_page(vma, address, entry);
50763 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
50764 + else if (PageAnon(page_m)) {
50765 + if (pax_find_mirror_vma(vma)) {
50766 + pte_unmap_unlock(pte, ptl);
50767 + lock_page(page_m);
50768 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
50769 + if (pte_same(entry, *pte))
50770 + pax_mirror_anon_pte(vma, address, page_m, ptl);
50772 + unlock_page(page_m);
50775 + pax_mirror_file_pte(vma, address, page_m, ptl);
50778 + pte_unmap_unlock(pte, ptl);
50783 * This routine handles present pages, when users try to write
50784 * to a shared page. It is done by copying the page to a new address
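Review bot: `pax_mirror_anon_pte()` asserts `PageLocked(page_m)` and ends with `unlock_page(page_m)`, but its header comment documents only the ptl, so the page-lock hand-off is left for callers to discover. I would add a line such as `* page_m must be locked by the caller when a mirror exists; the lock is released here`, to be checked against the lines not shown after `pax_find_mirror_vma()`, which presumably handle the no-mirror case. The anon, file and pfn variants also repeat the same `address_m` / `pmd_m` / `ptl_m` lookup-and-lock sequence, which would be easier to audit as one static helper. `pax_mirror_file_pte()` is the only one of the four without `static`, so a comment naming its outside caller would help.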
50785 @@ -2275,6 +2463,12 @@ gotten:
50787 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
50788 if (likely(pte_same(*page_table, orig_pte))) {
50790 +#ifdef CONFIG_PAX_SEGMEXEC
50791 + if (pax_find_mirror_vma(vma))
50792 + BUG_ON(!trylock_page(new_page));
50796 if (!PageAnon(old_page)) {
50797 dec_mm_counter_fast(mm, MM_FILEPAGES);
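Review bot: `BUG_ON(!trylock_page(new_page));` takes the page lock inside an assertion macro, so the acquisition that `pax_mirror_anon_pte()` later depends on is easy to miss when reading. Writing it as `if (!trylock_page(new_page)) BUG();` keeps the behaviour and makes the side effect visible. A comment that the page is presumably new and therefore cannot be locked by anyone else would explain why it is safe. The same form appears in the do_anonymous_page and __do_fault hunks below, and with `pax_mirror_vma()` as the argument in the mm/mmap.c mmap_region hunk. The enclosing function starts and ends outside this hunk.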
50798 @@ -2326,6 +2520,10 @@ gotten:
50799 page_remove_rmap(old_page);
50802 +#ifdef CONFIG_PAX_SEGMEXEC
50803 + pax_mirror_anon_pte(vma, address, new_page, ptl);
50806 /* Free the old page.. */
50807 new_page = old_page;
50808 ret |= VM_FAULT_WRITE;
50809 @@ -2734,6 +2932,11 @@ static int do_swap_page(struct mm_struct
50811 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
50812 try_to_free_swap(page);
50814 +#ifdef CONFIG_PAX_SEGMEXEC
50815 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
50820 if (flags & FAULT_FLAG_WRITE) {
50821 @@ -2745,6 +2948,11 @@ static int do_swap_page(struct mm_struct
50823 /* No need to invalidate - it was non-present before */
50824 update_mmu_cache(vma, address, page_table);
50826 +#ifdef CONFIG_PAX_SEGMEXEC
50827 + pax_mirror_anon_pte(vma, address, page, ptl);
50831 pte_unmap_unlock(page_table, ptl);
50833 @@ -2760,33 +2968,6 @@ out_release:
50837 - * This is like a special single-page "expand_downwards()",
50838 - * except we must first make sure that 'address-PAGE_SIZE'
50839 - * doesn't hit another vma.
50841 - * The "find_vma()" will do the right thing even if we wrap
50843 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
50845 - address &= PAGE_MASK;
50846 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
50847 - struct vm_area_struct *prev = vma->vm_prev;
50850 - * Is there a mapping abutting this one below?
50852 - * That's only ok if it's the same stack mapping
50853 - * that has gotten split..
50855 - if (prev && prev->vm_end == address)
50856 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
50858 - expand_stack(vma, address - PAGE_SIZE);
50864 * We enter with non-exclusive mmap_sem (to exclude vma changes,
50865 * but allow concurrent faults), and pte mapped but not yet locked.
50866 * We return with mmap_sem still held, but pte unmapped and unlocked.
50867 @@ -2795,27 +2976,23 @@ static int do_anonymous_page(struct mm_s
50868 unsigned long address, pte_t *page_table, pmd_t *pmd,
50869 unsigned int flags)
50871 - struct page *page;
50872 + struct page *page = NULL;
50876 - pte_unmap(page_table);
50878 - /* Check if we need to add a guard page to the stack */
50879 - if (check_stack_guard_page(vma, address) < 0)
50880 - return VM_FAULT_SIGBUS;
50882 - /* Use the zero-page for reads */
50883 if (!(flags & FAULT_FLAG_WRITE)) {
50884 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
50885 vma->vm_page_prot));
50886 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
50887 + ptl = pte_lockptr(mm, pmd);
50889 if (!pte_none(*page_table))
50894 /* Allocate our own private page. */
50895 + pte_unmap(page_table);
50897 if (unlikely(anon_vma_prepare(vma)))
50899 page = alloc_zeroed_user_highpage_movable(vma, address);
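Review bot: The stack guard-page check is dropped from do_anonymous_page with no comment naming what replaces it, and the matching helpers are deleted in the mm/mlock.c hunks as well. The replacement appears to be `sysctl_heap_stack_gap` / `check_heap_stack_gap()` added in mm/mmap.c; a line such as `/* stack/heap separation is enforced at mapping time by check_heap_stack_gap(), not by a guard page here */` would make that traceable. The read-fault path now takes the lock through `pte_lockptr(mm, pmd)` on the `page_table` mapping it was entered with, instead of remapping it, so the function's entry comment should say that the pte must stay mapped until that point. The function body continues outside the hunk.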
50900 @@ -2834,6 +3011,11 @@ static int do_anonymous_page(struct mm_s
50901 if (!pte_none(*page_table))
50904 +#ifdef CONFIG_PAX_SEGMEXEC
50905 + if (pax_find_mirror_vma(vma))
50906 + BUG_ON(!trylock_page(page));
50909 inc_mm_counter_fast(mm, MM_ANONPAGES);
50910 page_add_new_anon_rmap(page, vma, address);
50912 @@ -2841,6 +3023,12 @@ setpte:
50914 /* No need to invalidate - it was non-present before */
50915 update_mmu_cache(vma, address, page_table);
50917 +#ifdef CONFIG_PAX_SEGMEXEC
50919 + pax_mirror_anon_pte(vma, address, page, ptl);
50923 pte_unmap_unlock(page_table, ptl);
50925 @@ -2983,6 +3171,12 @@ static int __do_fault(struct mm_struct *
50927 /* Only go through if we didn't race with anybody else... */
50928 if (likely(pte_same(*page_table, orig_pte))) {
50930 +#ifdef CONFIG_PAX_SEGMEXEC
50931 + if (anon && pax_find_mirror_vma(vma))
50932 + BUG_ON(!trylock_page(page));
50935 flush_icache_page(vma, page);
50936 entry = mk_pte(page, vma->vm_page_prot);
50937 if (flags & FAULT_FLAG_WRITE)
50938 @@ -3002,6 +3196,14 @@ static int __do_fault(struct mm_struct *
50940 /* no need to invalidate: a not-present page won't be cached */
50941 update_mmu_cache(vma, address, page_table);
50943 +#ifdef CONFIG_PAX_SEGMEXEC
50945 + pax_mirror_anon_pte(vma, address, page, ptl);
50947 + pax_mirror_file_pte(vma, address, page, ptl);
50952 mem_cgroup_uncharge_page(page);
50953 @@ -3149,6 +3351,12 @@ static inline int handle_pte_fault(struc
50954 if (flags & FAULT_FLAG_WRITE)
50955 flush_tlb_page(vma, address);
50958 +#ifdef CONFIG_PAX_SEGMEXEC
50959 + pax_mirror_pte(vma, address, pte, pmd, ptl);
50964 pte_unmap_unlock(pte, ptl);
50966 @@ -3165,6 +3373,10 @@ int handle_mm_fault(struct mm_struct *mm
50970 +#ifdef CONFIG_PAX_SEGMEXEC
50971 + struct vm_area_struct *vma_m;
50974 __set_current_state(TASK_RUNNING);
50976 count_vm_event(PGFAULT);
50977 @@ -3175,6 +3387,34 @@ int handle_mm_fault(struct mm_struct *mm
50978 if (unlikely(is_vm_hugetlb_page(vma)))
50979 return hugetlb_fault(mm, vma, address, flags);
50981 +#ifdef CONFIG_PAX_SEGMEXEC
50982 + vma_m = pax_find_mirror_vma(vma);
50984 + unsigned long address_m;
50989 + if (vma->vm_start > vma_m->vm_start) {
50990 + address_m = address;
50991 + address -= SEGMEXEC_TASK_SIZE;
50994 + address_m = address + SEGMEXEC_TASK_SIZE;
50996 + pgd_m = pgd_offset(mm, address_m);
50997 + pud_m = pud_alloc(mm, pgd_m, address_m);
50999 + return VM_FAULT_OOM;
51000 + pmd_m = pmd_alloc(mm, pud_m, address_m);
51002 + return VM_FAULT_OOM;
51003 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
51004 + return VM_FAULT_OOM;
51005 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
51009 pgd = pgd_offset(mm, address);
51010 pud = pud_alloc(mm, pgd, address);
51012 @@ -3272,7 +3512,7 @@ static int __init gate_vma_init(void)
51013 gate_vma.vm_start = FIXADDR_USER_START;
51014 gate_vma.vm_end = FIXADDR_USER_END;
51015 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
51016 - gate_vma.vm_page_prot = __P101;
51017 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
51019 * Make sure the vDSO gets into every core dump.
51020 * Dumping its contents makes post-mortem fully interpretable later
51021 diff -urNp linux-2.6.35.5/mm/memory-failure.c linux-2.6.35.5/mm/memory-failure.c
51022 --- linux-2.6.35.5/mm/memory-failure.c 2010-08-26 19:47:12.000000000 -0400
51023 +++ linux-2.6.35.5/mm/memory-failure.c 2010-09-17 20:12:09.000000000 -0400
51024 @@ -51,7 +51,7 @@ int sysctl_memory_failure_early_kill __r
51026 int sysctl_memory_failure_recovery __read_mostly = 1;
51028 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
51029 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
51031 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
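Review bot: `mce_bad_pages` moves to `atomic_long_unchecked_t` without a comment explaining why this counter is exempt from the checked atomic type. Presumably it is a statistic rather than a reference count, so wrap-around is harmless. A one-line comment at the definition, e.g. `/* statistics only, not a refcount: overflow is harmless */`, would let a later reader confirm that instead of guessing. The `_unchecked` accessor changes in the following hunks of this file follow from the same decision.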
51033 @@ -939,7 +939,7 @@ int __memory_failure(unsigned long pfn,
51037 - atomic_long_add(1, &mce_bad_pages);
51038 + atomic_long_add_unchecked(1, &mce_bad_pages);
51041 * We need/can do nothing about count=0 pages.
51042 @@ -1003,7 +1003,7 @@ int __memory_failure(unsigned long pfn,
51044 if (hwpoison_filter(p)) {
51045 if (TestClearPageHWPoison(p))
51046 - atomic_long_dec(&mce_bad_pages);
51047 + atomic_long_dec_unchecked(&mce_bad_pages);
51051 @@ -1096,7 +1096,7 @@ int unpoison_memory(unsigned long pfn)
51053 if (!get_page_unless_zero(page)) {
51054 if (TestClearPageHWPoison(p))
51055 - atomic_long_dec(&mce_bad_pages);
51056 + atomic_long_dec_unchecked(&mce_bad_pages);
51057 pr_debug("MCE: Software-unpoisoned free page %#lx\n", pfn);
51060 @@ -1110,7 +1110,7 @@ int unpoison_memory(unsigned long pfn)
51062 if (TestClearPageHWPoison(p)) {
51063 pr_debug("MCE: Software-unpoisoned page %#lx\n", pfn);
51064 - atomic_long_dec(&mce_bad_pages);
51065 + atomic_long_dec_unchecked(&mce_bad_pages);
51069 @@ -1291,7 +1291,7 @@ int soft_offline_page(struct page *page,
51073 - atomic_long_add(1, &mce_bad_pages);
51074 + atomic_long_add_unchecked(1, &mce_bad_pages);
51075 SetPageHWPoison(page);
51076 /* keep elevated page count for bad page */
51078 diff -urNp linux-2.6.35.5/mm/mempolicy.c linux-2.6.35.5/mm/mempolicy.c
51079 --- linux-2.6.35.5/mm/mempolicy.c 2010-08-26 19:47:12.000000000 -0400
51080 +++ linux-2.6.35.5/mm/mempolicy.c 2010-09-17 20:12:37.000000000 -0400
51081 @@ -642,6 +642,10 @@ static int mbind_range(struct mm_struct
51082 unsigned long vmstart;
51083 unsigned long vmend;
51085 +#ifdef CONFIG_PAX_SEGMEXEC
51086 + struct vm_area_struct *vma_m;
51089 vma = find_vma_prev(mm, start, &prev);
51090 if (!vma || vma->vm_start > start)
51092 @@ -672,6 +676,16 @@ static int mbind_range(struct mm_struct
51093 err = policy_vma(vma, new_pol);
51097 +#ifdef CONFIG_PAX_SEGMEXEC
51098 + vma_m = pax_find_mirror_vma(vma);
51100 + err = policy_vma(vma_m, new_pol);
51109 @@ -1098,6 +1112,17 @@ static long do_mbind(unsigned long start
51114 +#ifdef CONFIG_PAX_SEGMEXEC
51115 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
51116 + if (end > SEGMEXEC_TASK_SIZE)
51121 + if (end > TASK_SIZE)
51127 @@ -1303,6 +1328,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
51131 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51132 + if (mm != current->mm &&
51133 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
51140 * Check if this process has the right to modify the specified
51141 * process. The right exists if the process has administrative
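Review bot: The flag test `mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC` depends on `&` binding tighter than `||` and reads the field twice; `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)` states the same condition as one mask. A short comment on why a foreign mm carrying these flags is refused would also help, since the branch body is not visible in this hunk and the reason has to be guessed from the config symbol. The move_pages hunk in mm/migrate.c carries the identical test.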
51142 @@ -1312,8 +1345,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
51144 tcred = __task_cred(task);
51145 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
51146 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
51147 - !capable(CAP_SYS_NICE)) {
51148 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
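Review bot: Dropping `cred->uid != tcred->uid` from the denial condition means a caller whose real uid matches the target's real uid is no longer permitted on that ground alone, and the explanatory comment above the check is not touched by the hunk. Its full text lies outside the visible lines, so this is inferred, but if it still lists the four uid comparisons it now describes a rule the code does not implement. I would update it in the same change, e.g. `* (the caller's real uid matching the target's real uid is no longer sufficient)`. The move_pages hunk in mm/migrate.c makes the same edit and needs the same comment update.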
51152 @@ -2564,7 +2596,7 @@ int show_numa_map(struct seq_file *m, vo
51155 seq_printf(m, " file=");
51156 - seq_path(m, &file->f_path, "\n\t= ");
51157 + seq_path(m, &file->f_path, "\n\t\\= ");
51158 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
51159 seq_printf(m, " heap");
51160 } else if (vma->vm_start <= mm->start_stack &&
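Review bot: The escape set passed to `seq_path()` gains a backslash with no comment saying why. Presumably the aim is that a literal backslash in a file name is itself escaped, so a crafted name cannot imitate the escape that seq_path() emits for newline, tab or `=` and mislead a parser of this output. A comment such as `/* escape '\\' too, so a path cannot forge an escaped character */` above the call would record that. show_numa_map's body continues outside the hunk.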
51161 diff -urNp linux-2.6.35.5/mm/migrate.c linux-2.6.35.5/mm/migrate.c
51162 --- linux-2.6.35.5/mm/migrate.c 2010-08-26 19:47:12.000000000 -0400
51163 +++ linux-2.6.35.5/mm/migrate.c 2010-09-17 20:12:37.000000000 -0400
51164 @@ -1102,6 +1102,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
51168 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51169 + if (mm != current->mm &&
51170 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
51177 * Check if this process has the right to modify the specified
51178 * process. The right exists if the process has administrative
51179 @@ -1111,8 +1119,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
51181 tcred = __task_cred(task);
51182 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
51183 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
51184 - !capable(CAP_SYS_NICE)) {
51185 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
51189 diff -urNp linux-2.6.35.5/mm/mlock.c linux-2.6.35.5/mm/mlock.c
51190 --- linux-2.6.35.5/mm/mlock.c 2010-08-26 19:47:12.000000000 -0400
51191 +++ linux-2.6.35.5/mm/mlock.c 2010-09-17 20:12:37.000000000 -0400
51193 #include <linux/pagemap.h>
51194 #include <linux/mempolicy.h>
51195 #include <linux/syscalls.h>
51196 +#include <linux/security.h>
51197 #include <linux/sched.h>
51198 #include <linux/module.h>
51199 #include <linux/rmap.h>
51200 @@ -135,19 +136,6 @@ void munlock_vma_page(struct page *page)
51204 -/* Is the vma a continuation of the stack vma above it? */
51205 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
51207 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
51210 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
51212 - return (vma->vm_flags & VM_GROWSDOWN) &&
51213 - (vma->vm_start == addr) &&
51214 - !vma_stack_continue(vma->vm_prev, addr);
51218 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
51220 @@ -180,12 +168,6 @@ static long __mlock_vma_pages_range(stru
51221 if (vma->vm_flags & VM_WRITE)
51222 gup_flags |= FOLL_WRITE;
51224 - /* We don't try to access the guard page of a stack vma */
51225 - if (stack_guard_page(vma, start)) {
51226 - addr += PAGE_SIZE;
51230 while (nr_pages > 0) {
51233 @@ -451,6 +433,9 @@ static int do_mlock(unsigned long start,
51237 + if (end > TASK_SIZE)
51240 vma = find_vma_prev(current->mm, start, &prev);
51241 if (!vma || vma->vm_start > start)
51243 @@ -461,6 +446,11 @@ static int do_mlock(unsigned long start,
51244 for (nstart = start ; ; ) {
51245 unsigned int newflags;
51247 +#ifdef CONFIG_PAX_SEGMEXEC
51248 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
51252 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
51254 newflags = vma->vm_flags | VM_LOCKED;
51255 @@ -510,6 +500,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
51256 lock_limit >>= PAGE_SHIFT;
51258 /* check against resource limits */
51259 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
51260 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
51261 error = do_mlock(start, len, 1);
51262 up_write(¤t->mm->mmap_sem);
51263 @@ -531,17 +522,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
51264 static int do_mlockall(int flags)
51266 struct vm_area_struct * vma, * prev = NULL;
51267 - unsigned int def_flags = 0;
51269 if (flags & MCL_FUTURE)
51270 - def_flags = VM_LOCKED;
51271 - current->mm->def_flags = def_flags;
51272 + current->mm->def_flags |= VM_LOCKED;
51274 + current->mm->def_flags &= ~VM_LOCKED;
51275 if (flags == MCL_FUTURE)
51278 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
51279 - unsigned int newflags;
51280 + unsigned long newflags;
51282 +#ifdef CONFIG_PAX_SEGMEXEC
51283 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
51287 + BUG_ON(vma->vm_end > TASK_SIZE);
51288 newflags = vma->vm_flags | VM_LOCKED;
51289 if (!(flags & MCL_CURRENT))
51290 newflags &= ~VM_LOCKED;
51291 @@ -573,6 +570,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
51292 lock_limit >>= PAGE_SHIFT;
51295 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
51296 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
51297 capable(CAP_IPC_LOCK))
51298 ret = do_mlockall(flags);
51299 diff -urNp linux-2.6.35.5/mm/mmap.c linux-2.6.35.5/mm/mmap.c
51300 --- linux-2.6.35.5/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
51301 +++ linux-2.6.35.5/mm/mmap.c 2010-09-17 20:12:37.000000000 -0400
51303 #define arch_rebalance_pgtables(addr, len) (addr)
51306 +static inline void verify_mm_writelocked(struct mm_struct *mm)
51308 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
51309 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
51310 + up_read(&mm->mmap_sem);
51316 static void unmap_region(struct mm_struct *mm,
51317 struct vm_area_struct *vma, struct vm_area_struct *prev,
51318 unsigned long start, unsigned long end);
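Review bot: `verify_mm_writelocked()` is added without a comment, and its test is indirect: a successful `down_read_trylock()` shows only that nobody holds `mmap_sem` for write, not that the current task is the holder. I would document that limit at the definition, e.g. `/* caller must hold mmap_sem for write; a read-trylock that succeeds proves it does not */`. What the helper does after `up_read()` is on lines not shown here.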
51319 @@ -69,22 +79,32 @@ static void unmap_region(struct mm_struc
51320 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
51323 -pgprot_t protection_map[16] = {
51324 +pgprot_t protection_map[16] __read_only = {
51325 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
51326 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
51329 pgprot_t vm_get_page_prot(unsigned long vm_flags)
51331 - return __pgprot(pgprot_val(protection_map[vm_flags &
51332 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
51333 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
51334 pgprot_val(arch_vm_get_page_prot(vm_flags)));
51336 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51337 + if (!(__supported_pte_mask & _PAGE_NX) &&
51338 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
51339 + (vm_flags & (VM_READ | VM_WRITE)))
51340 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
51345 EXPORT_SYMBOL(vm_get_page_prot);
51347 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
51348 int sysctl_overcommit_ratio = 50; /* default is 50% */
51349 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
51350 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
51351 struct percpu_counter vm_committed_as;
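Review bot: `sysctl_heap_stack_gap` is introduced as a bare `64*1024` with neither unit nor purpose stated. In `check_heap_stack_gap()` later in this file it is subtracted from an address, so it appears to be a byte count. A comment beside the definition, `/* minimum gap in bytes kept between a mapping and a growable stack vma */`, would record that. The sysctl registration is not in this hunk, so the unit should be confirmed there.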
51354 @@ -230,6 +250,7 @@ static struct vm_area_struct *remove_vma
51355 struct vm_area_struct *next = vma->vm_next;
51358 + BUG_ON(vma->vm_mirror);
51359 if (vma->vm_ops && vma->vm_ops->close)
51360 vma->vm_ops->close(vma);
51361 if (vma->vm_file) {
51362 @@ -266,6 +287,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
51363 * not page aligned -Ram Gupta
51365 rlim = rlimit(RLIMIT_DATA);
51366 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
51367 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
51368 (mm->end_data - mm->start_data) > rlim)
51370 @@ -695,6 +717,12 @@ static int
51371 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
51372 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
51375 +#ifdef CONFIG_PAX_SEGMEXEC
51376 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
51380 if (is_mergeable_vma(vma, file, vm_flags) &&
51381 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
51382 if (vma->vm_pgoff == vm_pgoff)
51383 @@ -714,6 +742,12 @@ static int
51384 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
51385 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
51388 +#ifdef CONFIG_PAX_SEGMEXEC
51389 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
51393 if (is_mergeable_vma(vma, file, vm_flags) &&
51394 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
51396 @@ -756,13 +790,20 @@ can_vma_merge_after(struct vm_area_struc
51397 struct vm_area_struct *vma_merge(struct mm_struct *mm,
51398 struct vm_area_struct *prev, unsigned long addr,
51399 unsigned long end, unsigned long vm_flags,
51400 - struct anon_vma *anon_vma, struct file *file,
51401 + struct anon_vma *anon_vma, struct file *file,
51402 pgoff_t pgoff, struct mempolicy *policy)
51404 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
51405 struct vm_area_struct *area, *next;
51408 +#ifdef CONFIG_PAX_SEGMEXEC
51409 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
51410 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
51412 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
51416 * We later require that vma->vm_flags == vm_flags,
51417 * so this tests vma->vm_flags & VM_SPECIAL, too.
51418 @@ -778,6 +819,15 @@ struct vm_area_struct *vma_merge(struct
51419 if (next && next->vm_end == end) /* cases 6, 7, 8 */
51420 next = next->vm_next;
51422 +#ifdef CONFIG_PAX_SEGMEXEC
51424 + prev_m = pax_find_mirror_vma(prev);
51426 + area_m = pax_find_mirror_vma(area);
51428 + next_m = pax_find_mirror_vma(next);
51432 * Can it merge with the predecessor?
51434 @@ -797,9 +847,24 @@ struct vm_area_struct *vma_merge(struct
51436 err = vma_adjust(prev, prev->vm_start,
51437 next->vm_end, prev->vm_pgoff, NULL);
51438 - } else /* cases 2, 5, 7 */
51440 +#ifdef CONFIG_PAX_SEGMEXEC
51441 + if (!err && prev_m)
51442 + err = vma_adjust(prev_m, prev_m->vm_start,
51443 + next_m->vm_end, prev_m->vm_pgoff, NULL);
51446 + } else { /* cases 2, 5, 7 */
51447 err = vma_adjust(prev, prev->vm_start,
51448 end, prev->vm_pgoff, NULL);
51450 +#ifdef CONFIG_PAX_SEGMEXEC
51451 + if (!err && prev_m)
51452 + err = vma_adjust(prev_m, prev_m->vm_start,
51453 + end_m, prev_m->vm_pgoff, NULL);
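Review bot: The first mirror adjustment is guarded by `prev_m` alone but dereferences `next_m` (`next_m->vm_end`), so it relies on `next` having a mirror whenever `prev` does. That probably holds because mergeable vmas share vm_flags, but it is stated nowhere. A comment to that effect, or an explicit check of `next_m` before the dereference with a mismatch treated as an error, would make the assumption verifiable. The next hunk has the same shape, testing `area_m` and then reading `next_m->vm_end` and `next_m->vm_pgoff`. A failing second `vma_adjust()` also returns an error after the lower vma has already been changed, which deserves a comment on how the pair is kept consistent. vma_merge's body continues outside the hunk.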
51460 @@ -812,12 +877,27 @@ struct vm_area_struct *vma_merge(struct
51461 mpol_equal(policy, vma_policy(next)) &&
51462 can_vma_merge_before(next, vm_flags,
51463 anon_vma, file, pgoff+pglen)) {
51464 - if (prev && addr < prev->vm_end) /* case 4 */
51465 + if (prev && addr < prev->vm_end) { /* case 4 */
51466 err = vma_adjust(prev, prev->vm_start,
51467 addr, prev->vm_pgoff, NULL);
51468 - else /* cases 3, 8 */
51470 +#ifdef CONFIG_PAX_SEGMEXEC
51471 + if (!err && prev_m)
51472 + err = vma_adjust(prev_m, prev_m->vm_start,
51473 + addr_m, prev_m->vm_pgoff, NULL);
51476 + } else { /* cases 3, 8 */
51477 err = vma_adjust(area, addr, next->vm_end,
51478 next->vm_pgoff - pglen, NULL);
51480 +#ifdef CONFIG_PAX_SEGMEXEC
51481 + if (!err && area_m)
51482 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
51483 + next_m->vm_pgoff - pglen, NULL);
51490 @@ -932,14 +1012,11 @@ none:
51491 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
51492 struct file *file, long pages)
51494 - const unsigned long stack_flags
51495 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
51498 mm->shared_vm += pages;
51499 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
51500 mm->exec_vm += pages;
51501 - } else if (flags & stack_flags)
51502 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
51503 mm->stack_vm += pages;
51504 if (flags & (VM_RESERVED|VM_IO))
51505 mm->reserved_vm += pages;
51506 @@ -966,7 +1043,7 @@ unsigned long do_mmap_pgoff(struct file
51507 * (the exception is when the underlying filesystem is noexec
51508 * mounted, in which case we dont add PROT_EXEC.)
51510 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
51511 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
51512 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
51515 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
51516 /* Obtain the address to map to. we verify (or select) it and ensure
51517 * that it represents a valid section of the address space.
51519 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
51520 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
51521 if (addr & ~PAGE_MASK)
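Review bot: `MAP_EXECUTABLE` is reused here as an in-kernel hint to `get_unmapped_area()` that the request is executable, which is not what the flag means elsewhere and is not commented. The hint is only trustworthy if the bit cannot already be set in `flags` from the caller. Whether the syscall entry strips it is not visible in this hunk and should be confirmed. A comment such as `/* tell the address chooser about PROT_EXEC; MAP_EXECUTABLE from userland is cleared at syscall entry (verify) */` would make the dependency explicit.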
51524 @@ -1003,6 +1080,28 @@ unsigned long do_mmap_pgoff(struct file
51525 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
51526 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
51528 +#ifdef CONFIG_PAX_MPROTECT
51529 + if (mm->pax_flags & MF_PAX_MPROTECT) {
51530 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
51532 +#ifdef CONFIG_PAX_EMUPLT
51533 + vm_flags &= ~VM_EXEC;
51538 + if (!(vm_flags & VM_EXEC))
51539 + vm_flags &= ~VM_MAYEXEC;
51541 + vm_flags &= ~VM_MAYWRITE;
51545 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51546 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
51547 + vm_flags &= ~VM_PAGEEXEC;
51550 if (flags & MAP_LOCKED)
51551 if (!can_do_mlock())
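Review bot: The `MF_PAX_MPROTECT` block encodes a write-xor-execute policy purely through flag arithmetic and carries no comment. The visible lines clear `VM_MAYEXEC` when `VM_EXEC` is absent and `VM_MAYWRITE` otherwise, so a mapping cannot later gain the right it was created without. I would put `/* W^X: writable or executable, never both, and neither can be added later via mprotect */` above the block. How a WRITE|EXEC request is handled outside `CONFIG_PAX_EMUPLT` is on lines not shown, so that part of the comment needs checking against the full hunk. do_mmap_pgoff's body continues outside the hunk.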
51553 @@ -1014,6 +1113,7 @@ unsigned long do_mmap_pgoff(struct file
51554 locked += mm->locked_vm;
51555 lock_limit = rlimit(RLIMIT_MEMLOCK);
51556 lock_limit >>= PAGE_SHIFT;
51557 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
51558 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
51561 @@ -1084,6 +1184,9 @@ unsigned long do_mmap_pgoff(struct file
51565 + if (!gr_acl_handle_mmap(file, prot))
51568 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
51570 EXPORT_SYMBOL(do_mmap_pgoff);
51571 @@ -1160,10 +1263,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
51573 int vma_wants_writenotify(struct vm_area_struct *vma)
51575 - unsigned int vm_flags = vma->vm_flags;
51576 + unsigned long vm_flags = vma->vm_flags;
51578 /* If it was private or non-writable, the write bit is already clear */
51579 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
51580 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
51583 /* The backer wishes to know when pages are first written to? */
51584 @@ -1212,14 +1315,24 @@ unsigned long mmap_region(struct file *f
51585 unsigned long charged = 0;
51586 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
51588 +#ifdef CONFIG_PAX_SEGMEXEC
51589 + struct vm_area_struct *vma_m = NULL;
51593 + * mm->mmap_sem is required to protect against another thread
51594 + * changing the mappings in case we sleep.
51596 + verify_mm_writelocked(mm);
51598 /* Clear old maps */
51601 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
51602 if (vma && vma->vm_start < addr + len) {
51603 if (do_munmap(mm, addr, len))
51605 - goto munmap_back;
51606 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
51607 + BUG_ON(vma && vma->vm_start < addr + len);
51610 /* Check against address space limit. */
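Review bot: The `BUG_ON(vma && vma->vm_start < addr + len)` that replaces the `goto munmap_back` retry turns an overlap surviving `do_munmap()` into a kernel halt, and no comment says why that cannot happen. If the argument is that mmap_sem is write-held, which `verify_mm_writelocked(mm)` checks a few lines up, state it next to the assertion: `/* mmap_sem is write-held, so nothing can map into the range after do_munmap() */`. If the `munmap_back:` label is left without users it should be removed in the same change; the label line is not visible in this hunk. mmap_region's body continues outside the hunk.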
51611 @@ -1268,6 +1381,16 @@ munmap_back:
51615 +#ifdef CONFIG_PAX_SEGMEXEC
51616 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
51617 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
51626 vma->vm_start = addr;
51627 vma->vm_end = addr + len;
51628 @@ -1291,6 +1414,19 @@ munmap_back:
51629 error = file->f_op->mmap(file, vma);
51631 goto unmap_and_free_vma;
51633 +#ifdef CONFIG_PAX_SEGMEXEC
51634 + if (vma_m && (vm_flags & VM_EXECUTABLE))
51635 + added_exe_file_vma(mm);
51638 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51639 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
51640 + vma->vm_flags |= VM_PAGEEXEC;
51641 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
51645 if (vm_flags & VM_EXECUTABLE)
51646 added_exe_file_vma(mm);
51648 @@ -1326,6 +1462,11 @@ munmap_back:
51649 vma_link(mm, vma, prev, rb_link, rb_parent);
51650 file = vma->vm_file;
51652 +#ifdef CONFIG_PAX_SEGMEXEC
51654 + BUG_ON(pax_mirror_vma(vma_m, vma));
51657 /* Once vma denies write, undo our temporary denial count */
51658 if (correct_wcount)
51659 atomic_inc(&inode->i_writecount);
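Review bot: The added `BUG_ON(pax_mirror_vma(vma_m, vma));` in the CONFIG_PAX_SEGMEXEC block puts a call with side effects inside an assertion, so the mirror vma is linked only as a by-product of the check and any error return becomes a kernel BUG rather than a failed mmap. pax_mirror_vma() is declared later in this patch as returning long and has a path guarded by `anon_vma_clone()`, so a non-zero return is at least possible in principle. I would split it into `error = pax_mirror_vma(vma_m, vma);` followed by `BUG_ON(error);` and add a comment stating why the call cannot fail for a freshly created vma, if that is the invariant being relied on. The insert_vm_struct hunk further down uses the same pattern. mmap_region's body continues outside the hunk.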
51660 @@ -1334,6 +1475,7 @@ out:
51662 mm->total_vm += len >> PAGE_SHIFT;
51663 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
51664 + track_exec_limit(mm, addr, addr + len, vm_flags);
51665 if (vm_flags & VM_LOCKED) {
51666 if (!mlock_vma_pages_range(vma, addr, addr + len))
51667 mm->locked_vm += (len >> PAGE_SHIFT);
51668 @@ -1351,6 +1493,12 @@ unmap_and_free_vma:
51669 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
51673 +#ifdef CONFIG_PAX_SEGMEXEC
51675 + kmem_cache_free(vm_area_cachep, vma_m);
51678 kmem_cache_free(vm_area_cachep, vma);
51681 @@ -1358,6 +1506,33 @@ unacct_error:
51685 +bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len)
51688 +#ifdef CONFIG_STACK_GROWSUP
51689 + if (addr > sysctl_heap_stack_gap)
51690 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
51692 + vma = find_vma(current->mm, 0);
51693 + if (vma && (vma->vm_flags & VM_GROWSUP))
51699 + if (addr + len > vma->vm_start)
51702 + if (vma->vm_flags & VM_GROWSDOWN)
51703 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
51704 +#ifdef CONFIG_STACK_GROWSUP
51705 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
51706 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
51712 /* Get an address range which is currently unmapped.
51713 * For shmat() with addr=0.
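Review bot: In check_heap_stack_gap(), the CONFIG_STACK_GROWSUP branch returns `addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap`, which is true when the candidate range sits closer to the upward-growing stack than the configured gap, whereas the VM_GROWSDOWN branch just above returns true only when the distance is at least the gap. Unless that asymmetry is intended, the comparison looks inverted and should read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. The function is non-static and has no comment; one stating that it returns true when the range starting at `addr` is acceptable, and that callers must already have ruled out `addr + len` wrapping, would help, because `vma->vm_start - addr - len` is unsigned arithmetic. Some lines of the body are not visible in this view, so this is based on the branches shown.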
51715 @@ -1384,18 +1559,23 @@ arch_get_unmapped_area(struct file *filp
51716 if (flags & MAP_FIXED)
51719 +#ifdef CONFIG_PAX_RANDMMAP
51720 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
51724 addr = PAGE_ALIGN(addr);
51725 - vma = find_vma(mm, addr);
51726 - if (TASK_SIZE - len >= addr &&
51727 - (!vma || addr + len <= vma->vm_start))
51729 + if (TASK_SIZE - len >= addr) {
51730 + vma = find_vma(mm, addr);
51731 + if (check_heap_stack_gap(vma, addr, len))
51735 if (len > mm->cached_hole_size) {
51736 - start_addr = addr = mm->free_area_cache;
51737 + start_addr = addr = mm->free_area_cache;
51739 - start_addr = addr = TASK_UNMAPPED_BASE;
51740 - mm->cached_hole_size = 0;
51741 + start_addr = addr = mm->mmap_base;
51742 + mm->cached_hole_size = 0;
51746 @@ -1406,34 +1586,40 @@ full_search:
51747 * Start a new search - just in case we missed
51750 - if (start_addr != TASK_UNMAPPED_BASE) {
51751 - addr = TASK_UNMAPPED_BASE;
51752 - start_addr = addr;
51753 + if (start_addr != mm->mmap_base) {
51754 + start_addr = addr = mm->mmap_base;
51755 mm->cached_hole_size = 0;
51760 - if (!vma || addr + len <= vma->vm_start) {
51762 - * Remember the place where we stopped the search:
51764 - mm->free_area_cache = addr + len;
51767 + if (check_heap_stack_gap(vma, addr, len))
51769 if (addr + mm->cached_hole_size < vma->vm_start)
51770 mm->cached_hole_size = vma->vm_start - addr;
51771 addr = vma->vm_end;
51775 + * Remember the place where we stopped the search:
51777 + mm->free_area_cache = addr + len;
51782 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
51785 +#ifdef CONFIG_PAX_SEGMEXEC
51786 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
51791 * Is this a new hole at the lowest possible address?
51793 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
51794 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
51795 mm->free_area_cache = addr;
51796 mm->cached_hole_size = ~0UL;
51798 @@ -1451,7 +1637,7 @@ arch_get_unmapped_area_topdown(struct fi
51800 struct vm_area_struct *vma;
51801 struct mm_struct *mm = current->mm;
51802 - unsigned long addr = addr0;
51803 + unsigned long base = mm->mmap_base, addr = addr0;
51805 /* requested length too big for entire address space */
51806 if (len > TASK_SIZE)
51807 @@ -1460,13 +1646,18 @@ arch_get_unmapped_area_topdown(struct fi
51808 if (flags & MAP_FIXED)
51811 +#ifdef CONFIG_PAX_RANDMMAP
51812 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
51815 /* requesting a specific address */
51817 addr = PAGE_ALIGN(addr);
51818 - vma = find_vma(mm, addr);
51819 - if (TASK_SIZE - len >= addr &&
51820 - (!vma || addr + len <= vma->vm_start))
51822 + if (TASK_SIZE - len >= addr) {
51823 + vma = find_vma(mm, addr);
51824 + if (check_heap_stack_gap(vma, addr, len))
51829 /* check if free_area_cache is useful for us */
51830 @@ -1481,7 +1672,7 @@ arch_get_unmapped_area_topdown(struct fi
51831 /* make sure it can fit in the remaining address space */
51833 vma = find_vma(mm, addr-len);
51834 - if (!vma || addr <= vma->vm_start)
51835 + if (check_heap_stack_gap(vma, addr - len, len))
51836 /* remember the address as a hint for next time */
51837 return (mm->free_area_cache = addr-len);
51839 @@ -1498,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi
51840 * return with success:
51842 vma = find_vma(mm, addr);
51843 - if (!vma || addr+len <= vma->vm_start)
51844 + if (check_heap_stack_gap(vma, addr, len))
51845 /* remember the address as a hint for next time */
51846 return (mm->free_area_cache = addr);
51848 @@ -1517,13 +1708,21 @@ bottomup:
51849 * can happen with large stack limits and large mmap()
51852 + mm->mmap_base = TASK_UNMAPPED_BASE;
51854 +#ifdef CONFIG_PAX_RANDMMAP
51855 + if (mm->pax_flags & MF_PAX_RANDMMAP)
51856 + mm->mmap_base += mm->delta_mmap;
51859 + mm->free_area_cache = mm->mmap_base;
51860 mm->cached_hole_size = ~0UL;
51861 - mm->free_area_cache = TASK_UNMAPPED_BASE;
51862 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
51864 * Restore the topdown base:
51866 - mm->free_area_cache = mm->mmap_base;
51867 + mm->mmap_base = base;
51868 + mm->free_area_cache = base;
51869 mm->cached_hole_size = ~0UL;
51872 @@ -1532,6 +1731,12 @@ bottomup:
51874 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
51877 +#ifdef CONFIG_PAX_SEGMEXEC
51878 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
51883 * Is this a new hole at the highest possible address?
51885 @@ -1539,8 +1744,10 @@ void arch_unmap_area_topdown(struct mm_s
51886 mm->free_area_cache = addr;
51888 /* dont allow allocations above current base */
51889 - if (mm->free_area_cache > mm->mmap_base)
51890 + if (mm->free_area_cache > mm->mmap_base) {
51891 mm->free_area_cache = mm->mmap_base;
51892 + mm->cached_hole_size = ~0UL;
51897 @@ -1648,6 +1855,34 @@ out:
51898 return prev ? prev->vm_next : vma;
51901 +#ifdef CONFIG_PAX_SEGMEXEC
51902 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
51904 + struct vm_area_struct *vma_m;
51906 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
51907 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
51908 + BUG_ON(vma->vm_mirror);
51911 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
51912 + vma_m = vma->vm_mirror;
51913 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
51914 + BUG_ON(vma->vm_file != vma_m->vm_file);
51915 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
51916 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
51917 + if (vma->anon_vma != vma_m->anon_vma) {
51918 + struct anon_vma_chain *avc, *avc_m;
51920 + avc = list_entry(vma->anon_vma_chain.prev, struct anon_vma_chain, same_vma);
51921 + avc_m = list_entry(vma_m->anon_vma_chain.prev, struct anon_vma_chain, same_vma);
51922 + BUG_ON(avc->anon_vma != avc_m->anon_vma);
51924 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
51930 * Verify that the stack growth is acceptable and
51931 * update accounting. This is shared with both the
51932 @@ -1664,6 +1899,7 @@ static int acct_stack_growth(struct vm_a
51935 /* Stack limit test */
51936 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
51937 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
51940 @@ -1674,6 +1910,7 @@ static int acct_stack_growth(struct vm_a
51941 locked = mm->locked_vm + grow;
51942 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
51943 limit >>= PAGE_SHIFT;
51944 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
51945 if (locked > limit && !capable(CAP_IPC_LOCK))
51948 @@ -1709,35 +1946,42 @@ static
51950 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
51953 + int error, locknext;
51955 if (!(vma->vm_flags & VM_GROWSUP))
51958 + /* Also guard against wrapping around to address 0. */
51959 + if (address < PAGE_ALIGN(address+1))
51960 + address = PAGE_ALIGN(address+1);
51965 * We must make sure the anon_vma is allocated
51966 * so that the anon_vma locking is not a noop.
51968 if (unlikely(anon_vma_prepare(vma)))
51970 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
51971 + if (locknext && anon_vma_prepare(vma->vm_next))
51973 anon_vma_lock(vma);
51975 + anon_vma_lock(vma->vm_next);
51978 * vma->vm_start/vm_end cannot change under us because the caller
51979 * is required to hold the mmap_sem in read mode. We need the
51980 - * anon_vma lock to serialize against concurrent expand_stacks.
51981 - * Also guard against wrapping around to address 0.
51982 + * anon_vma locks to serialize against concurrent expand_stacks
51983 + * and expand_upwards.
51985 - if (address < PAGE_ALIGN(address+4))
51986 - address = PAGE_ALIGN(address+4);
51988 - anon_vma_unlock(vma);
51993 /* Somebody else might have raced and expanded it already */
51994 - if (address > vma->vm_end) {
51995 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
51997 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
51998 unsigned long size, grow;
52000 size = address - vma->vm_start;
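Review bot: expand_upwards() now takes a second anon_vma lock on `vma->vm_next` after locking `vma`, and the updated comment does not state the order in which the two locks must be taken. expand_downwards() in the following hunks locks `prev` before `vma`, so both paths appear to lock the lower-addressed vma first; writing that rule into the comment, e.g. `anon_vma locks are taken in ascending address order`, would keep a later change from inverting it. It is also worth recording the assumption that the two neighbouring vmas never share an anon_vma, since the second lock call would otherwise be made on a lock that is already held. Several lines of the body are not visible in this view.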
52001 @@ -1747,6 +1991,8 @@ int expand_upwards(struct vm_area_struct
52003 vma->vm_end = address;
52006 + anon_vma_unlock(vma->vm_next);
52007 anon_vma_unlock(vma);
52010 @@ -1758,7 +2004,8 @@ int expand_upwards(struct vm_area_struct
52011 static int expand_downwards(struct vm_area_struct *vma,
52012 unsigned long address)
52015 + int error, lockprev = 0;
52016 + struct vm_area_struct *prev;
52019 * We must make sure the anon_vma is allocated
52020 @@ -1772,6 +2019,15 @@ static int expand_downwards(struct vm_ar
52024 + prev = vma->vm_prev;
52025 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
52026 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
52028 + if (lockprev && anon_vma_prepare(prev))
52031 + anon_vma_lock(prev);
52033 anon_vma_lock(vma);
52036 @@ -1781,9 +2037,17 @@ static int expand_downwards(struct vm_ar
52039 /* Somebody else might have raced and expanded it already */
52040 - if (address < vma->vm_start) {
52041 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
52043 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
52044 unsigned long size, grow;
52046 +#ifdef CONFIG_PAX_SEGMEXEC
52047 + struct vm_area_struct *vma_m;
52049 + vma_m = pax_find_mirror_vma(vma);
52052 size = vma->vm_end - address;
52053 grow = (vma->vm_start - address) >> PAGE_SHIFT;
52055 @@ -1791,9 +2055,20 @@ static int expand_downwards(struct vm_ar
52057 vma->vm_start = address;
52058 vma->vm_pgoff -= grow;
52059 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
52061 +#ifdef CONFIG_PAX_SEGMEXEC
52063 + vma_m->vm_start -= grow << PAGE_SHIFT;
52064 + vma_m->vm_pgoff -= grow;
52070 anon_vma_unlock(vma);
52072 + anon_vma_unlock(prev);
52076 @@ -1867,6 +2142,13 @@ static void remove_vma_list(struct mm_st
52078 long nrpages = vma_pages(vma);
52080 +#ifdef CONFIG_PAX_SEGMEXEC
52081 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
52082 + vma = remove_vma(vma);
52087 mm->total_vm -= nrpages;
52088 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
52089 vma = remove_vma(vma);
52090 @@ -1912,6 +2194,16 @@ detach_vmas_to_be_unmapped(struct mm_str
52091 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
52092 vma->vm_prev = NULL;
52095 +#ifdef CONFIG_PAX_SEGMEXEC
52096 + if (vma->vm_mirror) {
52097 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
52098 + vma->vm_mirror->vm_mirror = NULL;
52099 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
52100 + vma->vm_mirror = NULL;
52104 rb_erase(&vma->vm_rb, &mm->mm_rb);
52107 @@ -1940,14 +2232,33 @@ static int __split_vma(struct mm_struct
52108 struct vm_area_struct *new;
52111 +#ifdef CONFIG_PAX_SEGMEXEC
52112 + struct vm_area_struct *vma_m, *new_m = NULL;
52113 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
52116 if (is_vm_hugetlb_page(vma) && (addr &
52117 ~(huge_page_mask(hstate_vma(vma)))))
52120 +#ifdef CONFIG_PAX_SEGMEXEC
52121 + vma_m = pax_find_mirror_vma(vma);
52124 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
52128 +#ifdef CONFIG_PAX_SEGMEXEC
52130 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
52132 + kmem_cache_free(vm_area_cachep, new);
52138 /* most fields are the same, copy all, and then fixup */
52141 @@ -1960,6 +2271,22 @@ static int __split_vma(struct mm_struct
52142 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
52145 +#ifdef CONFIG_PAX_SEGMEXEC
52148 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
52149 + new_m->vm_mirror = new;
52150 + new->vm_mirror = new_m;
52153 + new_m->vm_end = addr_m;
52155 + new_m->vm_start = addr_m;
52156 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
52161 pol = mpol_dup(vma_policy(vma));
52163 err = PTR_ERR(pol);
52164 @@ -1985,6 +2312,42 @@ static int __split_vma(struct mm_struct
52166 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
52168 +#ifdef CONFIG_PAX_SEGMEXEC
52169 + if (!err && vma_m) {
52170 + if (anon_vma_clone(new_m, vma_m))
52171 + goto out_free_mpol;
52174 + vma_set_policy(new_m, pol);
52176 + if (new_m->vm_file) {
52177 + get_file(new_m->vm_file);
52178 + if (vma_m->vm_flags & VM_EXECUTABLE)
52179 + added_exe_file_vma(mm);
52182 + if (new_m->vm_ops && new_m->vm_ops->open)
52183 + new_m->vm_ops->open(new_m);
52186 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
52187 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
52189 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
52192 + if (new_m->vm_ops && new_m->vm_ops->close)
52193 + new_m->vm_ops->close(new_m);
52194 + if (new_m->vm_file) {
52195 + if (vma_m->vm_flags & VM_EXECUTABLE)
52196 + removed_exe_file_vma(mm);
52197 + fput(new_m->vm_file);
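Review bot: Inside the added `if (!err && vma_m)` block, the `anon_vma_clone(new_m, vma_m)` failure path jumps to `out_free_mpol` without assigning `err`, which the enclosing condition has just established to be 0. Unless a line not shown in this hunk sets it, __split_vma would run its cleanup labels and still report success to the caller. Setting the code before the jump, for example `err = -ENOMEM;` ahead of `goto out_free_mpol;` with braces around the two statements, keeps the return value in step with the unwinding. The function starts and ends outside the hunk, so the label bodies should also be checked against the primary vma already having been adjusted at this point.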
52207 @@ -2000,6 +2363,15 @@ static int __split_vma(struct mm_struct
52212 +#ifdef CONFIG_PAX_SEGMEXEC
52214 + unlink_anon_vmas(new_m);
52215 + kmem_cache_free(vm_area_cachep, new_m);
52219 + unlink_anon_vmas(new);
52220 kmem_cache_free(vm_area_cachep, new);
52223 @@ -2012,6 +2384,15 @@ static int __split_vma(struct mm_struct
52224 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
52225 unsigned long addr, int new_below)
52228 +#ifdef CONFIG_PAX_SEGMEXEC
52229 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
52230 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
52231 + if (mm->map_count >= sysctl_max_map_count-1)
52236 if (mm->map_count >= sysctl_max_map_count)
52239 @@ -2023,11 +2404,30 @@ int split_vma(struct mm_struct *mm, stru
52240 * work. This now handles partial unmappings.
52241 * Jeremy Fitzhardinge <jeremy@goop.org>
52243 +#ifdef CONFIG_PAX_SEGMEXEC
52244 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52246 + int ret = __do_munmap(mm, start, len);
52247 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
52250 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
52253 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52255 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52259 struct vm_area_struct *vma, *prev, *last;
52262 + * mm->mmap_sem is required to protect against another thread
52263 + * changing the mappings in case we sleep.
52265 + verify_mm_writelocked(mm);
52267 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
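Review bot: The CONFIG_PAX_SEGMEXEC do_munmap() wrapper returns the result of the second `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` after the first call has already torn down the lower range, so a failure there reports an error for an operation that has half completed. It also assumes every caller passes a `start` below SEGMEXEC_TASK_SIZE; the munmap syscall hunk adds that bound, but the wrapper has no check of its own and no comment states the requirement. A comment on the wrapper documenting both the precondition and the partial-failure behaviour would help callers such as mmap_region and do_brk, which branch on any non-zero return. __do_munmap's body continues outside the hunk.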
52270 @@ -2101,6 +2501,8 @@ int do_munmap(struct mm_struct *mm, unsi
52271 /* Fix up all other VM information */
52272 remove_vma_list(mm, vma);
52274 + track_exec_limit(mm, start, end, 0UL);
52279 @@ -2113,22 +2515,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
52281 profile_munmap(addr);
52283 +#ifdef CONFIG_PAX_SEGMEXEC
52284 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
52285 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
52289 down_write(&mm->mmap_sem);
52290 ret = do_munmap(mm, addr, len);
52291 up_write(&mm->mmap_sem);
52295 -static inline void verify_mm_writelocked(struct mm_struct *mm)
52297 -#ifdef CONFIG_DEBUG_VM
52298 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
52300 - up_read(&mm->mmap_sem);
52306 * this is really a simplified "do_mmap". it only handles
52307 * anonymous maps. eventually we may be able to do some
52308 @@ -2142,6 +2540,7 @@ unsigned long do_brk(unsigned long addr,
52309 struct rb_node ** rb_link, * rb_parent;
52310 pgoff_t pgoff = addr >> PAGE_SHIFT;
52312 + unsigned long charged;
52314 len = PAGE_ALIGN(len);
52316 @@ -2153,16 +2552,30 @@ unsigned long do_brk(unsigned long addr,
52318 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
52320 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
52321 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
52322 + flags &= ~VM_EXEC;
52324 +#ifdef CONFIG_PAX_MPROTECT
52325 + if (mm->pax_flags & MF_PAX_MPROTECT)
52326 + flags &= ~VM_MAYEXEC;
52332 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
52333 if (error & ~PAGE_MASK)
52336 + charged = len >> PAGE_SHIFT;
52339 * mlock MCL_FUTURE?
52341 if (mm->def_flags & VM_LOCKED) {
52342 unsigned long locked, lock_limit;
52343 - locked = len >> PAGE_SHIFT;
52344 + locked = charged;
52345 locked += mm->locked_vm;
52346 lock_limit = rlimit(RLIMIT_MEMLOCK);
52347 lock_limit >>= PAGE_SHIFT;
52348 @@ -2179,22 +2592,22 @@ unsigned long do_brk(unsigned long addr,
52350 * Clear old maps. this also does some error checking for us
52353 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52354 if (vma && vma->vm_start < addr + len) {
52355 if (do_munmap(mm, addr, len))
52357 - goto munmap_back;
52358 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52359 + BUG_ON(vma && vma->vm_start < addr + len);
52362 /* Check against address space limits *after* clearing old maps... */
52363 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
52364 + if (!may_expand_vm(mm, charged))
52367 if (mm->map_count > sysctl_max_map_count)
52370 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
52371 + if (security_vm_enough_memory(charged))
52374 /* Can we just expand an old private anonymous mapping? */
52375 @@ -2208,7 +2621,7 @@ unsigned long do_brk(unsigned long addr,
52377 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52379 - vm_unacct_memory(len >> PAGE_SHIFT);
52380 + vm_unacct_memory(charged);
52384 @@ -2221,11 +2634,12 @@ unsigned long do_brk(unsigned long addr,
52385 vma->vm_page_prot = vm_get_page_prot(flags);
52386 vma_link(mm, vma, prev, rb_link, rb_parent);
52388 - mm->total_vm += len >> PAGE_SHIFT;
52389 + mm->total_vm += charged;
52390 if (flags & VM_LOCKED) {
52391 if (!mlock_vma_pages_range(vma, addr, addr + len))
52392 - mm->locked_vm += (len >> PAGE_SHIFT);
52393 + mm->locked_vm += charged;
52395 + track_exec_limit(mm, addr, addr + len, flags);
52399 @@ -2272,8 +2686,10 @@ void exit_mmap(struct mm_struct *mm)
52400 * Walk the list again, actually closing and freeing it,
52401 * with preemption enabled, without holding any MM locks.
52405 + vma->vm_mirror = NULL;
52406 vma = remove_vma(vma);
52409 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
52411 @@ -2287,6 +2703,10 @@ int insert_vm_struct(struct mm_struct *
52412 struct vm_area_struct * __vma, * prev;
52413 struct rb_node ** rb_link, * rb_parent;
52415 +#ifdef CONFIG_PAX_SEGMEXEC
52416 + struct vm_area_struct *vma_m = NULL;
52420 * The vm_pgoff of a purely anonymous vma should be irrelevant
52421 * until its first write fault, when page's anon_vma and index
52422 @@ -2309,7 +2729,22 @@ int insert_vm_struct(struct mm_struct *
52423 if ((vma->vm_flags & VM_ACCOUNT) &&
52424 security_vm_enough_memory_mm(mm, vma_pages(vma)))
52427 +#ifdef CONFIG_PAX_SEGMEXEC
52428 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
52429 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52435 vma_link(mm, vma, prev, rb_link, rb_parent);
52437 +#ifdef CONFIG_PAX_SEGMEXEC
52439 + BUG_ON(pax_mirror_vma(vma_m, vma));
52445 @@ -2327,6 +2762,8 @@ struct vm_area_struct *copy_vma(struct v
52446 struct rb_node **rb_link, *rb_parent;
52447 struct mempolicy *pol;
52449 + BUG_ON(vma->vm_mirror);
52452 * If anonymous vma has not yet been faulted, update new pgoff
52453 * to match new location, to increase its chance of merging.
52454 @@ -2376,6 +2813,39 @@ struct vm_area_struct *copy_vma(struct v
52455 kmem_cache_free(vm_area_cachep, new_vma);
52459 +#ifdef CONFIG_PAX_SEGMEXEC
52460 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
52462 + struct vm_area_struct *prev_m;
52463 + struct rb_node **rb_link_m, *rb_parent_m;
52464 + struct mempolicy *pol_m;
52466 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
52467 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
52468 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
52470 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
52471 + if (anon_vma_clone(vma_m, vma))
52473 + pol_m = vma_policy(vma_m);
52475 + vma_set_policy(vma_m, pol_m);
52476 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
52477 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
52478 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
52479 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
52480 + if (vma_m->vm_file)
52481 + get_file(vma_m->vm_file);
52482 + if (vma_m->vm_ops && vma_m->vm_ops->open)
52483 + vma_m->vm_ops->open(vma_m);
52484 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
52485 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
52486 + vma_m->vm_mirror = vma;
52487 + vma->vm_mirror = vma_m;
52493 * Return true if the calling process may expand its vm space by the passed
52494 @@ -2387,7 +2857,7 @@ int may_expand_vm(struct mm_struct *mm,
52497 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
52499 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
52500 if (cur + npages > lim)
52503 @@ -2457,6 +2927,17 @@ int install_special_mapping(struct mm_st
52504 vma->vm_start = addr;
52505 vma->vm_end = addr + len;
52507 +#ifdef CONFIG_PAX_MPROTECT
52508 + if (mm->pax_flags & MF_PAX_MPROTECT) {
52509 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
52511 + if (!(vm_flags & VM_EXEC))
52512 + vm_flags &= ~VM_MAYEXEC;
52514 + vm_flags &= ~VM_MAYWRITE;
52518 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
52519 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
52521 diff -urNp linux-2.6.35.5/mm/mprotect.c linux-2.6.35.5/mm/mprotect.c
52522 --- linux-2.6.35.5/mm/mprotect.c 2010-08-26 19:47:12.000000000 -0400
52523 +++ linux-2.6.35.5/mm/mprotect.c 2010-09-17 20:12:37.000000000 -0400
52524 @@ -23,10 +23,16 @@
52525 #include <linux/mmu_notifier.h>
52526 #include <linux/migrate.h>
52527 #include <linux/perf_event.h>
52529 +#ifdef CONFIG_PAX_MPROTECT
52530 +#include <linux/elf.h>
52533 #include <asm/uaccess.h>
52534 #include <asm/pgtable.h>
52535 #include <asm/cacheflush.h>
52536 #include <asm/tlbflush.h>
52537 +#include <asm/mmu_context.h>
52539 #ifndef pgprot_modify
52540 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
52541 @@ -131,6 +137,48 @@ static void change_protection(struct vm_
52542 flush_tlb_range(vma, start, end);
52545 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52546 +/* called while holding the mmap semaphor for writing except stack expansion */
52547 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
52549 + unsigned long oldlimit, newlimit = 0UL;
52551 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
52554 + spin_lock(&mm->page_table_lock);
52555 + oldlimit = mm->context.user_cs_limit;
52556 + if ((prot & VM_EXEC) && oldlimit < end)
52557 + /* USER_CS limit moved up */
52559 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
52560 + /* USER_CS limit moved down */
52561 + newlimit = start;
52564 + mm->context.user_cs_limit = newlimit;
52568 + cpus_clear(mm->context.cpu_user_cs_mask);
52569 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
52572 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
52574 + spin_unlock(&mm->page_table_lock);
52575 + if (newlimit == end) {
52576 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
52578 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
52579 + if (is_vm_hugetlb_page(vma))
52580 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
52582 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
52588 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
52589 unsigned long start, unsigned long end, unsigned long newflags)
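Review bot: The comment above track_exec_limit() (`called while holding the mmap semaphor for writing except stack expansion`) does not say what protects the function on the stack-expansion path, and the vma walk at the end runs after `spin_unlock(&mm->page_table_lock)`. A fuller comment, for example `/* Caller holds mmap_sem for writing, or for reading when called from stack expansion; page_table_lock serialises updates of context.user_cs_limit. */`, would make the locking contract checkable. The unbraced `if` inside the final `for` loop, which selects between hugetlb_change_protection() and change_protection(), would also read more safely with braces.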
52590 @@ -143,11 +191,29 @@ mprotect_fixup(struct vm_area_struct *vm
52592 int dirty_accountable = 0;
52594 +#ifdef CONFIG_PAX_SEGMEXEC
52595 + struct vm_area_struct *vma_m = NULL;
52596 + unsigned long start_m, end_m;
52598 + start_m = start + SEGMEXEC_TASK_SIZE;
52599 + end_m = end + SEGMEXEC_TASK_SIZE;
52602 if (newflags == oldflags) {
52607 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
52608 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
52610 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
52613 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
52618 * If we make a private mapping writable we increase our commit;
52619 * but (without finer accounting) cannot reduce our commit if we
52620 @@ -164,6 +230,42 @@ mprotect_fixup(struct vm_area_struct *vm
52624 +#ifdef CONFIG_PAX_SEGMEXEC
52625 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
52626 + if (start != vma->vm_start) {
52627 + error = split_vma(mm, vma, start, 1);
52630 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
52631 + *pprev = (*pprev)->vm_next;
52634 + if (end != vma->vm_end) {
52635 + error = split_vma(mm, vma, end, 0);
52640 + if (pax_find_mirror_vma(vma)) {
52641 + error = __do_munmap(mm, start_m, end_m - start_m);
52645 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52650 + vma->vm_flags = newflags;
52651 + error = pax_mirror_vma(vma_m, vma);
52653 + vma->vm_flags = oldflags;
52661 * First try to merge with previous and/or next vma.
52663 @@ -194,9 +296,21 @@ success:
52664 * vm_flags and vm_page_prot are protected by the mmap_sem
52665 * held in write mode.
52668 +#ifdef CONFIG_PAX_SEGMEXEC
52669 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
52670 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
52673 vma->vm_flags = newflags;
52675 +#ifdef CONFIG_PAX_MPROTECT
52676 + if (mm->binfmt && mm->binfmt->handle_mprotect)
52677 + mm->binfmt->handle_mprotect(vma, newflags);
52680 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
52681 - vm_get_page_prot(newflags));
52682 + vm_get_page_prot(vma->vm_flags));
52684 if (vma_wants_writenotify(vma)) {
52685 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
52686 @@ -237,6 +351,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52691 +#ifdef CONFIG_PAX_SEGMEXEC
52692 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
52693 + if (end > SEGMEXEC_TASK_SIZE)
52698 + if (end > TASK_SIZE)
52701 if (!arch_validate_prot(prot))
52704 @@ -244,7 +369,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52706 * Does the application expect PROT_READ to imply PROT_EXEC:
52708 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
52709 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
52712 vm_flags = calc_vm_prot_bits(prot);
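Review bot: The context comment `Does the application expect PROT_READ to imply PROT_EXEC:` no longer matches the condition, which now also fires for a request carrying only PROT_WRITE. I would reword it to something like `/* Does the application expect PROT_READ or PROT_WRITE to imply PROT_EXEC: */` and add one sentence on why PROT_WRITE was included. READ_IMPLIES_EXEC widens the permissions that are granted, and the reason for extending its trigger is not visible in the hunk.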
52713 @@ -276,6 +401,16 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52714 if (start > vma->vm_start)
52717 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
52722 +#ifdef CONFIG_PAX_MPROTECT
52723 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
52724 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
52727 for (nstart = start ; ; ) {
52728 unsigned long newflags;
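Review bot: The `gr_acl_handle_mprotect(vma->vm_file, prot)` check is placed before the `for (nstart = start ; ; )` loop, so as far as this hunk shows it is evaluated once, against the file backing the first vma only. A range that spans several mappings would have the later vmas changed by the loop without their own `vm_file` being passed to the hook. If per-mapping policy is intended, the call belongs inside the loop next to the other per-vma checks; if checking only the first vma is deliberate, a comment saying so would prevent it being read as an oversight. The loop body is outside the hunk.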
52730 @@ -300,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52733 perf_event_mmap(vma);
52735 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
52739 if (nstart < prev->vm_end)
52740 diff -urNp linux-2.6.35.5/mm/mremap.c linux-2.6.35.5/mm/mremap.c
52741 --- linux-2.6.35.5/mm/mremap.c 2010-08-26 19:47:12.000000000 -0400
52742 +++ linux-2.6.35.5/mm/mremap.c 2010-09-17 20:12:09.000000000 -0400
52743 @@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
52745 pte = ptep_clear_flush(vma, old_addr, old_pte);
52746 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
52748 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52749 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
52750 + pte = pte_exprotect(pte);
52753 set_pte_at(mm, new_addr, new_pte, pte);
52756 @@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
52757 if (is_vm_hugetlb_page(vma))
52760 +#ifdef CONFIG_PAX_SEGMEXEC
52761 + if (pax_find_mirror_vma(vma))
52765 /* We can't remap across vm area boundaries */
52766 if (old_len > vma->vm_end - addr)
52768 @@ -321,20 +332,23 @@ static unsigned long mremap_to(unsigned
52769 unsigned long ret = -EINVAL;
52770 unsigned long charged = 0;
52771 unsigned long map_flags;
52772 + unsigned long pax_task_size = TASK_SIZE;
52774 if (new_addr & ~PAGE_MASK)
52777 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
52778 +#ifdef CONFIG_PAX_SEGMEXEC
52779 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
52780 + pax_task_size = SEGMEXEC_TASK_SIZE;
52783 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
52786 /* Check if the location we're moving into overlaps the
52787 * old location at all, and fail if it does.
52789 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
52792 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
52793 + if (addr + old_len > new_addr && new_addr + new_len > addr)
52796 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
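Review bot: The new bound in mremap_to() mixes limits: `new_len > TASK_SIZE` still uses TASK_SIZE while the second operand subtracts from `pax_task_size`. With MF_PAX_SEGMEXEC set, a `new_len` between SEGMEXEC_TASK_SIZE and TASK_SIZE makes `pax_task_size - new_len` wrap as unsigned arithmetic, so the comparison no longer bounds `new_addr`. The check added to do_mremap() later in this file appears to reject such lengths before mremap_to() is reached, but the function should not depend on that; `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)` makes it self-contained. mremap_to()'s body continues outside the hunk.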
52797 @@ -406,6 +420,7 @@ unsigned long do_mremap(unsigned long ad
52798 struct vm_area_struct *vma;
52799 unsigned long ret = -EINVAL;
52800 unsigned long charged = 0;
52801 + unsigned long pax_task_size = TASK_SIZE;
52803 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
52805 @@ -424,6 +439,15 @@ unsigned long do_mremap(unsigned long ad
52809 +#ifdef CONFIG_PAX_SEGMEXEC
52810 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
52811 + pax_task_size = SEGMEXEC_TASK_SIZE;
52814 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
52815 + old_len > pax_task_size || addr > pax_task_size-old_len)
52818 if (flags & MREMAP_FIXED) {
52819 if (flags & MREMAP_MAYMOVE)
52820 ret = mremap_to(addr, old_len, new_addr, new_len);
52821 @@ -473,6 +497,7 @@ unsigned long do_mremap(unsigned long ad
52825 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
52829 @@ -499,7 +524,13 @@ unsigned long do_mremap(unsigned long ad
52830 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
52834 + map_flags = vma->vm_flags;
52835 ret = move_vma(vma, addr, old_len, new_len, new_addr);
52836 + if (!(ret & ~PAGE_MASK)) {
52837 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
52838 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
52842 if (ret & ~PAGE_MASK)
52843 diff -urNp linux-2.6.35.5/mm/nommu.c linux-2.6.35.5/mm/nommu.c
52844 --- linux-2.6.35.5/mm/nommu.c 2010-08-26 19:47:12.000000000 -0400
52845 +++ linux-2.6.35.5/mm/nommu.c 2010-09-17 20:12:09.000000000 -0400
52846 @@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
52847 int sysctl_overcommit_ratio = 50; /* default is 50% */
52848 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
52849 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
52850 -int heap_stack_gap = 0;
52852 atomic_long_t mmap_pages_allocated;
52854 @@ -762,15 +761,6 @@ struct vm_area_struct *find_vma(struct m
52855 EXPORT_SYMBOL(find_vma);
52859 - * - we don't extend stack VMAs under NOMMU conditions
52861 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
52863 - return find_vma(mm, addr);
52867 * expand a stack to a given address
52868 * - not supported under NOMMU conditions
52870 @@ -1491,6 +1481,7 @@ int split_vma(struct mm_struct *mm, stru
52872 /* most fields are the same, copy all, and then fixup */
52874 + INIT_LIST_HEAD(&new->anon_vma_chain);
52875 *region = *vma->vm_region;
52876 new->vm_region = region;
52878 diff -urNp linux-2.6.35.5/mm/page_alloc.c linux-2.6.35.5/mm/page_alloc.c
52879 --- linux-2.6.35.5/mm/page_alloc.c 2010-08-26 19:47:12.000000000 -0400
52880 +++ linux-2.6.35.5/mm/page_alloc.c 2010-09-17 20:12:09.000000000 -0400
52881 @@ -641,6 +641,10 @@ static bool free_pages_prepare(struct pa
52885 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
52886 + unsigned long index = 1UL << order;
52889 trace_mm_page_free_direct(page, order);
52890 kmemcheck_free_shadow(page, order);
52892 @@ -659,6 +663,12 @@ static bool free_pages_prepare(struct pa
52893 debug_check_no_obj_freed(page_address(page),
52894 PAGE_SIZE << order);
52897 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
52898 + for (; index; --index)
52899 + sanitize_highpage(page + index - 1);
52902 arch_free_page(page, order);
52903 kernel_map_pages(page, 1 << order, 0);
52905 @@ -773,8 +783,10 @@ static int prep_new_page(struct page *pa
52906 arch_alloc_page(page, order);
52907 kernel_map_pages(page, 1 << order, 1);
52909 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
52910 if (gfp_flags & __GFP_ZERO)
52911 prep_zero_page(page, order, gfp_flags);
52914 if (order && (gfp_flags & __GFP_COMP))
52915 prep_compound_page(page, order);
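Review bot: Compiling out the `__GFP_ZERO` branch in prep_new_page() makes zeroed allocations depend entirely on the sanitize loop added to free_pages_prepare() earlier in this file, and nothing at this site says so. That loop calls `sanitize_highpage()`, which presumably clears the page; its definition is not shown. Pages that reach the allocator without passing through that loop (boot-time releases, or any free path that bypasses free_pages_prepare(), neither visible here) would be handed to `__GFP_ZERO` callers unzeroed, so that coverage should be confirmed. I would record the invariant where the code is removed: `/* PAX_MEMORY_SANITIZE: pages are cleared on free in free_pages_prepare(), so __GFP_ZERO has nothing left to do here */`.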
52916 @@ -3973,7 +3985,7 @@ static void __init setup_usemap(struct p
52917 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
52920 -static void inline setup_usemap(struct pglist_data *pgdat,
52921 +static inline void setup_usemap(struct pglist_data *pgdat,
52922 struct zone *zone, unsigned long zonesize) {}
52923 #endif /* CONFIG_SPARSEMEM */
52925 diff -urNp linux-2.6.35.5/mm/percpu.c linux-2.6.35.5/mm/percpu.c
52926 --- linux-2.6.35.5/mm/percpu.c 2010-08-26 19:47:12.000000000 -0400
52927 +++ linux-2.6.35.5/mm/percpu.c 2010-09-17 20:12:09.000000000 -0400
52928 @@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
52929 static unsigned int pcpu_last_unit_cpu __read_mostly;
52931 /* the address of the first chunk which starts with the kernel static area */
52932 -void *pcpu_base_addr __read_mostly;
52933 +void *pcpu_base_addr __read_only;
52934 EXPORT_SYMBOL_GPL(pcpu_base_addr);
52936 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
52937 diff -urNp linux-2.6.35.5/mm/rmap.c linux-2.6.35.5/mm/rmap.c
52938 --- linux-2.6.35.5/mm/rmap.c 2010-08-26 19:47:12.000000000 -0400
52939 +++ linux-2.6.35.5/mm/rmap.c 2010-09-17 20:12:09.000000000 -0400
52940 @@ -116,6 +116,10 @@ int anon_vma_prepare(struct vm_area_stru
52941 struct anon_vma *anon_vma = vma->anon_vma;
52942 struct anon_vma_chain *avc;
52944 +#ifdef CONFIG_PAX_SEGMEXEC
52945 + struct anon_vma_chain *avc_m = NULL;
52949 if (unlikely(!anon_vma)) {
52950 struct mm_struct *mm = vma->vm_mm;
52951 @@ -125,6 +129,12 @@ int anon_vma_prepare(struct vm_area_stru
52955 +#ifdef CONFIG_PAX_SEGMEXEC
52956 + avc_m = anon_vma_chain_alloc();
52958 + goto out_enomem_free_avc;
52961 anon_vma = find_mergeable_anon_vma(vma);
52964 @@ -138,6 +148,21 @@ int anon_vma_prepare(struct vm_area_stru
52965 /* page_table_lock to protect against threads */
52966 spin_lock(&mm->page_table_lock);
52967 if (likely(!vma->anon_vma)) {
52969 +#ifdef CONFIG_PAX_SEGMEXEC
52970 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
52973 + BUG_ON(vma_m->anon_vma);
52974 + vma_m->anon_vma = anon_vma;
52975 + avc_m->anon_vma = anon_vma;
52976 + avc_m->vma = vma;
52977 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
52978 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
52983 vma->anon_vma = anon_vma;
52984 avc->anon_vma = anon_vma;
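Review bot: `avc_m->vma = vma;` stores the original vma in a chain entry that the next line links into `vma_m->anon_vma_chain`, so the mirror's entry does not point back at the mirror. If the entry is meant to represent the mirror mapping, the assignment should be `avc_m->vma = vma_m;`. As written, code that reads `->vma` from the entries on `anon_vma->head` would see `vma` twice and never `vma_m`. The SEGMEXEC rmap users that would settle this are outside the hunk, as are the start and end of anon_vma_prepare().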
52986 @@ -151,12 +176,24 @@ int anon_vma_prepare(struct vm_area_stru
52988 if (unlikely(allocated))
52989 anon_vma_free(allocated);
52991 +#ifdef CONFIG_PAX_SEGMEXEC
52992 + if (unlikely(avc_m))
52993 + anon_vma_chain_free(avc_m);
52997 anon_vma_chain_free(avc);
53001 out_enomem_free_avc:
53003 +#ifdef CONFIG_PAX_SEGMEXEC
53005 + anon_vma_chain_free(avc_m);
53008 anon_vma_chain_free(avc);
53011 @@ -179,7 +216,7 @@ static void anon_vma_chain_link(struct v
53012 * Attach the anon_vmas from src to dst.
53013 * Returns 0 on success, -ENOMEM on failure.
53015 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
53016 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
53018 struct anon_vma_chain *avc, *pavc;
53020 @@ -201,7 +238,7 @@ int anon_vma_clone(struct vm_area_struct
53021 * the corresponding VMA in the parent process is attached to.
53022 * Returns 0 on success, non-zero on failure.
53024 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
53025 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
53027 struct anon_vma_chain *avc;
53028 struct anon_vma *anon_vma;
53029 diff -urNp linux-2.6.35.5/mm/shmem.c linux-2.6.35.5/mm/shmem.c
53030 --- linux-2.6.35.5/mm/shmem.c 2010-08-26 19:47:12.000000000 -0400
53031 +++ linux-2.6.35.5/mm/shmem.c 2010-09-17 20:12:37.000000000 -0400
53033 #include <linux/module.h>
53034 #include <linux/swap.h>
53036 -static struct vfsmount *shm_mnt;
53037 +struct vfsmount *shm_mnt;
53039 #ifdef CONFIG_SHMEM
53041 diff -urNp linux-2.6.35.5/mm/slab.c linux-2.6.35.5/mm/slab.c
53042 --- linux-2.6.35.5/mm/slab.c 2010-08-26 19:47:12.000000000 -0400
53043 +++ linux-2.6.35.5/mm/slab.c 2010-09-17 20:12:37.000000000 -0400
53044 @@ -285,7 +285,7 @@ struct kmem_list3 {
53045 * Need this for bootstrapping a per node allocator.
53047 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
53048 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
53049 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
53050 #define CACHE_CACHE 0
53051 #define SIZE_AC MAX_NUMNODES
53052 #define SIZE_L3 (2 * MAX_NUMNODES)
53053 @@ -535,7 +535,7 @@ static inline void *index_to_obj(struct
53054 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
53056 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
53057 - const struct slab *slab, void *obj)
53058 + const struct slab *slab, const void *obj)
53060 u32 offset = (obj - slab->s_mem);
53061 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
53062 @@ -561,14 +561,14 @@ struct cache_names {
53063 static struct cache_names __initdata cache_names[] = {
53064 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
53065 #include <linux/kmalloc_sizes.h>
53071 static struct arraycache_init initarray_cache __initdata =
53072 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
53073 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
53074 static struct arraycache_init initarray_generic =
53075 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
53076 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
53078 /* internal cache of cache description objs */
53079 static struct kmem_cache cache_cache = {
53080 @@ -4558,15 +4558,66 @@ static const struct file_operations proc
53082 static int __init slab_proc_init(void)
53084 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
53085 + mode_t gr_mode = S_IRUGO;
53087 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53088 + gr_mode = S_IRUSR;
53091 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
53092 #ifdef CONFIG_DEBUG_SLAB_LEAK
53093 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
53094 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
53098 module_init(slab_proc_init);
53101 +void check_object_size(const void *ptr, unsigned long n, bool to)
53104 +#ifdef CONFIG_PAX_USERCOPY
53105 + struct kmem_cache *cachep;
53106 + struct slab *slabp;
53107 + struct page *page;
53108 + unsigned int objnr;
53109 + unsigned long offset;
53114 + if (ZERO_OR_NULL_PTR(ptr))
53117 + if (!virt_addr_valid(ptr))
53120 + page = virt_to_head_page(ptr);
53122 + if (!PageSlab(page)) {
53123 + if (object_is_on_stack(ptr, n) == -1)
53128 + cachep = page_get_cache(page);
53129 + slabp = page_get_slab(page);
53130 + objnr = obj_to_index(cachep, slabp, ptr);
53131 + BUG_ON(objnr >= cachep->num);
53132 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
53133 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
53138 + pax_report_leak_to_user(ptr, n);
53140 + pax_report_overflow_from_user(ptr, n);
53144 +EXPORT_SYMBOL(check_object_size);
53147 * ksize - get the actual amount of memory allocated for a given object
53148 * @objp: Pointer to the object
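Review bot: `BUG_ON(objnr >= cachep->num);` in check_object_size() treats a pointer that lands in a slab page but outside its object array as a kernel bug, while the other rejected cases appear to end at `pax_report_leak_to_user()` / `pax_report_overflow_from_user()`. Because `ptr` comes from a user-copy call site, an out-of-range index is the same kind of bad copy as an oversized `n`. Sending it to the reporting code at the end of the function would log the offending address and length rather than a generic BUG. Separately, this exported function has no header comment here or in the slob.c and slub.c copies later in the diff. A short kernel-doc block should say that `ptr`/`n` describe the kernel side of a user copy and that `to` selects the direction (presumably copy-to-user when true; the branch itself is not shown).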
53149 diff -urNp linux-2.6.35.5/mm/slob.c linux-2.6.35.5/mm/slob.c
53150 --- linux-2.6.35.5/mm/slob.c 2010-08-26 19:47:12.000000000 -0400
53151 +++ linux-2.6.35.5/mm/slob.c 2010-09-17 20:12:09.000000000 -0400
53153 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
53154 * alloc_pages() directly, allocating compound pages so the page order
53155 * does not have to be separately tracked, and also stores the exact
53156 - * allocation size in page->private so that it can be used to accurately
53157 + * allocation size in slob_page->size so that it can be used to accurately
53158 * provide ksize(). These objects are detected in kfree() because slob_page()
53159 * is false for them.
53164 #include <linux/kernel.h>
53165 +#include <linux/sched.h>
53166 #include <linux/slab.h>
53167 #include <linux/mm.h>
53168 #include <linux/swap.h> /* struct reclaim_state */
53169 @@ -100,7 +101,8 @@ struct slob_page {
53170 unsigned long flags; /* mandatory */
53171 atomic_t _count; /* mandatory */
53172 slobidx_t units; /* free units left in page */
53173 - unsigned long pad[2];
53174 + unsigned long pad[1];
53175 + unsigned long size; /* size when >=PAGE_SIZE */
53176 slob_t *free; /* first free slob_t in page */
53177 struct list_head list; /* linked list of free pages */
53179 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
53181 static inline int is_slob_page(struct slob_page *sp)
53183 - return PageSlab((struct page *)sp);
53184 + return PageSlab((struct page *)sp) && !sp->size;
53187 static inline void set_slob_page(struct slob_page *sp)
53188 @@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
53190 static inline struct slob_page *slob_page(const void *addr)
53192 - return (struct slob_page *)virt_to_page(addr);
53193 + return (struct slob_page *)virt_to_head_page(addr);
53197 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
53199 * Return the size of a slob block.
53201 -static slobidx_t slob_units(slob_t *s)
53202 +static slobidx_t slob_units(const slob_t *s)
53206 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
53208 * Return the next free slob block pointer after this one.
53210 -static slob_t *slob_next(slob_t *s)
53211 +static slob_t *slob_next(const slob_t *s)
53213 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
53215 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
53217 * Returns true if s is the last free block in its page.
53219 -static int slob_last(slob_t *s)
53220 +static int slob_last(const slob_t *s)
53222 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
53224 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
53228 + set_slob_page(page);
53229 return page_address(page);
53232 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
53236 - set_slob_page(sp);
53238 spin_lock_irqsave(&slob_lock, flags);
53239 sp->units = SLOB_UNITS(PAGE_SIZE);
53242 INIT_LIST_HEAD(&sp->list);
53243 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
53244 set_slob_page_free(sp, slob_list);
53245 @@ -467,10 +470,9 @@ out:
53246 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
53249 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
53250 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
53253 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53257 lockdep_trace_alloc(gfp);
53258 @@ -483,7 +485,10 @@ void *__kmalloc_node(size_t size, gfp_t
53263 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
53264 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
53265 + m[0].units = size;
53266 + m[1].units = align;
53267 ret = (void *)m + align;
53269 trace_kmalloc_node(_RET_IP_, ret,
53270 @@ -493,9 +498,9 @@ void *__kmalloc_node(size_t size, gfp_t
53272 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
53274 - struct page *page;
53275 - page = virt_to_page(ret);
53276 - page->private = size;
53277 + struct slob_page *sp;
53278 + sp = slob_page(ret);
53282 trace_kmalloc_node(_RET_IP_, ret,
53283 @@ -505,6 +510,13 @@ void *__kmalloc_node(size_t size, gfp_t
53284 kmemleak_alloc(ret, size, 1, gfp);
53288 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
53290 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53292 + return __kmalloc_node_align(size, gfp, node, align);
53294 EXPORT_SYMBOL(__kmalloc_node);
53296 void kfree(const void *block)
53297 @@ -520,13 +532,84 @@ void kfree(const void *block)
53298 sp = slob_page(block);
53299 if (is_slob_page(sp)) {
53300 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53301 - unsigned int *m = (unsigned int *)(block - align);
53302 - slob_free(m, *m + align);
53304 + slob_t *m = (slob_t *)(block - align);
53305 + slob_free(m, m[0].units + align);
53307 + clear_slob_page(sp);
53308 + free_slob_page(sp);
53310 put_page(&sp->page);
53313 EXPORT_SYMBOL(kfree);
53315 +void check_object_size(const void *ptr, unsigned long n, bool to)
53318 +#ifdef CONFIG_PAX_USERCOPY
53319 + struct slob_page *sp;
53320 + const slob_t *free;
53321 + const void *base;
53326 + if (ZERO_OR_NULL_PTR(ptr))
53329 + if (!virt_addr_valid(ptr))
53332 + sp = slob_page(ptr);
53333 + if (!PageSlab((struct page*)sp)) {
53334 + if (object_is_on_stack(ptr, n) == -1)
53340 + base = page_address(&sp->page);
53341 + if (base <= ptr && n <= sp->size - (ptr - base))
53346 + /* some tricky double walking to find the chunk */
53347 + base = (void *)((unsigned long)ptr & PAGE_MASK);
53350 + while (!slob_last(free) && (void *)free <= ptr) {
53351 + base = free + slob_units(free);
53352 + free = slob_next(free);
53355 + while (base < (void *)free) {
53356 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
53357 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
53360 + if (ptr < base + align)
53363 + offset = ptr - base - align;
53364 + if (offset < m) {
53365 + if (n <= m - offset)
53374 + pax_report_leak_to_user(ptr, n);
53376 + pax_report_overflow_from_user(ptr, n);
53380 +EXPORT_SYMBOL(check_object_size);
53382 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
53383 size_t ksize(const void *block)
53385 @@ -539,10 +622,10 @@ size_t ksize(const void *block)
53386 sp = slob_page(block);
53387 if (is_slob_page(sp)) {
53388 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53389 - unsigned int *m = (unsigned int *)(block - align);
53390 - return SLOB_UNITS(*m) * SLOB_UNIT;
53391 + slob_t *m = (slob_t *)(block - align);
53392 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
53394 - return sp->page.private;
53397 EXPORT_SYMBOL(ksize);
53399 @@ -597,17 +680,25 @@ void *kmem_cache_alloc_node(struct kmem_
53403 +#ifdef CONFIG_PAX_USERCOPY
53404 + b = __kmalloc_node_align(c->size, flags, node, c->align);
53406 if (c->size < PAGE_SIZE) {
53407 b = slob_alloc(c->size, flags, c->align, node);
53408 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
53409 SLOB_UNITS(c->size) * SLOB_UNIT,
53412 + struct slob_page *sp;
53414 b = slob_new_pages(flags, get_order(c->size), node);
53415 + sp = slob_page(b);
53416 + sp->size = c->size;
53417 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
53418 PAGE_SIZE << get_order(c->size),
53425 @@ -619,10 +710,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
53427 static void __kmem_cache_free(void *b, int size)
53429 - if (size < PAGE_SIZE)
53430 + struct slob_page *sp = slob_page(b);
53432 + if (is_slob_page(sp))
53433 slob_free(b, size);
53436 + clear_slob_page(sp);
53437 + free_slob_page(sp);
53439 slob_free_pages(b, get_order(size));
53443 static void kmem_rcu_free(struct rcu_head *head)
53444 @@ -635,15 +732,24 @@ static void kmem_rcu_free(struct rcu_hea
53446 void kmem_cache_free(struct kmem_cache *c, void *b)
53448 + int size = c->size;
53450 +#ifdef CONFIG_PAX_USERCOPY
53451 + if (size + c->align < PAGE_SIZE) {
53452 + size += c->align;
53457 kmemleak_free_recursive(b, c->flags);
53458 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
53459 struct slob_rcu *slob_rcu;
53460 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
53461 + slob_rcu = b + (size - sizeof(struct slob_rcu));
53462 INIT_RCU_HEAD(&slob_rcu->head);
53463 - slob_rcu->size = c->size;
53464 + slob_rcu->size = size;
53465 call_rcu(&slob_rcu->head, kmem_rcu_free);
53467 - __kmem_cache_free(b, c->size);
53468 + __kmem_cache_free(b, size);
53471 trace_kmem_cache_free(_RET_IP_, b);
53472 diff -urNp linux-2.6.35.5/mm/slub.c linux-2.6.35.5/mm/slub.c
53473 --- linux-2.6.35.5/mm/slub.c 2010-08-26 19:47:12.000000000 -0400
53474 +++ linux-2.6.35.5/mm/slub.c 2010-09-17 20:12:37.000000000 -0400
53475 @@ -1873,6 +1873,8 @@ void kmem_cache_free(struct kmem_cache *
53477 page = virt_to_head_page(x);
53479 + BUG_ON(!PageSlab(page));
53481 slab_free(s, page, x, _RET_IP_);
53483 trace_kmem_cache_free(_RET_IP_, x);
53484 @@ -1917,7 +1919,7 @@ static int slub_min_objects;
53485 * Merge control. If this is set then no merging of slab caches will occur.
53486 * (Could be removed. This was introduced to pacify the merge skeptics.)
53488 -static int slub_nomerge;
53489 +static int slub_nomerge = 1;
53492 * Calculate the order of allocation given an slab object size.
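Review bot: `slub_nomerge` now defaults to 1, but the comment above it still describes merging as something that is optionally switched off, and no reason for the new default is recorded. With the initializer set, whatever sets this flag at boot (outside this hunk) can no longer change behaviour, so cache merging is effectively removed. The kmem_cache_create() context later in this file shows that merging adjusts the object size of the surviving cache, and check_object_size() bounds copies by `s->objsize`, which may be the motivation. I would state it, once confirmed: `/* Default to no merging: every cache keeps its own slabs and its own objsize, which check_object_size() relies on. */`.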
53493 @@ -2344,7 +2346,7 @@ static int kmem_cache_open(struct kmem_c
53494 * list to avoid pounding the page allocator excessively.
53496 set_min_partial(s, ilog2(s->size));
53498 + atomic_set(&s->refcount, 1);
53500 s->remote_node_defrag_ratio = 1000;
53502 @@ -2487,8 +2489,7 @@ static inline int kmem_cache_close(struc
53503 void kmem_cache_destroy(struct kmem_cache *s)
53505 down_write(&slub_lock);
53507 - if (!s->refcount) {
53508 + if (atomic_dec_and_test(&s->refcount)) {
53509 list_del(&s->list);
53510 up_write(&slub_lock);
53511 if (kmem_cache_close(s)) {
53512 @@ -2780,6 +2781,46 @@ void *__kmalloc_node(size_t size, gfp_t
53513 EXPORT_SYMBOL(__kmalloc_node);
53516 +void check_object_size(const void *ptr, unsigned long n, bool to)
53519 +#ifdef CONFIG_PAX_USERCOPY
53520 + struct page *page;
53521 + struct kmem_cache *s;
53522 + unsigned long offset;
53527 + if (ZERO_OR_NULL_PTR(ptr))
53530 + if (!virt_addr_valid(ptr))
53533 + page = get_object_page(ptr);
53536 + if (object_is_on_stack(ptr, n) == -1)
53542 + offset = (ptr - page_address(page)) % s->size;
53543 + if (offset <= s->objsize && n <= s->objsize - offset)
53548 + pax_report_leak_to_user(ptr, n);
53550 + pax_report_overflow_from_user(ptr, n);
53554 +EXPORT_SYMBOL(check_object_size);
53556 size_t ksize(const void *object)
53559 @@ -3049,7 +3090,7 @@ void __init kmem_cache_init(void)
53561 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
53562 sizeof(struct kmem_cache_node), GFP_NOWAIT);
53563 - kmalloc_caches[0].refcount = -1;
53564 + atomic_set(&kmalloc_caches[0].refcount, -1);
53567 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
53568 @@ -3158,7 +3199,7 @@ static int slab_unmergeable(struct kmem_
53570 * We may have set a slab to be unmergeable during bootstrap.
53572 - if (s->refcount < 0)
53573 + if (atomic_read(&s->refcount) < 0)
53577 @@ -3216,7 +3257,7 @@ struct kmem_cache *kmem_cache_create(con
53578 down_write(&slub_lock);
53579 s = find_mergeable(size, align, flags, name, ctor);
53582 + atomic_inc(&s->refcount);
53584 * Adjust the object sizes so that we clear
53585 * the complete object on kzalloc.
53586 @@ -3227,7 +3268,7 @@ struct kmem_cache *kmem_cache_create(con
53588 if (sysfs_slab_alias(s, name)) {
53589 down_write(&slub_lock);
53591 + atomic_dec(&s->refcount);
53592 up_write(&slub_lock);
53595 @@ -3953,7 +3994,7 @@ SLAB_ATTR_RO(ctor);
53597 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
53599 - return sprintf(buf, "%d\n", s->refcount - 1);
53600 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
53602 SLAB_ATTR_RO(aliases);
53604 @@ -4674,7 +4715,13 @@ static const struct file_operations proc
53606 static int __init slab_proc_init(void)
53608 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
53609 + mode_t gr_mode = S_IRUGO;
53611 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53612 + gr_mode = S_IRUSR;
53615 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
53618 module_init(slab_proc_init);
53619 diff -urNp linux-2.6.35.5/mm/util.c linux-2.6.35.5/mm/util.c
53620 --- linux-2.6.35.5/mm/util.c 2010-08-26 19:47:12.000000000 -0400
53621 +++ linux-2.6.35.5/mm/util.c 2010-09-17 20:12:09.000000000 -0400
53622 @@ -245,6 +245,12 @@ EXPORT_SYMBOL(strndup_user);
53623 void arch_pick_mmap_layout(struct mm_struct *mm)
53625 mm->mmap_base = TASK_UNMAPPED_BASE;
53627 +#ifdef CONFIG_PAX_RANDMMAP
53628 + if (mm->pax_flags & MF_PAX_RANDMMAP)
53629 + mm->mmap_base += mm->delta_mmap;
53632 mm->get_unmapped_area = arch_get_unmapped_area;
53633 mm->unmap_area = arch_unmap_area;
53635 diff -urNp linux-2.6.35.5/mm/vmalloc.c linux-2.6.35.5/mm/vmalloc.c
53636 --- linux-2.6.35.5/mm/vmalloc.c 2010-08-26 19:47:12.000000000 -0400
53637 +++ linux-2.6.35.5/mm/vmalloc.c 2010-09-17 20:12:09.000000000 -0400
53638 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
53640 pte = pte_offset_kernel(pmd, addr);
53642 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
53643 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
53645 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53646 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
53647 + BUG_ON(!pte_exec(*pte));
53648 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
53654 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
53655 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
53657 } while (pte++, addr += PAGE_SIZE, addr != end);
53660 @@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
53661 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
53664 + int ret = -ENOMEM;
53667 * nr is a running index into the array which helps higher level
53668 @@ -101,17 +113,30 @@ static int vmap_pte_range(pmd_t *pmd, un
53669 pte = pte_alloc_kernel(pmd, addr);
53673 + pax_open_kernel();
53675 struct page *page = pages[*nr];
53677 - if (WARN_ON(!pte_none(*pte)))
53679 - if (WARN_ON(!page))
53681 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53682 + if (pgprot_val(prot) & _PAGE_NX)
53685 + if (WARN_ON(!pte_none(*pte))) {
53689 + if (WARN_ON(!page)) {
53693 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
53695 } while (pte++, addr += PAGE_SIZE, addr != end);
53699 + pax_close_kernel();
53703 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
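Review bot: Under the KERNEXEC x86-32 configuration the `WARN_ON(!pte_none(*pte))` test in vmap_pte_range() is now guarded by `if (pgprot_val(prot) & _PAGE_NX)`, so an executable mapping overwrites whatever PTE is already in the slot with no check. The vunmap_pte_range() hunk above resets PTEs in the module-exec range to `pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC)` instead of clearing them, which is presumably why `pte_none()` cannot be used for that case. Checking the existing entry against that placeholder on the non-NX path would keep the double-map detection. At minimum add `/* exec-range PTEs are pre-populated by vunmap_pte_range(), so pte_none() does not apply */`. Several lines of the loop are missing from this listing, so verify against the full function.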
53704 @@ -192,11 +217,20 @@ int is_vmalloc_or_module_addr(const void
53705 * and fall back on vmalloc() if that fails. Others
53706 * just put it in the vmalloc space.
53708 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
53709 +#ifdef CONFIG_MODULES
53710 +#ifdef MODULES_VADDR
53711 unsigned long addr = (unsigned long)x;
53712 if (addr >= MODULES_VADDR && addr < MODULES_END)
53716 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53717 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
53723 return is_vmalloc_addr(x);
53726 @@ -217,8 +251,14 @@ struct page *vmalloc_to_page(const void
53728 if (!pgd_none(*pgd)) {
53729 pud_t *pud = pud_offset(pgd, addr);
53731 + if (!pud_large(*pud))
53733 if (!pud_none(*pud)) {
53734 pmd_t *pmd = pmd_offset(pud, addr);
53736 + if (!pmd_large(*pmd))
53738 if (!pmd_none(*pmd)) {
53741 @@ -292,13 +332,13 @@ static void __insert_vmap_area(struct vm
53742 struct rb_node *tmp;
53745 - struct vmap_area *tmp;
53746 + struct vmap_area *varea;
53749 - tmp = rb_entry(parent, struct vmap_area, rb_node);
53750 - if (va->va_start < tmp->va_end)
53751 + varea = rb_entry(parent, struct vmap_area, rb_node);
53752 + if (va->va_start < varea->va_end)
53753 p = &(*p)->rb_left;
53754 - else if (va->va_end > tmp->va_start)
53755 + else if (va->va_end > varea->va_start)
53756 p = &(*p)->rb_right;
53759 @@ -1224,6 +1264,16 @@ static struct vm_struct *__get_vm_area_n
53760 struct vm_struct *area;
53762 BUG_ON(in_interrupt());
53764 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
53765 + if (flags & VM_KERNEXEC) {
53766 + if (start != VMALLOC_START || end != VMALLOC_END)
53768 + start = (unsigned long)MODULES_EXEC_VADDR;
53769 + end = (unsigned long)MODULES_EXEC_END;
53773 if (flags & VM_IOREMAP) {
53774 int bit = fls(size);
53776 @@ -1449,6 +1499,11 @@ void *vmap(struct page **pages, unsigned
53777 if (count > totalram_pages)
53780 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
53781 + if (!(pgprot_val(prot) & _PAGE_NX))
53782 + flags |= VM_KERNEXEC;
53785 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
53786 __builtin_return_address(0));
53788 @@ -1558,6 +1613,13 @@ static void *__vmalloc_node(unsigned lon
53789 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
53792 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
53793 + if (!(pgprot_val(prot) & _PAGE_NX))
53794 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
53795 + node, gfp_mask, caller);
53799 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
53800 VMALLOC_END, node, gfp_mask, caller);
53802 @@ -1576,6 +1638,7 @@ static void *__vmalloc_node(unsigned lon
53807 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
53809 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
53810 @@ -1592,6 +1655,7 @@ EXPORT_SYMBOL(__vmalloc);
53811 * For tight control over page level allocator and protection flags
53812 * use __vmalloc() instead.
53815 void *vmalloc(unsigned long size)
53817 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
53818 @@ -1606,6 +1670,7 @@ EXPORT_SYMBOL(vmalloc);
53819 * The resulting memory area is zeroed so it can be mapped to userspace
53820 * without leaking data.
53822 +#undef vmalloc_user
53823 void *vmalloc_user(unsigned long size)
53825 struct vm_struct *area;
53826 @@ -1633,6 +1698,7 @@ EXPORT_SYMBOL(vmalloc_user);
53827 * For tight control over page level allocator and protection flags
53828 * use __vmalloc() instead.
53830 +#undef vmalloc_node
53831 void *vmalloc_node(unsigned long size, int node)
53833 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
53834 @@ -1655,10 +1721,10 @@ EXPORT_SYMBOL(vmalloc_node);
53835 * For tight control over page level allocator and protection flags
53836 * use __vmalloc() instead.
53839 +#undef vmalloc_exec
53840 void *vmalloc_exec(unsigned long size)
53842 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
53843 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
53844 -1, __builtin_return_address(0));
53847 @@ -1677,6 +1743,7 @@ void *vmalloc_exec(unsigned long size)
53848 * Allocate enough 32bit PA addressable pages to cover @size from the
53849 * page level allocator and map them into contiguous kernel virtual space.
53852 void *vmalloc_32(unsigned long size)
53854 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
53855 @@ -1691,6 +1758,7 @@ EXPORT_SYMBOL(vmalloc_32);
53856 * The resulting memory area is 32bit addressable and zeroed so it can be
53857 * mapped to userspace without leaking data.
53859 +#undef vmalloc_32_user
53860 void *vmalloc_32_user(unsigned long size)
53862 struct vm_struct *area;
53863 diff -urNp linux-2.6.35.5/mm/vmstat.c linux-2.6.35.5/mm/vmstat.c
53864 --- linux-2.6.35.5/mm/vmstat.c 2010-08-26 19:47:12.000000000 -0400
53865 +++ linux-2.6.35.5/mm/vmstat.c 2010-09-17 20:12:37.000000000 -0400
53866 @@ -76,7 +76,7 @@ void vm_events_fold_cpu(int cpu)
53868 * vm_stat contains the global counters
53870 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
53871 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
53872 EXPORT_SYMBOL(vm_stat);
53875 @@ -315,7 +315,7 @@ void refresh_cpu_vm_stats(int cpu)
53876 v = p->vm_stat_diff[i];
53877 p->vm_stat_diff[i] = 0;
53878 local_irq_restore(flags);
53879 - atomic_long_add(v, &zone->vm_stat[i]);
53880 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
53881 global_diff[i] += v;
53883 /* 3 seconds idle till flush */
53884 @@ -353,7 +353,7 @@ void refresh_cpu_vm_stats(int cpu)
53886 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
53887 if (global_diff[i])
53888 - atomic_long_add(global_diff[i], &vm_stat[i]);
53889 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
53893 @@ -1038,10 +1038,16 @@ static int __init setup_vmstat(void)
53894 start_cpu_timer(cpu);
53896 #ifdef CONFIG_PROC_FS
53897 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
53898 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
53899 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
53900 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
53902 + mode_t gr_mode = S_IRUGO;
53903 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53904 + gr_mode = S_IRUSR;
53906 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
53907 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
53908 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
53909 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
53914 diff -urNp linux-2.6.35.5/net/8021q/vlan.c linux-2.6.35.5/net/8021q/vlan.c
53915 --- linux-2.6.35.5/net/8021q/vlan.c 2010-08-26 19:47:12.000000000 -0400
53916 +++ linux-2.6.35.5/net/8021q/vlan.c 2010-09-17 20:12:09.000000000 -0400
53917 @@ -618,8 +618,7 @@ static int vlan_ioctl_handler(struct net
53919 if (!capable(CAP_NET_ADMIN))
53921 - if ((args.u.name_type >= 0) &&
53922 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
53923 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
53924 struct vlan_net *vn;
53926 vn = net_generic(net, vlan_net_id);
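Review bot: With `args.u.name_type >= 0` removed, `args.u.name_type < VLAN_NAME_TYPE_HIGHEST` is the only range check on a value that presumably arrives through the ioctl argument. That is enough only if `name_type` is declared unsigned, and the declaration is not part of this hunk. If it is unsigned, the removed test was dead code, and a comment such as `/* name_type is unsigned: the upper bound is the only check needed */` would stop a later type change from silently reopening the lower bound. vlan_ioctl_handler's body continues outside the hunk.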
53927 diff -urNp linux-2.6.35.5/net/atm/atm_misc.c linux-2.6.35.5/net/atm/atm_misc.c
53928 --- linux-2.6.35.5/net/atm/atm_misc.c 2010-08-26 19:47:12.000000000 -0400
53929 +++ linux-2.6.35.5/net/atm/atm_misc.c 2010-09-17 20:12:09.000000000 -0400
53930 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
53931 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
53933 atm_return(vcc, truesize);
53934 - atomic_inc(&vcc->stats->rx_drop);
53935 + atomic_inc_unchecked(&vcc->stats->rx_drop);
53938 EXPORT_SYMBOL(atm_charge);
53939 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
53942 atm_return(vcc, guess);
53943 - atomic_inc(&vcc->stats->rx_drop);
53944 + atomic_inc_unchecked(&vcc->stats->rx_drop);
53947 EXPORT_SYMBOL(atm_alloc_charge);
53948 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
53950 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
53952 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
53953 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
53955 #undef __HANDLE_ITEM
53957 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
53959 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
53961 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
53962 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
53964 #undef __HANDLE_ITEM
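Review bot: `atomic_sub_unchecked(to->i,&from->i)` in sonet_subtract_stats drops the space after the comma that the removed line had. The add_stats hunk of net/atm/proc.c has the same slip (`atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),`). The matching macro in net/atm/resources.c keeps the space, so I would write `#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)` here as well. The function body lies outside the hunk.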
53966 diff -urNp linux-2.6.35.5/net/atm/proc.c linux-2.6.35.5/net/atm/proc.c
53967 --- linux-2.6.35.5/net/atm/proc.c 2010-08-26 19:47:12.000000000 -0400
53968 +++ linux-2.6.35.5/net/atm/proc.c 2010-09-17 20:12:37.000000000 -0400
53969 @@ -44,9 +44,9 @@ static void add_stats(struct seq_file *s
53970 const struct k_atm_aal_stats *stats)
53972 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
53973 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
53974 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
53975 - atomic_read(&stats->rx_drop));
53976 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
53977 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
53978 + atomic_read_unchecked(&stats->rx_drop));
53981 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
53982 @@ -190,7 +190,12 @@ static void vcc_info(struct seq_file *se
53984 struct sock *sk = sk_atm(vcc);
53986 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53987 + seq_printf(seq, "%p ", NULL);
53989 seq_printf(seq, "%p ", vcc);
53993 seq_printf(seq, "Unassigned ");
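Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` branch that prints `NULL` in place of `vcc` is open-coded in vcc_info. The same guard is repeated around the `%p` arguments in net/ipv4/tcp_ipv4.c, net/ipv4/udp.c, net/key/af_key.c, net/netlink/af_netlink.c and net/packet/af_packet.c. One helper in a shared header, yielding NULL when the option is set and the pointer otherwise, would keep the kernel-address hiding in one place and make a missed call site easier to spot in review. Here that would reduce the added lines to a single `seq_printf(seq, "%p ", <helper>(vcc));`, with `<helper>` standing for whatever name the project picks.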
53995 diff -urNp linux-2.6.35.5/net/atm/resources.c linux-2.6.35.5/net/atm/resources.c
53996 --- linux-2.6.35.5/net/atm/resources.c 2010-08-26 19:47:12.000000000 -0400
53997 +++ linux-2.6.35.5/net/atm/resources.c 2010-09-17 20:12:09.000000000 -0400
53998 @@ -159,7 +159,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
53999 static void copy_aal_stats(struct k_atm_aal_stats *from,
54000 struct atm_aal_stats *to)
54002 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
54003 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
54005 #undef __HANDLE_ITEM
54007 @@ -167,7 +167,7 @@ static void copy_aal_stats(struct k_atm_
54008 static void subtract_aal_stats(struct k_atm_aal_stats *from,
54009 struct atm_aal_stats *to)
54011 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
54012 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
54014 #undef __HANDLE_ITEM
54016 diff -urNp linux-2.6.35.5/net/bridge/br_stp_if.c linux-2.6.35.5/net/bridge/br_stp_if.c
54017 --- linux-2.6.35.5/net/bridge/br_stp_if.c 2010-08-26 19:47:12.000000000 -0400
54018 +++ linux-2.6.35.5/net/bridge/br_stp_if.c 2010-09-17 20:12:09.000000000 -0400
54019 @@ -145,7 +145,7 @@ static void br_stp_stop(struct net_bridg
54020 char *envp[] = { NULL };
54022 if (br->stp_enabled == BR_USER_STP) {
54023 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
54024 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
54025 br_info(br, "userspace STP stopped, return code %d\n", r);
54027 /* To start timers on any ports left in blocking */
54028 diff -urNp linux-2.6.35.5/net/bridge/netfilter/ebtables.c linux-2.6.35.5/net/bridge/netfilter/ebtables.c
54029 --- linux-2.6.35.5/net/bridge/netfilter/ebtables.c 2010-08-26 19:47:12.000000000 -0400
54030 +++ linux-2.6.35.5/net/bridge/netfilter/ebtables.c 2010-09-17 20:12:09.000000000 -0400
54031 @@ -1501,7 +1501,7 @@ static int do_ebt_get_ctl(struct sock *s
54032 tmp.valid_hooks = t->table->valid_hooks;
54034 mutex_unlock(&ebt_mutex);
54035 - if (copy_to_user(user, &tmp, *len) != 0){
54036 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
54037 BUGPRINT("c2u Didn't work\n");
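Review bot: An over-long `*len` now falls into the same branch as a failed `copy_to_user`, so the request is logged as `c2u Didn't work` although no copy was attempted. The statements that set the return code are not visible in this hunk, but a bad length would normally be reported separately from a fault. I would test `*len > sizeof(tmp)` on its own before the copy and give it its own message and error code. A `*len` smaller than `sizeof(tmp)` still copies a truncated structure, so an exact-size check may be what is wanted if no earlier check already enforces it.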
54040 diff -urNp linux-2.6.35.5/net/core/dev.c linux-2.6.35.5/net/core/dev.c
54041 --- linux-2.6.35.5/net/core/dev.c 2010-08-26 19:47:12.000000000 -0400
54042 +++ linux-2.6.35.5/net/core/dev.c 2010-09-17 20:12:09.000000000 -0400
54043 @@ -2541,7 +2541,7 @@ int netif_rx_ni(struct sk_buff *skb)
54045 EXPORT_SYMBOL(netif_rx_ni);
54047 -static void net_tx_action(struct softirq_action *h)
54048 +static void net_tx_action(void)
54050 struct softnet_data *sd = &__get_cpu_var(softnet_data);
54052 @@ -3474,7 +3474,7 @@ void netif_napi_del(struct napi_struct *
54054 EXPORT_SYMBOL(netif_napi_del);
54056 -static void net_rx_action(struct softirq_action *h)
54057 +static void net_rx_action(void)
54059 struct softnet_data *sd = &__get_cpu_var(softnet_data);
54060 unsigned long time_limit = jiffies + 2;
54061 diff -urNp linux-2.6.35.5/net/core/net-sysfs.c linux-2.6.35.5/net/core/net-sysfs.c
54062 --- linux-2.6.35.5/net/core/net-sysfs.c 2010-08-26 19:47:12.000000000 -0400
54063 +++ linux-2.6.35.5/net/core/net-sysfs.c 2010-09-17 20:12:09.000000000 -0400
54064 @@ -511,7 +511,7 @@ static ssize_t rx_queue_attr_store(struc
54065 return attribute->store(queue, attribute, buf, count);
54068 -static struct sysfs_ops rx_queue_sysfs_ops = {
54069 +static const struct sysfs_ops rx_queue_sysfs_ops = {
54070 .show = rx_queue_attr_show,
54071 .store = rx_queue_attr_store,
54073 diff -urNp linux-2.6.35.5/net/core/sock.c linux-2.6.35.5/net/core/sock.c
54074 --- linux-2.6.35.5/net/core/sock.c 2010-08-26 19:47:12.000000000 -0400
54075 +++ linux-2.6.35.5/net/core/sock.c 2010-09-17 20:12:09.000000000 -0400
54076 @@ -915,7 +915,7 @@ int sock_getsockopt(struct socket *sock,
54080 - if (copy_to_user(optval, address, len))
54081 + if (len > sizeof(address) || copy_to_user(optval, address, len))
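Review bot: `len > sizeof(address)` bounds the copy correctly only if `address` is an array in this scope; for a pointer, `sizeof` would yield the pointer size and the check would reject valid lengths. The declaration is outside the hunk. The same form appears with `addr` and `devname` in net/decnet/sysctl_net_decnet.c, `tbuf` in net/ipv4/tcp_probe.c and `pb` in net/mac80211/rc80211_pid_debugfs.c. It is worth confirming that each one is an array and noting it beside the check, for example `/* address is a local array; refuse reads past its end */`. sock_getsockopt continues outside the hunk.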
54085 @@ -948,7 +948,7 @@ int sock_getsockopt(struct socket *sock,
54089 - if (copy_to_user(optval, &v, len))
54090 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
54093 if (put_user(len, optlen))
54094 diff -urNp linux-2.6.35.5/net/dccp/ccids/ccid3.c linux-2.6.35.5/net/dccp/ccids/ccid3.c
54095 --- linux-2.6.35.5/net/dccp/ccids/ccid3.c 2010-08-26 19:47:12.000000000 -0400
54096 +++ linux-2.6.35.5/net/dccp/ccids/ccid3.c 2010-09-17 20:12:09.000000000 -0400
54098 static int ccid3_debug;
54099 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
54101 -#define ccid3_pr_debug(format, a...)
54102 +#define ccid3_pr_debug(format, a...) do {} while (0)
54106 diff -urNp linux-2.6.35.5/net/dccp/dccp.h linux-2.6.35.5/net/dccp/dccp.h
54107 --- linux-2.6.35.5/net/dccp/dccp.h 2010-08-26 19:47:12.000000000 -0400
54108 +++ linux-2.6.35.5/net/dccp/dccp.h 2010-09-17 20:12:09.000000000 -0400
54109 @@ -44,9 +44,9 @@ extern int dccp_debug;
54110 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
54111 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
54113 -#define dccp_pr_debug(format, a...)
54114 -#define dccp_pr_debug_cat(format, a...)
54115 -#define dccp_debug(format, a...)
54116 +#define dccp_pr_debug(format, a...) do {} while (0)
54117 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
54118 +#define dccp_debug(format, a...) do {} while (0)
54121 extern struct inet_hashinfo dccp_hashinfo;
54122 diff -urNp linux-2.6.35.5/net/decnet/sysctl_net_decnet.c linux-2.6.35.5/net/decnet/sysctl_net_decnet.c
54123 --- linux-2.6.35.5/net/decnet/sysctl_net_decnet.c 2010-08-26 19:47:12.000000000 -0400
54124 +++ linux-2.6.35.5/net/decnet/sysctl_net_decnet.c 2010-09-17 20:12:37.000000000 -0400
54125 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
54127 if (len > *lenp) len = *lenp;
54129 - if (copy_to_user(buffer, addr, len))
54130 + if (len > sizeof(addr) || copy_to_user(buffer, addr, len))
54134 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
54136 if (len > *lenp) len = *lenp;
54138 - if (copy_to_user(buffer, devname, len))
54139 + if (len > sizeof(devname) || copy_to_user(buffer, devname, len))
54143 diff -urNp linux-2.6.35.5/net/ipv4/inet_hashtables.c linux-2.6.35.5/net/ipv4/inet_hashtables.c
54144 --- linux-2.6.35.5/net/ipv4/inet_hashtables.c 2010-08-26 19:47:12.000000000 -0400
54145 +++ linux-2.6.35.5/net/ipv4/inet_hashtables.c 2010-09-17 20:12:37.000000000 -0400
54146 @@ -18,11 +18,14 @@
54147 #include <linux/sched.h>
54148 #include <linux/slab.h>
54149 #include <linux/wait.h>
54150 +#include <linux/security.h>
54152 #include <net/inet_connection_sock.h>
54153 #include <net/inet_hashtables.h>
54154 #include <net/route.h>
54155 #include <net/ip.h>
54157 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
54160 * Allocate and initialize a new local port bind bucket.
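Review bot: `extern void gr_update_task_in_ip_table(...)` is declared directly in inet_hashtables.c, so the compiler cannot check this prototype against the definition. A declaration in a header included by both sides would catch signature drift at build time. The same pattern recurs for `grsec_enable_blackhole` in net/ipv4/tcp_ipv4.c, tcp_minisocks.c and udp.c and in net/ipv6/tcp_ipv6.c and udp.c, for `grsec_lastack_retries` in tcp_timer.c, and for the `gr_search_udp_*` prototypes in net/ipv4/udp.c. This hunk already adds `#include <linux/security.h>`, which may be the intended home for these declarations, though that cannot be confirmed from here.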
54161 @@ -508,6 +511,8 @@ ok:
54162 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
54163 spin_unlock(&head->lock);
54165 + gr_update_task_in_ip_table(current, inet_sk(sk));
54168 inet_twsk_deschedule(tw, death_row);
54170 diff -urNp linux-2.6.35.5/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.35.5/net/ipv4/netfilter/nf_nat_snmp_basic.c
54171 --- linux-2.6.35.5/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-08-26 19:47:12.000000000 -0400
54172 +++ linux-2.6.35.5/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-09-17 20:12:09.000000000 -0400
54173 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
54177 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
54178 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
54179 if (*octets == NULL) {
54180 if (net_ratelimit())
54181 pr_notice("OOM in bsalg (%d)\n", __LINE__);
54182 diff -urNp linux-2.6.35.5/net/ipv4/tcp_ipv4.c linux-2.6.35.5/net/ipv4/tcp_ipv4.c
54183 --- linux-2.6.35.5/net/ipv4/tcp_ipv4.c 2010-08-26 19:47:12.000000000 -0400
54184 +++ linux-2.6.35.5/net/ipv4/tcp_ipv4.c 2010-09-17 20:12:37.000000000 -0400
54186 int sysctl_tcp_tw_reuse __read_mostly;
54187 int sysctl_tcp_low_latency __read_mostly;
54189 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54190 +extern int grsec_enable_blackhole;
54193 #ifdef CONFIG_TCP_MD5SIG
54194 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
54195 @@ -1593,6 +1596,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
54199 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54200 + if (!grsec_enable_blackhole)
54202 tcp_v4_send_reset(rsk, skb);
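Review bot: The added `if (!grsec_enable_blackhole)` has no braces, and its body is the unchanged `tcp_v4_send_reset(rsk, skb);`, which sits outside the `#ifdef CONFIG_GRKERNSEC_BLACKHOLE` region. Any statement later inserted between the preprocessor block and the call silently becomes the guarded one. The same construction guards the reset or ICMP reply in the no_tcp_socket hunk of this file and in net/ipv4/tcp_minisocks.c, net/ipv4/udp.c, net/ipv6/tcp_ipv6.c and net/ipv6/udp.c. A comment on the guarded call, e.g. `/* skipped when grsec_enable_blackhole is set (GRKERNSEC_BLACKHOLE) */`, or a small inline predicate used with a braced `if`, would make the dependency visible. tcp_v4_do_rcv's body extends beyond the hunk.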
54205 @@ -1654,12 +1660,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
54206 TCP_SKB_CB(skb)->sacked = 0;
54208 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
54211 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54214 goto no_tcp_socket;
54218 - if (sk->sk_state == TCP_TIME_WAIT)
54219 + if (sk->sk_state == TCP_TIME_WAIT) {
54220 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54226 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
54227 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
54228 @@ -1709,6 +1722,10 @@ no_tcp_socket:
54230 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
54232 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54233 + if (!grsec_enable_blackhole || (ret == 1 &&
54234 + (skb->dev->flags & IFF_LOOPBACK)))
54236 tcp_v4_send_reset(NULL, skb);
54239 @@ -2316,7 +2333,11 @@ static void get_openreq4(struct sock *sk
54240 0, /* non standard timer */
54241 0, /* open_requests have no inode */
54242 atomic_read(&sk->sk_refcnt),
54243 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54251 @@ -2366,7 +2387,12 @@ static void get_tcp4_sock(struct sock *s
54253 icsk->icsk_probes_out,
54255 - atomic_read(&sk->sk_refcnt), sk,
54256 + atomic_read(&sk->sk_refcnt),
54257 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54262 jiffies_to_clock_t(icsk->icsk_rto),
54263 jiffies_to_clock_t(icsk->icsk_ack.ato),
54264 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
54265 @@ -2394,7 +2420,13 @@ static void get_timewait4_sock(struct in
54266 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
54267 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
54268 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
54269 - atomic_read(&tw->tw_refcnt), tw, len);
54270 + atomic_read(&tw->tw_refcnt),
54271 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54280 diff -urNp linux-2.6.35.5/net/ipv4/tcp_minisocks.c linux-2.6.35.5/net/ipv4/tcp_minisocks.c
54281 --- linux-2.6.35.5/net/ipv4/tcp_minisocks.c 2010-08-26 19:47:12.000000000 -0400
54282 +++ linux-2.6.35.5/net/ipv4/tcp_minisocks.c 2010-09-17 20:12:37.000000000 -0400
54284 #include <net/inet_common.h>
54285 #include <net/xfrm.h>
54287 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54288 +extern int grsec_enable_blackhole;
54291 int sysctl_tcp_syncookies __read_mostly = 1;
54292 EXPORT_SYMBOL(sysctl_tcp_syncookies);
54294 @@ -700,6 +704,10 @@ listen_overflow:
54297 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
54299 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54300 + if (!grsec_enable_blackhole)
54302 if (!(flg & TCP_FLAG_RST))
54303 req->rsk_ops->send_reset(sk, skb);
54305 diff -urNp linux-2.6.35.5/net/ipv4/tcp_probe.c linux-2.6.35.5/net/ipv4/tcp_probe.c
54306 --- linux-2.6.35.5/net/ipv4/tcp_probe.c 2010-08-26 19:47:12.000000000 -0400
54307 +++ linux-2.6.35.5/net/ipv4/tcp_probe.c 2010-09-17 20:12:37.000000000 -0400
54308 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
54309 if (cnt + width >= len)
54312 - if (copy_to_user(buf + cnt, tbuf, width))
54313 + if (width > sizeof(tbuf) || copy_to_user(buf + cnt, tbuf, width))
54317 diff -urNp linux-2.6.35.5/net/ipv4/tcp_timer.c linux-2.6.35.5/net/ipv4/tcp_timer.c
54318 --- linux-2.6.35.5/net/ipv4/tcp_timer.c 2010-08-26 19:47:12.000000000 -0400
54319 +++ linux-2.6.35.5/net/ipv4/tcp_timer.c 2010-09-17 20:12:37.000000000 -0400
54321 #include <linux/gfp.h>
54322 #include <net/tcp.h>
54324 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54325 +extern int grsec_lastack_retries;
54328 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
54329 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
54330 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
54331 @@ -195,6 +199,13 @@ static int tcp_write_timeout(struct sock
54335 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54336 + if ((sk->sk_state == TCP_LAST_ACK) &&
54337 + (grsec_lastack_retries > 0) &&
54338 + (grsec_lastack_retries < retry_until))
54339 + retry_until = grsec_lastack_retries;
54342 if (retransmits_timed_out(sk, retry_until)) {
54343 /* Has it gone just too far? */
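Review bot: The LAST_ACK cap added to tcp_write_timeout tests `grsec_lastack_retries > 0` but never `grsec_enable_blackhole`. With CONFIG_GRKERNSEC_BLACKHOLE built in, the shorter retry budget therefore applies whether or not the blackhole switch used in the other TCP hunks is on. If the two settings are meant to be independent, a comment such as `/* independent of grsec_enable_blackhole; a value of 0 leaves retry_until untouched */` would record that. If not, the condition needs the switch as well. The function begins and ends outside the hunk.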
54345 diff -urNp linux-2.6.35.5/net/ipv4/udp.c linux-2.6.35.5/net/ipv4/udp.c
54346 --- linux-2.6.35.5/net/ipv4/udp.c 2010-08-26 19:47:12.000000000 -0400
54347 +++ linux-2.6.35.5/net/ipv4/udp.c 2010-09-17 20:12:37.000000000 -0400
54349 #include <linux/types.h>
54350 #include <linux/fcntl.h>
54351 #include <linux/module.h>
54352 +#include <linux/security.h>
54353 #include <linux/socket.h>
54354 #include <linux/sockios.h>
54355 #include <linux/igmp.h>
54356 @@ -107,6 +108,10 @@
54357 #include <net/xfrm.h>
54358 #include "udp_impl.h"
54360 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54361 +extern int grsec_enable_blackhole;
54364 struct udp_table udp_table __read_mostly;
54365 EXPORT_SYMBOL(udp_table);
54367 @@ -564,6 +569,9 @@ found:
54371 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
54372 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
54375 * This routine is called by the ICMP module when it gets some
54376 * sort of error condition. If err < 0 then the socket should
54377 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
54378 dport = usin->sin_port;
54382 + err = gr_search_udp_sendmsg(sk, usin);
54386 if (sk->sk_state != TCP_ESTABLISHED)
54387 return -EDESTADDRREQ;
54389 + err = gr_search_udp_sendmsg(sk, NULL);
54393 daddr = inet->inet_daddr;
54394 dport = inet->inet_dport;
54395 /* Open fast path for connected socket.
54396 @@ -1141,6 +1158,10 @@ try_again:
54400 + err = gr_search_udp_recvmsg(sk, skb);
54404 ulen = skb->len - sizeof(struct udphdr);
54407 @@ -1582,6 +1603,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
54410 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
54411 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54412 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
54414 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
54417 @@ -2007,7 +2031,12 @@ static void udp4_format_sock(struct sock
54418 sk_wmem_alloc_get(sp),
54419 sk_rmem_alloc_get(sp),
54420 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
54421 - atomic_read(&sp->sk_refcnt), sp,
54422 + atomic_read(&sp->sk_refcnt),
54423 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54428 atomic_read(&sp->sk_drops), len);
54431 diff -urNp linux-2.6.35.5/net/ipv6/exthdrs.c linux-2.6.35.5/net/ipv6/exthdrs.c
54432 --- linux-2.6.35.5/net/ipv6/exthdrs.c 2010-08-26 19:47:12.000000000 -0400
54433 +++ linux-2.6.35.5/net/ipv6/exthdrs.c 2010-09-17 20:12:09.000000000 -0400
54434 @@ -636,7 +636,7 @@ static struct tlvtype_proc tlvprochopopt
54435 .type = IPV6_TLV_JUMBO,
54436 .func = ipv6_hop_jumbo,
54442 int ipv6_parse_hopopts(struct sk_buff *skb)
54443 diff -urNp linux-2.6.35.5/net/ipv6/raw.c linux-2.6.35.5/net/ipv6/raw.c
54444 --- linux-2.6.35.5/net/ipv6/raw.c 2010-08-26 19:47:12.000000000 -0400
54445 +++ linux-2.6.35.5/net/ipv6/raw.c 2010-09-17 20:12:09.000000000 -0400
54446 @@ -601,7 +601,7 @@ out:
54450 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
54451 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
54452 struct flowi *fl, struct rt6_info *rt,
54453 unsigned int flags)
54455 diff -urNp linux-2.6.35.5/net/ipv6/tcp_ipv6.c linux-2.6.35.5/net/ipv6/tcp_ipv6.c
54456 --- linux-2.6.35.5/net/ipv6/tcp_ipv6.c 2010-08-26 19:47:12.000000000 -0400
54457 +++ linux-2.6.35.5/net/ipv6/tcp_ipv6.c 2010-09-17 20:23:25.000000000 -0400
54458 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
54462 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54463 +extern int grsec_enable_blackhole;
54466 static void tcp_v6_hash(struct sock *sk)
54468 if (sk->sk_state != TCP_CLOSE) {
54469 @@ -1641,6 +1645,9 @@ static int tcp_v6_do_rcv(struct sock *sk
54473 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54474 + if (!grsec_enable_blackhole)
54476 tcp_v6_send_reset(sk, skb);
54479 @@ -1720,12 +1727,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
54480 TCP_SKB_CB(skb)->sacked = 0;
54482 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
54485 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54488 goto no_tcp_socket;
54492 - if (sk->sk_state == TCP_TIME_WAIT)
54493 + if (sk->sk_state == TCP_TIME_WAIT) {
54494 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54500 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
54501 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
54502 @@ -1773,6 +1788,10 @@ no_tcp_socket:
54504 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
54506 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54507 + if (!grsec_enable_blackhole || (ret == 1 &&
54508 + (skb->dev->flags & IFF_LOOPBACK)))
54510 tcp_v6_send_reset(NULL, skb);
54513 diff -urNp linux-2.6.35.5/net/ipv6/udp.c linux-2.6.35.5/net/ipv6/udp.c
54514 --- linux-2.6.35.5/net/ipv6/udp.c 2010-08-26 19:47:12.000000000 -0400
54515 +++ linux-2.6.35.5/net/ipv6/udp.c 2010-09-17 20:12:37.000000000 -0400
54517 #include <linux/seq_file.h>
54518 #include "udp_impl.h"
54520 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54521 +extern int grsec_enable_blackhole;
54524 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
54526 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
54527 @@ -756,6 +760,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
54528 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
54529 proto == IPPROTO_UDPLITE);
54531 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54532 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
54534 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
54537 diff -urNp linux-2.6.35.5/net/irda/ircomm/ircomm_tty.c linux-2.6.35.5/net/irda/ircomm/ircomm_tty.c
54538 --- linux-2.6.35.5/net/irda/ircomm/ircomm_tty.c 2010-08-26 19:47:12.000000000 -0400
54539 +++ linux-2.6.35.5/net/irda/ircomm/ircomm_tty.c 2010-09-17 20:12:09.000000000 -0400
54540 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
54541 add_wait_queue(&self->open_wait, &wait);
54543 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
54544 - __FILE__,__LINE__, tty->driver->name, self->open_count );
54545 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
54547 /* As far as I can see, we protect open_count - Jean II */
54548 spin_lock_irqsave(&self->spinlock, flags);
54549 if (!tty_hung_up_p(filp)) {
54551 - self->open_count--;
54552 + atomic_dec(&self->open_count);
54554 spin_unlock_irqrestore(&self->spinlock, flags);
54555 - self->blocked_open++;
54556 + atomic_inc(&self->blocked_open);
54559 if (tty->termios->c_cflag & CBAUD) {
54560 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
54563 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
54564 - __FILE__,__LINE__, tty->driver->name, self->open_count );
54565 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
54569 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
54571 /* ++ is not atomic, so this should be protected - Jean II */
54572 spin_lock_irqsave(&self->spinlock, flags);
54573 - self->open_count++;
54574 + atomic_inc(&self->open_count);
54575 spin_unlock_irqrestore(&self->spinlock, flags);
54577 - self->blocked_open--;
54578 + atomic_dec(&self->blocked_open);
54580 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
54581 - __FILE__,__LINE__, tty->driver->name, self->open_count);
54582 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
54585 self->flags |= ASYNC_NORMAL_ACTIVE;
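Review bot: The comment `/* ++ is not atomic, so this should be protected - Jean II */` now sits above `atomic_inc(&self->open_count);`, which is atomic, so it no longer describes the code. The same stale comment is in the ircomm_tty_open hunk. The spinlock is still taken around the increment, while `atomic_dec(&self->blocked_open)` runs after the unlock. It would help to say which accesses still depend on the lock, for instance `/* open_count is atomic_t; the spinlock is kept for the surrounding state */`. ircomm_tty_block_til_ready extends outside the hunk.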
54586 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
54588 /* ++ is not atomic, so this should be protected - Jean II */
54589 spin_lock_irqsave(&self->spinlock, flags);
54590 - self->open_count++;
54591 + atomic_inc(&self->open_count);
54593 tty->driver_data = self;
54595 spin_unlock_irqrestore(&self->spinlock, flags);
54597 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
54598 - self->line, self->open_count);
54599 + self->line, atomic_read(&self->open_count));
54601 /* Not really used by us, but lets do it anyway */
54602 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
54603 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
54607 - if ((tty->count == 1) && (self->open_count != 1)) {
54608 + if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
54610 * Uh, oh. tty->count is 1, which means that the tty
54611 * structure will be freed. state->count should always
54612 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
54614 IRDA_DEBUG(0, "%s(), bad serial port count; "
54615 "tty->count is 1, state->count is %d\n", __func__ ,
54616 - self->open_count);
54617 - self->open_count = 1;
54618 + atomic_read(&self->open_count));
54619 + atomic_set(&self->open_count, 1);
54622 - if (--self->open_count < 0) {
54623 + if (atomic_dec_return(&self->open_count) < 0) {
54624 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
54625 - __func__, self->line, self->open_count);
54626 - self->open_count = 0;
54627 + __func__, self->line, atomic_read(&self->open_count));
54628 + atomic_set(&self->open_count, 0);
54630 - if (self->open_count) {
54631 + if (atomic_read(&self->open_count)) {
54632 spin_unlock_irqrestore(&self->spinlock, flags);
54634 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
54635 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
54639 - if (self->blocked_open) {
54640 + if (atomic_read(&self->blocked_open)) {
54641 if (self->close_delay)
54642 schedule_timeout_interruptible(self->close_delay);
54643 wake_up_interruptible(&self->open_wait);
54644 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
54645 spin_lock_irqsave(&self->spinlock, flags);
54646 self->flags &= ~ASYNC_NORMAL_ACTIVE;
54648 - self->open_count = 0;
54649 + atomic_set(&self->open_count, 0);
54650 spin_unlock_irqrestore(&self->spinlock, flags);
54652 wake_up_interruptible(&self->open_wait);
54653 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
54656 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
54657 - seq_printf(m, "Open count: %d\n", self->open_count);
54658 + seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
54659 seq_printf(m, "Max data size: %d\n", self->max_data_size);
54660 seq_printf(m, "Max header size: %d\n", self->max_header_size);
54662 diff -urNp linux-2.6.35.5/net/key/af_key.c linux-2.6.35.5/net/key/af_key.c
54663 --- linux-2.6.35.5/net/key/af_key.c 2010-08-26 19:47:12.000000000 -0400
54664 +++ linux-2.6.35.5/net/key/af_key.c 2010-09-17 20:12:37.000000000 -0400
54665 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
54666 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
54668 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
54669 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54674 atomic_read(&s->sk_refcnt),
54675 sk_rmem_alloc_get(s),
54676 sk_wmem_alloc_get(s),
54677 diff -urNp linux-2.6.35.5/net/mac80211/ieee80211_i.h linux-2.6.35.5/net/mac80211/ieee80211_i.h
54678 --- linux-2.6.35.5/net/mac80211/ieee80211_i.h 2010-08-26 19:47:12.000000000 -0400
54679 +++ linux-2.6.35.5/net/mac80211/ieee80211_i.h 2010-09-17 20:12:09.000000000 -0400
54680 @@ -649,7 +649,7 @@ struct ieee80211_local {
54681 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
54682 spinlock_t queue_stop_reason_lock;
54685 + atomic_t open_count;
54686 int monitors, cooked_mntrs;
54687 /* number of interfaces with corresponding FIF_ flags */
54688 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
54689 diff -urNp linux-2.6.35.5/net/mac80211/iface.c linux-2.6.35.5/net/mac80211/iface.c
54690 --- linux-2.6.35.5/net/mac80211/iface.c 2010-08-26 19:47:12.000000000 -0400
54691 +++ linux-2.6.35.5/net/mac80211/iface.c 2010-09-17 20:12:09.000000000 -0400
54692 @@ -183,7 +183,7 @@ static int ieee80211_open(struct net_dev
54696 - if (local->open_count == 0) {
54697 + if (atomic_read(&local->open_count) == 0) {
54698 res = drv_start(local);
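Review bot: Switching `local->open_count` to `atomic_t` makes each access atomic but not the check-then-act sequence. Here `atomic_read(&local->open_count) == 0` decides whether `drv_start(local)` runs, while the matching `atomic_inc` sits in a later hunk of ieee80211_open. If callers are already serialised (presumably by the lock held on the netdev open/stop path, which this hunk does not show), the conversion changes nothing functionally. A comment such as `/* open_count transitions are serialised by the caller */` would then record why the separate read and increment are safe. The same read-then-act shape is in the ieee80211_stop hunks.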
54701 @@ -215,7 +215,7 @@ static int ieee80211_open(struct net_dev
54702 * Validate the MAC address for this device.
54704 if (!is_valid_ether_addr(dev->dev_addr)) {
54705 - if (!local->open_count)
54706 + if (!atomic_read(&local->open_count))
54708 return -EADDRNOTAVAIL;
54710 @@ -308,7 +308,7 @@ static int ieee80211_open(struct net_dev
54712 hw_reconf_flags |= __ieee80211_recalc_idle(local);
54714 - local->open_count++;
54715 + atomic_inc(&local->open_count);
54716 if (hw_reconf_flags) {
54717 ieee80211_hw_config(local, hw_reconf_flags);
54719 @@ -336,7 +336,7 @@ static int ieee80211_open(struct net_dev
54721 drv_remove_interface(local, &sdata->vif);
54723 - if (!local->open_count)
54724 + if (!atomic_read(&local->open_count))
54728 @@ -439,7 +439,7 @@ static int ieee80211_stop(struct net_dev
54729 WARN_ON(!list_empty(&sdata->u.ap.vlans));
54732 - local->open_count--;
54733 + atomic_dec(&local->open_count);
54735 switch (sdata->vif.type) {
54736 case NL80211_IFTYPE_AP_VLAN:
54737 @@ -542,7 +542,7 @@ static int ieee80211_stop(struct net_dev
54739 ieee80211_recalc_ps(local, -1);
54741 - if (local->open_count == 0) {
54742 + if (atomic_read(&local->open_count) == 0) {
54743 ieee80211_clear_tx_pending(local);
54744 ieee80211_stop_device(local);
54746 diff -urNp linux-2.6.35.5/net/mac80211/main.c linux-2.6.35.5/net/mac80211/main.c
54747 --- linux-2.6.35.5/net/mac80211/main.c 2010-09-20 17:33:09.000000000 -0400
54748 +++ linux-2.6.35.5/net/mac80211/main.c 2010-09-20 17:33:37.000000000 -0400
54749 @@ -148,7 +148,7 @@ int ieee80211_hw_config(struct ieee80211
54750 local->hw.conf.power_level = power;
54753 - if (changed && local->open_count) {
54754 + if (changed && atomic_read(&local->open_count)) {
54755 ret = drv_config(local, changed);
54758 diff -urNp linux-2.6.35.5/net/mac80211/pm.c linux-2.6.35.5/net/mac80211/pm.c
54759 --- linux-2.6.35.5/net/mac80211/pm.c 2010-08-26 19:47:12.000000000 -0400
54760 +++ linux-2.6.35.5/net/mac80211/pm.c 2010-09-17 20:12:09.000000000 -0400
54761 @@ -101,7 +101,7 @@ int __ieee80211_suspend(struct ieee80211
54764 /* stop hardware - this must stop RX */
54765 - if (local->open_count)
54766 + if (atomic_read(&local->open_count))
54767 ieee80211_stop_device(local);
54769 local->suspended = true;
54770 diff -urNp linux-2.6.35.5/net/mac80211/rate.c linux-2.6.35.5/net/mac80211/rate.c
54771 --- linux-2.6.35.5/net/mac80211/rate.c 2010-08-26 19:47:12.000000000 -0400
54772 +++ linux-2.6.35.5/net/mac80211/rate.c 2010-09-17 20:12:09.000000000 -0400
54773 @@ -355,7 +355,7 @@ int ieee80211_init_rate_ctrl_alg(struct
54777 - if (local->open_count)
54778 + if (atomic_read(&local->open_count))
54781 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
54782 diff -urNp linux-2.6.35.5/net/mac80211/rc80211_pid_debugfs.c linux-2.6.35.5/net/mac80211/rc80211_pid_debugfs.c
54783 --- linux-2.6.35.5/net/mac80211/rc80211_pid_debugfs.c 2010-08-26 19:47:12.000000000 -0400
54784 +++ linux-2.6.35.5/net/mac80211/rc80211_pid_debugfs.c 2010-09-17 20:12:09.000000000 -0400
54785 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
54787 spin_unlock_irqrestore(&events->lock, status);
54789 - if (copy_to_user(buf, pb, p))
54790 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
54794 diff -urNp linux-2.6.35.5/net/mac80211/tx.c linux-2.6.35.5/net/mac80211/tx.c
54795 --- linux-2.6.35.5/net/mac80211/tx.c 2010-08-26 19:47:12.000000000 -0400
54796 +++ linux-2.6.35.5/net/mac80211/tx.c 2010-09-17 20:12:09.000000000 -0400
54797 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
54798 return cpu_to_le16(dur);
54801 -static int inline is_ieee80211_device(struct ieee80211_local *local,
54802 +static inline int is_ieee80211_device(struct ieee80211_local *local,
54803 struct net_device *dev)
54805 return local == wdev_priv(dev->ieee80211_ptr);
54806 diff -urNp linux-2.6.35.5/net/mac80211/util.c linux-2.6.35.5/net/mac80211/util.c
54807 --- linux-2.6.35.5/net/mac80211/util.c 2010-08-26 19:47:12.000000000 -0400
54808 +++ linux-2.6.35.5/net/mac80211/util.c 2010-09-17 20:12:09.000000000 -0400
54809 @@ -1097,7 +1097,7 @@ int ieee80211_reconfig(struct ieee80211_
54810 local->resuming = true;
54812 /* restart hardware */
54813 - if (local->open_count) {
54814 + if (atomic_read(&local->open_count)) {
54816 * Upon resume hardware can sometimes be goofy due to
54817 * various platform / driver / bus issues, so restarting
54818 diff -urNp linux-2.6.35.5/net/netlink/af_netlink.c linux-2.6.35.5/net/netlink/af_netlink.c
54819 --- linux-2.6.35.5/net/netlink/af_netlink.c 2010-08-26 19:47:12.000000000 -0400
54820 +++ linux-2.6.35.5/net/netlink/af_netlink.c 2010-09-17 20:12:37.000000000 -0400
54821 @@ -2001,13 +2001,21 @@ static int netlink_seq_show(struct seq_f
54822 struct netlink_sock *nlk = nlk_sk(s);
54824 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
54825 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54832 nlk->groups ? (u32)nlk->groups[0] : 0,
54833 sk_rmem_alloc_get(s),
54834 sk_wmem_alloc_get(s),
54835 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54840 atomic_read(&s->sk_refcnt),
54841 atomic_read(&s->sk_drops),
54843 diff -urNp linux-2.6.35.5/net/packet/af_packet.c linux-2.6.35.5/net/packet/af_packet.c
54844 --- linux-2.6.35.5/net/packet/af_packet.c 2010-08-26 19:47:12.000000000 -0400
54845 +++ linux-2.6.35.5/net/packet/af_packet.c 2010-09-17 20:12:37.000000000 -0400
54846 @@ -2093,7 +2093,7 @@ static int packet_getsockopt(struct sock
54847 case PACKET_HDRLEN:
54848 if (len > sizeof(int))
54850 - if (copy_from_user(&val, optval, len))
54851 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
54855 @@ -2125,7 +2125,7 @@ static int packet_getsockopt(struct sock
54857 if (put_user(len, optlen))
54859 - if (copy_to_user(optval, data, len))
54860 + if (len > sizeof(st) || copy_to_user(optval, data, len))
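Review bot: The bound added in this packet_getsockopt hunk compares `len` with `sizeof(st)`, but the copy reads from `data`, which is assigned outside the hunk. If `data` can point at an object smaller than `st` (the function also has `val`, seen in the previous hunk), the check does not stop an over-read of that smaller object. Testing `len` against the size of whatever `data` currently points to would make the guard exact; if an earlier clamp already guarantees that, a comment such as `/* len was clamped to the size of *data above */` should say so. The function body starts and ends outside the hunk.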
54864 @@ -2604,7 +2604,11 @@ static int packet_seq_show(struct seq_fi
54867 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
54868 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54873 atomic_read(&s->sk_refcnt),
54876 diff -urNp linux-2.6.35.5/net/rose/af_rose.c linux-2.6.35.5/net/rose/af_rose.c
54877 --- linux-2.6.35.5/net/rose/af_rose.c 2010-08-26 19:47:12.000000000 -0400
54878 +++ linux-2.6.35.5/net/rose/af_rose.c 2010-09-20 17:16:28.000000000 -0400
54879 @@ -679,7 +679,7 @@ static int rose_bind(struct socket *sock
54880 if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
54883 - if (addr->srose_ndigis > ROSE_MAX_DIGIS)
54884 + if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
54887 if ((dev = rose_dev_get(&addr->srose_addr)) == NULL) {
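Review bot: The `(unsigned int)` cast on `addr->srose_ndigis` in rose_bind, and the identical change in the rose_connect hunk below, carries no comment saying what it guards against, while the neighbouring test `addr->srose_ndigis > 1` on the context line still compares without the cast. Presumably the field is signed and the cast makes a negative count fail the upper-bound test; the declaration is outside the hunk, so confirm that. I would add `/* srose_ndigis may be negative: compare as unsigned so it cannot pass the limit */` above both checks. Both function bodies continue outside their hunks.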
54888 @@ -739,7 +739,7 @@ static int rose_connect(struct socket *s
54889 if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
54892 - if (addr->srose_ndigis > ROSE_MAX_DIGIS)
54893 + if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
54896 /* Source + Destination digis should not exceed ROSE_MAX_DIGIS */
54897 diff -urNp linux-2.6.35.5/net/sctp/output.c linux-2.6.35.5/net/sctp/output.c
54898 --- linux-2.6.35.5/net/sctp/output.c 2010-08-26 19:47:12.000000000 -0400
54899 +++ linux-2.6.35.5/net/sctp/output.c 2010-09-23 20:47:39.000000000 -0400
54900 @@ -92,7 +92,6 @@ struct sctp_packet *sctp_packet_config(s
54901 SCTP_DEBUG_PRINTK("%s: packet:%p vtag:0x%x\n", __func__,
54904 - sctp_packet_reset(packet);
54905 packet->vtag = vtag;
54907 if (ecn_capable && sctp_packet_empty(packet)) {
54908 diff -urNp linux-2.6.35.5/net/sctp/socket.c linux-2.6.35.5/net/sctp/socket.c
54909 --- linux-2.6.35.5/net/sctp/socket.c 2010-08-26 19:47:12.000000000 -0400
54910 +++ linux-2.6.35.5/net/sctp/socket.c 2010-09-17 20:12:09.000000000 -0400
54911 @@ -1483,7 +1483,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
54912 struct sctp_sndrcvinfo *sinfo;
54913 struct sctp_initmsg *sinit;
54914 sctp_assoc_t associd = 0;
54915 - sctp_cmsgs_t cmsgs = { NULL };
54916 + sctp_cmsgs_t cmsgs = { NULL, NULL };
54918 sctp_scope_t scope;
54920 @@ -4387,7 +4387,7 @@ static int sctp_getsockopt_peer_addrs(st
54921 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
54922 if (space_left < addrlen)
54924 - if (copy_to_user(to, &temp, addrlen))
54925 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
54929 diff -urNp linux-2.6.35.5/net/socket.c linux-2.6.35.5/net/socket.c
54930 --- linux-2.6.35.5/net/socket.c 2010-08-26 19:47:12.000000000 -0400
54931 +++ linux-2.6.35.5/net/socket.c 2010-09-17 20:12:37.000000000 -0400
54933 #include <linux/nsproxy.h>
54934 #include <linux/magic.h>
54935 #include <linux/slab.h>
54936 +#include <linux/in.h>
54938 #include <asm/uaccess.h>
54939 #include <asm/unistd.h>
54940 @@ -105,6 +106,8 @@
54941 #include <linux/sockios.h>
54942 #include <linux/atalk.h>
54944 +#include <linux/grsock.h>
54946 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
54947 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
54948 unsigned long nr_segs, loff_t pos);
54949 @@ -322,7 +325,7 @@ static int sockfs_get_sb(struct file_sys
54953 -static struct vfsmount *sock_mnt __read_mostly;
54954 +struct vfsmount *sock_mnt __read_mostly;
54956 static struct file_system_type sock_fs_type = {
54958 @@ -1291,6 +1294,16 @@ SYSCALL_DEFINE3(socket, int, family, int
54959 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
54960 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
54962 + if(!gr_search_socket(family, type, protocol)) {
54963 + retval = -EACCES;
54967 + if (gr_handle_sock_all(family, type, protocol)) {
54968 + retval = -EACCES;
54972 retval = sock_create(family, type, protocol, &sock);
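Review bot: The two checks added before sock_create() use opposite return conventions: `gr_search_socket()` denies when it returns zero, while `gr_handle_sock_all()` denies when it returns non-zero, and nothing in the hunk says so. A one-line comment on each, for example `/* returns 0 when policy denies this socket */` and `/* returns non-zero when the caller is restricted */`, would keep a later edit from inverting one of them; take the exact wording from the hook definitions, which are outside this hunk. The first test is also written `if(` without the space used on the surrounding lines.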
54975 @@ -1403,6 +1416,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
54977 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
54979 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
54983 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
54987 err = security_socket_bind(sock,
54988 (struct sockaddr *)&address,
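Review bot: `gr_search_bind()` is handed `(struct sockaddr_in *)&address` before anything in the hunk has looked at the address family or at `addrlen`, and the same cast is made for `gr_search_connect()` in the connect hunk further down. `address` is filled by move_addr_to_kernel() from a caller-supplied length, so for a non-IPv4 family or a short address the IPv4 fields are not meaningful. Unless the callee checks `sa_family` itself (its body is not visible here), I would pass `struct sockaddr *` together with `addrlen` and let the hook validate both before reading a port or address.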
54990 @@ -1411,6 +1432,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
54991 (struct sockaddr *)
54992 &address, addrlen);
54995 fput_light(sock->file, fput_needed);
54998 @@ -1434,10 +1456,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
54999 if ((unsigned)backlog > somaxconn)
55000 backlog = somaxconn;
55002 + if (gr_handle_sock_server_other(sock->sk)) {
55007 + err = gr_search_listen(sock);
55011 err = security_socket_listen(sock, backlog);
55013 err = sock->ops->listen(sock, backlog);
55016 fput_light(sock->file, fput_needed);
55019 @@ -1480,6 +1512,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
55020 newsock->type = sock->type;
55021 newsock->ops = sock->ops;
55023 + if (gr_handle_sock_server_other(sock->sk)) {
55025 + sock_release(newsock);
55029 + err = gr_search_accept(sock);
55031 + sock_release(newsock);
55036 * We don't need try_module_get here, as the listening socket (sock)
55037 * has the protocol module (sock->ops->owner) held.
55038 @@ -1518,6 +1562,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
55039 fd_install(newfd, newfile);
55042 + gr_attach_curr_ip(newsock->sk);
55045 fput_light(sock->file, fput_needed);
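Review bot: `gr_attach_curr_ip(newsock->sk)` is placed after `fd_install(newfd, newfile)`, at which point the new descriptor is already visible to other threads sharing the file table. A concurrent close of `newfd` could release the socket before this line reads `newsock->sk`. Moving the call above `fd_install()`, once the accept itself has succeeded, avoids touching the socket after it has been published. The rest of accept4 is outside the hunk.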
55047 @@ -1550,6 +1596,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
55050 struct socket *sock;
55051 + struct sockaddr *sck;
55052 struct sockaddr_storage address;
55053 int err, fput_needed;
55055 @@ -1560,6 +1607,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
55059 + sck = (struct sockaddr *)&address;
55061 + if (gr_handle_sock_client(sck)) {
55066 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
55071 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
55073 diff -urNp linux-2.6.35.5/net/sunrpc/sched.c linux-2.6.35.5/net/sunrpc/sched.c
55074 --- linux-2.6.35.5/net/sunrpc/sched.c 2010-08-26 19:47:12.000000000 -0400
55075 +++ linux-2.6.35.5/net/sunrpc/sched.c 2010-09-17 20:12:09.000000000 -0400
55076 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
55078 static void rpc_task_set_debuginfo(struct rpc_task *task)
55080 - static atomic_t rpc_pid;
55081 + static atomic_unchecked_t rpc_pid;
55083 - task->tk_pid = atomic_inc_return(&rpc_pid);
55084 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
55087 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
55088 diff -urNp linux-2.6.35.5/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.35.5/net/sunrpc/xprtrdma/svc_rdma.c
55089 --- linux-2.6.35.5/net/sunrpc/xprtrdma/svc_rdma.c 2010-08-26 19:47:12.000000000 -0400
55090 +++ linux-2.6.35.5/net/sunrpc/xprtrdma/svc_rdma.c 2010-09-17 20:12:37.000000000 -0400
55091 @@ -106,7 +106,7 @@ static int read_reset_stat(ctl_table *ta
55095 - if (len && copy_to_user(buffer, str_buf, len))
55096 + if (len > sizeof(str_buf) || (len && copy_to_user(buffer, str_buf, len)))
55100 diff -urNp linux-2.6.35.5/net/sysctl_net.c linux-2.6.35.5/net/sysctl_net.c
55101 --- linux-2.6.35.5/net/sysctl_net.c 2010-08-26 19:47:12.000000000 -0400
55102 +++ linux-2.6.35.5/net/sysctl_net.c 2010-09-17 20:12:37.000000000 -0400
55103 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
55104 struct ctl_table *table)
55106 /* Allow network administrator to have same access as root. */
55107 - if (capable(CAP_NET_ADMIN)) {
55108 + if (capable_nolog(CAP_NET_ADMIN)) {
55109 int mode = (table->mode >> 6) & 7;
55110 return (mode << 6) | (mode << 3) | mode;
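Review bot: The switch from `capable()` to `capable_nolog()` in net_ctl_permissions() is not explained anywhere in the hunk. Presumably this callback runs as a permission probe on sysctl lookups and the logging variant would fill the log with CAP_NET_ADMIN entries for ordinary reads; that is inferred from the name, since `capable_nolog()` is defined elsewhere in the patch. I would extend the existing comment with `/* Use the non-logging check: this is a probe, not a privileged action. */`.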
55112 diff -urNp linux-2.6.35.5/net/tipc/socket.c linux-2.6.35.5/net/tipc/socket.c
55113 --- linux-2.6.35.5/net/tipc/socket.c 2010-08-26 19:47:12.000000000 -0400
55114 +++ linux-2.6.35.5/net/tipc/socket.c 2010-09-17 20:12:09.000000000 -0400
55115 @@ -1451,8 +1451,9 @@ static int connect(struct socket *sock,
55120 - ; /* leave "res" unchanged */
55122 + /* leave "res" unchanged */
55124 sock->state = SS_DISCONNECTING;
55127 diff -urNp linux-2.6.35.5/net/unix/af_unix.c linux-2.6.35.5/net/unix/af_unix.c
55128 --- linux-2.6.35.5/net/unix/af_unix.c 2010-08-26 19:47:12.000000000 -0400
55129 +++ linux-2.6.35.5/net/unix/af_unix.c 2010-09-17 20:12:37.000000000 -0400
55130 @@ -736,6 +736,12 @@ static struct sock *unix_find_other(stru
55131 err = -ECONNREFUSED;
55132 if (!S_ISSOCK(inode->i_mode))
55135 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
55140 u = unix_find_socket_byinode(net, inode);
55143 @@ -756,6 +762,13 @@ static struct sock *unix_find_other(stru
55145 struct dentry *dentry;
55146 dentry = unix_sk(u)->dentry;
55148 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
55155 touch_atime(unix_sk(u)->mnt, dentry);
55157 @@ -841,11 +854,18 @@ static int unix_bind(struct socket *sock
55158 err = security_path_mknod(&nd.path, dentry, mode, 0);
55160 goto out_mknod_drop_write;
55161 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
55163 + goto out_mknod_drop_write;
55165 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
55166 out_mknod_drop_write:
55167 mnt_drop_write(nd.path.mnt);
55169 goto out_mknod_dput;
55171 + gr_handle_create(dentry, nd.path.mnt);
55173 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
55174 dput(nd.path.dentry);
55175 nd.path.dentry = dentry;
55176 @@ -863,6 +883,10 @@ out_mknod_drop_write:
55180 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
55181 + sk->sk_peercred.pid = current->pid;
55184 list = &unix_socket_table[addr->hash];
55186 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
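Review bot: The bind path records `current->pid` in `sk->sk_peercred.pid`, and the unix_find_other() hunk above later passes that number to `gr_handle_chroot_unix()`. A bare pid can be reused after the binding task exits while the socket stays bound, for example when the descriptor was inherited, and `current->pid` identifies the calling thread rather than the process. If the hook resolves the number back to a task (its body is outside this section), holding a counted reference such as a `struct pid *` from `get_pid(task_pid(current))` would avoid matching an unrelated task. The unix_bind body continues outside the hunk.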
55187 @@ -2161,7 +2185,11 @@ static int unix_seq_show(struct seq_file
55188 unix_state_lock(s);
55190 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
55191 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55196 atomic_read(&s->sk_refcnt),
55198 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
55199 diff -urNp linux-2.6.35.5/net/wireless/reg.c linux-2.6.35.5/net/wireless/reg.c
55200 --- linux-2.6.35.5/net/wireless/reg.c 2010-08-26 19:47:12.000000000 -0400
55201 +++ linux-2.6.35.5/net/wireless/reg.c 2010-09-17 20:12:09.000000000 -0400
55203 printk(KERN_DEBUG format , ## args); \
55206 -#define REG_DBG_PRINT(args...)
55207 +#define REG_DBG_PRINT(args...) do {} while (0)
55210 /* Receipt of information from last regulatory request */
55211 diff -urNp linux-2.6.35.5/net/wireless/wext-core.c linux-2.6.35.5/net/wireless/wext-core.c
55212 --- linux-2.6.35.5/net/wireless/wext-core.c 2010-09-20 17:33:09.000000000 -0400
55213 +++ linux-2.6.35.5/net/wireless/wext-core.c 2010-09-23 19:57:26.000000000 -0400
55214 @@ -744,8 +744,7 @@ static int ioctl_standard_iw_point(struc
55217 /* Support for very large requests */
55218 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
55219 - (user_length > descr->max_tokens)) {
55220 + if (user_length > descr->max_tokens) {
55221 /* Allow userspace to GET more than max so
55222 * we can support any size GET requests.
55223 * There is still a limit : -ENOMEM.
55224 @@ -782,22 +781,6 @@ static int ioctl_standard_iw_point(struc
55228 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
55230 - * If this is a GET, but not NOMAX, it means that the extra
55231 - * data is not bounded by userspace, but by max_tokens. Thus
55232 - * set the length to max_tokens. This matches the extra data
55234 - * The driver should fill it with the number of tokens it
55235 - * provided, and it may check iwp->length rather than having
55236 - * knowledge of max_tokens. If the driver doesn't change the
55237 - * iwp->length, this ioctl just copies back max_token tokens
55238 - * filled with zeroes. Hopefully the driver isn't claiming
55239 - * them to be valid data.
55241 - iwp->length = descr->max_tokens;
55244 err = handler(dev, info, (union iwreq_data *) iwp, extra);
55246 iwp->length += essid_compat;
55247 diff -urNp linux-2.6.35.5/net/xfrm/xfrm_policy.c linux-2.6.35.5/net/xfrm/xfrm_policy.c
55248 --- linux-2.6.35.5/net/xfrm/xfrm_policy.c 2010-08-26 19:47:12.000000000 -0400
55249 +++ linux-2.6.35.5/net/xfrm/xfrm_policy.c 2010-09-17 20:12:09.000000000 -0400
55250 @@ -1502,7 +1502,7 @@ free_dst:
55256 xfrm_dst_alloc_copy(void **target, void *src, int size)
55259 @@ -1514,7 +1514,7 @@ xfrm_dst_alloc_copy(void **target, void
55265 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
55267 #ifdef CONFIG_XFRM_SUB_POLICY
55268 @@ -1526,7 +1526,7 @@ xfrm_dst_update_parent(struct dst_entry
55274 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
55276 #ifdef CONFIG_XFRM_SUB_POLICY
55277 diff -urNp linux-2.6.35.5/scripts/basic/fixdep.c linux-2.6.35.5/scripts/basic/fixdep.c
55278 --- linux-2.6.35.5/scripts/basic/fixdep.c 2010-08-26 19:47:12.000000000 -0400
55279 +++ linux-2.6.35.5/scripts/basic/fixdep.c 2010-09-17 20:12:09.000000000 -0400
55280 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
55282 static void parse_config_file(char *map, size_t len)
55284 - int *end = (int *) (map + len);
55285 + unsigned int *end = (unsigned int *) (map + len);
55286 /* start at +1, so that p can never be < map */
55287 - int *m = (int *) map + 1;
55288 + unsigned int *m = (unsigned int *) map + 1;
55291 for (; m < end; m++) {
55292 @@ -371,7 +371,7 @@ static void print_deps(void)
55293 static void traps(void)
55295 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
55296 - int *p = (int *)test;
55297 + unsigned int *p = (unsigned int *)test;
55299 if (*p != INT_CONF) {
55300 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
55301 diff -urNp linux-2.6.35.5/scripts/kallsyms.c linux-2.6.35.5/scripts/kallsyms.c
55302 --- linux-2.6.35.5/scripts/kallsyms.c 2010-08-26 19:47:12.000000000 -0400
55303 +++ linux-2.6.35.5/scripts/kallsyms.c 2010-09-17 20:12:09.000000000 -0400
55304 @@ -43,10 +43,10 @@ struct text_range {
55306 static unsigned long long _text;
55307 static struct text_range text_ranges[] = {
55308 - { "_stext", "_etext" },
55309 - { "_sinittext", "_einittext" },
55310 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
55311 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
55312 + { "_stext", "_etext", 0, 0 },
55313 + { "_sinittext", "_einittext", 0, 0 },
55314 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
55315 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
55317 #define text_range_text (&text_ranges[0])
55318 #define text_range_inittext (&text_ranges[1])
55319 diff -urNp linux-2.6.35.5/scripts/mod/file2alias.c linux-2.6.35.5/scripts/mod/file2alias.c
55320 --- linux-2.6.35.5/scripts/mod/file2alias.c 2010-08-26 19:47:12.000000000 -0400
55321 +++ linux-2.6.35.5/scripts/mod/file2alias.c 2010-09-17 20:12:09.000000000 -0400
55322 @@ -72,7 +72,7 @@ static void device_id_check(const char *
55323 unsigned long size, unsigned long id_size,
55329 if (size % id_size || size < id_size) {
55330 if (cross_build != 0)
55331 @@ -102,7 +102,7 @@ static void device_id_check(const char *
55332 /* USB is special because the bcdDevice can be matched against a numeric range */
55333 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
55334 static void do_usb_entry(struct usb_device_id *id,
55335 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
55336 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
55337 unsigned char range_lo, unsigned char range_hi,
55338 unsigned char max, struct module *mod)
55340 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
55341 for (i = 0; i < count; i++) {
55342 const char *id = (char *)devs[i].id;
55343 char acpi_id[sizeof(devs[0].id)];
55347 buf_printf(&mod->dev_table_buf,
55348 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
55349 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
55351 for (j = 0; j < PNP_MAX_DEVICES; j++) {
55352 const char *id = (char *)card->devs[j].id;
55354 + unsigned int i2, j2;
55358 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
55359 /* add an individual alias for every device entry */
55361 char acpi_id[sizeof(card->devs[0].id)];
55365 buf_printf(&mod->dev_table_buf,
55366 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
55367 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
55368 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
55372 + unsigned int i, j;
55374 sprintf(alias, "dmi*");
55376 diff -urNp linux-2.6.35.5/scripts/mod/modpost.c linux-2.6.35.5/scripts/mod/modpost.c
55377 --- linux-2.6.35.5/scripts/mod/modpost.c 2010-08-26 19:47:12.000000000 -0400
55378 +++ linux-2.6.35.5/scripts/mod/modpost.c 2010-09-17 20:12:09.000000000 -0400
55379 @@ -846,6 +846,7 @@ enum mismatch {
55380 ANY_INIT_TO_ANY_EXIT,
55381 ANY_EXIT_TO_ANY_INIT,
55382 EXPORT_TO_INIT_EXIT,
55386 struct sectioncheck {
55387 @@ -954,6 +955,12 @@ const struct sectioncheck sectioncheck[]
55388 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
55389 .mismatch = EXPORT_TO_INIT_EXIT,
55390 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
55392 +/* Do not reference code from writable data */
55394 + .fromsec = { DATA_SECTIONS, NULL },
55395 + .tosec = { TEXT_SECTIONS, NULL },
55396 + .mismatch = DATA_TO_TEXT
55400 @@ -1060,10 +1067,10 @@ static Elf_Sym *find_elf_symbol(struct e
55402 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
55404 - if (sym->st_value == addr)
55406 /* Find a symbol nearby - addr are maybe negative */
55407 d = sym->st_value - addr;
55411 d = addr - sym->st_value;
55412 if (d < distance) {
55413 @@ -1306,6 +1313,14 @@ static void report_sec_mismatch(const ch
55414 "or drop the export.\n",
55415 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
55417 + case DATA_TO_TEXT:
55420 + "The variable %s references\n"
55421 + "the %s %s%s%s\n",
55422 + fromsym, to, sec2annotation(tosec), tosym, to_p);
55426 fprintf(stderr, "\n");
55428 @@ -1629,7 +1644,7 @@ void __attribute__((format(printf, 2, 3)
55432 -void buf_write(struct buffer *buf, const char *s, int len)
55433 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
55435 if (buf->size - buf->pos < len) {
55436 buf->size += len + SZ;
55437 @@ -1841,7 +1856,7 @@ static void write_if_changed(struct buff
55438 if (fstat(fileno(file), &st) < 0)
55441 - if (st.st_size != b->pos)
55442 + if (st.st_size != (off_t)b->pos)
55445 tmp = NOFAIL(malloc(b->pos));
55446 diff -urNp linux-2.6.35.5/scripts/mod/modpost.h linux-2.6.35.5/scripts/mod/modpost.h
55447 --- linux-2.6.35.5/scripts/mod/modpost.h 2010-08-26 19:47:12.000000000 -0400
55448 +++ linux-2.6.35.5/scripts/mod/modpost.h 2010-09-17 20:12:09.000000000 -0400
55449 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
55455 + unsigned int pos;
55456 + unsigned int size;
55459 void __attribute__((format(printf, 2, 3)))
55460 buf_printf(struct buffer *buf, const char *fmt, ...);
55463 -buf_write(struct buffer *buf, const char *s, int len);
55464 +buf_write(struct buffer *buf, const char *s, unsigned int len);
55467 struct module *next;
55468 diff -urNp linux-2.6.35.5/scripts/mod/sumversion.c linux-2.6.35.5/scripts/mod/sumversion.c
55469 --- linux-2.6.35.5/scripts/mod/sumversion.c 2010-08-26 19:47:12.000000000 -0400
55470 +++ linux-2.6.35.5/scripts/mod/sumversion.c 2010-09-17 20:12:09.000000000 -0400
55471 @@ -455,7 +455,7 @@ static void write_version(const char *fi
55475 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
55476 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
55477 warn("writing sum in %s failed: %s\n",
55478 filename, strerror(errno));
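Review bot: The `(ssize_t)` cast silences the signed/unsigned comparison, but the line still calls `strlen(sum)` twice, and a short write is reported with `strerror(errno)` although `errno` is only set when write() returns -1. Computing the length once, `size_t n = strlen(sum) + 1;`, and testing `write(fd, sum, n) != (ssize_t)n` reads more clearly. The warning could then distinguish the two cases, printing the errno text only for a -1 return. write_version continues outside the hunk.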
55480 diff -urNp linux-2.6.35.5/scripts/pnmtologo.c linux-2.6.35.5/scripts/pnmtologo.c
55481 --- linux-2.6.35.5/scripts/pnmtologo.c 2010-08-26 19:47:12.000000000 -0400
55482 +++ linux-2.6.35.5/scripts/pnmtologo.c 2010-09-17 20:12:09.000000000 -0400
55483 @@ -237,14 +237,14 @@ static void write_header(void)
55484 fprintf(out, " * Linux logo %s\n", logoname);
55485 fputs(" */\n\n", out);
55486 fputs("#include <linux/linux_logo.h>\n\n", out);
55487 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
55488 + fprintf(out, "static unsigned char %s_data[] = {\n",
55492 static void write_footer(void)
55494 fputs("\n};\n\n", out);
55495 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
55496 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
55497 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
55498 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
55499 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
55500 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
55501 fputs("\n};\n\n", out);
55503 /* write logo clut */
55504 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
55505 + fprintf(out, "static unsigned char %s_clut[] = {\n",
55508 for (i = 0; i < logo_clutsize; i++) {
55509 diff -urNp linux-2.6.35.5/security/commoncap.c linux-2.6.35.5/security/commoncap.c
55510 --- linux-2.6.35.5/security/commoncap.c 2010-08-26 19:47:12.000000000 -0400
55511 +++ linux-2.6.35.5/security/commoncap.c 2010-09-17 20:12:37.000000000 -0400
55513 #include <linux/securebits.h>
55514 #include <linux/syslog.h>
55515 #include <linux/vs_context.h>
55516 +#include <net/sock.h>
55519 * If a non-root user executes a setuid-root binary in
55520 @@ -51,9 +52,11 @@ static void warn_setuid_and_fcaps_mixed(
55524 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
55526 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
55528 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
55529 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
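Review bot: `gr_cap_rtnetlink()` is declared with a local `extern` in commoncap.c instead of through a header. The compiler then cannot check this prototype against the definition, so a later change to the function's signature would still build and only misbehave at run time. net/socket.c in this same patch gets its hooks from `<linux/grsock.h>`; declaring this one in a shared header as well, included by both the definition and this file, would be consistent with that. Since the result replaces `current_cap()` as the netlink sender's effective capability set, a one-line comment on what the hook may remove would also help.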
55533 diff -urNp linux-2.6.35.5/security/integrity/ima/ima_api.c linux-2.6.35.5/security/integrity/ima/ima_api.c
55534 --- linux-2.6.35.5/security/integrity/ima/ima_api.c 2010-08-26 19:47:12.000000000 -0400
55535 +++ linux-2.6.35.5/security/integrity/ima/ima_api.c 2010-09-17 20:12:09.000000000 -0400
55536 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
55539 /* can overflow, only indicator */
55540 - atomic_long_inc(&ima_htable.violations);
55541 + atomic_long_inc_unchecked(&ima_htable.violations);
55543 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
55545 diff -urNp linux-2.6.35.5/security/integrity/ima/ima_fs.c linux-2.6.35.5/security/integrity/ima/ima_fs.c
55546 --- linux-2.6.35.5/security/integrity/ima/ima_fs.c 2010-08-26 19:47:12.000000000 -0400
55547 +++ linux-2.6.35.5/security/integrity/ima/ima_fs.c 2010-09-17 20:12:09.000000000 -0400
55548 @@ -28,12 +28,12 @@
55549 static int valid_policy = 1;
55550 #define TMPBUFLEN 12
55551 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
55552 - loff_t *ppos, atomic_long_t *val)
55553 + loff_t *ppos, atomic_long_unchecked_t *val)
55555 char tmpbuf[TMPBUFLEN];
55558 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
55559 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
55560 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
55563 diff -urNp linux-2.6.35.5/security/integrity/ima/ima.h linux-2.6.35.5/security/integrity/ima/ima.h
55564 --- linux-2.6.35.5/security/integrity/ima/ima.h 2010-09-20 17:33:09.000000000 -0400
55565 +++ linux-2.6.35.5/security/integrity/ima/ima.h 2010-09-20 17:33:37.000000000 -0400
55566 @@ -84,8 +84,8 @@ void ima_add_violation(struct inode *ino
55567 extern spinlock_t ima_queue_lock;
55569 struct ima_h_table {
55570 - atomic_long_t len; /* number of stored measurements in the list */
55571 - atomic_long_t violations;
55572 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
55573 + atomic_long_unchecked_t violations;
55574 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
55576 extern struct ima_h_table ima_htable;
55577 diff -urNp linux-2.6.35.5/security/integrity/ima/ima_queue.c linux-2.6.35.5/security/integrity/ima/ima_queue.c
55578 --- linux-2.6.35.5/security/integrity/ima/ima_queue.c 2010-08-26 19:47:12.000000000 -0400
55579 +++ linux-2.6.35.5/security/integrity/ima/ima_queue.c 2010-09-17 20:12:09.000000000 -0400
55580 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
55581 INIT_LIST_HEAD(&qe->later);
55582 list_add_tail_rcu(&qe->later, &ima_measurements);
55584 - atomic_long_inc(&ima_htable.len);
55585 + atomic_long_inc_unchecked(&ima_htable.len);
55586 key = ima_hash_key(entry->digest);
55587 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
55589 diff -urNp linux-2.6.35.5/security/Kconfig linux-2.6.35.5/security/Kconfig
55590 --- linux-2.6.35.5/security/Kconfig 2010-08-26 19:47:12.000000000 -0400
55591 +++ linux-2.6.35.5/security/Kconfig 2010-09-17 20:12:37.000000000 -0400
55594 menu "Security options"
55596 +source grsecurity/Kconfig
55600 + config PAX_PER_CPU_PGD
55603 + config TASK_SIZE_MAX_SHIFT
55605 + depends on X86_64
55606 + default 47 if !PAX_PER_CPU_PGD
55607 + default 42 if PAX_PER_CPU_PGD
55609 + config PAX_ENABLE_PAE
55611 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
55614 + bool "Enable various PaX features"
55615 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
55617 + This allows you to enable various PaX features. PaX adds
55618 + intrusion prevention mechanisms to the kernel that reduce
55619 + the risks posed by exploitable memory corruption bugs.
55621 +menu "PaX Control"
55624 +config PAX_SOFTMODE
55625 + bool 'Support soft mode'
55626 + select PAX_PT_PAX_FLAGS
55628 + Enabling this option will allow you to run PaX in soft mode, that
55629 + is, PaX features will not be enforced by default, only on executables
55630 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
55631 + is the only way to mark executables for soft mode use.
55633 + Soft mode can be activated by using the "pax_softmode=1" kernel command
55634 + line option on boot. Furthermore you can control various PaX features
55635 + at runtime via the entries in /proc/sys/kernel/pax.
55638 + bool 'Use legacy ELF header marking'
55640 + Enabling this option will allow you to control PaX features on
55641 + a per executable basis via the 'chpax' utility available at
55642 + http://pax.grsecurity.net/. The control flags will be read from
55643 + an otherwise reserved part of the ELF header. This marking has
55644 + numerous drawbacks (no support for soft-mode, toolchain does not
55645 + know about the non-standard use of the ELF header) therefore it
55646 + has been deprecated in favour of PT_PAX_FLAGS support.
55648 + If you have applications not marked by the PT_PAX_FLAGS ELF
55649 + program header then you MUST enable this option otherwise they
55650 + will not get any protection.
55652 + Note that if you enable PT_PAX_FLAGS marking support as well,
55653 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
55655 +config PAX_PT_PAX_FLAGS
55656 + bool 'Use ELF program header marking'
55658 + Enabling this option will allow you to control PaX features on
55659 + a per executable basis via the 'paxctl' utility available at
55660 + http://pax.grsecurity.net/. The control flags will be read from
55661 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
55662 + has the benefits of supporting both soft mode and being fully
55663 + integrated into the toolchain (the binutils patch is available
55664 + from http://pax.grsecurity.net).
55666 + If you have applications not marked by the PT_PAX_FLAGS ELF
55667 + program header then you MUST enable the EI_PAX marking support
55668 + otherwise they will not get any protection.
55670 + Note that if you enable the legacy EI_PAX marking support as well,
55671 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
55674 + prompt 'MAC system integration'
55675 + default PAX_HAVE_ACL_FLAGS
55677 + Mandatory Access Control systems have the option of controlling
55678 + PaX flags on a per executable basis, choose the method supported
55679 + by your particular system.
55681 + - "none": if your MAC system does not interact with PaX,
55682 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
55683 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
55685 + NOTE: this option is for developers/integrators only.
55687 + config PAX_NO_ACL_FLAGS
55690 + config PAX_HAVE_ACL_FLAGS
55693 + config PAX_HOOK_ACL_FLAGS
55699 +menu "Non-executable pages"
55703 + bool "Enforce non-executable pages"
55704 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
55706 + By design some architectures do not allow for protecting memory
55707 + pages against execution or even if they do, Linux does not make
55708 + use of this feature. In practice this means that if a page is
55709 + readable (such as the stack or heap) it is also executable.
55711 + There is a well known exploit technique that makes use of this
55712 + fact and a common programming mistake where an attacker can
55713 + introduce code of his choice somewhere in the attacked program's
55714 + memory (typically the stack or the heap) and then execute it.
55716 + If the attacked program was running with different (typically
55717 + higher) privileges than that of the attacker, then he can elevate
55718 + his own privilege level (e.g. get a root shell, write to files for
55719 + which he does not have write access to, etc).
55721 + Enabling this option will let you choose from various features
55722 + that prevent the injection and execution of 'foreign' code in
55725 + This will also break programs that rely on the old behaviour and
55726 + expect that dynamically allocated memory via the malloc() family
55727 + of functions is executable (which it is not). Notable examples
55728 + are the XFree86 4.x server, the java runtime and wine.
55730 +config PAX_PAGEEXEC
55731 + bool "Paging based non-executable pages"
55732 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
55733 + select S390_SWITCH_AMODE if S390
55734 + select S390_EXEC_PROTECT if S390
55736 + This implementation is based on the paging feature of the CPU.
55737 + On i386 without hardware non-executable bit support there is a
55738 + variable but usually low performance impact, however on Intel's
55739 + P4 core based CPUs it is very high so you should not enable this
55740 + for kernels meant to be used on such CPUs.
55742 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
55743 + with hardware non-executable bit support there is no performance
55744 + impact, on ppc the impact is negligible.
55746 + Note that several architectures require various emulations due to
55747 + badly designed userland ABIs, this will cause a performance impact
55748 + but will disappear as soon as userland is fixed. For example, ppc
55749 + userland MUST have been built with secure-plt by a recent toolchain.
55751 +config PAX_SEGMEXEC
55752 + bool "Segmentation based non-executable pages"
55753 + depends on PAX_NOEXEC && X86_32
55755 + This implementation is based on the segmentation feature of the
55756 + CPU and has a very small performance impact, however applications
55757 + will be limited to a 1.5 GB address space instead of the normal
55760 +config PAX_EMUTRAMP
55761 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
55762 + default y if PARISC
55764 + There are some programs and libraries that for one reason or
55765 + another attempt to execute special small code snippets from
55766 + non-executable memory pages. Most notable examples are the
55767 + signal handler return code generated by the kernel itself and
55768 + the GCC trampolines.
55770 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
55771 + such programs will no longer work under your kernel.
55773 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
55774 + utilities to enable trampoline emulation for the affected programs
55775 + yet still have the protection provided by the non-executable pages.
55777 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
55778 + your system will not even boot.
55780 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
55781 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
55782 + for the affected files.
55784 + NOTE: enabling this feature *may* open up a loophole in the
55785 + protection provided by non-executable pages that an attacker
55786 + could abuse. Therefore the best solution is to not have any
55787 + files on your system that would require this option. This can
55788 + be achieved by not using libc5 (which relies on the kernel
55789 + signal handler return code) and not using or rewriting programs
55790 + that make use of the nested function implementation of GCC.
55791 + Skilled users can just fix GCC itself so that it implements
55792 + nested function calls in a way that does not interfere with PaX.
55794 +config PAX_EMUSIGRT
55795 + bool "Automatically emulate sigreturn trampolines"
55796 + depends on PAX_EMUTRAMP && PARISC
55799 + Enabling this option will have the kernel automatically detect
55800 + and emulate signal return trampolines executing on the stack
55801 + that would otherwise lead to task termination.
55803 + This solution is intended as a temporary one for users with
55804 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
55805 + Modula-3 runtime, etc) or executables linked to such, basically
55806 + everything that does not specify its own SA_RESTORER function in
55807 + normal executable memory like glibc 2.1+ does.
55809 + On parisc you MUST enable this option, otherwise your system will
55812 + NOTE: this feature cannot be disabled on a per executable basis
55813 + and since it *does* open up a loophole in the protection provided
55814 + by non-executable pages, the best solution is to not have any
55815 + files on your system that would require this option.
55817 +config PAX_MPROTECT
55818 + bool "Restrict mprotect()"
55819 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
55821 + Enabling this option will prevent programs from
55822 + - changing the executable status of memory pages that were
55823 + not originally created as executable,
55824 + - making read-only executable pages writable again,
55825 + - creating executable pages from anonymous memory,
55826 + - making read-only-after-relocations (RELRO) data pages writable again.
55828 + You should say Y here to complete the protection provided by
55829 + the enforcement of non-executable pages.
55831 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
55832 + this feature on a per file basis.
55834 +config PAX_ELFRELOCS
55835 + bool "Allow ELF text relocations (read help)"
55836 + depends on PAX_MPROTECT
55839 + Non-executable pages and mprotect() restrictions are effective
55840 + in preventing the introduction of new executable code into an
55841 + attacked task's address space. There remain only two venues
55842 + for this kind of attack: if the attacker can execute already
55843 + existing code in the attacked task then he can either have it
55844 + create and mmap() a file containing his code or have it mmap()
55845 + an already existing ELF library that does not have position
55846 + independent code in it and use mprotect() on it to make it
55847 + writable and copy his code there. While protecting against
55848 + the former approach is beyond PaX, the latter can be prevented
55849 + by having only PIC ELF libraries on one's system (which do not
55850 + need to relocate their code). If you are sure this is your case,
55851 + as is the case with all modern Linux distributions, then leave
55852 + this option disabled. You should say 'n' here.
55854 +config PAX_ETEXECRELOCS
55855 + bool "Allow ELF ET_EXEC text relocations"
55856 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
55857 + select PAX_ELFRELOCS
55860 + On some architectures there are incorrectly created applications
55861 + that require text relocations and would not work without enabling
55862 + this option. If you are an alpha, ia64 or parisc user, you should
55863 + enable this option and disable it once you have made sure that
55864 + none of your applications need it.
55867 + bool "Automatically emulate ELF PLT"
55868 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
55871 + Enabling this option will have the kernel automatically detect
55872 + and emulate the Procedure Linkage Table entries in ELF files.
55873 + On some architectures such entries are in writable memory, and
55874 + become non-executable leading to task termination. Therefore
55875 + it is mandatory that you enable this option on alpha, parisc,
55876 + sparc and sparc64, otherwise your system would not even boot.
55878 + NOTE: this feature *does* open up a loophole in the protection
55879 + provided by the non-executable pages, therefore the proper
55880 + solution is to modify the toolchain to produce a PLT that does
55881 + not need to be writable.
55883 +config PAX_DLRESOLVE
55884 + bool 'Emulate old glibc resolver stub'
55885 + depends on PAX_EMUPLT && SPARC
55888 + This option is needed if userland has an old glibc (before 2.4)
55889 + that puts a 'save' instruction into the runtime generated resolver
55890 + stub that needs special emulation.
55892 +config PAX_KERNEXEC
55893 + bool "Enforce non-executable kernel pages"
55894 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
55895 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
55897 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
55898 + that is, enabling this option will make it harder to inject
55899 + and execute 'foreign' code in kernel memory itself.
55901 +config PAX_KERNEXEC_MODULE_TEXT
55902 + int "Minimum amount of memory reserved for module code"
55904 + depends on PAX_KERNEXEC && X86_32 && MODULES
55906 + Due to implementation details the kernel must reserve a fixed
55907 + amount of memory for module code at compile time that cannot be
55908 + changed at runtime. Here you can specify the minimum amount
55909 + in MB that will be reserved. Due to the same implementation
55910 + details this size will always be rounded up to the next 2/4 MB
55911 + boundary (depends on PAE) so the actually available memory for
55912 + module code will usually be more than this minimum.
55914 + The default 4 MB should be enough for most users but if you have
55915 + an excessive number of modules (e.g., most distribution configs
55916 + compile many drivers as modules) or use huge modules such as
55917 + nvidia's kernel driver, you will need to adjust this amount.
55918 + A good rule of thumb is to look at your currently loaded kernel
55919 + modules and add up their sizes.
55923 +menu "Address Space Layout Randomization"
55927 + bool "Address Space Layout Randomization"
55928 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
55930 + Many if not most exploit techniques rely on the knowledge of
55931 + certain addresses in the attacked program. The following options
55932 + will allow the kernel to apply a certain amount of randomization
55933 + to specific parts of the program thereby forcing an attacker to
55934 + guess them in most cases. Any failed guess will most likely crash
55935 + the attacked program which allows the kernel to detect such attempts
55936 + and react on them. PaX itself provides no reaction mechanisms,
55937 + instead it is strongly encouraged that you make use of Nergal's
55938 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
55939 + (http://www.grsecurity.net/) built-in crash detection features or
55940 + develop one yourself.
55942 + By saying Y here you can choose to randomize the following areas:
55943 + - top of the task's kernel stack
55944 + - top of the task's userland stack
55945 + - base address for mmap() requests that do not specify one
55946 + (this includes all libraries)
55947 + - base address of the main executable
55949 + It is strongly recommended to say Y here as address space layout
55950 + randomization has negligible impact on performance yet it provides
55951 + a very effective protection.
55953 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
55954 + this feature on a per file basis.
55956 +config PAX_RANDKSTACK
55957 + bool "Randomize kernel stack base"
55958 + depends on PAX_ASLR && X86_TSC && X86_32
55960 + By saying Y here the kernel will randomize every task's kernel
55961 + stack on every system call. This will not only force an attacker
55962 + to guess it but also prevent him from making use of possible
55963 + leaked information about it.
55965 + Since the kernel stack is a rather scarce resource, randomization
55966 + may cause unexpected stack overflows, therefore you should very
55967 + carefully test your system. Note that once enabled in the kernel
55968 + configuration, this feature cannot be disabled on a per file basis.
55970 +config PAX_RANDUSTACK
55971 + bool "Randomize user stack base"
55972 + depends on PAX_ASLR
55974 + By saying Y here the kernel will randomize every task's userland
55975 + stack. The randomization is done in two steps where the second
55976 + one may apply a big amount of shift to the top of the stack and
55977 + cause problems for programs that want to use lots of memory (more
55978 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
55979 + For this reason the second step can be controlled by 'chpax' or
55980 + 'paxctl' on a per file basis.
55982 +config PAX_RANDMMAP
55983 + bool "Randomize mmap() base"
55984 + depends on PAX_ASLR
55986 + By saying Y here the kernel will use a randomized base address for
55987 + mmap() requests that do not specify one themselves. As a result
55988 + all dynamically loaded libraries will appear at random addresses
55989 + and therefore be harder to exploit by a technique where an attacker
55990 + attempts to execute library code for his purposes (e.g. spawn a
55991 + shell from an exploited program that is running at an elevated
55992 + privilege level).
55994 + Furthermore, if a program is relinked as a dynamic ELF file, its
55995 + base address will be randomized as well, completing the full
55996 + randomization of the address space layout. Attacking such programs
55997 + becomes a guess game. You can find an example of doing this at
55998 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
55999 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
56001 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
56002 + feature on a per file basis.
56006 +menu "Miscellaneous hardening features"
56008 +config PAX_MEMORY_SANITIZE
56009 + bool "Sanitize all freed memory"
56011 + By saying Y here the kernel will erase memory pages as soon as they
56012 + are freed. This in turn reduces the lifetime of data stored in the
56013 + pages, making it less likely that sensitive information such as
56014 + passwords, cryptographic secrets, etc stay in memory for too long.
56016 + This is especially useful for programs whose runtime is short, long
56017 + lived processes and the kernel itself benefit from this as long as
56018 + they operate on whole memory pages and ensure timely freeing of pages
56019 + that may hold sensitive information.
56021 + The tradeoff is performance impact, on a single CPU system kernel
56022 + compilation sees a 3% slowdown, other systems and workloads may vary
56023 + and you are advised to test this feature on your expected workload
56024 + before deploying it.
56026 + Note that this feature does not protect data stored in live pages,
56027 + e.g., process memory swapped to disk may stay there for a long time.
56029 +config PAX_MEMORY_UDEREF
56030 + bool "Prevent invalid userland pointer dereference"
56031 + depends on X86 && !UML_X86 && !XEN
56032 + select PAX_PER_CPU_PGD if X86_64
56034 + By saying Y here the kernel will be prevented from dereferencing
56035 + userland pointers in contexts where the kernel expects only kernel
56036 + pointers. This is both a useful runtime debugging feature and a
56037 + security measure that prevents exploiting a class of kernel bugs.
56039 + The tradeoff is that some virtualization solutions may experience
56040 + a huge slowdown and therefore you should not enable this feature
56041 + for kernels meant to run in such environments. Whether a given VM
56042 + solution is affected or not is best determined by simply trying it
56043 + out, the performance impact will be obvious right on boot as this
56044 + mechanism engages from very early on. A good rule of thumb is that
56045 + VMs running on CPUs without hardware virtualization support (i.e.,
56046 + the majority of IA-32 CPUs) will likely experience the slowdown.
56048 +config PAX_REFCOUNT
56049 + bool "Prevent various kernel object reference counter overflows"
56050 + depends on GRKERNSEC && (X86 || SPARC64)
56052 + By saying Y here the kernel will detect and prevent overflowing
56053 + various (but not all) kinds of object reference counters. Such
56054 + overflows can normally occur due to bugs only and are often, if
56055 + not always, exploitable.
56057 + The tradeoff is that data structures protected by an overflowed
56058 + refcount will never be freed and therefore will leak memory. Note
56059 + that this leak also happens even without this protection but in
56060 + that case the overflow can eventually trigger the freeing of the
56061 + data structure while it is still being used elsewhere, resulting
56062 + in the exploitable situation that this feature prevents.
56064 + Since this has a negligible performance impact, you should enable
56067 +config PAX_USERCOPY
56068 + bool "Bounds check heap object copies between kernel and userland"
56069 + depends on X86 || PPC || SPARC
56070 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
56072 + By saying Y here the kernel will enforce the size of heap objects
56073 + when they are copied in either direction between the kernel and
56074 + userland, even if only a part of the heap object is copied.
56076 + Specifically, this checking prevents information leaking from the
56077 + kernel heap during kernel to userland copies (if the kernel heap
56078 + object is otherwise fully initialized) and prevents kernel heap
56079 + overflows during userland to kernel copies.
56081 + Note that the current implementation provides the strictest checks
56082 + for the SLUB allocator.
56084 + If frame pointers are enabled on x86, this option will also
56085 + restrict copies into and out of the kernel stack to local variables
56086 + within a single frame.
56088 + Since this has a negligible performance impact, you should enable
56096 bool "Enable access key retention support"
56098 @@ -124,7 +623,7 @@ config INTEL_TXT
56099 config LSM_MMAP_MIN_ADDR
56100 int "Low address space for LSM to protect from user allocation"
56101 depends on SECURITY && SECURITY_SELINUX
56105 This is the portion of low virtual memory which should be protected
56106 from userspace allocation. Keeping a user from writing to low pages
56107 diff -urNp linux-2.6.35.5/security/min_addr.c linux-2.6.35.5/security/min_addr.c
56108 --- linux-2.6.35.5/security/min_addr.c 2010-08-26 19:47:12.000000000 -0400
56109 +++ linux-2.6.35.5/security/min_addr.c 2010-09-17 20:12:37.000000000 -0400
56110 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
56112 static void update_mmap_min_addr(void)
56115 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
56116 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
56117 mmap_min_addr = dac_mmap_min_addr;
56118 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
56120 mmap_min_addr = dac_mmap_min_addr;
56126 diff -urNp linux-2.6.35.5/security/security.c linux-2.6.35.5/security/security.c
56127 --- linux-2.6.35.5/security/security.c 2010-08-26 19:47:12.000000000 -0400
56128 +++ linux-2.6.35.5/security/security.c 2010-09-17 20:12:37.000000000 -0400
56129 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
56130 /* things that live in capability.c */
56131 extern void __init security_fixup_ops(struct security_operations *ops);
56133 -static struct security_operations *security_ops;
56134 -static struct security_operations default_security_ops = {
56135 +static struct security_operations *security_ops __read_only;
56136 +static struct security_operations default_security_ops __read_only = {
56140 @@ -67,7 +67,9 @@ int __init security_init(void)
56142 void reset_security_ops(void)
56144 + pax_open_kernel();
56145 security_ops = &default_security_ops;
56146 + pax_close_kernel();
56149 /* Save user chosen LSM */
56150 diff -urNp linux-2.6.35.5/security/selinux/hooks.c linux-2.6.35.5/security/selinux/hooks.c
56151 --- linux-2.6.35.5/security/selinux/hooks.c 2010-08-26 19:47:12.000000000 -0400
56152 +++ linux-2.6.35.5/security/selinux/hooks.c 2010-09-17 20:12:37.000000000 -0400
56154 #define NUM_SEL_MNT_OPTS 5
56156 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
56157 -extern struct security_operations *security_ops;
56159 /* SECMARK reference count */
56160 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
56161 @@ -5428,7 +5427,7 @@ static int selinux_key_getsecurity(struc
56165 -static struct security_operations selinux_ops = {
56166 +static struct security_operations selinux_ops __read_only = {
56169 .ptrace_access_check = selinux_ptrace_access_check,
56170 diff -urNp linux-2.6.35.5/security/smack/smack_lsm.c linux-2.6.35.5/security/smack/smack_lsm.c
56171 --- linux-2.6.35.5/security/smack/smack_lsm.c 2010-08-26 19:47:12.000000000 -0400
56172 +++ linux-2.6.35.5/security/smack/smack_lsm.c 2010-09-17 20:12:09.000000000 -0400
56173 @@ -3064,7 +3064,7 @@ static int smack_inode_getsecctx(struct
56177 -struct security_operations smack_ops = {
56178 +struct security_operations smack_ops __read_only = {
56181 .ptrace_access_check = smack_ptrace_access_check,
56182 diff -urNp linux-2.6.35.5/security/tomoyo/tomoyo.c linux-2.6.35.5/security/tomoyo/tomoyo.c
56183 --- linux-2.6.35.5/security/tomoyo/tomoyo.c 2010-08-26 19:47:12.000000000 -0400
56184 +++ linux-2.6.35.5/security/tomoyo/tomoyo.c 2010-09-17 20:12:09.000000000 -0400
56185 @@ -235,7 +235,7 @@ static int tomoyo_sb_pivotroot(struct pa
56186 * tomoyo_security_ops is a "struct security_operations" which is used for
56187 * registering TOMOYO.
56189 -static struct security_operations tomoyo_security_ops = {
56190 +static struct security_operations tomoyo_security_ops __read_only = {
56192 .cred_alloc_blank = tomoyo_cred_alloc_blank,
56193 .cred_prepare = tomoyo_cred_prepare,
56194 diff -urNp linux-2.6.35.5/sound/aoa/codecs/onyx.c linux-2.6.35.5/sound/aoa/codecs/onyx.c
56195 --- linux-2.6.35.5/sound/aoa/codecs/onyx.c 2010-08-26 19:47:12.000000000 -0400
56196 +++ linux-2.6.35.5/sound/aoa/codecs/onyx.c 2010-09-17 20:12:09.000000000 -0400
56197 @@ -54,7 +54,7 @@ struct onyx {
56202 + atomic_t open_count;
56203 struct codec_info *codec_info;
56205 /* mutex serializes concurrent access to the device
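Review bot: The new `atomic_t open_count` field has no comment explaining why it is atomic, even though the `onyx_open()` and `onyx_close()` hunks below still update it only while holding `onyx->mutex`. The likely reason is to route the counter through the overflow-checked atomic operations that the PAX_REFCOUNT help text in this patch describes, but that link is inferred and not shown here. A one-line field comment such as `/* atomic_t for overflow-checked inc/dec; updates are still serialised by ->mutex */` would stop a later cleanup from reverting it to `int` as redundant. The struct definition continues outside the hunk.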
56206 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
56207 struct onyx *onyx = cii->codec_data;
56209 mutex_lock(&onyx->mutex);
56210 - onyx->open_count++;
56211 + atomic_inc(&onyx->open_count);
56212 mutex_unlock(&onyx->mutex);
56215 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
56216 struct onyx *onyx = cii->codec_data;
56218 mutex_lock(&onyx->mutex);
56219 - onyx->open_count--;
56220 - if (!onyx->open_count)
56221 + if (atomic_dec_and_test(&onyx->open_count))
56222 onyx->spdif_locked = onyx->analog_locked = 0;
56223 mutex_unlock(&onyx->mutex);
56225 diff -urNp linux-2.6.35.5/sound/core/oss/pcm_oss.c linux-2.6.35.5/sound/core/oss/pcm_oss.c
56226 --- linux-2.6.35.5/sound/core/oss/pcm_oss.c 2010-08-26 19:47:12.000000000 -0400
56227 +++ linux-2.6.35.5/sound/core/oss/pcm_oss.c 2010-09-17 20:12:09.000000000 -0400
56228 @@ -2966,8 +2966,8 @@ static void snd_pcm_oss_proc_done(struct
56231 #else /* !CONFIG_SND_VERBOSE_PROCFS */
56232 -#define snd_pcm_oss_proc_init(pcm)
56233 -#define snd_pcm_oss_proc_done(pcm)
56234 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
56235 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
56236 #endif /* CONFIG_SND_VERBOSE_PROCFS */
56239 diff -urNp linux-2.6.35.5/sound/core/seq/seq_lock.h linux-2.6.35.5/sound/core/seq/seq_lock.h
56240 --- linux-2.6.35.5/sound/core/seq/seq_lock.h 2010-08-26 19:47:12.000000000 -0400
56241 +++ linux-2.6.35.5/sound/core/seq/seq_lock.h 2010-09-17 20:12:09.000000000 -0400
56242 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
56243 #else /* SMP || CONFIG_SND_DEBUG */
56245 typedef spinlock_t snd_use_lock_t; /* dummy */
56246 -#define snd_use_lock_init(lockp) /**/
56247 -#define snd_use_lock_use(lockp) /**/
56248 -#define snd_use_lock_free(lockp) /**/
56249 -#define snd_use_lock_sync(lockp) /**/
56250 +#define snd_use_lock_init(lockp) do {} while (0)
56251 +#define snd_use_lock_use(lockp) do {} while (0)
56252 +#define snd_use_lock_free(lockp) do {} while (0)
56253 +#define snd_use_lock_sync(lockp) do {} while (0)
56255 #endif /* SMP || CONFIG_SND_DEBUG */
56257 diff -urNp linux-2.6.35.5/sound/drivers/mts64.c linux-2.6.35.5/sound/drivers/mts64.c
56258 --- linux-2.6.35.5/sound/drivers/mts64.c 2010-08-26 19:47:12.000000000 -0400
56259 +++ linux-2.6.35.5/sound/drivers/mts64.c 2010-09-17 20:12:09.000000000 -0400
56260 @@ -66,7 +66,7 @@ struct mts64 {
56261 struct pardevice *pardev;
56262 int pardev_claimed;
56265 + atomic_t open_count;
56266 int current_midi_output_port;
56267 int current_midi_input_port;
56268 u8 mode[MTS64_NUM_INPUT_PORTS];
56269 @@ -696,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
56271 struct mts64 *mts = substream->rmidi->private_data;
56273 - if (mts->open_count == 0) {
56274 + if (atomic_read(&mts->open_count) == 0) {
56275 /* We don't need a spinlock here, because this is just called
56276 if the device has not been opened before.
56277 So there aren't any IRQs from the device */
56278 @@ -704,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
56282 - ++(mts->open_count);
56283 + atomic_inc(&mts->open_count);
56287 @@ -714,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
56288 struct mts64 *mts = substream->rmidi->private_data;
56289 unsigned long flags;
56291 - --(mts->open_count);
56292 - if (mts->open_count == 0) {
56293 + if (atomic_dec_return(&mts->open_count) == 0) {
56294 /* We need the spinlock_irqsave here because we can still
56295 have IRQs at this point */
56296 spin_lock_irqsave(&mts->lock, flags);
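Review bot: `snd_mts64_rawmidi_close()` decrements with `atomic_dec_return()` here, but the next hunk re-reads the counter with `atomic_read()` before `atomic_set(&mts->open_count, 0)`. The underflow branch therefore acts on a value that may no longer be the one the decrement produced. Keeping the result in a local makes the steps agree: `int count = atomic_dec_return(&mts->open_count);`, then `if (count == 0) {` and `} else if (count < 0)`. The open path has the same shape, with `atomic_read(...) == 0` in one hunk and `atomic_inc()` in the next. Whether the rawmidi core already serialises open and close for this device is not visible here, and the function body starts and ends outside these hunks.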
56297 @@ -724,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
56301 - } else if (mts->open_count < 0)
56302 - mts->open_count = 0;
56303 + } else if (atomic_read(&mts->open_count) < 0)
56304 + atomic_set(&mts->open_count, 0);
56308 diff -urNp linux-2.6.35.5/sound/drivers/portman2x4.c linux-2.6.35.5/sound/drivers/portman2x4.c
56309 --- linux-2.6.35.5/sound/drivers/portman2x4.c 2010-08-26 19:47:12.000000000 -0400
56310 +++ linux-2.6.35.5/sound/drivers/portman2x4.c 2010-09-17 20:12:09.000000000 -0400
56311 @@ -84,7 +84,7 @@ struct portman {
56312 struct pardevice *pardev;
56313 int pardev_claimed;
56316 + atomic_t open_count;
56317 int mode[PORTMAN_NUM_INPUT_PORTS];
56318 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
56320 diff -urNp linux-2.6.35.5/sound/oss/sb_audio.c linux-2.6.35.5/sound/oss/sb_audio.c
56321 --- linux-2.6.35.5/sound/oss/sb_audio.c 2010-08-26 19:47:12.000000000 -0400
56322 +++ linux-2.6.35.5/sound/oss/sb_audio.c 2010-09-17 20:12:09.000000000 -0400
56323 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
56324 buf16 = (signed short *)(localbuf + localoffs);
56327 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
56328 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
56329 if (copy_from_user(lbuf8,
56330 userbuf+useroffs + p,
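Review bot: The `(unsigned)c` cast clamps `locallen` to `LBUFCOPYSIZE` when `c` is negative, but the code then carries on copying with a count that was never valid. If a negative `c` can only come from a bad caller-supplied length, rejecting it before the copy would be clearer than clamping. At minimum, a comment such as `/* compare unsigned: a negative c must never become the copy_from_user() length */` would record why the cast is there. The declaration of `c` and the rest of `sb16_copy_from_user()` are outside the hunk, so how `c` is derived and updated should be confirmed against the full function.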
56332 diff -urNp linux-2.6.35.5/sound/pci/ac97/ac97_codec.c linux-2.6.35.5/sound/pci/ac97/ac97_codec.c
56333 --- linux-2.6.35.5/sound/pci/ac97/ac97_codec.c 2010-08-26 19:47:12.000000000 -0400
56334 +++ linux-2.6.35.5/sound/pci/ac97/ac97_codec.c 2010-09-17 20:12:09.000000000 -0400
56335 @@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
56338 /* build_ops to do nothing */
56339 -static struct snd_ac97_build_ops null_build_ops;
56340 +static const struct snd_ac97_build_ops null_build_ops;
56342 #ifdef CONFIG_SND_AC97_POWER_SAVE
56343 static void do_update_power(struct work_struct *work)
56344 diff -urNp linux-2.6.35.5/sound/pci/ac97/ac97_patch.c linux-2.6.35.5/sound/pci/ac97/ac97_patch.c
56345 --- linux-2.6.35.5/sound/pci/ac97/ac97_patch.c 2010-08-26 19:47:12.000000000 -0400
56346 +++ linux-2.6.35.5/sound/pci/ac97/ac97_patch.c 2010-09-17 20:12:09.000000000 -0400
56347 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
56351 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
56352 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
56353 .build_spdif = patch_yamaha_ymf743_build_spdif,
56354 .build_3d = patch_yamaha_ymf7x3_3d,
56356 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
56360 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
56361 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
56362 .build_3d = patch_yamaha_ymf7x3_3d,
56363 .build_post_spdif = patch_yamaha_ymf753_post_spdif
56365 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
56369 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
56370 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
56371 .build_specific = patch_wolfson_wm9703_specific,
56374 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
56378 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
56379 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
56380 .build_specific = patch_wolfson_wm9704_specific,
56383 @@ -677,7 +677,7 @@ static int patch_wolfson_wm9711_specific
56387 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
56388 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
56389 .build_specific = patch_wolfson_wm9711_specific,
56392 @@ -871,7 +871,7 @@ static void patch_wolfson_wm9713_resume
56396 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
56397 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
56398 .build_specific = patch_wolfson_wm9713_specific,
56399 .build_3d = patch_wolfson_wm9713_3d,
56401 @@ -976,7 +976,7 @@ static int patch_sigmatel_stac97xx_speci
56405 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
56406 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
56407 .build_3d = patch_sigmatel_stac9700_3d,
56408 .build_specific = patch_sigmatel_stac97xx_specific
56410 @@ -1023,7 +1023,7 @@ static int patch_sigmatel_stac9708_speci
56411 return patch_sigmatel_stac97xx_specific(ac97);
56414 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
56415 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
56416 .build_3d = patch_sigmatel_stac9708_3d,
56417 .build_specific = patch_sigmatel_stac9708_specific
56419 @@ -1252,7 +1252,7 @@ static int patch_sigmatel_stac9758_speci
56423 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
56424 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
56425 .build_3d = patch_sigmatel_stac9700_3d,
56426 .build_specific = patch_sigmatel_stac9758_specific
56428 @@ -1327,7 +1327,7 @@ static int patch_cirrus_build_spdif(stru
56432 -static struct snd_ac97_build_ops patch_cirrus_ops = {
56433 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
56434 .build_spdif = patch_cirrus_build_spdif
56437 @@ -1384,7 +1384,7 @@ static int patch_conexant_build_spdif(st
56441 -static struct snd_ac97_build_ops patch_conexant_ops = {
56442 +static const struct snd_ac97_build_ops patch_conexant_ops = {
56443 .build_spdif = patch_conexant_build_spdif
56446 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
56447 { AC97_VIDEO, 0x9f1f },
56448 { AC97_AUX, 0x9f1f },
56449 { AC97_PCM, 0x9f1f },
56450 - { } /* terminator */
56451 + { 0, 0 } /* terminator */
56454 static int patch_ad1819(struct snd_ac97 * ac97)
56455 @@ -1560,7 +1560,7 @@ static void patch_ad1881_chained(struct
56459 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
56460 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
56462 .resume = ad18xx_resume
56464 @@ -1647,7 +1647,7 @@ static int patch_ad1885_specific(struct
56468 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
56469 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
56470 .build_specific = &patch_ad1885_specific,
56472 .resume = ad18xx_resume
56473 @@ -1674,7 +1674,7 @@ static int patch_ad1886_specific(struct
56477 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
56478 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
56479 .build_specific = &patch_ad1886_specific,
56481 .resume = ad18xx_resume
56482 @@ -1881,7 +1881,7 @@ static int patch_ad1981a_specific(struct
56483 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
56486 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
56487 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
56488 .build_post_spdif = patch_ad198x_post_spdif,
56489 .build_specific = patch_ad1981a_specific,
56491 @@ -1936,7 +1936,7 @@ static int patch_ad1981b_specific(struct
56492 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
56495 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
56496 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
56497 .build_post_spdif = patch_ad198x_post_spdif,
56498 .build_specific = patch_ad1981b_specific,
56500 @@ -2075,7 +2075,7 @@ static int patch_ad1888_specific(struct
56501 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
56504 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
56505 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
56506 .build_post_spdif = patch_ad198x_post_spdif,
56507 .build_specific = patch_ad1888_specific,
56509 @@ -2124,7 +2124,7 @@ static int patch_ad1980_specific(struct
56510 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
56513 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
56514 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
56515 .build_post_spdif = patch_ad198x_post_spdif,
56516 .build_specific = patch_ad1980_specific,
56518 @@ -2239,7 +2239,7 @@ static int patch_ad1985_specific(struct
56519 ARRAY_SIZE(snd_ac97_ad1985_controls));
56522 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
56523 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
56524 .build_post_spdif = patch_ad198x_post_spdif,
56525 .build_specific = patch_ad1985_specific,
56527 @@ -2531,7 +2531,7 @@ static int patch_ad1986_specific(struct
56528 ARRAY_SIZE(snd_ac97_ad1985_controls));
56531 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
56532 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
56533 .build_post_spdif = patch_ad198x_post_spdif,
56534 .build_specific = patch_ad1986_specific,
56536 @@ -2636,7 +2636,7 @@ static int patch_alc650_specific(struct
56540 -static struct snd_ac97_build_ops patch_alc650_ops = {
56541 +static const struct snd_ac97_build_ops patch_alc650_ops = {
56542 .build_specific = patch_alc650_specific,
56543 .update_jacks = alc650_update_jacks
56545 @@ -2788,7 +2788,7 @@ static int patch_alc655_specific(struct
56549 -static struct snd_ac97_build_ops patch_alc655_ops = {
56550 +static const struct snd_ac97_build_ops patch_alc655_ops = {
56551 .build_specific = patch_alc655_specific,
56552 .update_jacks = alc655_update_jacks
56554 @@ -2900,7 +2900,7 @@ static int patch_alc850_specific(struct
56558 -static struct snd_ac97_build_ops patch_alc850_ops = {
56559 +static const struct snd_ac97_build_ops patch_alc850_ops = {
56560 .build_specific = patch_alc850_specific,
56561 .update_jacks = alc850_update_jacks
56563 @@ -2962,7 +2962,7 @@ static int patch_cm9738_specific(struct
56564 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
56567 -static struct snd_ac97_build_ops patch_cm9738_ops = {
56568 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
56569 .build_specific = patch_cm9738_specific,
56570 .update_jacks = cm9738_update_jacks
56572 @@ -3053,7 +3053,7 @@ static int patch_cm9739_post_spdif(struc
56573 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
56576 -static struct snd_ac97_build_ops patch_cm9739_ops = {
56577 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
56578 .build_specific = patch_cm9739_specific,
56579 .build_post_spdif = patch_cm9739_post_spdif,
56580 .update_jacks = cm9739_update_jacks
56581 @@ -3227,7 +3227,7 @@ static int patch_cm9761_specific(struct
56582 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
56585 -static struct snd_ac97_build_ops patch_cm9761_ops = {
56586 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
56587 .build_specific = patch_cm9761_specific,
56588 .build_post_spdif = patch_cm9761_post_spdif,
56589 .update_jacks = cm9761_update_jacks
56590 @@ -3323,7 +3323,7 @@ static int patch_cm9780_specific(struct
56591 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
56594 -static struct snd_ac97_build_ops patch_cm9780_ops = {
56595 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
56596 .build_specific = patch_cm9780_specific,
56597 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
56599 @@ -3443,7 +3443,7 @@ static int patch_vt1616_specific(struct
56603 -static struct snd_ac97_build_ops patch_vt1616_ops = {
56604 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
56605 .build_specific = patch_vt1616_specific
56608 @@ -3797,7 +3797,7 @@ static int patch_it2646_specific(struct
56612 -static struct snd_ac97_build_ops patch_it2646_ops = {
56613 +static const struct snd_ac97_build_ops patch_it2646_ops = {
56614 .build_specific = patch_it2646_specific,
56615 .update_jacks = it2646_update_jacks
56617 @@ -3831,7 +3831,7 @@ static int patch_si3036_specific(struct
56621 -static struct snd_ac97_build_ops patch_si3036_ops = {
56622 +static const struct snd_ac97_build_ops patch_si3036_ops = {
56623 .build_specific = patch_si3036_specific,
56626 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
56627 { AC97_AUX, 0x1f1f },
56628 { AC97_PCM, 0x1f1f },
56629 { AC97_REC_GAIN, 0x0f0f },
56630 - { } /* terminator */
56631 + { 0, 0 } /* terminator */
56634 static int patch_lm4550(struct snd_ac97 *ac97)
56635 @@ -3898,7 +3898,7 @@ static int patch_ucb1400_specific(struct
56639 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
56640 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
56641 .build_specific = patch_ucb1400_specific,
56644 diff -urNp linux-2.6.35.5/sound/pci/ens1370.c linux-2.6.35.5/sound/pci/ens1370.c
56645 --- linux-2.6.35.5/sound/pci/ens1370.c 2010-08-26 19:47:12.000000000 -0400
56646 +++ linux-2.6.35.5/sound/pci/ens1370.c 2010-09-17 20:12:09.000000000 -0400
56647 @@ -452,7 +452,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
56648 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
56649 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
56652 + { 0, 0, 0, 0, 0, 0, 0 }
56655 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
56656 diff -urNp linux-2.6.35.5/sound/pci/hda/patch_hdmi.c linux-2.6.35.5/sound/pci/hda/patch_hdmi.c
56657 --- linux-2.6.35.5/sound/pci/hda/patch_hdmi.c 2010-08-26 19:47:12.000000000 -0400
56658 +++ linux-2.6.35.5/sound/pci/hda/patch_hdmi.c 2010-09-17 20:12:09.000000000 -0400
56659 @@ -670,10 +670,10 @@ static void hdmi_non_intrinsic_event(str
56674 diff -urNp linux-2.6.35.5/sound/pci/intel8x0.c linux-2.6.35.5/sound/pci/intel8x0.c
56675 --- linux-2.6.35.5/sound/pci/intel8x0.c 2010-08-26 19:47:12.000000000 -0400
56676 +++ linux-2.6.35.5/sound/pci/intel8x0.c 2010-09-17 20:12:09.000000000 -0400
56677 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
56678 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
56679 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
56680 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
56682 + { 0, 0, 0, 0, 0, 0, 0 }
56685 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
56686 @@ -2135,7 +2135,7 @@ static struct ac97_quirk ac97_quirks[] _
56687 .type = AC97_TUNE_HP_ONLY
56690 - { } /* terminator */
56691 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
56694 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
56695 diff -urNp linux-2.6.35.5/sound/pci/intel8x0m.c linux-2.6.35.5/sound/pci/intel8x0m.c
56696 --- linux-2.6.35.5/sound/pci/intel8x0m.c 2010-08-26 19:47:12.000000000 -0400
56697 +++ linux-2.6.35.5/sound/pci/intel8x0m.c 2010-09-17 20:12:09.000000000 -0400
56698 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
56699 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
56700 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
56703 + { 0, 0, 0, 0, 0, 0, 0 }
56706 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
56707 @@ -1264,7 +1264,7 @@ static struct shortname_table {
56708 { 0x5455, "ALi M5455" },
56709 { 0x746d, "AMD AMD8111" },
56715 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
56716 diff -urNp linux-2.6.35.5/usr/gen_init_cpio.c linux-2.6.35.5/usr/gen_init_cpio.c
56717 --- linux-2.6.35.5/usr/gen_init_cpio.c 2010-08-26 19:47:12.000000000 -0400
56718 +++ linux-2.6.35.5/usr/gen_init_cpio.c 2010-09-17 20:12:09.000000000 -0400
56719 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
56728 @@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
56729 *env_var = *expanded = '\0';
56730 strncat(env_var, start + 2, end - start - 2);
56731 strncat(expanded, new_location, start - new_location);
56732 - strncat(expanded, getenv(env_var), PATH_MAX);
56733 - strncat(expanded, end + 1, PATH_MAX);
56734 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
56735 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
56736 strncpy(new_location, expanded, PATH_MAX);
56737 + new_location[PATH_MAX] = 0;
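Review bot: `getenv(env_var)` is still passed straight to `strncat` on the new side, so a `${NAME}` reference to a variable that is not set hands a NULL source pointer to the call, which is undefined behaviour; a guard such as `const char *val = getenv(env_var); if (!val) val = "";` before the append would close that. The two appends above it are bounded by `end - start - 2` and `start - new_location`, which are source offsets rather than the room left in `env_var` or `expanded`, so they stay in bounds only while the input fits those buffers, whose declarations are outside this hunk. The added `new_location[PATH_MAX] = 0;` likewise assumes every caller's buffer holds at least `PATH_MAX + 1` bytes, which should be confirmed or stated in a comment on the function. cpio_replace_env begins and ends outside the hunk.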
56741 diff -urNp linux-2.6.35.5/virt/kvm/kvm_main.c linux-2.6.35.5/virt/kvm/kvm_main.c
56742 --- linux-2.6.35.5/virt/kvm/kvm_main.c 2010-08-26 19:47:12.000000000 -0400
56743 +++ linux-2.6.35.5/virt/kvm/kvm_main.c 2010-09-17 20:12:09.000000000 -0400
56744 @@ -1284,6 +1284,7 @@ static int kvm_vcpu_release(struct inode
56748 +/* cannot be const */
56749 static struct file_operations kvm_vcpu_fops = {
56750 .release = kvm_vcpu_release,
56751 .unlocked_ioctl = kvm_vcpu_ioctl,
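Review bot: The added `/* cannot be const */` on `kvm_vcpu_fops` records the constraint but not its cause, so a later constification pass has nothing to check it against. Presumably the table is written at run time (for example an `.owner` assignment during module init, which is not visible in this hunk); if that is the reason, the comment should say so, e.g. `/* cannot be const: .owner is assigned at init time */`. The same bare comment is added on `kvm_vm_fops` and `kvm_chardev_ops` in the next two hunks. The initializer continues past the end of the hunk.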
56752 @@ -1738,6 +1739,7 @@ static int kvm_vm_mmap(struct file *file
56756 +/* cannot be const */
56757 static struct file_operations kvm_vm_fops = {
56758 .release = kvm_vm_release,
56759 .unlocked_ioctl = kvm_vm_ioctl,
56760 @@ -1835,6 +1837,7 @@ out:
56764 +/* cannot be const */
56765 static struct file_operations kvm_chardev_ops = {
56766 .unlocked_ioctl = kvm_dev_ioctl,
56767 .compat_ioctl = kvm_dev_ioctl,
56768 @@ -1844,6 +1847,9 @@ static struct miscdevice kvm_dev = {
56777 static void hardware_enable(void *junk)
56778 @@ -2178,7 +2184,7 @@ static void kvm_sched_out(struct preempt
56779 kvm_arch_vcpu_put(vcpu);
56782 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
56783 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
56784 struct module *module)